Separation of authentication and authorization. Separation of read and write authorization.

Static test strategies for authentication. Barely tested. Use at your own risk!

radicale/acl/IMAP.py

@@ -38,11 +38,8 @@ IMAP_SERVER = config.get("acl", "imap_auth_host_name")
 IMAP_SERVER_PORT = config.get("acl", "imap_auth_host_port")
 
 
-def has_right(owner, user, password):
+def is_authenticated(user, password):
     """Check if ``user``/``password`` couple is valid."""
-    if not user or (owner not in acl.PRIVATE_USERS and user != owner):
-        # No user given, or owner is not private and is not user, forbidden
-        return False
 
     log.LOGGER.debug(
         "[IMAP ACL] Connecting to %s:%s." % (IMAP_SERVER, IMAP_SERVER_PORT,))

radicale/acl/LDAP.py

@@ -38,14 +38,10 @@ PASSWORD = config.get("acl", "ldap_password")
 SCOPE = getattr(ldap, "SCOPE_%s" % config.get("acl", "ldap_scope").upper())
 
 
-def has_right(owner, user, password):
+def is_authenticated(user, password):
     """Check if ``user``/``password`` couple is valid."""
     global CONNEXION
 
-    if not user or (owner not in acl.PRIVATE_USERS and user != owner):
-        # No user given, or owner is not private and is not user, forbidden
-        return False
-
     try:
         CONNEXION.whoami_s()
     except:

radicale/acl/PAM.py

@@ -33,11 +33,8 @@ from radicale import acl, config, log
 GROUP_MEMBERSHIP = config.get("acl", "pam_group_membership")
 
 
-def has_right(owner, user, password):
+def is_authenticated(user, password):
     """Check if ``user``/``password`` couple is valid."""
-    if not user or (owner not in acl.PRIVATE_USERS and user != owner):
-        # No user given, or owner is not private and is not user, forbidden
-        return False
 
     # Check whether the user exists in the PAM system
     try:
@@ -50,7 +47,7 @@ def has_right(owner, user, password):
 
     # Check whether the group exists
     try:
-        members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem
+        members = grp.getgrnam(GROUP_MEMBERSHIP)
     except KeyError:
         log.LOGGER.debug(
             "The PAM membership required group (%s) doesn't exist" %

radicale/acl/__init__.py

@@ -19,19 +19,20 @@
 # along with Radicale.  If not, see <http://www.gnu.org/licenses/>.
 
 """
-Users and rights management.
+Users management.
+
+ACL is basically the wrong name here since this package deals with authenticating users.
+
+The authorization part is done in the package "authorization".
 
 This module loads a list of users with access rights, according to the acl
 configuration.
 
 """
 
-from radicale import config
-
-
-PUBLIC_USERS = []
-PRIVATE_USERS = []
+from radicale import config, log
 
+CONFIG_PREFIX = "acl"
 
 def _config_users(name):
     """Get an iterable of strings from the configuraton string [acl] ``name``.
@@ -40,18 +41,17 @@ def _config_users(name):
     stripped at the beginning and at the end of the values.
 
     """
-    for user in config.get("acl", name).split(","):
+    for user in config.get(CONFIG_PREFIX, name).split(","):
         user = user.strip()
         yield None if user == "None" else user
 
 
 def load():
     """Load list of available ACL managers."""
-    acl_type = config.get("acl", "type")
+    acl_type = config.get(CONFIG_PREFIX, "type")
+    log.LOGGER.debug("acl_type = "  + acl_type)
     if acl_type == "None":
         return None
     else:
-        PUBLIC_USERS.extend(_config_users("public_users"))
-        PRIVATE_USERS.extend(_config_users("private_users"))
         module = __import__("acl.%s" % acl_type, globals=globals(), level=2)
         return getattr(module, acl_type)

radicale/acl/courier.py

@@ -29,14 +29,11 @@ from radicale import acl, config, log
 COURIER_SOCKET = config.get("acl", "courier_socket")
 
 
-def has_right(owner, user, password):
+def is_authenticated(user, password):
     """Check if ``user``/``password`` couple is valid."""
-    if not user or (owner not in acl.PRIVATE_USERS and user != owner):
-        # No user given, or owner is not private and is not user, forbidden
-        return False
 
     line = "%s\nlogin\n%s\n%s" % (sys.argv[0], user, password)
-    line = "AUTH %i\n%s" % (len(line), line)
+    line = "%i\n%s" % (len(line), line)
     try:
         sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
         sock.connect(COURIER_SOCKET)
@@ -51,13 +48,7 @@ def has_right(owner, user, password):
 
     log.LOGGER.debug("Got Courier socket response: %r" % data)
 
-    # Address, HOME, GID, and either UID or USERNAME are mandatory in resposne
-    # see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto
-    for line in data.split():
-        if 'GID' in line:
-            return True
+    if repr(data) == "FAIL":
+        return False
 
-    # default is reject
-    # this alleviates the problem of a possibly empty reply from courier authlib
-    # see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto
-    return False
+    return True

radicale/acl/htpasswd.py

@@ -58,11 +58,11 @@ def _sha1(hash_value, password):
     return sha1.digest() == base64.b64decode(hash_value)
 
 
-def has_right(owner, user, password):
+def is_authenticated(user, password):
     """Check if ``user``/``password`` couple is valid."""
     for line in open(FILENAME).readlines():
         if line.strip():
             login, hash_value = line.strip().split(":")
-            if login == user and (owner in acl.PRIVATE_USERS or owner == user):
+            if login == user:
                 return globals()["_%s" % ENCRYPTION](hash_value, password)
     return False