def test_Privilege_isAggregateOf(self): """ Privilege.isAggregateOf() """ for a, b in ( (davxml.All(), davxml.Write()), (davxml.All(), davxml.ReadACL()), (davxml.Write(), davxml.WriteProperties()), (davxml.Write(), davxml.WriteContent()), (davxml.Write(), davxml.Bind()), (davxml.Write(), davxml.Unbind()), ): pa = davxml.Privilege(a) pb = davxml.Privilege(b) self.failUnless(pa.isAggregateOf(pb, davPrivilegeSet), "%s contains %s" % (a.sname(), b.sname())) self.failIf(pb.isAggregateOf(pa, davPrivilegeSet), "%s does not contain %s" % (b.sname(), a.sname())) for a, b in ( (davxml.Unlock(), davxml.Write()), (davxml.Unlock(), davxml.WriteACL()), (davxml.ReadCurrentUserPrivilegeSet(), davxml.WriteProperties()), ): pa = davxml.Privilege(a) pb = davxml.Privilege(b) self.failIf(pb.isAggregateOf(pa, davPrivilegeSet), "%s does not contain %s" % (b.sname(), a.sname()))
class TestResource(DAVResource): """A simple test resource used for creating trees of DAV Resources """ _cachedPropertyStores = {} acl = davxml.ACL( davxml.ACE( davxml.Principal(davxml.All()), davxml.Grant(davxml.Privilege(davxml.All())), davxml.Protected(), )) def __init__(self, uri=None, children=None, principalCollections=()): """ @param uri: A string respresenting the URI of the given resource @param children: a dictionary of names to Resources """ DAVResource.__init__(self, principalCollections=principalCollections) self.children = children self.uri = uri def deadProperties(self): """ Retrieve deadProperties from a special place in memory """ if not hasattr(self, "_dead_properties"): dp = TestResource._cachedPropertyStores.get(self.uri) if dp is None: TestResource._cachedPropertyStores[ self.uri] = InMemoryPropertyStore(self) dp = TestResource._cachedPropertyStores[self.uri] self._dead_properties = dp return self._dead_properties def isCollection(self): return self.children is not None def listChildren(self): return self.children.keys() def supportedPrivileges(self, request): return succeed(davPrivilegeSet) def locateChild(self, request, segments): child = segments[0] if child == "": return self, segments[1:] elif child in self.children: return self.children[child], segments[1:] else: raise HTTPError(404) def setAccessControlList(self, acl): self.acl = acl def accessControlList(self, request, **kwargs): return succeed(self.acl)
def createDocumentRoot(self): docroot = self.mktemp() os.mkdir(docroot) userResource = TestDAVPrincipalResource("/principals/users/user01") userResource.writeDeadProperty(TwistedPasswordProperty("user01")) principalCollection = TestPrincipalsCollection( "/principals/", children={"users": TestPrincipalsCollection( "/principals/users/", children={"user01": userResource})}) rootResource = self.resource_class( docroot, principalCollections=(principalCollection,)) portal = Portal(DavRealm()) portal.registerChecker(TwistedPropertyChecker()) credentialFactories = (basic.BasicCredentialFactory(""),) loginInterfaces = (IPrincipal,) self.site = Site(AuthenticationWrapper( rootResource, portal, credentialFactories, credentialFactories, loginInterfaces )) rootResource.setAccessControlList(self.grant(element.All())) for name, acl in ( ("none" , self.grant()), ("read" , self.grant(element.Read())), ("read-write" , self.grant(element.Read(), element.Write())), ("unlock" , self.grant(element.Unlock())), ("all" , self.grant(element.All())), ): filename = os.path.join(docroot, name) if not os.path.isfile(filename): file(filename, "w").close() resource = self.resource_class(filename) resource.setAccessControlList(acl) for name, acl in ( ("nobind" , self.grant()), ("bind" , self.grant(element.Bind())), ("unbind" , self.grant(element.Bind(), element.Unbind())), ): dirname = os.path.join(docroot, name) if not os.path.isdir(dirname): os.mkdir(dirname) resource = self.resource_class(dirname) resource.setAccessControlList(acl) return docroot
def defaultAccessControlList(self): aces = ( # DAV:read access for authenticated users. davxml.ACE( davxml.Principal(davxml.Authenticated()), davxml.Grant(davxml.Privilege(davxml.Read())), ), # Inheritable DAV:all access for the resource's associated principal. davxml.ACE( davxml.Principal(davxml.HRef(self.parent.principalURL())), davxml.Grant(davxml.Privilege(davxml.WriteProperties())), davxml.Protected(), ), ) # Add admins aces += tuple(( davxml.ACE( davxml.Principal(davxml.HRef(principal)), davxml.Grant(davxml.Privilege(davxml.All())), davxml.Protected(), ) for principal in config.AdminPrincipals )) return succeed(davxml.ACL(*aces))
def createDocumentRoot(self): docroot = self.mktemp() os.mkdir(docroot) rootresource = self.resource_class(docroot) rootresource.setAccessControlList(self.grantInherit(element.All())) dirnames = ( os.path.join(docroot, "dir1"), # 0 os.path.join(docroot, "dir2"), # 1 os.path.join(docroot, "dir2", "subdir1"), # 2 os.path.join(docroot, "dir3"), # 3 os.path.join(docroot, "dir4"), # 4 os.path.join(docroot, "dir4", "subdir1"), # 5 os.path.join(docroot, "dir4", "subdir1", "subsubdir1"), # 6 os.path.join(docroot, "dir4", "subdir2"), # 7 os.path.join(docroot, "dir4", "subdir2", "dir1"), # 8 os.path.join(docroot, "dir4", "subdir2", "dir2"), # 9 ) for dir in dirnames: os.mkdir(dir) src = os.path.dirname(__file__) filenames = [ os.path.join(src, f) for f in os.listdir(src) if os.path.isfile(os.path.join(src, f)) ] for dirname in (docroot, ) + dirnames[3:8 + 1]: for filename in filenames[:5]: copy(filename, dirname) return docroot
def createDocumentRoot(self): docroot = self.mktemp() os.mkdir(docroot) rootresource = self.resource_class(docroot) rootresource.setAccessControlList(self.grantInherit(davxml.All())) self.site = Site(rootresource) self.site.resource.setQuotaRoot(None, 100000) return docroot
def defaultAccessControlList(self): return succeed( davxml.ACL( # DAV:Read for all principals (includes anonymous) davxml.ACE( davxml.Principal(davxml.All()), davxml.Grant(davxml.Privilege(davxml.Read()), ), davxml.Protected(), ), ))
class AuthAllResource(TestResource): """ Give Authenticated principals all privileges and deny everyone else. """ acl = davxml.ACL( davxml.ACE( davxml.Principal(davxml.Authenticated()), davxml.Grant(davxml.Privilege(davxml.All())), davxml.Protected(), ))
def work(): dst_path = os.path.join(self.docroot, "copy_dst") dst_uri = "/" + os.path.basename(dst_path) for src, status in ( ("nobind", responsecode.FORBIDDEN), ("bind", responsecode.FORBIDDEN), ("unbind", responsecode.CREATED), ): src_path = os.path.join(self.docroot, "src_" + src) src_uri = "/" + os.path.basename(src_path) if not os.path.isdir(src_path): os.mkdir(src_path) src_resource = self.resource_class(src_path) src_resource.setAccessControlList({ "nobind": self.grant(), "bind" : self.grant(element.Bind()), "unbind": self.grant(element.Bind(), element.Unbind()) }[src]) for name, acl in ( ("none" , self.grant()), ("read" , self.grant(element.Read())), ("read-write" , self.grant(element.Read(), element.Write())), ("unlock" , self.grant(element.Unlock())), ("all" , self.grant(element.All())), ): filename = os.path.join(src_path, name) if not os.path.isfile(filename): file(filename, "w").close() self.resource_class(filename).setAccessControlList(acl) for method in ("COPY", "MOVE"): for name, code in ( ("none", {"COPY": responsecode.FORBIDDEN, "MOVE": status}[method]), ("read", {"COPY": responsecode.CREATED, "MOVE": status}[method]), ("read-write" , {"COPY": responsecode.CREATED, "MOVE": status}[method]), ("unlock", {"COPY": responsecode.FORBIDDEN, "MOVE": status}[method]), ("all", {"COPY": responsecode.CREATED, "MOVE": status}[method]), ): path = os.path.join(src_path, name) uri = src_uri + "/" + name request = SimpleRequest(self.site, method, uri) request.headers.setHeader("destination", dst_uri) _add_auth_header(request) def test(response, code=code, path=path): if os.path.isfile(dst_path): os.remove(dst_path) if response.code != code: return self.oops(request, response, code, method, name) yield (request, test)
def defaultAccessControlList(self): privs = ( davxml.Privilege(davxml.Read()), davxml.Privilege(caldavxml.ScheduleDeliver()), ) return succeed( davxml.ACL( # DAV:Read, CalDAV:schedule-deliver for all principals (includes anonymous) davxml.ACE( davxml.Principal(davxml.All()), davxml.Grant(*privs), davxml.Protected(), ), ))
class SimpleResource( CalDAVResource, ): allReadACL = davxml.ACL( # Read access for all users. davxml.ACE( davxml.Principal(davxml.All()), davxml.Grant(davxml.Privilege(davxml.Read())), davxml.Protected(), ), ) authReadACL = davxml.ACL( # Read access for authenticated users. davxml.ACE( davxml.Principal(davxml.Authenticated()), davxml.Grant(davxml.Privilege(davxml.Read())), davxml.Protected(), ), ) def __init__(self, principalCollections, isdir=False, defaultACL=authReadACL): """ Make sure it is a collection. """ CalDAVResource.__init__(self, principalCollections=principalCollections) self._isDir = isdir self.defaultACL = defaultACL def isCollection(self): return self._isDir def deadProperties(self): if not hasattr(self, "_dead_properties"): self._dead_properties = NonePropertyStore(self) return self._dead_properties def etag(self): return succeed(None) def accessControlList(self, request, inheritance=True, expanding=False, inherited_aces=None): return succeed(self.defaultACL)
def test_checkPrivileges(self): """ DAVResource.checkPrivileges() """ ds = [] authAllResource = AuthAllResource() requested_access = (davxml.All(), ) site = Site(authAllResource) def expectError(failure): failure.trap(AccessDeniedError) errors = failure.value.errors self.failUnless(len(errors) == 1) subpath, denials = errors[0] self.failUnless(subpath is None) self.failUnless( tuple(denials) == requested_access, "%r != %r" % (tuple(denials), requested_access)) def expectOK(result): self.failUnlessEquals(result, None) def _checkPrivileges(resource): d = resource.checkPrivileges(request, requested_access) return d # No auth; should deny request = SimpleRequest(site, "GET", "/") d = request.locateResource("/").addCallback( _checkPrivileges).addErrback(expectError) ds.append(d) # Has auth; should allow request = SimpleRequest(site, "GET", "/") request.authzUser = request.authnUser = self.rootresource.principalForUser( "gooduser") d = request.locateResource("/") d.addCallback(_checkPrivileges) d.addCallback(expectOK) ds.append(d) return DeferredList(ds)
def setUp(self): TestCase.setUp(self) gooduser = TestDAVPrincipalResource("/users/gooduser") gooduser.writeDeadProperty(TwistedPasswordProperty("goodpass")) baduser = TestDAVPrincipalResource("/users/baduser") baduser.writeDeadProperty(TwistedPasswordProperty("badpass")) rootresource = TestPrincipalsCollection( "/", { "users": TestResource("/users/", { "gooduser": gooduser, "baduser": baduser }) }) protected = TestResource("/protected", principalCollections=[rootresource]) protected.setAccessControlList( davxml.ACL( davxml.ACE(davxml.Principal(davxml.HRef("/users/gooduser")), davxml.Grant(davxml.Privilege(davxml.All())), davxml.Protected()))) rootresource.children["protected"] = protected portal = Portal(DavRealm()) portal.registerChecker(TwistedPropertyChecker()) credentialFactories = (basic.BasicCredentialFactory(""), ) loginInterfaces = (IPrincipal, ) self.rootresource = rootresource self.site = Site( AuthenticationWrapper( self.rootresource, portal, credentialFactories, credentialFactories, loginInterfaces, ))
def defaultAccessControlList(self): if config.AnonymousDirectoryAddressBookAccess: # DAV:Read for all principals (includes anonymous) accessPrincipal = davxml.All() else: # DAV:Read for all authenticated principals (does not include anonymous) accessPrincipal = davxml.Authenticated() return succeed( davxml.ACL( davxml.ACE( davxml.Principal(accessPrincipal), davxml.Grant( davxml.Privilege(davxml.Read()), davxml.Privilege( davxml.ReadCurrentUserPrivilegeSet())), davxml.Protected(), TwistedACLInheritable(), ), ))
def grant(*privileges): return element.ACL(*[ element.ACE(element.Grant(element.Privilege(privilege)), element.Principal(element.All())) for privilege in privileges ])
def grantInherit(*privileges): return element.ACL(*[ element.ACE(element.Grant(element.Privilege(privilege)), element.Principal(element.All()), TwistedACLInheritable()) for privilege in privileges ])
def _getSite(self): if not hasattr(self, "_site"): rootresource = self.resource_class(self.docroot) rootresource.setAccessControlList(self.grantInherit(element.All())) self._site = Site(rootresource) return self._site