From 39662fc680ceedf66323703f549ef2221368a84c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 28 Aug 2024 07:48:45 +0200 Subject: [PATCH 1/7] fix config section info --- radicale/app/__init__.py | 4 ++-- radicale/app/base.py | 2 +- radicale/app/put.py | 2 +- radicale/httputils.py | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/radicale/app/__init__.py b/radicale/app/__init__.py index 5fe71d30..1c323b5d 100644 --- a/radicale/app/__init__.py +++ b/radicale/app/__init__.py @@ -146,7 +146,7 @@ class Application(ApplicationPartDelete, ApplicationPartHead, if self._response_content_on_debug: logger.debug("Response content:\n%s", answer) else: - logger.debug("Response content: suppressed by config/option [auth] response_content_on_debug") + logger.debug("Response content: suppressed by config/option [logging] response_content_on_debug") headers["Content-Type"] += "; charset=%s" % self._encoding answer = answer.encode(self._encoding) accept_encoding = [ @@ -196,7 +196,7 @@ class Application(ApplicationPartDelete, ApplicationPartHead, logger.debug("Request header:\n%s", pprint.pformat(self._scrub_headers(environ))) else: - logger.debug("Request header: suppressed by config/option [auth] request_header_on_debug") + logger.debug("Request header: suppressed by config/option [logging] request_header_on_debug") # SCRIPT_NAME is already removed from PATH_INFO, according to the # WSGI specification. diff --git a/radicale/app/base.py b/radicale/app/base.py index 15b5a1df..ac4a26bc 100644 --- a/radicale/app/base.py +++ b/radicale/app/base.py @@ -76,7 +76,7 @@ class ApplicationBase: logger.debug("Response content:\n%s", xmlutils.pretty_xml(xml_content)) else: - logger.debug("Response content: suppressed by config/option [auth] response_content_on_debug") + logger.debug("Response content: suppressed by config/option [logging] response_content_on_debug") f = io.BytesIO() ET.ElementTree(xml_content).write(f, encoding=self._encoding, xml_declaration=True) diff --git a/radicale/app/put.py b/radicale/app/put.py index e30c4e07..15a7e00d 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -150,7 +150,7 @@ class ApplicationPartPut(ApplicationBase): if self._log_bad_put_request_content: logger.warning("Bad PUT request content of %r:\n%s", path, content) else: - logger.debug("Bad PUT request content: suppressed by config/option [auth] bad_put_request_content") + logger.debug("Bad PUT request content: suppressed by config/option [logging] bad_put_request_content") return httputils.BAD_REQUEST (prepared_items, prepared_tag, prepared_write_whole_collection, prepared_props, prepared_exc_info) = prepare( diff --git a/radicale/httputils.py b/radicale/httputils.py index a9565293..04898b40 100644 --- a/radicale/httputils.py +++ b/radicale/httputils.py @@ -146,7 +146,7 @@ def read_request_body(configuration: "config.Configuration", if configuration.get("logging", "request_content_on_debug"): logger.debug("Request content:\n%s", content) else: - logger.debug("Request content: suppressed by config/option [auth] request_content_on_debug") + logger.debug("Request content: suppressed by config/option [logging] request_content_on_debug") return content From 4f1e8ce889c6e09d711b0305333181734cdaf02e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 28 Aug 2024 07:49:48 +0200 Subject: [PATCH 2/7] add overseen conditional request_content debug log --- radicale/app/base.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/radicale/app/base.py b/radicale/app/base.py index ac4a26bc..5c8a9355 100644 --- a/radicale/app/base.py +++ b/radicale/app/base.py @@ -51,6 +51,7 @@ class ApplicationBase: self._encoding = configuration.get("encoding", "request") self._log_bad_put_request_content = configuration.get("logging", "bad_put_request_content") self._response_content_on_debug = configuration.get("logging", "response_content_on_debug") + self._request_content_on_debug = configuration.get("logging", "request_content_on_debug") self._hook = hook.load(configuration) def _read_xml_request_body(self, environ: types.WSGIEnviron @@ -66,17 +67,20 @@ class ApplicationBase: logger.debug("Request content (Invalid XML):\n%s", content) raise RuntimeError("Failed to parse XML: %s" % e) from e if logger.isEnabledFor(logging.DEBUG): - logger.debug("Request content:\n%s", - xmlutils.pretty_xml(xml_content)) + if self._request_content_on_debug: + logger.debug("Request content (XML):\n%s", + xmlutils.pretty_xml(xml_content)) + else: + logger.debug("Request content (XML): suppressed by config/option [logging] request_content_on_debug") return xml_content def _xml_response(self, xml_content: ET.Element) -> bytes: if logger.isEnabledFor(logging.DEBUG): if self._response_content_on_debug: - logger.debug("Response content:\n%s", + logger.debug("Response content (XML):\n%s", xmlutils.pretty_xml(xml_content)) else: - logger.debug("Response content: suppressed by config/option [logging] response_content_on_debug") + logger.debug("Response content (XML): suppressed by config/option [logging] response_content_on_debug") f = io.BytesIO() ET.ElementTree(xml_content).write(f, encoding=self._encoding, xml_declaration=True) From 107fe1bc53f5a9f712efe24d2d34b05a49048aa3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 28 Aug 2024 08:02:54 +0200 Subject: [PATCH 3/7] fix missing newline at the end --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index 829ad7db..b6bd2209 100644 --- a/config +++ b/config @@ -177,4 +177,4 @@ # When returning a free-busy report, limit the number of returned # occurences per event to prevent DOS attacks. -#max_freebusy_occurrence = 10000 \ No newline at end of file +#max_freebusy_occurrence = 10000 From e852c887d7f864d6570a225716cde2efb01bf29c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 28 Aug 2024 08:03:16 +0200 Subject: [PATCH 4/7] Enhancement: add option to toggle debug log of right with doesn't match --- CHANGELOG.md | 1 + DOCUMENTATION.md | 6 ++++++ config | 2 ++ radicale/config.py | 4 ++++ radicale/rights/from_file.py | 4 +++- 5 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a919054..b2459ddf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ * Enhancement: Added 'max_freebusy_occurrences` setting to avoid potential DOS on reports * Enhancement: remove unexpected control codes from uploaded items * Enhancement: add 'strip_domain' setting for username handling +* Enhancement: add option to toggle debug log of right with doesn't match * Drop: remove unused requirement "typeguard" * Improve: Refactored some date parsing code diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 15f54d0b..342b89cb 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -978,6 +978,12 @@ Log response on level=debug Default: `False` +##### right_doesnt_match = True + +Log right which doesn't match on level=debug + +Default: `False` + #### headers In this section additional HTTP headers that are sent to clients can be diff --git a/config b/config index b6bd2209..0a999877 100644 --- a/config +++ b/config @@ -158,6 +158,8 @@ # Log response content on level=debug #response_content_on_debug = False +# Log right which doesn't match +#right_doesnt_match = False [headers] diff --git a/radicale/config.py b/radicale/config.py index 0515813b..46fafbb8 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -292,6 +292,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "log response content on level=debug", "type": bool}), + ("right_doesnt_match", { + "value": "False", + "help": "log rights which doesn't match on level=debug", + "type": bool}), ("mask_passwords", { "value": "True", "help": "mask passwords in logs", diff --git a/radicale/rights/from_file.py b/radicale/rights/from_file.py index d766d1dd..47218085 100644 --- a/radicale/rights/from_file.py +++ b/radicale/rights/from_file.py @@ -48,6 +48,7 @@ class Rights(rights.BaseRights): def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) self._filename = configuration.get("rights", "file") + self._log_right_doesnt_match = configuration.get("logging", "right_doesnt_match") def authorization(self, user: str, path: str) -> str: user = user or "" @@ -80,7 +81,8 @@ class Rights(rights.BaseRights): user, sane_path, user_pattern, collection_pattern, section, permission) return permission - logger.debug("Rule %r:%r doesn't match %r:%r from section %r", + if self._log_right_doesnt_match: + logger.debug("Rule %r:%r doesn't match %r:%r from section %r", user, sane_path, user_pattern, collection_pattern, section) logger.info("Rights: %r:%r doesn't match any section", user, sane_path) From 6d117382432a42a5075baff9b438cb5376ca521b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 28 Aug 2024 08:39:16 +0200 Subject: [PATCH 5/7] fix/enhance Apache template for file authentication --- contrib/apache/radicale.conf | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/contrib/apache/radicale.conf b/contrib/apache/radicale.conf index 7499be61..98a25a72 100644 --- a/contrib/apache/radicale.conf +++ b/contrib/apache/radicale.conf @@ -57,13 +57,15 @@ Require all granted - ## You may want to use apache's authentication (config: [auth] type = remote_user) + ## You may want to use apache's authentication (config: [auth] type = http_x_remote_user) + ## e.g. create a new file with a testuser: htpasswd -c -B /etc/httpd/conf/htpasswd-radicale testuser #AuthBasicProvider file #AuthType Basic #AuthName "Enter your credentials" - #AuthUserFile /path/to/httpdfile/ + #AuthUserFile /etc/httpd/conf/htpasswd-radicale #AuthGroupFile /dev/null #Require valid-user + #RequestHeader set X-Remote-User expr=%{REMOTE_USER} @@ -106,13 +108,15 @@ Require all granted - ## You may want to use apache's authentication (config: [auth] type = remote_user) + ## You may want to use apache's authentication (config: [auth] type = http_x_remote_user) + ## e.g. create a new file with a testuser: htpasswd -c -B /etc/httpd/conf/htpasswd-radicale testuser #AuthBasicProvider file #AuthType Basic #AuthName "Enter your credentials" - #AuthUserFile /path/to/httpdfile/ + #AuthUserFile /etc/httpd/conf/htpasswd-radicale #AuthGroupFile /dev/null #Require valid-user + #RequestHeader set X-Remote-User expr=%{REMOTE_USER} @@ -179,11 +183,12 @@ CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" Require all granted - ## You may want to use apache's authentication (config: [auth] type = remote_user) + ## You may want to use apache's authentication (config: [auth] type = http_x_remote_user) + ## e.g. create a new file with a testuser: htpasswd -c -B /etc/httpd/conf/htpasswd-radicale testuser #AuthBasicProvider file #AuthType Basic #AuthName "Enter your credentials" - #AuthUserFile /path/to/httpdfile/ + #AuthUserFile /etc/httpd/conf/htpasswd-radicale #AuthGroupFile /dev/null #Require valid-user @@ -221,11 +226,12 @@ CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" Require all granted - ## You may want to use apache's authentication (config: [auth] type = remote_user) + ## You may want to use apache's authentication (config: [auth] type = http_x_remote_user) + ## e.g. create a new file with a testuser: htpasswd -c -B /etc/httpd/conf/htpasswd-radicale testuser #AuthBasicProvider file #AuthType Basic #AuthName "Enter your credentials" - #AuthUserFile /path/to/httpdfile/ + #AuthUserFile /etc/httpd/conf/htpasswd-radicale #AuthGroupFile /dev/null #Require valid-user From a79c2ad83e5ddd94897bc5ef945d784e075988dd Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 28 Aug 2024 08:59:32 +0200 Subject: [PATCH 6/7] align option name --- DOCUMENTATION.md | 4 ++-- config | 4 ++-- radicale/config.py | 4 ++-- radicale/rights/from_file.py | 10 ++++++---- 4 files changed, 12 insertions(+), 10 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 342b89cb..644ad012 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -978,9 +978,9 @@ Log response on level=debug Default: `False` -##### right_doesnt_match = True +##### rights_rule_doesnt_match_on_debug = True -Log right which doesn't match on level=debug +Log rights rule which doesn't match on level=debug Default: `False` diff --git a/config b/config index 0a999877..8c75bf77 100644 --- a/config +++ b/config @@ -158,8 +158,8 @@ # Log response content on level=debug #response_content_on_debug = False -# Log right which doesn't match -#right_doesnt_match = False +# Log rights rule which doesn't match on level=debug +#rights_rule_doesnt_match_on_debug = False [headers] diff --git a/radicale/config.py b/radicale/config.py index 46fafbb8..d5797c13 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -292,9 +292,9 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "log response content on level=debug", "type": bool}), - ("right_doesnt_match", { + ("rights_rule_doesnt_match_on_debug", { "value": "False", - "help": "log rights which doesn't match on level=debug", + "help": "log rights rules which doesn't match on level=debug", "type": bool}), ("mask_passwords", { "value": "True", diff --git a/radicale/rights/from_file.py b/radicale/rights/from_file.py index 47218085..79e0994f 100644 --- a/radicale/rights/from_file.py +++ b/radicale/rights/from_file.py @@ -48,7 +48,7 @@ class Rights(rights.BaseRights): def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) self._filename = configuration.get("rights", "file") - self._log_right_doesnt_match = configuration.get("logging", "right_doesnt_match") + self._log_rights_rule_doesnt_match_on_debug = configuration.get("logging", "rights_rule_doesnt_match_on_debug") def authorization(self, user: str, path: str) -> str: user = user or "" @@ -62,6 +62,8 @@ class Rights(rights.BaseRights): except Exception as e: raise RuntimeError("Failed to load rights file %r: %s" % (self._filename, e)) from e + if not self._log_rights_rule_doesnt_match_on_debug: + logger.debug("logging of rules which doesn't match suppressed by config/option [logging] rights_rule_doesnt_match_on_debug") for section in rights_config.sections(): try: user_pattern = rights_config.get(section, "user") @@ -81,9 +83,9 @@ class Rights(rights.BaseRights): user, sane_path, user_pattern, collection_pattern, section, permission) return permission - if self._log_right_doesnt_match: + if self._log_rights_rule_doesnt_match_on_debug: logger.debug("Rule %r:%r doesn't match %r:%r from section %r", - user, sane_path, user_pattern, collection_pattern, - section) + user, sane_path, user_pattern, collection_pattern, + section) logger.info("Rights: %r:%r doesn't match any section", user, sane_path) return "" From 3f62982e1d3d0a6e571c58e23924774b4340fd81 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 28 Aug 2024 09:00:41 +0200 Subject: [PATCH 7/7] fix --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b2459ddf..614db10a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,7 +8,7 @@ * Enhancement: Added 'max_freebusy_occurrences` setting to avoid potential DOS on reports * Enhancement: remove unexpected control codes from uploaded items * Enhancement: add 'strip_domain' setting for username handling -* Enhancement: add option to toggle debug log of right with doesn't match +* Enhancement: add option to toggle debug log of rights rule with doesn't match * Drop: remove unused requirement "typeguard" * Improve: Refactored some date parsing code