From be43ce516103439abc01f2eaeb4d33d1a631762e Mon Sep 17 00:00:00 2001
From: Peter Bieringer
Date: Sat, 15 Mar 2025 14:34:51 +0100
Subject: [PATCH] change default of authentication type to "denyall" for secure-by-default
---
 config | 2 +-
 radicale/config.py | 2 +-
 radicale/tests/test_base.py | 2 ++
 radicale/tests/test_rights.py | 3 +++
 radicale/tests/test_storage.py | 1 +
 5 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/config b/config
index 14bb3c40..6df01d9f 100644
--- a/config
+++ b/config
@@ -63,7 +63,7 @@
 # Authentication method
 # Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | pam | denyall
-#type = none
+#type = denyall
 # Cache logins for until expiration time
 #cache_logins = false
diff --git a/radicale/config.py b/radicale/config.py
index f13a8d6a..e683cb5b 100644
--- a/radicale/config.py
+++ b/radicale/config.py
@@ -206,7 +206,7 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([
 "type": str})])),
 ("auth", OrderedDict([
 ("type", {
- "value": "none",
+ "value": "denyall",
 "help": "authentication method (" + "|".join(auth.INTERNAL_TYPES) + ")",
 "type": str_or_callable,
 "internal": auth.INTERNAL_TYPES}),
diff --git a/radicale/tests/test_base.py b/radicale/tests/test_base.py
index 69864366..63c420e9 100644
--- a/radicale/tests/test_base.py
+++ b/radicale/tests/test_base.py
@@ -1714,6 +1714,7 @@ permissions: RrWw""")
 assert status == 200 and prop.text == "text/vcard;charset=utf-8"
 def test_authorization(self) -> None:
+ self.configure({"auth": {"type": "none"}})
 _, responses = self.propfind("/", """\
@@ -1740,6 +1741,7 @@ permissions: RrWw""")
 def test_principal_collection_creation(self) -> None:
 """Verify existence of the principal collection."""
+ self.configure({"auth": {"type": "none"}})
 self.propfind("/user/", login="user:")
 def test_authentication_current_user_principal_hack(self) -> None:
diff --git a/radicale/tests/test_rights.py b/radicale/tests/test_rights.py
index 896c910e..8231214c 100644
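Review bot: The new `"value": "denyall"` default in the `auth` `type` entry has no comment explaining the choice, and an installation that never set `type` will presumably have every login refused after upgrading. I would add `# secure-by-default: no login is accepted until an auth type is configured explicitly` above the `"value"` line. Whether startup reports the effective auth type is not visible in this hunk; if it does not, a warning when `denyall` is active only because nothing was configured would make the resulting refusals easier to diagnose. The schema literal starts and ends outside the hunk.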
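Review bot: None of the test changes asserts the new default: `test_authorization` and `test_principal_collection_creation` here, and the added lines in test_rights.py and test_storage.py, all switch back to `"type": "none"`, so a regression that reopens the default would still pass. A test that leaves `auth` unconfigured and expects a refusal would pin it, for example `self.mkcalendar("/user/calendar", login="user:", check=401)`; the exact status `denyall` yields is not visible on this page, so confirm it first. Both test methods continue outside their hunks.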
--- a/radicale/tests/test_rights.py
+++ b/radicale/tests/test_rights.py
@@ -143,6 +143,7 @@ collection: public/[^/]*
 permissions: i""")
 self.configure({"rights": {"type": "from_file", "file": rights_file_path}})
+ self.configure({"auth": {"type": "none"}})
 self.mkcalendar("/tmp/calendar", login="tmp:bepo")
 self.mkcol("/public", login="tmp:bepo")
 self.mkcalendar("/public/calendar", login="tmp:bepo")
@@ -165,6 +166,7 @@ permissions: i""")
 Items are allowed at "/.../.../...".
 """
+ self.configure({"auth": {"type": "none"}})
 self.mkcalendar("/", check=401)
 self.mkcalendar("/user/", check=401)
 self.mkcol("/user/")
@@ -175,6 +177,7 @@ permissions: i""")
 def test_put_collections_and_items(self) -> None:
 """Test rights for creation of calendars and items with PUT."""
+ self.configure({"auth": {"type": "none"}})
 self.put("/user/", "BEGIN:VCALENDAR\r\nEND:VCALENDAR", check=401)
 self.mkcol("/user/")
 self.put("/user/calendar/", "BEGIN:VCALENDAR\r\nEND:VCALENDAR")
diff --git a/radicale/tests/test_storage.py b/radicale/tests/test_storage.py
index 1957a137..2fcfe717 100644
--- a/radicale/tests/test_storage.py
+++ b/radicale/tests/test_storage.py
@@ -77,6 +77,7 @@ class TestMultiFileSystem(BaseTest):
 """Verify that the hooks runs when a new user is created."""
 self.configure({"storage": {"hook": "mkdir %s" % os.path.join(
 "collection-root", "created_by_hook")}})
+ self.configure({"auth": {"type": "none"}})
 self.propfind("/", login="user:")
 self.propfind("/created_by_hook/")
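Review bot: The added `self.configure({"auth": {"type": "none"}})` in the first test_rights.py hunk directly follows the `rights` configure call, so the test configures the application twice in a row. If `configure` accepts several sections in one dict, which its nested-dict argument suggests but the hunk does not show, a single call reads better: `self.configure({"rights": {"type": "from_file", "file": rights_file_path}, "auth": {"type": "none"}})`. The same back-to-back pairing appears in the test_storage.py hunk after the `storage` hook call. The enclosing test methods start outside these hunks.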