From 8bfed78926bfa59e35b41bbcdd2df22663b3cd9d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 15 Oct 2024 08:14:54 +0200 Subject: [PATCH 001/361] pin ubuntu version to 22.04 (try to fix https://github.com/Kozea/Radicale/issues/1594) --- .github/workflows/generate-documentation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/generate-documentation.yml b/.github/workflows/generate-documentation.yml index 3b94427e..d766a834 100644 --- a/.github/workflows/generate-documentation.yml +++ b/.github/workflows/generate-documentation.yml @@ -6,7 +6,7 @@ on: jobs: generate: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 with: From c63d00a55068939d41c917d2e604b434f72f1629 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 15 Oct 2024 08:25:46 +0200 Subject: [PATCH 002/361] update minimum python version --- DOCUMENTATION.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 64aff476..ac8d33e8 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -55,8 +55,7 @@ Follow one of the chapters below depending on your operating system. #### Linux / \*BSD -First, make sure that **python** 3.5 or later (**python** ≥ 3.6 is -recommended) and **pip** are installed. On most distributions it should be +First, make sure that **python** 3.8 or later and **pip** are installed. On most distributions it should be enough to install the package ``python3-pip``. Then open a console and type: From b6fa3c47c38f83864ca50fcf6db54fee3e82feeb Mon Sep 17 00:00:00 2001 From: Artur Neumann Date: Tue, 15 Oct 2024 14:50:08 +0545 Subject: [PATCH 003/361] fix casing in docker file --- Dockerfile | 2 +- Dockerfile.dev | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 914d06a9..90259508 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # This file is intended to be used apart from the containing source code tree. -FROM python:3-alpine as builder +FROM python:3-alpine AS builder # Version of Radicale (e.g. v3) ARG VERSION=master diff --git a/Dockerfile.dev b/Dockerfile.dev index 36ff98e5..65e00fcd 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,4 +1,4 @@ -FROM python:3-alpine as builder +FROM python:3-alpine AS builder # Optional dependencies (e.g. bcrypt) ARG DEPENDENCIES=bcrypt From 5cafd29d7f96ea1de0c334e5f5dd8bf785383544 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 18 Oct 2024 08:23:16 +0200 Subject: [PATCH 004/361] initial nginx config file --- contrib/nginx/radicale.conf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 contrib/nginx/radicale.conf diff --git a/contrib/nginx/radicale.conf b/contrib/nginx/radicale.conf new file mode 100644 index 00000000..fea82d03 --- /dev/null +++ b/contrib/nginx/radicale.conf @@ -0,0 +1,21 @@ +### Proxy Forward to local running "radicale" server +### +### Usual configuration file location: /etc/nginx/default.d/ + +## Base URI: /radicale/ +#location /radicale/ { +# proxy_pass http://localhost:5232/; +# proxy_set_header X-Script-Name /radicale; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header Host $http_host; +# proxy_pass_header Authorization; +#} + +## Base URI: / +#location / { +# proxy_pass http://localhost:5232/; +# proxy_set_header X-Script-Name /radicale; +# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header Host $http_host; +# proxy_pass_header Authorization; +#} From e0c04f2ae3671511ce9adab2ef18cf95868588d9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 29 Oct 2024 07:17:31 +0100 Subject: [PATCH 005/361] update version to 3.3.1.dev --- pyproject.toml | 2 +- setup.py.legacy | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 4e8e2dd0..c2df6f66 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.0" +version = "3.3.1.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index 95717e6a..4d108ccd 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -19,7 +19,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.0" +VERSION = "3.3.1.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 059afef35d111640e29200bb8c53a3eb5ee7e005 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 29 Oct 2024 07:19:45 +0100 Subject: [PATCH 006/361] log content in case of multiple main components error --- radicale/item/filter.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/item/filter.py b/radicale/item/filter.py index cb3e8cdb..61b7c1b4 100644 --- a/radicale/item/filter.py +++ b/radicale/item/filter.py @@ -279,7 +279,7 @@ def visit_time_ranges(vobject_item: vobject.base.Component, child_name: str, yield comp, True, [] else: if main is not None: - raise ValueError("Multiple main components") + raise ValueError("Multiple main components. Got comp: {}".format(comp)) main = comp if main is None and len(recurrences) == 1: main = rec_main From f7c731e1898c51fb606a8ff6f9e2d5565fa65fe7 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 29 Oct 2024 07:19:54 +0100 Subject: [PATCH 007/361] changelog: log content in case of multiple main components error --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 965b9f53..595b534f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ # Changelog +* Enhancement: log content in case of multiple main components error + ## 3.3.0 * Adjustment: option [auth] htpasswd_encryption change default from "md5" to "autodetect" From f25a5fbc7901f824e05b98421579ae8ae81d43c8 Mon Sep 17 00:00:00 2001 From: Jean-Denis Girard Date: Wed, 30 Oct 2024 10:33:10 -1000 Subject: [PATCH 008/361] Rebase galaxy4public patch on top of bf4f5834 --- radicale/auth/__init__.py | 3 +- radicale/auth/dovecot.py | 178 ++++++++++++++++++++++++++++++++++++ radicale/config.py | 4 + radicale/tests/test_auth.py | 98 ++++++++++++++++++++ 4 files changed, 282 insertions(+), 1 deletion(-) create mode 100644 radicale/auth/dovecot.py diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 623b2064..256ebe9e 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -37,7 +37,8 @@ from radicale.log import logger INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user", "denyall", "htpasswd", - "ldap") + "ldap", + "dovecot") def load(configuration: "config.Configuration") -> "BaseAuth": diff --git a/radicale/auth/dovecot.py b/radicale/auth/dovecot.py new file mode 100644 index 00000000..34180eb5 --- /dev/null +++ b/radicale/auth/dovecot.py @@ -0,0 +1,178 @@ +# This file is part of Radicale Server - Calendar Server +# Copyright © 2014 Giel van Schijndel +# Copyright © 2019 (GalaxyMaster) +# +# This library is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Radicale. If not, see . + +import base64 +import itertools +import os +import socket +from contextlib import closing + +from radicale import auth +from radicale.log import logger + + +class Auth(auth.BaseAuth): + def __init__(self, configuration): + super().__init__(configuration) + self.socket = configuration.get("auth", "dovecot_socket") + self.timeout = 5 + self.request_id_gen = itertools.count(1) + + def login(self, login, password): + """Validate credentials. + + Check if the ``login``/``password`` pair is valid according to Dovecot. + + This implementation communicates with a Dovecot server through the + Dovecot Authentication Protocol v1.1. + + https://dovecot.org/doc/auth-protocol.txt + + """ + + logger.info("Authentication request (dovecot): '{}'".format(login)) + if not login or not password: + return "" + + with closing(socket.socket( + socket.AF_UNIX, + socket.SOCK_STREAM) + ) as sock: + try: + sock.settimeout(self.timeout) + sock.connect(self.socket) + + buf = bytes() + supported_mechs = [] + done = False + seen_part = [0, 0, 0] + # Upon the initial connection we only care about the + # handshake, which is usually just around 100 bytes long, + # e.g. + # + # VERSION 1 2 + # MECH PLAIN plaintext + # SPID 22901 + # CUID 1 + # COOKIE 2dbe4116a30fb4b8a8719f4448420af7 + # DONE + # + # Hence, we try to read just once with a buffer big + # enough to hold all of it. + buf = sock.recv(1024) + while b'\n' in buf and not done: + line, buf = buf.split(b'\n', 1) + parts = line.split(b'\t') + first, parts = parts[0], parts[1:] + + if first == b'VERSION': + if seen_part[0]: + logger.warning( + "Server presented multiple VERSION " + "tokens, ignoring" + ) + continue + version = parts + logger.debug("Dovecot server version: '{}'".format( + (b'.'.join(version)).decode() + )) + if int(version[0]) != 1: + logger.fatal( + "Only Dovecot 1.x versions are supported!" + ) + return "" + seen_part[0] += 1 + elif first == b'MECH': + supported_mechs.append(parts[0]) + seen_part[1] += 1 + elif first == b'DONE': + seen_part[2] += 1 + if not (seen_part[0] and seen_part[1]): + logger.fatal( + "An unexpected end of the server " + "handshake received!" + ) + return "" + done = True + + if not done: + logger.fatal("Encountered a broken server handshake!") + return "" + + logger.debug( + "Supported auth methods: '{}'" + .format((b"', '".join(supported_mechs)).decode()) + ) + if b'PLAIN' not in supported_mechs: + logger.info( + "Authentication method 'PLAIN' is not supported, " + "but is required!" + ) + return "" + + # Handshake + logger.debug("Sending auth handshake") + sock.send(b'VERSION\t1\t1\n') + sock.send(b'CPID\t%u\n' % os.getpid()) + + request_id = next(self.request_id_gen) + logger.debug( + "Authenticating with request id: '{}'" + .format(request_id) + ) + sock.send( + b'AUTH\t%u\tPLAIN\tservice=radicale\tresp=%b\n' % + ( + request_id, base64.b64encode( + b'\0%b\0%b' % + (login.encode(), password.encode()) + ) + ) + ) + + logger.debug("Processing auth response") + buf = sock.recv(1024) + line = buf.split(b'\n', 1)[0] + parts = line.split(b'\t')[:2] + resp, reply_id, params = ( + parts[0], int(parts[1]), + dict(part.split('=', 1) for part in parts[2:]) + ) + + logger.debug( + "Auth response: result='{}', id='{}', parameters={}" + .format(resp.decode(), reply_id, params) + ) + if request_id != reply_id: + logger.fatal( + "Unexpected reply ID {} received (expected {})" + .format( + reply_id, request_id + ) + ) + return "" + + if resp == b'OK': + return login + + except socket.error as e: + logger.fatal( + "Failed to communicate with Dovecot socket %r: %s" % + (self.socket, e) + ) + + return "" diff --git a/radicale/config.py b/radicale/config.py index 241f6380..12dce95a 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -183,6 +183,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "autodetect", "help": "htpasswd encryption method", "type": str}), + ("dovecot_socket", { + "value": "/var/run/dovecot/auth-client", + "help": "dovecot auth socket", + "type": str}), ("realm", { "value": "Radicale - Password Required", "help": "message displayed when a password is needed", diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 3604e2f9..816029fd 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -22,6 +22,7 @@ Radicale tests with simple requests and authentication. """ +import base64 import os import sys from typing import Iterable, Tuple, Union @@ -159,6 +160,103 @@ class TestBaseAuthRequests(BaseTest): href_element = prop.find(xmlutils.make_clark("D:href")) assert href_element is not None and href_element.text == "/test/" + def _test_dovecot( + self, user, password, expected_status, + response=b'FAIL\n1\n', mech=[b'PLAIN'], broken=None): + import socket + from unittest.mock import DEFAULT, patch + + self.configure({"auth": {"type": "dovecot", + "dovecot_socket": "./dovecot.sock"}}) + + if broken is None: + broken = [] + + handshake = b'' + if "version" not in broken: + handshake += b'VERSION\t' + if "incompatible" in broken: + handshake += b'2' + else: + handshake += b'1' + handshake += b'\t2\n' + + if "mech" not in broken: + handshake += b'MECH\t%b\n' % b' '.join(mech) + + if "duplicate" in broken: + handshake += b'VERSION\t1\t2\n' + + if "done" not in broken: + handshake += b'DONE\n' + + with patch.multiple( + 'socket.socket', + connect=DEFAULT, + send=DEFAULT, + recv=DEFAULT + ) as mock_socket: + if "socket" in broken: + mock_socket["connect"].side_effect = socket.error( + "Testing error with the socket" + ) + mock_socket["recv"].side_effect = [handshake, response] + status, _, answer = self.request( + "PROPFIND", "/", + HTTP_AUTHORIZATION="Basic %s" % base64.b64encode( + ("%s:%s" % (user, password)).encode()).decode()) + assert status == expected_status + + def test_dovecot_no_user(self): + self._test_dovecot("", "", 401) + + def test_dovecot_no_password(self): + self._test_dovecot("user", "", 401) + + def test_dovecot_broken_handshake_no_version(self): + self._test_dovecot("user", "password", 401, broken=["version"]) + + def test_dovecot_broken_handshake_incompatible(self): + self._test_dovecot("user", "password", 401, broken=["incompatible"]) + + def test_dovecot_broken_handshake_duplicate(self): + self._test_dovecot( + "user", "password", 207, response=b'OK\t1', + broken=["duplicate"] + ) + + def test_dovecot_broken_handshake_no_mech(self): + self._test_dovecot("user", "password", 401, broken=["mech"]) + + def test_dovecot_broken_handshake_unsupported_mech(self): + self._test_dovecot("user", "password", 401, mech=[b'ONE', b'TWO']) + + def test_dovecot_broken_handshake_no_done(self): + self._test_dovecot("user", "password", 401, broken=["done"]) + + def test_dovecot_broken_socket(self): + self._test_dovecot("user", "password", 401, broken=["socket"]) + + def test_dovecot_auth_good1(self): + self._test_dovecot("user", "password", 207, response=b'OK\t1') + + def test_dovecot_auth_good2(self): + self._test_dovecot( + "user", "password", 207, response=b'OK\t1', + mech=[b'PLAIN\nEXTRA\tTERM'] + ) + + self._test_dovecot("user", "password", 207, response=b'OK\t1') + + def test_dovecot_auth_bad1(self): + self._test_dovecot("user", "password", 401, response=b'FAIL\t1') + + def test_dovecot_auth_bad2(self): + self._test_dovecot("user", "password", 401, response=b'CONT\t1') + + def test_dovecot_auth_id_mismatch(self): + self._test_dovecot("user", "password", 401, response=b'OK\t2') + def test_custom(self) -> None: """Custom authentication.""" self.configure({"auth": {"type": "radicale.tests.custom.auth"}}) From 652e76865094e29ace42ff6599aed325ea72ab2a Mon Sep 17 00:00:00 2001 From: Jean-Denis Girard Date: Thu, 31 Oct 2024 06:36:47 -1000 Subject: [PATCH 009/361] Skip Dovecot auth tests on Windows --- radicale/tests/test_auth.py | 1 + 1 file changed, 1 insertion(+) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 816029fd..3aec8ef7 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -160,6 +160,7 @@ class TestBaseAuthRequests(BaseTest): href_element = prop.find(xmlutils.make_clark("D:href")) assert href_element is not None and href_element.text == "/test/" + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def _test_dovecot( self, user, password, expected_status, response=b'FAIL\n1\n', mech=[b'PLAIN'], broken=None): From c6cc7f3486c98992164d9f4058bc4cb59b1415ca Mon Sep 17 00:00:00 2001 From: Jean-Denis Girard Date: Thu, 31 Oct 2024 09:28:35 -1000 Subject: [PATCH 010/361] Skip Dovecot auth tests on Windows (try again...) --- radicale/tests/test_auth.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 3aec8ef7..5358e218 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -208,39 +208,50 @@ class TestBaseAuthRequests(BaseTest): ("%s:%s" % (user, password)).encode()).decode()) assert status == expected_status + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_no_user(self): self._test_dovecot("", "", 401) + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_no_password(self): self._test_dovecot("user", "", 401) + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_broken_handshake_no_version(self): self._test_dovecot("user", "password", 401, broken=["version"]) + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_broken_handshake_incompatible(self): self._test_dovecot("user", "password", 401, broken=["incompatible"]) + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_broken_handshake_duplicate(self): self._test_dovecot( "user", "password", 207, response=b'OK\t1', broken=["duplicate"] ) + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_broken_handshake_no_mech(self): self._test_dovecot("user", "password", 401, broken=["mech"]) + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_broken_handshake_unsupported_mech(self): self._test_dovecot("user", "password", 401, mech=[b'ONE', b'TWO']) + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_broken_handshake_no_done(self): self._test_dovecot("user", "password", 401, broken=["done"]) + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_broken_socket(self): self._test_dovecot("user", "password", 401, broken=["socket"]) + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_auth_good1(self): self._test_dovecot("user", "password", 207, response=b'OK\t1') + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_auth_good2(self): self._test_dovecot( "user", "password", 207, response=b'OK\t1', @@ -249,12 +260,15 @@ class TestBaseAuthRequests(BaseTest): self._test_dovecot("user", "password", 207, response=b'OK\t1') + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_auth_bad1(self): self._test_dovecot("user", "password", 401, response=b'FAIL\t1') + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_auth_bad2(self): self._test_dovecot("user", "password", 401, response=b'CONT\t1') + @pytest.mark.skipif(sys.platform == 'win32', reason="Not supported on Windows") def test_dovecot_auth_id_mismatch(self): self._test_dovecot("user", "password", 401, response=b'OK\t2') From a1b8c65def74ba809f3b8289fc7129edf870cdc2 Mon Sep 17 00:00:00 2001 From: Jean-Denis Girard Date: Thu, 31 Oct 2024 09:29:03 -1000 Subject: [PATCH 011/361] Document Dovecot auth --- DOCUMENTATION.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index ac8d33e8..c3ed03b1 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -746,6 +746,9 @@ Available backends: `ldap` : Use a LDAP or AD server to authenticate users. +`dovecot` +: Use a local Dovecot server to authenticate users. + Default: `none` ##### htpasswd_filename @@ -858,6 +861,12 @@ The path to the CA file in pem format which is used to certificate the server ce Default: +##### dovecot_socket + +The path to the Dovecot client authentication socket (eg. /run/dovecot/auth-client on Fedora). Radicale must have read / write access to the socket. + +Default: + ##### lc_username Сonvert username to lowercase, must be true for case-insensitive auth From 19cca41a430d01b07a686a6ff9fab345c836f8ea Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 1 Nov 2024 21:17:40 +0100 Subject: [PATCH 012/361] update changelog related to auth/type=dovecot --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 595b534f..244cae47 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ # Changelog +* Add: option [auth] type=dovecot * Enhancement: log content in case of multiple main components error ## 3.3.0 From 687624a40373f0a43c35debb2d6e2acd4ce9a34c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 2 Nov 2024 13:23:41 +0100 Subject: [PATCH 013/361] fix spelling --- DOCUMENTATION.md | 2 +- config | 2 +- radicale/auth/ldap.py | 2 +- radicale/config.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index c3ed03b1..2d5e838d 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -851,7 +851,7 @@ Default: False ##### ldap_ssl_verify_mode -The certifikat verification mode. NONE, OPTIONAL or REQUIRED +The certificate verification mode. NONE, OPTIONAL or REQUIRED Default: REQUIRED diff --git a/config b/config index 041fa9ce..20e459c8 100644 --- a/config +++ b/config @@ -77,7 +77,7 @@ # Use ssl on the ldap connection #ldap_use_ssl = False -# The certifikat verification mode. NONE, OPTIONAL, default is REQUIRED +# The certificate verification mode. NONE, OPTIONAL, default is REQUIRED #ldap_ssl_verify_mode = REQUIRED # The path to the CA file in pem format which is used to certificate the server certificate diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 3c87561e..56261105 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -24,7 +24,7 @@ Following parameters are needed in the configuration: ldap_load_groups If the groups of the authenticated users need to be loaded Following parameters controls SSL connections: ldap_use_ssl If the connection - ldap_ssl_verify_mode The certifikat verification mode. NONE, OPTIONAL, default is REQUIRED + ldap_ssl_verify_mode The certificate verification mode. NONE, OPTIONAL, default is REQUIRED ldap_ssl_ca_file """ diff --git a/radicale/config.py b/radicale/config.py index 12dce95a..5bb24534 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -225,7 +225,7 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "type": bool}), ("ldap_ssl_verify_mode", { "value": "REQUIRED", - "help": "The certifikat verification mode. NONE, OPTIONAL, default is REQUIRED", + "help": "The certificate verification mode. NONE, OPTIONAL, default is REQUIRED", "type": str}), ("ldap_ssl_ca_file", { "value": "", From ee2af306d75d5bcf7cdc9c1aeea8ba02fb597cbd Mon Sep 17 00:00:00 2001 From: Bishtawi Date: Tue, 30 Jul 2024 00:22:07 -0700 Subject: [PATCH 014/361] Support loading ldap secret from file --- DOCUMENTATION.md | 10 ++++++++-- Dockerfile | 2 +- Dockerfile.dev | 2 +- config | 3 +++ pyproject.toml | 1 + radicale/auth/ldap.py | 15 ++++++++++----- radicale/config.py | 10 +++++++--- setup.py.legacy | 3 ++- 8 files changed, 33 insertions(+), 13 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 2d5e838d..596a5125 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -824,7 +824,13 @@ Default: ##### ldap_secret -The password of the ldap_reader_dn. This parameter must be provided if auth type is ldap. +The password of the ldap_reader_dn. Either this parameter or `ldap_secret_file` must be provided if auth type is ldap. + +Default: + +##### ldap_secret_file + +Path of the file containing the password of the ldap_reader_dn. Either this parameter or `ldap_secret` must be provided if auth type is ldap. Default: @@ -869,7 +875,7 @@ Default: ##### lc_username -Сonvert username to lowercase, must be true for case-insensitive auth +Сonvert username to lowercase, must be true for case-insensitive auth providers like ldap, kerberos Default: `False` diff --git a/Dockerfile b/Dockerfile index 90259508..f6ac22f6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ FROM python:3-alpine AS builder # Version of Radicale (e.g. v3) ARG VERSION=master -# Optional dependencies (e.g. bcrypt) +# Optional dependencies (e.g. bcrypt or ldap) ARG DEPENDENCIES=bcrypt RUN apk add --no-cache --virtual gcc libffi-dev musl-dev \ diff --git a/Dockerfile.dev b/Dockerfile.dev index 65e00fcd..2f6f9fc0 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -1,6 +1,6 @@ FROM python:3-alpine AS builder -# Optional dependencies (e.g. bcrypt) +# Optional dependencies (e.g. bcrypt or ldap) ARG DEPENDENCIES=bcrypt COPY . /app diff --git a/config b/config index 20e459c8..cb50ab72 100644 --- a/config +++ b/config @@ -68,6 +68,9 @@ # Password of the reader DN #ldap_secret = ldapreader-secret +# Path of the file containing password of the reader DN +#ldap_secret_file = /run/secrets/ldap_password + # If the ldap groups of the user need to be loaded #ldap_load_groups = True diff --git a/pyproject.toml b/pyproject.toml index c2df6f66..ff95d0a0 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -41,6 +41,7 @@ dependencies = [ [project.optional-dependencies] test = ["pytest>=7", "waitress", "bcrypt"] bcrypt = ["bcrypt"] +ldap = ["ldap3"] [project.scripts] radicale = "radicale.__main__:run" diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 56261105..a8e94794 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -16,11 +16,12 @@ """ Authentication backend that checks credentials with a ldap server. Following parameters are needed in the configuration: - ldap_uri The ldap url to the server like ldap://localhost - ldap_base The baseDN of the ldap server - ldap_reader_dn The DN of a ldap user with read access to get the user accounts - ldap_secret The password of the ldap_reader_dn - ldap_filter The search filter to find the user to authenticate by the username + ldap_uri The ldap url to the server like ldap://localhost + ldap_base The baseDN of the ldap server + ldap_reader_dn The DN of a ldap user with read access to get the user accounts + ldap_secret The password of the ldap_reader_dn + ldap_secret_file The path of the file containing the password of the ldap_reader_dn + ldap_filter The search filter to find the user to authenticate by the username ldap_load_groups If the groups of the authenticated users need to be loaded Following parameters controls SSL connections: ldap_use_ssl If the connection @@ -64,6 +65,10 @@ class Auth(auth.BaseAuth): self._ldap_load_groups = configuration.get("auth", "ldap_load_groups") self._ldap_secret = configuration.get("auth", "ldap_secret") self._ldap_filter = configuration.get("auth", "ldap_filter") + ldap_secret_file_path = configuration.get("auth", "ldap_secret_file") + if ldap_secret_file_path: + with open(ldap_secret_file_path, 'r') as file: + self._ldap_secret = file.read().rstrip('\n') if self._ldap_version == 3: self._ldap_use_ssl = configuration.get("auth", "ldap_use_ssl") if self._ldap_use_ssl: diff --git a/radicale/config.py b/radicale/config.py index 5bb24534..3e91a6fa 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -200,17 +200,21 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "help": "URI to the ldap server", "type": str}), ("ldap_base", { - "value": "none", + "value": "", "help": "LDAP base DN of the ldap server", "type": str}), ("ldap_reader_dn", { - "value": "none", + "value": "", "help": "the DN of a ldap user with read access to get the user accounts", "type": str}), ("ldap_secret", { - "value": "none", + "value": "", "help": "the password of the ldap_reader_dn", "type": str}), + ("ldap_secret_file", { + "value": "", + "help": "path of the file containing the password of the ldap_reader_dn", + "type": str}), ("ldap_filter", { "value": "(cn={0})", "help": "the search filter to find the user DN to authenticate by the username", diff --git a/setup.py.legacy b/setup.py.legacy index 4d108ccd..d82d289e 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -40,6 +40,7 @@ install_requires = ["defusedxml", "passlib", "vobject>=0.9.6", "pika>=1.1.0", ] bcrypt_requires = ["bcrypt"] +ldap_requires = ["ldap3"] test_requires = ["pytest>=7", "waitress", *bcrypt_requires] setup( @@ -58,7 +59,7 @@ setup( package_data={"radicale": [*web_files, "py.typed"]}, entry_points={"console_scripts": ["radicale = radicale.__main__:run"]}, install_requires=install_requires, - extras_require={"test": test_requires, "bcrypt": bcrypt_requires}, + extras_require={"test": test_requires, "bcrypt": bcrypt_requires, "ldap": ldap_requires}, keywords=["calendar", "addressbook", "CalDAV", "CardDAV"], python_requires=">=3.8.0", classifiers=[ From ae274911d5430be9647265b1074d82a65722dee9 Mon Sep 17 00:00:00 2001 From: Pieter Hijma Date: Tue, 5 Nov 2024 12:44:39 +0100 Subject: [PATCH 015/361] Fix timezone in test file --- radicale/tests/static/event_full_day_rrule.ics | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/tests/static/event_full_day_rrule.ics b/radicale/tests/static/event_full_day_rrule.ics index 88f81c7d..76c0050a 100644 --- a/radicale/tests/static/event_full_day_rrule.ics +++ b/radicale/tests/static/event_full_day_rrule.ics @@ -5,14 +5,14 @@ BEGIN:VTIMEZONE LAST-MODIFIED:20040110T032845Z TZID:US/Eastern BEGIN:DAYLIGHT -DTSTART:20000404 +DTSTART:20000404T020000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4 TZNAME:EDT TZOFFSETFROM:-0500 TZOFFSETTO:-0400 END:DAYLIGHT BEGIN:STANDARD -DTSTART:20001026 +DTSTART:20001026T020000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 TZNAME:EST TZOFFSETFROM:-0400 From 74f4412761ddb623fb6e9ce84adfc8d2401d60ab Mon Sep 17 00:00:00 2001 From: Pieter Hijma Date: Sat, 2 Nov 2024 21:09:01 +0100 Subject: [PATCH 016/361] Honor start and end times expand --- radicale/app/report.py | 13 +++++++++++++ radicale/tests/test_base.py | 6 +++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/radicale/app/report.py b/radicale/app/report.py index d5092db1..11c5bea4 100644 --- a/radicale/app/report.py +++ b/radicale/app/report.py @@ -303,6 +303,10 @@ def _expand( # then in the response we return the date, not datetime dt_format = '%Y%m%d' + duration = None + if hasattr(item.vobject_item.vevent, "dtend"): + duration = item.vobject_item.vevent.dtend.value - item.vobject_item.vevent.dtstart.value + expanded_item, rruleset = _make_vobject_expanded_item(item, dt_format) if rruleset: @@ -319,6 +323,15 @@ def _expand( name='RECURRENCE-ID', value=recurrence_utc.strftime(dt_format), params={} ) + vevent.dtstart = ContentLine( + name='DTSTART', + value=recurrence_utc.strftime(dt_format), params={} + ) + if duration: + vevent.dtend = ContentLine( + name='DTEND', + value=(recurrence_utc + duration).strftime(dt_format), params={} + ) if is_expanded_filled is False: expanded.vevent = vevent diff --git a/radicale/tests/test_base.py b/radicale/tests/test_base.py index c47df720..fd6e8c30 100644 --- a/radicale/tests/test_base.py +++ b/radicale/tests/test_base.py @@ -1715,7 +1715,7 @@ permissions: RrWw""") recurrence_ids.append(line) if line.startswith("DTSTART:"): - assert line == "DTSTART:20060102T170000Z" + assert line in ["DTSTART:20060103T170000Z", "DTSTART:20060104T170000Z"] assert len(uids) == 2 assert len(set(recurrence_ids)) == 2 @@ -1802,10 +1802,10 @@ permissions: RrWw""") recurrence_ids.append(line) if line.startswith("DTSTART:"): - assert line == "DTSTART:20060102" + assert line in ["DTSTART:20060103", "DTSTART:20060104", "DTSTART:20060105"] if line.startswith("DTEND:"): - assert line == "DTEND:20060103" + assert line in ["DTEND:20060104", "DTEND:20060105", "DTEND:20060106"] assert len(uids) == 3 assert len(set(recurrence_ids)) == 3 From 2d5dc5186befb6fc1612adffb635d89142ceb9ff Mon Sep 17 00:00:00 2001 From: Pieter Hijma Date: Tue, 5 Nov 2024 11:33:27 +0100 Subject: [PATCH 017/361] Expand overridden recurring events --- radicale/app/report.py | 148 ++++++++++++++---- .../static/event_daily_rrule_overridden.ics | 35 +++++ radicale/tests/test_base.py | 87 ++++++++++ 3 files changed, 238 insertions(+), 32 deletions(-) create mode 100644 radicale/tests/static/event_daily_rrule_overridden.ics diff --git a/radicale/app/report.py b/radicale/app/report.py index 11c5bea4..43d89916 100644 --- a/radicale/app/report.py +++ b/radicale/app/report.py @@ -313,25 +313,30 @@ def _expand( recurrences = rruleset.between(start, end, inc=True) expanded: vobject.base.Component = copy.copy(expanded_item.vobject_item) + vevent_recurrence, vevents_overridden = _split_overridden_vevents(expanded, dt_format) + is_expanded_filled: bool = False + i_overridden = 0 for recurrence_dt in recurrences: recurrence_utc = recurrence_dt.astimezone(datetime.timezone.utc) + i_overridden, vevent = _find_overridden(i_overridden, vevents_overridden, recurrence_utc, dt_format) - vevent = copy.deepcopy(expanded.vevent) - vevent.recurrence_id = ContentLine( - name='RECURRENCE-ID', - value=recurrence_utc.strftime(dt_format), params={} - ) - vevent.dtstart = ContentLine( - name='DTSTART', - value=recurrence_utc.strftime(dt_format), params={} - ) - if duration: - vevent.dtend = ContentLine( - name='DTEND', - value=(recurrence_utc + duration).strftime(dt_format), params={} + if not vevent: + vevent = copy.deepcopy(vevent_recurrence) + vevent.recurrence_id = ContentLine( + name='RECURRENCE-ID', + value=recurrence_utc.strftime(dt_format), params={} ) + vevent.dtstart = ContentLine( + name='DTSTART', + value=recurrence_utc.strftime(dt_format), params={} + ) + if duration: + vevent.dtend = ContentLine( + name='DTEND', + value=(recurrence_utc + duration).strftime(dt_format), params={} + ) if is_expanded_filled is False: expanded.vevent = vevent @@ -346,6 +351,29 @@ def _expand( return element +def _convert_timezone(vevent: vobject.icalendar.RecurringComponent, + name_prop: str, + name_content_line: str): + prop = getattr(vevent, name_prop, None) + if prop: + if type(prop.value) is datetime.date: + date_time = datetime.datetime.fromordinal( + prop.value.toordinal() + ).replace(tzinfo=datetime.timezone.utc) + else: + date_time = prop.value.astimezone(datetime.timezone.utc) + + setattr(vevent, name_prop, ContentLine(name=name_content_line, value=date_time, params=[])) + + +def _convert_to_utc(vevent: vobject.icalendar.RecurringComponent, + name_prop: str, + dt_format: str): + prop = getattr(vevent, name_prop, None) + if prop: + setattr(vevent, name_prop, ContentLine(name=prop.name, value=prop.value.strftime(dt_format), params=[])) + + def _make_vobject_expanded_item( item: radicale_item.Item, dt_format: str, @@ -381,33 +409,89 @@ def _make_vobject_expanded_item( vevent.dtend = ContentLine(name='DTEND', value=end_utc, params={}) rruleset = None - if hasattr(item.vobject_item.vevent, 'rrule'): - rruleset = vevent.getrruleset() + for i, vevent in enumerate(item.vobject_item.vevent_list): + _convert_timezone(vevent, 'dtstart', 'DTSTART') + _convert_timezone(vevent, 'dtend', 'DTEND') + _convert_timezone(vevent, 'recurrence_id', 'RECURRENCE-ID') - # There is something strange behaviour during serialization native datetime, so converting manually - vevent.dtstart.value = vevent.dtstart.value.strftime(dt_format) - if dt_end is not None: - vevent.dtend.value = vevent.dtend.value.strftime(dt_format) + if hasattr(vevent, 'rrule'): + rruleset = vevent.getrruleset() - timezones_to_remove = [] - for component in item.vobject_item.components(): - if component.name == 'VTIMEZONE': - timezones_to_remove.append(component) + # There is something strange behaviour during serialization native datetime, so converting manually + _convert_to_utc(vevent, 'dtstart', dt_format) + _convert_to_utc(vevent, 'dtend', dt_format) + _convert_to_utc(vevent, 'recurrence_id', dt_format) - for timezone in timezones_to_remove: - item.vobject_item.remove(timezone) + timezones_to_remove = [] + for component in item.vobject_item.components(): + if component.name == 'VTIMEZONE': + timezones_to_remove.append(component) - try: - delattr(item.vobject_item.vevent, 'rrule') - delattr(item.vobject_item.vevent, 'exdate') - delattr(item.vobject_item.vevent, 'exrule') - delattr(item.vobject_item.vevent, 'rdate') - except AttributeError: - pass + for timezone in timezones_to_remove: + item.vobject_item.remove(timezone) + + try: + delattr(item.vobject_item.vevent_list[i], 'rrule') + delattr(item.vobject_item.vevent_list[i], 'exdate') + delattr(item.vobject_item.vevent_list[i], 'exrule') + delattr(item.vobject_item.vevent_list[i], 'rdate') + except AttributeError: + pass return item, rruleset +def _split_overridden_vevents( + component: vobject.base.Component, + dt_format: str +) -> Tuple[ + vobject.icalendar.RecurringComponent, + List[vobject.icalendar.RecurringComponent] +]: + vevent_recurrence = None + vevents_overridden = [] + + for vevent in component.vevent_list: + if hasattr(vevent, 'recurrence_id'): + vevents_overridden += [vevent] + elif vevent_recurrence: + raise ValueError( + f"component with UID {vevent.uid} " + f"has more than one vevent without a recurrence_id" + ) + else: + vevent_recurrence = vevent + + if vevent_recurrence: + return ( + vevent_recurrence, sorted( + vevents_overridden, + key=lambda vevent: datetime.datetime.strptime(vevent.recurrence_id.value, dt_format) + ) + ) + else: + raise ValueError( + f"component with UID {vevent.uid} " + f"does not have a vevent without a recurrence_id" + ) + + +def _find_overridden( + start: int, + vevents: List[vobject.icalendar.RecurringComponent], + dt: datetime.datetime, + dt_format: str +) -> Tuple[int, Optional[vobject.icalendar.RecurringComponent]]: + for i in range(start, len(vevents)): + dt_event = datetime.datetime.strptime( + vevents[i].recurrence_id.value, + dt_format + ).replace(tzinfo=datetime.timezone.utc) + if dt_event == dt: + return (i + 1, vevents[i]) + return (start, None) + + def xml_item_response(base_prefix: str, href: str, found_props: Sequence[ET.Element] = (), not_found_props: Sequence[ET.Element] = (), diff --git a/radicale/tests/static/event_daily_rrule_overridden.ics b/radicale/tests/static/event_daily_rrule_overridden.ics new file mode 100644 index 00000000..077d6cd4 --- /dev/null +++ b/radicale/tests/static/event_daily_rrule_overridden.ics @@ -0,0 +1,35 @@ +BEGIN:VCALENDAR +VERSION:2.0 +BEGIN:VTIMEZONE +LAST-MODIFIED:20040110T032845Z +TZID:US/Eastern +BEGIN:DAYLIGHT +DTSTART:20000404T020000 +RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4 +TZNAME:EDT +TZOFFSETFROM:-0500 +TZOFFSETTO:-0400 +END:DAYLIGHT +BEGIN:STANDARD +DTSTART:20001026T020000 +RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 +TZNAME:EST +TZOFFSETFROM:-0400 +TZOFFSETTO:-0500 +END:STANDARD +END:VTIMEZONE +BEGIN:VEVENT +DTSTART;TZID=US/Eastern:20060102T120000 +DURATION:PT1H +RRULE:FREQ=DAILY;COUNT=5 +SUMMARY:Event #2 +UID:event_daily_rrule_overridden +END:VEVENT +BEGIN:VEVENT +DTSTART;TZID=US/Eastern:20060104T140000 +DURATION:PT1H +RECURRENCE-ID;TZID=US/Eastern:20060104T120000 +SUMMARY:Event #2 bis +UID:event_daily_rrule_overridden +END:VEVENT +END:VCALENDAR diff --git a/radicale/tests/test_base.py b/radicale/tests/test_base.py index fd6e8c30..d8d97f98 100644 --- a/radicale/tests/test_base.py +++ b/radicale/tests/test_base.py @@ -1810,6 +1810,93 @@ permissions: RrWw""") assert len(uids) == 3 assert len(set(recurrence_ids)) == 3 + def test_report_with_expand_property_overridden(self) -> None: + """Test report with expand property""" + self.put("/calendar.ics/", get_file_content("event_daily_rrule_overridden.ics")) + req_body_without_expand = \ + """ + + + + + + + + + + + + + + """ + _, responses = self.report("/calendar.ics/", req_body_without_expand) + assert len(responses) == 1 + + response_without_expand = responses['/calendar.ics/event_daily_rrule_overridden.ics'] + assert not isinstance(response_without_expand, int) + status, element = response_without_expand["C:calendar-data"] + + assert status == 200 and element.text + + assert "RRULE" in element.text + assert "BEGIN:VTIMEZONE" in element.text + + uids: List[str] = [] + for line in element.text.split("\n"): + if line.startswith("UID:"): + uid = line[len("UID:"):] + assert uid == "event_daily_rrule_overridden" + uids.append(uid) + + assert len(uids) == 2 + + req_body_with_expand = \ + """ + + + + + + + + + + + + + + + """ + + _, responses = self.report("/calendar.ics/", req_body_with_expand) + + assert len(responses) == 1 + + response_with_expand = responses['/calendar.ics/event_daily_rrule_overridden.ics'] + assert not isinstance(response_with_expand, int) + status, element = response_with_expand["C:calendar-data"] + + assert status == 200 and element.text + assert "RRULE" not in element.text + assert "BEGIN:VTIMEZONE" not in element.text + + uids = [] + recurrence_ids = [] + for line in element.text.split("\n"): + if line.startswith("UID:"): + assert line == "UID:event_daily_rrule_overridden" + uids.append(line) + + if line.startswith("RECURRENCE-ID:"): + assert line in ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"] + recurrence_ids.append(line) + + if line.startswith("DTSTART:"): + assert line in ["DTSTART:20060103T170000Z", "DTSTART:20060104T190000Z"] + + assert len(uids) == 2 + assert len(set(recurrence_ids)) == 2 + def test_propfind_sync_token(self) -> None: """Retrieve the sync-token with a propfind request""" calendar_path = "/calendar.ics/" From b0d1ccc0f64ec6839a66e2ec72f0aad6ec6422f4 Mon Sep 17 00:00:00 2001 From: Pieter Hijma Date: Tue, 5 Nov 2024 11:39:25 +0100 Subject: [PATCH 018/361] Factor expand tests out of base --- radicale/tests/test_base.py | 265 --------------------------- radicale/tests/test_expand.py | 336 ++++++++++++++++++++++++++++++++++ 2 files changed, 336 insertions(+), 265 deletions(-) create mode 100644 radicale/tests/test_expand.py diff --git a/radicale/tests/test_base.py b/radicale/tests/test_base.py index d8d97f98..6440542f 100644 --- a/radicale/tests/test_base.py +++ b/radicale/tests/test_base.py @@ -1632,271 +1632,6 @@ permissions: RrWw""") calendar_path, "http://radicale.org/ns/sync/INVALID") assert not sync_token - def test_report_with_expand_property(self) -> None: - """Test report with expand property""" - self.put("/calendar.ics/", get_file_content("event_daily_rrule.ics")) - req_body_without_expand = \ - """ - - - - - - - - - - - - - - """ - _, responses = self.report("/calendar.ics/", req_body_without_expand) - assert len(responses) == 1 - - response_without_expand = responses['/calendar.ics/event_daily_rrule.ics'] - assert not isinstance(response_without_expand, int) - status, element = response_without_expand["C:calendar-data"] - - assert status == 200 and element.text - - assert "RRULE" in element.text - assert "BEGIN:VTIMEZONE" in element.text - assert "RECURRENCE-ID" not in element.text - - uids: List[str] = [] - for line in element.text.split("\n"): - if line.startswith("UID:"): - uid = line[len("UID:"):] - assert uid == "event_daily_rrule" - uids.append(uid) - - assert len(uids) == 1 - - req_body_with_expand = \ - """ - - - - - - - - - - - - - - - """ - - _, responses = self.report("/calendar.ics/", req_body_with_expand) - - assert len(responses) == 1 - - response_with_expand = responses['/calendar.ics/event_daily_rrule.ics'] - assert not isinstance(response_with_expand, int) - status, element = response_with_expand["C:calendar-data"] - - assert status == 200 and element.text - assert "RRULE" not in element.text - assert "BEGIN:VTIMEZONE" not in element.text - - uids = [] - recurrence_ids = [] - for line in element.text.split("\n"): - if line.startswith("UID:"): - assert line == "UID:event_daily_rrule" - uids.append(line) - - if line.startswith("RECURRENCE-ID:"): - assert line in ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"] - recurrence_ids.append(line) - - if line.startswith("DTSTART:"): - assert line in ["DTSTART:20060103T170000Z", "DTSTART:20060104T170000Z"] - - assert len(uids) == 2 - assert len(set(recurrence_ids)) == 2 - - def test_report_with_expand_property_all_day_event(self) -> None: - """Test report with expand property""" - self.put("/calendar.ics/", get_file_content("event_full_day_rrule.ics")) - req_body_without_expand = \ - """ - - - - - - - - - - - - - - """ - _, responses = self.report("/calendar.ics/", req_body_without_expand) - assert len(responses) == 1 - - response_without_expand = responses['/calendar.ics/event_full_day_rrule.ics'] - assert not isinstance(response_without_expand, int) - status, element = response_without_expand["C:calendar-data"] - - assert status == 200 and element.text - - assert "RRULE" in element.text - assert "RECURRENCE-ID" not in element.text - - uids: List[str] = [] - for line in element.text.split("\n"): - if line.startswith("UID:"): - uid = line[len("UID:"):] - assert uid == "event_full_day_rrule" - uids.append(uid) - - assert len(uids) == 1 - - req_body_with_expand = \ - """ - - - - - - - - - - - - - - - """ - - _, responses = self.report("/calendar.ics/", req_body_with_expand) - - assert len(responses) == 1 - - response_with_expand = responses['/calendar.ics/event_full_day_rrule.ics'] - assert not isinstance(response_with_expand, int) - status, element = response_with_expand["C:calendar-data"] - - assert status == 200 and element.text - assert "RRULE" not in element.text - assert "BEGIN:VTIMEZONE" not in element.text - - uids = [] - recurrence_ids = [] - for line in element.text.split("\n"): - if line.startswith("UID:"): - assert line == "UID:event_full_day_rrule" - uids.append(line) - - if line.startswith("RECURRENCE-ID:"): - assert line in ["RECURRENCE-ID:20060103", "RECURRENCE-ID:20060104", "RECURRENCE-ID:20060105"] - recurrence_ids.append(line) - - if line.startswith("DTSTART:"): - assert line in ["DTSTART:20060103", "DTSTART:20060104", "DTSTART:20060105"] - - if line.startswith("DTEND:"): - assert line in ["DTEND:20060104", "DTEND:20060105", "DTEND:20060106"] - - assert len(uids) == 3 - assert len(set(recurrence_ids)) == 3 - - def test_report_with_expand_property_overridden(self) -> None: - """Test report with expand property""" - self.put("/calendar.ics/", get_file_content("event_daily_rrule_overridden.ics")) - req_body_without_expand = \ - """ - - - - - - - - - - - - - - """ - _, responses = self.report("/calendar.ics/", req_body_without_expand) - assert len(responses) == 1 - - response_without_expand = responses['/calendar.ics/event_daily_rrule_overridden.ics'] - assert not isinstance(response_without_expand, int) - status, element = response_without_expand["C:calendar-data"] - - assert status == 200 and element.text - - assert "RRULE" in element.text - assert "BEGIN:VTIMEZONE" in element.text - - uids: List[str] = [] - for line in element.text.split("\n"): - if line.startswith("UID:"): - uid = line[len("UID:"):] - assert uid == "event_daily_rrule_overridden" - uids.append(uid) - - assert len(uids) == 2 - - req_body_with_expand = \ - """ - - - - - - - - - - - - - - - """ - - _, responses = self.report("/calendar.ics/", req_body_with_expand) - - assert len(responses) == 1 - - response_with_expand = responses['/calendar.ics/event_daily_rrule_overridden.ics'] - assert not isinstance(response_with_expand, int) - status, element = response_with_expand["C:calendar-data"] - - assert status == 200 and element.text - assert "RRULE" not in element.text - assert "BEGIN:VTIMEZONE" not in element.text - - uids = [] - recurrence_ids = [] - for line in element.text.split("\n"): - if line.startswith("UID:"): - assert line == "UID:event_daily_rrule_overridden" - uids.append(line) - - if line.startswith("RECURRENCE-ID:"): - assert line in ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"] - recurrence_ids.append(line) - - if line.startswith("DTSTART:"): - assert line in ["DTSTART:20060103T170000Z", "DTSTART:20060104T190000Z"] - - assert len(uids) == 2 - assert len(set(recurrence_ids)) == 2 - def test_propfind_sync_token(self) -> None: """Retrieve the sync-token with a propfind request""" calendar_path = "/calendar.ics/" diff --git a/radicale/tests/test_expand.py b/radicale/tests/test_expand.py new file mode 100644 index 00000000..d341f305 --- /dev/null +++ b/radicale/tests/test_expand.py @@ -0,0 +1,336 @@ +# This file is part of Radicale - CalDAV and CardDAV server +# Copyright © 2012-2017 Guillaume Ayoub +# Copyright © 2017-2019 Unrud +# +# This library is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Radicale. If not, see . + +""" +Radicale tests with expand requests. + +""" + +import os +import posixpath +from typing import Any, Callable, ClassVar, Iterable, List, Optional, Tuple + +import defusedxml.ElementTree as DefusedET +import vobject + +from radicale import storage, xmlutils +from radicale.tests import RESPONSES, BaseTest +from radicale.tests.helpers import get_file_content + + +class TestExpandRequests(BaseTest): + """Tests with expand requests.""" + + # Allow skipping sync-token tests, when not fully supported by the backend + full_sync_token_support: ClassVar[bool] = True + + def setup_method(self) -> None: + BaseTest.setup_method(self) + rights_file_path = os.path.join(self.colpath, "rights") + with open(rights_file_path, "w") as f: + f.write("""\ +[permit delete collection] +user: .* +collection: test-permit-delete +permissions: RrWwD + +[forbid delete collection] +user: .* +collection: test-forbid-delete +permissions: RrWwd + +[permit overwrite collection] +user: .* +collection: test-permit-overwrite +permissions: RrWwO + +[forbid overwrite collection] +user: .* +collection: test-forbid-overwrite +permissions: RrWwo + +[allow all] +user: .* +collection: .* +permissions: RrWw""") + self.configure({"rights": {"file": rights_file_path, + "type": "from_file"}}) + + def test_report_with_expand_property(self) -> None: + """Test report with expand property""" + self.put("/calendar.ics/", get_file_content("event_daily_rrule.ics")) + req_body_without_expand = \ + """ + + + + + + + + + + + + + + """ + _, responses = self.report("/calendar.ics/", req_body_without_expand) + assert len(responses) == 1 + + response_without_expand = responses['/calendar.ics/event_daily_rrule.ics'] + assert not isinstance(response_without_expand, int) + status, element = response_without_expand["C:calendar-data"] + + assert status == 200 and element.text + + assert "RRULE" in element.text + assert "BEGIN:VTIMEZONE" in element.text + assert "RECURRENCE-ID" not in element.text + + uids: List[str] = [] + for line in element.text.split("\n"): + if line.startswith("UID:"): + uid = line[len("UID:"):] + assert uid == "event_daily_rrule" + uids.append(uid) + + assert len(uids) == 1 + + req_body_with_expand = \ + """ + + + + + + + + + + + + + + + """ + + _, responses = self.report("/calendar.ics/", req_body_with_expand) + + assert len(responses) == 1 + + response_with_expand = responses['/calendar.ics/event_daily_rrule.ics'] + assert not isinstance(response_with_expand, int) + status, element = response_with_expand["C:calendar-data"] + + assert status == 200 and element.text + assert "RRULE" not in element.text + assert "BEGIN:VTIMEZONE" not in element.text + + uids = [] + recurrence_ids = [] + for line in element.text.split("\n"): + if line.startswith("UID:"): + assert line == "UID:event_daily_rrule" + uids.append(line) + + if line.startswith("RECURRENCE-ID:"): + assert line in ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"] + recurrence_ids.append(line) + + if line.startswith("DTSTART:"): + assert line in ["DTSTART:20060103T170000Z", "DTSTART:20060104T170000Z"] + + assert len(uids) == 2 + assert len(set(recurrence_ids)) == 2 + + def test_report_with_expand_property_all_day_event(self) -> None: + """Test report with expand property""" + self.put("/calendar.ics/", get_file_content("event_full_day_rrule.ics")) + req_body_without_expand = \ + """ + + + + + + + + + + + + + + """ + _, responses = self.report("/calendar.ics/", req_body_without_expand) + assert len(responses) == 1 + + response_without_expand = responses['/calendar.ics/event_full_day_rrule.ics'] + assert not isinstance(response_without_expand, int) + status, element = response_without_expand["C:calendar-data"] + + assert status == 200 and element.text + + assert "RRULE" in element.text + assert "RECURRENCE-ID" not in element.text + + uids: List[str] = [] + for line in element.text.split("\n"): + if line.startswith("UID:"): + uid = line[len("UID:"):] + assert uid == "event_full_day_rrule" + uids.append(uid) + + assert len(uids) == 1 + + req_body_with_expand = \ + """ + + + + + + + + + + + + + + + """ + + _, responses = self.report("/calendar.ics/", req_body_with_expand) + + assert len(responses) == 1 + + response_with_expand = responses['/calendar.ics/event_full_day_rrule.ics'] + assert not isinstance(response_with_expand, int) + status, element = response_with_expand["C:calendar-data"] + + assert status == 200 and element.text + assert "RRULE" not in element.text + assert "BEGIN:VTIMEZONE" not in element.text + + uids = [] + recurrence_ids = [] + for line in element.text.split("\n"): + if line.startswith("UID:"): + assert line == "UID:event_full_day_rrule" + uids.append(line) + + if line.startswith("RECURRENCE-ID:"): + assert line in ["RECURRENCE-ID:20060103", "RECURRENCE-ID:20060104", "RECURRENCE-ID:20060105"] + recurrence_ids.append(line) + + if line.startswith("DTSTART:"): + assert line in ["DTSTART:20060103", "DTSTART:20060104", "DTSTART:20060105"] + + if line.startswith("DTEND:"): + assert line in ["DTEND:20060104", "DTEND:20060105", "DTEND:20060106"] + + assert len(uids) == 3 + assert len(set(recurrence_ids)) == 3 + + def test_report_with_expand_property_overridden(self) -> None: + """Test report with expand property""" + self.put("/calendar.ics/", get_file_content("event_daily_rrule_overridden.ics")) + req_body_without_expand = \ + """ + + + + + + + + + + + + + + """ + _, responses = self.report("/calendar.ics/", req_body_without_expand) + assert len(responses) == 1 + + response_without_expand = responses['/calendar.ics/event_daily_rrule_overridden.ics'] + assert not isinstance(response_without_expand, int) + status, element = response_without_expand["C:calendar-data"] + + assert status == 200 and element.text + + assert "RRULE" in element.text + assert "BEGIN:VTIMEZONE" in element.text + + uids: List[str] = [] + for line in element.text.split("\n"): + if line.startswith("UID:"): + uid = line[len("UID:"):] + assert uid == "event_daily_rrule_overridden" + uids.append(uid) + + assert len(uids) == 2 + + req_body_with_expand = \ + """ + + + + + + + + + + + + + + + """ + + _, responses = self.report("/calendar.ics/", req_body_with_expand) + + assert len(responses) == 1 + + response_with_expand = responses['/calendar.ics/event_daily_rrule_overridden.ics'] + assert not isinstance(response_with_expand, int) + status, element = response_with_expand["C:calendar-data"] + + assert status == 200 and element.text + assert "RRULE" not in element.text + assert "BEGIN:VTIMEZONE" not in element.text + + uids = [] + recurrence_ids = [] + for line in element.text.split("\n"): + if line.startswith("UID:"): + assert line == "UID:event_daily_rrule_overridden" + uids.append(line) + + if line.startswith("RECURRENCE-ID:"): + assert line in ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"] + recurrence_ids.append(line) + + if line.startswith("DTSTART:"): + assert line in ["DTSTART:20060103T170000Z", "DTSTART:20060104T190000Z"] + + assert len(uids) == 2 + assert len(set(recurrence_ids)) == 2 From 6a6fec5bddb4d35504710a8ca9b0126dcf567d50 Mon Sep 17 00:00:00 2001 From: Pieter Hijma Date: Tue, 5 Nov 2024 12:43:58 +0100 Subject: [PATCH 019/361] Refactor test_expand --- radicale/tests/test_expand.py | 252 ++++++++-------------------------- 1 file changed, 58 insertions(+), 194 deletions(-) diff --git a/radicale/tests/test_expand.py b/radicale/tests/test_expand.py index d341f305..708c99fd 100644 --- a/radicale/tests/test_expand.py +++ b/radicale/tests/test_expand.py @@ -21,16 +21,14 @@ Radicale tests with expand requests. """ import os -import posixpath -from typing import Any, Callable, ClassVar, Iterable, List, Optional, Tuple +from typing import ClassVar, List -import defusedxml.ElementTree as DefusedET -import vobject - -from radicale import storage, xmlutils -from radicale.tests import RESPONSES, BaseTest +from radicale.tests import BaseTest from radicale.tests.helpers import get_file_content +ONLY_DATES = True +CONTAINS_TIMES = False + class TestExpandRequests(BaseTest): """Tests with expand requests.""" @@ -70,9 +68,14 @@ permissions: RrWw""") self.configure({"rights": {"file": rights_file_path, "type": "from_file"}}) - def test_report_with_expand_property(self) -> None: - """Test report with expand property""" - self.put("/calendar.ics/", get_file_content("event_daily_rrule.ics")) + def _test_expand(self, + expected_uid: str, + expected_recurrence_ids: List[str], + expected_start_times: List[str], + expected_end_times: List[str], + only_dates: bool, + nr_uids: int) -> None: + self.put("/calendar.ics/", get_file_content(f"{expected_uid}.ics")) req_body_without_expand = \ """ @@ -92,24 +95,26 @@ permissions: RrWw""") _, responses = self.report("/calendar.ics/", req_body_without_expand) assert len(responses) == 1 - response_without_expand = responses['/calendar.ics/event_daily_rrule.ics'] + response_without_expand = responses[f'/calendar.ics/{expected_uid}.ics'] assert not isinstance(response_without_expand, int) status, element = response_without_expand["C:calendar-data"] assert status == 200 and element.text assert "RRULE" in element.text - assert "BEGIN:VTIMEZONE" in element.text - assert "RECURRENCE-ID" not in element.text + if not only_dates: + assert "BEGIN:VTIMEZONE" in element.text + if nr_uids == 1: + assert "RECURRENCE-ID" not in element.text uids: List[str] = [] for line in element.text.split("\n"): if line.startswith("UID:"): uid = line[len("UID:"):] - assert uid == "event_daily_rrule" + assert uid == expected_uid uids.append(uid) - assert len(uids) == 1 + assert len(uids) == nr_uids req_body_with_expand = \ """ @@ -133,7 +138,7 @@ permissions: RrWw""") assert len(responses) == 1 - response_with_expand = responses['/calendar.ics/event_daily_rrule.ics'] + response_with_expand = responses[f'/calendar.ics/{expected_uid}.ics'] assert not isinstance(response_with_expand, int) status, element = response_with_expand["C:calendar-data"] @@ -145,192 +150,51 @@ permissions: RrWw""") recurrence_ids = [] for line in element.text.split("\n"): if line.startswith("UID:"): - assert line == "UID:event_daily_rrule" + assert line == f"UID:{expected_uid}" uids.append(line) if line.startswith("RECURRENCE-ID:"): - assert line in ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"] + assert line in expected_recurrence_ids recurrence_ids.append(line) if line.startswith("DTSTART:"): - assert line in ["DTSTART:20060103T170000Z", "DTSTART:20060104T170000Z"] - - assert len(uids) == 2 - assert len(set(recurrence_ids)) == 2 - - def test_report_with_expand_property_all_day_event(self) -> None: - """Test report with expand property""" - self.put("/calendar.ics/", get_file_content("event_full_day_rrule.ics")) - req_body_without_expand = \ - """ - - - - - - - - - - - - - - """ - _, responses = self.report("/calendar.ics/", req_body_without_expand) - assert len(responses) == 1 - - response_without_expand = responses['/calendar.ics/event_full_day_rrule.ics'] - assert not isinstance(response_without_expand, int) - status, element = response_without_expand["C:calendar-data"] - - assert status == 200 and element.text - - assert "RRULE" in element.text - assert "RECURRENCE-ID" not in element.text - - uids: List[str] = [] - for line in element.text.split("\n"): - if line.startswith("UID:"): - uid = line[len("UID:"):] - assert uid == "event_full_day_rrule" - uids.append(uid) - - assert len(uids) == 1 - - req_body_with_expand = \ - """ - - - - - - - - - - - - - - - """ - - _, responses = self.report("/calendar.ics/", req_body_with_expand) - - assert len(responses) == 1 - - response_with_expand = responses['/calendar.ics/event_full_day_rrule.ics'] - assert not isinstance(response_with_expand, int) - status, element = response_with_expand["C:calendar-data"] - - assert status == 200 and element.text - assert "RRULE" not in element.text - assert "BEGIN:VTIMEZONE" not in element.text - - uids = [] - recurrence_ids = [] - for line in element.text.split("\n"): - if line.startswith("UID:"): - assert line == "UID:event_full_day_rrule" - uids.append(line) - - if line.startswith("RECURRENCE-ID:"): - assert line in ["RECURRENCE-ID:20060103", "RECURRENCE-ID:20060104", "RECURRENCE-ID:20060105"] - recurrence_ids.append(line) - - if line.startswith("DTSTART:"): - assert line in ["DTSTART:20060103", "DTSTART:20060104", "DTSTART:20060105"] + assert line in expected_start_times if line.startswith("DTEND:"): - assert line in ["DTEND:20060104", "DTEND:20060105", "DTEND:20060106"] + assert line in expected_end_times - assert len(uids) == 3 - assert len(set(recurrence_ids)) == 3 + assert len(uids) == len(expected_recurrence_ids) + assert len(set(recurrence_ids)) == len(expected_recurrence_ids) + + def test_report_with_expand_property(self) -> None: + """Test report with expand property""" + self._test_expand( + "event_daily_rrule", + ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"], + ["DTSTART:20060103T170000Z", "DTSTART:20060104T170000Z"], + [], + CONTAINS_TIMES, + 1 + ) + + def test_report_with_expand_property_all_day_event(self) -> None: + """Test report with expand property for all day events""" + self._test_expand( + "event_full_day_rrule", + ["RECURRENCE-ID:20060103", "RECURRENCE-ID:20060104", "RECURRENCE-ID:20060105"], + ["DTSTART:20060103", "DTSTART:20060104", "DTSTART:20060105"], + ["DTEND:20060104", "DTEND:20060105", "DTEND:20060106"], + ONLY_DATES, + 1 + ) def test_report_with_expand_property_overridden(self) -> None: - """Test report with expand property""" - self.put("/calendar.ics/", get_file_content("event_daily_rrule_overridden.ics")) - req_body_without_expand = \ - """ - - - - - - - - - - - - - - """ - _, responses = self.report("/calendar.ics/", req_body_without_expand) - assert len(responses) == 1 - - response_without_expand = responses['/calendar.ics/event_daily_rrule_overridden.ics'] - assert not isinstance(response_without_expand, int) - status, element = response_without_expand["C:calendar-data"] - - assert status == 200 and element.text - - assert "RRULE" in element.text - assert "BEGIN:VTIMEZONE" in element.text - - uids: List[str] = [] - for line in element.text.split("\n"): - if line.startswith("UID:"): - uid = line[len("UID:"):] - assert uid == "event_daily_rrule_overridden" - uids.append(uid) - - assert len(uids) == 2 - - req_body_with_expand = \ - """ - - - - - - - - - - - - - - - """ - - _, responses = self.report("/calendar.ics/", req_body_with_expand) - - assert len(responses) == 1 - - response_with_expand = responses['/calendar.ics/event_daily_rrule_overridden.ics'] - assert not isinstance(response_with_expand, int) - status, element = response_with_expand["C:calendar-data"] - - assert status == 200 and element.text - assert "RRULE" not in element.text - assert "BEGIN:VTIMEZONE" not in element.text - - uids = [] - recurrence_ids = [] - for line in element.text.split("\n"): - if line.startswith("UID:"): - assert line == "UID:event_daily_rrule_overridden" - uids.append(line) - - if line.startswith("RECURRENCE-ID:"): - assert line in ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"] - recurrence_ids.append(line) - - if line.startswith("DTSTART:"): - assert line in ["DTSTART:20060103T170000Z", "DTSTART:20060104T190000Z"] - - assert len(uids) == 2 - assert len(set(recurrence_ids)) == 2 + """Test report with expand property with overridden events""" + self._test_expand( + "event_daily_rrule_overridden", + ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"], + ["DTSTART:20060103T170000Z", "DTSTART:20060104T190000Z"], + [], + CONTAINS_TIMES, + 2 + ) From cfc1e94ad8cc62772121c6620ae45bdde389aa74 Mon Sep 17 00:00:00 2001 From: Pieter Hijma Date: Thu, 7 Nov 2024 11:03:24 +0100 Subject: [PATCH 020/361] Expand taking timezone into account --- radicale/app/report.py | 152 +++++++++---------- radicale/tests/static/event_weekly_rrule.ics | 28 ++++ radicale/tests/test_expand.py | 40 ++++- 3 files changed, 131 insertions(+), 89 deletions(-) create mode 100644 radicale/tests/static/event_weekly_rrule.ics diff --git a/radicale/app/report.py b/radicale/app/report.py index 43d89916..da06b61d 100644 --- a/radicale/app/report.py +++ b/radicale/app/report.py @@ -24,8 +24,8 @@ import posixpath import socket import xml.etree.ElementTree as ET from http import client -from typing import (Any, Callable, Iterable, Iterator, List, Optional, - Sequence, Tuple, Union) +from typing import (Callable, Iterable, Iterator, List, Optional, Sequence, + Tuple, Union) from urllib.parse import unquote, urlparse import vobject @@ -296,26 +296,45 @@ def _expand( start: datetime.datetime, end: datetime.datetime, ) -> ET.Element: - dt_format = '%Y%m%dT%H%M%SZ' + vevent_component: vobject.base.Component = copy.copy(item.vobject_item) - if type(item.vobject_item.vevent.dtstart.value) is datetime.date: - # If an event comes to us with a dt_start specified as a date + # Split the vevents included in the component into one that contains the + # recurrence information and others that contain a recurrence id to + # override instances. + vevent_recurrence, vevents_overridden = _split_overridden_vevents(vevent_component) + + dt_format = '%Y%m%dT%H%M%SZ' + all_day_event = False + + if type(vevent_recurrence.dtstart.value) is datetime.date: + # If an event comes to us with a dtstart specified as a date # then in the response we return the date, not datetime dt_format = '%Y%m%d' + all_day_event = True + # In case of dates, we need to remove timezone information since + # rruleset.between computes with datetimes without timezone information + start = start.replace(tzinfo=None) + end = end.replace(tzinfo=None) + + for vevent in vevents_overridden: + _strip_single_event(vevent, dt_format) duration = None - if hasattr(item.vobject_item.vevent, "dtend"): - duration = item.vobject_item.vevent.dtend.value - item.vobject_item.vevent.dtstart.value + if hasattr(vevent_recurrence, "dtend"): + duration = vevent_recurrence.dtend.value - vevent_recurrence.dtstart.value - expanded_item, rruleset = _make_vobject_expanded_item(item, dt_format) + rruleset = None + if hasattr(vevent_recurrence, 'rrule'): + rruleset = vevent_recurrence.getrruleset() if rruleset: + # This function uses datetimes internally without timezone info for dates recurrences = rruleset.between(start, end, inc=True) - expanded: vobject.base.Component = copy.copy(expanded_item.vobject_item) - vevent_recurrence, vevents_overridden = _split_overridden_vevents(expanded, dt_format) + _strip_component(vevent_component) + _strip_single_event(vevent_recurrence, dt_format) - is_expanded_filled: bool = False + is_component_filled: bool = False i_overridden = 0 for recurrence_dt in recurrences: @@ -323,30 +342,34 @@ def _expand( i_overridden, vevent = _find_overridden(i_overridden, vevents_overridden, recurrence_utc, dt_format) if not vevent: + # We did not find an overridden instance, so create a new one vevent = copy.deepcopy(vevent_recurrence) + + # For all day events, the system timezone may influence the + # results, so use recurrence_dt + recurrence_id = recurrence_dt if all_day_event else recurrence_utc vevent.recurrence_id = ContentLine( name='RECURRENCE-ID', - value=recurrence_utc.strftime(dt_format), params={} + value=recurrence_id, params={} ) + _convert_to_utc(vevent, 'recurrence_id', dt_format) vevent.dtstart = ContentLine( name='DTSTART', - value=recurrence_utc.strftime(dt_format), params={} + value=recurrence_id.strftime(dt_format), params={} ) if duration: vevent.dtend = ContentLine( name='DTEND', - value=(recurrence_utc + duration).strftime(dt_format), params={} + value=(recurrence_id + duration).strftime(dt_format), params={} ) - if is_expanded_filled is False: - expanded.vevent = vevent - is_expanded_filled = True + if not is_component_filled: + vevent_component.vevent = vevent + is_component_filled = True else: - expanded.add(vevent) + vevent_component.add(vevent) - element.text = expanded.serialize() - else: - element.text = expanded_item.vobject_item.serialize() + element.text = vevent_component.serialize() return element @@ -374,76 +397,37 @@ def _convert_to_utc(vevent: vobject.icalendar.RecurringComponent, setattr(vevent, name_prop, ContentLine(name=prop.name, value=prop.value.strftime(dt_format), params=[])) -def _make_vobject_expanded_item( - item: radicale_item.Item, - dt_format: str, -) -> Tuple[radicale_item.Item, Optional[Any]]: - # https://www.rfc-editor.org/rfc/rfc4791#section-9.6.5 - # The returned calendar components MUST NOT use recurrence - # properties (i.e., EXDATE, EXRULE, RDATE, and RRULE) and MUST NOT - # have reference to or include VTIMEZONE components. Date and local - # time with reference to time zone information MUST be converted - # into date with UTC time. +def _strip_single_event(vevent: vobject.icalendar.RecurringComponent, dt_format: str) -> None: + _convert_timezone(vevent, 'dtstart', 'DTSTART') + _convert_timezone(vevent, 'dtend', 'DTEND') + _convert_timezone(vevent, 'recurrence_id', 'RECURRENCE-ID') - item = copy.copy(item) - vevent = item.vobject_item.vevent + # There is something strange behaviour during serialization native datetime, so converting manually + _convert_to_utc(vevent, 'dtstart', dt_format) + _convert_to_utc(vevent, 'dtend', dt_format) + _convert_to_utc(vevent, 'recurrence_id', dt_format) - if type(vevent.dtstart.value) is datetime.date: - start_utc = datetime.datetime.fromordinal( - vevent.dtstart.value.toordinal() - ).replace(tzinfo=datetime.timezone.utc) - else: - start_utc = vevent.dtstart.value.astimezone(datetime.timezone.utc) + try: + delattr(vevent, 'rrule') + delattr(vevent, 'exdate') + delattr(vevent, 'exrule') + delattr(vevent, 'rdate') + except AttributeError: + pass - vevent.dtstart = ContentLine(name='DTSTART', value=start_utc, params=[]) - dt_end = getattr(vevent, 'dtend', None) - if dt_end is not None: - if type(vevent.dtend.value) is datetime.date: - end_utc = datetime.datetime.fromordinal( - dt_end.value.toordinal() - ).replace(tzinfo=datetime.timezone.utc) - else: - end_utc = dt_end.value.astimezone(datetime.timezone.utc) +def _strip_component(vevent: vobject.base.Component) -> None: + timezones_to_remove = [] + for component in vevent.components(): + if component.name == 'VTIMEZONE': + timezones_to_remove.append(component) - vevent.dtend = ContentLine(name='DTEND', value=end_utc, params={}) - - rruleset = None - for i, vevent in enumerate(item.vobject_item.vevent_list): - _convert_timezone(vevent, 'dtstart', 'DTSTART') - _convert_timezone(vevent, 'dtend', 'DTEND') - _convert_timezone(vevent, 'recurrence_id', 'RECURRENCE-ID') - - if hasattr(vevent, 'rrule'): - rruleset = vevent.getrruleset() - - # There is something strange behaviour during serialization native datetime, so converting manually - _convert_to_utc(vevent, 'dtstart', dt_format) - _convert_to_utc(vevent, 'dtend', dt_format) - _convert_to_utc(vevent, 'recurrence_id', dt_format) - - timezones_to_remove = [] - for component in item.vobject_item.components(): - if component.name == 'VTIMEZONE': - timezones_to_remove.append(component) - - for timezone in timezones_to_remove: - item.vobject_item.remove(timezone) - - try: - delattr(item.vobject_item.vevent_list[i], 'rrule') - delattr(item.vobject_item.vevent_list[i], 'exdate') - delattr(item.vobject_item.vevent_list[i], 'exrule') - delattr(item.vobject_item.vevent_list[i], 'rdate') - except AttributeError: - pass - - return item, rruleset + for timezone in timezones_to_remove: + vevent.remove(timezone) def _split_overridden_vevents( component: vobject.base.Component, - dt_format: str ) -> Tuple[ vobject.icalendar.RecurringComponent, List[vobject.icalendar.RecurringComponent] @@ -457,7 +441,7 @@ def _split_overridden_vevents( elif vevent_recurrence: raise ValueError( f"component with UID {vevent.uid} " - f"has more than one vevent without a recurrence_id" + f"has more than one vevent with recurrence information" ) else: vevent_recurrence = vevent @@ -466,7 +450,7 @@ def _split_overridden_vevents( return ( vevent_recurrence, sorted( vevents_overridden, - key=lambda vevent: datetime.datetime.strptime(vevent.recurrence_id.value, dt_format) + key=lambda vevent: vevent.recurrence_id.value ) ) else: diff --git a/radicale/tests/static/event_weekly_rrule.ics b/radicale/tests/static/event_weekly_rrule.ics new file mode 100644 index 00000000..f5e982cd --- /dev/null +++ b/radicale/tests/static/event_weekly_rrule.ics @@ -0,0 +1,28 @@ +BEGIN:VCALENDAR +VERSION:2.0 +BEGIN:VTIMEZONE +LAST-MODIFIED:20040110T032845Z +TZID:US/Eastern +BEGIN:DAYLIGHT +DTSTART:20000404T020000 +RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4 +TZNAME:EDT +TZOFFSETFROM:-0500 +TZOFFSETTO:-0400 +END:DAYLIGHT +BEGIN:STANDARD +DTSTART:20001026T020000 +RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10 +TZNAME:EST +TZOFFSETFROM:-0400 +TZOFFSETTO:-0500 +END:STANDARD +END:VTIMEZONE +BEGIN:VEVENT +DTSTART;TZID=US/Eastern:20060321T150000 +DURATION:PT1H +RRULE:FREQ=WEEKLY;COUNT=5 +SUMMARY:Recurring event +UID:event_weekly_rrule +END:VEVENT +END:VCALENDAR diff --git a/radicale/tests/test_expand.py b/radicale/tests/test_expand.py index 708c99fd..1070bc77 100644 --- a/radicale/tests/test_expand.py +++ b/radicale/tests/test_expand.py @@ -70,6 +70,8 @@ permissions: RrWw""") def _test_expand(self, expected_uid: str, + start: str, + end: str, expected_recurrence_ids: List[str], expected_start_times: List[str], expected_end_times: List[str], @@ -77,7 +79,7 @@ permissions: RrWw""") nr_uids: int) -> None: self.put("/calendar.ics/", get_file_content(f"{expected_uid}.ics")) req_body_without_expand = \ - """ + f""" @@ -86,7 +88,7 @@ permissions: RrWw""") - + @@ -117,17 +119,17 @@ permissions: RrWw""") assert len(uids) == nr_uids req_body_with_expand = \ - """ + f""" - + - + @@ -170,6 +172,8 @@ permissions: RrWw""") """Test report with expand property""" self._test_expand( "event_daily_rrule", + "20060103T000000Z", + "20060105T000000Z", ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"], ["DTSTART:20060103T170000Z", "DTSTART:20060104T170000Z"], [], @@ -181,6 +185,8 @@ permissions: RrWw""") """Test report with expand property for all day events""" self._test_expand( "event_full_day_rrule", + "20060103T000000Z", + "20060105T000000Z", ["RECURRENCE-ID:20060103", "RECURRENCE-ID:20060104", "RECURRENCE-ID:20060105"], ["DTSTART:20060103", "DTSTART:20060104", "DTSTART:20060105"], ["DTEND:20060104", "DTEND:20060105", "DTEND:20060106"], @@ -192,9 +198,33 @@ permissions: RrWw""") """Test report with expand property with overridden events""" self._test_expand( "event_daily_rrule_overridden", + "20060103T000000Z", + "20060105T000000Z", ["RECURRENCE-ID:20060103T170000Z", "RECURRENCE-ID:20060104T170000Z"], ["DTSTART:20060103T170000Z", "DTSTART:20060104T190000Z"], [], CONTAINS_TIMES, 2 ) + + def test_report_with_expand_property_timezone(self): + self._test_expand( + "event_weekly_rrule", + "20060320T000000Z", + "20060414T000000Z", + [ + "RECURRENCE-ID:20060321T200000Z", + "RECURRENCE-ID:20060328T200000Z", + "RECURRENCE-ID:20060404T190000Z", + "RECURRENCE-ID:20060411T190000Z", + ], + [ + "DTSTART:20060321T200000Z", + "DTSTART:20060328T200000Z", + "DTSTART:20060404T190000Z", + "DTSTART:20060411T190000Z", + ], + [], + CONTAINS_TIMES, + 1 + ) From 1d07d729468452d072cea01d6d6c387c93a96ff9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 14 Nov 2024 07:28:57 +0100 Subject: [PATCH 021/361] update --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 244cae47..5d2858fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ * Add: option [auth] type=dovecot * Enhancement: log content in case of multiple main components error +* Fix: expand does not take timezones into account +* Fix: expand does not support overridden recurring events +* Fix: expand does not honor start and end times ## 3.3.0 From fb904320d20ddf8adc4b56f193905b572032dd82 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 13 Nov 2024 22:19:44 +0100 Subject: [PATCH 022/361] add support for ssl protocol and ciphersuite --- config | 6 +++ radicale/config.py | 8 ++++ radicale/server.py | 21 ++++++++- radicale/utils.py | 109 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 143 insertions(+), 1 deletion(-) diff --git a/config b/config index cb50ab72..8415807b 100644 --- a/config +++ b/config @@ -40,6 +40,12 @@ # TCP traffic between Radicale and a reverse proxy #certificate_authority = +# SSL protocol, secure configuration: ALL -SSLv3 -TLSv1 -TLSv1.1 +#protocol = (default) + +# SSL ciphersuite, secure configuration: DHE:ECDHE:-NULL:-SHA (see also "man openssl-ciphers") +#ciphersuite = (default) + [encoding] diff --git a/radicale/config.py b/radicale/config.py index 3e91a6fa..2a70a7e7 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -141,6 +141,14 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "aliases": ("-s", "--ssl",), "opposite_aliases": ("-S", "--no-ssl",), "type": bool}), + ("protocol", { + "value": "", + "help": "SSL/TLS protocol (Apache SSLProtocol format)", + "type": str}), + ("ciphersuite", { + "value": "", + "help": "SSL/TLS Cipher Suite (OpenSSL cipher list format)", + "type": str}), ("certificate", { "value": "/etc/ssl/radicale.cert.pem", "help": "set certificate file", diff --git a/radicale/server.py b/radicale/server.py index 2f03837c..497d492e 100644 --- a/radicale/server.py +++ b/radicale/server.py @@ -34,7 +34,7 @@ from typing import (Any, Callable, Dict, List, MutableMapping, Optional, Set, Tuple, Union) from urllib.parse import unquote -from radicale import Application, config +from radicale import Application, config, utils from radicale.log import logger COMPAT_EAI_ADDRFAMILY: int @@ -167,6 +167,8 @@ class ParallelHTTPSServer(ParallelHTTPServer): certfile: str = self.configuration.get("server", "certificate") keyfile: str = self.configuration.get("server", "key") cafile: str = self.configuration.get("server", "certificate_authority") + protocol: str = self.configuration.get("server", "protocol") + ciphersuite: str = self.configuration.get("server", "ciphersuite") # Test if the files can be read for name, filename in [("certificate", certfile), ("key", keyfile), ("certificate_authority", cafile)]: @@ -184,6 +186,23 @@ class ParallelHTTPSServer(ParallelHTTPServer): e)) from e context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) context.load_cert_chain(certfile=certfile, keyfile=keyfile) + if protocol: + logger.info("SSL set explicit protocol: '%s'", protocol) + context.options = utils.ssl_context_options_by_protocol(protocol, context.options) + context.minimum_version = utils.ssl_context_minimum_version_by_options(context.options) + else: + logger.info("SSL default protocol active") + logger.info("SSL minimum acceptable protocol: %s", context.minimum_version) + logger.info("SSL accepted protocols: %s", ' '.join(utils.ssl_get_protocols(context))) + if ciphersuite: + logger.info("SSL set explicit ciphersuite: '%s'", ciphersuite) + context.set_ciphers(ciphersuite) + else: + logger.info("SSL default ciphersuite active") + cipherlist = [] + for entry in context.get_ciphers(): + cipherlist.append(entry["name"]) + logger.info("SSL accepted ciphers: %s", ' '.join(cipherlist)) if cafile: context.load_verify_locations(cafile=cafile) context.verify_mode = ssl.CERT_REQUIRED diff --git a/radicale/utils.py b/radicale/utils.py index a6512646..d4954177 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -2,6 +2,7 @@ # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2018 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -18,6 +19,7 @@ from importlib import import_module, metadata from typing import Callable, Sequence, Type, TypeVar, Union +import ssl from radicale import config from radicale.log import logger @@ -47,3 +49,110 @@ def load_plugin(internal_types: Sequence[str], module_name: str, def package_version(name): return metadata.version(name) + + +def ssl_context_options_by_protocol(protocol: str, ssl_context_options): + logger.debug("SSL protocol string: '%s' and current SSL context options: '0x%x'", protocol, ssl_context_options) + # disable any protocol by default + logger.debug("SSL context options, disable ALL by default") + ssl_context_options |= ssl.OP_NO_SSLv2 + ssl_context_options |= ssl.OP_NO_SSLv3 + ssl_context_options |= ssl.OP_NO_TLSv1 + ssl_context_options |= ssl.OP_NO_TLSv1_1 + ssl_context_options |= ssl.OP_NO_TLSv1_2 + ssl_context_options |= ssl.OP_NO_TLSv1_3 + logger.debug("SSL cleared SSL context options: '0x%x'", ssl_context_options) + for entry in protocol.split(): + entry = entry.strip('+') # remove trailing '+' + if entry == "ALL": + logger.debug("SSL context options, enable ALL (some maybe not supported by underlying OpenSSL, SSLv2 not enabled at all)") + ssl_context_options &= ~ssl.OP_NO_SSLv3 + ssl_context_options &= ~ssl.OP_NO_TLSv1 + ssl_context_options &= ~ssl.OP_NO_TLSv1_1 + ssl_context_options &= ~ssl.OP_NO_TLSv1_2 + ssl_context_options &= ~ssl.OP_NO_TLSv1_3 + elif entry == "SSLv2": + logger.notice("SSL context options, ignore SSLv2 (totally insecure)") + elif entry == "SSLv3": + ssl_context_options &= ~ssl.OP_NO_SSLv3 + logger.debug("SSL context options, enable SSLv3 (maybe not supported by underlying OpenSSL)") + elif entry == "TLSv1": + ssl_context_options &= ~ssl.OP_NO_TLSv1 + logger.debug("SSL context options, enable TLSv1 (maybe not supported by underlying OpenSSL)") + elif entry == "TLSv1.1": + logger.debug("SSL context options, enable TLSv1.1 (maybe not supported by underlying OpenSSL)") + ssl_context_options &= ~ssl.OP_NO_TLSv1_1 + elif entry == "TLSv1.2": + logger.debug("SSL context options, enable TLSv1.2") + ssl_context_options &= ~ssl.OP_NO_TLSv1_2 + elif entry == "TLSv1.3": + logger.debug("SSL context options, enable TLSv1.3") + ssl_context_options &= ~ssl.OP_NO_TLSv1_3 + elif entry == "-ALL": + logger.debug("SSL context options, disable ALL") + ssl_context_options |= ssl.OP_NO_SSLv2 + ssl_context_options |= ssl.OP_NO_SSLv3 + ssl_context_options |= ssl.OP_NO_TLSv1 + ssl_context_options |= ssl.OP_NO_TLSv1_1 + ssl_context_options |= ssl.OP_NO_TLSv1_2 + ssl_context_options |= ssl.OP_NO_TLSv1_3 + elif entry == "-SSLv2": + ssl_context_options |= ssl.OP_NO_SSLv2 + logger.debug("SSL context options, disable SSLv2") + elif entry == "-SSLv3": + ssl_context_options |= ssl.OP_NO_SSLv3 + logger.debug("SSL context options, disable SSLv3") + elif entry == "-TLSv1": + logger.debug("SSL context options, disable TLSv1") + ssl_context_options |= ssl.OP_NO_TLSv1 + elif entry == "-TLSv1.1": + logger.debug("SSL context options, disable TLSv1.1") + ssl_context_options |= ssl.OP_NO_TLSv1_1 + elif entry == "-TLSv1.2": + logger.debug("SSL context options, disable TLSv1.2") + ssl_context_options |= ssl.OP_NO_TLSv1_2 + elif entry == "-TLSv1.3": + logger.debug("SSL context options, disable TLSv1.3") + ssl_context_options |= ssl.OP_NO_TLSv1_3 + else: + logger.error("SSL protocol string: '%s' contain unsupported entry: '%s'", protocol, entry) + + logger.debug("SSL resulting context options: '0x%x'", ssl_context_options) + return ssl_context_options + + +def ssl_context_minimum_version_by_options(ssl_context_options): + logger.debug("SSL calculate minimum version by context options: '0x%x'", ssl_context_options) + ssl_context_minimum_version = 0 # default + if ((ssl_context_options & ssl.OP_NO_SSLv3) and (ssl_context_minimum_version == 0)): + ssl_context_minimum_version = ssl.TLSVersion.TLSv1 + if ((ssl_context_options & ssl.OP_NO_TLSv1) and (ssl_context_minimum_version == ssl.TLSVersion.TLSv1)): + ssl_context_minimum_version = ssl.TLSVersion.TLSv1_1 + if ((ssl_context_options & ssl.OP_NO_TLSv1_1) and (ssl_context_minimum_version == ssl.TLSVersion.TLSv1_1)): + ssl_context_minimum_version = ssl.TLSVersion.TLSv1_2 + if ((ssl_context_options & ssl.OP_NO_TLSv1_2) and (ssl_context_minimum_version == ssl.TLSVersion.TLSv1_2)): + ssl_context_minimum_version = ssl.TLSVersion.TLSv1_3 + if (ssl_context_minimum_version == 0): + ssl_context_minimum_version = ssl.TLSVersion.SSLv3 # default + + logger.debug("SSL context options: '0x%x' results in minimum version: %s", ssl_context_options, ssl_context_minimum_version) + return ssl_context_minimum_version + + +def ssl_get_protocols(context): + protocols = [] + if not (context.options & ssl.OP_NO_SSLv3): + if (context.minimum_version < ssl.TLSVersion.TLSv1): + protocols.append("SSLv3") + if not (context.options & ssl.OP_NO_TLSv1): + if (context.minimum_version < ssl.TLSVersion.TLSv1_1): + protocols.append("TLSv1") + if not (context.options & ssl.OP_NO_TLSv1_1): + if (context.minimum_version < ssl.TLSVersion.TLSv1_2): + protocols.append("TLSv1.1") + if not (context.options & ssl.OP_NO_TLSv1_2): + if (context.minimum_version < ssl.TLSVersion.TLSv1_3): + protocols.append("TLSv1.2") + if not (context.options & ssl.OP_NO_TLSv1_3): + protocols.append("TLSv1.3") + return protocols From 00dac0c030ed805c89ab9564e198cec9a2ec1e58 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 13 Nov 2024 22:20:13 +0100 Subject: [PATCH 023/361] add logging for ssl cert/key and cafile --- radicale/server.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/server.py b/radicale/server.py index 497d492e..9cf6af8f 100644 --- a/radicale/server.py +++ b/radicale/server.py @@ -185,6 +185,7 @@ class ParallelHTTPSServer(ParallelHTTPServer): "(%s)" % (type_name, name, "server", source, filename, e)) from e context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) + logger.info("SSL load files certificate='%s' key='%s'", certfile, keyfile) context.load_cert_chain(certfile=certfile, keyfile=keyfile) if protocol: logger.info("SSL set explicit protocol: '%s'", protocol) @@ -204,6 +205,7 @@ class ParallelHTTPSServer(ParallelHTTPServer): cipherlist.append(entry["name"]) logger.info("SSL accepted ciphers: %s", ' '.join(cipherlist)) if cafile: + logger.info("SSL enable mandatory client certificate verification using CA file='%s'", cafile) context.load_verify_locations(cafile=cafile) context.verify_mode = ssl.CERT_REQUIRED self.socket = context.wrap_socket( From 6929f3d0b38e0c603f6f7f2144de4dc7a73c9609 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 13 Nov 2024 22:26:03 +0100 Subject: [PATCH 024/361] ignore: E261 at least two spaces before inline comment --- setup.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.cfg b/setup.cfg index 10786e2a..ba916303 100644 --- a/setup.cfg +++ b/setup.cfg @@ -2,5 +2,5 @@ # Only enable default tests (https://github.com/PyCQA/flake8/issues/790#issuecomment-812823398) # DNE: DOES-NOT-EXIST select = E,F,W,C90,DNE000 -ignore = E121,E123,E126,E226,E24,E704,W503,W504,DNE000,E501 +ignore = E121,E123,E126,E226,E24,E704,W503,W504,DNE000,E501,E261 extend-exclude = build From 9ecb95ce3764ca961ea01f680d20bd537a0bd043 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 13 Nov 2024 22:29:13 +0100 Subject: [PATCH 025/361] feedback from isort --- radicale/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/utils.py b/radicale/utils.py index d4954177..035c94a9 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -17,9 +17,9 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import ssl from importlib import import_module, metadata from typing import Callable, Sequence, Type, TypeVar, Union -import ssl from radicale import config from radicale.log import logger From 243b888c8e13c6f6e2de72621ba8b06c5f83e1fb Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 13 Nov 2024 22:34:53 +0100 Subject: [PATCH 026/361] fix unsupported log level --- radicale/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/utils.py b/radicale/utils.py index 035c94a9..8d5d9416 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -72,7 +72,7 @@ def ssl_context_options_by_protocol(protocol: str, ssl_context_options): ssl_context_options &= ~ssl.OP_NO_TLSv1_2 ssl_context_options &= ~ssl.OP_NO_TLSv1_3 elif entry == "SSLv2": - logger.notice("SSL context options, ignore SSLv2 (totally insecure)") + logger.warning("SSL context options, ignore SSLv2 (totally insecure)") elif entry == "SSLv3": ssl_context_options &= ~ssl.OP_NO_SSLv3 logger.debug("SSL context options, enable SSLv3 (maybe not supported by underlying OpenSSL)") From 5380629bdaf88eb87d3a259fdba02b0b62508b7c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 13 Nov 2024 22:37:53 +0100 Subject: [PATCH 027/361] extend doc for SSL protocol/ciphersuite --- DOCUMENTATION.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 596a5125..ee4c7ab1 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -703,6 +703,22 @@ authentication plugin that extracts the username from the certificate. Default: +##### protocol + +Accepted SSL protocol +Example for secure configuration: ALL -SSLv3 -TLSv1 -TLSv1.1 +Format: Apache SSLProtocol list (from "mod_ssl") + +Default: (system default) + +##### ciphersuite + +Accepted SSL ciphersuite +Example for secure configuration: DHE:ECDHE:-NULL:-SHA +Format: OpenSSL cipher list (see also "man openssl-ciphers") + +Default: (system-default) + #### encoding ##### request From 07b7d28323899abea356f51b069d909e10562844 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 14 Nov 2024 06:14:45 +0100 Subject: [PATCH 028/361] extend with OpenSSL hint --- DOCUMENTATION.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index ee4c7ab1..d3de50d4 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -705,7 +705,7 @@ Default: ##### protocol -Accepted SSL protocol +Accepted SSL protocol (maybe not all supported by underlying OpenSSL version) Example for secure configuration: ALL -SSLv3 -TLSv1 -TLSv1.1 Format: Apache SSLProtocol list (from "mod_ssl") @@ -713,7 +713,7 @@ Default: (system default) ##### ciphersuite -Accepted SSL ciphersuite +Accepted SSL ciphersuite (maybe not all supported by underlying OpenSSL version) Example for secure configuration: DHE:ECDHE:-NULL:-SHA Format: OpenSSL cipher list (see also "man openssl-ciphers") From 416081a81f75e8b7a0afac2c3f3caa6aab0b68c7 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 14 Nov 2024 06:54:10 +0100 Subject: [PATCH 029/361] review, calculate also max TLS version --- radicale/server.py | 16 +++++++++++----- radicale/utils.py | 37 ++++++++++++++++++++++++++++--------- 2 files changed, 39 insertions(+), 14 deletions(-) diff --git a/radicale/server.py b/radicale/server.py index 9cf6af8f..80e58fd3 100644 --- a/radicale/server.py +++ b/radicale/server.py @@ -188,18 +188,24 @@ class ParallelHTTPSServer(ParallelHTTPServer): logger.info("SSL load files certificate='%s' key='%s'", certfile, keyfile) context.load_cert_chain(certfile=certfile, keyfile=keyfile) if protocol: - logger.info("SSL set explicit protocol: '%s'", protocol) + logger.info("SSL set explicit protocols (maybe not all supported by underlying OpenSSL): '%s'", protocol) context.options = utils.ssl_context_options_by_protocol(protocol, context.options) context.minimum_version = utils.ssl_context_minimum_version_by_options(context.options) + if (context.minimum_version == 0): + raise RuntimeError("No SSL minimum protocol active") + context.maximum_version = utils.ssl_context_maximum_version_by_options(context.options) + if (context.maximum_version == 0): + raise RuntimeError("No SSL maximum protocol active") else: - logger.info("SSL default protocol active") - logger.info("SSL minimum acceptable protocol: %s", context.minimum_version) + logger.info("SSL active protocols: (system-default)") + logger.debug("SSL minimum acceptable protocol: %s", context.minimum_version) + logger.debug("SSL maximum acceptable protocol: %s", context.maximum_version) logger.info("SSL accepted protocols: %s", ' '.join(utils.ssl_get_protocols(context))) if ciphersuite: - logger.info("SSL set explicit ciphersuite: '%s'", ciphersuite) + logger.info("SSL set explicit ciphersuite (maybe not all supported by underlying OpenSSL): '%s'", ciphersuite) context.set_ciphers(ciphersuite) else: - logger.info("SSL default ciphersuite active") + logger.info("SSL active ciphersuite: (system-default)") cipherlist = [] for entry in context.get_ciphers(): cipherlist.append(entry["name"]) diff --git a/radicale/utils.py b/radicale/utils.py index 8d5d9416..50a8d822 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -115,7 +115,7 @@ def ssl_context_options_by_protocol(protocol: str, ssl_context_options): logger.debug("SSL context options, disable TLSv1.3") ssl_context_options |= ssl.OP_NO_TLSv1_3 else: - logger.error("SSL protocol string: '%s' contain unsupported entry: '%s'", protocol, entry) + raise RuntimeError("SSL protocol config contains unsupported entry '%s'" % (entry)) logger.debug("SSL resulting context options: '0x%x'", ssl_context_options) return ssl_context_options @@ -123,8 +123,8 @@ def ssl_context_options_by_protocol(protocol: str, ssl_context_options): def ssl_context_minimum_version_by_options(ssl_context_options): logger.debug("SSL calculate minimum version by context options: '0x%x'", ssl_context_options) - ssl_context_minimum_version = 0 # default - if ((ssl_context_options & ssl.OP_NO_SSLv3) and (ssl_context_minimum_version == 0)): + ssl_context_minimum_version = ssl.TLSVersion.SSLv3 # default + if ((ssl_context_options & ssl.OP_NO_SSLv3) and (ssl_context_minimum_version == ssl.TLSVersion.SSLv3)): ssl_context_minimum_version = ssl.TLSVersion.TLSv1 if ((ssl_context_options & ssl.OP_NO_TLSv1) and (ssl_context_minimum_version == ssl.TLSVersion.TLSv1)): ssl_context_minimum_version = ssl.TLSVersion.TLSv1_1 @@ -132,27 +132,46 @@ def ssl_context_minimum_version_by_options(ssl_context_options): ssl_context_minimum_version = ssl.TLSVersion.TLSv1_2 if ((ssl_context_options & ssl.OP_NO_TLSv1_2) and (ssl_context_minimum_version == ssl.TLSVersion.TLSv1_2)): ssl_context_minimum_version = ssl.TLSVersion.TLSv1_3 - if (ssl_context_minimum_version == 0): - ssl_context_minimum_version = ssl.TLSVersion.SSLv3 # default + if ((ssl_context_options & ssl.OP_NO_TLSv1_3) and (ssl_context_minimum_version == ssl.TLSVersion.TLSv1_3)): + ssl_context_minimum_version = 0 # all disabled logger.debug("SSL context options: '0x%x' results in minimum version: %s", ssl_context_options, ssl_context_minimum_version) return ssl_context_minimum_version +def ssl_context_maximum_version_by_options(ssl_context_options): + logger.debug("SSL calculate maximum version by context options: '0x%x'", ssl_context_options) + ssl_context_maximum_version = ssl.TLSVersion.TLSv1_3 # default + if ((ssl_context_options & ssl.OP_NO_TLSv1_3) and (ssl_context_maximum_version == ssl.TLSVersion.TLSv1_3)): + ssl_context_maximum_version = ssl.TLSVersion.TLSv1_2 + if ((ssl_context_options & ssl.OP_NO_TLSv1_2) and (ssl_context_maximum_version == ssl.TLSVersion.TLSv1_2)): + ssl_context_maximum_version = ssl.TLSVersion.TLSv1_1 + if ((ssl_context_options & ssl.OP_NO_TLSv1_1) and (ssl_context_maximum_version == ssl.TLSVersion.TLSv1_1)): + ssl_context_maximum_version = ssl.TLSVersion.TLSv1 + if ((ssl_context_options & ssl.OP_NO_TLSv1) and (ssl_context_maximum_version == ssl.TLSVersion.TLSv1)): + ssl_context_maximum_version = ssl.TLSVersion.SSLv3 + if ((ssl_context_options & ssl.OP_NO_SSLv3) and (ssl_context_maximum_version == ssl.TLSVersion.SSLv3)): + ssl_context_maximum_version = 0 + + logger.debug("SSL context options: '0x%x' results in maximum version: %s", ssl_context_options, ssl_context_maximum_version) + return ssl_context_maximum_version + + def ssl_get_protocols(context): protocols = [] if not (context.options & ssl.OP_NO_SSLv3): if (context.minimum_version < ssl.TLSVersion.TLSv1): protocols.append("SSLv3") if not (context.options & ssl.OP_NO_TLSv1): - if (context.minimum_version < ssl.TLSVersion.TLSv1_1): + if (context.minimum_version < ssl.TLSVersion.TLSv1_1) and (context.maximum_version >= ssl.TLSVersion.TLSv1): protocols.append("TLSv1") if not (context.options & ssl.OP_NO_TLSv1_1): - if (context.minimum_version < ssl.TLSVersion.TLSv1_2): + if (context.minimum_version < ssl.TLSVersion.TLSv1_2) and (context.maximum_version >= ssl.TLSVersion.TLSv1_1): protocols.append("TLSv1.1") if not (context.options & ssl.OP_NO_TLSv1_2): - if (context.minimum_version < ssl.TLSVersion.TLSv1_3): + if (context.minimum_version <= ssl.TLSVersion.TLSv1_2) and (context.maximum_version >= ssl.TLSVersion.TLSv1_2): protocols.append("TLSv1.2") if not (context.options & ssl.OP_NO_TLSv1_3): - protocols.append("TLSv1.3") + if (context.minimum_version <= ssl.TLSVersion.TLSv1_3) and (context.maximum_version >= ssl.TLSVersion.TLSv1_3): + protocols.append("TLSv1.3") return protocols From df5ca97442498a71c42e225faca1c0d67ad6c50e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 14 Nov 2024 07:30:18 +0100 Subject: [PATCH 030/361] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d2858fb..20d2ff32 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ * Fix: expand does not take timezones into account * Fix: expand does not support overridden recurring events * Fix: expand does not honor start and end times +* Add: option [server] protocol + ciphersuite for optional restrictions on SSL socket ## 3.3.0 From 0baf67147e50086bb0f33368b6b5730b7c887404 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 14 Nov 2024 19:25:08 +0100 Subject: [PATCH 031/361] add X-Forwarded-Host/POrt --- contrib/nginx/radicale.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contrib/nginx/radicale.conf b/contrib/nginx/radicale.conf index fea82d03..b05183eb 100644 --- a/contrib/nginx/radicale.conf +++ b/contrib/nginx/radicale.conf @@ -7,6 +7,8 @@ # proxy_pass http://localhost:5232/; # proxy_set_header X-Script-Name /radicale; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header X-Forwarded-Host $host; +# proxy_set_header X-Forwarded-Port $server_port; # proxy_set_header Host $http_host; # proxy_pass_header Authorization; #} @@ -16,6 +18,8 @@ # proxy_pass http://localhost:5232/; # proxy_set_header X-Script-Name /radicale; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +# proxy_set_header X-Forwarded-Host $host; +# proxy_set_header X-Forwarded-Port $server_port; # proxy_set_header Host $http_host; # proxy_pass_header Authorization; #} From 7b0d3ed29def8ffe2b62c503f50efc14575ad85a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 17 Nov 2024 07:08:23 +0100 Subject: [PATCH 032/361] simplify X-Forwarded-Proto --- contrib/apache/radicale.conf | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/contrib/apache/radicale.conf b/contrib/apache/radicale.conf index 98a25a72..102dc794 100644 --- a/contrib/apache/radicale.conf +++ b/contrib/apache/radicale.conf @@ -43,10 +43,7 @@ RequestHeader set X-Script-Name /radicale RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s" - RequestHeader unset X-Forwarded-Proto - - RequestHeader set X-Forwarded-Proto "https" - + RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME} ProxyPass http://localhost:5232/ retry=0 ProxyPassReverse http://localhost:5232/ @@ -172,7 +169,7 @@ CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" RequestHeader set X-Script-Name / RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s" - RequestHeader set X-Forwarded-Proto "https" + RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME} ProxyPass http://localhost:5232/ retry=0 ProxyPassReverse http://localhost:5232/ From 18e8ab1ccc130d30d1628853080cd47b26eaae75 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 17 Nov 2024 07:08:52 +0100 Subject: [PATCH 033/361] add X-Forwarded-Proto --- contrib/nginx/radicale.conf | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/contrib/nginx/radicale.conf b/contrib/nginx/radicale.conf index b05183eb..5d63e523 100644 --- a/contrib/nginx/radicale.conf +++ b/contrib/nginx/radicale.conf @@ -3,15 +3,16 @@ ### Usual configuration file location: /etc/nginx/default.d/ ## Base URI: /radicale/ -#location /radicale/ { -# proxy_pass http://localhost:5232/; -# proxy_set_header X-Script-Name /radicale; -# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# proxy_set_header X-Forwarded-Host $host; -# proxy_set_header X-Forwarded-Port $server_port; -# proxy_set_header Host $http_host; -# proxy_pass_header Authorization; -#} +location /radicale/ { + proxy_pass http://localhost:5232/; + proxy_set_header X-Script-Name /radicale; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + proxy_pass_header Authorization; +} ## Base URI: / #location / { @@ -20,6 +21,7 @@ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Host $host; # proxy_set_header X-Forwarded-Port $server_port; +# proxy_set_header X-Forwarded-Proto $scheme; # proxy_set_header Host $http_host; # proxy_pass_header Authorization; #} From a64f0e10939a08e6fa862b0df96295312743dcff Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 17 Nov 2024 07:12:20 +0100 Subject: [PATCH 034/361] update related to nginx/apache proxy configs --- DOCUMENTATION.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index d3de50d4..c736c219 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -338,11 +338,16 @@ removed from the example below. Example **nginx** configuration: +See for latest examples: https://github.com/Kozea/Radicale/tree/master/contrib/nginx/ + ```nginx location /radicale/ { # The trailing / is important! proxy_pass http://localhost:5232/; # The / is important! proxy_set_header X-Script-Name /radicale; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_pass_header Authorization; } @@ -361,6 +366,8 @@ handle_path /radicale/* { Example **Apache** configuration: +See for latest examples: https://github.com/Kozea/Radicale/tree/master/contrib/apache/ + ```apache RewriteEngine On RewriteRule ^/radicale$ /radicale/ [R,L] @@ -370,10 +377,7 @@ RewriteRule ^/radicale$ /radicale/ [R,L] ProxyPassReverse http://localhost:5232/ RequestHeader set X-Script-Name /radicale RequestHeader set X-Forwarded-Port "%{SERVER_PORT}s" - RequestHeader unset X-Forwarded-Proto - - RequestHeader set X-Forwarded-Proto "https" - + RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME} ``` From a6b1e000e716db8df72e1eafe557cb401739702b Mon Sep 17 00:00:00 2001 From: fang Date: Sun, 17 Nov 2024 14:25:55 +0100 Subject: [PATCH 035/361] warn of possible client-side SSL requirement MacOS's Calendar.app may not send auth credentials when connecting to a CalDAV server over unsecured HTTP. Attempting to set up an account that way will give error messages about authentication, even though the credential the user entered are correct. Here, we point out this case in the documentation, prompting users to try enabling SSL if they encounter this. --- DOCUMENTATION.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index c736c219..d2d8a451 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1171,6 +1171,11 @@ In some clients you can just enter the URL of the Radicale server enter the URL of the collection directly (e.g. `http://localhost:5232/user/calendar`). +Some clients (notably macOS's Calendar.app) may silently refuse to include +account credentials over unsecured HTTP, leading to unexpected authentication +failures. In these cases, you want to make sure the Radicale server is +[accessible over HTTPS](#ssl). + #### DAVx⁵ Enter the URL of the Radicale server (e.g. `http://localhost:5232`) and your From c13e0e60fd5c3ff0fb5c4a2e264b76ee51cdec77 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 21 Nov 2024 07:51:20 +0100 Subject: [PATCH 036/361] remove unused dateutil references https://github.com/Kozea/Radicale/issues/1626 --- pyproject.toml | 1 - radicale/storage/__init__.py | 2 +- setup.py.legacy | 1 - 3 files changed, 1 insertion(+), 3 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index ff95d0a0..0310fbfd 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -33,7 +33,6 @@ dependencies = [ "defusedxml", "passlib", "vobject>=0.9.6", - "python-dateutil>=2.7.3", "pika>=1.1.0", ] diff --git a/radicale/storage/__init__.py b/radicale/storage/__init__.py index 73cf77b9..3a5ef586 100644 --- a/radicale/storage/__init__.py +++ b/radicale/storage/__init__.py @@ -38,7 +38,7 @@ from radicale.item import filter as radicale_filter INTERNAL_TYPES: Sequence[str] = ("multifilesystem", "multifilesystem_nolock",) -CACHE_DEPS: Sequence[str] = ("radicale", "vobject", "python-dateutil",) +CACHE_DEPS: Sequence[str] = ("radicale", "vobject") CACHE_VERSION: bytes = "".join( "%s=%s;" % (pkg, utils.package_version(pkg)) for pkg in CACHE_DEPS).encode() diff --git a/setup.py.legacy b/setup.py.legacy index d82d289e..63ae2a46 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -36,7 +36,6 @@ web_files = ["web/internal_data/css/icon.png", "web/internal_data/index.html"] install_requires = ["defusedxml", "passlib", "vobject>=0.9.6", - "python-dateutil>=2.7.3", "pika>=1.1.0", ] bcrypt_requires = ["bcrypt"] From 1ea782e3b2eaae2f1dc17d3403051edc86f00823 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 21 Nov 2024 08:02:18 +0100 Subject: [PATCH 037/361] drop test on pytest-3.8, anyhow EOL since 2024-10 --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 32961e86..09a65258 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -6,7 +6,7 @@ jobs: strategy: matrix: os: [ubuntu-latest, macos-latest, windows-latest] - python-version: ['3.8', '3.9', '3.10', '3.11', '3.12.3', '3.13.0-beta.4', pypy-3.8, pypy-3.9] + python-version: ['3.8', '3.9', '3.10', '3.11', '3.12.3', '3.13.0-beta.4', pypy-3.9] exclude: - os: windows-latest python-version: pypy-3.8 From f7e46ebf39e297eefc2cc86888edb9e3fff2b243 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 21 Nov 2024 08:05:35 +0100 Subject: [PATCH 038/361] change from 3.13.0.beta to final --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 09a65258..8339a975 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -6,7 +6,7 @@ jobs: strategy: matrix: os: [ubuntu-latest, macos-latest, windows-latest] - python-version: ['3.8', '3.9', '3.10', '3.11', '3.12.3', '3.13.0-beta.4', pypy-3.9] + python-version: ['3.8', '3.9', '3.10', '3.11', '3.12.3', '3.13.0', pypy-3.9] exclude: - os: windows-latest python-version: pypy-3.8 From 6f2c1037d5ac3d252fd693d9ce46d80bdbb8186f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 23 Nov 2024 21:34:07 +0100 Subject: [PATCH 039/361] catch errors during execution of hook, do not raise exception but log error --- radicale/storage/multifilesystem/lock.py | 32 +++++++++++++++--------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/radicale/storage/multifilesystem/lock.py b/radicale/storage/multifilesystem/lock.py index 7e814391..68a92792 100644 --- a/radicale/storage/multifilesystem/lock.py +++ b/radicale/storage/multifilesystem/lock.py @@ -75,27 +75,35 @@ class StoragePartLock(StorageBase): preexec_fn = os.setpgrp command = self._hook % { "user": shlex.quote(user or "Anonymous")} - logger.debug("Running storage hook") - p = subprocess.Popen( - command, stdin=subprocess.DEVNULL, - stdout=subprocess.PIPE if debug else subprocess.DEVNULL, - stderr=subprocess.PIPE if debug else subprocess.DEVNULL, - shell=True, universal_newlines=True, preexec_fn=preexec_fn, - cwd=self._filesystem_folder, creationflags=creationflags) + logger.debug("Executing storage hook: '%s'" % command) + try: + p = subprocess.Popen( + command, stdin=subprocess.DEVNULL, + stdout=subprocess.PIPE if debug else subprocess.DEVNULL, + stderr=subprocess.PIPE if debug else subprocess.DEVNULL, + shell=True, universal_newlines=True, preexec_fn=preexec_fn, + cwd=self._filesystem_folder, creationflags=creationflags) + except Exception as e: + logger.error("Execution of storage hook not successful on 'Popen': %s" % e) + return + logger.debug("Executing storage hook started 'Popen'") try: stdout_data, stderr_data = p.communicate() - except BaseException: # e.g. KeyboardInterrupt or SystemExit + except BaseException as e: # e.g. KeyboardInterrupt or SystemExit + logger.error("Execution of storage hook not successful on 'communicate': %s" % e) p.kill() p.wait() - raise + return finally: if sys.platform != "win32": # Kill remaining children identified by process group with contextlib.suppress(OSError): os.killpg(p.pid, signal.SIGKILL) + logger.debug("Executing storage hook finished") if stdout_data: - logger.debug("Captured stdout from hook:\n%s", stdout_data) + logger.debug("Captured stdout from storage hook:\n%s", stdout_data) if stderr_data: - logger.debug("Captured stderr from hook:\n%s", stderr_data) + logger.debug("Captured stderr from storage hook:\n%s", stderr_data) if p.returncode != 0: - raise subprocess.CalledProcessError(p.returncode, p.args) + logger.error("Execution of storage hook not successful: %s" % subprocess.CalledProcessError(p.returncode, p.args)) + return From 4781b48a1c3b2698fe6d2110ec4829224ad95c76 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 23 Nov 2024 21:35:58 +0100 Subject: [PATCH 040/361] review storage hook git part --- DOCUMENTATION.md | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index d2d8a451..e90e2d8a 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -578,14 +578,30 @@ authentication over HTTP. This tutorial describes how to keep track of all changes to calendars and address books with **git** (or any other version control system). -The repository must be initialized by running `git init` in the file -system folder. Internal files of Radicale can be excluded by creating the -file `.gitignore` with the following content: +The repository must be initialized in the collection base directory +of the user running `radicale` daemon. -```gitignore +```bash +## assuming "radicale" user is starting "radicale" service +# change to user "radicale" +su -l -s /bin/bash radicale + +# change to collection base directory, assumed /var/lib/radicale/collections +cd /var/lib/radicale/collections + +# initialize git repository +git init + +# set user and e-mail, here minimum example +git config user.name "$USER" +git config user.email "$USER@$HOSTNAME" + +# define ignore of cache/lock/tmp files +cat <<'END' >.gitignore .Radicale.cache .Radicale.lock .Radicale.tmp-* +END ``` The configuration option `hook` in the `storage` section must be set to @@ -598,16 +614,16 @@ git add -A && (git diff --cached --quiet || git commit -m "Changes by \"%(user)s The command gets executed after every change to the storage and commits the changes into the **git** repository. -For the hook to not cause errors either **git** user details need to be set and match the owner of the collections directory or the repository needs to be marked as safe. +Log of `git` can be investigated using -When using the systemd unit file from the [Running as a service](#running-as-a-service) section this **cannot** be done via a `.gitconfig` file in the users home directory, as Radicale won't have read permissions! - -In `/var/lib/radicale/collections/.git` run: ```bash -git config user.name "radicale" -git config user.email "radicale@example.com" +su -l -s /bin/bash radicale +cd /var/lib/radicale/collections +git log ``` +In case of error messages in log, check SELinux status and related audit log and file/directory permissions. + ## Documentation ### Configuration From 69780dd0ee954162f5b4f2203fdfa84c80dd4c26 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 15:53:53 +0100 Subject: [PATCH 041/361] adjust test: verify that a request succeeded if the hook still fails (anyhow no rollback implemented) --- radicale/tests/test_storage.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/tests/test_storage.py b/radicale/tests/test_storage.py index 9072a354..b03dadf7 100644 --- a/radicale/tests/test_storage.py +++ b/radicale/tests/test_storage.py @@ -80,9 +80,9 @@ class TestMultiFileSystem(BaseTest): self.propfind("/created_by_hook/") def test_hook_fail(self) -> None: - """Verify that a request fails if the hook fails.""" + """Verify that a request succeeded if the hook still fails (anyhow no rollback implemented).""" self.configure({"storage": {"hook": "exit 1"}}) - self.mkcalendar("/calendar.ics/", check=500) + self.mkcalendar("/calendar.ics/", check=200) def test_item_cache_rebuild(self) -> None: """Delete the item cache and verify that it is rebuild.""" From 5b64ef9fe7925980c41a48adceebdba9343ba3e8 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 16:29:14 +0100 Subject: [PATCH 042/361] extend hook doc --- DOCUMENTATION.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index e90e2d8a..44654d4c 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1017,6 +1017,11 @@ Command that is run after changes to storage. Take a look at the Default: +Supported placeholders: + - `%(user)`: logged-in user + +Command will be executed with base directory defined in `filesystem_folder` (see above) + ##### predefined_collections Create predefined user collections From 6fa15dae4a2b24222bad55e45a57911a20a6f9d7 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 16:29:48 +0100 Subject: [PATCH 043/361] extend hook doc in config --- config | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/config b/config index 8415807b..bf134fb7 100644 --- a/config +++ b/config @@ -145,7 +145,11 @@ #skip_broken_item = True # Command that is run after changes to storage -# Example: ([ -d .git ] || git init) && git add -A && (git diff --cached --quiet || git commit -m "Changes by \"%(user)s\"") +# Supported placeholders: +# %(user): logged-in user +# Command will be executed with base directory defined in filesystem_folder +# For "git" check DOCUMENTATION.md for bootstrap instructions +# Example: git add -A && (git diff --cached --quiet || git commit -m "Changes by \"%(user)s\"") #hook = # Create predefined user collections From 92e5032278490a74a0cdc54872e51fc1982a4140 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 16:30:13 +0100 Subject: [PATCH 044/361] fix result code --- radicale/tests/test_storage.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/tests/test_storage.py b/radicale/tests/test_storage.py index b03dadf7..22cc1f4c 100644 --- a/radicale/tests/test_storage.py +++ b/radicale/tests/test_storage.py @@ -82,7 +82,7 @@ class TestMultiFileSystem(BaseTest): def test_hook_fail(self) -> None: """Verify that a request succeeded if the hook still fails (anyhow no rollback implemented).""" self.configure({"storage": {"hook": "exit 1"}}) - self.mkcalendar("/calendar.ics/", check=200) + self.mkcalendar("/calendar.ics/", check=201) def test_item_cache_rebuild(self) -> None: """Delete the item cache and verify that it is rebuild.""" From 19f5aa0eddfc2102543c82b2a45099257e882428 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 16:37:35 +0100 Subject: [PATCH 045/361] extend doc as partially suggested by https://github.com/Kozea/Radicale/pull/914 --- DOCUMENTATION.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 44654d4c..cfc41558 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -586,7 +586,8 @@ of the user running `radicale` daemon. # change to user "radicale" su -l -s /bin/bash radicale -# change to collection base directory, assumed /var/lib/radicale/collections +# change to collection base directory defined in [storage] -> filesystem_folder +# assumed here /var/lib/radicale/collections cd /var/lib/radicale/collections # initialize git repository @@ -622,7 +623,14 @@ cd /var/lib/radicale/collections git log ``` -In case of error messages in log, check SELinux status and related audit log and file/directory permissions. +In case of problems, make sure you run radicale with ``--debug`` switch and +inspect the log output. For more information, please visit +[section on logging.]({{ site.baseurl }}/logging/) . + +Reason for problems can be + - SELinux status -> check related audit log + - problematic file/directory permissions + - command is not fond or cannot be executed or argument problem ## Documentation From 82064f823a0fd993eece83c7af06a2d21cf1665a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 16:39:40 +0100 Subject: [PATCH 046/361] add doc hint from https://github.com/Kozea/Radicale/pull/913 --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index bf134fb7..2b02d0b0 100644 --- a/config +++ b/config @@ -144,7 +144,7 @@ # Skip broken item instead of triggering an exception #skip_broken_item = True -# Command that is run after changes to storage +# Command that is run after changes to storage, default is emtpy # Supported placeholders: # %(user): logged-in user # Command will be executed with base directory defined in filesystem_folder From fbb6b1684a35860c51e6207d14bb55eeb10b66ae Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 16:46:19 +0100 Subject: [PATCH 047/361] replace eol URL --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index cfc41558..58ae1719 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1557,7 +1557,7 @@ The ``radicale`` package offers the following modules. `ìtem` : Internal representation of address book and calendar entries. Based on - [VObject](https://eventable.github.io/vobject/). + [VObject](https://github.com/py-vobject/vobject/). `log` : The logger for Radicale based on the default Python logging module. From 4696d252f4b2f35cd33348961303a3f1b0d3a25b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 16:56:00 +0100 Subject: [PATCH 048/361] extend changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 20d2ff32..8a32b9fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * Fix: expand does not support overridden recurring events * Fix: expand does not honor start and end times * Add: option [server] protocol + ciphersuite for optional restrictions on SSL socket +* Enhancement: [storage] hook documentation, logging, error behavior (no longer throwing an exception) ## 3.3.0 From f26facba3ece936add9fd452949fd4ce1760b31a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 17:10:07 +0100 Subject: [PATCH 049/361] cosmetics related to logging doc --- DOCUMENTATION.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 58ae1719..62ed0ade 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -625,7 +625,7 @@ git log In case of problems, make sure you run radicale with ``--debug`` switch and inspect the log output. For more information, please visit -[section on logging.]({{ site.baseurl }}/logging/) . +[section on logging](#logging-overview). Reason for problems can be - SELinux status -> check related audit log @@ -1485,11 +1485,11 @@ address books that are direct children of the path `/USERNAME/`. Delete collections by deleting the corresponding folders. -### Logging +### Logging overview Radicale logs to `stderr`. The verbosity of the log output can be controlled with `--debug` command line argument or the `level` configuration option in -the `logging` section. +the [logging](#logging) section. ### Architecture From 37f7df278610d156dc63ecdb97de24b86cbf0020 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 17:57:47 +0100 Subject: [PATCH 050/361] remove not supported option --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index 2b02d0b0..d3139133 100644 --- a/config +++ b/config @@ -116,7 +116,7 @@ [rights] # Rights backend -# Value: none | authenticated | owner_only | owner_write | from_file +# Value: authenticated | owner_only | owner_write | from_file #type = owner_only # File for rights management from_file From 62e6aad2d2737b8c14efde89723beca15dc465ee Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 18:30:59 +0100 Subject: [PATCH 051/361] align logging of path --- radicale/app/put.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 710e4435..fc40f7b4 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -179,11 +179,11 @@ class ApplicationPartPut(ApplicationBase): return httputils.NOT_ALLOWED if not self._permit_overwrite_collection: if ("O") not in access.permissions: - logger.info("overwrite of collection is prevented by config/option [rights] permit_overwrite_collection and not explicit allowed by permssion 'O': %s", path) + logger.info("overwrite of collection is prevented by config/option [rights] permit_overwrite_collection and not explicit allowed by permssion 'O': %r", path) return httputils.NOT_ALLOWED else: if ("o") in access.permissions: - logger.info("overwrite of collection is allowed by config/option [rights] permit_overwrite_collection but explicit forbidden by permission 'o': %s", path) + logger.info("overwrite of collection is allowed by config/option [rights] permit_overwrite_collection but explicit forbidden by permission 'o': %r", path) return httputils.NOT_ALLOWED elif "w" not in access.parent_permissions: return httputils.NOT_ALLOWED From e07a248451b3ed64d215111df004d22c9c7fdb75 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 18:53:00 +0100 Subject: [PATCH 052/361] log if destination directory is not a collection --- radicale/app/put.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/app/put.py b/radicale/app/put.py index fc40f7b4..6f883dca 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -176,6 +176,8 @@ class ApplicationPartPut(ApplicationBase): if write_whole_collection: if ("w" if tag else "W") not in access.permissions: + if not parent_item.tag: + logger.warning("Not a collection (check .Radicale.props): %r", parent_item.path) return httputils.NOT_ALLOWED if not self._permit_overwrite_collection: if ("O") not in access.permissions: From 48bab4b033d7bae80f35cc38a2dddc6f5aa0563f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 24 Nov 2024 19:02:54 +0100 Subject: [PATCH 053/361] update version --- CHANGELOG.md | 2 ++ pyproject.toml | 4 ++-- setup.py.legacy | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a32b9fe..4b1d5389 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ # Changelog +## 3.3.1 + * Add: option [auth] type=dovecot * Enhancement: log content in case of multiple main components error * Fix: expand does not take timezones into account diff --git a/pyproject.toml b/pyproject.toml index 0310fbfd..e79fc9ec 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,8 +3,8 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.1.dev" -authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}] +version = "3.3.1" +authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" keywords = ["calendar", "addressbook", "CalDAV", "CardDAV"] diff --git a/setup.py.legacy b/setup.py.legacy index 63ae2a46..0f5829c9 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -1,6 +1,7 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2009-2017 Guillaume Ayoub # Copyright © 2017-2018 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -19,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.1.dev" +VERSION = "3.3.1" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 64acfe27f40ab6b99ba50a18615e94325714d2f3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 27 Nov 2024 06:06:44 +0100 Subject: [PATCH 054/361] add reference to donation page --- .github/FUNDING.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 00000000..4d90bb44 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1 @@ +custom: https://github.com/Kozea/Radicale/wiki/Donations From 2c234b97d183440045edabbfa35d9d1f5a3e51d1 Mon Sep 17 00:00:00 2001 From: Alex Claman Date: Mon, 2 Dec 2024 15:51:39 -0500 Subject: [PATCH 055/361] Update DOCUMENTATION.md remove unnecessary call for `proxy_ssl_trusted_certificate` in example SSL-enabled reverse proxy config --- DOCUMENTATION.md | 1 - 1 file changed, 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 62ed0ade..e964cd53 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -537,7 +537,6 @@ location /radicale/ { # Place the files somewhere nginx is allowed to access (e.g. /etc/nginx/...). proxy_ssl_certificate /path/to/client_cert.pem; proxy_ssl_certificate_key /path/to/client_key.pem; - proxy_ssl_trusted_certificate /path/to/server_cert.pem; } ``` From a54fb10e17b39508f3af0e4902d145d30902b802 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 3 Dec 2024 21:19:12 +0100 Subject: [PATCH 056/361] Fix: debug logging in rights/from_file --- CHANGELOG.md | 3 +++ radicale/rights/from_file.py | 5 +---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4b1d5389..75298767 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Changelog +## 3.3.2.dev +* Fix: debug logging in rights/from_file + ## 3.3.1 * Add: option [auth] type=dovecot diff --git a/radicale/rights/from_file.py b/radicale/rights/from_file.py index 20928a64..aaec8307 100644 --- a/radicale/rights/from_file.py +++ b/radicale/rights/from_file.py @@ -99,12 +99,9 @@ class Rights(rights.BaseRights): user, sane_path, user_pattern, collection_pattern, section, permission) return permission - logger.debug("Rule %r:%r doesn't match %r:%r from section %r", - user, sane_path, user_pattern, collection_pattern, - section) if self._log_rights_rule_doesnt_match_on_debug: logger.debug("Rule %r:%r doesn't match %r:%r from section %r", user, sane_path, user_pattern, collection_pattern, section) - logger.info("Rights: %r:%r doesn't match any section", user, sane_path) + logger.debug("Rights: %r:%r doesn't match any section", user, sane_path) return "" From 8f80e0eb92bda55619f61cfe3d1cb80409030936 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 3 Dec 2024 21:20:44 +0100 Subject: [PATCH 057/361] update copyright --- radicale/rights/from_file.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/rights/from_file.py b/radicale/rights/from_file.py index aaec8307..6d63c801 100644 --- a/radicale/rights/from_file.py +++ b/radicale/rights/from_file.py @@ -1,6 +1,7 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2012-2017 Guillaume Ayoub -# Copyright © 2017-2019 Unrud +# Copyright © 2017-2021 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 43466078e78828d79d2c5dfce05341da8c0a3cd6 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 3 Dec 2024 21:29:57 +0100 Subject: [PATCH 058/361] use_cache_subfolder_for_item: extend changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 75298767..5a942bda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## 3.3.2.dev * Fix: debug logging in rights/from_file +* Add: option [storage] use_cache_subfolder_for_item for storing item cache outside collection-root ## 3.3.1 From d6bacc90478b0792b8e9629201533930f9b25fc2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 3 Dec 2024 21:31:12 +0100 Subject: [PATCH 059/361] use_cache_subfolder_for_item: doc --- DOCUMENTATION.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index e964cd53..ab28c6ce 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1005,6 +1005,12 @@ Folder for storing local collections, created if not present. Default: `/var/lib/radicale/collections` +##### use_cache_subfolder_for_item + +Use subfolder `collections-cache' for cache file structure of item instead of inside collection folders, created if not present + +Default: `False` + ##### max_sync_token_age Delete sync-token that are older than the specified time. (seconds) From 1d241d9e2fc0d7c9e0d00b98698cd15afd6291f2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 3 Dec 2024 21:31:28 +0100 Subject: [PATCH 060/361] use_cache_subfolder_for_item: config --- config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config b/config index d3139133..1522e17a 100644 --- a/config +++ b/config @@ -138,6 +138,9 @@ # Folder for storing local collections, created if not present #filesystem_folder = /var/lib/radicale/collections +# Use subfolder `collections-cache' for item cache file structure instead of inside collection folder +#use_cache_subfolder_for_item = False + # Delete sync token that are older (seconds) #max_sync_token_age = 2592000 From f754f285187c31c1436b65998f5ad344532d6bb1 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 3 Dec 2024 21:31:57 +0100 Subject: [PATCH 061/361] use_cache_subfolder_for_item: config option --- radicale/config.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/radicale/config.py b/radicale/config.py index 2a70a7e7..da7877ae 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -279,6 +279,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "/var/lib/radicale/collections", "help": "path where collections are stored", "type": filepath}), + ("use_cache_subfolder_for_item", { + "value": "False", + "help": "use subfolder `collections-cache' for item cache file structure instead of inside collection folder", + "type": bool}), ("max_sync_token_age", { "value": "2592000", # 30 days "help": "delete sync token that are older", From 0fe53e62dbf11ed9f50281d3fd020009f31702f5 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 3 Dec 2024 21:32:57 +0100 Subject: [PATCH 062/361] use_cache_subfolder_for_item: feature --- radicale/storage/multifilesystem/__init__.py | 3 +++ radicale/storage/multifilesystem/base.py | 8 ++++++++ radicale/storage/multifilesystem/cache.py | 6 +++--- radicale/storage/multifilesystem/move.py | 4 ++-- radicale/storage/multifilesystem/upload.py | 2 +- 5 files changed, 17 insertions(+), 6 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 67aa6a52..c30e3972 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -28,6 +28,7 @@ import time from typing import ClassVar, Iterator, Optional, Type from radicale import config +from radicale.log import logger from radicale.storage.multifilesystem.base import CollectionBase, StorageBase from radicale.storage.multifilesystem.cache import CollectionPartCache from radicale.storage.multifilesystem.create_collection import \ @@ -89,3 +90,5 @@ class Storage( def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) self._makedirs_synced(self._filesystem_folder) + logger.info("storage location: %r", self._filesystem_folder); + logger.info("storage cache subfolder usage for item: %s", self._use_cache_subfolder_for_item); diff --git a/radicale/storage/multifilesystem/base.py b/radicale/storage/multifilesystem/base.py index a7cc0bee..f39eaeaa 100644 --- a/radicale/storage/multifilesystem/base.py +++ b/radicale/storage/multifilesystem/base.py @@ -70,6 +70,7 @@ class StorageBase(storage.BaseStorage): _filesystem_folder: str _filesystem_fsync: bool + _use_cache_subfolder_for_item: bool def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) @@ -77,10 +78,17 @@ class StorageBase(storage.BaseStorage): "storage", "filesystem_folder") self._filesystem_fsync = configuration.get( "storage", "_filesystem_fsync") + self._use_cache_subfolder_for_item = configuration.get( + "storage", "use_cache_subfolder_for_item") def _get_collection_root_folder(self) -> str: return os.path.join(self._filesystem_folder, "collection-root") + def _get_collection_cache_folder(self, path, folder, subfolder) -> str: + if self._use_cache_subfolder_for_item == True and subfolder == "item": + path = path.replace(os.path.join(self._filesystem_folder, "collection-root"), os.path.join(self._filesystem_folder, "collection-cache")) + return os.path.join(path, folder, subfolder) + def _fsync(self, f: IO[AnyStr]) -> None: if self._filesystem_fsync: try: diff --git a/radicale/storage/multifilesystem/cache.py b/radicale/storage/multifilesystem/cache.py index 31ab4715..ec586458 100644 --- a/radicale/storage/multifilesystem/cache.py +++ b/radicale/storage/multifilesystem/cache.py @@ -81,7 +81,7 @@ class CollectionPartCache(CollectionBase): if not cache_hash: cache_hash = self._item_cache_hash( item.serialize().encode(self._encoding)) - cache_folder = os.path.join(self._filesystem_path, ".Radicale.cache", + cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") content = self._item_cache_content(item) self._storage._makedirs_synced(cache_folder) @@ -95,7 +95,7 @@ class CollectionPartCache(CollectionBase): def _load_item_cache(self, href: str, cache_hash: str ) -> Optional[CacheContent]: - cache_folder = os.path.join(self._filesystem_path, ".Radicale.cache", + cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") try: with open(os.path.join(cache_folder, href), "rb") as f: @@ -110,7 +110,7 @@ class CollectionPartCache(CollectionBase): return None def _clean_item_cache(self) -> None: - cache_folder = os.path.join(self._filesystem_path, ".Radicale.cache", + cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") self._clean_cache(cache_folder, ( e.name for e in os.scandir(cache_folder) if not diff --git a/radicale/storage/multifilesystem/move.py b/radicale/storage/multifilesystem/move.py index 30995c4f..1c614d6d 100644 --- a/radicale/storage/multifilesystem/move.py +++ b/radicale/storage/multifilesystem/move.py @@ -41,9 +41,9 @@ class StoragePartMove(StorageBase): if item.collection._filesystem_path != to_collection._filesystem_path: self._sync_directory(item.collection._filesystem_path) # Move the item cache entry - cache_folder = os.path.join(item.collection._filesystem_path, + cache_folder = self._get_collection_cache_folder(item.collection._filesystem_path, ".Radicale.cache", "item") - to_cache_folder = os.path.join(to_collection._filesystem_path, + to_cache_folder = self._get_collection_cache_folder(to_collection._filesystem_path, ".Radicale.cache", "item") self._makedirs_synced(to_cache_folder) try: diff --git a/radicale/storage/multifilesystem/upload.py b/radicale/storage/multifilesystem/upload.py index a9fcdc2c..af25bb6b 100644 --- a/radicale/storage/multifilesystem/upload.py +++ b/radicale/storage/multifilesystem/upload.py @@ -75,7 +75,7 @@ class CollectionPartUpload(CollectionPartGet, CollectionPartCache, yield radicale_item.find_available_uid( lambda href: not is_safe_free_href(href), suffix) - cache_folder = os.path.join(self._filesystem_path, + cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") self._storage._makedirs_synced(cache_folder) for item in items: From 92ce13e348c67a7fd70ca9fcf82d1317bf06766d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 3 Dec 2024 21:34:00 +0100 Subject: [PATCH 063/361] update copyrights --- radicale/storage/__init__.py | 2 +- radicale/storage/multifilesystem/__init__.py | 3 ++- radicale/storage/multifilesystem/cache.py | 3 ++- radicale/storage/multifilesystem/move.py | 3 ++- radicale/storage/multifilesystem/upload.py | 3 ++- radicale/tests/test_storage.py | 3 ++- 6 files changed, 11 insertions(+), 6 deletions(-) diff --git a/radicale/storage/__init__.py b/radicale/storage/__init__.py index 3a5ef586..58f2a499 100644 --- a/radicale/storage/__init__.py +++ b/radicale/storage/__init__.py @@ -1,7 +1,7 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2022 Unrud # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index c30e3972..bc60e2ae 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -1,7 +1,8 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub -# Copyright © 2017-2019 Unrud +# Copyright © 2017-2021 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/radicale/storage/multifilesystem/cache.py b/radicale/storage/multifilesystem/cache.py index ec586458..80cf83a4 100644 --- a/radicale/storage/multifilesystem/cache.py +++ b/radicale/storage/multifilesystem/cache.py @@ -1,7 +1,8 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2021 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/radicale/storage/multifilesystem/move.py b/radicale/storage/multifilesystem/move.py index 1c614d6d..22df99a5 100644 --- a/radicale/storage/multifilesystem/move.py +++ b/radicale/storage/multifilesystem/move.py @@ -1,7 +1,8 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2021 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/radicale/storage/multifilesystem/upload.py b/radicale/storage/multifilesystem/upload.py index af25bb6b..91c487c3 100644 --- a/radicale/storage/multifilesystem/upload.py +++ b/radicale/storage/multifilesystem/upload.py @@ -1,7 +1,8 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2022 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/radicale/tests/test_storage.py b/radicale/tests/test_storage.py index 22cc1f4c..38d9e397 100644 --- a/radicale/tests/test_storage.py +++ b/radicale/tests/test_storage.py @@ -1,6 +1,7 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2012-2017 Guillaume Ayoub -# Copyright © 2017-2019 Unrud +# Copyright © 2017-2022 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From edd6d0a513d8bfbfc55afff6355ce1ba4ebbf377 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 3 Dec 2024 21:34:11 +0100 Subject: [PATCH 064/361] use_cache_subfolder_for_item: add test case --- radicale/tests/test_storage.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/radicale/tests/test_storage.py b/radicale/tests/test_storage.py index 38d9e397..5eca0753 100644 --- a/radicale/tests/test_storage.py +++ b/radicale/tests/test_storage.py @@ -100,6 +100,22 @@ class TestMultiFileSystem(BaseTest): assert answer1 == answer2 assert os.path.exists(os.path.join(cache_folder, "event1.ics")) + def test_item_cache_rebuild_subfolder(self) -> None: + """Delete the item cache and verify that it is rebuild.""" + self.configure({"storage": {"use_cache_subfolder_for_item": "True"}}) + self.mkcalendar("/calendar.ics/") + event = get_file_content("event1.ics") + path = "/calendar.ics/event1.ics" + self.put(path, event) + _, answer1 = self.get(path) + cache_folder = os.path.join(self.colpath, "collection-cache", + "calendar.ics", ".Radicale.cache", "item") + assert os.path.exists(os.path.join(cache_folder, "event1.ics")) + shutil.rmtree(cache_folder) + _, answer2 = self.get(path) + assert answer1 == answer2 + assert os.path.exists(os.path.join(cache_folder, "event1.ics")) + def test_put_whole_calendar_uids_used_as_file_names(self) -> None: """Test if UIDs are used as file names.""" _TestBaseRequests.test_put_whole_calendar( From 24f5f9b98e712e3a1f7a488ebeda75c8673e3bc3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 3 Dec 2024 21:42:50 +0100 Subject: [PATCH 065/361] make flake8 happy --- radicale/storage/multifilesystem/__init__.py | 4 ++-- radicale/storage/multifilesystem/base.py | 2 +- radicale/storage/multifilesystem/cache.py | 9 +++------ radicale/storage/multifilesystem/move.py | 6 ++---- radicale/storage/multifilesystem/upload.py | 3 +-- 5 files changed, 9 insertions(+), 15 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index bc60e2ae..1b908239 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -91,5 +91,5 @@ class Storage( def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) self._makedirs_synced(self._filesystem_folder) - logger.info("storage location: %r", self._filesystem_folder); - logger.info("storage cache subfolder usage for item: %s", self._use_cache_subfolder_for_item); + logger.info("storage location: %r", self._filesystem_folder) + logger.info("storage cache subfolder usage for item: %s", self._use_cache_subfolder_for_item) diff --git a/radicale/storage/multifilesystem/base.py b/radicale/storage/multifilesystem/base.py index f39eaeaa..8d9f1940 100644 --- a/radicale/storage/multifilesystem/base.py +++ b/radicale/storage/multifilesystem/base.py @@ -85,7 +85,7 @@ class StorageBase(storage.BaseStorage): return os.path.join(self._filesystem_folder, "collection-root") def _get_collection_cache_folder(self, path, folder, subfolder) -> str: - if self._use_cache_subfolder_for_item == True and subfolder == "item": + if (self._use_cache_subfolder_for_item is True) and (subfolder == "item"): path = path.replace(os.path.join(self._filesystem_folder, "collection-root"), os.path.join(self._filesystem_folder, "collection-cache")) return os.path.join(path, folder, subfolder) diff --git a/radicale/storage/multifilesystem/cache.py b/radicale/storage/multifilesystem/cache.py index 80cf83a4..bf596eb3 100644 --- a/radicale/storage/multifilesystem/cache.py +++ b/radicale/storage/multifilesystem/cache.py @@ -82,8 +82,7 @@ class CollectionPartCache(CollectionBase): if not cache_hash: cache_hash = self._item_cache_hash( item.serialize().encode(self._encoding)) - cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", - "item") + cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") content = self._item_cache_content(item) self._storage._makedirs_synced(cache_folder) # Race: Other processes might have created and locked the file. @@ -96,8 +95,7 @@ class CollectionPartCache(CollectionBase): def _load_item_cache(self, href: str, cache_hash: str ) -> Optional[CacheContent]: - cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", - "item") + cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") try: with open(os.path.join(cache_folder, href), "rb") as f: hash_, *remainder = pickle.load(f) @@ -111,8 +109,7 @@ class CollectionPartCache(CollectionBase): return None def _clean_item_cache(self) -> None: - cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", - "item") + cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") self._clean_cache(cache_folder, ( e.name for e in os.scandir(cache_folder) if not os.path.isfile(os.path.join(self._filesystem_path, e.name)))) diff --git a/radicale/storage/multifilesystem/move.py b/radicale/storage/multifilesystem/move.py index 22df99a5..3518a3b4 100644 --- a/radicale/storage/multifilesystem/move.py +++ b/radicale/storage/multifilesystem/move.py @@ -42,10 +42,8 @@ class StoragePartMove(StorageBase): if item.collection._filesystem_path != to_collection._filesystem_path: self._sync_directory(item.collection._filesystem_path) # Move the item cache entry - cache_folder = self._get_collection_cache_folder(item.collection._filesystem_path, - ".Radicale.cache", "item") - to_cache_folder = self._get_collection_cache_folder(to_collection._filesystem_path, - ".Radicale.cache", "item") + cache_folder = self._get_collection_cache_folder(item.collection._filesystem_path, ".Radicale.cache", "item") + to_cache_folder = self._get_collection_cache_folder(to_collection._filesystem_path, ".Radicale.cache", "item") self._makedirs_synced(to_cache_folder) try: os.replace(os.path.join(cache_folder, item.href), diff --git a/radicale/storage/multifilesystem/upload.py b/radicale/storage/multifilesystem/upload.py index 91c487c3..01c52b75 100644 --- a/radicale/storage/multifilesystem/upload.py +++ b/radicale/storage/multifilesystem/upload.py @@ -76,8 +76,7 @@ class CollectionPartUpload(CollectionPartGet, CollectionPartCache, yield radicale_item.find_available_uid( lambda href: not is_safe_free_href(href), suffix) - cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, - ".Radicale.cache", "item") + cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") self._storage._makedirs_synced(cache_folder) for item in items: uid = item.uid From 2a5b12e21c51f2fbbacb7fe9590a6ac03c6c0fe7 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 4 Dec 2024 06:48:43 +0100 Subject: [PATCH 066/361] update version to next dev --- pyproject.toml | 2 +- setup.py.legacy | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index e79fc9ec..5cb754c5 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.1" +version = "3.3.2.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index 0f5829c9..a1f7ee75 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.1" +VERSION = "3.3.2.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 804170a4d5a95dc836577ec4ecbe3e963b7e2a5a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 5 Dec 2024 07:54:03 +0100 Subject: [PATCH 067/361] fix-issue-1635: extend changelog --- CHANGELOG.md | 1 + .../static/event_exdate_without_rrule.ics | 55 +++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 radicale/tests/static/event_exdate_without_rrule.ics diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a942bda..8528af80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## 3.3.2.dev * Fix: debug logging in rights/from_file * Add: option [storage] use_cache_subfolder_for_item for storing item cache outside collection-root +* Fix: ignore empty RRULESET in item ## 3.3.1 diff --git a/radicale/tests/static/event_exdate_without_rrule.ics b/radicale/tests/static/event_exdate_without_rrule.ics new file mode 100644 index 00000000..ed6027da --- /dev/null +++ b/radicale/tests/static/event_exdate_without_rrule.ics @@ -0,0 +1,55 @@ +BEGIN:VCALENDAR +VERSION:2.0 +PRODID:DAVx5/4.4.3.2-ose ical4j/3.2.19 +BEGIN:VEVENT +DTSTAMP:20241125T195941Z +UID:9fb6578a-07a6-4c61-8406-69229713d40e +SEQUENCE:3 +SUMMARY:Escalade +DTSTART;TZID=Europe/Paris:20240606T193000 +DTEND;TZID=Europe/Paris:20240606T203000 +RRULE:FREQ=WEEKLY;WKST=MO;BYDAY=TH +EXDATE;TZID=Europe/Paris:20240704T193000 +CLASS:PUBLIC +STATUS:CONFIRMED +BEGIN:VALARM +TRIGGER:-P1D +ACTION:DISPLAY +DESCRIPTION:Escalade +END:VALARM +END:VEVENT +BEGIN:VEVENT +DTSTAMP:20241125T195941Z +UID:9fb6578a-07a6-4c61-8406-69229713d40e +RECURRENCE-ID;TZID=Europe/Paris:20241128T193000 +SEQUENCE:1 +SUMMARY:Escalade avec Romain +DTSTART;TZID=Europe/Paris:20241128T193000 +DTEND;TZID=Europe/Paris:20241128T203000 +EXDATE;TZID=Europe/Paris:20240704T193000 +CLASS:PUBLIC +STATUS:CONFIRMED +BEGIN:VALARM +TRIGGER:-P1D +ACTION:DISPLAY +DESCRIPTION:Escalade avec Romain +END:VALARM +END:VEVENT +BEGIN:VTIMEZONE +TZID:Europe/Paris +BEGIN:STANDARD +TZNAME:CET +TZOFFSETFROM:+0200 +TZOFFSETTO:+0100 +DTSTART:19961027T030000 +RRULE:FREQ=YEARLY;BYMONTH=10;BYDAY=-1SU +END:STANDARD +BEGIN:DAYLIGHT +TZNAME:CEST +TZOFFSETFROM:+0100 +TZOFFSETTO:+0200 +DTSTART:19810329T020000 +RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=-1SU +END:DAYLIGHT +END:VTIMEZONE +END:VCALENDAR From f725ee780f6cdf659dfc4ed0210f4b091c94c695 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 5 Dec 2024 07:54:32 +0100 Subject: [PATCH 068/361] fix-issue-1635: update copyright --- radicale/item/filter.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/item/filter.py b/radicale/item/filter.py index 61b7c1b4..23b65987 100644 --- a/radicale/item/filter.py +++ b/radicale/item/filter.py @@ -2,7 +2,8 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2015 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2021 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 38c236aa029f376c79bce63171d41d7fc32248b2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 5 Dec 2024 07:54:52 +0100 Subject: [PATCH 069/361] fix-issue-1635: code --- radicale/item/filter.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/radicale/item/filter.py b/radicale/item/filter.py index 23b65987..f69284ce 100644 --- a/radicale/item/filter.py +++ b/radicale/item/filter.py @@ -274,8 +274,11 @@ def visit_time_ranges(vobject_item: vobject.base.Component, child_name: str, if hasattr(comp, "recurrence_id") and comp.recurrence_id.value: recurrences.append(comp.recurrence_id.value) if comp.rruleset: - # Prevent possible infinite loop - raise ValueError("Overwritten recurrence with RRULESET") + if comp.rruleset._len == None: + logger.warning("Ignore empty RRULESET in item at RECURRENCE-ID with value '%s' and UID '%s'", comp.recurrence_id.value, comp.uid.value) + else: + # Prevent possible infinite loop + raise ValueError("Overwritten recurrence with RRULESET") rec_main = comp yield comp, True, [] else: From 873bf80131671271221db15767f7bb2dea2d2cc8 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 5 Dec 2024 08:03:00 +0100 Subject: [PATCH 070/361] make flake8 happy --- radicale/item/filter.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/item/filter.py b/radicale/item/filter.py index f69284ce..209bd1cb 100644 --- a/radicale/item/filter.py +++ b/radicale/item/filter.py @@ -274,7 +274,7 @@ def visit_time_ranges(vobject_item: vobject.base.Component, child_name: str, if hasattr(comp, "recurrence_id") and comp.recurrence_id.value: recurrences.append(comp.recurrence_id.value) if comp.rruleset: - if comp.rruleset._len == None: + if comp.rruleset._len is None: logger.warning("Ignore empty RRULESET in item at RECURRENCE-ID with value '%s' and UID '%s'", comp.recurrence_id.value, comp.uid.value) else: # Prevent possible infinite loop From 3232b34392570ec6e1529fda8dc9f945b70ab7b9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 5 Dec 2024 08:14:06 +0100 Subject: [PATCH 071/361] fix-issue-1635: add test case --- radicale/tests/test_base.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/radicale/tests/test_base.py b/radicale/tests/test_base.py index 6440542f..620ef6a2 100644 --- a/radicale/tests/test_base.py +++ b/radicale/tests/test_base.py @@ -166,6 +166,12 @@ permissions: RrWw""") event = get_file_content("event_mixed_datetime_and_date.ics") self.put("/calendar.ics/event.ics", event) + def test_add_event_with_exdate_without_rrule(self) -> None: + """Test event with EXDATE but not having RRULE.""" + self.mkcalendar("/calendar.ics/") + event = get_file_content("event_exdate_without_rrule.ics") + self.put("/calendar.ics/event.ics", event) + def test_add_todo(self) -> None: """Add a todo.""" self.mkcalendar("/calendar.ics/") From b85c0758d80d6b19ff951321c9ac27020ac51b5f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 5 Dec 2024 08:14:21 +0100 Subject: [PATCH 072/361] extend copyright --- radicale/tests/test_base.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/tests/test_base.py b/radicale/tests/test_base.py index 620ef6a2..69864366 100644 --- a/radicale/tests/test_base.py +++ b/radicale/tests/test_base.py @@ -1,6 +1,7 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2012-2017 Guillaume Ayoub -# Copyright © 2017-2019 Unrud +# Copyright © 2017-2022 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From d9e15dd7c6ea8a3bf66f4e4c33099a4e6904e773 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 6 Dec 2024 06:13:50 +0100 Subject: [PATCH 073/361] fix for https://github.com/Kozea/Radicale/issues/1516 --- radicale/httputils.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/radicale/httputils.py b/radicale/httputils.py index 04898b40..3983d7eb 100644 --- a/radicale/httputils.py +++ b/radicale/httputils.py @@ -42,7 +42,10 @@ else: import importlib.abc from importlib import resources - _TRAVERSABLE_LIKE_TYPE = Union[importlib.abc.Traversable, pathlib.Path] + if sys.version_info < (3, 13): + _TRAVERSABLE_LIKE_TYPE = Union[importlib.abc.Traversable, pathlib.Path] + else: + _TRAVERSABLE_LIKE_TYPE = Union[importlib.resources.abc.Traversable, pathlib.Path] NOT_ALLOWED: types.WSGIResponse = ( client.FORBIDDEN, (("Content-Type", "text/plain"),), From 916c9db3c811e1cc2697aea2474944c7401922a5 Mon Sep 17 00:00:00 2001 From: TownCube <15699466+TownCube@users.noreply.github.com> Date: Sat, 7 Dec 2024 18:24:29 +0000 Subject: [PATCH 074/361] Skip group collection match when groups are not used --- DOCUMENTATION.md | 2 +- radicale/rights/from_file.py | 3 ++- radicale/tests/__init__.py | 3 ++- radicale/tests/test_rights.py | 18 ++++++++++++++---- 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index ab28c6ce..ac7d2d71 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -888,7 +888,7 @@ Default: `(cn={0})` Load the ldap groups of the authenticated user. These groups can be used later on to define rights. This also gives you access to the group calendars, if they exist. * The group calendar will be placed under collection_root_folder/GROUPS * The name of the calendar directory is the base64 encoded group name. -* The group calneder folders will not be created automaticaly. This must be created manualy. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calneder folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication +* The group calendar folders will not be created automaticaly. This must be created manualy. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication Default: False diff --git a/radicale/rights/from_file.py b/radicale/rights/from_file.py index 6d63c801..7ebe38cf 100644 --- a/radicale/rights/from_file.py +++ b/radicale/rights/from_file.py @@ -84,7 +84,8 @@ class Rights(rights.BaseRights): collection_pattern.format( *(re.escape(s) for s in user_match.groups()), user=escaped_user), sane_path) - group_collection_match = re.fullmatch(collection_pattern.format(user=escaped_user), sane_path) + group_collection_match = group_match and re.fullmatch( + collection_pattern.format(user=escaped_user), sane_path) except Exception as e: raise RuntimeError("Error in section %r of rights file %r: " "%s" % (section, self._filename, e)) from e diff --git a/radicale/tests/__init__.py b/radicale/tests/__init__.py index ceb155b4..e5ecb1f9 100644 --- a/radicale/tests/__init__.py +++ b/radicale/tests/__init__.py @@ -29,6 +29,7 @@ import wsgiref.util import xml.etree.ElementTree as ET from io import BytesIO from typing import Any, Dict, List, Optional, Tuple, Union +from urllib.parse import quote import defusedxml.ElementTree as DefusedET import vobject @@ -167,7 +168,7 @@ class BaseTest: assert answer is not None responses = self.parse_responses(answer) if kwargs.get("HTTP_DEPTH", "0") == "0": - assert len(responses) == 1 and path in responses + assert len(responses) == 1 and quote(path) in responses return status, responses def proppatch(self, path: str, data: Optional[str] = None, diff --git a/radicale/tests/test_rights.py b/radicale/tests/test_rights.py index c8efa4b5..896c910e 100644 --- a/radicale/tests/test_rights.py +++ b/radicale/tests/test_rights.py @@ -30,10 +30,10 @@ class TestBaseRightsRequests(BaseTest): def _test_rights(self, rights_type: str, user: str, path: str, mode: str, expected_status: int, with_auth: bool = True) -> None: assert mode in ("r", "w") - assert user in ("", "tmp") + assert user in ("", "tmp", "user@domain.test") htpasswd_file_path = os.path.join(self.colpath, ".htpasswd") with open(htpasswd_file_path, "w") as f: - f.write("tmp:bepo\nother:bepo") + f.write("tmp:bepo\nother:bepo\nuser@domain.test:bepo") self.configure({ "rights": {"type": rights_type}, "auth": {"type": "htpasswd" if with_auth else "none", @@ -42,8 +42,9 @@ class TestBaseRightsRequests(BaseTest): for u in ("tmp", "other"): # Indirect creation of principal collection self.propfind("/%s/" % u, login="%s:bepo" % u) + os.makedirs(os.path.join(self.colpath, "collection-root", "domain.test"), exist_ok=True) (self.propfind if mode == "r" else self.proppatch)( - path, check=expected_status, login="tmp:bepo" if user else None) + path, check=expected_status, login="%s:bepo" % user if user else None) def test_owner_only(self) -> None: self._test_rights("owner_only", "", "/", "r", 401) @@ -110,14 +111,23 @@ permissions: RrWw [custom] user: .* collection: custom(/.*)? -permissions: Rr""") +permissions: Rr +[read-domain-principal] +user: .+@([^@]+) +collection: {0} +permissions: R""") self.configure({"rights": {"file": rights_file_path}}) self._test_rights("from_file", "", "/other/", "r", 401) + self._test_rights("from_file", "tmp", "/tmp/", "r", 207) self._test_rights("from_file", "tmp", "/other/", "r", 403) self._test_rights("from_file", "", "/custom/sub", "r", 404) self._test_rights("from_file", "tmp", "/custom/sub", "r", 404) self._test_rights("from_file", "", "/custom/sub", "w", 401) self._test_rights("from_file", "tmp", "/custom/sub", "w", 403) + self._test_rights("from_file", "tmp", "/custom/sub", "w", 403) + self._test_rights("from_file", "user@domain.test", "/domain.test/", "r", 207) + self._test_rights("from_file", "user@domain.test", "/tmp/", "r", 403) + self._test_rights("from_file", "user@domain.test", "/other/", "r", 403) def test_from_file_limited_get(self): rights_file_path = os.path.join(self.colpath, "rights") From 05c349a15f94db1a38321349a9f2e21c0b4bb67e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 8 Dec 2024 09:46:50 +0100 Subject: [PATCH 075/361] Update DOCUMENTATION.md fix typo --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index ac7d2d71..a7c13fed 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -888,7 +888,7 @@ Default: `(cn={0})` Load the ldap groups of the authenticated user. These groups can be used later on to define rights. This also gives you access to the group calendars, if they exist. * The group calendar will be placed under collection_root_folder/GROUPS * The name of the calendar directory is the base64 encoded group name. -* The group calendar folders will not be created automaticaly. This must be created manualy. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication +* The group calendar folders will not be created automaticaly. This must be created manually. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication Default: False From 5515d1e79085920dc4d5ec620c68d0a0e324f26d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 8 Dec 2024 15:34:33 +0100 Subject: [PATCH 076/361] fix typos --- DOCUMENTATION.md | 2 +- config | 2 +- radicale/config.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index a7c13fed..6bcac293 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1007,7 +1007,7 @@ Default: `/var/lib/radicale/collections` ##### use_cache_subfolder_for_item -Use subfolder `collections-cache' for cache file structure of item instead of inside collection folders, created if not present +Use subfolder `collection-cache` for cache file structure of item instead of inside collection folders, created if not present Default: `False` diff --git a/config b/config index 1522e17a..dbe8c68e 100644 --- a/config +++ b/config @@ -138,7 +138,7 @@ # Folder for storing local collections, created if not present #filesystem_folder = /var/lib/radicale/collections -# Use subfolder `collections-cache' for item cache file structure instead of inside collection folder +# Use subfolder 'collection-cache' for item cache file structure instead of inside collection folder #use_cache_subfolder_for_item = False # Delete sync token that are older (seconds) diff --git a/radicale/config.py b/radicale/config.py index da7877ae..44a4381b 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -281,7 +281,7 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "type": filepath}), ("use_cache_subfolder_for_item", { "value": "False", - "help": "use subfolder `collections-cache' for item cache file structure instead of inside collection folder", + "help": "use subfolder 'collection-cache' for item cache file structure instead of inside collection folder", "type": bool}), ("max_sync_token_age", { "value": "2592000", # 30 days From 5681b4529847768a26957fa6a7125d6835b1fdc1 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 10 Dec 2024 08:23:00 +0100 Subject: [PATCH 077/361] update with latest changes --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8528af80..9bcd13d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,8 +2,12 @@ ## 3.3.2.dev * Fix: debug logging in rights/from_file -* Add: option [storage] use_cache_subfolder_for_item for storing item cache outside collection-root +* Add: option [storage] use_cache_subfolder_for_item for storing 'item' cache outside collection-root * Fix: ignore empty RRULESET in item +* Add: option [storage] filesystem_cache_folder for defining location of cache outside collection-root +* Add: option [storage] use_cache_subfolder_for_history for storing 'history' cache outside collection-root +* Add: option [storage] use_cache_subfolder_for_synctoken for storing 'sync-token' cache outside collection-root +* Add: option [storage] folder_umask for configuration of umask (overwrite system-default) ## 3.3.1 From 2d8903dc440fc954f9541aa153bbae22414ced3c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 10 Dec 2024 08:23:32 +0100 Subject: [PATCH 078/361] add new options --- DOCUMENTATION.md | 38 +++++++++++++++++++++++++++++++++++++- config | 20 +++++++++++++++++++- radicale/config.py | 18 +++++++++++++++++- 3 files changed, 73 insertions(+), 3 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 6bcac293..ac5f7c5d 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1005,12 +1005,48 @@ Folder for storing local collections, created if not present. Default: `/var/lib/radicale/collections` +##### filesystem_cache_folder + +Folder for storing cache of local collections, created if not present + +Default_ `/var/lib/radicale/collections` + +Note: only used in case of use_cache_subfolder_* options are active + +Note: can be used on multi-instance setup to cache files on local node (see below) + ##### use_cache_subfolder_for_item -Use subfolder `collection-cache` for cache file structure of item instead of inside collection folders, created if not present +Use subfolder `collection-cache` for cache file structure of 'item' instead of inside collection folders, created if not present Default: `False` +Note: can be used on multi-instance setup to cache 'item' on local node + +##### use_cache_subfolder_for_history + +Use subfolder `collection-cache` for cache file structure of 'history' instead of inside collection folders, created if not present + +Default: `False` + +Note: use only on single-instance setup, will break consistency with client in multi-instance setup + +##### use_cache_subfolder_for_synctoken + +Use subfolder `collection-cache` for cache file structure of 'sync-token' instead of inside collection folders, created if not present + +Default: `False` + +Note: use only on single-instance setup, will break consistency with client in multi-instance setup + +##### folder_umask + +Use configured umask for folder creation (not applicable for OS Windows) + +Default: (system-default, usual `0022`) + +Useful value: `0077` (user:rw group:- other:-) or `0027` (user:rw group:r other:-) or `0007` (user:rw group:rw other:-) or `0022` (user:rw group:r other:r) + ##### max_sync_token_age Delete sync-token that are older than the specified time. (seconds) diff --git a/config b/config index dbe8c68e..0d62912d 100644 --- a/config +++ b/config @@ -138,9 +138,27 @@ # Folder for storing local collections, created if not present #filesystem_folder = /var/lib/radicale/collections -# Use subfolder 'collection-cache' for item cache file structure instead of inside collection folder +# Folder for storing cache of local collections, created if not present +# Note: only used in case of use_cache_subfolder_* options are active +# Note: can be used on multi-instance setup to cache files on local node (see below) +#filesystem_cache_folder = /var/lib/radicale/collections + +# Use subfolder 'collection-cache' for 'item' cache file structure instead of inside collection folder +# Note: can be used on multi-instance setup to cache 'item' on local node #use_cache_subfolder_for_item = False +# Use subfolder 'collection-cache' for 'history' cache file structure instead of inside collection folder +# Note: use only on single-instance setup, will break consistency with client in multi-instance setup +#use_cache_subfolder_for_history = False + +# Use subfolder 'collection-cache' for 'sync-token' cache file structure instead of inside collection folder +# Note: use only on single-instance setup, will break consistency with client in multi-instance setup +#use_cache_subfolder_for_synctoken = False + +# Use configured umask for folder creation (not applicable for OS Windows) +# Useful value: 0077 | 0027 | 0007 | 0022 +#folder_umask = (system default, usual 0022) + # Delete sync token that are older (seconds) #max_sync_token_age = 2592000 diff --git a/radicale/config.py b/radicale/config.py index 44a4381b..af4eec74 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -279,10 +279,26 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "/var/lib/radicale/collections", "help": "path where collections are stored", "type": filepath}), + ("filesystem_cache_folder", { + "value": "/var/lib/radicale/collections", + "help": "path where cache of collections is stored in case of use_cache_subfolder_* options are active", + "type": filepath}), ("use_cache_subfolder_for_item", { "value": "False", - "help": "use subfolder 'collection-cache' for item cache file structure instead of inside collection folder", + "help": "use subfolder 'collection-cache' for 'item' cache file structure instead of inside collection folder", "type": bool}), + ("use_cache_subfolder_for_history", { + "value": "False", + "help": "use subfolder 'collection-cache' for 'history' cache file structure instead of inside collection folder", + "type": bool}), + ("use_cache_subfolder_for_synctoken", { + "value": "False", + "help": "use subfolder 'collection-cache' for 'sync-token' cache file structure instead of inside collection folder", + "type": bool}), + ("folder_umask", { + "value": "", + "help": "umask for folder creation (empty: system default)", + "type": str}), ("max_sync_token_age", { "value": "2592000", # 30 days "help": "delete sync token that are older", From 99b6889d917054f556533ba1424e5bed07f6371b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 10 Dec 2024 08:24:12 +0100 Subject: [PATCH 079/361] implement new options --- radicale/storage/multifilesystem/__init__.py | 26 ++++++++++++++++++-- radicale/storage/multifilesystem/base.py | 24 ++++++++++++++++-- 2 files changed, 46 insertions(+), 4 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 1b908239..2f273a7f 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -25,6 +25,7 @@ Uses one folder per collection and one file per collection entry. """ import os +import sys import time from typing import ClassVar, Iterator, Optional, Type @@ -90,6 +91,27 @@ class Storage( def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) - self._makedirs_synced(self._filesystem_folder) logger.info("storage location: %r", self._filesystem_folder) - logger.info("storage cache subfolder usage for item: %s", self._use_cache_subfolder_for_item) + self._makedirs_synced(self._filesystem_folder) + logger.info("storage location subfolder: %r", self._get_collection_root_folder()) + logger.info("storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) + logger.info("storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) + logger.info("storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) + if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: + logger.info("storage cache subfolder: %r", self._get_collection_cache_folder()) + self._makedirs_synced(self._get_collection_cache_folder()) + if sys.platform != "win32": + if not self._folder_umask: + # retrieve current umask by setting a dummy umask + current_umask = os.umask(0o0022) + logger.info("storage folder umask (from system): '%04o'", current_umask) + # reset to original + os.umask(current_umask) + else: + try: + config_umask = int(self._folder_umask, 8) + except: + logger.critical("storage folder umask defined but invalid: '%s'", self._folder_umask) + raise + logger.info("storage folder umask defined: '%04o'", config_umask) + self._config_umask = config_umask diff --git a/radicale/storage/multifilesystem/base.py b/radicale/storage/multifilesystem/base.py index 8d9f1940..67071d8e 100644 --- a/radicale/storage/multifilesystem/base.py +++ b/radicale/storage/multifilesystem/base.py @@ -69,8 +69,13 @@ class StorageBase(storage.BaseStorage): _collection_class: ClassVar[Type["multifilesystem.Collection"]] _filesystem_folder: str + _filesystem_cache_folder: str _filesystem_fsync: bool _use_cache_subfolder_for_item: bool + _use_cache_subfolder_for_history: bool + _use_cache_subfolder_for_synctoken: bool + _folder_umask: str + _config_umask: int def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) @@ -78,15 +83,30 @@ class StorageBase(storage.BaseStorage): "storage", "filesystem_folder") self._filesystem_fsync = configuration.get( "storage", "_filesystem_fsync") + self._filesystem_cache_folder = configuration.get( + "storage", "filesystem_cache_folder") self._use_cache_subfolder_for_item = configuration.get( "storage", "use_cache_subfolder_for_item") + self._use_cache_subfolder_for_history = configuration.get( + "storage", "use_cache_subfolder_for_history") + self._use_cache_subfolder_for_synctoken = configuration.get( + "storage", "use_cache_subfolder_for_synctoken") + self._folder_umask = configuration.get( + "storage", "folder_umask") def _get_collection_root_folder(self) -> str: return os.path.join(self._filesystem_folder, "collection-root") - def _get_collection_cache_folder(self, path, folder, subfolder) -> str: + def _get_collection_cache_folder(self) -> str: + return os.path.join(self._filesystem_cache_folder, "collection-cache") + + def _get_collection_cache_subfolder(self, path, folder, subfolder) -> str: if (self._use_cache_subfolder_for_item is True) and (subfolder == "item"): - path = path.replace(os.path.join(self._filesystem_folder, "collection-root"), os.path.join(self._filesystem_folder, "collection-cache")) + path = path.replace(self._get_collection_root_folder(), self._get_collection_cache_folder()) + elif (self._use_cache_subfolder_for_history is True) and (subfolder == "history"): + path = path.replace(self._get_collection_root_folder(), self._get_collection_cache_folder()) + elif (self._use_cache_subfolder_for_synctoken is True) and (subfolder == "sync-token"): + path = path.replace(self._get_collection_root_folder(), self._get_collection_cache_folder()) return os.path.join(path, folder, subfolder) def _fsync(self, f: IO[AnyStr]) -> None: From 05d4e91856133f0ec6b1730410734ce5f79c4201 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 10 Dec 2024 08:24:41 +0100 Subject: [PATCH 080/361] implement umask feature --- radicale/storage/multifilesystem/base.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/radicale/storage/multifilesystem/base.py b/radicale/storage/multifilesystem/base.py index 67071d8e..a8549436 100644 --- a/radicale/storage/multifilesystem/base.py +++ b/radicale/storage/multifilesystem/base.py @@ -145,6 +145,8 @@ class StorageBase(storage.BaseStorage): if os.path.isdir(filesystem_path): return parent_filesystem_path = os.path.dirname(filesystem_path) + if sys.platform != "win32" and self._folder_umask: + oldmask = os.umask(self._config_umask) # Prevent infinite loop if filesystem_path != parent_filesystem_path: # Create parent dirs recursively @@ -152,3 +154,5 @@ class StorageBase(storage.BaseStorage): # Possible race! os.makedirs(filesystem_path, exist_ok=True) self._sync_directory(parent_filesystem_path) + if sys.platform != "win32" and self._folder_umask: + os.umask(oldmask) From 644548c866dc07f7172cae0d53219577aca7c6a0 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 10 Dec 2024 08:25:14 +0100 Subject: [PATCH 081/361] rename function --- radicale/storage/multifilesystem/cache.py | 6 +++--- radicale/storage/multifilesystem/history.py | 9 +++------ radicale/storage/multifilesystem/move.py | 4 ++-- radicale/storage/multifilesystem/sync.py | 3 +-- radicale/storage/multifilesystem/upload.py | 2 +- 5 files changed, 10 insertions(+), 14 deletions(-) diff --git a/radicale/storage/multifilesystem/cache.py b/radicale/storage/multifilesystem/cache.py index bf596eb3..1d90f975 100644 --- a/radicale/storage/multifilesystem/cache.py +++ b/radicale/storage/multifilesystem/cache.py @@ -82,7 +82,7 @@ class CollectionPartCache(CollectionBase): if not cache_hash: cache_hash = self._item_cache_hash( item.serialize().encode(self._encoding)) - cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") + cache_folder = self._storage._get_collection_cache_subfolder(self._filesystem_path, ".Radicale.cache", "item") content = self._item_cache_content(item) self._storage._makedirs_synced(cache_folder) # Race: Other processes might have created and locked the file. @@ -95,7 +95,7 @@ class CollectionPartCache(CollectionBase): def _load_item_cache(self, href: str, cache_hash: str ) -> Optional[CacheContent]: - cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") + cache_folder = self._storage._get_collection_cache_subfolder(self._filesystem_path, ".Radicale.cache", "item") try: with open(os.path.join(cache_folder, href), "rb") as f: hash_, *remainder = pickle.load(f) @@ -109,7 +109,7 @@ class CollectionPartCache(CollectionBase): return None def _clean_item_cache(self) -> None: - cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") + cache_folder = self._storage._get_collection_cache_subfolder(self._filesystem_path, ".Radicale.cache", "item") self._clean_cache(cache_folder, ( e.name for e in os.scandir(cache_folder) if not os.path.isfile(os.path.join(self._filesystem_path, e.name)))) diff --git a/radicale/storage/multifilesystem/history.py b/radicale/storage/multifilesystem/history.py index c385c32a..f618c99a 100644 --- a/radicale/storage/multifilesystem/history.py +++ b/radicale/storage/multifilesystem/history.py @@ -47,8 +47,7 @@ class CollectionPartHistory(CollectionBase): string for deleted items) and a history etag, which is a hash over the previous history etag and the etag separated by "/". """ - history_folder = os.path.join(self._filesystem_path, - ".Radicale.cache", "history") + history_folder = self._storage._get_collection_cache_subfolder(self._filesystem_path, ".Radicale.cache", "history") try: with open(os.path.join(history_folder, href), "rb") as f: cache_etag, history_etag = pickle.load(f) @@ -76,8 +75,7 @@ class CollectionPartHistory(CollectionBase): def _get_deleted_history_hrefs(self): """Returns the hrefs of all deleted items that are still in the history cache.""" - history_folder = os.path.join(self._filesystem_path, - ".Radicale.cache", "history") + history_folder = self._storage._get_collection_cache_subfolder(self._filesystem_path, ".Radicale.cache", "history") with contextlib.suppress(FileNotFoundError): for entry in os.scandir(history_folder): href = entry.name @@ -89,7 +87,6 @@ class CollectionPartHistory(CollectionBase): def _clean_history(self): # Delete all expired history entries of deleted items. - history_folder = os.path.join(self._filesystem_path, - ".Radicale.cache", "history") + history_folder = self._storage._get_collection_cache_subfolder(self._filesystem_path, ".Radicale.cache", "history") self._clean_cache(history_folder, self._get_deleted_history_hrefs(), max_age=self._max_sync_token_age) diff --git a/radicale/storage/multifilesystem/move.py b/radicale/storage/multifilesystem/move.py index 3518a3b4..7b1eb490 100644 --- a/radicale/storage/multifilesystem/move.py +++ b/radicale/storage/multifilesystem/move.py @@ -42,8 +42,8 @@ class StoragePartMove(StorageBase): if item.collection._filesystem_path != to_collection._filesystem_path: self._sync_directory(item.collection._filesystem_path) # Move the item cache entry - cache_folder = self._get_collection_cache_folder(item.collection._filesystem_path, ".Radicale.cache", "item") - to_cache_folder = self._get_collection_cache_folder(to_collection._filesystem_path, ".Radicale.cache", "item") + cache_folder = self._get_collection_cache_subfolder(item.collection._filesystem_path, ".Radicale.cache", "item") + to_cache_folder = self._get_collection_cache_subfolder(to_collection._filesystem_path, ".Radicale.cache", "item") self._makedirs_synced(to_cache_folder) try: os.replace(os.path.join(cache_folder, item.href), diff --git a/radicale/storage/multifilesystem/sync.py b/radicale/storage/multifilesystem/sync.py index ae703c91..6a315c4f 100644 --- a/radicale/storage/multifilesystem/sync.py +++ b/radicale/storage/multifilesystem/sync.py @@ -67,8 +67,7 @@ class CollectionPartSync(CollectionPartCache, CollectionPartHistory, if token_name == old_token_name: # Nothing changed return token, () - token_folder = os.path.join(self._filesystem_path, - ".Radicale.cache", "sync-token") + token_folder = self._storage._get_collection_cache_subfolder(self._filesystem_path, ".Radicale.cache", "sync-token") token_path = os.path.join(token_folder, token_name) old_state = {} if old_token_name: diff --git a/radicale/storage/multifilesystem/upload.py b/radicale/storage/multifilesystem/upload.py index 01c52b75..41af0a36 100644 --- a/radicale/storage/multifilesystem/upload.py +++ b/radicale/storage/multifilesystem/upload.py @@ -76,7 +76,7 @@ class CollectionPartUpload(CollectionPartGet, CollectionPartCache, yield radicale_item.find_available_uid( lambda href: not is_safe_free_href(href), suffix) - cache_folder = self._storage._get_collection_cache_folder(self._filesystem_path, ".Radicale.cache", "item") + cache_folder = self._storage._get_collection_cache_subfolder(self._filesystem_path, ".Radicale.cache", "item") self._storage._makedirs_synced(cache_folder) for item in items: uid = item.uid From e1ee3d45290c32bf8db78243acaba3acd13f09b2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 10 Dec 2024 08:26:32 +0100 Subject: [PATCH 082/361] also remove 'item' from cache on delete --- CHANGELOG.md | 1 + radicale/storage/multifilesystem/delete.py | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9bcd13d0..9263f50d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ * Add: option [storage] use_cache_subfolder_for_history for storing 'history' cache outside collection-root * Add: option [storage] use_cache_subfolder_for_synctoken for storing 'sync-token' cache outside collection-root * Add: option [storage] folder_umask for configuration of umask (overwrite system-default) +* Fix: also remove 'item' from cache on delete ## 3.3.1 diff --git a/radicale/storage/multifilesystem/delete.py b/radicale/storage/multifilesystem/delete.py index dd7a26e2..86c184ba 100644 --- a/radicale/storage/multifilesystem/delete.py +++ b/radicale/storage/multifilesystem/delete.py @@ -2,6 +2,7 @@ # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2018 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -53,3 +54,9 @@ class CollectionPartDelete(CollectionPartHistory, CollectionBase): # Track the change self._update_history_etag(href, None) self._clean_history() + # Remove item from cache + cache_folder = self._storage._get_collection_cache_subfolder(os.path.dirname(path), ".Radicale.cache", "item") + cache_file = os.path.join(cache_folder, os.path.basename(path)) + if os.path.isfile(cache_file): + os.remove(cache_file) + self._storage._sync_directory(cache_folder) From b3d0c164077e7633fd9014dffca2ba4a8facc31e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 10 Dec 2024 08:52:31 +0100 Subject: [PATCH 083/361] fix code --- radicale/storage/multifilesystem/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 2f273a7f..b32a9148 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -110,7 +110,7 @@ class Storage( else: try: config_umask = int(self._folder_umask, 8) - except: + except Exception: logger.critical("storage folder umask defined but invalid: '%s'", self._folder_umask) raise logger.info("storage folder umask defined: '%04o'", config_umask) From 2bb2d6385b21305b30befbcc4e90a567fec3c6ee Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 10 Dec 2024 08:52:51 +0100 Subject: [PATCH 084/361] default for filesystem_cache_folder is filesystem_folder --- DOCUMENTATION.md | 2 +- config | 2 +- radicale/config.py | 2 +- radicale/storage/multifilesystem/base.py | 5 ++++- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index ac5f7c5d..283dbb63 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1009,7 +1009,7 @@ Default: `/var/lib/radicale/collections` Folder for storing cache of local collections, created if not present -Default_ `/var/lib/radicale/collections` +Default: (filesystem_folder) Note: only used in case of use_cache_subfolder_* options are active diff --git a/config b/config index 0d62912d..ea56b606 100644 --- a/config +++ b/config @@ -141,7 +141,7 @@ # Folder for storing cache of local collections, created if not present # Note: only used in case of use_cache_subfolder_* options are active # Note: can be used on multi-instance setup to cache files on local node (see below) -#filesystem_cache_folder = /var/lib/radicale/collections +#filesystem_cache_folder = (filesystem_folder) # Use subfolder 'collection-cache' for 'item' cache file structure instead of inside collection folder # Note: can be used on multi-instance setup to cache 'item' on local node diff --git a/radicale/config.py b/radicale/config.py index af4eec74..d2af2ece 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -280,7 +280,7 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "help": "path where collections are stored", "type": filepath}), ("filesystem_cache_folder", { - "value": "/var/lib/radicale/collections", + "value": "", "help": "path where cache of collections is stored in case of use_cache_subfolder_* options are active", "type": filepath}), ("use_cache_subfolder_for_item", { diff --git a/radicale/storage/multifilesystem/base.py b/radicale/storage/multifilesystem/base.py index a8549436..cb2ea03c 100644 --- a/radicale/storage/multifilesystem/base.py +++ b/radicale/storage/multifilesystem/base.py @@ -98,7 +98,10 @@ class StorageBase(storage.BaseStorage): return os.path.join(self._filesystem_folder, "collection-root") def _get_collection_cache_folder(self) -> str: - return os.path.join(self._filesystem_cache_folder, "collection-cache") + if self._filesystem_cache_folder: + return os.path.join(self._filesystem_cache_folder, "collection-cache") + else: + return os.path.join(self._filesystem_folder, "collection-cache") def _get_collection_cache_subfolder(self, path, folder, subfolder) -> str: if (self._use_cache_subfolder_for_item is True) and (subfolder == "item"): From 3983b5c887d4f1649773927934e291971d469c19 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 14 Dec 2024 08:21:54 +0100 Subject: [PATCH 085/361] Improve: avoid automatically invalid cache on upgrade in case no change on cache structure --- CHANGELOG.md | 1 + radicale/storage/__init__.py | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9263f50d..8d8f465d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ * Add: option [storage] use_cache_subfolder_for_synctoken for storing 'sync-token' cache outside collection-root * Add: option [storage] folder_umask for configuration of umask (overwrite system-default) * Fix: also remove 'item' from cache on delete +* Improve: avoid automatically invalid cache on upgrade in case no change on cache structure ## 3.3.1 diff --git a/radicale/storage/__init__.py b/radicale/storage/__init__.py index 58f2a499..44f2e758 100644 --- a/radicale/storage/__init__.py +++ b/radicale/storage/__init__.py @@ -32,20 +32,22 @@ from typing import (Callable, ContextManager, Iterable, Iterator, Mapping, import vobject from radicale import config +from radicale.log import logger from radicale import item as radicale_item from radicale import types, utils from radicale.item import filter as radicale_filter INTERNAL_TYPES: Sequence[str] = ("multifilesystem", "multifilesystem_nolock",) -CACHE_DEPS: Sequence[str] = ("radicale", "vobject") -CACHE_VERSION: bytes = "".join( - "%s=%s;" % (pkg, utils.package_version(pkg)) - for pkg in CACHE_DEPS).encode() +# NOTE: change only if cache structure is modified to avoid cache invalidation on update +CACHE_VERSION_RADICALE = "3.3.1" + +CACHE_VERSION: bytes = ("%s=%s;%s=%s;" % ("radicale", CACHE_VERSION_RADICALE, "vobject", utils.package_version("vobject"))).encode() def load(configuration: "config.Configuration") -> "BaseStorage": """Load the storage module chosen in configuration.""" + logger.debug("storage cache version: %r", str(CACHE_VERSION)) return utils.load_plugin(INTERNAL_TYPES, "storage", "Storage", BaseStorage, configuration) From 119cefce347f4ee2ba2ed8e7ede9daee362e97eb Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 14 Dec 2024 08:22:22 +0100 Subject: [PATCH 086/361] Improve: log important module versions on startup --- CHANGELOG.md | 1 + radicale/server.py | 2 +- radicale/utils.py | 6 ++++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8d8f465d..cce047e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ * Add: option [storage] folder_umask for configuration of umask (overwrite system-default) * Fix: also remove 'item' from cache on delete * Improve: avoid automatically invalid cache on upgrade in case no change on cache structure +* Improve: log important module versions on startup ## 3.3.1 diff --git a/radicale/server.py b/radicale/server.py index 80e58fd3..23396330 100644 --- a/radicale/server.py +++ b/radicale/server.py @@ -301,7 +301,7 @@ def serve(configuration: config.Configuration, """ - logger.info("Starting Radicale") + logger.info("Starting Radicale (%s)", utils.packages_version()) # Copy configuration before modifying configuration = configuration.copy() configuration.update({"server": {"_internal_server": "True"}}, "server", diff --git a/radicale/utils.py b/radicale/utils.py index 50a8d822..1223d330 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -26,6 +26,7 @@ from radicale.log import logger _T_co = TypeVar("_T_co", covariant=True) +RADICALE_MODULES: Sequence[str] = ("radicale", "vobject", "passlib", "defusedxml") def load_plugin(internal_types: Sequence[str], module_name: str, class_name: str, base_class: Type[_T_co], @@ -50,6 +51,11 @@ def load_plugin(internal_types: Sequence[str], module_name: str, def package_version(name): return metadata.version(name) +def packages_version(): + versions = [] + for pkg in RADICALE_MODULES: + versions.append("%s=%s" % (pkg, package_version(pkg))) + return " ".join(versions) def ssl_context_options_by_protocol(protocol: str, ssl_context_options): logger.debug("SSL protocol string: '%s' and current SSL context options: '0x%x'", protocol, ssl_context_options) From 1e318c81cf7c103cb24b6f20121793a3e6b566bc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 14 Dec 2024 08:22:51 +0100 Subject: [PATCH 087/361] fix copyright --- radicale/server.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/server.py b/radicale/server.py index 23396330..77080117 100644 --- a/radicale/server.py +++ b/radicale/server.py @@ -2,7 +2,7 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub -# Copyright © 2017-2019 Unrud +# Copyright © 2017-2023 Unrud # Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify From 9787f87cc79265359b8fcb742334c34e7892fc31 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 14 Dec 2024 08:36:03 +0100 Subject: [PATCH 088/361] make tox happy --- radicale/storage/__init__.py | 3 ++- radicale/utils.py | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/radicale/storage/__init__.py b/radicale/storage/__init__.py index 44f2e758..da89bcf3 100644 --- a/radicale/storage/__init__.py +++ b/radicale/storage/__init__.py @@ -2,6 +2,7 @@ # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2022 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -32,10 +33,10 @@ from typing import (Callable, ContextManager, Iterable, Iterator, Mapping, import vobject from radicale import config -from radicale.log import logger from radicale import item as radicale_item from radicale import types, utils from radicale.item import filter as radicale_filter +from radicale.log import logger INTERNAL_TYPES: Sequence[str] = ("multifilesystem", "multifilesystem_nolock",) diff --git a/radicale/utils.py b/radicale/utils.py index 1223d330..097be3fb 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -28,6 +28,7 @@ _T_co = TypeVar("_T_co", covariant=True) RADICALE_MODULES: Sequence[str] = ("radicale", "vobject", "passlib", "defusedxml") + def load_plugin(internal_types: Sequence[str], module_name: str, class_name: str, base_class: Type[_T_co], configuration: "config.Configuration") -> _T_co: @@ -51,12 +52,14 @@ def load_plugin(internal_types: Sequence[str], module_name: str, def package_version(name): return metadata.version(name) + def packages_version(): versions = [] for pkg in RADICALE_MODULES: versions.append("%s=%s" % (pkg, package_version(pkg))) return " ".join(versions) + def ssl_context_options_by_protocol(protocol: str, ssl_context_options): logger.debug("SSL protocol string: '%s' and current SSL context options: '0x%x'", protocol, ssl_context_options) # disable any protocol by default From 0e0592e3b86ce09224fad12261ab021901331a2f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 14 Dec 2024 09:02:36 +0100 Subject: [PATCH 089/361] extend copyright --- radicale/auth/ldap.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index a8e94794..a4c8f38c 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -1,5 +1,6 @@ # This file is part of Radicale - CalDAV and CardDAV server -# Copyright 2022 Peter Varkoly +# Copyright © 2022-2024 Peter Varkoly +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 46acbfd9876b74fd4b02ad48cdb8a1adb48b1239 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 14 Dec 2024 09:04:15 +0100 Subject: [PATCH 090/361] Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user --- CHANGELOG.md | 1 + radicale/auth/ldap.py | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cce047e0..80845b21 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ * Fix: also remove 'item' from cache on delete * Improve: avoid automatically invalid cache on upgrade in case no change on cache structure * Improve: log important module versions on startup +* Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user ## 3.3.1 diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index a4c8f38c..b70affb9 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -79,6 +79,30 @@ class Auth(auth.BaseAuth): self._ldap_ssl_verify_mode = ssl.CERT_NONE elif tmp == "OPTIONAL": self._ldap_ssl_verify_mode = ssl.CERT_OPTIONAL + logger.info("auth.ldap_uri : %r" % self._ldap_uri) + logger.info("auth.ldap_base : %r" % self._ldap_base) + logger.info("auth.ldap_reader_dn : %r" % self._ldap_reader_dn) + logger.info("auth.ldap_load_groups : %s" % self._ldap_load_groups) + logger.info("auth.ldap_filter : %r" % self._ldap_filter) + if ldap_secret_file_path: + logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path) + if self._ldap_secret: + logger.info("auth.ldap_secret : (from file)") + else: + logger.info("auth.ldap_secret_file_path: (not provided)") + if self._ldap_secret: + logger.info("auth.ldap_secret : (from config)") + if self._ldap_reader_dn and not self._ldap_secret: + logger.error("auth.ldap_secret : (not provided)") + raise RuntimeError("LDAP authentication requires ldap_secret for reader_dn") + logger.info("auth.ldap_use_ssl : %s" % self._ldap_use_ssl) + if self._ldap_use_ssl is True: + logger.info("auth.ldap_ssl_verify_mode : %s" % self._ldap_ssl_verify_mode) + if self._ldap_ssl_ca_file: + logger.info("auth.ldap_ssl_ca_file : %r" % self._ldap_ssl_ca_file) + else: + logger.info("auth.ldap_ssl_ca_file : (not provided)") + def _login2(self, login: str, password: str) -> str: try: From 886f4ee8d05612eaa608a5956296dda8835e0ad0 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 14 Dec 2024 09:09:36 +0100 Subject: [PATCH 091/361] make tox happy --- radicale/auth/ldap.py | 1 - 1 file changed, 1 deletion(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index b70affb9..2db88c95 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -103,7 +103,6 @@ class Auth(auth.BaseAuth): else: logger.info("auth.ldap_ssl_ca_file : (not provided)") - def _login2(self, login: str, password: str) -> str: try: """Bind as reader dn""" From 3ebe51a4cbad7eefa2e91e4bb524dc2203174715 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 14 Dec 2024 09:25:36 +0100 Subject: [PATCH 092/361] Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) --- CHANGELOG.md | 1 + DOCUMENTATION.md | 11 +++++++++++ radicale/auth/__init__.py | 9 +++++++++ radicale/config.py | 4 ++++ radicale/tests/test_auth.py | 5 +++++ 5 files changed, 30 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 80845b21..2689fea0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ * Improve: avoid automatically invalid cache on upgrade in case no change on cache structure * Improve: log important module versions on startup * Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user +* Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) ## 3.3.1 diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 283dbb63..0d914911 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -923,6 +923,17 @@ providers like ldap, kerberos Default: `False` +Note: cannot be enabled together with `uc_username` + +##### uc_username + +Сonvert username to uppercase, must be true for case-insensitive auth +providers like ldap, kerberos + +Default: `False` + +Note: cannot be enabled together with `lc_username` + ##### strip_domain Strip domain from username diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 256ebe9e..566b9965 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -55,6 +55,7 @@ class BaseAuth: _ldap_groups: Set[str] = set([]) _lc_username: bool + _uc_username: bool _strip_domain: bool def __init__(self, configuration: "config.Configuration") -> None: @@ -67,7 +68,13 @@ class BaseAuth: """ self.configuration = configuration self._lc_username = configuration.get("auth", "lc_username") + self._uc_username = configuration.get("auth", "uc_username") self._strip_domain = configuration.get("auth", "strip_domain") + logger.info("auth.strip_domain: %s", self._strip_domain) + logger.info("auth.lc_username: %s", self._lc_username) + logger.info("auth.uc_username: %s", self._uc_username) + if self._lc_username is True and self._uc_username is True: + raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") def get_external_login(self, environ: types.WSGIEnviron) -> Union[ Tuple[()], Tuple[str, str]]: @@ -98,6 +105,8 @@ class BaseAuth: def login(self, login: str, password: str) -> str: if self._lc_username: login = login.lower() + if self._uc_username: + login = login.upper() if self._strip_domain: login = login.split('@')[0] return self._login(login, password) diff --git a/radicale/config.py b/radicale/config.py index d2af2ece..8ff1e14d 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -247,6 +247,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "strip domain from username", "type": bool}), + ("uc_username", { + "value": "False", + "help": "convert username to uppercase, must be true for case-insensitive auth providers", + "type": bool}), ("lc_username", { "value": "False", "help": "convert username to lowercase, must be true for case-insensitive auth providers", diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 5358e218..1142caf4 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -121,6 +121,11 @@ class TestBaseAuthRequests(BaseTest): self._test_htpasswd("plain", "tmp:bepo", ( ("tmp", "bepo", True), ("TMP", "bepo", True), ("tmp1", "bepo", False))) + def test_htpasswd_uc_username(self) -> None: + self.configure({"auth": {"uc_username": "True"}}) + self._test_htpasswd("plain", "TMP:bepo", ( + ("tmp", "bepo", True), ("TMP", "bepo", True), ("TMP1", "bepo", False))) + def test_htpasswd_strip_domain(self) -> None: self.configure({"auth": {"strip_domain": "True"}}) self._test_htpasswd("plain", "tmp:bepo", ( From a7ce8f032cd7b3df2995e4d9c3a391bd6dfc8303 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 14 Dec 2024 16:49:54 +0100 Subject: [PATCH 093/361] Add: option [debug] storage_cache_action for conditional logging --- CHANGELOG.md | 1 + DOCUMENTATION.md | 10 ++++++++-- config | 2 ++ radicale/config.py | 4 ++++ radicale/storage/multifilesystem/__init__.py | 1 + radicale/storage/multifilesystem/base.py | 3 +++ radicale/storage/multifilesystem/create_collection.py | 5 ++++- radicale/storage/multifilesystem/get.py | 2 ++ radicale/storage/multifilesystem/upload.py | 10 ++++++++-- 9 files changed, 33 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2689fea0..2292dd77 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ * Improve: log important module versions on startup * Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user * Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) +* Add: option [debug] storage_cache_action for conditional logging ## 3.3.1 diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 0d914911..76a0b65c 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1158,18 +1158,24 @@ Log request on level=debug Default: `False` -##### response_content_on_debug = True +##### response_content_on_debug Log response on level=debug Default: `False` -##### rights_rule_doesnt_match_on_debug = True +##### rights_rule_doesnt_match_on_debug Log rights rule which doesn't match on level=debug Default: `False` +##### #storage_cache_actions + +Log storage cache actions + +Default: `False` + #### headers In this section additional HTTP headers that are sent to clients can be diff --git a/config b/config index ea56b606..11c6bc91 100644 --- a/config +++ b/config @@ -226,6 +226,8 @@ # Log rights rule which doesn't match on level=debug #rights_rule_doesnt_match_on_debug = False +# Log storage cache actions +#storage_cache_actions = False [headers] diff --git a/radicale/config.py b/radicale/config.py index 8ff1e14d..e824009b 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -376,6 +376,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "log rights rules which doesn't match on level=debug", "type": bool}), + ("storage_cache_actions", { + "value": "False", + "help": "log storage cache action on level=debug", + "type": bool}), ("mask_passwords", { "value": "True", "help": "mask passwords in logs", diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index b32a9148..6592b515 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -97,6 +97,7 @@ class Storage( logger.info("storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) logger.info("storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) logger.info("storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) + logger.debug("storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: logger.info("storage cache subfolder: %r", self._get_collection_cache_folder()) self._makedirs_synced(self._get_collection_cache_folder()) diff --git a/radicale/storage/multifilesystem/base.py b/radicale/storage/multifilesystem/base.py index cb2ea03c..a580cf19 100644 --- a/radicale/storage/multifilesystem/base.py +++ b/radicale/storage/multifilesystem/base.py @@ -74,6 +74,7 @@ class StorageBase(storage.BaseStorage): _use_cache_subfolder_for_item: bool _use_cache_subfolder_for_history: bool _use_cache_subfolder_for_synctoken: bool + _debug_cache_actions: bool _folder_umask: str _config_umask: int @@ -93,6 +94,8 @@ class StorageBase(storage.BaseStorage): "storage", "use_cache_subfolder_for_synctoken") self._folder_umask = configuration.get( "storage", "folder_umask") + self._debug_cache_actions = configuration.get( + "logging", "storage_cache_actions") def _get_collection_root_folder(self) -> str: return os.path.join(self._filesystem_folder, "collection-root") diff --git a/radicale/storage/multifilesystem/create_collection.py b/radicale/storage/multifilesystem/create_collection.py index 75d3a387..4d8c7be8 100644 --- a/radicale/storage/multifilesystem/create_collection.py +++ b/radicale/storage/multifilesystem/create_collection.py @@ -1,7 +1,8 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2021 Unrud +# Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -24,6 +25,7 @@ import radicale.item as radicale_item from radicale import pathutils from radicale.storage import multifilesystem from radicale.storage.multifilesystem.base import StorageBase +from radicale.log import logger class StoragePartCreateCollection(StorageBase): @@ -36,6 +38,7 @@ class StoragePartCreateCollection(StorageBase): # Path should already be sanitized sane_path = pathutils.strip_path(href) filesystem_path = pathutils.path_to_filesystem(folder, sane_path) + logger.debug("Create collection: %r" % filesystem_path) if not props: self._makedirs_synced(filesystem_path) diff --git a/radicale/storage/multifilesystem/get.py b/radicale/storage/multifilesystem/get.py index f5d25816..543f004a 100644 --- a/radicale/storage/multifilesystem/get.py +++ b/radicale/storage/multifilesystem/get.py @@ -81,6 +81,8 @@ class CollectionPartGet(CollectionPartCache, CollectionPartLock, # The hash of the component in the file system. This is used to check, # if the entry in the cache is still valid. cache_hash = self._item_cache_hash(raw_text) + if self._storage._debug_cache_actions is True: + logger.debug("Check cache for: %r with hash %r", path, cache_hash) cache_content = self._load_item_cache(href, cache_hash) if cache_content is None: with self._acquire_cache_lock("item"): diff --git a/radicale/storage/multifilesystem/upload.py b/radicale/storage/multifilesystem/upload.py index 41af0a36..3ce0f4ab 100644 --- a/radicale/storage/multifilesystem/upload.py +++ b/radicale/storage/multifilesystem/upload.py @@ -29,6 +29,7 @@ from radicale.storage.multifilesystem.base import CollectionBase from radicale.storage.multifilesystem.cache import CollectionPartCache from radicale.storage.multifilesystem.get import CollectionPartGet from radicale.storage.multifilesystem.history import CollectionPartHistory +from radicale.log import logger class CollectionPartUpload(CollectionPartGet, CollectionPartCache, @@ -38,12 +39,14 @@ class CollectionPartUpload(CollectionPartGet, CollectionPartCache, ) -> radicale_item.Item: if not pathutils.is_safe_filesystem_path_component(href): raise pathutils.UnsafePathError(href) + path = pathutils.path_to_filesystem(self._filesystem_path, href) try: - self._store_item_cache(href, item) + cache_hash = self._item_cache_hash(item.serialize().encode(self._encoding)) + logger.debug("Store cache for: %r with hash %r", path, cache_hash) + self._store_item_cache(href, item, cache_hash) except Exception as e: raise ValueError("Failed to store item %r in collection %r: %s" % (href, self.path, e)) from e - path = pathutils.path_to_filesystem(self._filesystem_path, href) # TODO: better fix for "mypy" with self._atomic_write(path, newline="") as fo: # type: ignore f = cast(TextIO, fo) @@ -80,6 +83,7 @@ class CollectionPartUpload(CollectionPartGet, CollectionPartCache, self._storage._makedirs_synced(cache_folder) for item in items: uid = item.uid + logger.debug("Store item from list with uid: '%s'" % uid) try: cache_content = self._item_cache_content(item) except Exception as e: @@ -105,6 +109,8 @@ class CollectionPartUpload(CollectionPartGet, CollectionPartCache, f.flush() self._storage._fsync(f) with open(os.path.join(cache_folder, href), "wb") as fb: + cache_hash = self._item_cache_hash(item.serialize().encode(self._encoding)) + logger.debug("Store cache for: %r with hash %r", fb.name, cache_hash) pickle.dump(cache_content, fb) fb.flush() self._storage._fsync(fb) From f7d6f6442f40699636f964a346b132a16dac71b1 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 14 Dec 2024 17:02:31 +0100 Subject: [PATCH 094/361] make tox happy --- radicale/storage/multifilesystem/create_collection.py | 2 +- radicale/storage/multifilesystem/upload.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/storage/multifilesystem/create_collection.py b/radicale/storage/multifilesystem/create_collection.py index 4d8c7be8..2e6e9ce7 100644 --- a/radicale/storage/multifilesystem/create_collection.py +++ b/radicale/storage/multifilesystem/create_collection.py @@ -23,9 +23,9 @@ from typing import Iterable, Optional, cast import radicale.item as radicale_item from radicale import pathutils +from radicale.log import logger from radicale.storage import multifilesystem from radicale.storage.multifilesystem.base import StorageBase -from radicale.log import logger class StoragePartCreateCollection(StorageBase): diff --git a/radicale/storage/multifilesystem/upload.py b/radicale/storage/multifilesystem/upload.py index 3ce0f4ab..e9783e85 100644 --- a/radicale/storage/multifilesystem/upload.py +++ b/radicale/storage/multifilesystem/upload.py @@ -25,11 +25,11 @@ from typing import Iterable, Iterator, TextIO, cast import radicale.item as radicale_item from radicale import pathutils +from radicale.log import logger from radicale.storage.multifilesystem.base import CollectionBase from radicale.storage.multifilesystem.cache import CollectionPartCache from radicale.storage.multifilesystem.get import CollectionPartGet from radicale.storage.multifilesystem.history import CollectionPartHistory -from radicale.log import logger class CollectionPartUpload(CollectionPartGet, CollectionPartCache, From f1d007a51e58f90286c468202a19df3caf619688 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 08:28:37 +0100 Subject: [PATCH 095/361] Fix: set PRODID on collection upload --- radicale/app/put.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 6f883dca..bf559da0 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -29,7 +29,7 @@ from typing import Iterator, List, Mapping, MutableMapping, Optional, Tuple import vobject import radicale.item as radicale_item -from radicale import httputils, pathutils, rights, storage, types, xmlutils +from radicale import httputils, pathutils, rights, storage, types, xmlutils, utils from radicale.app.base import Access, ApplicationBase from radicale.hook import HookNotificationItem, HookNotificationItemTypes from radicale.log import logger @@ -37,6 +37,8 @@ from radicale.log import logger MIMETYPE_TAGS: Mapping[str, str] = {value: key for key, value in xmlutils.MIMETYPES.items()} +PRODID = u"-//Radicale//NONSGML Version " + utils.package_version("radicale") + "//EN" + def prepare(vobject_items: List[vobject.base.Component], path: str, content_type: str, permission: bool, parent_permission: bool, @@ -80,6 +82,7 @@ def prepare(vobject_items: List[vobject.base.Component], path: str, vobject_collection = vobject.iCalendar() for component in components: vobject_collection.add(component) + vobject_collection.add(vobject.base.ContentLine("PRODID", [], PRODID)) item = radicale_item.Item(collection_path=collection_path, vobject_item=vobject_collection) item.prepare() From 0a5773a844bb702fad3936b592a3c3607dfdecf0 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 08:29:09 +0100 Subject: [PATCH 096/361] Extend copyright --- radicale/app/put.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index bf559da0..17c103f5 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -2,7 +2,8 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2020 Unrud +# Copyright © 2020-2023 Tuna Celik # Copyright © 2024-2024 Peter Bieringer # # This library is free software: you can redistribute it and/or modify From 855e983ae2712391a5996b006dcf8956cdbf47f8 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 08:29:53 +0100 Subject: [PATCH 097/361] Fix: set PRODID on collection upload (instead of vobject is inserting default one) --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2292dd77..4ed800a2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ * Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user * Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) * Add: option [debug] storage_cache_action for conditional logging +* Fix: set PRODID on collection upload (instead of vobject is inserting default one) ## 3.3.1 From 7597c7d4a54b6dc020672625c6123c18c001cd6f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 08:37:35 +0100 Subject: [PATCH 098/361] make tox happy --- radicale/app/put.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 17c103f5..c1f0eacd 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -30,7 +30,8 @@ from typing import Iterator, List, Mapping, MutableMapping, Optional, Tuple import vobject import radicale.item as radicale_item -from radicale import httputils, pathutils, rights, storage, types, xmlutils, utils +from radicale import (httputils, pathutils, rights, storage, types, utils, + xmlutils) from radicale.app.base import Access, ApplicationBase from radicale.hook import HookNotificationItem, HookNotificationItemTypes from radicale.log import logger From 4bb00e607021be606cf450e9fee72cbec8fa54ce Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 11:40:02 +0100 Subject: [PATCH 099/361] item-cache-mtime-size: add new option --- config | 4 ++++ radicale/config.py | 4 ++++ radicale/storage/multifilesystem/__init__.py | 1 + radicale/storage/multifilesystem/base.py | 3 +++ 4 files changed, 12 insertions(+) diff --git a/config b/config index 11c6bc91..731c60f6 100644 --- a/config +++ b/config @@ -155,6 +155,10 @@ # Note: use only on single-instance setup, will break consistency with client in multi-instance setup #use_cache_subfolder_for_synctoken = False +# Use last modifiction time (nanoseconds) and size (bytes) for 'item' cache instead of SHA256 (improves speed) +# Note: check used filesystem mtime precision before enabling +#use_mtime_and_size_for_item_cache=False + # Use configured umask for folder creation (not applicable for OS Windows) # Useful value: 0077 | 0027 | 0007 | 0022 #folder_umask = (system default, usual 0022) diff --git a/radicale/config.py b/radicale/config.py index e824009b..73b04dc4 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -299,6 +299,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "use subfolder 'collection-cache' for 'sync-token' cache file structure instead of inside collection folder", "type": bool}), + ("use_mtime_and_size_for_item_cache", { + "value": "False", + "help": "use mtime and file size instead of SHA256 for 'item' cache (improves speed)", + "type": bool}), ("folder_umask", { "value": "", "help": "umask for folder creation (empty: system default)", diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 6592b515..4e5271f5 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -97,6 +97,7 @@ class Storage( logger.info("storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) logger.info("storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) logger.info("storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) + logger.info("storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) logger.debug("storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: logger.info("storage cache subfolder: %r", self._get_collection_cache_folder()) diff --git a/radicale/storage/multifilesystem/base.py b/radicale/storage/multifilesystem/base.py index a580cf19..dc013b34 100644 --- a/radicale/storage/multifilesystem/base.py +++ b/radicale/storage/multifilesystem/base.py @@ -74,6 +74,7 @@ class StorageBase(storage.BaseStorage): _use_cache_subfolder_for_item: bool _use_cache_subfolder_for_history: bool _use_cache_subfolder_for_synctoken: bool + _use_mtime_and_size_for_item_cache: bool _debug_cache_actions: bool _folder_umask: str _config_umask: int @@ -92,6 +93,8 @@ class StorageBase(storage.BaseStorage): "storage", "use_cache_subfolder_for_history") self._use_cache_subfolder_for_synctoken = configuration.get( "storage", "use_cache_subfolder_for_synctoken") + self._use_mtime_and_size_for_item_cache = configuration.get( + "storage", "use_mtime_and_size_for_item_cache") self._folder_umask = configuration.get( "storage", "folder_umask") self._debug_cache_actions = configuration.get( From ff3f2fc3dea49311af58ce65b172b80231b2d223 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 11:40:20 +0100 Subject: [PATCH 100/361] item-cache-mtime-size new option doc --- DOCUMENTATION.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 76a0b65c..c7a1d9ee 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1050,6 +1050,14 @@ Default: `False` Note: use only on single-instance setup, will break consistency with client in multi-instance setup +##### use_mtime_and_size_for_item_cache + +Use last modifiction time (nanoseconds) and size (bytes) for 'item' cache instead of SHA256 (improves speed) + +Default: `False` + +Note: check used filesystem mtime precision before enabling + ##### folder_umask Use configured umask for folder creation (not applicable for OS Windows) From 62bdfeab406e10c64ab63349111dd4489b8195d9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 11:40:58 +0100 Subject: [PATCH 101/361] item-cache-mtime-size: feature --- radicale/storage/multifilesystem/cache.py | 21 ++++++- radicale/storage/multifilesystem/get.py | 18 +++++- radicale/storage/multifilesystem/upload.py | 68 ++++++++++++++-------- 3 files changed, 77 insertions(+), 30 deletions(-) diff --git a/radicale/storage/multifilesystem/cache.py b/radicale/storage/multifilesystem/cache.py index 1d90f975..0f37381c 100644 --- a/radicale/storage/multifilesystem/cache.py +++ b/radicale/storage/multifilesystem/cache.py @@ -73,6 +73,10 @@ class CollectionPartCache(CollectionBase): _hash.update(raw_text) return _hash.hexdigest() + @staticmethod + def _item_cache_mtime_and_size(size: bytes, raw_text: bytes) -> str: + return str(storage.CACHE_VERSION.decode()) + "size=" + str(size) + ";mtime=" + str(raw_text) + def _item_cache_content(self, item: radicale_item.Item) -> CacheContent: return CacheContent(item.uid, item.etag, item.serialize(), item.name, item.component_name, *item.time_range) @@ -80,8 +84,11 @@ class CollectionPartCache(CollectionBase): def _store_item_cache(self, href: str, item: radicale_item.Item, cache_hash: str = "") -> CacheContent: if not cache_hash: - cache_hash = self._item_cache_hash( - item.serialize().encode(self._encoding)) + if self._storage._use_mtime_and_size_for_item_cache is True: + raise RuntimeError("_store_item_cache called without cache_hash is not supported if [storage] use_mtime_and_size_for_item_cache is True") + else: + cache_hash = self._item_cache_hash( + item.serialize().encode(self._encoding)) cache_folder = self._storage._get_collection_cache_subfolder(self._filesystem_path, ".Radicale.cache", "item") content = self._item_cache_content(item) self._storage._makedirs_synced(cache_folder) @@ -96,12 +103,20 @@ class CollectionPartCache(CollectionBase): def _load_item_cache(self, href: str, cache_hash: str ) -> Optional[CacheContent]: cache_folder = self._storage._get_collection_cache_subfolder(self._filesystem_path, ".Radicale.cache", "item") + path = os.path.join(cache_folder, href) try: - with open(os.path.join(cache_folder, href), "rb") as f: + with open(path, "rb") as f: hash_, *remainder = pickle.load(f) if hash_ and hash_ == cache_hash: + if self._storage._debug_cache_actions is True: + logger.debug("Item cache match : %r with hash %r", path, cache_hash) return CacheContent(*remainder) + else: + if self._storage._debug_cache_actions is True: + logger.debug("Item cache no match : %r with hash %r", path, cache_hash) except FileNotFoundError: + if self._storage._debug_cache_actions is True: + logger.debug("Item cache not found : %r with hash %r", path, cache_hash) pass except (pickle.UnpicklingError, ValueError) as e: logger.warning("Failed to load item cache entry %r in %r: %s", diff --git a/radicale/storage/multifilesystem/get.py b/radicale/storage/multifilesystem/get.py index 543f004a..f74c8fb6 100644 --- a/radicale/storage/multifilesystem/get.py +++ b/radicale/storage/multifilesystem/get.py @@ -80,11 +80,18 @@ class CollectionPartGet(CollectionPartCache, CollectionPartLock, raise # The hash of the component in the file system. This is used to check, # if the entry in the cache is still valid. - cache_hash = self._item_cache_hash(raw_text) - if self._storage._debug_cache_actions is True: - logger.debug("Check cache for: %r with hash %r", path, cache_hash) + if self._storage._use_mtime_and_size_for_item_cache is True: + cache_hash = self._item_cache_mtime_and_size(os.stat(path).st_size, os.stat(path).st_mtime_ns) + if self._storage._debug_cache_actions is True: + logger.debug("Item cache check for: %r with mtime and size %r", path, cache_hash) + else: + cache_hash = self._item_cache_hash(raw_text) + if self._storage._debug_cache_actions is True: + logger.debug("Item cache check for: %r with hash %r", path, cache_hash) cache_content = self._load_item_cache(href, cache_hash) if cache_content is None: + if self._storage._debug_cache_actions is True: + logger.debug("Item cache miss for: %r", path) with self._acquire_cache_lock("item"): # Lock the item cache to prevent multiple processes from # generating the same data in parallel. @@ -101,6 +108,8 @@ class CollectionPartGet(CollectionPartCache, CollectionPartLock, vobject_item, = vobject_items temp_item = radicale_item.Item( collection=self, vobject_item=vobject_item) + if self._storage._debug_cache_actions is True: + logger.debug("Item cache store for: %r", path) cache_content = self._store_item_cache( href, temp_item, cache_hash) except Exception as e: @@ -115,6 +124,9 @@ class CollectionPartGet(CollectionPartCache, CollectionPartLock, if not self._item_cache_cleaned: self._item_cache_cleaned = True self._clean_item_cache() + else: + if self._storage._debug_cache_actions is True: + logger.debug("Item cache hit for: %r", path) last_modified = time.strftime( "%a, %d %b %Y %H:%M:%S GMT", time.gmtime(os.path.getmtime(path))) diff --git a/radicale/storage/multifilesystem/upload.py b/radicale/storage/multifilesystem/upload.py index e9783e85..3814f428 100644 --- a/radicale/storage/multifilesystem/upload.py +++ b/radicale/storage/multifilesystem/upload.py @@ -41,19 +41,26 @@ class CollectionPartUpload(CollectionPartGet, CollectionPartCache, raise pathutils.UnsafePathError(href) path = pathutils.path_to_filesystem(self._filesystem_path, href) try: - cache_hash = self._item_cache_hash(item.serialize().encode(self._encoding)) - logger.debug("Store cache for: %r with hash %r", path, cache_hash) - self._store_item_cache(href, item, cache_hash) + with self._atomic_write(path, newline="") as fo: # type: ignore + f = cast(TextIO, fo) + f.write(item.serialize()) except Exception as e: raise ValueError("Failed to store item %r in collection %r: %s" % (href, self.path, e)) from e - # TODO: better fix for "mypy" - with self._atomic_write(path, newline="") as fo: # type: ignore - f = cast(TextIO, fo) - f.write(item.serialize()) - # Clean the cache after the actual item is stored, or the cache entry - # will be removed again. - self._clean_item_cache() + # store cache file + if self._storage._use_mtime_and_size_for_item_cache is True: + cache_hash = self._item_cache_mtime_and_size(os.stat(path).st_size, os.stat(path).st_mtime_ns) + if self._storage._debug_cache_actions is True: + logger.debug("Item cache store for: %r with mtime and size %r", path, cache_hash) + else: + cache_hash = self._item_cache_hash(item.serialize().encode(self._encoding)) + if self._storage._debug_cache_actions is True: + logger.debug("Item cache store for: %r with hash %r", path, cache_hash) + try: + self._store_item_cache(href, item, cache_hash) + except Exception as e: + raise ValueError("Failed to store item cache of %r in collection %r: %s" % + (href, self.path, e)) from e # Track the change self._update_history_etag(href, item) self._clean_history() @@ -84,15 +91,11 @@ class CollectionPartUpload(CollectionPartGet, CollectionPartCache, for item in items: uid = item.uid logger.debug("Store item from list with uid: '%s'" % uid) - try: - cache_content = self._item_cache_content(item) - except Exception as e: - raise ValueError( - "Failed to store item %r in temporary collection %r: %s" % - (uid, self.path, e)) from e + cache_content = self._item_cache_content(item) for href in get_safe_free_hrefs(uid): + path = os.path.join(self._filesystem_path, href) try: - f = open(os.path.join(self._filesystem_path, href), + f = open(path, "w", newline="", encoding=self._encoding) except OSError as e: if (sys.platform != "win32" and e.errno == errno.EINVAL or @@ -104,14 +107,31 @@ class CollectionPartUpload(CollectionPartGet, CollectionPartCache, else: raise RuntimeError("No href found for item %r in temporary " "collection %r" % (uid, self.path)) - with f: - f.write(item.serialize()) - f.flush() - self._storage._fsync(f) - with open(os.path.join(cache_folder, href), "wb") as fb: + + try: + with f: + f.write(item.serialize()) + f.flush() + self._storage._fsync(f) + except Exception as e: + raise ValueError( + "Failed to store item %r in temporary collection %r: %s" % + (uid, self.path, e)) from e + + # store cache file + if self._storage._use_mtime_and_size_for_item_cache is True: + cache_hash = self._item_cache_mtime_and_size(os.stat(path).st_size, os.stat(path).st_mtime_ns) + if self._storage._debug_cache_actions is True: + logger.debug("Item cache store for: %r with mtime and size %r", path, cache_hash) + else: cache_hash = self._item_cache_hash(item.serialize().encode(self._encoding)) - logger.debug("Store cache for: %r with hash %r", fb.name, cache_hash) - pickle.dump(cache_content, fb) + if self._storage._debug_cache_actions is True: + logger.debug("Item cache store for: %r with hash %r", path, cache_hash) + path_cache = os.path.join(cache_folder, href) + if self._storage._debug_cache_actions is True: + logger.debug("Item cache store into: %r", path_cache) + with open(os.path.join(cache_folder, href), "wb") as fb: + pickle.dump((cache_hash, *cache_content), fb) fb.flush() self._storage._fsync(fb) self._storage._sync_directory(cache_folder) From dc20f518dd3e948242e77e6b49fc4b5f2f82c7c4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 11:41:08 +0100 Subject: [PATCH 102/361] item-cache-mtime-size: changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ed800a2..9b38513a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,8 @@ * Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) * Add: option [debug] storage_cache_action for conditional logging * Fix: set PRODID on collection upload (instead of vobject is inserting default one) +* Add: option [storage] use_mtime_and_size_for_item_cache for changing cache lookup from SHA256 to mtime_ns + size +* Fix: buggy cache file content creation on collection upload ## 3.3.1 From 11dad85404b48be80a702c9d97bfc30fe0d76456 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 11:45:38 +0100 Subject: [PATCH 103/361] fix types (mpy) --- radicale/storage/multifilesystem/cache.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/storage/multifilesystem/cache.py b/radicale/storage/multifilesystem/cache.py index 0f37381c..158641e4 100644 --- a/radicale/storage/multifilesystem/cache.py +++ b/radicale/storage/multifilesystem/cache.py @@ -74,7 +74,7 @@ class CollectionPartCache(CollectionBase): return _hash.hexdigest() @staticmethod - def _item_cache_mtime_and_size(size: bytes, raw_text: bytes) -> str: + def _item_cache_mtime_and_size(size: int, raw_text: int) -> str: return str(storage.CACHE_VERSION.decode()) + "size=" + str(size) + ";mtime=" + str(raw_text) def _item_cache_content(self, item: radicale_item.Item) -> CacheContent: From fc7c50b4cbb949159f7389b56eca3aaf58d2208f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 12:20:24 +0100 Subject: [PATCH 104/361] add note about storage verification --- DOCUMENTATION.md | 2 ++ config | 1 + 2 files changed, 3 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index c7a1d9ee..d2dce4e7 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1058,6 +1058,8 @@ Default: `False` Note: check used filesystem mtime precision before enabling +Note: conversion is done on access, bulk conversion can be done offline using storage verification option `radicale --verify-storage` + ##### folder_umask Use configured umask for folder creation (not applicable for OS Windows) diff --git a/config b/config index 731c60f6..c8e9802b 100644 --- a/config +++ b/config @@ -157,6 +157,7 @@ # Use last modifiction time (nanoseconds) and size (bytes) for 'item' cache instead of SHA256 (improves speed) # Note: check used filesystem mtime precision before enabling +# Note: conversion is done on access, bulk conversion can be done offline using storage verification option: radicale --verify-storage #use_mtime_and_size_for_item_cache=False # Use configured umask for folder creation (not applicable for OS Windows) From 5f79b089c8076035c9541accd53c259df18da4e7 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 12:21:39 +0100 Subject: [PATCH 105/361] fix option name --- CHANGELOG.md | 2 +- DOCUMENTATION.md | 4 ++-- config | 4 ++-- radicale/config.py | 2 +- radicale/storage/multifilesystem/base.py | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b38513a..63ee7acb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,7 +13,7 @@ * Improve: log important module versions on startup * Improve: auth.ldap config shown on startup, terminate in case no password is supplied for bind user * Add: option [auth] uc_username for uppercase conversion (similar to existing lc_username) -* Add: option [debug] storage_cache_action for conditional logging +* Add: option [logging] storage_cache_action_on_debug for conditional logging * Fix: set PRODID on collection upload (instead of vobject is inserting default one) * Add: option [storage] use_mtime_and_size_for_item_cache for changing cache lookup from SHA256 to mtime_ns + size * Fix: buggy cache file content creation on collection upload diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index d2dce4e7..cf8b8058 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1180,9 +1180,9 @@ Log rights rule which doesn't match on level=debug Default: `False` -##### #storage_cache_actions +##### storage_cache_actions_on_debug -Log storage cache actions +Log storage cache actions on level=debug Default: `False` diff --git a/config b/config index c8e9802b..9d30509e 100644 --- a/config +++ b/config @@ -231,8 +231,8 @@ # Log rights rule which doesn't match on level=debug #rights_rule_doesnt_match_on_debug = False -# Log storage cache actions -#storage_cache_actions = False +# Log storage cache actions on level=debug +#storage_cache_actions_on_debug = False [headers] diff --git a/radicale/config.py b/radicale/config.py index 73b04dc4..0ac5970c 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -380,7 +380,7 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "log rights rules which doesn't match on level=debug", "type": bool}), - ("storage_cache_actions", { + ("storage_cache_actions_on_debug", { "value": "False", "help": "log storage cache action on level=debug", "type": bool}), diff --git a/radicale/storage/multifilesystem/base.py b/radicale/storage/multifilesystem/base.py index dc013b34..394e89bf 100644 --- a/radicale/storage/multifilesystem/base.py +++ b/radicale/storage/multifilesystem/base.py @@ -98,7 +98,7 @@ class StorageBase(storage.BaseStorage): self._folder_umask = configuration.get( "storage", "folder_umask") self._debug_cache_actions = configuration.get( - "logging", "storage_cache_actions") + "logging", "storage_cache_actions_on_debug") def _get_collection_root_folder(self) -> str: return os.path.join(self._filesystem_folder, "collection-root") From dc51a74e5a600744c31c80372292f33667cd1d8b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 12:51:02 +0100 Subject: [PATCH 106/361] add test case --- radicale/tests/test_storage.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/radicale/tests/test_storage.py b/radicale/tests/test_storage.py index 5eca0753..1957a137 100644 --- a/radicale/tests/test_storage.py +++ b/radicale/tests/test_storage.py @@ -116,6 +116,22 @@ class TestMultiFileSystem(BaseTest): assert answer1 == answer2 assert os.path.exists(os.path.join(cache_folder, "event1.ics")) + def test_item_cache_rebuild_mtime_and_size(self) -> None: + """Delete the item cache and verify that it is rebuild.""" + self.configure({"storage": {"use_mtime_and_size_for_item_cache": "True"}}) + self.mkcalendar("/calendar.ics/") + event = get_file_content("event1.ics") + path = "/calendar.ics/event1.ics" + self.put(path, event) + _, answer1 = self.get(path) + cache_folder = os.path.join(self.colpath, "collection-root", + "calendar.ics", ".Radicale.cache", "item") + assert os.path.exists(os.path.join(cache_folder, "event1.ics")) + shutil.rmtree(cache_folder) + _, answer2 = self.get(path) + assert answer1 == answer2 + assert os.path.exists(os.path.join(cache_folder, "event1.ics")) + def test_put_whole_calendar_uids_used_as_file_names(self) -> None: """Test if UIDs are used as file names.""" _TestBaseRequests.test_put_whole_calendar( From a606477e3f07358e84b53686608a08f8ca8da75c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 15 Dec 2024 13:08:59 +0100 Subject: [PATCH 107/361] update for 3.3.2 --- CHANGELOG.md | 2 +- pyproject.toml | 4 ++-- setup.py.legacy | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 63ee7acb..20b6bda6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## 3.3.2.dev +## 3.3.2 * Fix: debug logging in rights/from_file * Add: option [storage] use_cache_subfolder_for_item for storing 'item' cache outside collection-root * Fix: ignore empty RRULESET in item diff --git a/pyproject.toml b/pyproject.toml index 5cb754c5..aaeb805c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,8 +3,8 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.2.dev" -authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}] +version = "3.3.2" +authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" keywords = ["calendar", "addressbook", "CalDAV", "CardDAV"] diff --git a/setup.py.legacy b/setup.py.legacy index a1f7ee75..ba97b8e0 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.2.dev" +VERSION = "3.3.2" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 3d4cd7f034c8f3f9960f18ca3f6692e2571e90a9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 08:58:42 +0100 Subject: [PATCH 108/361] Add: display mtime_ns precision of storage folder with condition warning if too less --- CHANGELOG.md | 3 + pyproject.toml | 2 +- radicale/storage/multifilesystem/__init__.py | 74 +++++++++++++++++--- setup.py.legacy | 2 +- 4 files changed, 70 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 20b6bda6..94b74d73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Changelog +## 3.3.3.dev +* Add: display mtime_ns precision of storage folder with condition warning if too less + ## 3.3.2 * Fix: debug logging in rights/from_file * Add: option [storage] use_cache_subfolder_for_item for storing 'item' cache outside collection-root diff --git a/pyproject.toml b/pyproject.toml index aaeb805c..7c9aa260 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.2" +version = "3.3.3.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 4e5271f5..6aafae8e 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -47,6 +47,8 @@ from radicale.storage.multifilesystem.sync import CollectionPartSync from radicale.storage.multifilesystem.upload import CollectionPartUpload from radicale.storage.multifilesystem.verify import StoragePartVerify +# 999 second, 999 ms, 999 us, 999 ns +MTIME_NS_TEST: int = 999999999999 class Collection( CollectionPartDelete, CollectionPartMeta, CollectionPartSync, @@ -91,22 +93,76 @@ class Storage( def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) - logger.info("storage location: %r", self._filesystem_folder) + logger.info("Storage location: %r", self._filesystem_folder) self._makedirs_synced(self._filesystem_folder) - logger.info("storage location subfolder: %r", self._get_collection_root_folder()) - logger.info("storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) - logger.info("storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) - logger.info("storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) - logger.info("storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) - logger.debug("storage cache action logging: %s", self._debug_cache_actions) + logger.info("Storage location subfolder: %r", self._get_collection_root_folder()) + logger.info("Storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) + logger.info("Storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) + logger.info("Storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) + logger.info("Storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) + if self._use_mtime_and_size_for_item_cache is True: + # calculate and display mtime resolution + path = os.path.join(self._get_collection_root_folder(), ".Radicale.mtime_test") + try: + with open(path, "w") as f: + f.write("mtime_test") + f.close + except Exception: + logger.error("Storage item mtime resolution test not possible") + raise + # set mtime_ns for tests + os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) + logger.debug("Storage item mtime resoultion test set: %d" % MTIME_NS_TEST) + mtime_ns = os.stat(path).st_mtime_ns + mtime_ns = int(MTIME_NS_TEST / 100000000) * 100000000 + logger.debug("Storage item mtime resoultion test get: %d" % mtime_ns) + # start analysis + precision = 1 + mtime_ns_test = MTIME_NS_TEST + while mtime_ns > 0: + if mtime_ns == mtime_ns_test: + break + factor = 2 + if int(mtime_ns / factor) == int(mtime_ns_test / factor): + precision = precision * factor + break + factor = 5 + if int(mtime_ns / factor) == int(mtime_ns_test / factor): + precision = precision * factor + break + precision = precision * 10 + mtime_ns = int(mtime_ns / 10) + mtime_ns_test = int(mtime_ns_test / 10) + unit = "ns" + precision_log = precision + if precision >= 1000000000: + precision_log = precision / 1000000000 + unit = "s" + elif precision >= 1000000: + precision_log = precision / 1000000 + unit = "ms" + elif precision >= 1000: + precision_log = precision / 1000 + unit = "us" + os.remove(path) + if precision >= 100000000: + # >= 100 ms + logger.warning("Storage item mtime resolution test result: %d %s (VERY RISKY ON PRODUCTION SYSTEMS)" % (precision_log, unit)) + elif precision >= 10000000: + # >= 10 ms + logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_log, unit)) + else: + logger.info("Storage item mtime resolution test result: %d %s" % (precision_log, unit)) + raise + logger.debug("Storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: - logger.info("storage cache subfolder: %r", self._get_collection_cache_folder()) + logger.info("Storage cache subfolder: %r", self._get_collection_cache_folder()) self._makedirs_synced(self._get_collection_cache_folder()) if sys.platform != "win32": if not self._folder_umask: # retrieve current umask by setting a dummy umask current_umask = os.umask(0o0022) - logger.info("storage folder umask (from system): '%04o'", current_umask) + logger.info("Storage folder umask (from system): '%04o'", current_umask) # reset to original os.umask(current_umask) else: diff --git a/setup.py.legacy b/setup.py.legacy index ba97b8e0..91bdc16a 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.2" +VERSION = "3.3.3.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 836827ac8f4dce83a4de03a0cd7ee98501552472 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 08:59:23 +0100 Subject: [PATCH 109/361] remove test code --- radicale/storage/multifilesystem/__init__.py | 1 - 1 file changed, 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 6aafae8e..c4130dfb 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -153,7 +153,6 @@ class Storage( logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_log, unit)) else: logger.info("Storage item mtime resolution test result: %d %s" % (precision_log, unit)) - raise logger.debug("Storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: logger.info("Storage cache subfolder: %r", self._get_collection_cache_folder()) From c1c8ab2887984eab26aebc4927b12612f0f6b6a3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 09:00:06 +0100 Subject: [PATCH 110/361] remove test code --- radicale/storage/multifilesystem/__init__.py | 1 - 1 file changed, 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index c4130dfb..458004ba 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -114,7 +114,6 @@ class Storage( os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) logger.debug("Storage item mtime resoultion test set: %d" % MTIME_NS_TEST) mtime_ns = os.stat(path).st_mtime_ns - mtime_ns = int(MTIME_NS_TEST / 100000000) * 100000000 logger.debug("Storage item mtime resoultion test get: %d" % mtime_ns) # start analysis precision = 1 From 4b1183ae002956a78bd552b5af924803a3322d43 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 20:34:16 +0100 Subject: [PATCH 111/361] disable fsync during storage verification --- radicale/storage/multifilesystem/verify.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/storage/multifilesystem/verify.py b/radicale/storage/multifilesystem/verify.py index 776f1bfd..4c644c19 100644 --- a/radicale/storage/multifilesystem/verify.py +++ b/radicale/storage/multifilesystem/verify.py @@ -29,6 +29,8 @@ class StoragePartVerify(StoragePartDiscover, StorageBase): def verify(self) -> bool: item_errors = collection_errors = 0 + logger.info("Disable fsync during storage verification") + self._filesystem_fsync = False @types.contextmanager def exception_cm(sane_path: str, href: Optional[str] From 0f6dcb71923123f44f0177a9294eba3ed188dfc6 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 20:34:38 +0100 Subject: [PATCH 112/361] disable fsync during storage verification --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 94b74d73..330fa4b3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## 3.3.3.dev * Add: display mtime_ns precision of storage folder with condition warning if too less +* Improve: disable fsync during storage verification ## 3.3.2 * Fix: debug logging in rights/from_file From 6214111f4fa518120d241b50238d83ca0222138f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 20:58:59 +0100 Subject: [PATCH 113/361] make tox happy --- radicale/storage/multifilesystem/__init__.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 458004ba..4c4f321a 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -50,6 +50,7 @@ from radicale.storage.multifilesystem.verify import StoragePartVerify # 999 second, 999 ms, 999 us, 999 ns MTIME_NS_TEST: int = 999999999999 + class Collection( CollectionPartDelete, CollectionPartMeta, CollectionPartSync, CollectionPartUpload, CollectionPartGet, CollectionPartCache, @@ -102,13 +103,13 @@ class Storage( logger.info("Storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) if self._use_mtime_and_size_for_item_cache is True: # calculate and display mtime resolution - path = os.path.join(self._get_collection_root_folder(), ".Radicale.mtime_test") + path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") try: with open(path, "w") as f: f.write("mtime_test") f.close - except Exception: - logger.error("Storage item mtime resolution test not possible") + except Exception as e: + logger.error("Storage item mtime resolution test not possible, cannot write file: %r (%s)", path, e) raise # set mtime_ns for tests os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) @@ -135,13 +136,13 @@ class Storage( unit = "ns" precision_log = precision if precision >= 1000000000: - precision_log = precision / 1000000000 + precision_log = int(precision / 1000000000) unit = "s" elif precision >= 1000000: - precision_log = precision / 1000000 + precision_log = int(precision / 1000000) unit = "ms" elif precision >= 1000: - precision_log = precision / 1000 + precision_log = int(precision / 1000) unit = "us" os.remove(path) if precision >= 100000000: From 1a76e1ad5046dd20e13ee50899b21aeee7bad71c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 18 Dec 2024 19:40:32 +0100 Subject: [PATCH 114/361] cosmetics --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index 9d30509e..c34b9d28 100644 --- a/config +++ b/config @@ -158,7 +158,7 @@ # Use last modifiction time (nanoseconds) and size (bytes) for 'item' cache instead of SHA256 (improves speed) # Note: check used filesystem mtime precision before enabling # Note: conversion is done on access, bulk conversion can be done offline using storage verification option: radicale --verify-storage -#use_mtime_and_size_for_item_cache=False +#use_mtime_and_size_for_item_cache = False # Use configured umask for folder creation (not applicable for OS Windows) # Useful value: 0077 | 0027 | 0007 | 0022 From 59450e8c2da108072d7c9f4902556483ad85172f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 18 Dec 2024 20:14:56 +0100 Subject: [PATCH 115/361] add additional ReadWritePaths entry, fix existing one --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index cf8b8058..25bd8936 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -248,7 +248,7 @@ ProtectKernelTunables=true ProtectKernelModules=true ProtectControlGroups=true NoNewPrivileges=true -ReadWritePaths=/var/lib/radicale/collections +ReadWritePaths=/var/lib/radicale/ /var/cache/radicale/ [Install] WantedBy=multi-user.target From b356edd6bef26ec45f235ca72470a3f3cc646224 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 18 Dec 2024 20:51:33 +0100 Subject: [PATCH 116/361] Improve: suppress duplicate log lines on startup --- CHANGELOG.md | 1 + radicale/log.py | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 330fa4b3..a0592f66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## 3.3.3.dev * Add: display mtime_ns precision of storage folder with condition warning if too less * Improve: disable fsync during storage verification +* Improve: suppress duplicate log lines on startup ## 3.3.2 * Fix: debug logging in rights/from_file diff --git a/radicale/log.py b/radicale/log.py index 313b4933..ef2eb703 100644 --- a/radicale/log.py +++ b/radicale/log.py @@ -221,18 +221,31 @@ def setup() -> None: logger.error("Invalid RADICALE_LOG_FORMAT: %r", format_name) +logger_display_backtrace_disabled: bool = False +logger_display_backtrace_enabled: bool = False + + def set_level(level: Union[int, str], backtrace_on_debug: bool) -> None: """Set logging level for global logger.""" + global logger_display_backtrace_disabled + global logger_display_backtrace_enabled if isinstance(level, str): level = getattr(logging, level.upper()) assert isinstance(level, int) logger.setLevel(level) if level > logging.DEBUG: - logger.info("Logging of backtrace is disabled in this loglevel") + if logger_display_backtrace_disabled is False: + logger.info("Logging of backtrace is disabled in this loglevel") + logger_display_backtrace_disabled = True logger.addFilter(REMOVE_TRACEBACK_FILTER) else: if not backtrace_on_debug: - logger.debug("Logging of backtrace is disabled by option in this loglevel") + if logger_display_backtrace_disabled is False: + logger.debug("Logging of backtrace is disabled by option in this loglevel") + logger_display_backtrace_disabled = True logger.addFilter(REMOVE_TRACEBACK_FILTER) else: + if logger_display_backtrace_enabled is False: + logger.debug("Logging of backtrace is enabled by option in this loglevel") + logger_display_backtrace_enabled = True logger.removeFilter(REMOVE_TRACEBACK_FILTER) From 9e9d036387f28ed25eaf980bb8d6d55de3d574e1 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 18 Dec 2024 22:18:38 +0100 Subject: [PATCH 117/361] display always mtime result --- radicale/storage/multifilesystem/__init__.py | 49 +++++++++++--------- 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 4c4f321a..b9a525dc 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -92,16 +92,7 @@ class Storage( _collection_class: ClassVar[Type[Collection]] = Collection - def __init__(self, configuration: config.Configuration) -> None: - super().__init__(configuration) - logger.info("Storage location: %r", self._filesystem_folder) - self._makedirs_synced(self._filesystem_folder) - logger.info("Storage location subfolder: %r", self._get_collection_root_folder()) - logger.info("Storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) - logger.info("Storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) - logger.info("Storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) - logger.info("Storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) - if self._use_mtime_and_size_for_item_cache is True: + def _analyse_mtime(self) -> None: # calculate and display mtime resolution path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") try: @@ -134,25 +125,39 @@ class Storage( mtime_ns = int(mtime_ns / 10) mtime_ns_test = int(mtime_ns_test / 10) unit = "ns" - precision_log = precision + precision_unit = precision if precision >= 1000000000: - precision_log = int(precision / 1000000000) + precision_unit = int(precision / 1000000000) unit = "s" elif precision >= 1000000: - precision_log = int(precision / 1000000) + precision_unit = int(precision / 1000000) unit = "ms" elif precision >= 1000: - precision_log = int(precision / 1000) + precision_unit = int(precision / 1000) unit = "us" os.remove(path) - if precision >= 100000000: - # >= 100 ms - logger.warning("Storage item mtime resolution test result: %d %s (VERY RISKY ON PRODUCTION SYSTEMS)" % (precision_log, unit)) - elif precision >= 10000000: - # >= 10 ms - logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_log, unit)) - else: - logger.info("Storage item mtime resolution test result: %d %s" % (precision_log, unit)) + return (precision, precision_unit, unit) + + def __init__(self, configuration: config.Configuration) -> None: + super().__init__(configuration) + logger.info("Storage location: %r", self._filesystem_folder) + self._makedirs_synced(self._filesystem_folder) + logger.info("Storage location subfolder: %r", self._get_collection_root_folder()) + logger.info("Storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) + logger.info("Storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) + logger.info("Storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) + logger.info("Storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) + (precision, precision_unit, unit) = self._analyse_mtime() + if precision >= 100000000: + # >= 100 ms + logger.warning("Storage item mtime resolution test result: %d %s (VERY RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) + elif precision >= 10000000: + # >= 10 ms + logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) + else: + logger.info("Storage item mtime resolution test result: %d %s" % (precision_unit, unit)) + if self._use_mtime_and_size_for_item_cache is False: + logger.info("Storage cache using mtime and size for 'item' may be an option in case of performance issues") logger.debug("Storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: logger.info("Storage cache subfolder: %r", self._get_collection_cache_folder()) From 335584a6b70aefecc991526de5bd0bce706e6e33 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 18 Dec 2024 22:28:02 +0100 Subject: [PATCH 118/361] make tox happy --- radicale/storage/multifilesystem/__init__.py | 90 ++++++++++---------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index b9a525dc..3bf9202f 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -92,51 +92,51 @@ class Storage( _collection_class: ClassVar[Type[Collection]] = Collection - def _analyse_mtime(self) -> None: - # calculate and display mtime resolution - path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") - try: - with open(path, "w") as f: - f.write("mtime_test") - f.close - except Exception as e: - logger.error("Storage item mtime resolution test not possible, cannot write file: %r (%s)", path, e) - raise - # set mtime_ns for tests - os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) - logger.debug("Storage item mtime resoultion test set: %d" % MTIME_NS_TEST) - mtime_ns = os.stat(path).st_mtime_ns - logger.debug("Storage item mtime resoultion test get: %d" % mtime_ns) - # start analysis - precision = 1 - mtime_ns_test = MTIME_NS_TEST - while mtime_ns > 0: - if mtime_ns == mtime_ns_test: - break - factor = 2 - if int(mtime_ns / factor) == int(mtime_ns_test / factor): - precision = precision * factor - break - factor = 5 - if int(mtime_ns / factor) == int(mtime_ns_test / factor): - precision = precision * factor - break - precision = precision * 10 - mtime_ns = int(mtime_ns / 10) - mtime_ns_test = int(mtime_ns_test / 10) - unit = "ns" - precision_unit = precision - if precision >= 1000000000: - precision_unit = int(precision / 1000000000) - unit = "s" - elif precision >= 1000000: - precision_unit = int(precision / 1000000) - unit = "ms" - elif precision >= 1000: - precision_unit = int(precision / 1000) - unit = "us" - os.remove(path) - return (precision, precision_unit, unit) + def _analyse_mtime(self): + # calculate and display mtime resolution + path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") + try: + with open(path, "w") as f: + f.write("mtime_test") + f.close + except Exception as e: + logger.error("Storage item mtime resolution test not possible, cannot write file: %r (%s)", path, e) + raise + # set mtime_ns for tests + os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) + logger.debug("Storage item mtime resoultion test set: %d" % MTIME_NS_TEST) + mtime_ns = os.stat(path).st_mtime_ns + logger.debug("Storage item mtime resoultion test get: %d" % mtime_ns) + # start analysis + precision = 1 + mtime_ns_test = MTIME_NS_TEST + while mtime_ns > 0: + if mtime_ns == mtime_ns_test: + break + factor = 2 + if int(mtime_ns / factor) == int(mtime_ns_test / factor): + precision = precision * factor + break + factor = 5 + if int(mtime_ns / factor) == int(mtime_ns_test / factor): + precision = precision * factor + break + precision = precision * 10 + mtime_ns = int(mtime_ns / 10) + mtime_ns_test = int(mtime_ns_test / 10) + unit = "ns" + precision_unit = precision + if precision >= 1000000000: + precision_unit = int(precision / 1000000000) + unit = "s" + elif precision >= 1000000: + precision_unit = int(precision / 1000000) + unit = "ms" + elif precision >= 1000: + precision_unit = int(precision / 1000) + unit = "us" + os.remove(path) + return (precision, precision_unit, unit) def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) From c8010fa4bed346ec0b847be71f9512a1e7b21574 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 23 Dec 2024 07:07:43 +0100 Subject: [PATCH 119/361] fix https://github.com/Kozea/Radicale/issues/1647 --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 25bd8936..2a88844c 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1401,7 +1401,7 @@ An example rights file: [root] user: .+ collection: -permissions: r +permissions: R # Allow reading and writing principal collection (same as username) [principal] From e2934a12c0f494ecbd7b042d2cc138a0848627f3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 24 Dec 2024 08:24:13 +0100 Subject: [PATCH 120/361] Contrib: logwatch config and script --- contrib/logwatch/radicale | 135 +++++++++++++++++++++++++++++++++ contrib/logwatch/radicale.conf | 12 +++ 2 files changed, 147 insertions(+) create mode 100644 contrib/logwatch/radicale create mode 100644 contrib/logwatch/radicale.conf diff --git a/contrib/logwatch/radicale b/contrib/logwatch/radicale new file mode 100644 index 00000000..75243759 --- /dev/null +++ b/contrib/logwatch/radicale @@ -0,0 +1,135 @@ +# This file is related to Radicale - CalDAV and CardDAV server +# for logwatch (script) +# Copyright © 2024-2024 Peter Bieringer + +$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; + +my %ResponseTimes; +my %Requests; +my %Logins; +my %Loglevel; +my %OtherEvents; + +sub ResponseTimesMinMaxAvg($$) { + my $req = $_[0]; + my $time = $_[1]; + + $ResponseTimes{$req}->{'cnt'}++; + + if (! defined $ResponseTimes{$req}->{'min'}) { + $ResponseTimes{$req}->{'min'} = $time; + } elsif ($ResponseTimes->{$req}->{'min'} > $time) { + $ResponseTimes{$req}->{'min'} = $time; + } + + if (! defined $ResponseTimes{$req}->{'max'}) { + $ResponseTimes{$req}{'max'} = $time; + } elsif ($ResponseTimes{$req}->{'max'} < $time) { + $ResponseTimes{$req}{'max'} = $time; + } + + if (! defined $ResponseTimes{$req}->{'avg'}) { + $ResponseTimes{$req}->{'avg'} = $time; + } else { + $ResponseTimes{$req}->{'avg'} = ($ResponseTimes{$req}->{'avg'} * ($ResponseTimes{$req}->{'cnt'} - 1) + $time) / $ResponseTimes{$req}->{'cnt'}; + } +} + +while (defined($ThisLine = )) { + # count loglevel + if ( $ThisLine =~ /\[(DEBUG|INFO|WARNING|ERROR|CRITICAL)\] /o ) { + $Loglevel{$1}++ + } + + # parse log for events + if ( $ThisLine =~ /Radicale server ready/o ) { + $OtherEvents{"Radicale server started"}++; + } + elsif ( $ThisLine =~ /Stopping Radicale/o ) { + $OtherEvents{"Radicale server stopped"}++; + } + elsif ( $ThisLine =~ / (\S+ response status)/o ) { + if ( $ThisLine =~ / (\S+) response status for .* with depth '(\d)' in ([0-9.]+) seconds: (\d+)/o ) { + ResponseTimesMinMaxAvg($1 . "|R=" . $4 . "|D=" . $2, $3); + } elsif ( $ThisLine =~ / (\S+) response status for .* in ([0-9.]+) seconds: (\d+)/ ) { + ResponseTimesMinMaxAvg($1 . "|R=" . $3, $2); + } + } + elsif ( $ThisLine =~ / (\S+) request for/o ) { + $Requests{$1}++; + } + elsif ( $ThisLine =~ / Successful login: '([^']+)'/o ) { + $Logins{$1}++; + } + elsif ( $ThisLine =~ / (Failed login attempt) /o ) { + $OtherEvents{$1}++; + } + elsif ( $ThisLine =~ /\[(DEBUG|INFO)\] /o ) { + # skip if DEBUG+INFO + } + else { + # Report any unmatched entries... + $ThisLine =~ s/^\[\d+(\/Thread-\d+)?\] //; # remove process/Thread ID + chomp($ThisLine); + $OtherList{$ThisLine}++; + } +} + +if ($Started) { + print "\nStatistics:\n"; + print " Radicale started: $Started Time(s)\n"; +} + +if (keys %Loglevel) { + print "\n**Loglevel counters**\n"; + printf "%-18s | %7s |\n", "Loglevel", "cnt"; + print "-" x30 . "\n"; + foreach my $level (sort keys %Loglevel) { + printf "%-18s | %7d |\n", $level, $Loglevel{$level}; + } +} + +if (keys %Requests) { + print "\n**Request counters**\n"; + printf "%-18s | %7s |\n", "Request", "cnt"; + print "-" x30 . "\n"; + foreach my $req (sort keys %Requests) { + printf "%-18s | %7d |\n", $req, $Requests{$req}; + } +} + +if ($Details >= 5 && keys %Requests) { + print "\n**Successful login counters**\n"; + printf "%-25s | %7s |\n", "Login", "cnt"; + print "-" x37 . "\n"; + foreach my $login (sort keys %Logins) { + printf "%-25s | %7d |\n", $login, $Logins{$login}; + } +} + +if ($Detail >= 5 && keys %ResponseTimes) { + print "\n**Response timings (counts, seconds) (R= D=)**\n"; + printf "%-18s | %7s | %7s | %7s | %7s |\n", "Response", "cnt", "min", "max", "avg"; + print "-" x60 . "\n"; + foreach my $req (sort keys %ResponseTimes) { + printf "%-18s | %7d | %7.3f | %7.3f | %7.3f |\n", $req, $ResponseTimes{$req}->{'cnt'}, $ResponseTimes{$req}->{'min'}, $ResponseTimes{$req}->{'max'}, $ResponseTimes{$req}->{'avg'}; + } +} + +if (keys %OtherEvents) { + print "\n**Other Events**\n"; + foreach $ThisOne (sort keys %OtherEvents) { + print "$ThisOne: $OtherEvents{$ThisOne} Time(s)\n"; + } +} + +if (keys %OtherList) { + print "\n**Unmatched Entries**\n"; + foreach $ThisOne (sort keys %OtherList) { + print "$ThisOne: $OtherList{$ThisOne} Time(s)\n"; + } +} + +exit(0); + +# vim: shiftwidth=3 tabstop=3 syntax=perl et smartindent diff --git a/contrib/logwatch/radicale.conf b/contrib/logwatch/radicale.conf new file mode 100644 index 00000000..9ac633f7 --- /dev/null +++ b/contrib/logwatch/radicale.conf @@ -0,0 +1,12 @@ +# This file is related to Radicale - CalDAV and CardDAV server +# for logwatch (config) +# Copyright © 2024-2024 Peter Bieringer + +Title = "Radicale" + +LogFile = messages + +*OnlyService = radicale +*RemoveHeaders + +# vi: shiftwidth=3 tabstop=3 et From b19418f43c35797d6a53a0fe4666f297d67091b4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 24 Dec 2024 08:25:31 +0100 Subject: [PATCH 121/361] update --- CHANGELOG.md | 1 + contrib/logwatch/radicale | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a0592f66..d90d6c91 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ * Add: display mtime_ns precision of storage folder with condition warning if too less * Improve: disable fsync during storage verification * Improve: suppress duplicate log lines on startup +* Contrib: logwatch config and script ## 3.3.2 * Fix: debug logging in rights/from_file diff --git a/contrib/logwatch/radicale b/contrib/logwatch/radicale index 75243759..873ea064 100644 --- a/contrib/logwatch/radicale +++ b/contrib/logwatch/radicale @@ -1,6 +1,9 @@ # This file is related to Radicale - CalDAV and CardDAV server # for logwatch (script) # Copyright © 2024-2024 Peter Bieringer +# +# Detail levels +# >= 5: Logins, ResponseTimes $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; @@ -98,7 +101,7 @@ if (keys %Requests) { } } -if ($Details >= 5 && keys %Requests) { +if ($Detail >= 5 && keys %Requests) { print "\n**Successful login counters**\n"; printf "%-25s | %7s |\n", "Login", "cnt"; print "-" x37 . "\n"; From 7e23c603c1d5731681b799e145af031237d5ce70 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 24 Dec 2024 12:04:05 +0100 Subject: [PATCH 122/361] log precondition result on PUT request --- radicale/app/put.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/radicale/app/put.py b/radicale/app/put.py index c1f0eacd..a3961269 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -198,15 +198,22 @@ class ApplicationPartPut(ApplicationBase): etag = environ.get("HTTP_IF_MATCH", "") if not item and etag: # Etag asked but no item found: item has been removed + logger.warning("Precondition failed on PUT request for %r (HTTP_IF_MATCH: %s, item not existing)", path, etag) return httputils.PRECONDITION_FAILED if item and etag and item.etag != etag: # Etag asked but item not matching: item has changed + logger.warning("Precondition failed on PUT request for %r (HTTP_IF_MATCH: %s, item has different etag: %s)", path, etag, item.etag) return httputils.PRECONDITION_FAILED + if etag: + logger.debug("Precondition passed on PUT request for %r (HTTP_IF_MATCH: %s, item has etag: %s)", path, etag, item.etag) match = environ.get("HTTP_IF_NONE_MATCH", "") == "*" if item and match: # Creation asked but item found: item can't be replaced + logger.warning("Precondition failed on PUT request for %r (HTTP_IF_NONE_MATCH: *, creation requested but item found with etag: %s)", path, item.etag) return httputils.PRECONDITION_FAILED + if match: + logger.debug("Precondition passed on PUT request for %r (HTTP_IF_NONE_MATCH: *)", path) if (tag != prepared_tag or prepared_write_whole_collection != write_whole_collection): From 0b00218d753f200658c638dae6efcfa4b408892d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 24 Dec 2024 12:04:09 +0100 Subject: [PATCH 123/361] log precondition result on PUT request / changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d90d6c91..b4dcea9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ * Improve: disable fsync during storage verification * Improve: suppress duplicate log lines on startup * Contrib: logwatch config and script +* Improve: log precondition result on PUT request ## 3.3.2 * Fix: debug logging in rights/from_file From 1e8d9eda50e482d84e05bfa19405709735169dc9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 24 Dec 2024 12:10:47 +0100 Subject: [PATCH 124/361] fix found by mypy --- radicale/app/put.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index a3961269..6e1ba215 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -204,7 +204,7 @@ class ApplicationPartPut(ApplicationBase): # Etag asked but item not matching: item has changed logger.warning("Precondition failed on PUT request for %r (HTTP_IF_MATCH: %s, item has different etag: %s)", path, etag, item.etag) return httputils.PRECONDITION_FAILED - if etag: + if item and etag: logger.debug("Precondition passed on PUT request for %r (HTTP_IF_MATCH: %s, item has etag: %s)", path, etag, item.etag) match = environ.get("HTTP_IF_NONE_MATCH", "") == "*" From 7df2fb35a72e8581ceba4d2354ee5d34edf71009 Mon Sep 17 00:00:00 2001 From: IM Date: Wed, 25 Dec 2024 21:56:04 +0300 Subject: [PATCH 125/361] Disable overloading BaseAuth login method --- radicale/auth/__init__.py | 4 ++-- radicale/auth/dovecot.py | 2 +- radicale/auth/ldap.py | 2 +- radicale/tests/custom/auth.py | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 566b9965..4bb4b33d 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -29,7 +29,7 @@ Take a look at the class ``BaseAuth`` if you want to implement your own. """ -from typing import Sequence, Set, Tuple, Union +from typing import Sequence, Set, Tuple, Union, final from radicale import config, types, utils from radicale.log import logger @@ -50,7 +50,6 @@ def load(configuration: "config.Configuration") -> "BaseAuth": return utils.load_plugin(INTERNAL_TYPES, "auth", "Auth", BaseAuth, configuration) - class BaseAuth: _ldap_groups: Set[str] = set([]) @@ -102,6 +101,7 @@ class BaseAuth: raise NotImplementedError + @final def login(self, login: str, password: str) -> str: if self._lc_username: login = login.lower() diff --git a/radicale/auth/dovecot.py b/radicale/auth/dovecot.py index 34180eb5..ce2353a0 100644 --- a/radicale/auth/dovecot.py +++ b/radicale/auth/dovecot.py @@ -32,7 +32,7 @@ class Auth(auth.BaseAuth): self.timeout = 5 self.request_id_gen = itertools.count(1) - def login(self, login, password): + def _login(self, login, password): """Validate credentials. Check if the ``login``/``password`` pair is valid according to Dovecot. diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 2db88c95..cb3858dc 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -202,7 +202,7 @@ class Auth(auth.BaseAuth): pass return "" - def login(self, login: str, password: str) -> str: + def _login(self, login: str, password: str) -> str: """Validate credentials. In first step we make a connection to the ldap server with the ldap_reader_dn credential. In next step the DN of the user to authenticate will be searched. diff --git a/radicale/tests/custom/auth.py b/radicale/tests/custom/auth.py index 490ec313..2927ee4d 100644 --- a/radicale/tests/custom/auth.py +++ b/radicale/tests/custom/auth.py @@ -29,7 +29,7 @@ from radicale import auth class Auth(auth.BaseAuth): - def login(self, login: str, password: str) -> str: + def _login(self, login: str, password: str) -> str: if login == "tmp": return login return "" From 94898ef6c19815a95c4b3b88379becc70fca4555 Mon Sep 17 00:00:00 2001 From: IM Date: Wed, 25 Dec 2024 22:28:01 +0300 Subject: [PATCH 126/361] flake8 E302 --- radicale/auth/__init__.py | 1 + 1 file changed, 1 insertion(+) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 4bb4b33d..812649c5 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -50,6 +50,7 @@ def load(configuration: "config.Configuration") -> "BaseAuth": return utils.load_plugin(INTERNAL_TYPES, "auth", "Auth", BaseAuth, configuration) + class BaseAuth: _ldap_groups: Set[str] = set([]) From 51960bcab81ea991297af5ed635f2fbd924411b4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 27 Dec 2024 08:32:29 +0100 Subject: [PATCH 127/361] extend doc related to config options used --- DOCUMENTATION.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 2a88844c..f590a294 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -672,6 +672,24 @@ python3 -m radicale --server-hosts 0.0.0.0:5232,[::]:5232 \ Add the argument `--config ""` to stop Radicale from loading the default configuration files. Run `python3 -m radicale --help` for more information. +One can also use command line options in startup scripts using following examples: + +```bash +## simple variable containing multiple options +RADICALE_OPTIONS="--logging-level=debug --config=/etc/radicale/config --logging-request-header-on-debug --logging-rights-rule-doesnt-match-on-debug" +/usr/bin/radicale $RADICALE_OPTIONS + +## variable as array method #1 +RADICALE_OPTIONS=("--logging-level=debug" "--config=/etc/radicale/config" "--logging-request-header-on-debug" "--logging-rights-rule-doesnt-match-on-debug") +/usr/bin/radicale ${RADICALE_OPTIONS[@]} + +## variable as array method #2 +RADICALE_OPTIONS=() +RADICALE_OPTIONS+=("--logging-level=debug") +RADICALE_OPTIONS+=("--config=/etc/radicale/config") +/usr/bin/radicale ${RADICALE_OPTIONS[@]} +``` + In the following, all configuration categories and options are described. #### server From 2674f9a382540fb75c39090638d7ebf90265fa25 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 28 Dec 2024 07:56:10 +0100 Subject: [PATCH 128/361] enhance and fix logwatch --- contrib/logwatch/radicale | 111 +++++++++++++----- contrib/logwatch/radicale-journald.conf | 11 ++ .../{radicale.conf => radicale-syslog.conf} | 3 +- 3 files changed, 96 insertions(+), 29 deletions(-) create mode 100644 contrib/logwatch/radicale-journald.conf rename contrib/logwatch/{radicale.conf => radicale-syslog.conf} (82%) diff --git a/contrib/logwatch/radicale b/contrib/logwatch/radicale index 873ea064..45298ad4 100644 --- a/contrib/logwatch/radicale +++ b/contrib/logwatch/radicale @@ -3,17 +3,22 @@ # Copyright © 2024-2024 Peter Bieringer # # Detail levels -# >= 5: Logins, ResponseTimes +# >= 5: Logins +# >= 10: ResponseTimes $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %ResponseTimes; +my %Responses; my %Requests; my %Logins; my %Loglevel; my %OtherEvents; -sub ResponseTimesMinMaxAvg($$) { +my $sum; +my $length; + +sub ResponseTimesMinMaxSum($$) { my $req = $_[0]; my $time = $_[1]; @@ -31,11 +36,25 @@ sub ResponseTimesMinMaxAvg($$) { $ResponseTimes{$req}{'max'} = $time; } - if (! defined $ResponseTimes{$req}->{'avg'}) { - $ResponseTimes{$req}->{'avg'} = $time; - } else { - $ResponseTimes{$req}->{'avg'} = ($ResponseTimes{$req}->{'avg'} * ($ResponseTimes{$req}->{'cnt'} - 1) + $time) / $ResponseTimes{$req}->{'cnt'}; + $ResponseTimes{$req}->{'sum'} += $time; +} + +sub Sum($) { + my $phash = $_[0]; + my $sum = 0; + foreach my $entry (keys %$phash) { + $sum += $phash->{$entry}; } + return $sum; +} + +sub MaxLength($) { + my $phash = $_[0]; + my $length = 0; + foreach my $entry (keys %$phash) { + $length = length($entry) if (length($entry) > $length); + } + return $length; } while (defined($ThisLine = )) { @@ -51,18 +70,27 @@ while (defined($ThisLine = )) { elsif ( $ThisLine =~ /Stopping Radicale/o ) { $OtherEvents{"Radicale server stopped"}++; } - elsif ( $ThisLine =~ / (\S+ response status)/o ) { - if ( $ThisLine =~ / (\S+) response status for .* with depth '(\d)' in ([0-9.]+) seconds: (\d+)/o ) { - ResponseTimesMinMaxAvg($1 . "|R=" . $4 . "|D=" . $2, $3); - } elsif ( $ThisLine =~ / (\S+) response status for .* in ([0-9.]+) seconds: (\d+)/ ) { - ResponseTimesMinMaxAvg($1 . "|R=" . $3, $2); + elsif ( $ThisLine =~ / (\S+) response status/o ) { + my $req = $1; + if ( $ThisLine =~ / \S+ response status for .* with depth '(\d)' in ([0-9.]+) seconds: (\d+)/o ) { + $req .= ":D=" . $1 . ":R=" . $3; + ResponseTimesMinMaxSum($req, $2) if ($Detail >= 10); + } elsif ( $ThisLine =~ / \S+ response status for .* in ([0-9.]+) seconds: (\d+)/ ) { + $req .= ":R=" . $2; + ResponseTimesMinMaxSum($req, $1) if ($Detail >= 10); } + $Responses{$req}++; } elsif ( $ThisLine =~ / (\S+) request for/o ) { - $Requests{$1}++; + my $req = $1; + if ( $ThisLine =~ / \S+ request for .* with depth '(\d)' received/o ) { + $req .= ":D=" . $1; + } + $Requests{$req}++; } - elsif ( $ThisLine =~ / Successful login: '([^']+)'/o ) { - $Logins{$1}++; + elsif ( $ThisLine =~ / (Successful login): '([^']+)'/o ) { + $Logins{$2}++ if ($Detail >= 5); + $OtherEvents{$1}++; } elsif ( $ThisLine =~ / (Failed login attempt) /o ) { $OtherEvents{$1}++; @@ -84,39 +112,66 @@ if ($Started) { } if (keys %Loglevel) { + $sum = Sum(\%Loglevel); print "\n**Loglevel counters**\n"; - printf "%-18s | %7s |\n", "Loglevel", "cnt"; - print "-" x30 . "\n"; + printf "%-18s | %7s | %5s |\n", "Loglevel", "cnt", "ratio"; + print "-" x38 . "\n"; foreach my $level (sort keys %Loglevel) { - printf "%-18s | %7d |\n", $level, $Loglevel{$level}; + printf "%-18s | %7d | %3d%% |\n", $level, $Loglevel{$level}, int(($Loglevel{$level} * 100) / $sum); } + print "-" x38 . "\n"; + printf "%-18s | %7d | %3d%% |\n", "", $sum, 100; } if (keys %Requests) { - print "\n**Request counters**\n"; - printf "%-18s | %7s |\n", "Request", "cnt"; - print "-" x30 . "\n"; + $sum = Sum(\%Requests); + print "\n**Request counters (D=)**\n"; + printf "%-18s | %7s | %5s |\n", "Request", "cnt", "ratio"; + print "-" x38 . "\n"; foreach my $req (sort keys %Requests) { - printf "%-18s | %7d |\n", $req, $Requests{$req}; + printf "%-18s | %7d | %3d%% |\n", $req, $Requests{$req}, int(($Requests{$req} * 100) / $sum); } + print "-" x38 . "\n"; + printf "%-18s | %7d | %3d%% |\n", "", $sum, 100; } -if ($Detail >= 5 && keys %Requests) { +if (keys %Responses) { + $sum = Sum(\%Responses); + print "\n**Response result counters ((D= R=)**\n"; + printf "%-18s | %7s | %5s |\n", "Response", "cnt", "ratio"; + print "-" x38 . "\n"; + foreach my $req (sort keys %Responses) { + printf "%-18s | %7d | %3d%% |\n", $req, $Responses{$req}, int(($Responses{$req} * 100) / $sum); + } + print "-" x38 . "\n"; + printf "%-18s | %7d | %3d%% |\n", "", $sum, 100; +} + +if (keys %Logins) { + $sum = Sum(\%Logins); + $length = MaxLength(\%Logins); print "\n**Successful login counters**\n"; - printf "%-25s | %7s |\n", "Login", "cnt"; - print "-" x37 . "\n"; + printf "%-" . $length . "s | %7s | %5s |\n", "Login", "cnt", "ratio"; + print "-" x($length + 20) . "\n"; foreach my $login (sort keys %Logins) { - printf "%-25s | %7d |\n", $login, $Logins{$login}; + printf "%-" . $length . "s | %7d | %3d%% |\n", $login, $Logins{$login}, int(($Logins{$login} * 100) / $sum); } + print "-" x($length + 20) . "\n"; + printf "%-" . $length . "s | %7d | %3d%% |\n", "", $sum, 100; } -if ($Detail >= 5 && keys %ResponseTimes) { - print "\n**Response timings (counts, seconds) (R= D=)**\n"; +if (keys %ResponseTimes) { + print "\n**Response timings (counts, seconds) (D= R=)**\n"; printf "%-18s | %7s | %7s | %7s | %7s |\n", "Response", "cnt", "min", "max", "avg"; print "-" x60 . "\n"; foreach my $req (sort keys %ResponseTimes) { - printf "%-18s | %7d | %7.3f | %7.3f | %7.3f |\n", $req, $ResponseTimes{$req}->{'cnt'}, $ResponseTimes{$req}->{'min'}, $ResponseTimes{$req}->{'max'}, $ResponseTimes{$req}->{'avg'}; + printf "%-18s | %7d | %7.3f | %7.3f | %7.3f |\n", $req + , $ResponseTimes{$req}->{'cnt'} + , $ResponseTimes{$req}->{'min'} + , $ResponseTimes{$req}->{'max'} + , $ResponseTimes{$req}->{'sum'} / $ResponseTimes{$req}->{'cnt'}; } + print "-" x60 . "\n"; } if (keys %OtherEvents) { diff --git a/contrib/logwatch/radicale-journald.conf b/contrib/logwatch/radicale-journald.conf new file mode 100644 index 00000000..522062da --- /dev/null +++ b/contrib/logwatch/radicale-journald.conf @@ -0,0 +1,11 @@ +# This file is related to Radicale - CalDAV and CardDAV server +# for logwatch (config) - input from journald +# Copyright © 2024-2024 Peter Bieringer + +Title = "Radicale" + +LogFile = none + +*JournalCtl = "--output=cat --unit=radicale.service" + +# vi: shiftwidth=3 tabstop=3 et diff --git a/contrib/logwatch/radicale.conf b/contrib/logwatch/radicale-syslog.conf similarity index 82% rename from contrib/logwatch/radicale.conf rename to contrib/logwatch/radicale-syslog.conf index 9ac633f7..89d85f16 100644 --- a/contrib/logwatch/radicale.conf +++ b/contrib/logwatch/radicale-syslog.conf @@ -1,5 +1,5 @@ # This file is related to Radicale - CalDAV and CardDAV server -# for logwatch (config) +# for logwatch (config) - input from syslog file # Copyright © 2024-2024 Peter Bieringer Title = "Radicale" @@ -7,6 +7,7 @@ Title = "Radicale" LogFile = messages *OnlyService = radicale + *RemoveHeaders # vi: shiftwidth=3 tabstop=3 et From c2b2274dad3bc8ab0a06bf83a952f1012000a62a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 28 Dec 2024 08:05:39 +0100 Subject: [PATCH 129/361] update release --- CHANGELOG.md | 2 +- pyproject.toml | 2 +- setup.py.legacy | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b4dcea9c..5578f108 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## 3.3.3.dev +## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less * Improve: disable fsync during storage verification * Improve: suppress duplicate log lines on startup diff --git a/pyproject.toml b/pyproject.toml index 7c9aa260..ac2505a4 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.3.dev" +version = "3.3.3" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index 91bdc16a..6f2cd5c1 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.3.dev" +VERSION = "3.3.3" with open("README.md", encoding="utf-8") as f: long_description = f.read() From b22038c7467698347146c6ecdcf22d592d88041d Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 17:02:39 +0100 Subject: [PATCH 130/361] LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version --- radicale/auth/ldap.py | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index cb3858dc..80ceb448 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -15,11 +15,11 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . """ -Authentication backend that checks credentials with a ldap server. +Authentication backend that checks credentials with a LDAP server. Following parameters are needed in the configuration: - ldap_uri The ldap url to the server like ldap://localhost - ldap_base The baseDN of the ldap server - ldap_reader_dn The DN of a ldap user with read access to get the user accounts + ldap_uri The LDAP URL to the server like ldap://localhost + ldap_base The baseDN of the LDAP server + ldap_reader_dn The DN of a LDAP user with read access to get the user accounts ldap_secret The password of the ldap_reader_dn ldap_secret_file The path of the file containing the password of the ldap_reader_dn ldap_filter The search filter to find the user to authenticate by the username @@ -43,7 +43,7 @@ class Auth(auth.BaseAuth): _ldap_secret: str _ldap_filter: str _ldap_load_groups: bool - _ldap_version: int = 3 + _ldap_module_version: int = 3 _ldap_use_ssl: bool = False _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED _ldap_ssl_ca_file: str = "" @@ -56,7 +56,7 @@ class Auth(auth.BaseAuth): except ImportError: try: import ldap - self._ldap_version = 2 + self._ldap_module_version = 2 self.ldap = ldap except ImportError as e: raise RuntimeError("LDAP authentication requires the ldap3 module") from e @@ -70,7 +70,7 @@ class Auth(auth.BaseAuth): if ldap_secret_file_path: with open(ldap_secret_file_path, 'r') as file: self._ldap_secret = file.read().rstrip('\n') - if self._ldap_version == 3: + if self._ldap_module_version == 3: self._ldap_use_ssl = configuration.get("auth", "ldap_use_ssl") if self._ldap_use_ssl: self._ldap_ssl_ca_file = configuration.get("auth", "ldap_ssl_ca_file") @@ -94,7 +94,7 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_secret : (from config)") if self._ldap_reader_dn and not self._ldap_secret: logger.error("auth.ldap_secret : (not provided)") - raise RuntimeError("LDAP authentication requires ldap_secret for reader_dn") + raise RuntimeError("LDAP authentication requires ldap_secret for ldap_reader_dn") logger.info("auth.ldap_use_ssl : %s" % self._ldap_use_ssl) if self._ldap_use_ssl is True: logger.info("auth.ldap_ssl_verify_mode : %s" % self._ldap_ssl_verify_mode) @@ -114,14 +114,14 @@ class Auth(auth.BaseAuth): """Search for the dn of user to authenticate""" res = conn.search_s(self._ldap_base, self.ldap.SCOPE_SUBTREE, filterstr=self._ldap_filter.format(login), attrlist=['memberOf']) if len(res) == 0: - """User could not be find""" + """User could not be found""" return "" user_dn = res[0][0] logger.debug("LDAP Auth user: %s", user_dn) - """Close ldap connection""" + """Close LDAP connection""" conn.unbind() except Exception as e: - raise RuntimeError(f"Invalid ldap configuration:{e}") + raise RuntimeError(f"Invalid LDAP configuration:{e}") try: """Bind as user to authenticate""" @@ -157,14 +157,14 @@ class Auth(auth.BaseAuth): server = self.ldap3.Server(self._ldap_uri) conn = self.ldap3.Connection(server, self._ldap_reader_dn, password=self._ldap_secret) except self.ldap3.core.exceptions.LDAPSocketOpenError: - raise RuntimeError("Unable to reach ldap server") + raise RuntimeError("Unable to reach LDAP server") except Exception as e: logger.debug(f"_login3 error 1 {e}") pass if not conn.bind(): - logger.debug("_login3 can not bind") - raise RuntimeError("Unable to read from ldap server") + logger.debug("_login3 cannot bind") + raise RuntimeError("Unable to read from LDAP server") logger.debug(f"_login3 bind as {self._ldap_reader_dn}") """Search the user dn""" @@ -175,8 +175,8 @@ class Auth(auth.BaseAuth): attributes=['memberOf'] ) if len(conn.entries) == 0: - logger.debug(f"_login3 user '{login}' can not be find") - """User could not be find""" + """User could not be found""" + logger.debug(f"_login3 user '{login}' cannot be found") return "" user_entry = conn.response[0] @@ -187,7 +187,7 @@ class Auth(auth.BaseAuth): """Try to bind as the user itself""" conn = self.ldap3.Connection(server, user_dn, password=password) if not conn.bind(): - logger.debug(f"_login3 user '{login}' can not be find") + logger.debug(f"_login3 user '{login}' cannot be found") return "" if self._ldap_load_groups: tmp = [] @@ -195,7 +195,7 @@ class Auth(auth.BaseAuth): tmp.append(g.split(',')[0][3:]) self._ldap_groups = set(tmp) conn.unbind() - logger.debug(f"_login3 {login} successfully authorized") + logger.debug(f"_login3 {login} successfully authenticated") return login except Exception as e: logger.debug(f"_login3 error 2 {e}") @@ -204,10 +204,10 @@ class Auth(auth.BaseAuth): def _login(self, login: str, password: str) -> str: """Validate credentials. - In first step we make a connection to the ldap server with the ldap_reader_dn credential. + In first step we make a connection to the LDAP server with the ldap_reader_dn credential. In next step the DN of the user to authenticate will be searched. In the last step the authentication of the user will be proceeded. """ - if self._ldap_version == 2: + if self._ldap_module_version == 2: return self._login2(login, password) return self._login3(login, password) From 74311560c9e8d62fcaefb7e6b8c7c03dc2958786 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 08:16:45 +0100 Subject: [PATCH 131/361] add cache_logins* options --- DOCUMENTATION.md | 12 ++++++++++++ config | 6 ++++++ radicale/config.py | 8 ++++++++ 3 files changed, 26 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index f590a294..640025fe 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -812,6 +812,18 @@ Available backends: Default: `none` +##### cache_logins + +Cache successful logins until expiration time + +Default: `false` + +##### cache_logins_expiry + +Expiration time of caching successful logins in seconds + +Default: `5` + ##### htpasswd_filename Path to the htpasswd file. diff --git a/config b/config index c34b9d28..429cfca1 100644 --- a/config +++ b/config @@ -62,6 +62,12 @@ # Value: none | htpasswd | remote_user | http_x_remote_user | ldap | denyall #type = none +# Cache successful logins for until expiration time +#cache_logins = false + +# Expiration time for caching successful logins in seconds +#cache_logins_expiry = 5 + # URI to the LDAP server #ldap_uri = ldap://localhost diff --git a/radicale/config.py b/radicale/config.py index 0ac5970c..486e9223 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -183,6 +183,14 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "help": "authentication method", "type": str_or_callable, "internal": auth.INTERNAL_TYPES}), + ("cache_logins", { + "value": "false", + "help": "cache successful logins for until expiration time", + "type": bool}), + ("cache_logins_expiry", { + "value": "5", + "help": "expiration time for caching successful logins in seconds", + "type": int}), ("htpasswd_filename", { "value": "/etc/radicale/users", "help": "htpasswd filename", From 8e97b709bf5cb4fb09ba6fe42113ea965a07b57d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 08:17:15 +0100 Subject: [PATCH 132/361] implement cache_logins* option --- radicale/auth/__init__.py | 56 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 812649c5..9cb70bb8 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -29,6 +29,8 @@ Take a look at the class ``BaseAuth`` if you want to implement your own. """ +import hashlib +import time from typing import Sequence, Set, Tuple, Union, final from radicale import config, types, utils @@ -57,6 +59,10 @@ class BaseAuth: _lc_username: bool _uc_username: bool _strip_domain: bool + _cache: dict + _cache_logins: bool + _cache_logins_expiry: int + _cache_logins_expiry_ns: int def __init__(self, configuration: "config.Configuration") -> None: """Initialize BaseAuth. @@ -70,11 +76,27 @@ class BaseAuth: self._lc_username = configuration.get("auth", "lc_username") self._uc_username = configuration.get("auth", "uc_username") self._strip_domain = configuration.get("auth", "strip_domain") + self._cache_logins = configuration.get("auth", "cache_logins") + self._cache_logins_expiry = configuration.get("auth", "cache_logins_expiry") + if self._cache_logins_expiry < 0: + raise RuntimeError("self._cache_logins_expiry cannot be < 0") logger.info("auth.strip_domain: %s", self._strip_domain) logger.info("auth.lc_username: %s", self._lc_username) logger.info("auth.uc_username: %s", self._uc_username) if self._lc_username is True and self._uc_username is True: raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") + logger.info("auth.cache_logins: %s", self._cache_logins) + if self._cache_logins is True: + logger.info("auth.cache_logins_expiry: %s seconds", self._cache_logins_expiry) + self._cache_logins_expiry_ns = self._cache_logins_expiry * 1000 * 1000 * 1000 + self._cache = dict() + + def _cache_digest(self, login: str, password: str, salt: str) -> str: + h = hashlib.sha3_512() + h.update(salt.encode()) + h.update(login.encode()) + h.update(password.encode()) + return h.digest() def get_external_login(self, environ: types.WSGIEnviron) -> Union[ Tuple[()], Tuple[str, str]]: @@ -110,4 +132,36 @@ class BaseAuth: login = login.upper() if self._strip_domain: login = login.split('@')[0] - return self._login(login, password) + if self._cache_logins is True: + # time_ns is also used as salt + result = "" + digest = "" + time_ns = time.time_ns() + if self._cache.get(login): + # entry found in cache + (digest_cache, time_ns_cache) = self._cache[login] + digest = self._cache_digest(login, password, str(time_ns_cache)) + if digest == digest_cache: + if (time_ns - time_ns_cache) > self._cache_logins_expiry_ns: + logger.debug("Login cache entry for user found but expired: '%s'", login) + digest = "" + else: + logger.debug("Login cache entry for user found: '%s'", login) + result = login + else: + logger.debug("Login cache entry for user not matching: '%s'", login) + else: + # entry not found in cache, caculate always to avoid timing attacks + digest = self._cache_digest(login, password, str(time_ns)) + if result == "": + result = self._login(login, password) + if result is not "": + if digest is "": + # successful login, but expired, digest must be recalculated + digest = self._cache_digest(login, password, str(time_ns)) + # store successful login in cache + self._cache[login] = (digest, time_ns) + logger.debug("Login cache for user set: '%s'", login) + return result + else: + return self._login(login, password) From ddd099accd311236c0c3b4be9fb32cb4c15a8c19 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 08:17:44 +0100 Subject: [PATCH 133/361] debug log which password hash method was used --- radicale/auth/htpasswd.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 7422e16d..43fee1b9 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -96,19 +96,19 @@ class Auth(auth.BaseAuth): def _plain(self, hash_value: str, password: str) -> bool: """Check if ``hash_value`` and ``password`` match, plain method.""" - return hmac.compare_digest(hash_value.encode(), password.encode()) + return ("PLAIN", hmac.compare_digest(hash_value.encode(), password.encode())) def _bcrypt(self, bcrypt: Any, hash_value: str, password: str) -> bool: - return bcrypt.checkpw(password=password.encode('utf-8'), hashed_password=hash_value.encode()) + return ("BCRYPT", bcrypt.checkpw(password=password.encode('utf-8'), hashed_password=hash_value.encode())) def _md5apr1(self, hash_value: str, password: str) -> bool: - return apr_md5_crypt.verify(password, hash_value.strip()) + return ("MD5-APR1", apr_md5_crypt.verify(password, hash_value.strip())) def _sha256(self, hash_value: str, password: str) -> bool: - return sha256_crypt.verify(password, hash_value.strip()) + return ("SHA-256", sha256_crypt.verify(password, hash_value.strip())) def _sha512(self, hash_value: str, password: str) -> bool: - return sha512_crypt.verify(password, hash_value.strip()) + return ("SHA-512", sha512_crypt.verify(password, hash_value.strip())) def _autodetect(self, hash_value: str, password: str) -> bool: if hash_value.startswith("$apr1$", 0, 6) and len(hash_value) == 37: @@ -151,8 +151,9 @@ class Auth(auth.BaseAuth): # timing attacks, see #591. login_ok = hmac.compare_digest( hash_login.encode(), login.encode()) - password_ok = self._verify(hash_value, password) + (method, password_ok) = self._verify(hash_value, password) if login_ok and password_ok: + logger.debug("Password verification for user '%s' with method '%s': password_ok=%s", login, method, password_ok) return login except ValueError as e: raise RuntimeError("Invalid htpasswd file %r: %s" % From 30e2ab490ef1e896a3687ca49eaccc69b819cfb2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 08:19:20 +0100 Subject: [PATCH 134/361] cache_logins+htpasswd --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 88cb2e1e..353a4e68 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ # Changelog ## 3.3.4.dev +* Add: option [auth] cache_logins/cache_logins_expiry for caching successful logins +* Improve: log used hash method on debug for htpasswd authentication ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 9af15e6656f3fb28916726e4be419a798d80d078 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 05:25:10 +0100 Subject: [PATCH 135/361] fixes triggered by tox --- radicale/auth/__init__.py | 6 +++--- radicale/auth/htpasswd.py | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 9cb70bb8..39e07026 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -96,7 +96,7 @@ class BaseAuth: h.update(salt.encode()) h.update(login.encode()) h.update(password.encode()) - return h.digest() + return str(h.digest()) def get_external_login(self, environ: types.WSGIEnviron) -> Union[ Tuple[()], Tuple[str, str]]: @@ -155,8 +155,8 @@ class BaseAuth: digest = self._cache_digest(login, password, str(time_ns)) if result == "": result = self._login(login, password) - if result is not "": - if digest is "": + if result != "": + if digest == "": # successful login, but expired, digest must be recalculated digest = self._cache_digest(login, password, str(time_ns)) # store successful login in cache diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 43fee1b9..1767c9e1 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -94,23 +94,23 @@ class Auth(auth.BaseAuth): raise RuntimeError("The htpasswd encryption method %r is not " "supported." % encryption) - def _plain(self, hash_value: str, password: str) -> bool: + def _plain(self, hash_value: str, password: str) -> tuple[str, bool]: """Check if ``hash_value`` and ``password`` match, plain method.""" return ("PLAIN", hmac.compare_digest(hash_value.encode(), password.encode())) - def _bcrypt(self, bcrypt: Any, hash_value: str, password: str) -> bool: + def _bcrypt(self, bcrypt: Any, hash_value: str, password: str) -> tuple[str, bool]: return ("BCRYPT", bcrypt.checkpw(password=password.encode('utf-8'), hashed_password=hash_value.encode())) - def _md5apr1(self, hash_value: str, password: str) -> bool: + def _md5apr1(self, hash_value: str, password: str) -> tuple[str, bool]: return ("MD5-APR1", apr_md5_crypt.verify(password, hash_value.strip())) - def _sha256(self, hash_value: str, password: str) -> bool: + def _sha256(self, hash_value: str, password: str) -> tuple[str, bool]: return ("SHA-256", sha256_crypt.verify(password, hash_value.strip())) - def _sha512(self, hash_value: str, password: str) -> bool: + def _sha512(self, hash_value: str, password: str) -> tuple[str, bool]: return ("SHA-512", sha512_crypt.verify(password, hash_value.strip())) - def _autodetect(self, hash_value: str, password: str) -> bool: + def _autodetect(self, hash_value: str, password: str) -> tuple[str, bool]: if hash_value.startswith("$apr1$", 0, 6) and len(hash_value) == 37: # MD5-APR1 return self._md5apr1(hash_value, password) From ac8abbd12c4457fb87e4f5804a62f32db5067b9d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 08:15:55 +0100 Subject: [PATCH 136/361] 3.3.4.dev --- CHANGELOG.md | 2 ++ pyproject.toml | 2 +- setup.py.legacy | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5578f108..88cb2e1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ # Changelog +## 3.3.4.dev + ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less * Improve: disable fsync during storage verification diff --git a/pyproject.toml b/pyproject.toml index ac2505a4..d01e3967 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.3" +version = "3.3.4.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index 6f2cd5c1..52d74dda 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.3" +VERSION = "3.3.4.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 4f2990342dc42f5b254b0cbec2c0d7f73d00b1b2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 07:57:13 +0100 Subject: [PATCH 137/361] add additional debug line --- radicale/auth/htpasswd.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 1767c9e1..f872eba5 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -155,6 +155,8 @@ class Auth(auth.BaseAuth): if login_ok and password_ok: logger.debug("Password verification for user '%s' with method '%s': password_ok=%s", login, method, password_ok) return login + elif login_ok: + logger.debug("Password verification for user '%s' with method '%s': password_ok=%s", login, method, password_ok) except ValueError as e: raise RuntimeError("Invalid htpasswd file %r: %s" % (self._filename, e)) from e From a794a518854c4d5d358a0e0b533ec43f573301b0 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 07:57:54 +0100 Subject: [PATCH 138/361] fix failed_login cache, improve coding --- DOCUMENTATION.md | 10 ++++-- radicale/auth/__init__.py | 72 ++++++++++++++++++++++++++++----------- radicale/config.py | 8 +++-- 3 files changed, 67 insertions(+), 23 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 640025fe..dc31d9b1 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -814,16 +814,22 @@ Default: `none` ##### cache_logins -Cache successful logins until expiration time +Cache successful/failed logins until expiration time Default: `false` -##### cache_logins_expiry +##### cache_successful_logins_expiry Expiration time of caching successful logins in seconds Default: `5` +##### cache_failed_logins_expiry + +Expiration time of caching failed logins in seconds + +Default: `60` + ##### htpasswd_filename Path to the htpasswd file. diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 39e07026..e9640f30 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -59,10 +59,12 @@ class BaseAuth: _lc_username: bool _uc_username: bool _strip_domain: bool - _cache: dict _cache_logins: bool - _cache_logins_expiry: int - _cache_logins_expiry_ns: int + _cache_successful: dict # login -> (digest, time_ns) + _cache_successful_logins_expiry: int + _cache_failed: dict # digest_failed -> (time_ns) + _cache_failed_logins_expiry: int + _cache_failed_logins_salt_ns: int # persistent over runtime def __init__(self, configuration: "config.Configuration") -> None: """Initialize BaseAuth. @@ -77,19 +79,25 @@ class BaseAuth: self._uc_username = configuration.get("auth", "uc_username") self._strip_domain = configuration.get("auth", "strip_domain") self._cache_logins = configuration.get("auth", "cache_logins") - self._cache_logins_expiry = configuration.get("auth", "cache_logins_expiry") - if self._cache_logins_expiry < 0: - raise RuntimeError("self._cache_logins_expiry cannot be < 0") + self._cache_successful_logins_expiry = configuration.get("auth", "cache_successful_logins_expiry") + if self._cache_successful_logins_expiry < 0: + raise RuntimeError("self._cache_successful_logins_expiry cannot be < 0") + self._cache_failed_logins_expiry = configuration.get("auth", "cache_failed_logins_expiry") + if self._cache_failed_logins_expiry < 0: + raise RuntimeError("self._cache_failed_logins_expiry cannot be < 0") logger.info("auth.strip_domain: %s", self._strip_domain) logger.info("auth.lc_username: %s", self._lc_username) logger.info("auth.uc_username: %s", self._uc_username) if self._lc_username is True and self._uc_username is True: raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") + # cache_successful_logins logger.info("auth.cache_logins: %s", self._cache_logins) + self._cache_successful = dict() + self._cache_failed = dict() + self._cache_failed_logins_salt_ns = time.time_ns() if self._cache_logins is True: - logger.info("auth.cache_logins_expiry: %s seconds", self._cache_logins_expiry) - self._cache_logins_expiry_ns = self._cache_logins_expiry * 1000 * 1000 * 1000 - self._cache = dict() + logger.info("auth.cache_successful_logins_expiry: %s seconds", self._cache_successful_logins_expiry) + logger.info("auth.cache_failed_logins_expiry: %s seconds", self._cache_failed_logins_expiry) def _cache_digest(self, login: str, password: str, salt: str) -> str: h = hashlib.sha3_512() @@ -137,31 +145,57 @@ class BaseAuth: result = "" digest = "" time_ns = time.time_ns() - if self._cache.get(login): - # entry found in cache - (digest_cache, time_ns_cache) = self._cache[login] + digest_failed = login + ":" + self._cache_digest(login, password, str(self._cache_failed_logins_salt_ns)) + if self._cache_failed.get(digest_failed): + # login+password found in cache "failed" + time_ns_cache = self._cache_failed[digest_failed] + age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) + if age_failed > self._cache_failed_logins_expiry: + logger.debug("Login failed cache entry for user+password found but expired: '%s' (age: %d > %d sec)", login, age_failed, self._cache_failed_logins_expiry) + # delete expired failed from cache + del self._cache_failed[digest_failed] + else: + # shortcut return + logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login, age_failed) + return "" + if self._cache_successful.get(login): + # login found in cache "successful" + (digest_cache, time_ns_cache) = self._cache_successful[login] digest = self._cache_digest(login, password, str(time_ns_cache)) if digest == digest_cache: - if (time_ns - time_ns_cache) > self._cache_logins_expiry_ns: - logger.debug("Login cache entry for user found but expired: '%s'", login) + age_success = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) + if age_success > self._cache_successful_logins_expiry: + logger.debug("Login successful cache entry for user+password found but expired: '%s' (age: %d > %d sec)", login, age_success, self._cache_successful_logins_expiry) + # delete expired success from cache + del self._cache_successful[login] digest = "" else: - logger.debug("Login cache entry for user found: '%s'", login) + logger.debug("Login successful cache entry for user+password found: '%s' (age: %d sec)", login, age_success) result = login else: - logger.debug("Login cache entry for user not matching: '%s'", login) + logger.debug("Login successful cache entry for user+password not matching: '%s'", login) else: - # entry not found in cache, caculate always to avoid timing attacks + # login not found in cache, caculate always to avoid timing attacks digest = self._cache_digest(login, password, str(time_ns)) if result == "": + # verify login+password via configured backend + logger.debug("Login verification for user+password via backend: '%s'", login) result = self._login(login, password) if result != "": + logger.debug("Login successful for user+password via backend: '%s'", login) if digest == "": # successful login, but expired, digest must be recalculated digest = self._cache_digest(login, password, str(time_ns)) # store successful login in cache - self._cache[login] = (digest, time_ns) - logger.debug("Login cache for user set: '%s'", login) + self._cache_successful[login] = (digest, time_ns) + logger.debug("Login successful cache for user set: '%s'", login) + if self._cache_failed.get(digest_failed): + logger.debug("Login failed cache for user cleared: '%s'", login) + del self._cache_failed[digest_failed] + else: + logger.debug("Login failed for user+password via backend: '%s'", login) + self._cache_failed[digest_failed] = time_ns + logger.debug("Login failed cache for user set: '%s'", login) return result else: return self._login(login, password) diff --git a/radicale/config.py b/radicale/config.py index 486e9223..f71f312b 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -185,12 +185,16 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "internal": auth.INTERNAL_TYPES}), ("cache_logins", { "value": "false", - "help": "cache successful logins for until expiration time", + "help": "cache successful/failed logins for until expiration time", "type": bool}), - ("cache_logins_expiry", { + ("cache_successful_logins_expiry", { "value": "5", "help": "expiration time for caching successful logins in seconds", "type": int}), + ("cache_failed_logins_expiry", { + "value": "60", + "help": "expiration time for caching failed logins in seconds", + "type": int}), ("htpasswd_filename", { "value": "/etc/radicale/users", "help": "htpasswd filename", From b75e303556842347761840e7a746020998d46808 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 08:11:19 +0100 Subject: [PATCH 139/361] reorg code, disable caching on not required types --- radicale/auth/__init__.py | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index e9640f30..1e9d0f2f 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -59,6 +59,7 @@ class BaseAuth: _lc_username: bool _uc_username: bool _strip_domain: bool + _type: str _cache_logins: bool _cache_successful: dict # login -> (digest, time_ns) _cache_successful_logins_expiry: int @@ -78,26 +79,32 @@ class BaseAuth: self._lc_username = configuration.get("auth", "lc_username") self._uc_username = configuration.get("auth", "uc_username") self._strip_domain = configuration.get("auth", "strip_domain") - self._cache_logins = configuration.get("auth", "cache_logins") - self._cache_successful_logins_expiry = configuration.get("auth", "cache_successful_logins_expiry") - if self._cache_successful_logins_expiry < 0: - raise RuntimeError("self._cache_successful_logins_expiry cannot be < 0") - self._cache_failed_logins_expiry = configuration.get("auth", "cache_failed_logins_expiry") - if self._cache_failed_logins_expiry < 0: - raise RuntimeError("self._cache_failed_logins_expiry cannot be < 0") logger.info("auth.strip_domain: %s", self._strip_domain) logger.info("auth.lc_username: %s", self._lc_username) logger.info("auth.uc_username: %s", self._uc_username) if self._lc_username is True and self._uc_username is True: raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") # cache_successful_logins - logger.info("auth.cache_logins: %s", self._cache_logins) - self._cache_successful = dict() - self._cache_failed = dict() - self._cache_failed_logins_salt_ns = time.time_ns() + self._cache_logins = configuration.get("auth", "cache_logins") + self._type = configuration.get("auth", "type") + if (self._type in [ "dovecot", "ldap", "htpasswd" ]) or (self._cache_logins is False): + logger.info("auth.cache_logins: %s", self._cache_logins) + else: + logger.info("auth.cache_logins: %s (but not required for type '%s' and disabled therefore)", self._cache_logins, self._type) + self._cache_logins = False if self._cache_logins is True: + self._cache_successful_logins_expiry = configuration.get("auth", "cache_successful_logins_expiry") + if self._cache_successful_logins_expiry < 0: + raise RuntimeError("self._cache_successful_logins_expiry cannot be < 0") + self._cache_failed_logins_expiry = configuration.get("auth", "cache_failed_logins_expiry") + if self._cache_failed_logins_expiry < 0: + raise RuntimeError("self._cache_failed_logins_expiry cannot be < 0") logger.info("auth.cache_successful_logins_expiry: %s seconds", self._cache_successful_logins_expiry) logger.info("auth.cache_failed_logins_expiry: %s seconds", self._cache_failed_logins_expiry) + # cache init + self._cache_successful = dict() + self._cache_failed = dict() + self._cache_failed_logins_salt_ns = time.time_ns() def _cache_digest(self, login: str, password: str, salt: str) -> str: h = hashlib.sha3_512() From c0acbd4402b06269f89cbc8622e3ab38b128277f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 08:12:49 +0100 Subject: [PATCH 140/361] update changelog --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 353a4e68..e9836cd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,8 @@ # Changelog ## 3.3.4.dev -* Add: option [auth] cache_logins/cache_logins_expiry for caching successful logins -* Improve: log used hash method on debug for htpasswd authentication +* Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins +* Improve: log used hash method and result on debug for htpasswd authentication ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 79ba07e16b1955f795f75c5e3d4a9f4a84f3bdb3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 16:13:05 +0100 Subject: [PATCH 141/361] change default cache times --- DOCUMENTATION.md | 7 ++++--- config | 7 +++++-- radicale/config.py | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index dc31d9b1..a5238bc6 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -814,7 +814,8 @@ Default: `none` ##### cache_logins -Cache successful/failed logins until expiration time +Cache successful/failed logins until expiration time. Enable this to avoid +overload of authentication backends. Default: `false` @@ -822,13 +823,13 @@ Default: `false` Expiration time of caching successful logins in seconds -Default: `5` +Default: `15` ##### cache_failed_logins_expiry Expiration time of caching failed logins in seconds -Default: `60` +Default: `90` ##### htpasswd_filename diff --git a/config b/config index 429cfca1..9ac082cf 100644 --- a/config +++ b/config @@ -62,11 +62,14 @@ # Value: none | htpasswd | remote_user | http_x_remote_user | ldap | denyall #type = none -# Cache successful logins for until expiration time +# Cache logins for until expiration time #cache_logins = false # Expiration time for caching successful logins in seconds -#cache_logins_expiry = 5 +#cache_successful_logins_expiry = 15 + +## Expiration time of caching failed logins in seconds +#cache_failed_logins_expiry = 90 # URI to the LDAP server #ldap_uri = ldap://localhost diff --git a/radicale/config.py b/radicale/config.py index f71f312b..b165345f 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -188,11 +188,11 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "help": "cache successful/failed logins for until expiration time", "type": bool}), ("cache_successful_logins_expiry", { - "value": "5", + "value": "15", "help": "expiration time for caching successful logins in seconds", "type": int}), ("cache_failed_logins_expiry", { - "value": "60", + "value": "90", "help": "expiration time for caching failed logins in seconds", "type": int}), ("htpasswd_filename", { From 5ce0cee8bfee63b05b318b90d2bd872abe9bce48 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 16:13:52 +0100 Subject: [PATCH 142/361] add chache cleanup and locking --- radicale/auth/__init__.py | 46 +++++++++++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 1e9d0f2f..d8f35e83 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -31,6 +31,7 @@ Take a look at the class ``BaseAuth`` if you want to implement your own. import hashlib import time +import threading from typing import Sequence, Set, Tuple, Union, final from radicale import config, types, utils @@ -63,9 +64,10 @@ class BaseAuth: _cache_logins: bool _cache_successful: dict # login -> (digest, time_ns) _cache_successful_logins_expiry: int - _cache_failed: dict # digest_failed -> (time_ns) + _cache_failed: dict # digest_failed -> (time_ns, login) _cache_failed_logins_expiry: int _cache_failed_logins_salt_ns: int # persistent over runtime + _lock: threading.Lock def __init__(self, configuration: "config.Configuration") -> None: """Initialize BaseAuth. @@ -105,6 +107,7 @@ class BaseAuth: self._cache_successful = dict() self._cache_failed = dict() self._cache_failed_logins_salt_ns = time.time_ns() + self._lock = threading.Lock() def _cache_digest(self, login: str, password: str, salt: str) -> str: h = hashlib.sha3_512() @@ -152,19 +155,34 @@ class BaseAuth: result = "" digest = "" time_ns = time.time_ns() + # cleanup failed login cache to avoid out-of-memory + cache_failed_entries = len(self._cache_failed) + if cache_failed_entries > 0: + logger.debug("Login failed cache investigation start (entries: %d)", cache_failed_entries) + self._lock.acquire() + cache_failed_cleanup = dict() + for digest in self._cache_failed: + (time_ns_cache, login_cache) = self._cache_failed[digest] + age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) + if age_failed > self._cache_failed_logins_expiry: + cache_failed_cleanup[digest] = (login_cache, age_failed) + cache_failed_cleanup_entries = len(cache_failed_cleanup) + logger.debug("Login failed cache cleanup start (entries: %d)", cache_failed_cleanup_entries) + if cache_failed_cleanup_entries > 0: + for digest in cache_failed_cleanup: + (login, age_failed) = cache_failed_cleanup[digest] + logger.debug("Login failed cache entry for user+password expired: '%s' (age: %d > %d sec)", login_cache, age_failed, self._cache_failed_logins_expiry) + del self._cache_failed[digest] + self._lock.release() + logger.debug("Login failed cache investigation finished") + # check for cache failed login digest_failed = login + ":" + self._cache_digest(login, password, str(self._cache_failed_logins_salt_ns)) if self._cache_failed.get(digest_failed): - # login+password found in cache "failed" - time_ns_cache = self._cache_failed[digest_failed] + # login+password found in cache "failed" -> shortcut return + (time_ns_cache, login_cache) = self._cache_failed[digest] age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) - if age_failed > self._cache_failed_logins_expiry: - logger.debug("Login failed cache entry for user+password found but expired: '%s' (age: %d > %d sec)", login, age_failed, self._cache_failed_logins_expiry) - # delete expired failed from cache - del self._cache_failed[digest_failed] - else: - # shortcut return - logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login, age_failed) - return "" + logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login_cache, age_failed) + return "" if self._cache_successful.get(login): # login found in cache "successful" (digest_cache, time_ns_cache) = self._cache_successful[login] @@ -194,14 +212,18 @@ class BaseAuth: # successful login, but expired, digest must be recalculated digest = self._cache_digest(login, password, str(time_ns)) # store successful login in cache + self._lock.acquire() self._cache_successful[login] = (digest, time_ns) + self._lock.release() logger.debug("Login successful cache for user set: '%s'", login) if self._cache_failed.get(digest_failed): logger.debug("Login failed cache for user cleared: '%s'", login) del self._cache_failed[digest_failed] else: logger.debug("Login failed for user+password via backend: '%s'", login) - self._cache_failed[digest_failed] = time_ns + self._lock.acquire() + self._cache_failed[digest_failed] = (time_ns, login) + self._lock.release() logger.debug("Login failed cache for user set: '%s'", login) return result else: From 2489356dda05af19754702f58e0ddc600754dc1b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 16:14:38 +0100 Subject: [PATCH 143/361] implement htpasswd file caching --- radicale/auth/htpasswd.py | 130 ++++++++++++++++++++++++++++++-------- 1 file changed, 102 insertions(+), 28 deletions(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index f872eba5..24cf742f 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -48,8 +48,11 @@ When bcrypt is installed: """ +import os +import time import functools import hmac +import threading from typing import Any from passlib.hash import apr_md5_crypt, sha256_crypt, sha512_crypt @@ -61,15 +64,26 @@ class Auth(auth.BaseAuth): _filename: str _encoding: str + _htpasswd: dict # login -> digest + _htpasswd_mtime_ns: int + _htpasswd_size: bytes + _htpasswd_ok: bool + _htpasswd_not_ok_seconds: int + _htpasswd_not_ok_reminder_seconds: int + _lock: threading.Lock def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) self._filename = configuration.get("auth", "htpasswd_filename") self._encoding = configuration.get("encoding", "stock") encryption: str = configuration.get("auth", "htpasswd_encryption") - logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s'", encryption) + self._htpasswd_ok = False + self._htpasswd_not_ok_reminder_seconds = 60 # currently hardcoded + self._htpasswd_read = self._read_htpasswd(True) + self._lock = threading.Lock() + if encryption == "plain": self._verify = self._plain elif encryption == "md5": @@ -127,6 +141,68 @@ class Auth(auth.BaseAuth): # assumed plaintext return self._plain(hash_value, password) + def _read_htpasswd(self, init: bool) -> bool: + """Read htpasswd file + + init == True: stop on error + init == False: warn/skip on error and set mark to log reminder every interval + + """ + htpasswd_ok = True + if init is True: + info = "Read" + else: + info = "Re-read" + logger.info("%s content of htpasswd file start: %r", info, self._filename) + htpasswd = dict() + try: + with open(self._filename, encoding=self._encoding) as f: + line_num = 0 + entries = 0 + duplicates = 0 + for line in f: + line_num += 1 + line = line.rstrip("\n") + if line.lstrip() and not line.lstrip().startswith("#"): + try: + login, digest = line.split( ":", maxsplit=1) + if login == "" or digest == "": + if init is True: + raise ValueError("htpasswd file contains problematic line not matching : in line: %d" % line_num) + else: + logger.warning("htpasswd file contains problematic line not matching : in line: %d (ignored)", line_num) + htpasswd_ok = False + else: + if htpasswd.get(login): + duplicates += 1 + if init is True: + raise ValueError("htpasswd file contains duplicate login: '%s'", login, line_num) + else: + logger.warning("htpasswd file contains duplicate login: '%s' (line: %d / ignored)", login, line_num) + htpasswd_ok = False + else: + htpasswd[login] = digest + entries += 1 + except ValueError as e: + if init is True: + raise RuntimeError("Invalid htpasswd file %r: %s" % (self._filename, e)) from e + except OSError as e: + if init is True: + raise RuntimeError("Failed to load htpasswd file %r: %s" % (self._filename, e)) from e + else: + logger.warning("Failed to load htpasswd file on re-read: %r" % (self._filename, e)) + htpasswd_ok = False + else: + self._htpasswd_size = os.stat(self._filename).st_size + self._htpasswd_time_ns = os.stat(self._filename).st_mtime_ns + self._htpasswd = htpasswd + logger.info("%s content of htpasswd file done: %r (entries: %d, duplicates: %d)", info, self._filename, entries, duplicates) + if htpasswd_ok is True: + self._htpasswd_not_ok_time = 0 + else: + self._htpasswd_not_ok_time = time.time() + return htpasswd_ok + def _login(self, login: str, password: str) -> str: """Validate credentials. @@ -134,33 +210,31 @@ class Auth(auth.BaseAuth): hash (encrypted password) and check hash against password, using the method specified in the Radicale config. - The content of the file is not cached because reading is generally a - very cheap operation, and it's useful to get live updates of the - htpasswd file. + The content of the file is cached and live updates will be detected by + comparing mtime_ns and size """ - try: - with open(self._filename, encoding=self._encoding) as f: - for line in f: - line = line.rstrip("\n") - if line.lstrip() and not line.lstrip().startswith("#"): - try: - hash_login, hash_value = line.split( - ":", maxsplit=1) - # Always compare both login and password to avoid - # timing attacks, see #591. - login_ok = hmac.compare_digest( - hash_login.encode(), login.encode()) - (method, password_ok) = self._verify(hash_value, password) - if login_ok and password_ok: - logger.debug("Password verification for user '%s' with method '%s': password_ok=%s", login, method, password_ok) - return login - elif login_ok: - logger.debug("Password verification for user '%s' with method '%s': password_ok=%s", login, method, password_ok) - except ValueError as e: - raise RuntimeError("Invalid htpasswd file %r: %s" % - (self._filename, e)) from e - except OSError as e: - raise RuntimeError("Failed to load htpasswd file %r: %s" % - (self._filename, e)) from e + # check and re-read file if required + htpasswd_size = os.stat(self._filename).st_size + htpasswd_time_ns = os.stat(self._filename).st_mtime_ns + if (htpasswd_size != self._htpasswd_size) or (htpasswd_time_ns != self._htpasswd_time_ns): + with self._lock: + self._htpasswd_ok = self._read_htpasswd(False) + else: + # log reminder of problemantic file every interval + if (self._htpasswd_ok is False) and (self._htpasswd_not_ok_time > 0): + current_time = time.time() + if (current_time - self._htpasswd_not_ok_time) > self._htpasswd_not_ok_reminder_seconds: + logger.warning("htpasswd file still contains issues (REMINDER, check warnings in the past): %r" % self._filename) + self._htpasswd_not_ok_time = current_time + if self._htpasswd.get(login): + digest = self._htpasswd[login] + (method, password_ok) = self._verify(digest, password) + logger.debug("Login verification successful for user: '%s' (method '%s')", login, method) + if password_ok: + return login + else: + logger.debug("Login verification failed for user: '%s' ( method '%s')", login, method) + else: + logger.debug("Login verification user not found: '%s'", login) return "" From 9cac3008b7170441924aa5ad583a89c5949cf99e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 16:15:51 +0100 Subject: [PATCH 144/361] extend changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9836cd1..505202ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## 3.3.4.dev * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins * Improve: log used hash method and result on debug for htpasswd authentication +* Improve: htpasswd file now read and verified on start, automatic re-read triggered on change (mtime or size) ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 5357e692d9af661b35f69c47cced0bb3f648a490 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 17:09:21 +0100 Subject: [PATCH 145/361] [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file --- radicale/auth/htpasswd.py | 44 +++++++++++++++++++++++++++++++-------- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 24cf742f..a5f46f93 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -70,6 +70,8 @@ class Auth(auth.BaseAuth): _htpasswd_ok: bool _htpasswd_not_ok_seconds: int _htpasswd_not_ok_reminder_seconds: int + _htpasswd_bcrypt_use: int + _has_bcrypt: bool _lock: threading.Lock def __init__(self, configuration: config.Configuration) -> None: @@ -79,9 +81,10 @@ class Auth(auth.BaseAuth): encryption: str = configuration.get("auth", "htpasswd_encryption") logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s'", encryption) + self._has_bcrypt = False self._htpasswd_ok = False self._htpasswd_not_ok_reminder_seconds = 60 # currently hardcoded - self._htpasswd_read = self._read_htpasswd(True) + (self._htpasswd_ok, self._htpasswd_bcrypt_use) = self._read_htpasswd(True) self._lock = threading.Lock() if encryption == "plain": @@ -96,14 +99,24 @@ class Auth(auth.BaseAuth): try: import bcrypt except ImportError as e: - raise RuntimeError( - "The htpasswd encryption method 'bcrypt' or 'autodetect' requires " - "the bcrypt module.") from e + if (encryption == "autodetect") and (self._htpasswd_bcrypt_use == 0): + logger.warning("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' which can require bycrypt module, but currently no entries found", encryption) + else: + raise RuntimeError( + "The htpasswd encryption method 'bcrypt' or 'autodetect' requires " + "the bcrypt module (entries found: %d)." % self._htpasswd_bcrypt_use) from e + else: + if encryption == "autodetect": + if self._htpasswd_bcrypt_use == 0: + logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' and bycrypt module found, but currently not required", encryption) + else: + logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' and bycrypt module found (entries found: %d)", encryption, self._htpasswd_bcrypt_use) if encryption == "bcrypt": self._verify = functools.partial(self._bcrypt, bcrypt) else: self._verify = self._autodetect self._verify_bcrypt = functools.partial(self._bcrypt, bcrypt) + self._has_bcrypt = True else: raise RuntimeError("The htpasswd encryption method %r is not " "supported." % encryption) @@ -141,7 +154,7 @@ class Auth(auth.BaseAuth): # assumed plaintext return self._plain(hash_value, password) - def _read_htpasswd(self, init: bool) -> bool: + def _read_htpasswd(self, init: bool) -> (bool, int): """Read htpasswd file init == True: stop on error @@ -149,6 +162,7 @@ class Auth(auth.BaseAuth): """ htpasswd_ok = True + bcrypt_use = 0 if init is True: info = "Read" else: @@ -166,12 +180,14 @@ class Auth(auth.BaseAuth): if line.lstrip() and not line.lstrip().startswith("#"): try: login, digest = line.split( ":", maxsplit=1) + skip = False if login == "" or digest == "": if init is True: raise ValueError("htpasswd file contains problematic line not matching : in line: %d" % line_num) else: logger.warning("htpasswd file contains problematic line not matching : in line: %d (ignored)", line_num) htpasswd_ok = False + skip = True else: if htpasswd.get(login): duplicates += 1 @@ -180,9 +196,19 @@ class Auth(auth.BaseAuth): else: logger.warning("htpasswd file contains duplicate login: '%s' (line: %d / ignored)", login, line_num) htpasswd_ok = False + skip = True else: - htpasswd[login] = digest - entries += 1 + if digest.startswith("$2y$", 0, 4) and len(digest) == 60: + if init is True: + bcrypt_use += 1 + else: + if self._has_bcrypt is False: + logger.warning("htpasswd file contains bcrypt digest login: '%s' (line: %d / ignored because module is not loaded)", login, line_num) + skip = True + htpasswd_ok = False + if skip is False: + htpasswd[login] = digest + entries += 1 except ValueError as e: if init is True: raise RuntimeError("Invalid htpasswd file %r: %s" % (self._filename, e)) from e @@ -201,7 +227,7 @@ class Auth(auth.BaseAuth): self._htpasswd_not_ok_time = 0 else: self._htpasswd_not_ok_time = time.time() - return htpasswd_ok + return (htpasswd_ok, bcrypt_use) def _login(self, login: str, password: str) -> str: """Validate credentials. @@ -219,7 +245,7 @@ class Auth(auth.BaseAuth): htpasswd_time_ns = os.stat(self._filename).st_mtime_ns if (htpasswd_size != self._htpasswd_size) or (htpasswd_time_ns != self._htpasswd_time_ns): with self._lock: - self._htpasswd_ok = self._read_htpasswd(False) + (self._htpasswd_ok, self._htpasswd_bcrypt_use) = self._read_htpasswd(False) else: # log reminder of problemantic file every interval if (self._htpasswd_ok is False) and (self._htpasswd_not_ok_time > 0): From c00ab76c831488850c48ed9cea3818b0a0fef7b6 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 17:09:29 +0100 Subject: [PATCH 146/361] [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file / changelog --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 505202ed..4d8bbaa1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,8 +2,9 @@ ## 3.3.4.dev * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins -* Improve: log used hash method and result on debug for htpasswd authentication -* Improve: htpasswd file now read and verified on start, automatic re-read triggered on change (mtime or size) +* Improve: [auth] log used hash method and result on debug for htpasswd authentication +* Improve: [auth] htpasswd file now read and verified on start, automatic re-read triggered on change (mtime or size) +* Improve: [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From c1be04abd1a3c23ffe8bac5982a04076e8dec5ff Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 18:26:43 +0100 Subject: [PATCH 147/361] fixes suggested by tox --- radicale/auth/__init__.py | 4 ++-- radicale/auth/htpasswd.py | 17 +++++++++-------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index d8f35e83..fc453a84 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -30,8 +30,8 @@ Take a look at the class ``BaseAuth`` if you want to implement your own. """ import hashlib -import time import threading +import time from typing import Sequence, Set, Tuple, Union, final from radicale import config, types, utils @@ -89,7 +89,7 @@ class BaseAuth: # cache_successful_logins self._cache_logins = configuration.get("auth", "cache_logins") self._type = configuration.get("auth", "type") - if (self._type in [ "dovecot", "ldap", "htpasswd" ]) or (self._cache_logins is False): + if (self._type in ["dovecot", "ldap", "htpasswd"]) or (self._cache_logins is False): logger.info("auth.cache_logins: %s", self._cache_logins) else: logger.info("auth.cache_logins: %s (but not required for type '%s' and disabled therefore)", self._cache_logins, self._type) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index a5f46f93..e4c420cd 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -48,12 +48,12 @@ When bcrypt is installed: """ -import os -import time import functools import hmac +import os import threading -from typing import Any +import time +from typing import Any, Tuple from passlib.hash import apr_md5_crypt, sha256_crypt, sha512_crypt @@ -66,9 +66,9 @@ class Auth(auth.BaseAuth): _encoding: str _htpasswd: dict # login -> digest _htpasswd_mtime_ns: int - _htpasswd_size: bytes + _htpasswd_size: int _htpasswd_ok: bool - _htpasswd_not_ok_seconds: int + _htpasswd_not_ok_time: float _htpasswd_not_ok_reminder_seconds: int _htpasswd_bcrypt_use: int _has_bcrypt: bool @@ -154,7 +154,7 @@ class Auth(auth.BaseAuth): # assumed plaintext return self._plain(hash_value, password) - def _read_htpasswd(self, init: bool) -> (bool, int): + def _read_htpasswd(self, init: bool) -> Tuple[bool, int]: """Read htpasswd file init == True: stop on error @@ -168,6 +168,7 @@ class Auth(auth.BaseAuth): else: info = "Re-read" logger.info("%s content of htpasswd file start: %r", info, self._filename) + htpasswd: dict[str, str] htpasswd = dict() try: with open(self._filename, encoding=self._encoding) as f: @@ -179,7 +180,7 @@ class Auth(auth.BaseAuth): line = line.rstrip("\n") if line.lstrip() and not line.lstrip().startswith("#"): try: - login, digest = line.split( ":", maxsplit=1) + login, digest = line.split(":", maxsplit=1) skip = False if login == "" or digest == "": if init is True: @@ -216,7 +217,7 @@ class Auth(auth.BaseAuth): if init is True: raise RuntimeError("Failed to load htpasswd file %r: %s" % (self._filename, e)) from e else: - logger.warning("Failed to load htpasswd file on re-read: %r" % (self._filename, e)) + logger.warning("Failed to load htpasswd file on re-read: %r" % self._filename) htpasswd_ok = False else: self._htpasswd_size = os.stat(self._filename).st_size From 6ebca084237fe315ab5fe78831709b80300aeb5c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 15:47:22 +0100 Subject: [PATCH 148/361] extend copyright --- radicale/app/__init__.py | 2 +- radicale/auth/__init__.py | 2 +- radicale/auth/htpasswd.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/radicale/app/__init__.py b/radicale/app/__init__.py index 4f11ad3f..28c98802 100644 --- a/radicale/app/__init__.py +++ b/radicale/app/__init__.py @@ -3,7 +3,7 @@ # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub # Copyright © 2017-2019 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index fc453a84..679ecf9d 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -3,7 +3,7 @@ # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub # Copyright © 2017-2022 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index e4c420cd..8ed1ad33 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -3,7 +3,7 @@ # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub # Copyright © 2017-2019 Unrud -# Copyright © 2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From c10ce7ae4661f2be8e46fd74db009d88e31f4c25 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:30:34 +0100 Subject: [PATCH 149/361] add support for login info log --- radicale/app/__init__.py | 10 +++++----- radicale/auth/__init__.py | 13 +++++++++---- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/radicale/app/__init__.py b/radicale/app/__init__.py index 28c98802..eabac455 100644 --- a/radicale/app/__init__.py +++ b/radicale/app/__init__.py @@ -252,7 +252,7 @@ class Application(ApplicationPartDelete, ApplicationPartHead, self.configuration, environ, base64.b64decode( authorization.encode("ascii"))).split(":", 1) - user = self._auth.login(login, password) or "" if login else "" + (user, info) = self._auth.login(login, password) or ("", "") if login else ("", "") if self.configuration.get("auth", "type") == "ldap": try: logger.debug("Groups %r", ",".join(self._auth._ldap_groups)) @@ -260,12 +260,12 @@ class Application(ApplicationPartDelete, ApplicationPartHead, except AttributeError: pass if user and login == user: - logger.info("Successful login: %r", user) + logger.info("Successful login: %r (%s)", user, info) elif user: - logger.info("Successful login: %r -> %r", login, user) + logger.info("Successful login: %r -> %r (%s)", login, user, info) elif login: - logger.warning("Failed login attempt from %s: %r", - remote_host, login) + logger.warning("Failed login attempt from %s: %r (%s)", + remote_host, login, info) # Random delay to avoid timing oracles and bruteforce attacks if self._auth_delay > 0: random_delay = self._auth_delay * (0.5 + random.random()) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 679ecf9d..c1c7e884 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -143,7 +143,8 @@ class BaseAuth: raise NotImplementedError @final - def login(self, login: str, password: str) -> str: + def login(self, login: str, password: str) -> Tuple[str, str]: + result_from_cache = False if self._lc_username: login = login.lower() if self._uc_username: @@ -182,7 +183,7 @@ class BaseAuth: (time_ns_cache, login_cache) = self._cache_failed[digest] age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login_cache, age_failed) - return "" + return ("", self._type + " / cached") if self._cache_successful.get(login): # login found in cache "successful" (digest_cache, time_ns_cache) = self._cache_successful[login] @@ -197,6 +198,7 @@ class BaseAuth: else: logger.debug("Login successful cache entry for user+password found: '%s' (age: %d sec)", login, age_success) result = login + result_from_cache = True else: logger.debug("Login successful cache entry for user+password not matching: '%s'", login) else: @@ -225,6 +227,9 @@ class BaseAuth: self._cache_failed[digest_failed] = (time_ns, login) self._lock.release() logger.debug("Login failed cache for user set: '%s'", login) - return result + if result_from_cache is True: + return (result, self._type + " / cached") + else: + return (result, self._type) else: - return self._login(login, password) + return (self._login(login, password), self._type) From 46fe98f60b3cdc967144024b5d53727294d5dea0 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:31:31 +0100 Subject: [PATCH 150/361] make htpasswd cache optional --- DOCUMENTATION.md | 6 ++++ config | 3 ++ radicale/auth/htpasswd.py | 61 +++++++++++++++++++++++++-------------- radicale/config.py | 4 +++ 4 files changed, 53 insertions(+), 21 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index a5238bc6..8f166e6e 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -872,6 +872,12 @@ Available methods: Default: `autodetect` +##### htpasswd_cache + +Enable caching of htpasswd file based on size and mtime_ns + +Default: `False` + ##### delay Average delay after failed login attempts in seconds. diff --git a/config b/config index 9ac082cf..3b6108fe 100644 --- a/config +++ b/config @@ -109,6 +109,9 @@ # bcrypt requires the installation of 'bcrypt' module. #htpasswd_encryption = autodetect +# Enable caching of htpasswd file based on size and mtime_ns +#htpasswd_cache = False + # Incorrect authentication delay (seconds) #delay = 1 diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 8ed1ad33..ec5bd280 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -71,6 +71,7 @@ class Auth(auth.BaseAuth): _htpasswd_not_ok_time: float _htpasswd_not_ok_reminder_seconds: int _htpasswd_bcrypt_use: int + _htpasswd_cache: bool _has_bcrypt: bool _lock: threading.Lock @@ -78,13 +79,15 @@ class Auth(auth.BaseAuth): super().__init__(configuration) self._filename = configuration.get("auth", "htpasswd_filename") self._encoding = configuration.get("encoding", "stock") + self._htpasswd_cache = configuration.get("auth", "htpasswd_cache") + logger.info("auth htpasswd cache: %s", self._htpasswd_cache) encryption: str = configuration.get("auth", "htpasswd_encryption") logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s'", encryption) self._has_bcrypt = False self._htpasswd_ok = False self._htpasswd_not_ok_reminder_seconds = 60 # currently hardcoded - (self._htpasswd_ok, self._htpasswd_bcrypt_use) = self._read_htpasswd(True) + (self._htpasswd_ok, self._htpasswd_bcrypt_use, self._htpasswd, self._htpasswd_size, self._htpasswd_mtime_ns) = self._read_htpasswd(True, False) self._lock = threading.Lock() if encryption == "plain": @@ -154,27 +157,32 @@ class Auth(auth.BaseAuth): # assumed plaintext return self._plain(hash_value, password) - def _read_htpasswd(self, init: bool) -> Tuple[bool, int]: + def _read_htpasswd(self, init: bool, suppress: bool) -> Tuple[bool, int, dict]: """Read htpasswd file init == True: stop on error init == False: warn/skip on error and set mark to log reminder every interval + suppress == True: suppress warnings, change info to debug (used in non-caching mode) + suppress == False: do not suppress warnings (used in caching mode) """ htpasswd_ok = True bcrypt_use = 0 - if init is True: + if (init is True) or (suppress is True): info = "Read" else: info = "Re-read" - logger.info("%s content of htpasswd file start: %r", info, self._filename) - htpasswd: dict[str, str] - htpasswd = dict() + if suppress is False: + logger.info("%s content of htpasswd file start: %r", info, self._filename) + else: + logger.debug("%s content of htpasswd file start: %r", info, self._filename) + htpasswd: dict[str, str] = dict() + entries = 0 + duplicates = 0 + errors = 0 try: with open(self._filename, encoding=self._encoding) as f: line_num = 0 - entries = 0 - duplicates = 0 for line in f: line_num += 1 line = line.rstrip("\n") @@ -186,6 +194,7 @@ class Auth(auth.BaseAuth): if init is True: raise ValueError("htpasswd file contains problematic line not matching : in line: %d" % line_num) else: + errors += 1 logger.warning("htpasswd file contains problematic line not matching : in line: %d (ignored)", line_num) htpasswd_ok = False skip = True @@ -219,16 +228,17 @@ class Auth(auth.BaseAuth): else: logger.warning("Failed to load htpasswd file on re-read: %r" % self._filename) htpasswd_ok = False + htpasswd_size = os.stat(self._filename).st_size + htpasswd_mtime_ns = os.stat(self._filename).st_mtime_ns + if suppress is False: + logger.info("%s content of htpasswd file done: %r (entries: %d, duplicates: %d, errors: %d)", info, self._filename, entries, duplicates, errors) else: - self._htpasswd_size = os.stat(self._filename).st_size - self._htpasswd_time_ns = os.stat(self._filename).st_mtime_ns - self._htpasswd = htpasswd - logger.info("%s content of htpasswd file done: %r (entries: %d, duplicates: %d)", info, self._filename, entries, duplicates) + logger.debug("%s content of htpasswd file done: %r (entries: %d, duplicates: %d, errors: %d)", info, self._filename, entries, duplicates, errors) if htpasswd_ok is True: self._htpasswd_not_ok_time = 0 else: self._htpasswd_not_ok_time = time.time() - return (htpasswd_ok, bcrypt_use) + return (htpasswd_ok, bcrypt_use, htpasswd, htpasswd_size, htpasswd_mtime_ns) def _login(self, login: str, password: str) -> str: """Validate credentials. @@ -241,19 +251,28 @@ class Auth(auth.BaseAuth): comparing mtime_ns and size """ - # check and re-read file if required - htpasswd_size = os.stat(self._filename).st_size - htpasswd_time_ns = os.stat(self._filename).st_mtime_ns - if (htpasswd_size != self._htpasswd_size) or (htpasswd_time_ns != self._htpasswd_time_ns): + if self._htpasswd_cache is True: + # check and re-read file if required with self._lock: - (self._htpasswd_ok, self._htpasswd_bcrypt_use) = self._read_htpasswd(False) + htpasswd_size = os.stat(self._filename).st_size + htpasswd_mtime_ns = os.stat(self._filename).st_mtime_ns + if (htpasswd_size != self._htpasswd_size) or (htpasswd_mtime_ns != self._htpasswd_mtime_ns): + (self._htpasswd_ok, self._htpasswd_bcrypt_use, self._htpasswd, self._htpasswd_size, self._htpasswd_mtime_ns) = self._read_htpasswd(False, False) + self._htpasswd_not_ok_time = 0 else: - # log reminder of problemantic file every interval - if (self._htpasswd_ok is False) and (self._htpasswd_not_ok_time > 0): - current_time = time.time() + # read file on every request + (self._htpasswd_ok, self._htpasswd_bcrypt_use, self._htpasswd, self._htpasswd_size, self._htpasswd_mtime_ns) = self._read_htpasswd(False, True) + + # log reminder of problemantic file every interval + current_time = time.time() + if (self._htpasswd_ok is False): + if (self._htpasswd_not_ok_time > 0): if (current_time - self._htpasswd_not_ok_time) > self._htpasswd_not_ok_reminder_seconds: logger.warning("htpasswd file still contains issues (REMINDER, check warnings in the past): %r" % self._filename) self._htpasswd_not_ok_time = current_time + else: + self._htpasswd_not_ok_time = current_time + if self._htpasswd.get(login): digest = self._htpasswd[login] (method, password_ok) = self._verify(digest, password) diff --git a/radicale/config.py b/radicale/config.py index b165345f..224f68d3 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -203,6 +203,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "autodetect", "help": "htpasswd encryption method", "type": str}), + ("htpasswd_cache", { + "value": "False", + "help": "enable caching of htpasswd file", + "type": bool}), ("dovecot_socket", { "value": "/var/run/dovecot/auth-client", "help": "dovecot auth socket", From 8fdbd0dbf6e69b35e8651988dfff58de69f8f84c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:31:47 +0100 Subject: [PATCH 151/361] log cosmetics --- radicale/auth/htpasswd.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index ec5bd280..1f6c3865 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -113,7 +113,7 @@ class Auth(auth.BaseAuth): if self._htpasswd_bcrypt_use == 0: logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' and bycrypt module found, but currently not required", encryption) else: - logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' and bycrypt module found (entries found: %d)", encryption, self._htpasswd_bcrypt_use) + logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' and bycrypt module found (bcrypt entries found: %d)", encryption, self._htpasswd_bcrypt_use) if encryption == "bcrypt": self._verify = functools.partial(self._bcrypt, bcrypt) else: From ca665c4849267a5be56f692558b1182b398a2e93 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:32:07 +0100 Subject: [PATCH 152/361] add a dummy delay action --- radicale/auth/htpasswd.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 1f6c3865..57bf1a40 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -282,5 +282,7 @@ class Auth(auth.BaseAuth): else: logger.debug("Login verification failed for user: '%s' ( method '%s')", login, method) else: + # dummy delay + (method, password_ok) = self._plain(str(htpasswd_mtime_ns), password) logger.debug("Login verification user not found: '%s'", login) return "" From 8604dacad07e0619e9eb44d793328193d3cfb0f5 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:40:55 +0100 Subject: [PATCH 153/361] fix typing --- radicale/auth/htpasswd.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 57bf1a40..f444fdc3 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -157,7 +157,7 @@ class Auth(auth.BaseAuth): # assumed plaintext return self._plain(hash_value, password) - def _read_htpasswd(self, init: bool, suppress: bool) -> Tuple[bool, int, dict]: + def _read_htpasswd(self, init: bool, suppress: bool) -> Tuple[bool, int, dict, int, int]: """Read htpasswd file init == True: stop on error From 5a591b6471b676291cba07854fa2c9b13d1f2d62 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:41:11 +0100 Subject: [PATCH 154/361] use different token --- radicale/auth/htpasswd.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index f444fdc3..22b1b1ba 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -283,6 +283,6 @@ class Auth(auth.BaseAuth): logger.debug("Login verification failed for user: '%s' ( method '%s')", login, method) else: # dummy delay - (method, password_ok) = self._plain(str(htpasswd_mtime_ns), password) + (method, password_ok) = self._plain(str(time.time_ns()), password) logger.debug("Login verification user not found: '%s'", login) return "" From 5d48ba5d1ec4e28469a9553e7217a24284f40160 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 17:28:09 +0100 Subject: [PATCH 155/361] add test cases --- radicale/tests/test_auth.py | 48 ++++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 1142caf4..23042b20 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -2,7 +2,7 @@ # Copyright © 2012-2016 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2022 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -28,6 +28,7 @@ import sys from typing import Iterable, Tuple, Union import pytest +import logging from radicale import xmlutils from radicale.tests import BaseTest @@ -101,6 +102,51 @@ class TestBaseAuthRequests(BaseTest): def test_htpasswd_multi(self) -> None: self._test_htpasswd("plain", "ign:ign\ntmp:bepo") + # login cache successful + def test_htpasswd_login_cache_successful_plain(self, caplog) -> None: + caplog.set_level(logging.INFO) + self.configure({"auth": {"cache_logins": "True"}}) + self._test_htpasswd("plain", "tmp:bepo", (("tmp", "bepo", True), ("tmp", "bepo", True))) + htpasswd_found = False + htpasswd_cached_found = False + for line in caplog.messages: + if line == "Successful login: 'tmp' (htpasswd)": + htpasswd_found = True + elif line == "Successful login: 'tmp' (htpasswd / cached)": + htpasswd_cached_found = True + if (htpasswd_found is False) or (htpasswd_cached_found is False): + raise ValueError("Logging misses expected log lines") + + # login cache failed + def test_htpasswd_login_cache_failed_plain(self, caplog) -> None: + caplog.set_level(logging.INFO) + self.configure({"auth": {"cache_logins": "True"}}) + self._test_htpasswd("plain", "tmp:bepo", (("tmp", "bepo1", False), ("tmp", "bepo1", False))) + htpasswd_found = False + htpasswd_cached_found = False + for line in caplog.messages: + if line == "Failed login attempt from unknown: 'tmp' (htpasswd)": + htpasswd_found = True + elif line == "Failed login attempt from unknown: 'tmp' (htpasswd / cached)": + htpasswd_cached_found = True + if (htpasswd_found is False) or (htpasswd_cached_found is False): + raise ValueError("Logging misses expected log lines") + + # htpasswd file cache + def test_htpasswd_file_cache(self, caplog) -> None: + self.configure({"auth": {"htpasswd_cache": "True"}}) + self._test_htpasswd("plain", "tmp:bepo") + + # detection of broken htpasswd file entries + def test_htpasswd_broken(self) -> None: + for userpass in ["tmp:", ":tmp" ]: + try: + self._test_htpasswd("plain", userpass) + except RuntimeError: + pass + else: + raise + @pytest.mark.skipif(sys.platform == "win32", reason="leading and trailing " "whitespaces not allowed in file names") def test_htpasswd_whitespace_user(self) -> None: From 0a5ae5b0b4faa9690c48f909f30c39157ef847c9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 17:31:16 +0100 Subject: [PATCH 156/361] extend startup logging for htpasswd --- radicale/auth/htpasswd.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 22b1b1ba..cc94a8f9 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -78,7 +78,9 @@ class Auth(auth.BaseAuth): def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) self._filename = configuration.get("auth", "htpasswd_filename") + logger.info("auth htpasswd file: %r", self._filename) self._encoding = configuration.get("encoding", "stock") + logger.info("auth htpasswd file encoding: %r", self._encoding) self._htpasswd_cache = configuration.get("auth", "htpasswd_cache") logger.info("auth htpasswd cache: %s", self._htpasswd_cache) encryption: str = configuration.get("auth", "htpasswd_encryption") From 3763f28ae4eab549a444a2921923138d1238a098 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 17:36:15 +0100 Subject: [PATCH 157/361] tox fixes --- radicale/tests/test_auth.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 23042b20..f2ba577b 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -23,12 +23,12 @@ Radicale tests with simple requests and authentication. """ import base64 +import logging import os import sys from typing import Iterable, Tuple, Union import pytest -import logging from radicale import xmlutils from radicale.tests import BaseTest @@ -139,7 +139,7 @@ class TestBaseAuthRequests(BaseTest): # detection of broken htpasswd file entries def test_htpasswd_broken(self) -> None: - for userpass in ["tmp:", ":tmp" ]: + for userpass in ["tmp:", ":tmp"]: try: self._test_htpasswd("plain", userpass) except RuntimeError: From 70c4a34eb8c6072cb3658f3fe7b3b44fbdb0616d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 17:36:33 +0100 Subject: [PATCH 158/361] fix/extend changelog --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d8bbaa1..bade4998 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,8 +3,10 @@ ## 3.3.4.dev * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins * Improve: [auth] log used hash method and result on debug for htpasswd authentication -* Improve: [auth] htpasswd file now read and verified on start, automatic re-read triggered on change (mtime or size) +* Improve: [auth] htpasswd file now read and verified on start +* Add: option [auth] htpasswd_cache to automatic re-read triggered on change (mtime or size) instead reading on each request * Improve: [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file +* Improve: [auth] successful/failed login logs now type and whether result was taken from cache ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 6f0ac545f0f35438c5105d874118abd381fd2603 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 2 Jan 2025 08:08:22 +0100 Subject: [PATCH 159/361] code fix --- radicale/auth/htpasswd.py | 43 ++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index cc94a8f9..842481fd 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -249,10 +249,19 @@ class Auth(auth.BaseAuth): hash (encrypted password) and check hash against password, using the method specified in the Radicale config. - The content of the file is cached and live updates will be detected by + Optional: the content of the file is cached and live updates will be detected by comparing mtime_ns and size + TODO: improve against timing attacks + see also issue 591 + but also do not delay that much + see also issue 1466 + + As several hash methods are supported which have different speed a time based gap would be required + """ + login_ok = False + digest: str if self._htpasswd_cache is True: # check and re-read file if required with self._lock: @@ -261,22 +270,28 @@ class Auth(auth.BaseAuth): if (htpasswd_size != self._htpasswd_size) or (htpasswd_mtime_ns != self._htpasswd_mtime_ns): (self._htpasswd_ok, self._htpasswd_bcrypt_use, self._htpasswd, self._htpasswd_size, self._htpasswd_mtime_ns) = self._read_htpasswd(False, False) self._htpasswd_not_ok_time = 0 + + # log reminder of problemantic file every interval + current_time = time.time() + if (self._htpasswd_ok is False): + if (self._htpasswd_not_ok_time > 0): + if (current_time - self._htpasswd_not_ok_time) > self._htpasswd_not_ok_reminder_seconds: + logger.warning("htpasswd file still contains issues (REMINDER, check warnings in the past): %r" % self._filename) + self._htpasswd_not_ok_time = current_time + else: + self._htpasswd_not_ok_time = current_time + + if self._htpasswd.get(login): + digest = self._htpasswd[login] + login_ok = True else: # read file on every request - (self._htpasswd_ok, self._htpasswd_bcrypt_use, self._htpasswd, self._htpasswd_size, self._htpasswd_mtime_ns) = self._read_htpasswd(False, True) + (htpasswd_ok, htpasswd_bcrypt_use, htpasswd, htpasswd_size, htpasswd_mtime_ns) = self._read_htpasswd(False, True) + if htpasswd.get(login): + digest = htpasswd[login] + login_ok = True - # log reminder of problemantic file every interval - current_time = time.time() - if (self._htpasswd_ok is False): - if (self._htpasswd_not_ok_time > 0): - if (current_time - self._htpasswd_not_ok_time) > self._htpasswd_not_ok_reminder_seconds: - logger.warning("htpasswd file still contains issues (REMINDER, check warnings in the past): %r" % self._filename) - self._htpasswd_not_ok_time = current_time - else: - self._htpasswd_not_ok_time = current_time - - if self._htpasswd.get(login): - digest = self._htpasswd[login] + if login_ok is True: (method, password_ok) = self._verify(digest, password) logger.debug("Login verification successful for user: '%s' (method '%s')", login, method) if password_ok: From 6f82333ff7ab69d5ed8c7d6d11bbdb77f535f7cf Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 17:18:00 +0100 Subject: [PATCH 160/361] LDAP auth: harmonize _login2() and _login3() methods --- radicale/auth/ldap.py | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 80ceb448..4833d18d 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -112,12 +112,18 @@ class Auth(auth.BaseAuth): conn.set_option(self.ldap.OPT_REFERRALS, 0) conn.simple_bind_s(self._ldap_reader_dn, self._ldap_secret) """Search for the dn of user to authenticate""" - res = conn.search_s(self._ldap_base, self.ldap.SCOPE_SUBTREE, filterstr=self._ldap_filter.format(login), attrlist=['memberOf']) + res = conn.search_s( + self._ldap_base, + self.ldap.SCOPE_SUBTREE, + filterstr=self._ldap_filter.format(login), + attrlist=['memberOf'] + ) if len(res) == 0: """User could not be found""" return "" - user_dn = res[0][0] - logger.debug("LDAP Auth user: %s", user_dn) + user_entry = res[0] + user_dn = user_entry[0] + logger.debug(f"_login2 found LDAP user DN {user_dn}") """Close LDAP connection""" conn.unbind() except Exception as e: @@ -132,11 +138,12 @@ class Auth(auth.BaseAuth): tmp: list[str] = [] if self._ldap_load_groups: tmp = [] - for t in res[0][1]['memberOf']: - tmp.append(t.decode('utf-8').split(',')[0][3:]) + for g in user_entry[1]['memberOf']: + tmp.append(g.decode('utf-8').split(',')[0][3:]) self._ldap_groups = set(tmp) - logger.debug("LDAP Auth groups of user: %s", ",".join(self._ldap_groups)) + logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups)) conn.unbind() + logger.debug(f"_login2 {login} successfully authenticated") return login except self.ldap.INVALID_CREDENTIALS: return "" @@ -182,18 +189,20 @@ class Auth(auth.BaseAuth): user_entry = conn.response[0] conn.unbind() user_dn = user_entry['dn'] - logger.debug(f"_login3 found user_dn {user_dn}") + logger.debug(f"_login3 found LDAP user DN {user_dn}") try: """Try to bind as the user itself""" conn = self.ldap3.Connection(server, user_dn, password=password) if not conn.bind(): logger.debug(f"_login3 user '{login}' cannot be found") return "" + tmp: list[str] = [] if self._ldap_load_groups: tmp = [] for g in user_entry['attributes']['memberOf']: tmp.append(g.split(',')[0][3:]) self._ldap_groups = set(tmp) + logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups)) conn.unbind() logger.debug(f"_login3 {login} successfully authenticated") return login From c243ae4ebf52a833ebe04d71001d8bad4fa93f72 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 07:16:27 +0100 Subject: [PATCH 161/361] LDAP auth: require exactly one result when searching for the LDAP user DN This makes sure not fail securely when the query returns multiple entries - correct grammar in some cases - we're doing _authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version - align formatting & messages better between _login2() and _login3() --- radicale/auth/ldap.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 4833d18d..4f80a362 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -118,8 +118,9 @@ class Auth(auth.BaseAuth): filterstr=self._ldap_filter.format(login), attrlist=['memberOf'] ) - if len(res) == 0: - """User could not be found""" + if len(res) != 1: + """User could not be found unambiguously""" + logger.debug(f"_login2 no unique DN found for '{login}'") return "" user_entry = res[0] user_dn = user_entry[0] @@ -181,9 +182,9 @@ class Auth(auth.BaseAuth): search_scope=self.ldap3.SUBTREE, attributes=['memberOf'] ) - if len(conn.entries) == 0: - """User could not be found""" - logger.debug(f"_login3 user '{login}' cannot be found") + if len(conn.entries) != 1: + """User could not be found unambiguously""" + logger.debug(f"_login3 no unique DN found for '{login}'") return "" user_entry = conn.response[0] From 8c2feb4726857746d1afbf10f77cb43f3a3d1aad Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 08:29:27 +0100 Subject: [PATCH 162/361] LDAP auth: escape values used in LDAP filters to avoid possible injection of malicious code. --- radicale/auth/ldap.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 4f80a362..25da242c 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -112,10 +112,12 @@ class Auth(auth.BaseAuth): conn.set_option(self.ldap.OPT_REFERRALS, 0) conn.simple_bind_s(self._ldap_reader_dn, self._ldap_secret) """Search for the dn of user to authenticate""" + escaped_login = self.ldap.filter.escape_filter_chars(login) + logger.debug(f"_login2 login escaped for LDAP filters: {escaped_login}") res = conn.search_s( self._ldap_base, self.ldap.SCOPE_SUBTREE, - filterstr=self._ldap_filter.format(login), + filterstr=self._ldap_filter.format(escaped_login), attrlist=['memberOf'] ) if len(res) != 1: @@ -176,9 +178,11 @@ class Auth(auth.BaseAuth): logger.debug(f"_login3 bind as {self._ldap_reader_dn}") """Search the user dn""" + escaped_login = self.ldap3.utils.conv.escape_filter_chars(login) + logger.debug(f"_login3 login escaped for LDAP filters: {escaped_login}") conn.search( search_base=self._ldap_base, - search_filter=self._ldap_filter.format(login), + search_filter=self._ldap_filter.format(escaped_login), search_scope=self.ldap3.SUBTREE, attributes=['memberOf'] ) From 0253682c0049011ed267887d1bff8b5b02e49050 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 13:18:39 +0100 Subject: [PATCH 163/361] LDAP auth: do not blindly assume groups have a 2-letter naming attribute Instead, strip away everything before (and including) the '=' sign of ther RDN. --- radicale/auth/ldap.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 25da242c..40f0ef09 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -142,7 +142,9 @@ class Auth(auth.BaseAuth): if self._ldap_load_groups: tmp = [] for g in user_entry[1]['memberOf']: - tmp.append(g.decode('utf-8').split(',')[0][3:]) + """Get group g's RDN's attribute value""" + g = g.decode('utf-8').split(',')[0] + tmp.append(g.partition('=')[2]) self._ldap_groups = set(tmp) logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups)) conn.unbind() @@ -205,7 +207,9 @@ class Auth(auth.BaseAuth): if self._ldap_load_groups: tmp = [] for g in user_entry['attributes']['memberOf']: - tmp.append(g.split(',')[0][3:]) + """Get group g's RDN's attribute value""" + g = g.split(',')[0] + tmp.append(g.partition('=')[2]) self._ldap_groups = set(tmp) logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups)) conn.unbind() From 99f5ec389d3f4ca01d3c50f97c629977168497f4 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 08:05:42 +0100 Subject: [PATCH 164/361] LDAP auth: indroduce config option 'ldap_user_attribute' This option gives us - flexible authentication options where the name used for logging on does not have to be the account name e.g. use ldap_filter = (&(obhjectclass=inetOrgperson)(|(cn={0]})(mail={0}))) to allow loginng on using the cn or the mail address - automatically consistent / canonicalized username values (i.e. exactly the way the LDAP server returns them) --- DOCUMENTATION.md | 6 ++++++ config | 3 +++ radicale/auth/ldap.py | 42 +++++++++++++++++++++++++++++++++--------- radicale/config.py | 4 ++++ 4 files changed, 46 insertions(+), 9 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index f590a294..e0dd6e39 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -901,6 +901,12 @@ The search filter to find the user DN to authenticate by the username. User '{0} Default: `(cn={0})` +#### ldap_user_attribute + +The LDAP attribute whose value shall be used as the user name after successful authentication + +Default: not set, i.e. the login name given is used directly. + ##### ldap_load_groups Load the ldap groups of the authenticated user. These groups can be used later on to define rights. This also gives you access to the group calendars, if they exist. diff --git a/config b/config index c34b9d28..38b845c3 100644 --- a/config +++ b/config @@ -83,6 +83,9 @@ # The filter to find the DN of the user. This filter must contain a python-style placeholder for the login #ldap_filter = (&(objectClass=person)(uid={0})) +# the attribute holding the value to be used as username after authentication +#ldap_user_attribute = cn + # Use ssl on the ldap connection #ldap_use_ssl = False diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 40f0ef09..ee256fed 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -17,13 +17,14 @@ """ Authentication backend that checks credentials with a LDAP server. Following parameters are needed in the configuration: - ldap_uri The LDAP URL to the server like ldap://localhost - ldap_base The baseDN of the LDAP server - ldap_reader_dn The DN of a LDAP user with read access to get the user accounts - ldap_secret The password of the ldap_reader_dn - ldap_secret_file The path of the file containing the password of the ldap_reader_dn - ldap_filter The search filter to find the user to authenticate by the username - ldap_load_groups If the groups of the authenticated users need to be loaded + ldap_uri The LDAP URL to the server like ldap://localhost + ldap_base The baseDN of the LDAP server + ldap_reader_dn The DN of a LDAP user with read access to get the user accounts + ldap_secret The password of the ldap_reader_dn + ldap_secret_file The path of the file containing the password of the ldap_reader_dn + ldap_filter The search filter to find the user to authenticate by the username + ldap_user_attribute The attribute to be used as username after authentication + ldap_load_groups If the groups of the authenticated users need to be loaded Following parameters controls SSL connections: ldap_use_ssl If the connection ldap_ssl_verify_mode The certificate verification mode. NONE, OPTIONAL, default is REQUIRED @@ -42,6 +43,7 @@ class Auth(auth.BaseAuth): _ldap_reader_dn: str _ldap_secret: str _ldap_filter: str + _ldap_user_attr: str _ldap_load_groups: bool _ldap_module_version: int = 3 _ldap_use_ssl: bool = False @@ -66,6 +68,7 @@ class Auth(auth.BaseAuth): self._ldap_load_groups = configuration.get("auth", "ldap_load_groups") self._ldap_secret = configuration.get("auth", "ldap_secret") self._ldap_filter = configuration.get("auth", "ldap_filter") + self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute") ldap_secret_file_path = configuration.get("auth", "ldap_secret_file") if ldap_secret_file_path: with open(ldap_secret_file_path, 'r') as file: @@ -84,6 +87,10 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_reader_dn : %r" % self._ldap_reader_dn) logger.info("auth.ldap_load_groups : %s" % self._ldap_load_groups) logger.info("auth.ldap_filter : %r" % self._ldap_filter) + if self._ldap_user_attr: + logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr) + else: + logger.info("auth.ldap_user_attribute : (not provided)") if ldap_secret_file_path: logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path) if self._ldap_secret: @@ -114,11 +121,15 @@ class Auth(auth.BaseAuth): """Search for the dn of user to authenticate""" escaped_login = self.ldap.filter.escape_filter_chars(login) logger.debug(f"_login2 login escaped for LDAP filters: {escaped_login}") + attrs = ['memberof'] + if self._ldap_user_attr: + attrs = ['memberOf', self._ldap_user_attr] + logger.debug(f"_login2 attrs: {attrs}") res = conn.search_s( self._ldap_base, self.ldap.SCOPE_SUBTREE, filterstr=self._ldap_filter.format(escaped_login), - attrlist=['memberOf'] + attrlist=attrs ) if len(res) != 1: """User could not be found unambiguously""" @@ -147,6 +158,11 @@ class Auth(auth.BaseAuth): tmp.append(g.partition('=')[2]) self._ldap_groups = set(tmp) logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups)) + if self._ldap_user_attr: + if user_entry[1][self._ldap_user_attr]: + tmplogin = user_entry[1][self._ldap_user_attr][0] + login = tmplogin.decode('utf-8') + logger.debug(f"_login2 user set to: '{login}'") conn.unbind() logger.debug(f"_login2 {login} successfully authenticated") return login @@ -182,11 +198,15 @@ class Auth(auth.BaseAuth): """Search the user dn""" escaped_login = self.ldap3.utils.conv.escape_filter_chars(login) logger.debug(f"_login3 login escaped for LDAP filters: {escaped_login}") + attrs = ['memberof'] + if self._ldap_user_attr: + attrs = ['memberOf', self._ldap_user_attr] + logger.debug(f"_login3 attrs: {attrs}") conn.search( search_base=self._ldap_base, search_filter=self._ldap_filter.format(escaped_login), search_scope=self.ldap3.SUBTREE, - attributes=['memberOf'] + attributes=attrs ) if len(conn.entries) != 1: """User could not be found unambiguously""" @@ -212,6 +232,10 @@ class Auth(auth.BaseAuth): tmp.append(g.partition('=')[2]) self._ldap_groups = set(tmp) logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups)) + if self._ldap_user_attr: + if user_entry['attributes'][self._ldap_user_attr]: + login = user_entry['attributes'][self._ldap_user_attr][0] + logger.debug(f"_login3 user set to: '{login}'") conn.unbind() logger.debug(f"_login3 {login} successfully authenticated") return login diff --git a/radicale/config.py b/radicale/config.py index 0ac5970c..7a085f71 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -227,6 +227,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "(cn={0})", "help": "the search filter to find the user DN to authenticate by the username", "type": str}), + ("ldap_user_attribute", { + "value": "", + "help": "the attribute to be used as username after authentication", + "type": str}), ("ldap_load_groups", { "value": "False", "help": "load the ldap groups of the authenticated user", From 532fad9ba6a6f8845c3f5efa5a87c6936111d419 Mon Sep 17 00:00:00 2001 From: Jack Wilsdon Date: Thu, 2 Jan 2025 12:18:53 +0000 Subject: [PATCH 165/361] Fix test failing on systems without IPv6 support --- radicale/tests/test_server.py | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/radicale/tests/test_server.py b/radicale/tests/test_server.py index ecc493a4..b344dddf 100644 --- a/radicale/tests/test_server.py +++ b/radicale/tests/test_server.py @@ -141,13 +141,19 @@ class TestBaseServerRequests(BaseTest): def test_bind_fail(self) -> None: for address_family, address in [(socket.AF_INET, "::1"), (socket.AF_INET6, "127.0.0.1")]: - with socket.socket(address_family, socket.SOCK_STREAM) as sock: - if address_family == socket.AF_INET6: - # Only allow IPv6 connections to the IPv6 socket - sock.setsockopt(server.COMPAT_IPPROTO_IPV6, - socket.IPV6_V6ONLY, 1) - with pytest.raises(OSError) as exc_info: - sock.bind((address, 0)) + try: + with socket.socket(address_family, socket.SOCK_STREAM) as sock: + if address_family == socket.AF_INET6: + # Only allow IPv6 connections to the IPv6 socket + sock.setsockopt(server.COMPAT_IPPROTO_IPV6, + socket.IPV6_V6ONLY, 1) + with pytest.raises(OSError) as exc_info: + sock.bind((address, 0)) + except OSError as e: + if e.errno in (errno.EADDRNOTAVAIL, errno.EAFNOSUPPORT, + errno.EPROTONOSUPPORT): + continue + raise # See ``radicale.server.serve`` assert (isinstance(exc_info.value, socket.gaierror) and exc_info.value.errno in ( From 0d43a49ffb0ee4a65e630ca8ad6a7a6b8fc7c1a7 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 2 Jan 2025 22:33:54 +0100 Subject: [PATCH 166/361] add variable sleep to have a constant execution time on failed login --- radicale/auth/__init__.py | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index c1c7e884..eb620e29 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -60,6 +60,8 @@ class BaseAuth: _lc_username: bool _uc_username: bool _strip_domain: bool + _auth_delay: float + _failed_auth_delay: float _type: str _cache_logins: bool _cache_successful: dict # login -> (digest, time_ns) @@ -86,6 +88,9 @@ class BaseAuth: logger.info("auth.uc_username: %s", self._uc_username) if self._lc_username is True and self._uc_username is True: raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") + self._auth_delay = configuration.get("auth", "delay") + logger.info("auth.delay: %f", self._auth_delay) + self._failed_auth_delay = self._auth_delay # cache_successful_logins self._cache_logins = configuration.get("auth", "cache_logins") self._type = configuration.get("auth", "type") @@ -142,8 +147,22 @@ class BaseAuth: raise NotImplementedError + def _sleep(self, time_ns_begin): + """Sleep some time to reach a constant execution time finally + Increase final execution time in case initial limit exceeded + """ + time_delta = (time.time_ns() - time_ns_begin) / 1000 / 1000 / 1000 + if time_delta > self._failed_auth_delay: + logger.debug("Increase failed auth_delay %.3f -> %.3f seconds", self._failed_auth_delay, time_delta) + with self._lock: + self._failed_auth_delay = time_delta + sleep = self._failed_auth_delay - time_delta + logger.debug("Sleeping %.3f seconds", sleep) + time.sleep(sleep) + @final def login(self, login: str, password: str) -> Tuple[str, str]: + time_ns_begin = time.time_ns() result_from_cache = False if self._lc_username: login = login.lower() @@ -183,6 +202,7 @@ class BaseAuth: (time_ns_cache, login_cache) = self._cache_failed[digest] age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login_cache, age_failed) + self._sleep(time_ns_begin) return ("", self._type + " / cached") if self._cache_successful.get(login): # login found in cache "successful" @@ -228,8 +248,16 @@ class BaseAuth: self._lock.release() logger.debug("Login failed cache for user set: '%s'", login) if result_from_cache is True: + if result == "": + self._sleep(time_ns_begin) return (result, self._type + " / cached") else: + if result == "": + self._sleep(time_ns_begin) return (result, self._type) else: - return (self._login(login, password), self._type) + # self._cache_logins is False + result = self._login(login, password) + if result == "": + self._sleep(time_ns_begin) + return (result, self._type) From cf914450ee08ddaf19005e22f62cc8f409526323 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 07:02:29 +0100 Subject: [PATCH 167/361] remove obsolete code and comment as constant execution time is now done by __init__.py --- radicale/auth/htpasswd.py | 9 --------- 1 file changed, 9 deletions(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 842481fd..8d007cb8 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -252,13 +252,6 @@ class Auth(auth.BaseAuth): Optional: the content of the file is cached and live updates will be detected by comparing mtime_ns and size - TODO: improve against timing attacks - see also issue 591 - but also do not delay that much - see also issue 1466 - - As several hash methods are supported which have different speed a time based gap would be required - """ login_ok = False digest: str @@ -299,7 +292,5 @@ class Auth(auth.BaseAuth): else: logger.debug("Login verification failed for user: '%s' ( method '%s')", login, method) else: - # dummy delay - (method, password_ok) = self._plain(str(time.time_ns()), password) logger.debug("Login verification user not found: '%s'", login) return "" From 5a00baab3f17a4e5355a10061b00c1e5d07e6e6b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 07:11:51 +0100 Subject: [PATCH 168/361] cosmetics --- radicale/app/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/__init__.py b/radicale/app/__init__.py index eabac455..7f8301f2 100644 --- a/radicale/app/__init__.py +++ b/radicale/app/__init__.py @@ -269,7 +269,7 @@ class Application(ApplicationPartDelete, ApplicationPartHead, # Random delay to avoid timing oracles and bruteforce attacks if self._auth_delay > 0: random_delay = self._auth_delay * (0.5 + random.random()) - logger.debug("Sleeping %.3f seconds", random_delay) + logger.debug("Failed login, sleeping random: %.3f sec", random_delay) time.sleep(random_delay) if user and not pathutils.is_safe_path_component(user): From a9f2e6fe7b57ca51a1a48d4eb5775c56eedfe812 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 07:14:32 +0100 Subject: [PATCH 169/361] improve code/adjustments --- radicale/auth/__init__.py | 43 ++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index eb620e29..a0974296 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -90,7 +90,7 @@ class BaseAuth: raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") self._auth_delay = configuration.get("auth", "delay") logger.info("auth.delay: %f", self._auth_delay) - self._failed_auth_delay = self._auth_delay + self._failed_auth_delay = 0 # cache_successful_logins self._cache_logins = configuration.get("auth", "cache_logins") self._type = configuration.get("auth", "type") @@ -147,18 +147,33 @@ class BaseAuth: raise NotImplementedError - def _sleep(self, time_ns_begin): - """Sleep some time to reach a constant execution time finally + def _sleep_for_constant_exec_time(self, time_ns_begin): + """Sleep some time to reach a constant execution time for failed logins + + Independent of time required by external backend or used digest methods + Increase final execution time in case initial limit exceeded + + See also issue 591 + """ time_delta = (time.time_ns() - time_ns_begin) / 1000 / 1000 / 1000 - if time_delta > self._failed_auth_delay: - logger.debug("Increase failed auth_delay %.3f -> %.3f seconds", self._failed_auth_delay, time_delta) - with self._lock: - self._failed_auth_delay = time_delta - sleep = self._failed_auth_delay - time_delta - logger.debug("Sleeping %.3f seconds", sleep) - time.sleep(sleep) + with self._lock: + # avoid that another thread is changing global value at the same time + failed_auth_delay = self._failed_auth_delay + failed_auth_delay_old = failed_auth_delay + if time_delta > failed_auth_delay: + # set new + failed_auth_delay = time_delta + # store globally + self._failed_auth_delay = failed_auth_delay + if (failed_auth_delay_old != failed_auth_delay): + logger.debug("Failed login constant execution time need increase of failed_auth_delay: %.9f -> %.9f sec", failed_auth_delay_old, failed_auth_delay) + # sleep == 0 + else: + sleep = failed_auth_delay - time_delta + logger.debug("Failed login constant exection time alignment, sleeping: %.9f sec", sleep) + time.sleep(sleep) @final def login(self, login: str, password: str) -> Tuple[str, str]: @@ -202,7 +217,7 @@ class BaseAuth: (time_ns_cache, login_cache) = self._cache_failed[digest] age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login_cache, age_failed) - self._sleep(time_ns_begin) + self._sleep_for_constant_exec_time(time_ns_begin) return ("", self._type + " / cached") if self._cache_successful.get(login): # login found in cache "successful" @@ -249,15 +264,15 @@ class BaseAuth: logger.debug("Login failed cache for user set: '%s'", login) if result_from_cache is True: if result == "": - self._sleep(time_ns_begin) + self._sleep_for_constant_exec_time(time_ns_begin) return (result, self._type + " / cached") else: if result == "": - self._sleep(time_ns_begin) + self._sleep_for_constant_exec_time(time_ns_begin) return (result, self._type) else: # self._cache_logins is False result = self._login(login, password) if result == "": - self._sleep(time_ns_begin) + self._sleep_for_constant_exec_time(time_ns_begin) return (result, self._type) From 2442a794ae8aebae10ae1e7d435dde58191e21e8 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 2 Jan 2025 23:17:34 +0100 Subject: [PATCH 170/361] tox fixes --- radicale/auth/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index a0974296..b30a3c79 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -91,6 +91,7 @@ class BaseAuth: self._auth_delay = configuration.get("auth", "delay") logger.info("auth.delay: %f", self._auth_delay) self._failed_auth_delay = 0 + self._lock = threading.Lock() # cache_successful_logins self._cache_logins = configuration.get("auth", "cache_logins") self._type = configuration.get("auth", "type") @@ -112,7 +113,6 @@ class BaseAuth: self._cache_successful = dict() self._cache_failed = dict() self._cache_failed_logins_salt_ns = time.time_ns() - self._lock = threading.Lock() def _cache_digest(self, login: str, password: str, salt: str) -> str: h = hashlib.sha3_512() @@ -147,7 +147,7 @@ class BaseAuth: raise NotImplementedError - def _sleep_for_constant_exec_time(self, time_ns_begin): + def _sleep_for_constant_exec_time(self, time_ns_begin: int): """Sleep some time to reach a constant execution time for failed logins Independent of time required by external backend or used digest methods From ad94acddf1d7131f29d3fed02c50f006adff23f8 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 2 Jan 2025 23:19:58 +0100 Subject: [PATCH 171/361] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bade4998..53978fd0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ * Add: option [auth] htpasswd_cache to automatic re-read triggered on change (mtime or size) instead reading on each request * Improve: [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file * Improve: [auth] successful/failed login logs now type and whether result was taken from cache +* Improve: [auth] constant execution time for failed logins independent of external backend or by htpasswd used digest method ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From b1220020778d2f27df3554222345cac9e5cb2ccc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 00:41:26 +0100 Subject: [PATCH 172/361] drop support of python 3.8, fixes https://github.com/Kozea/Radicale/issues/1628 --- .github/workflows/test.yml | 4 +--- DOCUMENTATION.md | 2 +- pyproject.toml | 3 +-- setup.py.legacy | 3 +-- 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8339a975..82ac574f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -6,10 +6,8 @@ jobs: strategy: matrix: os: [ubuntu-latest, macos-latest, windows-latest] - python-version: ['3.8', '3.9', '3.10', '3.11', '3.12.3', '3.13.0', pypy-3.9] + python-version: ['3.9', '3.10', '3.11', '3.12.3', '3.13.0', pypy-3.9] exclude: - - os: windows-latest - python-version: pypy-3.8 - os: windows-latest python-version: pypy-3.9 runs-on: ${{ matrix.os }} diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 8f166e6e..1a3ba9b4 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -55,7 +55,7 @@ Follow one of the chapters below depending on your operating system. #### Linux / \*BSD -First, make sure that **python** 3.8 or later and **pip** are installed. On most distributions it should be +First, make sure that **python** 3.9 or later and **pip** are installed. On most distributions it should be enough to install the package ``python3-pip``. Then open a console and type: diff --git a/pyproject.toml b/pyproject.toml index d01e3967..15af7e1a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -17,7 +17,6 @@ classifiers = [ "License :: OSI Approved :: GNU General Public License (GPL)", "Operating System :: OS Independent", "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", @@ -28,7 +27,7 @@ classifiers = [ "Topic :: Office/Business :: Groupware", ] urls = {Homepage = "https://radicale.org/"} -requires-python = ">=3.8.0" +requires-python = ">=3.9.0" dependencies = [ "defusedxml", "passlib", diff --git a/setup.py.legacy b/setup.py.legacy index 52d74dda..c1cbe249 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -61,7 +61,7 @@ setup( install_requires=install_requires, extras_require={"test": test_requires, "bcrypt": bcrypt_requires, "ldap": ldap_requires}, keywords=["calendar", "addressbook", "CalDAV", "CardDAV"], - python_requires=">=3.8.0", + python_requires=">=3.9.0", classifiers=[ "Development Status :: 5 - Production/Stable", "Environment :: Console", @@ -71,7 +71,6 @@ setup( "License :: OSI Approved :: GNU General Public License (GPL)", "Operating System :: OS Independent", "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", From 976dfe4a3fcc71afb5de10cf50df5f89eb4a5837 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 00:42:08 +0100 Subject: [PATCH 173/361] drop Python 3.8 changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 53978fd0..bbed6051 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ * Improve: [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file * Improve: [auth] successful/failed login logs now type and whether result was taken from cache * Improve: [auth] constant execution time for failed logins independent of external backend or by htpasswd used digest method +* Drop: support for Python 3.8 ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 73f8f950d057166e7111508be1c5f802c7a2a37a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 07:19:01 +0100 Subject: [PATCH 174/361] add content from https://github.com/Kozea/Radicale/pull/1073 --- DOCUMENTATION.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index e0dd6e39..b9e46bcf 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1272,7 +1272,8 @@ Default: 10000 Radicale has been tested with: * [Android](https://android.com/) with - [DAVx⁵](https://www.davx5.com/) (formerly DAVdroid) + [DAVx⁵](https://www.davx5.com/) (formerly DAVdroid), +* [OneCalendar](https://www.onecalendar.nl/) * [GNOME Calendar](https://wiki.gnome.org/Apps/Calendar), [Contacts](https://wiki.gnome.org/Apps/Contacts) and [Evolution](https://wiki.gnome.org/Apps/Evolution) @@ -1303,6 +1304,13 @@ Enter the URL of the Radicale server (e.g. `http://localhost:5232`) and your username. DAVx⁵ will show all existing calendars and address books and you can create new. +#### OneCalendar + +When adding account, select CalDAV account type, then enter user name, password and the +Radicale server (e.g. `https://yourdomain:5232`). OneCalendar will show all +existing calendars and (FIXME: address books), you need to select which ones +you want to see. OneCalendar supports many other server types too. + #### GNOME Calendar, Contacts GNOME 46 added CalDAV and CardDAV support to _GNOME Online Accounts_. From c81e19616cb4d04b9915745cacdc7cc365631cd2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 09:14:01 +0100 Subject: [PATCH 175/361] bump dev version --- CHANGELOG.md | 2 +- pyproject.toml | 2 +- setup.py.legacy | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bbed6051..ee5e8787 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## 3.3.4.dev +## 3.4.0.dev * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins * Improve: [auth] log used hash method and result on debug for htpasswd authentication * Improve: [auth] htpasswd file now read and verified on start diff --git a/pyproject.toml b/pyproject.toml index 15af7e1a..31fecdc2 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.4.dev" +version = "3.4.0.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index c1cbe249..d61c374d 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.4.dev" +VERSION = "3.4.0.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 841df093120fb6a5c49ebc2055cad5ac309e1fac Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 09:16:22 +0100 Subject: [PATCH 176/361] changelog for https://github.com/Kozea/Radicale/pull/1666 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee5e8787..18ec7df5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ * Improve: [auth] successful/failed login logs now type and whether result was taken from cache * Improve: [auth] constant execution time for failed logins independent of external backend or by htpasswd used digest method * Drop: support for Python 3.8 +* Add: option [auth] ldap_user_attribute ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 607b3af67b91bcfc8e340cf17ce6a0d38299d15d Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Wed, 1 Jan 2025 18:09:00 +0100 Subject: [PATCH 177/361] LDAP auth: calculate attributes to query in __init__() Remove code duplication by factoring out the calculation of the LDAP query attributes out of _login2() resp. _login3() into __init__(). --- radicale/auth/ldap.py | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index ee256fed..2290794b 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -43,6 +43,7 @@ class Auth(auth.BaseAuth): _ldap_reader_dn: str _ldap_secret: str _ldap_filter: str + _ldap_attributes: list[str] = ['memberOf'] _ldap_user_attr: str _ldap_load_groups: bool _ldap_module_version: int = 3 @@ -109,6 +110,10 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_ssl_ca_file : %r" % self._ldap_ssl_ca_file) else: logger.info("auth.ldap_ssl_ca_file : (not provided)") + """Extend attributes to to be returned in the user query""" + if self._ldap_user_attr: + self._ldap_attributes.append(self._ldap_user_attr) + logger.info("ldap_attributes : %r" % self._ldap_attributes) def _login2(self, login: str, password: str) -> str: try: @@ -121,15 +126,11 @@ class Auth(auth.BaseAuth): """Search for the dn of user to authenticate""" escaped_login = self.ldap.filter.escape_filter_chars(login) logger.debug(f"_login2 login escaped for LDAP filters: {escaped_login}") - attrs = ['memberof'] - if self._ldap_user_attr: - attrs = ['memberOf', self._ldap_user_attr] - logger.debug(f"_login2 attrs: {attrs}") res = conn.search_s( self._ldap_base, self.ldap.SCOPE_SUBTREE, filterstr=self._ldap_filter.format(escaped_login), - attrlist=attrs + attrlist=self._ldap_attributes ) if len(res) != 1: """User could not be found unambiguously""" @@ -198,15 +199,11 @@ class Auth(auth.BaseAuth): """Search the user dn""" escaped_login = self.ldap3.utils.conv.escape_filter_chars(login) logger.debug(f"_login3 login escaped for LDAP filters: {escaped_login}") - attrs = ['memberof'] - if self._ldap_user_attr: - attrs = ['memberOf', self._ldap_user_attr] - logger.debug(f"_login3 attrs: {attrs}") conn.search( search_base=self._ldap_base, search_filter=self._ldap_filter.format(escaped_login), search_scope=self.ldap3.SUBTREE, - attributes=attrs + attributes=self._ldap_attributes ) if len(conn.entries) != 1: """User could not be found unambiguously""" From 1ca41e2128e792ee7644908c4c341b598f6a6fe2 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 20:43:14 +0100 Subject: [PATCH 178/361] LDAP auth: only ask for memberOf if ldap_load_groups = True Ask for the 'memberOf' attribute to be returned in the user query only if 'ldap_load_groups' is set to True. This fixes the issue that currently LDAP authentication can only be used on LDAP servers that know this non-standard (it's an Active Directory extension) attribute. Other LDAP servers either do not necessarily have the group memberships stored in the user object (e.g. OpenLDAP), or use different attributes for this purpose (e.g. Novell eDirectory uses 'groupMembership') --- radicale/auth/ldap.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 2290794b..50b2768a 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -43,7 +43,7 @@ class Auth(auth.BaseAuth): _ldap_reader_dn: str _ldap_secret: str _ldap_filter: str - _ldap_attributes: list[str] = ['memberOf'] + _ldap_attributes: list[str] = [] _ldap_user_attr: str _ldap_load_groups: bool _ldap_module_version: int = 3 @@ -111,6 +111,8 @@ class Auth(auth.BaseAuth): else: logger.info("auth.ldap_ssl_ca_file : (not provided)") """Extend attributes to to be returned in the user query""" + if self._ldap_load_groups: + self._ldap_attributes.append('memberOf') if self._ldap_user_attr: self._ldap_attributes.append(self._ldap_user_attr) logger.info("ldap_attributes : %r" % self._ldap_attributes) From 6c1445d8db794897241bf23b5e9a81b04d4cf53a Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Wed, 1 Jan 2025 20:41:55 +0100 Subject: [PATCH 179/361] LDAP auth: introduce config option 'ldap_groups_attribute' This attribute is supposed to hold the group membership information if the config option 'ldap_load_groups' is True. If not given, it defaults to 'memberOf' for Active Directory. Introducing this options allows one to use radicale's LDAP auth with groups even on LDAP servers that keep their group memberships in a different attribute than 'memberOf', e.g. Novell eDirectory which uses 'groupMembership'. --- DOCUMENTATION.md | 6 ++++++ config | 3 +++ radicale/auth/ldap.py | 10 +++++++--- radicale/config.py | 4 ++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 7c02cc58..cbca8899 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -941,6 +941,12 @@ Load the ldap groups of the authenticated user. These groups can be used later o Default: False +##### ldap_groups_attribute + +The LDAP attribute to read the group memberships from in the user's LDAP entry if `ldap_load_groups` is True. + +Default: `memberOf` + ##### ldap_use_ssl Use ssl on the ldap connection diff --git a/config b/config index ef7263a0..64fd0f9f 100644 --- a/config +++ b/config @@ -89,6 +89,9 @@ # If the ldap groups of the user need to be loaded #ldap_load_groups = True +# the attribute to read the group memberships from in the user's LDAP entry if ldap_load_groups is True. +#ldap_groups_attribute = memberOf + # The filter to find the DN of the user. This filter must contain a python-style placeholder for the login #ldap_filter = (&(objectClass=person)(uid={0})) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 50b2768a..4d576ef2 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -24,6 +24,7 @@ Following parameters are needed in the configuration: ldap_secret_file The path of the file containing the password of the ldap_reader_dn ldap_filter The search filter to find the user to authenticate by the username ldap_user_attribute The attribute to be used as username after authentication + ldap_groups_attribute The attribute containing group memberships in the LDAP user entry ldap_load_groups If the groups of the authenticated users need to be loaded Following parameters controls SSL connections: ldap_use_ssl If the connection @@ -46,6 +47,7 @@ class Auth(auth.BaseAuth): _ldap_attributes: list[str] = [] _ldap_user_attr: str _ldap_load_groups: bool + _ldap_groups_attr: str = "memberOf" _ldap_module_version: int = 3 _ldap_use_ssl: bool = False _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED @@ -70,6 +72,7 @@ class Auth(auth.BaseAuth): self._ldap_secret = configuration.get("auth", "ldap_secret") self._ldap_filter = configuration.get("auth", "ldap_filter") self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute") + self._ldap_groups_attr = configuration.get("auth", "ldap_groups_attribute") ldap_secret_file_path = configuration.get("auth", "ldap_secret_file") if ldap_secret_file_path: with open(ldap_secret_file_path, 'r') as file: @@ -92,6 +95,7 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr) else: logger.info("auth.ldap_user_attribute : (not provided)") + logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr) if ldap_secret_file_path: logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path) if self._ldap_secret: @@ -112,7 +116,7 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_ssl_ca_file : (not provided)") """Extend attributes to to be returned in the user query""" if self._ldap_load_groups: - self._ldap_attributes.append('memberOf') + self._ldap_attributes.append(self._ldap_groups_attr) if self._ldap_user_attr: self._ldap_attributes.append(self._ldap_user_attr) logger.info("ldap_attributes : %r" % self._ldap_attributes) @@ -155,7 +159,7 @@ class Auth(auth.BaseAuth): tmp: list[str] = [] if self._ldap_load_groups: tmp = [] - for g in user_entry[1]['memberOf']: + for g in user_entry[1][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" g = g.decode('utf-8').split(',')[0] tmp.append(g.partition('=')[2]) @@ -225,7 +229,7 @@ class Auth(auth.BaseAuth): tmp: list[str] = [] if self._ldap_load_groups: tmp = [] - for g in user_entry['attributes']['memberOf']: + for g in user_entry['attributes'][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" g = g.split(',')[0] tmp.append(g.partition('=')[2]) diff --git a/radicale/config.py b/radicale/config.py index 3af6c807..6b3205d1 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -251,6 +251,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "load the ldap groups of the authenticated user", "type": bool}), + ("ldap_groups_attribute", { + "value": "memberOf", + "help": "attribute to read the group memberships from", + "type": str}), ("ldap_use_ssl", { "value": "False", "help": "Use ssl on the ldap connection", From f9dd3efc3ac9b21128c5e34d9abd07b4455be0af Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Wed, 1 Jan 2025 20:52:55 +0100 Subject: [PATCH 180/361] LDAP auth: remove config option 'ldap_load_groups' The same effect can be achieved using the option 'ldap_groups_attribute' alone, if it's default becomes unset instead of 'memberOf' Benefit: one config option less to deal with. While at it, also fix header level for 'ldap_user_attribute' in documentation. --- DOCUMENTATION.md | 24 ++++++++++++------------ config | 5 +---- radicale/auth/ldap.py | 17 ++++++++--------- radicale/config.py | 6 +----- 4 files changed, 22 insertions(+), 30 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index cbca8899..8bc2554e 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -926,26 +926,26 @@ The search filter to find the user DN to authenticate by the username. User '{0} Default: `(cn={0})` -#### ldap_user_attribute +##### ldap_user_attribute The LDAP attribute whose value shall be used as the user name after successful authentication Default: not set, i.e. the login name given is used directly. -##### ldap_load_groups - -Load the ldap groups of the authenticated user. These groups can be used later on to define rights. This also gives you access to the group calendars, if they exist. -* The group calendar will be placed under collection_root_folder/GROUPS -* The name of the calendar directory is the base64 encoded group name. -* The group calendar folders will not be created automaticaly. This must be created manually. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication - -Default: False - ##### ldap_groups_attribute -The LDAP attribute to read the group memberships from in the user's LDAP entry if `ldap_load_groups` is True. +The LDAP attribute to read the group memberships from in the authenticated user's LDAP entry. -Default: `memberOf` +If set, load the LDAP group memberships from the attribute given +These memberships can be used later on to define rights. +This also gives you access to the group calendars, if they exist. +* The group calendar will be placed under collection_root_folder/GROUPS +* The name of the calendar directory is the base64 encoded group name. +* The group calendar folders will not be created automatically. This must be done manually. In the [LDAP-authentication section of Radicale's wiki](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create a group calendar. + +Use 'memberOf' if you want to load groups on Active Directory and alikes, 'groupMembership' on Novell eDirectory, ... + +Default: unset ##### ldap_use_ssl diff --git a/config b/config index 64fd0f9f..dc2dc551 100644 --- a/config +++ b/config @@ -86,10 +86,7 @@ # Path of the file containing password of the reader DN #ldap_secret_file = /run/secrets/ldap_password -# If the ldap groups of the user need to be loaded -#ldap_load_groups = True - -# the attribute to read the group memberships from in the user's LDAP entry if ldap_load_groups is True. +# the attribute to read the group memberships from in the user's LDAP entry (default: not set) #ldap_groups_attribute = memberOf # The filter to find the DN of the user. This filter must contain a python-style placeholder for the login diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 4d576ef2..cdba9f12 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -25,7 +25,6 @@ Following parameters are needed in the configuration: ldap_filter The search filter to find the user to authenticate by the username ldap_user_attribute The attribute to be used as username after authentication ldap_groups_attribute The attribute containing group memberships in the LDAP user entry - ldap_load_groups If the groups of the authenticated users need to be loaded Following parameters controls SSL connections: ldap_use_ssl If the connection ldap_ssl_verify_mode The certificate verification mode. NONE, OPTIONAL, default is REQUIRED @@ -46,8 +45,7 @@ class Auth(auth.BaseAuth): _ldap_filter: str _ldap_attributes: list[str] = [] _ldap_user_attr: str - _ldap_load_groups: bool - _ldap_groups_attr: str = "memberOf" + _ldap_groups_attr: str _ldap_module_version: int = 3 _ldap_use_ssl: bool = False _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED @@ -68,7 +66,6 @@ class Auth(auth.BaseAuth): self._ldap_uri = configuration.get("auth", "ldap_uri") self._ldap_base = configuration.get("auth", "ldap_base") self._ldap_reader_dn = configuration.get("auth", "ldap_reader_dn") - self._ldap_load_groups = configuration.get("auth", "ldap_load_groups") self._ldap_secret = configuration.get("auth", "ldap_secret") self._ldap_filter = configuration.get("auth", "ldap_filter") self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute") @@ -89,13 +86,15 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_uri : %r" % self._ldap_uri) logger.info("auth.ldap_base : %r" % self._ldap_base) logger.info("auth.ldap_reader_dn : %r" % self._ldap_reader_dn) - logger.info("auth.ldap_load_groups : %s" % self._ldap_load_groups) logger.info("auth.ldap_filter : %r" % self._ldap_filter) if self._ldap_user_attr: logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr) else: logger.info("auth.ldap_user_attribute : (not provided)") - logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr) + if self._ldap_groups_attr: + logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr) + else: + logger.info("auth.ldap_groups_attribute: (not provided)") if ldap_secret_file_path: logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path) if self._ldap_secret: @@ -115,7 +114,7 @@ class Auth(auth.BaseAuth): else: logger.info("auth.ldap_ssl_ca_file : (not provided)") """Extend attributes to to be returned in the user query""" - if self._ldap_load_groups: + if self._ldap_groups_attr: self._ldap_attributes.append(self._ldap_groups_attr) if self._ldap_user_attr: self._ldap_attributes.append(self._ldap_user_attr) @@ -157,7 +156,7 @@ class Auth(auth.BaseAuth): conn.set_option(self.ldap.OPT_REFERRALS, 0) conn.simple_bind_s(user_dn, password) tmp: list[str] = [] - if self._ldap_load_groups: + if self._ldap_groups_attr: tmp = [] for g in user_entry[1][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" @@ -227,7 +226,7 @@ class Auth(auth.BaseAuth): logger.debug(f"_login3 user '{login}' cannot be found") return "" tmp: list[str] = [] - if self._ldap_load_groups: + if self._ldap_groups_attr: tmp = [] for g in user_entry['attributes'][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" diff --git a/radicale/config.py b/radicale/config.py index 6b3205d1..ed294812 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -247,12 +247,8 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "", "help": "the attribute to be used as username after authentication", "type": str}), - ("ldap_load_groups", { - "value": "False", - "help": "load the ldap groups of the authenticated user", - "type": bool}), ("ldap_groups_attribute", { - "value": "memberOf", + "value": "", "help": "attribute to read the group memberships from", "type": str}), ("ldap_use_ssl", { From d6c4e6487aa79f071d216a8615cd97c9d6867117 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Thu, 2 Jan 2025 14:23:15 +0100 Subject: [PATCH 181/361] LDAP auth: flexibilize parsing of 'ldap_groups_attribute' Use helper methods from the LDAP modules to get individual elements (like in our case the RDN value) out of attributes with DN syntax in a standard compliant way instead fiddling around ourselves. If these methods fail, fall back to using the whole attribute value, which allows us to also use attributes with non-DN syntax for groups and permissions. --- radicale/auth/ldap.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index cdba9f12..a4c73808 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -160,8 +160,11 @@ class Auth(auth.BaseAuth): tmp = [] for g in user_entry[1][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" - g = g.decode('utf-8').split(',')[0] - tmp.append(g.partition('=')[2]) + try: + rdns = self.ldap.dn.explode_dn(g, notypes=True) + tmp.append(rdns[0]) + except Exception: + tmp.append(g.decode('utf8')) self._ldap_groups = set(tmp) logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups)) if self._ldap_user_attr: @@ -230,8 +233,11 @@ class Auth(auth.BaseAuth): tmp = [] for g in user_entry['attributes'][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" - g = g.split(',')[0] - tmp.append(g.partition('=')[2]) + try: + rdns = self.ldap3.utils.dn.parse_dn(g) + tmp.append(rdns[0][1]) + except Exception: + tmp.append(g) self._ldap_groups = set(tmp) logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups)) if self._ldap_user_attr: From 5ebaf4ef1cf1bef9c265f79c485e6d512b325d5d Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Fri, 3 Jan 2025 21:56:25 +0100 Subject: [PATCH 182/361] changelog for https://github.com/Kozea/Radicale/pull/1669 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 18ec7df5..75ee148a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ * Improve: [auth] constant execution time for failed logins independent of external backend or by htpasswd used digest method * Drop: support for Python 3.8 * Add: option [auth] ldap_user_attribute +* Add: option [auth] ldap_groups_attribute as a more flexible replacement of removed ldap_load_groups ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 8172b8707749ab137455fe3d101206ffa15d7c64 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 9 Jan 2025 20:06:57 +0100 Subject: [PATCH 183/361] 3.4.0 --- CHANGELOG.md | 2 +- pyproject.toml | 2 +- setup.py.legacy | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 75ee148a..f4e3d890 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## 3.4.0.dev +## 3.4.0 * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins * Improve: [auth] log used hash method and result on debug for htpasswd authentication * Improve: [auth] htpasswd file now read and verified on start diff --git a/pyproject.toml b/pyproject.toml index 31fecdc2..3193379d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.4.0.dev" +version = "3.4.0" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index d61c374d..ff0a5e7d 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.4.0.dev" +VERSION = "3.4.0" with open("README.md", encoding="utf-8") as f: long_description = f.read() From be64e57ae880acc3a14273ed3db2e42a2ec2dee3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 9 Jan 2025 22:50:51 +0100 Subject: [PATCH 184/361] fix topic level --- DOCUMENTATION.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 8bc2554e..32f659cb 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1267,20 +1267,20 @@ Available types: Default: `none` -#### rabbitmq_endpoint +##### rabbitmq_endpoint End-point address for rabbitmq server. Ex: amqp://user:password@localhost:5672/ Default: -#### rabbitmq_topic +##### rabbitmq_topic RabbitMQ topic to publish message. Default: -#### rabbitmq_queue_type +##### rabbitmq_queue_type RabbitMQ queue type for the topic. From 1634ce94988aca1412fe06dd93ae4d3ee8739e0c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 9 Jan 2025 23:08:01 +0100 Subject: [PATCH 185/361] add note about install --- DOCUMENTATION.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 32f659cb..a08dc2cc 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -20,7 +20,7 @@ Radicale is a small but powerful CalDAV (calendars, to-do lists) and CardDAV #### Installation -Radicale is really easy to install and works out-of-the-box. +Radicale is really easy to install (for testing purposes) and works out-of-the-box. ```bash python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz @@ -33,6 +33,8 @@ You can login with any username and password. Want more? Check the [tutorials](#tutorials) and the [documentation](#documentation-1). +Instead of downloading from PyPI look for packages provided by used distribution (#linux-distribution-packages), they contain also startup scripts to run daemonized. + #### What's New? Read the From 08a35b19c8b6e378d582f6403c78b914e97a743f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 10 Jan 2025 07:21:26 +0100 Subject: [PATCH 186/361] doc bugfix --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index a08dc2cc..969f8235 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -33,7 +33,7 @@ You can login with any username and password. Want more? Check the [tutorials](#tutorials) and the [documentation](#documentation-1). -Instead of downloading from PyPI look for packages provided by used distribution (#linux-distribution-packages), they contain also startup scripts to run daemonized. +Instead of downloading from PyPI look for packages provided by used [distribution](#linux-distribution-packages), they contain also startup scripts to run daemonized. #### What's New? From 1c77fd819f4a502922c940b4b514bbd2ebde5b10 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 12 Jan 2025 06:09:45 +0100 Subject: [PATCH 187/361] add missing dovecot option --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index dc2dc551..ee187339 100644 --- a/config +++ b/config @@ -59,7 +59,7 @@ [auth] # Authentication method -# Value: none | htpasswd | remote_user | http_x_remote_user | ldap | denyall +# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | denyall #type = none # Cache logins for until expiration time From 3f04914de49ee052bf868a6c118c126d03612149 Mon Sep 17 00:00:00 2001 From: HmBMvXXiSivMcLGFWoqc <> Date: Mon, 13 Jan 2025 23:10:18 -0800 Subject: [PATCH 188/361] Add support for Dovecot auth over network --- radicale/auth/__init__.py | 2 ++ radicale/auth/dovecot.py | 21 ++++++++++++++++----- radicale/config.py | 15 ++++++++++++++- 3 files changed, 32 insertions(+), 6 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index b30a3c79..8bc8ffad 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -43,6 +43,8 @@ INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user", "ldap", "dovecot") +AUTH_SOCKET_FAMILY: Sequence[str] = ("AF_UNIX", "AF_INET", "AF_INET6") + def load(configuration: "config.Configuration") -> "BaseAuth": """Load the authentication module chosen in configuration.""" diff --git a/radicale/auth/dovecot.py b/radicale/auth/dovecot.py index ce2353a0..340253c1 100644 --- a/radicale/auth/dovecot.py +++ b/radicale/auth/dovecot.py @@ -28,10 +28,21 @@ from radicale.log import logger class Auth(auth.BaseAuth): def __init__(self, configuration): super().__init__(configuration) - self.socket = configuration.get("auth", "dovecot_socket") self.timeout = 5 self.request_id_gen = itertools.count(1) + config_family = configuration.get("auth", "dovecot_connection_type") + if config_family == "AF_UNIX": + self.family = socket.AF_UNIX + self.address = configuration.get("auth", "dovecot_socket") + return + + self.address = configuration.get("auth", "dovecot_host"), configuration.get("auth", "dovecot_port") + if config_family == "AF_INET": + self.family = socket.AF_INET + else: + self.family = socket.AF_INET6 + def _login(self, login, password): """Validate credentials. @@ -49,12 +60,12 @@ class Auth(auth.BaseAuth): return "" with closing(socket.socket( - socket.AF_UNIX, + self.family, socket.SOCK_STREAM) ) as sock: try: sock.settimeout(self.timeout) - sock.connect(self.socket) + sock.connect(self.address) buf = bytes() supported_mechs = [] @@ -171,8 +182,8 @@ class Auth(auth.BaseAuth): except socket.error as e: logger.fatal( - "Failed to communicate with Dovecot socket %r: %s" % - (self.socket, e) + "Failed to communicate with Dovecot: %s" % + (e) ) return "" diff --git a/radicale/config.py b/radicale/config.py index ed294812..743fe926 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -207,10 +207,23 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "enable caching of htpasswd file", "type": bool}), + ("dovecot_connection_type", { + "value": "AF_UNIX", + "help": "Connection type for dovecot authentication", + "type": str_or_callable, + "internal": auth.AUTH_SOCKET_FAMILY}), ("dovecot_socket", { "value": "/var/run/dovecot/auth-client", - "help": "dovecot auth socket", + "help": "dovecot auth AF_UNIX socket", "type": str}), + ("dovecot_host", { + "value": "", + "help": "dovecot auth AF_INET or AF_INET6 host", + "type": str}), + ("dovecot_port", { + "value": "12345", + "help": "dovecot auth port", + "type": int}), ("realm", { "value": "Radicale - Password Required", "help": "message displayed when a password is needed", From dd9bb2beff1272324963d6e33dc748695d394165 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 14 Jan 2025 08:48:58 +0100 Subject: [PATCH 189/361] 3.4.1.dev --- CHANGELOG.md | 2 ++ pyproject.toml | 2 +- setup.py.legacy | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f4e3d890..7f8b21ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ # Changelog +## 3.4.1.dev + ## 3.4.0 * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins * Improve: [auth] log used hash method and result on debug for htpasswd authentication diff --git a/pyproject.toml b/pyproject.toml index 3193379d..c72edc8d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.4.0" +version = "3.4.1.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index ff0a5e7d..a5068002 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -1,7 +1,7 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2009-2017 Guillaume Ayoub # Copyright © 2017-2018 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.4.0" +VERSION = "3.4.1.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From ed6a5a834e46d7acb33871a5a1d7aeb50fc9ff85 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 14 Jan 2025 08:57:15 +0100 Subject: [PATCH 190/361] add proper default for dovecot_host --- radicale/config.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/config.py b/radicale/config.py index 743fe926..86970732 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -3,7 +3,7 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2017-2020 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -217,7 +217,7 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "help": "dovecot auth AF_UNIX socket", "type": str}), ("dovecot_host", { - "value": "", + "value": "localhost", "help": "dovecot auth AF_INET or AF_INET6 host", "type": str}), ("dovecot_port", { From a93af6f17794f9667ffe0ef1df97fa5f22036c2a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 14 Jan 2025 08:57:35 +0100 Subject: [PATCH 191/361] update changelog and doc and config for https://github.com/Kozea/Radicale/pull/1678 --- CHANGELOG.md | 1 + DOCUMENTATION.md | 22 +++++++++++++++++++++- config | 13 +++++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f8b21ad..f0b8cbc8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # Changelog ## 3.4.1.dev +* Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port ## 3.4.0 * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 969f8235..a68cc2c4 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -967,11 +967,31 @@ The path to the CA file in pem format which is used to certificate the server ce Default: +##### dovecot_connection_type = AF_UNIX + +Connection type for dovecot authentication (AF_UNIX|AF_INET|AF_INET6) + +Note: credentials are transmitted in cleartext + +Default: `AF_UNIX` + ##### dovecot_socket The path to the Dovecot client authentication socket (eg. /run/dovecot/auth-client on Fedora). Radicale must have read / write access to the socket. -Default: +Default: `/var/run/dovecot/auth-client` + +##### dovecot_host + +Host of via network exposed dovecot socket + +Default: `localhost` + +##### dovecot_port + +Port of via network exposed dovecot socket + +Default: `12345` ##### lc_username diff --git a/config b/config index ee187339..a0f6cfa7 100644 --- a/config +++ b/config @@ -104,6 +104,19 @@ # The path to the CA file in pem format which is used to certificate the server certificate #ldap_ssl_ca_file = +# Connection type for dovecot authentication (AF_UNIX|AF_INET|AF_INET6) +# Note: credentials are transmitted in cleartext +#dovecot_connection_type = AF_UNIX + +# The path to the Dovecot client authentication socket (eg. /run/dovecot/auth-client on Fedora). Radicale must have read / write access to the socket. +#dovecot_socket = /var/run/dovecot/auth-client + +# Host of via network exposed dovecot socket +#dovecot_host = localhost + +# Port of via network exposed dovecot socket +#dovecot_port = 12345 + # Htpasswd filename #htpasswd_filename = /etc/radicale/users From 3e18644423430cb81fecc9601c7f8130c95fda00 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 05:59:52 +0100 Subject: [PATCH 192/361] imap: changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f0b8cbc8..cb7952a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## 3.4.1.dev * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port +* Add: option [auth] type imap by code migration from https://github.com/Unrud/RadicaleIMAP/ ## 3.4.0 * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins From c24659c5ec01708d634dcf1cc6d32d8e69aa1a17 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:01:01 +0100 Subject: [PATCH 193/361] imap: doc and default config --- DOCUMENTATION.md | 15 +++++++++++++++ config | 8 ++++++++ 2 files changed, 23 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index a68cc2c4..ddfaa547 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -812,6 +812,9 @@ Available backends: `dovecot` : Use a local Dovecot server to authenticate users. +`imap` +: Use a IMAP server to authenticate users. + Default: `none` ##### cache_logins @@ -993,6 +996,18 @@ Port of via network exposed dovecot socket Default: `12345` +##### imap_host + +IMAP server hostname: address | address:port | [address]:port | imap.server.tld + +Default: `localhost` + +##### imap_security + +Secure the IMAP connection: tls | starttls | none + +Default: `tls` + ##### lc_username Сonvert username to lowercase, must be true for case-insensitive auth diff --git a/config b/config index a0f6cfa7..c775a3c1 100644 --- a/config +++ b/config @@ -117,6 +117,14 @@ # Port of via network exposed dovecot socket #dovecot_port = 12345 +# IMAP server hostname +# Syntax: address | address:port | [address]:port | imap.server.tld +#imap_host = localhost + +# Secure the IMAP connection +# Value: tls | starttls | none +#imap_security = tls + # Htpasswd filename #htpasswd_filename = /etc/radicale/users From 72c7d32e44060ca70e1903b8cadeab29d3a1c8c9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:01:29 +0100 Subject: [PATCH 194/361] dovecot: extend doc --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index ddfaa547..30566c33 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -810,7 +810,7 @@ Available backends: : Use a LDAP or AD server to authenticate users. `dovecot` -: Use a local Dovecot server to authenticate users. +: Use a Dovecot server to authenticate users. `imap` : Use a IMAP server to authenticate users. From 50b76f71143d9b79a0b12106d9016bcc52b7cc17 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:02:06 +0100 Subject: [PATCH 195/361] imap: config parse --- radicale/auth/__init__.py | 10 +++++++++- radicale/config.py | 31 +++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 8bc8ffad..71854e2a 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -41,8 +41,16 @@ INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user", "denyall", "htpasswd", "ldap", + "imap", "dovecot") +CACHE_LOGIN_TYPES: Sequence[str] = ( + "dovecot", + "ldap", + "htpasswd", + "imap", + ) + AUTH_SOCKET_FAMILY: Sequence[str] = ("AF_UNIX", "AF_INET", "AF_INET6") @@ -97,7 +105,7 @@ class BaseAuth: # cache_successful_logins self._cache_logins = configuration.get("auth", "cache_logins") self._type = configuration.get("auth", "type") - if (self._type in ["dovecot", "ldap", "htpasswd"]) or (self._cache_logins is False): + if (self._type in CACHE_LOGIN_TYPES) or (self._cache_logins is False): logger.info("auth.cache_logins: %s", self._cache_logins) else: logger.info("auth.cache_logins: %s (but not required for type '%s' and disabled therefore)", self._cache_logins, self._type) diff --git a/radicale/config.py b/radicale/config.py index 86970732..9b4e9af4 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -104,6 +104,29 @@ def _convert_to_bool(value: Any) -> bool: return RawConfigParser.BOOLEAN_STATES[value.lower()] +def imap_address(value): + if "]" in value: + pre_address, pre_address_port = value.rsplit("]", 1) + else: + pre_address, pre_address_port = "", value + if ":" in pre_address_port: + pre_address2, port = pre_address_port.rsplit(":", 1) + address = pre_address + pre_address2 + else: + address, port = pre_address + pre_address_port, None + try: + return (address.strip(string.whitespace + "[]"), + None if port is None else int(port)) + except ValueError: + raise ValueError("malformed IMAP address: %r" % value) + + +def imap_security(value): + if value not in ("tls", "starttls", "none"): + raise ValueError("unsupported IMAP security: %r" % value) + return value + + def json_str(value: Any) -> dict: if not value: return {} @@ -276,6 +299,14 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "", "help": "The path to the CA file in pem format which is used to certificate the server certificate", "type": str}), + ("imap_host", { + "value": "localhost", + "help": "IMAP server hostname: address|address:port|[address]:port|*localhost*", + "type": imap_address}), + ("imap_security", { + "value": "tls", + "help": "Secure the IMAP connection: *tls*|starttls|none", + "type": imap_security}), ("strip_domain", { "value": "False", "help": "strip domain from username", From bc939522dc3ad3b56026d23234ac06a2008e5847 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:02:22 +0100 Subject: [PATCH 196/361] imap: migrate from https://github.com/Unrud/RadicaleIMAP/ --- radicale/auth/imap.py | 71 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 radicale/auth/imap.py diff --git a/radicale/auth/imap.py b/radicale/auth/imap.py new file mode 100644 index 00000000..66b67935 --- /dev/null +++ b/radicale/auth/imap.py @@ -0,0 +1,71 @@ +# RadicaleIMAP IMAP authentication plugin for Radicale. +# Copyright © 2017, 2020 Unrud +# Copyright © 2025-2025 Peter Bieringer +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import imaplib +import ssl +import string + +from radicale import auth +from radicale.log import logger + + +class Auth(auth.BaseAuth): + """Authenticate user with IMAP.""" + + def __init__(self, configuration) -> None: + super().__init__(configuration) + self._host, self._port = self.configuration.get("auth", "imap_host") + logger.info("auth imap host: %r", self._host) + self._security = self.configuration.get("auth", "imap_security") + if self._security == "none": + logger.info("auth imap security: %s (INSECURE, credentials are transmitted in clear text)", self._security) + else: + logger.info("auth imap security: %s", self._security) + if self._security == "tls": + if self._port is None: + self._port = 993 + logger.info("auth imap port (autoselected): %d", self._port) + else: + logger.info("auth imap port: %d", self._port) + else: + if self._port is None: + self._port = 143 + logger.info("auth imap port (autoselected): %d", self._port) + else: + logger.info("auth imap port: %d", self._port) + + def _login(self, login, password) -> str: + try: + if self._security == "tls": + connection = imaplib.IMAP4_SSL( + host=self._host, port=self._port, + ssl_context=ssl.create_default_context()) + else: + connection = imaplib.IMAP4(host=self._host, port=self._port) + if self._security == "starttls": + connection.starttls(ssl.create_default_context()) + try: + connection.login(login, password) + except imaplib.IMAP4.error as e: + logger.warning("IMAP authentication failed for user %r: %s", login, e, exc_info=False) + return "" + connection.logout() + return login + except (OSError, imaplib.IMAP4.error) as e: + logger.error("Failed to communicate with IMAP server %r: " + "%s" % ("[%s]:%d" % (self._host, self._port), e)) + return "" From e80bf589012a8fcb4864c439f709fe8d97682521 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:05:14 +0100 Subject: [PATCH 197/361] imap: flake8 fixes --- radicale/auth/imap.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/radicale/auth/imap.py b/radicale/auth/imap.py index 66b67935..0f78bca9 100644 --- a/radicale/auth/imap.py +++ b/radicale/auth/imap.py @@ -17,7 +17,6 @@ import imaplib import ssl -import string from radicale import auth from radicale.log import logger @@ -66,6 +65,5 @@ class Auth(auth.BaseAuth): connection.logout() return login except (OSError, imaplib.IMAP4.error) as e: - logger.error("Failed to communicate with IMAP server %r: " - "%s" % ("[%s]:%d" % (self._host, self._port), e)) + logger.error("Failed to communicate with IMAP server %r: %s" % ("[%s]:%d" % (self._host, self._port), e)) return "" From 3df5d28432e76a269d2212949b8fc81e07229a16 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:11:57 +0100 Subject: [PATCH 198/361] imap: mypy fix --- radicale/auth/imap.py | 1 + 1 file changed, 1 insertion(+) diff --git a/radicale/auth/imap.py b/radicale/auth/imap.py index 0f78bca9..8b3c2972 100644 --- a/radicale/auth/imap.py +++ b/radicale/auth/imap.py @@ -49,6 +49,7 @@ class Auth(auth.BaseAuth): def _login(self, login, password) -> str: try: + connection: imaplib.IMAP4 | imaplib.IMAP4_SSL if self._security == "tls": connection = imaplib.IMAP4_SSL( host=self._host, port=self._port, From 26637a1240bfb839ab5e52a342807dc481641628 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 20 Jan 2025 06:31:56 +0100 Subject: [PATCH 199/361] add logging entries for dovecot, adjust for imap --- radicale/auth/dovecot.py | 3 +++ radicale/auth/imap.py | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/radicale/auth/dovecot.py b/radicale/auth/dovecot.py index 340253c1..b3f3fb81 100644 --- a/radicale/auth/dovecot.py +++ b/radicale/auth/dovecot.py @@ -1,6 +1,7 @@ # This file is part of Radicale Server - Calendar Server # Copyright © 2014 Giel van Schijndel # Copyright © 2019 (GalaxyMaster) +# Copyright © 2025-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -35,9 +36,11 @@ class Auth(auth.BaseAuth): if config_family == "AF_UNIX": self.family = socket.AF_UNIX self.address = configuration.get("auth", "dovecot_socket") + logger.info("auth dovecot socket: %r", self.address) return self.address = configuration.get("auth", "dovecot_host"), configuration.get("auth", "dovecot_port") + logger.warning("auth dovecot address: %r (INSECURE, credentials are transmitted in clear text)", self.address) if config_family == "AF_INET": self.family = socket.AF_INET else: diff --git a/radicale/auth/imap.py b/radicale/auth/imap.py index 8b3c2972..3fdbaa70 100644 --- a/radicale/auth/imap.py +++ b/radicale/auth/imap.py @@ -31,7 +31,7 @@ class Auth(auth.BaseAuth): logger.info("auth imap host: %r", self._host) self._security = self.configuration.get("auth", "imap_security") if self._security == "none": - logger.info("auth imap security: %s (INSECURE, credentials are transmitted in clear text)", self._security) + logger.warning("auth imap security: %s (INSECURE, credentials are transmitted in clear text)", self._security) else: logger.info("auth imap security: %s", self._security) if self._security == "tls": From 98e65d88a4753a6d869165fad261b5240307f2f3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 26 Jan 2025 08:15:14 +0100 Subject: [PATCH 200/361] release 3.4.1 --- CHANGELOG.md | 2 +- pyproject.toml | 2 +- setup.py.legacy | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cb7952a7..620073c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## 3.4.1.dev +## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port * Add: option [auth] type imap by code migration from https://github.com/Unrud/RadicaleIMAP/ diff --git a/pyproject.toml b/pyproject.toml index c72edc8d..5784971a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.4.1.dev" +version = "3.4.1" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index a5068002..547f9dda 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.4.1.dev" +VERSION = "3.4.1" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 780aaa7e3e349d46236ae72defcfcf4eccb12245 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 26 Jan 2025 12:10:37 +0100 Subject: [PATCH 201/361] clarify quick installation guides --- DOCUMENTATION.md | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 30566c33..84b3a0cf 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -23,7 +23,8 @@ Radicale is a small but powerful CalDAV (calendars, to-do lists) and CardDAV Radicale is really easy to install (for testing purposes) and works out-of-the-box. ```bash -python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz +# Run as normal user +python3 -m pip install --user --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz python3 -m radicale --logging-level info --storage-filesystem-folder=~/.var/lib/radicale/collections ``` @@ -63,10 +64,20 @@ enough to install the package ``python3-pip``. Then open a console and type: ```bash -# Run the following command as root or -# add the --user argument to only install for the current user -$ python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz -$ python3 -m radicale --storage-filesystem-folder=~/.var/lib/radicale/collections +# Run the following command to only install for the current user +# data is also stored for the current user only +python3 -m pip install --user --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz +python3 -m radicale --storage-filesystem-folder=~/.var/lib/radicale/collections +``` + +Alternative one can install as root or system user + +```bash +# Run the following command as root +# or non-root system user (can require --user in case of dependencies are not available system-wide) +# requires existence of and write permissions to /var/lib/radicale/collections +python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz +python3 -m radicale --storage-filesystem-folder=/var/lib/radicale/collections ``` Victory! Open in your browser! From 30389f45255ada48a5a80fee05297ca373bf2a37 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 08:29:02 +0100 Subject: [PATCH 202/361] initial from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/radicale_auth_oauth2/__init__.py --- radicale/auth/oauth2.py | 44 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 radicale/auth/oauth2.py diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py new file mode 100644 index 00000000..4efde374 --- /dev/null +++ b/radicale/auth/oauth2.py @@ -0,0 +1,44 @@ +""" +Authentication backend that checks credentials against an oauth2 server auth endpoint +""" + +from radicale import auth +from radicale.log import logger +import requests +from requests.utils import quote + + +class Auth(auth.BaseAuth): + def __init__(self, configuration): + super().__init__(configuration) + self._endpoint = configuration.get("auth", "oauth2_token_endpoint") + logger.warning("Using oauth2 token endpoint: %s" % (self._endpoint)) + + def login(self, login, password): + """Validate credentials. + Sends login credentials to oauth auth endpoint and checks that a token is returned + """ + try: + # authenticate to authentication endpoint and return login if ok, else "" + req_params = { + "username": login, + "password": password, + "grant_type": "password", + "client_id": "radicale", + } + req_headers = {"Content-Type": "application/x-www-form-urlencoded"} + response = requests.post( + self._endpoint, data=req_params, headers=req_headers + ) + if ( + response.status_code == requests.codes.ok + and "access_token" in response.json() + ): + return login + except OSError as e: + raise RuntimeError( + "Failed to authenticate against oauth server %r: %s" + % (self._endpoint, e) + ) from e + logger.warning("User %s failed to authenticate" % (str(login))) + return "" From 063883797ce703c4b862b74ea56f92b6435caa94 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 08:32:42 +0100 Subject: [PATCH 203/361] add copyright --- radicale/auth/oauth2.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py index 4efde374..cfa5dbe5 100644 --- a/radicale/auth/oauth2.py +++ b/radicale/auth/oauth2.py @@ -1,3 +1,25 @@ +# This file is part of Radicale Server - Calendar Server +# +# Original from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/ +# Copyright © 2021-2022 Bruno Boiget +# Copyright © 2022-2022 Daniel Dehennin +# +# Since migration into upstream +# Copyright © 2025-2025 Peter Bieringer +# +# This library is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Radicale. If not, see . + """ Authentication backend that checks credentials against an oauth2 server auth endpoint """ From 937acf38f7f26c578c8a6ae912d1d9d4fce6e26b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 08:33:49 +0100 Subject: [PATCH 204/361] oauth2 config check improvement --- radicale/auth/oauth2.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py index cfa5dbe5..644bdb8a 100644 --- a/radicale/auth/oauth2.py +++ b/radicale/auth/oauth2.py @@ -29,12 +29,14 @@ from radicale.log import logger import requests from requests.utils import quote - class Auth(auth.BaseAuth): def __init__(self, configuration): super().__init__(configuration) self._endpoint = configuration.get("auth", "oauth2_token_endpoint") - logger.warning("Using oauth2 token endpoint: %s" % (self._endpoint)) + if not self._endpoint: + logger.error("auth.oauth2_token_endpoint URL missing") + raise RuntimeError("OAuth2 token endpoint URL is required") + logger.info("auth OAuth2 token endpoint: %s" % (self._endpoint)) def login(self, login, password): """Validate credentials. From e28b719233a58b04517abfda2e206cc520a8a15a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:01:40 +0100 Subject: [PATCH 205/361] oauth2 example config --- config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config b/config index c775a3c1..ba53ef3e 100644 --- a/config +++ b/config @@ -125,6 +125,9 @@ # Value: tls | starttls | none #imap_security = tls +# OAuth2 token endpoint URL +#oauth2_token_endpoint = + # Htpasswd filename #htpasswd_filename = /etc/radicale/users From 87dc5538d201e3e2587d70fcf5a84e0953c7a4d4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:01:58 +0100 Subject: [PATCH 206/361] oauth2 module enabling --- radicale/auth/__init__.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 71854e2a..e92272f8 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -42,6 +42,7 @@ INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user", "htpasswd", "ldap", "imap", + "oauth2", "dovecot") CACHE_LOGIN_TYPES: Sequence[str] = ( @@ -49,6 +50,7 @@ CACHE_LOGIN_TYPES: Sequence[str] = ( "ldap", "htpasswd", "imap", + "oauth2", ) AUTH_SOCKET_FAMILY: Sequence[str] = ("AF_UNIX", "AF_INET", "AF_INET6") From 23a68b2fb1a923aa23be3296ca43ef4d00248388 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:03:25 +0100 Subject: [PATCH 207/361] extend mypy options --- pyproject.toml | 2 +- setup.cfg.legacy | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 5784971a..16d539fc 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -72,7 +72,7 @@ skip_install = true [tool.tox.env.mypy] deps = ["mypy==1.11.0"] -commands = [["mypy", "."]] +commands = [["mypy", "--install-types", "--non-interactive", "."]] skip_install = true diff --git a/setup.cfg.legacy b/setup.cfg.legacy index 94a39915..e27241b4 100644 --- a/setup.cfg.legacy +++ b/setup.cfg.legacy @@ -24,7 +24,7 @@ skip_install = True [testenv:mypy] deps = mypy==1.11.0 -commands = mypy . +commands = mypy --install-types --non-interactive . skip_install = True [tool:isort] From 04523e50874d72e8b489b2e56780f706bda07730 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:03:42 +0100 Subject: [PATCH 208/361] oauth2 config option --- radicale/config.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/radicale/config.py b/radicale/config.py index 9b4e9af4..5f46022e 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -307,6 +307,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "tls", "help": "Secure the IMAP connection: *tls*|starttls|none", "type": imap_security}), + ("oauth2_token_endpoint", { + "value": "", + "help": "OAuth2 token endpoint URL", + "type": str}), ("strip_domain", { "value": "False", "help": "strip domain from username", From 7b6146405f014adf1c3073b6f84e44f0ce5a8a12 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:04:06 +0100 Subject: [PATCH 209/361] make tox happy --- radicale/auth/oauth2.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py index 644bdb8a..c9ae4359 100644 --- a/radicale/auth/oauth2.py +++ b/radicale/auth/oauth2.py @@ -24,10 +24,11 @@ Authentication backend that checks credentials against an oauth2 server auth endpoint """ +import requests + from radicale import auth from radicale.log import logger -import requests -from requests.utils import quote + class Auth(auth.BaseAuth): def __init__(self, configuration): From d2be086cd1de73df1ebb7270f40b2e8bc0b0db05 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:04:20 +0100 Subject: [PATCH 210/361] oauth2 adjustments to radicale changes in the past --- radicale/auth/oauth2.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py index c9ae4359..7ca5eb9d 100644 --- a/radicale/auth/oauth2.py +++ b/radicale/auth/oauth2.py @@ -39,9 +39,9 @@ class Auth(auth.BaseAuth): raise RuntimeError("OAuth2 token endpoint URL is required") logger.info("auth OAuth2 token endpoint: %s" % (self._endpoint)) - def login(self, login, password): + def _login(self, login, password): """Validate credentials. - Sends login credentials to oauth auth endpoint and checks that a token is returned + Sends login credentials to oauth token endpoint and checks that a token is returned """ try: # authenticate to authentication endpoint and return login if ok, else "" From e0d20edbcd8116790dd02b387b04177c6ca46e69 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:04:42 +0100 Subject: [PATCH 211/361] oauth2 do not throw exception in case server is not reachable --- radicale/auth/oauth2.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py index 7ca5eb9d..838a786e 100644 --- a/radicale/auth/oauth2.py +++ b/radicale/auth/oauth2.py @@ -61,9 +61,6 @@ class Auth(auth.BaseAuth): ): return login except OSError as e: - raise RuntimeError( - "Failed to authenticate against oauth server %r: %s" - % (self._endpoint, e) - ) from e - logger.warning("User %s failed to authenticate" % (str(login))) + logger.critical("Failed to authenticate against OAuth2 server %s: %s" % (self._endpoint, e)) + logger.warning("User failed to authenticate using OAuth2: %r" % login) return "" From cfcfbbd231cc4ba48102fb7f436149841eae674c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:08:57 +0100 Subject: [PATCH 212/361] oauth2 changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 620073c1..3a1d896e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 3.4.2.dev + +* Add: option [auth] type oauth2 by code migration from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/ + ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port * Add: option [auth] type imap by code migration from https://github.com/Unrud/RadicaleIMAP/ From f3a7641baa73a96feeab51bdd795716520b35083 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:09:08 +0100 Subject: [PATCH 213/361] 3.4.2.dev --- pyproject.toml | 2 +- setup.py.legacy | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 16d539fc..eac75049 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.4.1" +version = "3.4.2.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index 547f9dda..09d323a9 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.4.1" +VERSION = "3.4.2.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 6f68a64855b2d2e266fa23d8fca11363410c94de Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:14:04 +0100 Subject: [PATCH 214/361] oauth2 doc --- DOCUMENTATION.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 84b3a0cf..c2e586ef 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -824,7 +824,10 @@ Available backends: : Use a Dovecot server to authenticate users. `imap` -: Use a IMAP server to authenticate users. +: Use an IMAP server to authenticate users. + +`oauth2` +: Use an OAuth2 server to authenticate users. Default: `none` @@ -1019,6 +1022,12 @@ Secure the IMAP connection: tls | starttls | none Default: `tls` +##### oauth2_token_endpoint + +OAuth2 token endpoint URL + +Default: + ##### lc_username Сonvert username to lowercase, must be true for case-insensitive auth From 938f6a97fdd670049dee91ede9d2a1fcfae0db1d Mon Sep 17 00:00:00 2001 From: Rob Aguilar Date: Thu, 6 Feb 2025 21:56:03 -0500 Subject: [PATCH 215/361] Update DOCUMENTATION.md Corrected the method override in the authentication plugin example. The original example suggested overriding login(), but BaseAuth expects _login() to be implemented instead. Overriding login() causes a Too many values to unpack error. --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index c2e586ef..b9c4c572 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1819,7 +1819,7 @@ class Auth(BaseAuth): def __init__(self, configuration): super().__init__(configuration.copy(PLUGIN_CONFIG_SCHEMA)) - def login(self, login, password): + def _login(self, login, password): # Get password from configuration option static_password = self.configuration.get("auth", "password") # Check authentication From dcaec206816b2e44f3a793bc3228cd139d56e250 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 10 Feb 2025 19:33:28 +0100 Subject: [PATCH 216/361] extend copyright year --- radicale/app/put.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 6e1ba215..4e1e0c9b 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -4,7 +4,7 @@ # Copyright © 2008-2017 Guillaume Ayoub # Copyright © 2017-2020 Unrud # Copyright © 2020-2023 Tuna Celik -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From b011fa4e61b3f8dfcd484b0af546da9059ea842c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 10 Feb 2025 19:34:13 +0100 Subject: [PATCH 217/361] extend copyright year --- radicale/httputils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/httputils.py b/radicale/httputils.py index 3983d7eb..f3c53965 100644 --- a/radicale/httputils.py +++ b/radicale/httputils.py @@ -3,7 +3,7 @@ # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub # Copyright © 2017-2022 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 77f69f2b1e6f772e6811d12381b4699ffb360bbf Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 10 Feb 2025 19:34:29 +0100 Subject: [PATCH 218/361] add new error code --- radicale/httputils.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radicale/httputils.py b/radicale/httputils.py index f3c53965..23cc3677 100644 --- a/radicale/httputils.py +++ b/radicale/httputils.py @@ -79,6 +79,9 @@ REMOTE_DESTINATION: types.WSGIResponse = ( DIRECTORY_LISTING: types.WSGIResponse = ( client.FORBIDDEN, (("Content-Type", "text/plain"),), "Directory listings are not supported.") +INSUFFICIENT_STORAGE: types.WSGIResponse = ( + client.INSUFFICIENT_STORAGE, (("Content-Type", "text/plain"),), + "Insufficient Storage. Please contact the administrator.") INTERNAL_SERVER_ERROR: types.WSGIResponse = ( client.INTERNAL_SERVER_ERROR, (("Content-Type", "text/plain"),), "A server error occurred. Please contact the administrator.") From f0d06cbc7d8b1c133d84db6dc4b51febbdbe888c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 10 Feb 2025 19:37:19 +0100 Subject: [PATCH 219/361] catch server errors on put --- radicale/app/put.py | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 4e1e0c9b..976b7bfd 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -19,8 +19,10 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import errno import itertools import posixpath +import re import socket import sys from http import client @@ -264,9 +266,22 @@ class ApplicationPartPut(ApplicationBase): ) self._hook.notify(hook_notification_item) except ValueError as e: - logger.warning( - "Bad PUT request on %r (upload): %s", path, e, exc_info=True) - return httputils.BAD_REQUEST + # return better matching HTTP result in case errno is provided and catched + errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) + if errno_match: + logger.warning( + "Failed PUT request on %r (upload): %s", path, e, exc_info=True) + errno_e = int(errno_match.group(1)) + if errno_e == errno.ENOSPC: + return httputils.INSUFFICIENT_STORAGE + elif (errno_e == errno.EPERM) or (errno_e == errno.EACCES): + return httputils.FORBIDDEN + else: + return httputils.INTERNAL_SERVER_ERROR + else: + logger.warning( + "Bad PUT request on %r (upload): %s", path, e, exc_info=True) + return httputils.BAD_REQUEST headers = {"ETag": etag} return client.CREATED, headers, None From 605fc655847efbd2be7f6d65c16581614825895d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:17:47 +0100 Subject: [PATCH 220/361] improve coding --- radicale/app/put.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 976b7bfd..7bd37035 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -274,7 +274,7 @@ class ApplicationPartPut(ApplicationBase): errno_e = int(errno_match.group(1)) if errno_e == errno.ENOSPC: return httputils.INSUFFICIENT_STORAGE - elif (errno_e == errno.EPERM) or (errno_e == errno.EACCES): + elif errno_e in [errno.EPERM, errno.EACCES]: return httputils.FORBIDDEN else: return httputils.INTERNAL_SERVER_ERROR From c157dd7d19f2101c957a4992394595359cb32020 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:18:45 +0100 Subject: [PATCH 221/361] extend copyright --- radicale/app/mkcol.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/app/mkcol.py b/radicale/app/mkcol.py index 5bccc50c..50c94dce 100644 --- a/radicale/app/mkcol.py +++ b/radicale/app/mkcol.py @@ -2,7 +2,8 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2021 Unrud +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 88accdb6723acda526d1bad30513ba6c826fea35 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:19:16 +0100 Subject: [PATCH 222/361] catch server errors and return proper message --- radicale/app/mkcol.py | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/radicale/app/mkcol.py b/radicale/app/mkcol.py index 50c94dce..953508ad 100644 --- a/radicale/app/mkcol.py +++ b/radicale/app/mkcol.py @@ -18,7 +18,9 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import errno import posixpath +import re import socket from http import client @@ -75,8 +77,21 @@ class ApplicationPartMkcol(ApplicationBase): try: self._storage.create_collection(path, props=props) except ValueError as e: - logger.warning( - "Bad MKCOL request on %r (type:%s): %s", path, collection_type, e, exc_info=True) - return httputils.BAD_REQUEST + # return better matching HTTP result in case errno is provided and catched + errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) + if errno_match: + logger.error( + "Failed MKCOL request on %r (type:%s): %s", path, collection_type, e, exc_info=True) + errno_e = int(errno_match.group(1)) + if errno_e == errno.ENOSPC: + return httputils.INSUFFICIENT_STORAGE + elif errno_e in [errno.EPERM, errno.EACCES]: + return httputils.FORBIDDEN + else: + return httputils.INTERNAL_SERVER_ERROR + else: + logger.warning( + "Bad MKCOL request on %r (type:%s): %s", path, collection_type, e, exc_info=True) + return httputils.BAD_REQUEST logger.info("MKCOL request %r (type:%s): %s", path, collection_type, "successful") return client.CREATED, {}, None From cd51581f389024dbec6b04d790ac1725cf085352 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:20:29 +0100 Subject: [PATCH 223/361] extend copyright --- radicale/storage/multifilesystem/create_collection.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/storage/multifilesystem/create_collection.py b/radicale/storage/multifilesystem/create_collection.py index 2e6e9ce7..f300f59a 100644 --- a/radicale/storage/multifilesystem/create_collection.py +++ b/radicale/storage/multifilesystem/create_collection.py @@ -2,7 +2,7 @@ # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2021 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 37b18cf5a2c3c986e739eb973e79ec9ca46ab205 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:20:51 +0100 Subject: [PATCH 224/361] catch error during create_collection --- .../multifilesystem/create_collection.py | 44 ++++++++++--------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/radicale/storage/multifilesystem/create_collection.py b/radicale/storage/multifilesystem/create_collection.py index f300f59a..cbbdee53 100644 --- a/radicale/storage/multifilesystem/create_collection.py +++ b/radicale/storage/multifilesystem/create_collection.py @@ -50,27 +50,31 @@ class StoragePartCreateCollection(StorageBase): self._makedirs_synced(parent_dir) # Create a temporary directory with an unsafe name - with TemporaryDirectory(prefix=".Radicale.tmp-", dir=parent_dir - ) as tmp_dir: - # The temporary directory itself can't be renamed - tmp_filesystem_path = os.path.join(tmp_dir, "collection") - os.makedirs(tmp_filesystem_path) - col = self._collection_class( - cast(multifilesystem.Storage, self), - pathutils.unstrip_path(sane_path, True), - filesystem_path=tmp_filesystem_path) - col.set_meta(props) - if items is not None: - if props.get("tag") == "VCALENDAR": - col._upload_all_nonatomic(items, suffix=".ics") - elif props.get("tag") == "VADDRESSBOOK": - col._upload_all_nonatomic(items, suffix=".vcf") + try: + with TemporaryDirectory(prefix=".Radicale.tmp-", dir=parent_dir + ) as tmp_dir: + # The temporary directory itself can't be renamed + tmp_filesystem_path = os.path.join(tmp_dir, "collection") + os.makedirs(tmp_filesystem_path) + col = self._collection_class( + cast(multifilesystem.Storage, self), + pathutils.unstrip_path(sane_path, True), + filesystem_path=tmp_filesystem_path) + col.set_meta(props) + if items is not None: + if props.get("tag") == "VCALENDAR": + col._upload_all_nonatomic(items, suffix=".ics") + elif props.get("tag") == "VADDRESSBOOK": + col._upload_all_nonatomic(items, suffix=".vcf") - if os.path.lexists(filesystem_path): - pathutils.rename_exchange(tmp_filesystem_path, filesystem_path) - else: - os.rename(tmp_filesystem_path, filesystem_path) - self._sync_directory(parent_dir) + if os.path.lexists(filesystem_path): + pathutils.rename_exchange(tmp_filesystem_path, filesystem_path) + else: + os.rename(tmp_filesystem_path, filesystem_path) + self._sync_directory(parent_dir) + except Exception as e: + raise ValueError("Failed to create collection %r as %r %s" % + (href, filesystem_path, e)) from e return self._collection_class( cast(multifilesystem.Storage, self), From 803763729a1a9310f32fdfb3126b540324d794b9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:26:57 +0100 Subject: [PATCH 225/361] extend copyright --- radicale/app/mkcalendar.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/app/mkcalendar.py b/radicale/app/mkcalendar.py index c507ae44..20c3445f 100644 --- a/radicale/app/mkcalendar.py +++ b/radicale/app/mkcalendar.py @@ -2,7 +2,8 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2021 Unrud +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From fde0ecb9b20b070a1c1205aa5b1d578b351bc218 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:29:33 +0100 Subject: [PATCH 226/361] change loglevel --- radicale/app/put.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 7bd37035..962bf756 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -269,7 +269,7 @@ class ApplicationPartPut(ApplicationBase): # return better matching HTTP result in case errno is provided and catched errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) if errno_match: - logger.warning( + logger.error( "Failed PUT request on %r (upload): %s", path, e, exc_info=True) errno_e = int(errno_match.group(1)) if errno_e == errno.ENOSPC: From b078a8f00233ff4c19ae2b14dfbbd61949dc21d7 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:29:56 +0100 Subject: [PATCH 227/361] catch os errors --- radicale/app/mkcalendar.py | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/radicale/app/mkcalendar.py b/radicale/app/mkcalendar.py index 20c3445f..b9f2063a 100644 --- a/radicale/app/mkcalendar.py +++ b/radicale/app/mkcalendar.py @@ -18,7 +18,9 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import errno import posixpath +import re import socket from http import client @@ -71,7 +73,20 @@ class ApplicationPartMkcalendar(ApplicationBase): try: self._storage.create_collection(path, props=props) except ValueError as e: - logger.warning( - "Bad MKCALENDAR request on %r: %s", path, e, exc_info=True) - return httputils.BAD_REQUEST + # return better matching HTTP result in case errno is provided and catched + errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) + if errno_match: + logger.error( + "Failed MKCALENDAR request on %r: %s", path, e, exc_info=True) + errno_e = int(errno_match.group(1)) + if errno_e == errno.ENOSPC: + return httputils.INSUFFICIENT_STORAGE + elif errno_e in [errno.EPERM, errno.EACCES]: + return httputils.FORBIDDEN + else: + return httputils.INTERNAL_SERVER_ERROR + else: + logger.warning( + "Bad MKCALENDAR request on %r: %s", path, e, exc_info=True) + return httputils.BAD_REQUEST return client.CREATED, {}, None From 718089e3bfc512aa45479d62500216896439f5c6 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:34:46 +0100 Subject: [PATCH 228/361] extend copyright --- radicale/app/proppatch.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/radicale/app/proppatch.py b/radicale/app/proppatch.py index c15fddfe..1d2701a0 100644 --- a/radicale/app/proppatch.py +++ b/radicale/app/proppatch.py @@ -2,7 +2,9 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2020 Unrud +# Copyright © 2020-2020 Tuna Celik +# Copyright © 2025-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 484616f3631a24c5a8d3bcd6a87e8bc1a2b01a01 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:35:03 +0100 Subject: [PATCH 229/361] catch os error --- radicale/app/proppatch.py | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/radicale/app/proppatch.py b/radicale/app/proppatch.py index 1d2701a0..faa8c25b 100644 --- a/radicale/app/proppatch.py +++ b/radicale/app/proppatch.py @@ -19,6 +19,8 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import errno +import re import socket import xml.etree.ElementTree as ET from http import client @@ -109,7 +111,20 @@ class ApplicationPartProppatch(ApplicationBase): ) self._hook.notify(hook_notification_item) except ValueError as e: - logger.warning( - "Bad PROPPATCH request on %r: %s", path, e, exc_info=True) - return httputils.BAD_REQUEST + # return better matching HTTP result in case errno is provided and catched + errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) + if errno_match: + logger.warning( + "Failed PROPPATCH request on %r: %s", path, e, exc_info=True) + errno_e = int(errno_match.group(1)) + if errno_e == errno.ENOSPC: + return httputils.INSUFFICIENT_STORAGE + elif errno_e in [errno.EPERM, errno.EACCES]: + return httputils.FORBIDDEN + else: + return httputils.INTERNAL_SERVER_ERROR + else: + logger.warning( + "Bad PROPPATCH request on %r: %s", path, e, exc_info=True) + return httputils.BAD_REQUEST return client.MULTI_STATUS, headers, self._xml_response(xml_answer) From dc83c6d7d01d7e2fcfa97c648ce0de07073805ad Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:39:40 +0100 Subject: [PATCH 230/361] extend copyright --- radicale/app/move.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/app/move.py b/radicale/app/move.py index 5bd8a579..b2909cd2 100644 --- a/radicale/app/move.py +++ b/radicale/app/move.py @@ -2,7 +2,8 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2023 Unrud +# Copyright © 2023-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 67bbc9a31b5334af64a25de0944bf055ea8d2e4c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:39:54 +0100 Subject: [PATCH 231/361] catch os error --- radicale/app/move.py | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/radicale/app/move.py b/radicale/app/move.py index b2909cd2..f555e871 100644 --- a/radicale/app/move.py +++ b/radicale/app/move.py @@ -18,6 +18,7 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import errno import posixpath import re from http import client @@ -110,7 +111,20 @@ class ApplicationPartMove(ApplicationBase): try: self._storage.move(item, to_collection, to_href) except ValueError as e: - logger.warning( - "Bad MOVE request on %r: %s", path, e, exc_info=True) - return httputils.BAD_REQUEST + # return better matching HTTP result in case errno is provided and catched + errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) + if errno_match: + logger.error( + "Failed MOVE request on %r: %s", path, e, exc_info=True) + errno_e = int(errno_match.group(1)) + if errno_e == errno.ENOSPC: + return httputils.INSUFFICIENT_STORAGE + elif errno_e in [errno.EPERM, errno.EACCES]: + return httputils.FORBIDDEN + else: + return httputils.INTERNAL_SERVER_ERROR + else: + logger.warning( + "Bad MOVE request on %r: %s", path, e, exc_info=True) + return httputils.BAD_REQUEST return client.NO_CONTENT if to_item else client.CREATED, {}, None From a62da71aa22077a7c3a9d2176d84bcba17956e0a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:44:30 +0100 Subject: [PATCH 232/361] fix loglevel --- radicale/app/proppatch.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/proppatch.py b/radicale/app/proppatch.py index faa8c25b..76b4a1a1 100644 --- a/radicale/app/proppatch.py +++ b/radicale/app/proppatch.py @@ -114,7 +114,7 @@ class ApplicationPartProppatch(ApplicationBase): # return better matching HTTP result in case errno is provided and catched errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) if errno_match: - logger.warning( + logger.error( "Failed PROPPATCH request on %r: %s", path, e, exc_info=True) errno_e = int(errno_match.group(1)) if errno_e == errno.ENOSPC: From 19a47158bdf982f5809df8f74fb36f8b6ff37841 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:48:48 +0100 Subject: [PATCH 233/361] extend changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a1d896e..cd0ab4f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## 3.4.2.dev * Add: option [auth] type oauth2 by code migration from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/ +* Fix: catch OS errors on PUT MKCOL MKCALENDAR MOVE PROPPATCH (insufficient storage, access denied, internal server error) ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From 018978edd8349af7700f3b7ea483f6174047807c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 17:00:05 +0100 Subject: [PATCH 234/361] update from https://github.com/Kozea/Radicale/issues/740 --- contrib/nginx/radicale.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contrib/nginx/radicale.conf b/contrib/nginx/radicale.conf index 5d63e523..acf91a18 100644 --- a/contrib/nginx/radicale.conf +++ b/contrib/nginx/radicale.conf @@ -2,6 +2,10 @@ ### ### Usual configuration file location: /etc/nginx/default.d/ +## "well-known" redirect at least for Apple devices +rewrite ^/.well-known/carddav /radicale/ redirect; +rewrite ^/.well-known/caldav /radicale/ redirect; + ## Base URI: /radicale/ location /radicale/ { proxy_pass http://localhost:5232/; From 3d50ae4a70097c72b76db0b35c8f466d15ad751b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 18 Feb 2025 06:13:11 +0100 Subject: [PATCH 235/361] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd0ab4f4..f9e2a473 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ * Add: option [auth] type oauth2 by code migration from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/ * Fix: catch OS errors on PUT MKCOL MKCALENDAR MOVE PROPPATCH (insufficient storage, access denied, internal server error) +* Test: skip bcrypt related tests if module is missing ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From 48a634af9fe77e037535df59d4a7a41151049ccb Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 18 Feb 2025 06:13:19 +0100 Subject: [PATCH 236/361] check whether bcrypt module is available --- radicale/tests/test_auth.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index f2ba577b..7abb23e9 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -41,6 +41,14 @@ class TestBaseAuthRequests(BaseTest): """ + # test for available bcrypt module + try: + import bcrypt + except ImportError as e: + has_bcrypt = 0 + else: + has_bcrypt = 1 + def _test_htpasswd(self, htpasswd_encryption: str, htpasswd_content: str, test_matrix: Union[str, Iterable[Tuple[str, str, bool]]] = "ascii") -> None: From 3914735ec0e1a28ddd325d3ebfafbfeb4e522d78 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 18 Feb 2025 06:13:39 +0100 Subject: [PATCH 237/361] skip bcrypt related tests if module is missing --- radicale/tests/test_auth.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 7abb23e9..6745e665 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -99,10 +99,12 @@ class TestBaseAuthRequests(BaseTest): def test_htpasswd_sha512(self) -> None: self._test_htpasswd("sha512", "tmp:$6$3Qhl8r6FLagYdHYa$UCH9yXCed4A.J9FQsFPYAOXImzZUMfvLa0lwcWOxWYLOF5sE/lF99auQ4jKvHY2vijxmefl7G6kMqZ8JPdhIJ/") + @pytest.mark.skipif(has_bcrypt == 0, reason="No bcrypt module installed") def test_htpasswd_bcrypt(self) -> None: self._test_htpasswd("bcrypt", "tmp:$2y$05$oD7hbiQFQlvCM7zoalo/T.MssV3V" "NTRI3w5KDnj8NTUKJNWfVpvRq") + @pytest.mark.skipif(has_bcrypt == 0, reason="No bcrypt module installed") def test_htpasswd_bcrypt_unicode(self) -> None: self._test_htpasswd("bcrypt", "😀:$2y$10$Oyz5aHV4MD9eQJbk6GPemOs4T6edK" "6U9Sqlzr.W1mMVCS8wJUftnW", "unicode") From f6b5cb8a1e79b7862b975541b1bc21342742f098 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 18 Feb 2025 06:14:59 +0100 Subject: [PATCH 238/361] make flake8 happy --- radicale/tests/test_auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 6745e665..6c356f97 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -44,7 +44,7 @@ class TestBaseAuthRequests(BaseTest): # test for available bcrypt module try: import bcrypt - except ImportError as e: + except ImportError: has_bcrypt = 0 else: has_bcrypt = 1 From 13a78d7365423f511e19c8d36b3805c93697cebc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 20 Feb 2025 21:12:58 +0100 Subject: [PATCH 239/361] relax mtime check --- radicale/storage/multifilesystem/__init__.py | 35 ++++++++++++-------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 3bf9202f..6412ec1a 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -95,15 +95,21 @@ class Storage( def _analyse_mtime(self): # calculate and display mtime resolution path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") + logger.debug("Storage item mtime resolution test with file: %r", path) try: with open(path, "w") as f: f.write("mtime_test") f.close except Exception as e: - logger.error("Storage item mtime resolution test not possible, cannot write file: %r (%s)", path, e) + logger.warning("Storage item mtime resolution test not possible, cannot write file: %r (%s)", path, e) raise # set mtime_ns for tests - os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) + try: + os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) + except Exception as e: + logger.warning("Storage item mtime resolution test not possible, cannot set utime on file: %r (%s)", path, e) + os.remove(path) + raise logger.debug("Storage item mtime resoultion test set: %d" % MTIME_NS_TEST) mtime_ns = os.stat(path).st_mtime_ns logger.debug("Storage item mtime resoultion test get: %d" % mtime_ns) @@ -147,17 +153,20 @@ class Storage( logger.info("Storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) logger.info("Storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) logger.info("Storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) - (precision, precision_unit, unit) = self._analyse_mtime() - if precision >= 100000000: - # >= 100 ms - logger.warning("Storage item mtime resolution test result: %d %s (VERY RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) - elif precision >= 10000000: - # >= 10 ms - logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) - else: - logger.info("Storage item mtime resolution test result: %d %s" % (precision_unit, unit)) - if self._use_mtime_and_size_for_item_cache is False: - logger.info("Storage cache using mtime and size for 'item' may be an option in case of performance issues") + try: + (precision, precision_unit, unit) = self._analyse_mtime() + if precision >= 100000000: + # >= 100 ms + logger.warning("Storage item mtime resolution test result: %d %s (VERY RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) + elif precision >= 10000000: + # >= 10 ms + logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) + else: + logger.info("Storage item mtime resolution test result: %d %s" % (precision_unit, unit)) + if self._use_mtime_and_size_for_item_cache is False: + logger.info("Storage cache using mtime and size for 'item' may be an option in case of performance issues") + except: + logger.warning("Storage item mtime resolution test result not successful") logger.debug("Storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: logger.info("Storage cache subfolder: %r", self._get_collection_cache_folder()) From 4ab1cedee38ebf57d38d52d702fa04c8b5b8f073 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 20 Feb 2025 21:13:43 +0100 Subject: [PATCH 240/361] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f9e2a473..23f73485 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ * Add: option [auth] type oauth2 by code migration from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/ * Fix: catch OS errors on PUT MKCOL MKCALENDAR MOVE PROPPATCH (insufficient storage, access denied, internal server error) * Test: skip bcrypt related tests if module is missing +* Improve: relax mtime check on storage filesystem ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From d5cb05f817923dd7f3507a54292b0af9b264a0a9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 20 Feb 2025 21:17:24 +0100 Subject: [PATCH 241/361] extend copyright --- radicale/storage/multifilesystem/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 6412ec1a..846f46b5 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -2,7 +2,7 @@ # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2021 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 18338b3c6e9fe8eb413eec660a979ae60fc873dc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 20 Feb 2025 21:17:34 +0100 Subject: [PATCH 242/361] flake8 fix --- radicale/storage/multifilesystem/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 846f46b5..1a933d14 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -165,7 +165,7 @@ class Storage( logger.info("Storage item mtime resolution test result: %d %s" % (precision_unit, unit)) if self._use_mtime_and_size_for_item_cache is False: logger.info("Storage cache using mtime and size for 'item' may be an option in case of performance issues") - except: + except Exception: logger.warning("Storage item mtime resolution test result not successful") logger.debug("Storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: From 53251231d4ef4a1c3fa02a82eacf2271c4ae5af9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 21 Feb 2025 07:41:01 +0100 Subject: [PATCH 243/361] change mtime test file location to collection-root --- radicale/storage/multifilesystem/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 1a933d14..c5b8d439 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -94,7 +94,7 @@ class Storage( def _analyse_mtime(self): # calculate and display mtime resolution - path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") + path = os.path.join(self._get_collection_root_folder(), ".Radicale.mtime_test") logger.debug("Storage item mtime resolution test with file: %r", path) try: with open(path, "w") as f: From c3c61c692e35de1d28a1b06fcc3b15282f9c908f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 21 Feb 2025 07:41:54 +0100 Subject: [PATCH 244/361] update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 23f73485..97869621 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,7 @@ * Add: option [auth] type oauth2 by code migration from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/ * Fix: catch OS errors on PUT MKCOL MKCALENDAR MOVE PROPPATCH (insufficient storage, access denied, internal server error) * Test: skip bcrypt related tests if module is missing -* Improve: relax mtime check on storage filesystem +* Improve: relax mtime check on storage filesystem, change test file location to "collection-root" directory ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From 970d4ba4681067ec5a55e2397a95dd26b86d7704 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 16:22:18 +0100 Subject: [PATCH 245/361] add oauth2 to example --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index ba53ef3e..dfd8c4e2 100644 --- a/config +++ b/config @@ -59,7 +59,7 @@ [auth] # Authentication method -# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | denyall +# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | denyall #type = none # Cache logins for until expiration time From 9791a4db0f4105990e31274db5cdcccee9841894 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:48:31 +0100 Subject: [PATCH 246/361] pam: doc --- DOCUMENTATION.md | 4 ++ radicale/auth/pam.py | 93 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 radicale/auth/pam.py diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index b9c4c572..8718c08f 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -829,6 +829,10 @@ Available backends: `oauth2` : Use an OAuth2 server to authenticate users. +`pam` +: Use local PAM to authenticate users. + + Default: `none` ##### cache_logins diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py new file mode 100644 index 00000000..25e66b19 --- /dev/null +++ b/radicale/auth/pam.py @@ -0,0 +1,93 @@ +# -*- coding: utf-8 -*- +# +# This file is part of Radicale Server - Calendar Server +# Copyright © 2011 Henry-Nicolas Tourneur +# +# This library is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Radicale. If not, see . + +""" +PAM authentication. + +Authentication based on the ``pam-python`` module. + +""" + +import grp +import pam +import pwd + +from .. import config, log + + +GROUP_MEMBERSHIP = config.get("auth", "pam_group_membership") + + +# Compatibility for old versions of python-pam. +if hasattr(pam, "pam"): + def pam_authenticate(*args, **kwargs): + return pam.pam().authenticate(*args, **kwargs) +else: + def pam_authenticate(*args, **kwargs): + return pam.authenticate(*args, **kwargs) + + +def is_authenticated(user, password): + """Check if ``user``/``password`` couple is valid.""" + if user is None or password is None: + return False + + # Check whether the user exists in the PAM system + try: + pwd.getpwnam(user).pw_uid + except KeyError: + log.LOGGER.debug("User %s not found" % user) + return False + else: + log.LOGGER.debug("User %s found" % user) + + # Check whether the group exists + try: + # Obtain supplementary groups + members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem + except KeyError: + log.LOGGER.debug( + "The PAM membership required group (%s) doesn't exist" % + GROUP_MEMBERSHIP) + return False + + # Check whether the user exists + try: + # Get user primary group + primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name + except KeyError: + log.LOGGER.debug("The PAM user (%s) doesn't exist" % user) + return False + + # Check whether the user belongs to the required group + # (primary or supplementary) + if primary_group == GROUP_MEMBERSHIP or user in members: + log.LOGGER.debug( + "The PAM user belongs to the required group (%s)" % + GROUP_MEMBERSHIP) + # Check the password + if pam_authenticate(user, password, service='radicale'): + return True + else: + log.LOGGER.debug("Wrong PAM password") + else: + log.LOGGER.debug( + "The PAM user doesn't belong to the required group (%s)" % + GROUP_MEMBERSHIP) + + return False From 6683775c81968043bcdd929c1773d229ffb3638f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:48:51 +0100 Subject: [PATCH 247/361] pam: doc --- DOCUMENTATION.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 8718c08f..fb86db70 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1032,6 +1032,18 @@ OAuth2 token endpoint URL Default: +##### pam_service + +PAM service + +Default: radicale + +##### pam_group_membership + +PAM group user should be member of + +Default: + ##### lc_username Сonvert username to lowercase, must be true for case-insensitive auth From 954ddea0062f111b2eb7b1faa0d747099b53612f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:49:13 +0100 Subject: [PATCH 248/361] pam: config --- config | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config b/config index dfd8c4e2..2585c718 100644 --- a/config +++ b/config @@ -128,6 +128,12 @@ # OAuth2 token endpoint URL #oauth2_token_endpoint = +# PAM service +#pam_serivce = radicale + +# PAM group user should be member of +#pam_group_membership = + # Htpasswd filename #htpasswd_filename = /etc/radicale/users From 046d39b1bd87dbcb08617098eb36436f702de2a4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:49:36 +0100 Subject: [PATCH 249/361] pam: add support --- radicale/auth/__init__.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index e92272f8..62a7b34f 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -43,6 +43,7 @@ INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user", "ldap", "imap", "oauth2", + "pam", "dovecot") CACHE_LOGIN_TYPES: Sequence[str] = ( @@ -51,6 +52,7 @@ CACHE_LOGIN_TYPES: Sequence[str] = ( "htpasswd", "imap", "oauth2", + "pam", ) AUTH_SOCKET_FAMILY: Sequence[str] = ("AF_UNIX", "AF_INET", "AF_INET6") From c8f650bc2c5699ad2c3dc3e43363d1041db915ae Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:49:52 +0100 Subject: [PATCH 250/361] extend copyright --- radicale/auth/pam.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py index 25e66b19..3194cb59 100644 --- a/radicale/auth/pam.py +++ b/radicale/auth/pam.py @@ -2,6 +2,8 @@ # # This file is part of Radicale Server - Calendar Server # Copyright © 2011 Henry-Nicolas Tourneur +# Copyright © 2021-2021 Unrud +# Copyright © 2025-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 855e3743caaf389643a8c567abe35565ea199823 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:50:07 +0100 Subject: [PATCH 251/361] pam: merge+adjust module from v1 --- radicale/auth/pam.py | 134 +++++++++++++++++++++++-------------------- 1 file changed, 72 insertions(+), 62 deletions(-) diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py index 3194cb59..84cacb82 100644 --- a/radicale/auth/pam.py +++ b/radicale/auth/pam.py @@ -21,75 +21,85 @@ """ PAM authentication. -Authentication based on the ``pam-python`` module. +Authentication using the ``pam-python`` module. +Important: radicale user need access to /etc/shadow by e.g. + chgrp radicale /etc/shadow + chmod g+r """ import grp -import pam import pwd -from .. import config, log +from radicale import auth +from radicale.log import logger -GROUP_MEMBERSHIP = config.get("auth", "pam_group_membership") - - -# Compatibility for old versions of python-pam. -if hasattr(pam, "pam"): - def pam_authenticate(*args, **kwargs): - return pam.pam().authenticate(*args, **kwargs) -else: - def pam_authenticate(*args, **kwargs): - return pam.authenticate(*args, **kwargs) - - -def is_authenticated(user, password): - """Check if ``user``/``password`` couple is valid.""" - if user is None or password is None: - return False - - # Check whether the user exists in the PAM system - try: - pwd.getpwnam(user).pw_uid - except KeyError: - log.LOGGER.debug("User %s not found" % user) - return False - else: - log.LOGGER.debug("User %s found" % user) - - # Check whether the group exists - try: - # Obtain supplementary groups - members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem - except KeyError: - log.LOGGER.debug( - "The PAM membership required group (%s) doesn't exist" % - GROUP_MEMBERSHIP) - return False - - # Check whether the user exists - try: - # Get user primary group - primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name - except KeyError: - log.LOGGER.debug("The PAM user (%s) doesn't exist" % user) - return False - - # Check whether the user belongs to the required group - # (primary or supplementary) - if primary_group == GROUP_MEMBERSHIP or user in members: - log.LOGGER.debug( - "The PAM user belongs to the required group (%s)" % - GROUP_MEMBERSHIP) - # Check the password - if pam_authenticate(user, password, service='radicale'): - return True +class Auth(auth.BaseAuth): + def __init__(self, configuration) -> None: + super().__init__(configuration) + try: + import pam + self.pam = pam + except ImportError as e: + raise RuntimeError("PAM authentication requires the Python pam module") from e + self._service = configuration.get("auth", "pam_service") + logger.info("auth.pam_service: %s" % self._service) + self._group_membership = configuration.get("auth", "pam_group_membership") + if (self._group_membership): + logger.info("auth.pam_group_membership: %s" % self._group_membership) else: - log.LOGGER.debug("Wrong PAM password") - else: - log.LOGGER.debug( - "The PAM user doesn't belong to the required group (%s)" % - GROUP_MEMBERSHIP) + logger.info("auth.pam_group_membership: (empty, nothing to check / INSECURE)") - return False + def pam_authenticate(self, *args, **kwargs): + return self.pam.authenticate(*args, **kwargs) + + def _login(self, login: str, password: str) -> str: + """Check if ``user``/``password`` couple is valid.""" + if login is None or password is None: + return "" + + # Check whether the user exists in the PAM system + try: + pwd.getpwnam(login).pw_uid + except KeyError: + logger.debug("PAM user not found: %r" % login) + return "" + else: + logger.debug("PAM user found: %r" % login) + + # Check whether the user has a primary group (mandatory) + try: + # Get user primary group + primary_group = grp.getgrgid(pwd.getpwnam(login).pw_gid).gr_name + logger.debug("PAM user %r has primary group: %r" % (login, primary_group)) + except KeyError: + logger.debug("PAM user has no primary group: %r" % login) + return "" + + # Obtain supplementary groups + members = [] + if (self._group_membership): + try: + members = grp.getgrnam(self._group_membership).gr_mem + except KeyError: + logger.debug( + "PAM membership required group doesn't exist: %r" % + self._group_membership) + return "" + + # Check whether the user belongs to the required group + # (primary or supplementary) + if (self._group_membership): + if (primary_group != self._group_membership) and (login not in members): + logger.warning("PAM user %r belongs not to the required group: %r" % (login, self._group_membership)) + return "" + else: + logger.debug("PAM user %r belongs to the required group: %r" % (login, self._group_membership)) + + # Check the password + if self.pam_authenticate(login, password, service=self._service): + return login + else: + logger.debug("PAM authentication not successful for user: %r (service %r)" % (login, self._service)) + return "" From 0759673e67ab0bd1f631f458cac15a5e4e308bb6 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:50:24 +0100 Subject: [PATCH 252/361] pam: config parser --- radicale/config.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/radicale/config.py b/radicale/config.py index 5f46022e..6a218160 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -311,6 +311,14 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "", "help": "OAuth2 token endpoint URL", "type": str}), + ("pam_group_membership", { + "value": "", + "help": "PAM group user should be member of", + "type": str}), + ("pam_service", { + "value": "radicale", + "help": "PAM service", + "type": str}), ("strip_domain", { "value": "False", "help": "strip domain from username", From 7f3fedc048576afd2bdbc439d8ec9ca0bc0890e4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:50:42 +0100 Subject: [PATCH 253/361] log used python version --- radicale/utils.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/utils.py b/radicale/utils.py index 097be3fb..a75e5089 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -18,6 +18,7 @@ # along with Radicale. If not, see . import ssl +import sys from importlib import import_module, metadata from typing import Callable, Sequence, Type, TypeVar, Union @@ -55,6 +56,7 @@ def package_version(name): def packages_version(): versions = [] + versions.append("python=%s.%s.%s" % (sys.version_info[0], sys.version_info[1], sys.version_info[2])) for pkg in RADICALE_MODULES: versions.append("%s=%s" % (pkg, package_version(pkg))) return " ".join(versions) From 6518f1b63aea24d8e0f0c7d6072930213dc639fa Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:51:06 +0100 Subject: [PATCH 254/361] pam: add to config selector --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index 2585c718..e367083c 100644 --- a/config +++ b/config @@ -59,7 +59,7 @@ [auth] # Authentication method -# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | denyall +# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | pam | denyall #type = none # Cache logins for until expiration time From 16ece44faf353822e867a27fdfd2a9ff629d37ff Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 18:00:23 +0100 Subject: [PATCH 255/361] pam: extend changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 97869621..2c201fe4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * Fix: catch OS errors on PUT MKCOL MKCALENDAR MOVE PROPPATCH (insufficient storage, access denied, internal server error) * Test: skip bcrypt related tests if module is missing * Improve: relax mtime check on storage filesystem, change test file location to "collection-root" directory +* Add: option [auth] type pam by code migration from v1, add new option pam_serivce ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From 8218081f5882bd25814bb9d6ef85b2278b7adf1b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 25 Feb 2025 06:19:51 +0100 Subject: [PATCH 256/361] fix loglevel --- radicale/auth/pam.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py index 84cacb82..02727c85 100644 --- a/radicale/auth/pam.py +++ b/radicale/auth/pam.py @@ -49,7 +49,7 @@ class Auth(auth.BaseAuth): if (self._group_membership): logger.info("auth.pam_group_membership: %s" % self._group_membership) else: - logger.info("auth.pam_group_membership: (empty, nothing to check / INSECURE)") + logger.warning("auth.pam_group_membership: (empty, nothing to check / INSECURE)") def pam_authenticate(self, *args, **kwargs): return self.pam.authenticate(*args, **kwargs) From 50f5d2e5ef3fc1b40200eeec294b84d5ea22e6d2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 25 Feb 2025 06:20:03 +0100 Subject: [PATCH 257/361] extend copyright --- radicale/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/utils.py b/radicale/utils.py index a75e5089..2d7210ac 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -2,7 +2,7 @@ # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2018 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 9b671becebcb90fcb8eb2ffe4d5946526df9f669 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 25 Feb 2025 06:20:14 +0100 Subject: [PATCH 258/361] extend module list to display version on start --- radicale/utils.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/radicale/utils.py b/radicale/utils.py index 2d7210ac..87836a65 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -27,7 +27,13 @@ from radicale.log import logger _T_co = TypeVar("_T_co", covariant=True) -RADICALE_MODULES: Sequence[str] = ("radicale", "vobject", "passlib", "defusedxml") +RADICALE_MODULES: Sequence[str] = ("radicale", "vobject", "passlib", "defusedxml", + "dateutil", + "bcrypt", + "pika", + "ldap", + "ldap3", + "pam") def load_plugin(internal_types: Sequence[str], module_name: str, @@ -58,7 +64,13 @@ def packages_version(): versions = [] versions.append("python=%s.%s.%s" % (sys.version_info[0], sys.version_info[1], sys.version_info[2])) for pkg in RADICALE_MODULES: - versions.append("%s=%s" % (pkg, package_version(pkg))) + try: + versions.append("%s=%s" % (pkg, package_version(pkg))) + except Exception: + try: + versions.append("%s=%s" % (pkg, package_version("python-" + pkg))) + except Exception: + versions.append("%s=%s" % (pkg, "n/a")) return " ".join(versions) From 0b5dd82109e403783cad3ce35ca5d8d27adf6fab Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 25 Feb 2025 06:21:15 +0100 Subject: [PATCH 259/361] extend changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c201fe4..5b86d183 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ * Test: skip bcrypt related tests if module is missing * Improve: relax mtime check on storage filesystem, change test file location to "collection-root" directory * Add: option [auth] type pam by code migration from v1, add new option pam_serivce +* Cosmetics: extend list of used modules with their version on startup ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From 29b1da465219add851ae2ac738e4e3a1ba7f31c5 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 25 Feb 2025 06:33:50 +0100 Subject: [PATCH 260/361] takeover hints from https://github.com/Kozea/Radicale/issues/1168 --- DOCUMENTATION.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index fb86db70..b99b1d61 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -49,10 +49,8 @@ You want to try Radicale but only have 5 minutes free in your calendar? Let's go right now and play a bit with Radicale! When everything works, you can get a [client](#supported-clients) -and start creating calendars and address books. The server **only** binds to -localhost (is **not** reachable over the network) and you can log in with any -username and password. If Radicale fits your needs, it may be time for -[some basic configuration](#basic-configuration). +and start creating calendars and address books. By default, the server only binds to localhost (is not reachable over the network) +and you can log in with any user name and password. When everything works, you may get a local client and start creating calendars and address books. If Radicale fits your needs, it may be time for some [basic configuration](#basic-configuration) to support remote clients. Follow one of the chapters below depending on your operating system. From c2013ec901769250722b6911a0a764da7ccb8949 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 07:50:41 +0100 Subject: [PATCH 261/361] permit dot inside collection name, but not as first char, fixes https://github.com/Kozea/Radicale/issues/1632 --- radicale/web/internal_data/fn.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index af13ad0a..9b0bad3b 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -1348,8 +1348,10 @@ function cleanHREFinput(a) { href_form = a.target; } let currentTxtVal = href_form.value.trim().toLowerCase(); - //Clean the HREF to remove non lowercase letters and dashes - currentTxtVal = currentTxtVal.replace(/(?![0-9a-z\-\_])./g, ''); + //Clean the HREF to remove not permitted chars + currentTxtVal = currentTxtVal.replace(/(?![0-9a-z\-\_\.])./g, ''); + //Clean the HREF to remove leading . (would result in hidden directory) + currentTxtVal = currentTxtVal.replace(/^\./, ''); href_form.value = currentTxtVal; } From fcaee51ceb2714c33ea179064dacfd9a595e2fb4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 08:09:05 +0100 Subject: [PATCH 262/361] remove double / for MKCOL --- radicale/web/internal_data/fn.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index 9b0bad3b..66d6f9bb 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -1213,7 +1213,7 @@ function CreateEditCollectionScene(user, password, collection) { alert("You must enter a valid HREF"); return false; } - href = collection.href + "/" + newhreftxtvalue + "/"; + href = collection.href + newhreftxtvalue + "/"; } displayname = displayname_form.value; description = description_form.value; From 3910457a8d0d35e2eba9f60166fa9be74fce58cc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 08:26:19 +0100 Subject: [PATCH 263/361] remove double / for PUT --- radicale/web/internal_data/fn.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index 66d6f9bb..61492a34 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -927,7 +927,7 @@ function UploadCollectionScene(user, password, collection) { if(files.length > 1 || href.length == 0){ href = random_uuid(); } - let upload_href = collection.href + "/" + href + "/"; + let upload_href = collection.href + href + "/"; upload_req = upload_collection(user, password, upload_href, file, function(result) { upload_req = null; results.push(result); From 7318f592c84cddf566f8efbd04d1f7531e53f9cc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 08:32:26 +0100 Subject: [PATCH 264/361] use basename of uploaded file as default collection name, support https://github.com/Kozea/Radicale/issues/1633 --- radicale/web/internal_data/fn.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index 61492a34..a83a6edd 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -874,8 +874,7 @@ function UploadCollectionScene(user, password, collection) { upload_btn.onclick = upload_start; uploadfile_form.onchange = onfileschange; - let href = random_uuid(); - href_form.value = href; + href_form.value = ""; /** @type {?number} */ let scene_index = null; /** @type {?XMLHttpRequest} */ let upload_req = null; @@ -993,10 +992,12 @@ function UploadCollectionScene(user, password, collection) { hreflimitmsg_html.classList.remove("hidden"); href_form.classList.add("hidden"); href_label.classList.add("hidden"); + href_form.value = random_uuid(); // dummy, will be replaced on upload }else{ hreflimitmsg_html.classList.add("hidden"); href_form.classList.remove("hidden"); href_label.classList.remove("hidden"); + href_form.value = files[0].name.replace(/\.(ics|vcf)$/, ''); } return false; } From eb8dc61952f6db88e86ca05f273c007e32615e7b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 19:40:11 +0100 Subject: [PATCH 265/361] extend copyright --- radicale/web/internal_data/fn.js | 1 + 1 file changed, 1 insertion(+) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index a83a6edd..2e30d1f6 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -2,6 +2,7 @@ * This file is part of Radicale Server - Calendar Server * Copyright © 2017-2024 Unrud * Copyright © 2023-2024 Matthew Hana + * Copyright © 2024-2025 Peter Bieringer * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by From 4419aa22854d07f49009ff2aef0ccd1b246bf995 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 19:40:24 +0100 Subject: [PATCH 266/361] display error --- radicale/web/internal_data/fn.js | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index 2e30d1f6..745ea87d 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -1007,6 +1007,12 @@ function UploadCollectionScene(user, password, collection) { scene_index = scene_stack.length - 1; html_scene.classList.remove("hidden"); close_btn.onclick = onclose; + if(error){ + error_form.textContent = "Error: " + error; + error_form.classList.remove("hidden"); + }else{ + error_form.classList.add("hidden"); + } }; this.hide = function() { @@ -1319,6 +1325,12 @@ function CreateEditCollectionScene(user, password, collection) { fill_form(); submit_btn.onclick = onsubmit; cancel_btn.onclick = oncancel; + if(error){ + error_form.textContent = "Error: " + error; + error_form.classList.remove("hidden"); + }else{ + error_form.classList.add("hidden"); + } }; this.hide = function() { read_form(); From e3ae7b3ab546adf3e7b05ff3ecef911ad0bd854e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 19:40:37 +0100 Subject: [PATCH 267/361] add copyright --- radicale/web/internal_data/index.html | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/radicale/web/internal_data/index.html b/radicale/web/internal_data/index.html index 7806765f..db241238 100644 --- a/radicale/web/internal_data/index.html +++ b/radicale/web/internal_data/index.html @@ -1,4 +1,10 @@ + From 78b94b1d4d64c11b7bbea10c523c4a53cb37cac8 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 19:40:49 +0100 Subject: [PATCH 268/361] add html to display error --- radicale/web/internal_data/index.html | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/radicale/web/internal_data/index.html b/radicale/web/internal_data/index.html index db241238..9ac96795 100644 --- a/radicale/web/internal_data/index.html +++ b/radicale/web/internal_data/index.html @@ -122,6 +122,8 @@ + +