diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 0f9f9729..3116c4b8 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -35,7 +35,7 @@ class Auth(auth.BaseAuth): _ldap_secret: str _ldap_filter: str _ldap_load_groups: bool - _ldap_groups = [] + _ldap_groups = set def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) @@ -77,10 +77,12 @@ class Auth(auth.BaseAuth): conn.protocol_version = 3 conn.set_option(ldap.OPT_REFERRALS, 0) conn.simple_bind_s(user_dn,password) + tmp = [] if self._ldap_load_groups: - self._ldap_groups = [] + tmp = [] for t in res[0][1]['memberOf']: - self._ldap_groups.append(t.decode('utf-8').split(',')[0][3:]) + tmp.append(t.decode('utf-8').split(',')[0][3:]) + self._ldap_groups = set(tmp) logger.debug("LDAP Auth groups of user: %s",",".join(self._ldap_groups)) conn.unbind() return login diff --git a/radicale/rights/from_file.py b/radicale/rights/from_file.py index 01fa2fb7..51f40433 100644 --- a/radicale/rights/from_file.py +++ b/radicale/rights/from_file.py @@ -44,30 +44,42 @@ from radicale.log import logger class Rights(rights.BaseRights): _filename: str + _rights_config def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) self._filename = configuration.get("rights", "file") + _rights_config = configparser.ConfigParser() + try: + with open(self._filename, "r") as f: + _rights_config.read_file(f) + except Exception as e: + raise RuntimeError("Failed to load rights file %r: %s" % + (self._filename, e)) from e def authorization(self, user: str, path: str) -> str: user = user or "" sane_path = pathutils.strip_path(path) # Prevent "regex injection" escaped_user = re.escape(user) - rights_config = configparser.ConfigParser() - try: - with open(self._filename, "r") as f: - rights_config.read_file(f) - except Exception as e: - raise RuntimeError("Failed to load rights file %r: %s" % - (self._filename, e)) from e - for section in rights_config.sections(): + + for section in _rights_config.sections(): + user_match = False + group_match = [] + collection_match = False try: - user_pattern = rights_config.get(section, "user") - collection_pattern = rights_config.get(section, "collection") + collection_pattern = _rights_config.get(section, "collection") + user_pattern = _rights_config.get(section, "user", fallback = "") + groups = _rights_config.get(section, "groups", fallback = "").split(",") + + try: + group_match = self._auth._ldap_groups & set(groups) + except NameError: + pass + # Use empty format() for harmonized handling of curly braces user_match = re.fullmatch(user_pattern.format(), user) - collection_match = user_match and re.fullmatch( + collection_match = re.fullmatch( collection_pattern.format( *(re.escape(s) for s in user_match.groups()), user=escaped_user), sane_path) @@ -75,10 +87,15 @@ class Rights(rights.BaseRights): raise RuntimeError("Error in section %r of rights file %r: " "%s" % (section, self._filename, e)) from e if user_match and collection_match: - logger.debug("Rule %r:%r matches %r:%r from section %r", + logger.debug("User rule %r:%r matches %r:%r from section %r", user, sane_path, user_pattern, collection_pattern, section) - return rights_config.get(section, "permissions") + return _rights_config.get(section, "permissions") + if len(group_match) > 0 and collection_match: + logger.debug("Group rule %r:%r matches %r from section %r", + group_match, sane_path, + collection_pattern, section) + return _rights_config.get(section, "permissions") logger.debug("Rule %r:%r doesn't match %r:%r from section %r", user, sane_path, user_pattern, collection_pattern, section)