| 
									
										
										
										
											2021-12-08 21:45:42 +01:00
										 |  |  | # This file is part of Radicale - CalDAV and CardDAV server | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | # Copyright © 2008 Nicolas Kandel | 
					
						
							|  |  |  | # Copyright © 2008 Pascal Halter | 
					
						
							|  |  |  | # Copyright © 2008-2017 Guillaume Ayoub | 
					
						
							| 
									
										
										
										
											2019-06-17 04:13:25 +02:00
										 |  |  | # Copyright © 2017-2019 Unrud <unrud@outlook.com> | 
					
						
							| 
									
										
										
										
											2025-01-01 15:47:22 +01:00
										 |  |  | # Copyright © 2024-2025 Peter Bieringer <pb@bieringer.de> | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | # | 
					
						
							|  |  |  | # This library is free software: you can redistribute it and/or modify | 
					
						
							|  |  |  | # it under the terms of the GNU General Public License as published by | 
					
						
							|  |  |  | # the Free Software Foundation, either version 3 of the License, or | 
					
						
							|  |  |  | # (at your option) any later version. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # This library is distributed in the hope that it will be useful, | 
					
						
							|  |  |  | # but WITHOUT ANY WARRANTY; without even the implied warranty of | 
					
						
							|  |  |  | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the | 
					
						
							|  |  |  | # GNU General Public License for more details. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # You should have received a copy of the GNU General Public License | 
					
						
							|  |  |  | # along with Radicale.  If not, see <http://www.gnu.org/licenses/>. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | """
 | 
					
						
							|  |  |  | Radicale WSGI application. | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-01-12 23:32:28 +01:00
										 |  |  | Can be used with an external WSGI server (see ``radicale.application()``) or | 
					
						
							|  |  |  | the built-in server (see ``radicale.server`` module). | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | """
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import base64 | 
					
						
							|  |  |  | import datetime | 
					
						
							|  |  |  | import pprint | 
					
						
							|  |  |  | import random | 
					
						
							|  |  |  | import time | 
					
						
							|  |  |  | import zlib | 
					
						
							|  |  |  | from http import client | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  | from typing import Iterable, List, Mapping, Tuple, Union | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  | from radicale import config, httputils, log, pathutils, types | 
					
						
							|  |  |  | from radicale.app.base import ApplicationBase | 
					
						
							|  |  |  | from radicale.app.delete import ApplicationPartDelete | 
					
						
							|  |  |  | from radicale.app.get import ApplicationPartGet | 
					
						
							|  |  |  | from radicale.app.head import ApplicationPartHead | 
					
						
							|  |  |  | from radicale.app.mkcalendar import ApplicationPartMkcalendar | 
					
						
							|  |  |  | from radicale.app.mkcol import ApplicationPartMkcol | 
					
						
							|  |  |  | from radicale.app.move import ApplicationPartMove | 
					
						
							|  |  |  | from radicale.app.options import ApplicationPartOptions | 
					
						
							|  |  |  | from radicale.app.post import ApplicationPartPost | 
					
						
							|  |  |  | from radicale.app.propfind import ApplicationPartPropfind | 
					
						
							|  |  |  | from radicale.app.proppatch import ApplicationPartProppatch | 
					
						
							|  |  |  | from radicale.app.put import ApplicationPartPut | 
					
						
							|  |  |  | from radicale.app.report import ApplicationPartReport | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | from radicale.log import logger | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  | # Combination of types.WSGIStartResponse and WSGI application return value | 
					
						
							|  |  |  | _IntermediateResponse = Tuple[str, List[Tuple[str, str]], Iterable[bytes]] | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  | class Application(ApplicationPartDelete, ApplicationPartHead, | 
					
						
							|  |  |  |                   ApplicationPartGet, ApplicationPartMkcalendar, | 
					
						
							|  |  |  |                   ApplicationPartMkcol, ApplicationPartMove, | 
					
						
							|  |  |  |                   ApplicationPartOptions, ApplicationPartPropfind, | 
					
						
							|  |  |  |                   ApplicationPartProppatch, ApplicationPartPost, | 
					
						
							|  |  |  |                   ApplicationPartPut, ApplicationPartReport, ApplicationBase): | 
					
						
							| 
									
										
										
										
											2020-01-12 23:32:28 +01:00
										 |  |  |     """WSGI application.""" | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |     _mask_passwords: bool | 
					
						
							|  |  |  |     _auth_delay: float | 
					
						
							|  |  |  |     _internal_server: bool | 
					
						
							|  |  |  |     _max_content_length: int | 
					
						
							|  |  |  |     _auth_realm: str | 
					
						
							| 
									
										
										
										
											2025-03-02 09:05:12 +01:00
										 |  |  |     _script_name: str | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |     _extra_headers: Mapping[str, str] | 
					
						
							| 
									
										
										
										
											2024-03-09 06:43:39 +01:00
										 |  |  |     _permit_delete_collection: bool | 
					
						
							| 
									
										
										
										
											2024-09-29 18:15:42 +02:00
										 |  |  |     _permit_overwrite_collection: bool | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |     def __init__(self, configuration: config.Configuration) -> None: | 
					
						
							| 
									
										
										
										
											2020-01-13 15:51:10 +01:00
										 |  |  |         """Initialize Application.
 | 
					
						
							| 
									
										
										
										
											2020-01-12 23:32:28 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  |         ``configuration`` see ``radicale.config`` module. | 
					
						
							| 
									
										
										
										
											2020-01-13 15:51:10 +01:00
										 |  |  |         The ``configuration`` must not change during the lifetime of | 
					
						
							|  |  |  |         this object, it is kept as an internal reference. | 
					
						
							| 
									
										
										
										
											2020-01-12 23:32:28 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  |         """
 | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |         super().__init__(configuration) | 
					
						
							|  |  |  |         self._mask_passwords = configuration.get("logging", "mask_passwords") | 
					
						
							| 
									
										
										
										
											2024-05-29 06:07:36 +02:00
										 |  |  |         self._bad_put_request_content = configuration.get("logging", "bad_put_request_content") | 
					
						
							| 
									
										
										
										
											2024-06-11 13:26:21 +02:00
										 |  |  |         self._request_header_on_debug = configuration.get("logging", "request_header_on_debug") | 
					
						
							|  |  |  |         self._response_content_on_debug = configuration.get("logging", "response_content_on_debug") | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |         self._auth_delay = configuration.get("auth", "delay") | 
					
						
							|  |  |  |         self._internal_server = configuration.get("server", "_internal_server") | 
					
						
							| 
									
										
										
										
											2025-03-02 09:05:12 +01:00
										 |  |  |         self._script_name = configuration.get("server", "script_name") | 
					
						
							|  |  |  |         if self._script_name: | 
					
						
							|  |  |  |             if self._script_name[0] != "/": | 
					
						
							|  |  |  |                 logger.error("server.script_name must start with '/': %r", self._script_name) | 
					
						
							|  |  |  |                 raise RuntimeError("server.script_name option has to start with '/'") | 
					
						
							|  |  |  |             else: | 
					
						
							|  |  |  |                 if self._script_name.endswith("/"): | 
					
						
							|  |  |  |                     logger.error("server.script_name must not end with '/': %r", self._script_name) | 
					
						
							|  |  |  |                     raise RuntimeError("server.script_name option must not end with '/'") | 
					
						
							|  |  |  |                 else: | 
					
						
							|  |  |  |                     logger.info("Provided script name to strip from URI if called by reverse proxy: %r", self._script_name) | 
					
						
							|  |  |  |         else: | 
					
						
							|  |  |  |             logger.info("Default script name to strip from URI if called by reverse proxy is taken from HTTP_X_SCRIPT_NAME or SCRIPT_NAME") | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |         self._max_content_length = configuration.get( | 
					
						
							|  |  |  |             "server", "max_content_length") | 
					
						
							|  |  |  |         self._auth_realm = configuration.get("auth", "realm") | 
					
						
							| 
									
										
										
										
											2024-03-09 06:43:39 +01:00
										 |  |  |         self._permit_delete_collection = configuration.get("rights", "permit_delete_collection") | 
					
						
							|  |  |  |         logger.info("permit delete of collection: %s", self._permit_delete_collection) | 
					
						
							| 
									
										
										
										
											2024-09-29 18:15:42 +02:00
										 |  |  |         self._permit_overwrite_collection = configuration.get("rights", "permit_overwrite_collection") | 
					
						
							|  |  |  |         logger.info("permit overwrite of collection: %s", self._permit_overwrite_collection) | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |         self._extra_headers = dict() | 
					
						
							|  |  |  |         for key in self.configuration.options("headers"): | 
					
						
							|  |  |  |             self._extra_headers[key] = configuration.get("headers", key) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     def _scrub_headers(self, environ: types.WSGIEnviron) -> types.WSGIEnviron: | 
					
						
							|  |  |  |         """Mask passwords and cookies.""" | 
					
						
							|  |  |  |         headers = dict(environ) | 
					
						
							|  |  |  |         if (self._mask_passwords and | 
					
						
							|  |  |  |                 headers.get("HTTP_AUTHORIZATION", "").startswith("Basic")): | 
					
						
							|  |  |  |             headers["HTTP_AUTHORIZATION"] = "Basic **masked**" | 
					
						
							|  |  |  |         if headers.get("HTTP_COOKIE"): | 
					
						
							|  |  |  |             headers["HTTP_COOKIE"] = "**masked**" | 
					
						
							|  |  |  |         return headers | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     def __call__(self, environ: types.WSGIEnviron, start_response: | 
					
						
							|  |  |  |                  types.WSGIStartResponse) -> Iterable[bytes]: | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         with log.register_stream(environ["wsgi.errors"]): | 
					
						
							|  |  |  |             try: | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |                 status_text, headers, answers = self._handle_request(environ) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |             except Exception as e: | 
					
						
							|  |  |  |                 logger.error("An exception occurred during %s request on %r: " | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |                              "%s", environ.get("REQUEST_METHOD", "unknown"), | 
					
						
							|  |  |  |                              environ.get("PATH_INFO", ""), e, exc_info=True) | 
					
						
							|  |  |  |                 # Make minimal response | 
					
						
							|  |  |  |                 status, raw_headers, raw_answer = ( | 
					
						
							|  |  |  |                     httputils.INTERNAL_SERVER_ERROR) | 
					
						
							|  |  |  |                 assert isinstance(raw_answer, str) | 
					
						
							|  |  |  |                 answer = raw_answer.encode("ascii") | 
					
						
							|  |  |  |                 status_text = "%d %s" % ( | 
					
						
							|  |  |  |                     status, client.responses.get(status, "Unknown")) | 
					
						
							|  |  |  |                 headers = [*raw_headers, ("Content-Length", str(len(answer)))] | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |                 answers = [answer] | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |             start_response(status_text, headers) | 
					
						
							| 
									
										
										
										
											2022-01-19 19:58:05 +01:00
										 |  |  |         if environ.get("REQUEST_METHOD") == "HEAD": | 
					
						
							|  |  |  |             return [] | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         return answers | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |     def _handle_request(self, environ: types.WSGIEnviron | 
					
						
							|  |  |  |                         ) -> _IntermediateResponse: | 
					
						
							| 
									
										
										
										
											2022-01-15 22:32:38 +01:00
										 |  |  |         time_begin = datetime.datetime.now() | 
					
						
							|  |  |  |         request_method = environ["REQUEST_METHOD"].upper() | 
					
						
							| 
									
										
										
										
											2022-01-18 18:20:14 +01:00
										 |  |  |         unsafe_path = environ.get("PATH_INFO", "") | 
					
						
							| 
									
										
										
										
											2025-03-08 16:50:35 +01:00
										 |  |  |         https = environ.get("HTTPS", "") | 
					
						
							| 
									
										
										
										
											2022-01-15 22:32:38 +01:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         """Manage a request.""" | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |         def response(status: int, headers: types.WSGIResponseHeaders, | 
					
						
							|  |  |  |                      answer: Union[None, str, bytes]) -> _IntermediateResponse: | 
					
						
							|  |  |  |             """Helper to create response from internal types.WSGIResponse""" | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |             headers = dict(headers) | 
					
						
							|  |  |  |             # Set content length | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |             answers = [] | 
					
						
							|  |  |  |             if answer is not None: | 
					
						
							|  |  |  |                 if isinstance(answer, str): | 
					
						
							| 
									
										
										
										
											2024-06-11 13:26:21 +02:00
										 |  |  |                     if self._response_content_on_debug: | 
					
						
							|  |  |  |                         logger.debug("Response content:\n%s", answer) | 
					
						
							| 
									
										
										
										
											2024-06-18 08:24:25 +02:00
										 |  |  |                     else: | 
					
						
							| 
									
										
										
										
											2024-08-28 07:48:45 +02:00
										 |  |  |                         logger.debug("Response content: suppressed by config/option [logging] response_content_on_debug") | 
					
						
							| 
									
										
										
										
											2020-01-14 06:19:11 +01:00
										 |  |  |                     headers["Content-Type"] += "; charset=%s" % self._encoding | 
					
						
							|  |  |  |                     answer = answer.encode(self._encoding) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |                 accept_encoding = [ | 
					
						
							|  |  |  |                     encoding.strip() for encoding in | 
					
						
							|  |  |  |                     environ.get("HTTP_ACCEPT_ENCODING", "").split(",") | 
					
						
							|  |  |  |                     if encoding.strip()] | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |                 if "gzip" in accept_encoding: | 
					
						
							|  |  |  |                     zcomp = zlib.compressobj(wbits=16 + zlib.MAX_WBITS) | 
					
						
							|  |  |  |                     answer = zcomp.compress(answer) + zcomp.flush() | 
					
						
							|  |  |  |                     headers["Content-Encoding"] = "gzip" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |                 headers["Content-Length"] = str(len(answer)) | 
					
						
							| 
									
										
										
										
											2022-01-19 19:58:05 +01:00
										 |  |  |                 answers.append(answer) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |             # Add extra headers set in configuration | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |             headers.update(self._extra_headers) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |             # Start response | 
					
						
							|  |  |  |             time_end = datetime.datetime.now() | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |             status_text = "%d %s" % ( | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |                 status, client.responses.get(status, "Unknown")) | 
					
						
							| 
									
										
										
										
											2022-01-18 18:20:14 +01:00
										 |  |  |             logger.info("%s response status for %r%s in %.3f seconds: %s", | 
					
						
							|  |  |  |                         request_method, unsafe_path, depthinfo, | 
					
						
							|  |  |  |                         (time_end - time_begin).total_seconds(), status_text) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |             # Return response content | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |             return status_text, list(headers.items()), answers | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2025-03-02 09:05:41 +01:00
										 |  |  |         reverse_proxy = False | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         remote_host = "unknown" | 
					
						
							|  |  |  |         if environ.get("REMOTE_HOST"): | 
					
						
							|  |  |  |             remote_host = repr(environ["REMOTE_HOST"]) | 
					
						
							|  |  |  |         elif environ.get("REMOTE_ADDR"): | 
					
						
							|  |  |  |             remote_host = environ["REMOTE_ADDR"] | 
					
						
							|  |  |  |         if environ.get("HTTP_X_FORWARDED_FOR"): | 
					
						
							| 
									
										
										
										
											2025-03-02 09:05:41 +01:00
										 |  |  |             reverse_proxy = True | 
					
						
							| 
									
										
										
										
											2020-09-26 22:08:23 +02:00
										 |  |  |             remote_host = "%s (forwarded for %r)" % ( | 
					
						
							|  |  |  |                 remote_host, environ["HTTP_X_FORWARDED_FOR"]) | 
					
						
							| 
									
										
										
										
											2025-03-02 09:05:41 +01:00
										 |  |  |         if environ.get("HTTP_X_FORWARDED_HOST") or environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("HTTP_X_FORWARDED_SERVER"): | 
					
						
							|  |  |  |             reverse_proxy = True | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         remote_useragent = "" | 
					
						
							|  |  |  |         if environ.get("HTTP_USER_AGENT"): | 
					
						
							|  |  |  |             remote_useragent = " using %r" % environ["HTTP_USER_AGENT"] | 
					
						
							|  |  |  |         depthinfo = "" | 
					
						
							|  |  |  |         if environ.get("HTTP_DEPTH"): | 
					
						
							|  |  |  |             depthinfo = " with depth %r" % environ["HTTP_DEPTH"] | 
					
						
							| 
									
										
										
										
											2025-03-08 16:50:35 +01:00
										 |  |  |         if https: | 
					
						
							|  |  |  |             https_info = " " + environ.get("SSL_PROTOCOL", "") + " " + environ.get("SSL_CIPHER", "") | 
					
						
							|  |  |  |         else: | 
					
						
							|  |  |  |             https_info = "" | 
					
						
							|  |  |  |         logger.info("%s request for %r%s received from %s%s%s", | 
					
						
							| 
									
										
										
										
											2022-01-15 22:32:37 +01:00
										 |  |  |                     request_method, unsafe_path, depthinfo, | 
					
						
							| 
									
										
										
										
											2025-03-08 16:50:35 +01:00
										 |  |  |                     remote_host, remote_useragent, https_info) | 
					
						
							| 
									
										
										
										
											2024-06-11 13:26:21 +02:00
										 |  |  |         if self._request_header_on_debug: | 
					
						
							| 
									
										
										
										
											2024-06-18 08:24:25 +02:00
										 |  |  |             logger.debug("Request header:\n%s", | 
					
						
							| 
									
										
										
										
											2024-06-11 13:26:21 +02:00
										 |  |  |                          pprint.pformat(self._scrub_headers(environ))) | 
					
						
							| 
									
										
										
										
											2024-06-18 08:24:25 +02:00
										 |  |  |         else: | 
					
						
							| 
									
										
										
										
											2024-08-28 07:48:45 +02:00
										 |  |  |             logger.debug("Request header: suppressed by config/option [logging] request_header_on_debug") | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-01-15 22:32:37 +01:00
										 |  |  |         # SCRIPT_NAME is already removed from PATH_INFO, according to the | 
					
						
							|  |  |  |         # WSGI specification. | 
					
						
							|  |  |  |         # Reverse proxies can overwrite SCRIPT_NAME with X-SCRIPT-NAME header | 
					
						
							| 
									
										
										
										
											2025-03-02 09:06:30 +01:00
										 |  |  |         if self._script_name and (reverse_proxy is True): | 
					
						
							|  |  |  |             base_prefix_src = "config" | 
					
						
							|  |  |  |             base_prefix = self._script_name | 
					
						
							|  |  |  |         else: | 
					
						
							|  |  |  |             base_prefix_src = ("HTTP_X_SCRIPT_NAME" if "HTTP_X_SCRIPT_NAME" in | 
					
						
							|  |  |  |                                environ else "SCRIPT_NAME") | 
					
						
							|  |  |  |             base_prefix = environ.get(base_prefix_src, "") | 
					
						
							|  |  |  |             if base_prefix and base_prefix[0] != "/": | 
					
						
							|  |  |  |                 logger.error("Base prefix (from %s) must start with '/': %r", | 
					
						
							|  |  |  |                              base_prefix_src, base_prefix) | 
					
						
							|  |  |  |                 if base_prefix_src == "HTTP_X_SCRIPT_NAME": | 
					
						
							|  |  |  |                     return response(*httputils.BAD_REQUEST) | 
					
						
							|  |  |  |                 return response(*httputils.INTERNAL_SERVER_ERROR) | 
					
						
							|  |  |  |             if base_prefix.endswith("/"): | 
					
						
							|  |  |  |                 logger.warning("Base prefix (from %s) must not end with '/': %r", | 
					
						
							|  |  |  |                                base_prefix_src, base_prefix) | 
					
						
							|  |  |  |                 base_prefix = base_prefix.rstrip("/") | 
					
						
							|  |  |  |         if base_prefix: | 
					
						
							|  |  |  |             logger.debug("Base prefix (from %s): %r", base_prefix_src, base_prefix) | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         # Sanitize request URI (a WSGI server indicates with an empty path, | 
					
						
							|  |  |  |         # that the URL targets the application root without a trailing slash) | 
					
						
							| 
									
										
										
										
											2022-01-15 22:32:37 +01:00
										 |  |  |         path = pathutils.sanitize_path(unsafe_path) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         logger.debug("Sanitized path: %r", path) | 
					
						
							| 
									
										
										
										
											2025-03-02 09:06:30 +01:00
										 |  |  |         if (reverse_proxy is True) and (len(base_prefix) > 0): | 
					
						
							|  |  |  |             if path.startswith(base_prefix): | 
					
						
							|  |  |  |                 path_new = path.removeprefix(base_prefix) | 
					
						
							|  |  |  |                 logger.debug("Called by reverse proxy, remove base prefix %r from path: %r => %r", base_prefix, path, path_new) | 
					
						
							|  |  |  |                 path = path_new | 
					
						
							|  |  |  |             else: | 
					
						
							| 
									
										
										
										
											2025-04-10 05:44:35 +02:00
										 |  |  |                 logger.warning("Called by reverse proxy, cannot remove base prefix %r from path: %r as not matching", base_prefix, path) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |         # Get function corresponding to method | 
					
						
							| 
									
										
										
										
											2022-01-15 22:32:37 +01:00
										 |  |  |         function = getattr(self, "do_%s" % request_method, None) | 
					
						
							| 
									
										
										
										
											2020-09-12 20:23:45 +02:00
										 |  |  |         if not function: | 
					
						
							|  |  |  |             return response(*httputils.METHOD_NOT_ALLOWED) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-01-22 18:19:41 +01:00
										 |  |  |         # Redirect all "…/.well-known/{caldav,carddav}" paths to "/". | 
					
						
							|  |  |  |         # This shouldn't be necessary but some clients like TbSync require it. | 
					
						
							|  |  |  |         # Status must be MOVED PERMANENTLY using FOUND causes problems | 
					
						
							|  |  |  |         if (path.rstrip("/").endswith("/.well-known/caldav") or | 
					
						
							|  |  |  |                 path.rstrip("/").endswith("/.well-known/carddav")): | 
					
						
							|  |  |  |             return response(*httputils.redirect( | 
					
						
							|  |  |  |                 base_prefix + "/", client.MOVED_PERMANENTLY)) | 
					
						
							| 
									
										
										
										
											2024-07-24 11:22:49 +02:00
										 |  |  |         # Return NOT FOUND for all other paths containing ".well-known" | 
					
						
							| 
									
										
										
										
											2022-01-22 18:19:41 +01:00
										 |  |  |         if path.endswith("/.well-known") or "/.well-known/" in path: | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |             return response(*httputils.NOT_FOUND) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         # Ask authentication backend to check rights | 
					
						
							|  |  |  |         login = password = "" | 
					
						
							| 
									
										
										
										
											2020-01-14 06:19:11 +01:00
										 |  |  |         external_login = self._auth.get_external_login(environ) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         authorization = environ.get("HTTP_AUTHORIZATION", "") | 
					
						
							|  |  |  |         if external_login: | 
					
						
							|  |  |  |             login, password = external_login | 
					
						
							|  |  |  |             login, password = login or "", password or "" | 
					
						
							|  |  |  |         elif authorization.startswith("Basic"): | 
					
						
							|  |  |  |             authorization = authorization[len("Basic"):].strip() | 
					
						
							| 
									
										
										
										
											2020-09-14 21:19:48 +02:00
										 |  |  |             login, password = httputils.decode_request( | 
					
						
							|  |  |  |                 self.configuration, environ, base64.b64decode( | 
					
						
							|  |  |  |                     authorization.encode("ascii"))).split(":", 1) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2025-01-01 16:30:34 +01:00
										 |  |  |         (user, info) = self._auth.login(login, password) or ("", "") if login else ("", "") | 
					
						
							| 
									
										
										
										
											2024-08-26 11:21:53 +02:00
										 |  |  |         if self.configuration.get("auth", "type") == "ldap": | 
					
						
							|  |  |  |             try: | 
					
						
							| 
									
										
										
										
											2024-09-11 08:12:08 +02:00
										 |  |  |                 logger.debug("Groups %r", ",".join(self._auth._ldap_groups)) | 
					
						
							| 
									
										
										
										
											2024-08-26 11:21:53 +02:00
										 |  |  |                 self._rights._user_groups = self._auth._ldap_groups | 
					
						
							|  |  |  |             except AttributeError: | 
					
						
							|  |  |  |                 pass | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         if user and login == user: | 
					
						
							| 
									
										
										
										
											2025-01-01 16:30:34 +01:00
										 |  |  |             logger.info("Successful login: %r (%s)", user, info) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         elif user: | 
					
						
							| 
									
										
										
										
											2025-01-01 16:30:34 +01:00
										 |  |  |             logger.info("Successful login: %r -> %r (%s)", login, user, info) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |         elif login: | 
					
						
							| 
									
										
										
										
											2025-01-01 16:30:34 +01:00
										 |  |  |             logger.warning("Failed login attempt from %s: %r (%s)", | 
					
						
							|  |  |  |                            remote_host, login, info) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |             # Random delay to avoid timing oracles and bruteforce attacks | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |             if self._auth_delay > 0: | 
					
						
							|  |  |  |                 random_delay = self._auth_delay * (0.5 + random.random()) | 
					
						
							| 
									
										
										
										
											2025-01-03 07:11:51 +01:00
										 |  |  |                 logger.debug("Failed login, sleeping random: %.3f sec", random_delay) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |                 time.sleep(random_delay) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         if user and not pathutils.is_safe_path_component(user): | 
					
						
							|  |  |  |             # Prevent usernames like "user/calendar.ics" | 
					
						
							|  |  |  |             logger.info("Refused unsafe username: %r", user) | 
					
						
							|  |  |  |             user = "" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         # Create principal collection | 
					
						
							|  |  |  |         if user: | 
					
						
							|  |  |  |             principal_path = "/%s/" % user | 
					
						
							| 
									
										
										
										
											2020-04-22 19:20:07 +02:00
										 |  |  |             with self._storage.acquire_lock("r", user): | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |                 principal = next(iter(self._storage.discover( | 
					
						
							|  |  |  |                     principal_path, depth="1")), None) | 
					
						
							| 
									
										
										
										
											2020-04-22 19:20:07 +02:00
										 |  |  |             if not principal: | 
					
						
							|  |  |  |                 if "W" in self._rights.authorization(user, principal_path): | 
					
						
							| 
									
										
										
										
											2020-01-14 06:19:11 +01:00
										 |  |  |                     with self._storage.acquire_lock("w", user): | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |                         try: | 
					
						
							| 
									
										
										
										
											2024-04-22 12:23:24 +03:00
										 |  |  |                             new_coll = self._storage.create_collection(principal_path) | 
					
						
							|  |  |  |                             if new_coll: | 
					
						
							|  |  |  |                                 jsn_coll = self.configuration.get("storage", "predefined_collections") | 
					
						
							|  |  |  |                                 for (name_coll, props) in jsn_coll.items(): | 
					
						
							|  |  |  |                                     try: | 
					
						
							| 
									
										
										
										
											2024-05-03 23:07:04 +03:00
										 |  |  |                                         self._storage.create_collection(principal_path + name_coll, props=props) | 
					
						
							| 
									
										
										
										
											2024-04-22 12:23:24 +03:00
										 |  |  |                                     except ValueError as e: | 
					
						
							|  |  |  |                                         logger.warning("Failed to create predefined collection %r: %s", name_coll, e) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |                         except ValueError as e: | 
					
						
							|  |  |  |                             logger.warning("Failed to create principal " | 
					
						
							|  |  |  |                                            "collection %r: %s", user, e) | 
					
						
							|  |  |  |                             user = "" | 
					
						
							| 
									
										
										
										
											2020-04-22 19:20:07 +02:00
										 |  |  |                 else: | 
					
						
							|  |  |  |                     logger.warning("Access to principal path %r denied by " | 
					
						
							|  |  |  |                                    "rights backend", principal_path) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |         if self._internal_server: | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |             # Verify content length | 
					
						
							|  |  |  |             content_length = int(environ.get("CONTENT_LENGTH") or 0) | 
					
						
							|  |  |  |             if content_length: | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |                 if (self._max_content_length > 0 and | 
					
						
							|  |  |  |                         content_length > self._max_content_length): | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  |                     logger.info("Request body too large: %d", content_length) | 
					
						
							|  |  |  |                     return response(*httputils.REQUEST_ENTITY_TOO_LARGE) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         if not login or user: | 
					
						
							|  |  |  |             status, headers, answer = function( | 
					
						
							|  |  |  |                 environ, base_prefix, path, user) | 
					
						
							|  |  |  |             if (status, headers, answer) == httputils.NOT_ALLOWED: | 
					
						
							|  |  |  |                 logger.info("Access to %r denied for %s", path, | 
					
						
							|  |  |  |                             repr(user) if user else "anonymous user") | 
					
						
							|  |  |  |         else: | 
					
						
							|  |  |  |             status, headers, answer = httputils.NOT_ALLOWED | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |         if ((status, headers, answer) == httputils.NOT_ALLOWED and not user and | 
					
						
							|  |  |  |                 not external_login): | 
					
						
							|  |  |  |             # Unknown or unauthorized user | 
					
						
							|  |  |  |             logger.debug("Asking client for authentication") | 
					
						
							|  |  |  |             status = client.UNAUTHORIZED | 
					
						
							|  |  |  |             headers = dict(headers) | 
					
						
							|  |  |  |             headers.update({ | 
					
						
							|  |  |  |                 "WWW-Authenticate": | 
					
						
							| 
									
										
										
										
											2021-07-26 20:56:46 +02:00
										 |  |  |                 "Basic realm=\"%s\"" % self._auth_realm}) | 
					
						
							| 
									
										
										
										
											2018-08-28 16:19:36 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |         return response(status, headers, answer) |