Implementing group based collection matching.

Optimize rights evaluation.
2025-06-26 16:45:52 +00:00 · 2022-02-21 08:36:10 +01:00 · 2022-02-21 08:36:10 +01:00 · eda8309a04
commit eda8309a04
parent 2dc0fd29dc
2 changed files with 35 additions and 16 deletions
--- a/radicale/rights/from_file.py
+++ b/radicale/rights/from_file.py
@ -44,30 +44,42 @@ from radicale.log import logger
 class Rights(rights.BaseRights):

    _filename: str
+    _rights_config

    def __init__(self, configuration: config.Configuration) -> None:
        super().__init__(configuration)
        self._filename = configuration.get("rights", "file")
+        _rights_config = configparser.ConfigParser()
+        try:
+            with open(self._filename, "r") as f:
+                _rights_config.read_file(f)
+        except Exception as e:
+            raise RuntimeError("Failed to load rights file %r: %s" %
+                               (self._filename, e)) from e

    def authorization(self, user: str, path: str) -> str:
        user = user or ""
        sane_path = pathutils.strip_path(path)
        # Prevent "regex injection"
        escaped_user = re.escape(user)
-        rights_config = configparser.ConfigParser()
-        try:
-            with open(self._filename, "r") as f:
-                rights_config.read_file(f)
-        except Exception as e:
-            raise RuntimeError("Failed to load rights file %r: %s" %
-                               (self._filename, e)) from e
-        for section in rights_config.sections():
+
+        for section in _rights_config.sections():
+            user_match       = False
+            group_match      = []
+            collection_match = False
            try:
-                user_pattern = rights_config.get(section, "user")
-                collection_pattern = rights_config.get(section, "collection")
+                collection_pattern = _rights_config.get(section, "collection")
+                user_pattern = _rights_config.get(section, "user", fallback = "")
+                groups = _rights_config.get(section, "groups", fallback = "").split(",")
+
+                try:
+                    group_match = self._auth._ldap_groups & set(groups)
+                except NameError:
+                    pass
+
                # Use empty format() for harmonized handling of curly braces
                user_match = re.fullmatch(user_pattern.format(), user)
-                collection_match = user_match and re.fullmatch(
+                collection_match = re.fullmatch(
                    collection_pattern.format(
                        *(re.escape(s) for s in user_match.groups()),
                        user=escaped_user), sane_path)
@ -75,10 +87,15 @@ class Rights(rights.BaseRights):
                raise RuntimeError("Error in section %r of rights file %r: "
                                   "%s" % (section, self._filename, e)) from e
            if user_match and collection_match:
-                logger.debug("Rule %r:%r matches %r:%r from section %r",
+                logger.debug("User rule %r:%r matches %r:%r from section %r",
                             user, sane_path, user_pattern,
                             collection_pattern, section)
-                return rights_config.get(section, "permissions")
+                return _rights_config.get(section, "permissions")
+            if len(group_match) > 0 and collection_match:
+                logger.debug("Group rule %r:%r matches %r from section %r",
+                             group_match, sane_path,
+                             collection_pattern, section)
+                return _rights_config.get(section, "permissions")
            logger.debug("Rule %r:%r doesn't match %r:%r from section %r",
                         user, sane_path, user_pattern, collection_pattern,
                         section)