def test_Privilege_isAggregateOf(self):
"""
Privilege.isAggregateOf()
"""
for a, b in (
(davxml.All(), davxml.Write()),
(davxml.All(), davxml.ReadACL()),
(davxml.Write(), davxml.WriteProperties()),
(davxml.Write(), davxml.WriteContent()),
(davxml.Write(), davxml.Bind()),
(davxml.Write(), davxml.Unbind()),
):
pa = davxml.Privilege(a)
pb = davxml.Privilege(b)
self.failUnless(pa.isAggregateOf(pb, davPrivilegeSet),
"%s contains %s" % (a.sname(), b.sname()))
self.failIf(pb.isAggregateOf(pa, davPrivilegeSet),
"%s does not contain %s" % (b.sname(), a.sname()))
for a, b in (
(davxml.Unlock(), davxml.Write()),
(davxml.Unlock(), davxml.WriteACL()),
(davxml.ReadCurrentUserPrivilegeSet(), davxml.WriteProperties()),
):
pa = davxml.Privilege(a)
pb = davxml.Privilege(b)
self.failIf(pb.isAggregateOf(pa, davPrivilegeSet),
"%s does not contain %s" % (b.sname(), a.sname()))
class TestResource(DAVResource):
"""A simple test resource used for creating trees of
DAV Resources
"""
_cachedPropertyStores = {}
acl = davxml.ACL(
davxml.ACE(
davxml.Principal(davxml.All()),
davxml.Grant(davxml.Privilege(davxml.All())),
davxml.Protected(),
))
def __init__(self, uri=None, children=None, principalCollections=()):
"""
@param uri: A string respresenting the URI of the given resource
@param children: a dictionary of names to Resources
"""
DAVResource.__init__(self, principalCollections=principalCollections)
self.children = children
self.uri = uri
def deadProperties(self):
"""
Retrieve deadProperties from a special place in memory
"""
if not hasattr(self, "_dead_properties"):
dp = TestResource._cachedPropertyStores.get(self.uri)
if dp is None:
TestResource._cachedPropertyStores[
self.uri] = InMemoryPropertyStore(self)
dp = TestResource._cachedPropertyStores[self.uri]
self._dead_properties = dp
return self._dead_properties
def isCollection(self):
return self.children is not None
def listChildren(self):
return self.children.keys()
def supportedPrivileges(self, request):
return succeed(davPrivilegeSet)
def locateChild(self, request, segments):
child = segments[0]
if child == "":
return self, segments[1:]
elif child in self.children:
return self.children[child], segments[1:]
else:
raise HTTPError(404)
def setAccessControlList(self, acl):
self.acl = acl
def accessControlList(self, request, **kwargs):
return succeed(self.acl)
def createDocumentRoot(self):
docroot = self.mktemp()
os.mkdir(docroot)
userResource = TestDAVPrincipalResource("/principals/users/user01")
userResource.writeDeadProperty(TwistedPasswordProperty("user01"))
principalCollection = TestPrincipalsCollection(
"/principals/",
children={"users": TestPrincipalsCollection(
"/principals/users/",
children={"user01": userResource})})
rootResource = self.resource_class(
docroot, principalCollections=(principalCollection,))
portal = Portal(DavRealm())
portal.registerChecker(TwistedPropertyChecker())
credentialFactories = (basic.BasicCredentialFactory(""),)
loginInterfaces = (IPrincipal,)
self.site = Site(AuthenticationWrapper(
rootResource,
portal,
credentialFactories,
credentialFactories,
loginInterfaces
))
rootResource.setAccessControlList(self.grant(element.All()))
for name, acl in (
("none" , self.grant()),
("read" , self.grant(element.Read())),
("read-write" , self.grant(element.Read(), element.Write())),
("unlock" , self.grant(element.Unlock())),
("all" , self.grant(element.All())),
):
filename = os.path.join(docroot, name)
if not os.path.isfile(filename):
file(filename, "w").close()
resource = self.resource_class(filename)
resource.setAccessControlList(acl)
for name, acl in (
("nobind" , self.grant()),
("bind" , self.grant(element.Bind())),
("unbind" , self.grant(element.Bind(), element.Unbind())),
):
dirname = os.path.join(docroot, name)
if not os.path.isdir(dirname):
os.mkdir(dirname)
resource = self.resource_class(dirname)
resource.setAccessControlList(acl)
return docroot
def defaultAccessControlList(self):
aces = (
# DAV:read access for authenticated users.
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.Read())),
),
# Inheritable DAV:all access for the resource's associated principal.
davxml.ACE(
davxml.Principal(davxml.HRef(self.parent.principalURL())),
davxml.Grant(davxml.Privilege(davxml.WriteProperties())),
davxml.Protected(),
),
)
# Add admins
aces += tuple((
davxml.ACE(
davxml.Principal(davxml.HRef(principal)),
davxml.Grant(davxml.Privilege(davxml.All())),
davxml.Protected(),
)
for principal in config.AdminPrincipals
))
return succeed(davxml.ACL(*aces))
def createDocumentRoot(self):
docroot = self.mktemp()
os.mkdir(docroot)
rootresource = self.resource_class(docroot)
rootresource.setAccessControlList(self.grantInherit(element.All()))
dirnames = (
os.path.join(docroot, "dir1"), # 0
os.path.join(docroot, "dir2"), # 1
os.path.join(docroot, "dir2", "subdir1"), # 2
os.path.join(docroot, "dir3"), # 3
os.path.join(docroot, "dir4"), # 4
os.path.join(docroot, "dir4", "subdir1"), # 5
os.path.join(docroot, "dir4", "subdir1", "subsubdir1"), # 6
os.path.join(docroot, "dir4", "subdir2"), # 7
os.path.join(docroot, "dir4", "subdir2", "dir1"), # 8
os.path.join(docroot, "dir4", "subdir2", "dir2"), # 9
)
for dir in dirnames:
os.mkdir(dir)
src = os.path.dirname(__file__)
filenames = [
os.path.join(src, f) for f in os.listdir(src)
if os.path.isfile(os.path.join(src, f))
]
for dirname in (docroot, ) + dirnames[3:8 + 1]:
for filename in filenames[:5]:
copy(filename, dirname)
return docroot
def createDocumentRoot(self):
docroot = self.mktemp()
os.mkdir(docroot)
rootresource = self.resource_class(docroot)
rootresource.setAccessControlList(self.grantInherit(davxml.All()))
self.site = Site(rootresource)
self.site.resource.setQuotaRoot(None, 100000)
return docroot
def defaultAccessControlList(self):
return succeed(
davxml.ACL(
# DAV:Read for all principals (includes anonymous)
davxml.ACE(
davxml.Principal(davxml.All()),
davxml.Grant(davxml.Privilege(davxml.Read()), ),
davxml.Protected(),
), ))
class AuthAllResource(TestResource):
"""
Give Authenticated principals all privileges and deny everyone else.
"""
acl = davxml.ACL(
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.All())),
davxml.Protected(),
))
def work():
dst_path = os.path.join(self.docroot, "copy_dst")
dst_uri = "/" + os.path.basename(dst_path)
for src, status in (
("nobind", responsecode.FORBIDDEN),
("bind", responsecode.FORBIDDEN),
("unbind", responsecode.CREATED),
):
src_path = os.path.join(self.docroot, "src_" + src)
src_uri = "/" + os.path.basename(src_path)
if not os.path.isdir(src_path):
os.mkdir(src_path)
src_resource = self.resource_class(src_path)
src_resource.setAccessControlList({
"nobind": self.grant(),
"bind" : self.grant(element.Bind()),
"unbind": self.grant(element.Bind(), element.Unbind())
}[src])
for name, acl in (
("none" , self.grant()),
("read" , self.grant(element.Read())),
("read-write" , self.grant(element.Read(), element.Write())),
("unlock" , self.grant(element.Unlock())),
("all" , self.grant(element.All())),
):
filename = os.path.join(src_path, name)
if not os.path.isfile(filename):
file(filename, "w").close()
self.resource_class(filename).setAccessControlList(acl)
for method in ("COPY", "MOVE"):
for name, code in (
("none", {"COPY": responsecode.FORBIDDEN, "MOVE": status}[method]),
("read", {"COPY": responsecode.CREATED, "MOVE": status}[method]),
("read-write" , {"COPY": responsecode.CREATED, "MOVE": status}[method]),
("unlock", {"COPY": responsecode.FORBIDDEN, "MOVE": status}[method]),
("all", {"COPY": responsecode.CREATED, "MOVE": status}[method]),
):
path = os.path.join(src_path, name)
uri = src_uri + "/" + name
request = SimpleRequest(self.site, method, uri)
request.headers.setHeader("destination", dst_uri)
_add_auth_header(request)
def test(response, code=code, path=path):
if os.path.isfile(dst_path):
os.remove(dst_path)
if response.code != code:
return self.oops(request, response, code, method, name)
yield (request, test)
def defaultAccessControlList(self):
privs = (
davxml.Privilege(davxml.Read()),
davxml.Privilege(caldavxml.ScheduleDeliver()),
)
return succeed(
davxml.ACL(
# DAV:Read, CalDAV:schedule-deliver for all principals (includes anonymous)
davxml.ACE(
davxml.Principal(davxml.All()),
davxml.Grant(*privs),
davxml.Protected(),
), ))
class SimpleResource(
CalDAVResource, ):
allReadACL = davxml.ACL(
# Read access for all users.
davxml.ACE(
davxml.Principal(davxml.All()),
davxml.Grant(davxml.Privilege(davxml.Read())),
davxml.Protected(),
), )
authReadACL = davxml.ACL(
# Read access for authenticated users.
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.Read())),
davxml.Protected(),
), )
def __init__(self,
principalCollections,
isdir=False,
defaultACL=authReadACL):
"""
Make sure it is a collection.
"""
CalDAVResource.__init__(self,
principalCollections=principalCollections)
self._isDir = isdir
self.defaultACL = defaultACL
def isCollection(self):
return self._isDir
def deadProperties(self):
if not hasattr(self, "_dead_properties"):
self._dead_properties = NonePropertyStore(self)
return self._dead_properties
def etag(self):
return succeed(None)
def accessControlList(self,
request,
inheritance=True,
expanding=False,
inherited_aces=None):
return succeed(self.defaultACL)
def test_checkPrivileges(self):
"""
DAVResource.checkPrivileges()
"""
ds = []
authAllResource = AuthAllResource()
requested_access = (davxml.All(), )
site = Site(authAllResource)
def expectError(failure):
failure.trap(AccessDeniedError)
errors = failure.value.errors
self.failUnless(len(errors) == 1)
subpath, denials = errors[0]
self.failUnless(subpath is None)
self.failUnless(
tuple(denials) == requested_access,
"%r != %r" % (tuple(denials), requested_access))
def expectOK(result):
self.failUnlessEquals(result, None)
def _checkPrivileges(resource):
d = resource.checkPrivileges(request, requested_access)
return d
# No auth; should deny
request = SimpleRequest(site, "GET", "/")
d = request.locateResource("/").addCallback(
_checkPrivileges).addErrback(expectError)
ds.append(d)
# Has auth; should allow
request = SimpleRequest(site, "GET", "/")
request.authzUser = request.authnUser = self.rootresource.principalForUser(
"gooduser")
d = request.locateResource("/")
d.addCallback(_checkPrivileges)
d.addCallback(expectOK)
ds.append(d)
return DeferredList(ds)
def setUp(self):
TestCase.setUp(self)
gooduser = TestDAVPrincipalResource("/users/gooduser")
gooduser.writeDeadProperty(TwistedPasswordProperty("goodpass"))
baduser = TestDAVPrincipalResource("/users/baduser")
baduser.writeDeadProperty(TwistedPasswordProperty("badpass"))
rootresource = TestPrincipalsCollection(
"/", {
"users":
TestResource("/users/", {
"gooduser": gooduser,
"baduser": baduser
})
})
protected = TestResource("/protected",
principalCollections=[rootresource])
protected.setAccessControlList(
davxml.ACL(
davxml.ACE(davxml.Principal(davxml.HRef("/users/gooduser")),
davxml.Grant(davxml.Privilege(davxml.All())),
davxml.Protected())))
rootresource.children["protected"] = protected
portal = Portal(DavRealm())
portal.registerChecker(TwistedPropertyChecker())
credentialFactories = (basic.BasicCredentialFactory(""), )
loginInterfaces = (IPrincipal, )
self.rootresource = rootresource
self.site = Site(
AuthenticationWrapper(
self.rootresource,
portal,
credentialFactories,
credentialFactories,
loginInterfaces,
))
def defaultAccessControlList(self):
if config.AnonymousDirectoryAddressBookAccess:
# DAV:Read for all principals (includes anonymous)
accessPrincipal = davxml.All()
else:
# DAV:Read for all authenticated principals (does not include anonymous)
accessPrincipal = davxml.Authenticated()
return succeed(
davxml.ACL(
davxml.ACE(
davxml.Principal(accessPrincipal),
davxml.Grant(
davxml.Privilege(davxml.Read()),
davxml.Privilege(
davxml.ReadCurrentUserPrivilegeSet())),
davxml.Protected(),
TwistedACLInheritable(),
), ))
def grant(*privileges):
return element.ACL(*[
element.ACE(element.Grant(element.Privilege(privilege)),
element.Principal(element.All()))
for privilege in privileges
])
def grantInherit(*privileges):
return element.ACL(*[
element.ACE(element.Grant(element.Privilege(privilege)),
element.Principal(element.All()),
TwistedACLInheritable()) for privilege in privileges
])
def _getSite(self):
if not hasattr(self, "_site"):
rootresource = self.resource_class(self.docroot)
rootresource.setAccessControlList(self.grantInherit(element.All()))
self._site = Site(rootresource)
return self._site
