def _authReadOnlyPrivileges(self, resource, url, records=None):
items = []
if records is None:
records = yield self._allRecords()
for (
_ignore_provisioningResource, _ignore_recordType, recordResource, _ignore_record
) in records:
items.append((
davxml.HRef().fromString(recordResource.principalURL()),
davxml.Read(), True
))
items.append((
davxml.HRef().fromString(recordResource.principalURL()),
davxml.Write(), False
))
items.append((
davxml.Unauthenticated(), davxml.Read(), False
))
items.append((
davxml.Unauthenticated(), davxml.Write(), False
))
results = []
for principal, privilege, allowed in items:
results.append((resource, url, principal, privilege, allowed))
returnValue(results)
def createDocumentRoot(self):
docroot = self.mktemp()
os.mkdir(docroot)
userResource = TestDAVPrincipalResource("/principals/users/user01")
userResource.writeDeadProperty(TwistedPasswordProperty("user01"))
principalCollection = TestPrincipalsCollection(
"/principals/",
children={"users": TestPrincipalsCollection(
"/principals/users/",
children={"user01": userResource})})
rootResource = self.resource_class(
docroot, principalCollections=(principalCollection,))
portal = Portal(DavRealm())
portal.registerChecker(TwistedPropertyChecker())
credentialFactories = (basic.BasicCredentialFactory(""),)
loginInterfaces = (IPrincipal,)
self.site = Site(AuthenticationWrapper(
rootResource,
portal,
credentialFactories,
credentialFactories,
loginInterfaces
))
rootResource.setAccessControlList(self.grant(element.All()))
for name, acl in (
("none" , self.grant()),
("read" , self.grant(element.Read())),
("read-write" , self.grant(element.Read(), element.Write())),
("unlock" , self.grant(element.Unlock())),
("all" , self.grant(element.All())),
):
filename = os.path.join(docroot, name)
if not os.path.isfile(filename):
file(filename, "w").close()
resource = self.resource_class(filename)
resource.setAccessControlList(acl)
for name, acl in (
("nobind" , self.grant()),
("bind" , self.grant(element.Bind())),
("unbind" , self.grant(element.Bind(), element.Unbind())),
):
dirname = os.path.join(docroot, name)
if not os.path.isdir(dirname):
os.mkdir(dirname)
resource = self.resource_class(dirname)
resource.setAccessControlList(acl)
return docroot
def work():
dst_path = os.path.join(self.docroot, "copy_dst")
dst_uri = "/" + os.path.basename(dst_path)
for src, status in (
("nobind", responsecode.FORBIDDEN),
("bind", responsecode.FORBIDDEN),
("unbind", responsecode.CREATED),
):
src_path = os.path.join(self.docroot, "src_" + src)
src_uri = "/" + os.path.basename(src_path)
if not os.path.isdir(src_path):
os.mkdir(src_path)
src_resource = self.resource_class(src_path)
src_resource.setAccessControlList({
"nobind": self.grant(),
"bind" : self.grant(element.Bind()),
"unbind": self.grant(element.Bind(), element.Unbind())
}[src])
for name, acl in (
("none" , self.grant()),
("read" , self.grant(element.Read())),
("read-write" , self.grant(element.Read(), element.Write())),
("unlock" , self.grant(element.Unlock())),
("all" , self.grant(element.All())),
):
filename = os.path.join(src_path, name)
if not os.path.isfile(filename):
file(filename, "w").close()
self.resource_class(filename).setAccessControlList(acl)
for method in ("COPY", "MOVE"):
for name, code in (
("none", {"COPY": responsecode.FORBIDDEN, "MOVE": status}[method]),
("read", {"COPY": responsecode.CREATED, "MOVE": status}[method]),
("read-write" , {"COPY": responsecode.CREATED, "MOVE": status}[method]),
("unlock", {"COPY": responsecode.FORBIDDEN, "MOVE": status}[method]),
("all", {"COPY": responsecode.CREATED, "MOVE": status}[method]),
):
path = os.path.join(src_path, name)
uri = src_uri + "/" + name
request = SimpleRequest(self.site, method, uri)
request.headers.setHeader("destination", dst_uri)
_add_auth_header(request)
def test(response, code=code, path=path):
if os.path.isfile(dst_path):
os.remove(dst_path)
if response.code != code:
return self.oops(request, response, code, method, name)
yield (request, test)
def _xmlHandleInviteReply(self, request, docroot):
# Sharing must be enabled for this collection
if not self.canShare():
raise HTTPError(ErrorResponse(
responsecode.FORBIDDEN,
(customxml.calendarserver_namespace, "valid-request"),
"Sharing not supported on this resource",
))
yield self.authorize(request, (element.Read(), element.Write()))
result = (yield self._handleInviteReply(request, docroot))
returnValue(result)
def test_Privilege_isAggregateOf(self):
"""
Privilege.isAggregateOf()
"""
for a, b in (
(davxml.All(), davxml.Write()),
(davxml.All(), davxml.ReadACL()),
(davxml.Write(), davxml.WriteProperties()),
(davxml.Write(), davxml.WriteContent()),
(davxml.Write(), davxml.Bind()),
(davxml.Write(), davxml.Unbind()),
):
pa = davxml.Privilege(a)
pb = davxml.Privilege(b)
self.failUnless(pa.isAggregateOf(pb, davPrivilegeSet),
"%s contains %s" % (a.sname(), b.sname()))
self.failIf(pb.isAggregateOf(pa, davPrivilegeSet),
"%s does not contain %s" % (b.sname(), a.sname()))
for a, b in (
(davxml.Unlock(), davxml.Write()),
(davxml.Unlock(), davxml.WriteACL()),
(davxml.ReadCurrentUserPrivilegeSet(), davxml.WriteProperties()),
):
pa = davxml.Privilege(a)
pb = davxml.Privilege(b)
self.failIf(pb.isAggregateOf(pa, davPrivilegeSet),
"%s does not contain %s" % (b.sname(), a.sname()))
def defaultAccessControlList(self):
return succeed(
davxml.ACL(
# DAV:Read for authenticated principals
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.Read()), ),
davxml.Protected(),
),
# DAV:Write for authenticated principals
davxml.ACE(
davxml.Principal(davxml.Authenticated()),
davxml.Grant(davxml.Privilege(davxml.Write()), ),
davxml.Protected(),
),
))
def http_POST(self, request):
yield self.authorize(request, (davxml.Write(), ))
yield parsePOSTData(request)
code, msg = (yield self.processSubscription(request))
returnValue(self.renderResponse(code, body=msg))
def getWikiACL(resource, request):
"""
Ask the wiki server we're paired with what level of access the authnUser
has.
Returns an ACL.
Wiki authentication is a bit tricky because the end-user accessing a group
calendar may not actually be enabled for calendaring. Therefore in that
situation, the authzUser will have been replaced with the wiki principal
in locateChild( ), so that any changes the user makes will have the wiki
as the originator. The authnUser will always be the end-user.
"""
from twistedcaldav.directory.principal import DirectoryPrincipalResource
if (not hasattr(resource, "record")
or resource.record.recordType != RecordType.macOSXServerWiki):
returnValue(None)
if hasattr(request, 'wikiACL'):
returnValue(request.wikiACL)
wikiRecord = resource.record
wikiID = wikiRecord.shortNames[0]
userRecord = None
try:
url = request.authnUser.principalURL()
principal = (yield request.locateResource(url))
if isinstance(principal, DirectoryPrincipalResource):
userRecord = principal.record
except:
# TODO: better error handling
pass
try:
access = yield wikiRecord.accessForRecord(userRecord)
# The ACL we returns has ACEs for the end-user and the wiki principal
# in case authzUser is the wiki principal.
if access == WikiAccessLevel.read:
request.wikiACL = davxml.ACL(
davxml.ACE(
(request.authnUser.principalElement()
if request.authnUser is not None else davxml.Principal(
davxml.Unauthenticated())),
davxml.Grant(
davxml.Privilege(davxml.Read()),
davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
# We allow write-properties so that direct sharees can
# change e.g. calendar color properties
davxml.Privilege(davxml.WriteProperties()),
),
TwistedACLInheritable(),
),
davxml.ACE(
davxml.Principal(
davxml.HRef.fromString(
"/principals/wikis/{}/".format(wikiID))),
davxml.Grant(
davxml.Privilege(davxml.Read()),
davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
),
TwistedACLInheritable(),
))
returnValue(request.wikiACL)
elif access == WikiAccessLevel.write:
request.wikiACL = davxml.ACL(
davxml.ACE(
(request.authnUser.principalElement()
if request.authnUser is not None else davxml.Principal(
davxml.Unauthenticated())),
davxml.Grant(
davxml.Privilege(davxml.Read()),
davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
davxml.Privilege(davxml.Write()),
),
TwistedACLInheritable(),
),
davxml.ACE(
davxml.Principal(
davxml.HRef.fromString(
"/principals/wikis/{}/".format(wikiID))),
davxml.Grant(
davxml.Privilege(davxml.Read()),
davxml.Privilege(davxml.ReadCurrentUserPrivilegeSet()),
davxml.Privilege(davxml.Write()),
),
TwistedACLInheritable(),
))
returnValue(request.wikiACL)
else: # "no-access":
if userRecord is None:
# Return a 401 so they have an opportunity to log in
response = (yield UnauthorizedResponse.makeResponse(
request.credentialFactories,
request.remoteAddr,
))
raise HTTPError(response)
raise HTTPError(
StatusResponse(responsecode.FORBIDDEN,
"You are not allowed to access this wiki"))
except HTTPError:
# pass through the HTTPError we might have raised above
raise
except Exception as e:
log.error("Wiki ACL lookup failed: {error}", error=e)
raise HTTPError(
StatusResponse(responsecode.SERVICE_UNAVAILABLE,
"Wiki ACL lookup failed"))
def shareeAccessControlList(self, request, *args, **kwargs):
"""
Return WebDAV ACLs appropriate for the current user accessing the
shared collection. For an "invite" share we take the privilege granted
to the sharee in the invite and map that to WebDAV ACLs. For a
"direct" share, if it is a wiki collection we map the wiki privileges
into WebDAV ACLs, otherwise we use whatever privileges exist on the
underlying shared collection.
@param request: the request used to locate the owner resource.
@type request: L{txweb2.iweb.IRequest}
@param args: The arguments for
L{txweb2.dav.idav.IDAVResource.accessControlList}
@param kwargs: The keyword arguments for
L{txweb2.dav.idav.IDAVResource.accessControlList}, plus
keyword-only arguments.
@return: the appropriate WebDAV ACL for the sharee
@rtype: L{davxml.ACL}
"""
assert self._isShareeResource, "Only call this for a sharee resource"
assert self.isCalendarCollection() or self.isAddressBookCollection(
), "Only call this for a address book or calendar resource"
sharee = yield self.principalForUID(
self._newStoreObject.viewerHome().uid())
access = yield self._checkAccessControl()
if access == "original" and not self._newStoreObject.ownerHome(
).external():
original = (yield request.locateResource(self._share_url))
result = (yield original.accessControlList(request, *args,
**kwargs))
returnValue(result)
# Direct shares use underlying privileges of shared collection
userprivs = []
if access in (
"read-only",
"read-write",
):
userprivs.append(element.Privilege(element.Read()))
userprivs.append(element.Privilege(element.ReadACL()))
userprivs.append(
element.Privilege(element.ReadCurrentUserPrivilegeSet()))
if access in ("read-only", ):
userprivs.append(element.Privilege(element.WriteProperties()))
if access in ("read-write", ):
userprivs.append(element.Privilege(element.Write()))
proxyprivs = list(userprivs)
try:
proxyprivs.remove(element.Privilege(element.ReadACL()))
except ValueError:
# If wiki says no-access then ReadACL won't be in the list
pass
aces = (
# Inheritable specific access for the resource's associated principal.
element.ACE(
element.Principal(element.HRef(sharee.principalURL())),
element.Grant(*userprivs),
element.Protected(),
TwistedACLInheritable(),
), )
if self.isCalendarCollection():
aces += (
# Inheritable CALDAV:read-free-busy access for authenticated users.
element.ACE(
element.Principal(element.Authenticated()),
element.Grant(element.Privilege(caldavxml.ReadFreeBusy())),
TwistedACLInheritable(),
), )
# Give read access to config.ReadPrincipals
aces += config.ReadACEs
# Give all access to config.AdminPrincipals
aces += config.AdminACEs
if self.isCalendarCollection() and config.EnableProxyPrincipals:
aces += (
# DAV:read/DAV:read-current-user-privilege-set access for this principal's calendar-proxy-read users.
element.ACE(
element.Principal(
element.HRef(
joinURL(sharee.principalURL(),
"calendar-proxy-read/"))),
element.Grant(
element.Privilege(element.Read()),
element.Privilege(
element.ReadCurrentUserPrivilegeSet()),
element.Privilege(element.WriteProperties()),
),
element.Protected(),
TwistedACLInheritable(),
),
# DAV:read/DAV:read-current-user-privilege-set/DAV:write access for this principal's calendar-proxy-write users.
element.ACE(
element.Principal(
element.HRef(
joinURL(sharee.principalURL(),
"calendar-proxy-write/"))),
element.Grant(*proxyprivs),
element.Protected(),
TwistedACLInheritable(),
),
)
returnValue(element.ACL(*aces))
