From 3d4cd7f034c8f3f9960f18ca3f6692e2571e90a9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 08:58:42 +0100 Subject: [PATCH 001/254] Add: display mtime_ns precision of storage folder with condition warning if too less --- CHANGELOG.md | 3 + pyproject.toml | 2 +- radicale/storage/multifilesystem/__init__.py | 74 +++++++++++++++++--- setup.py.legacy | 2 +- 4 files changed, 70 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 20b6bda6..94b74d73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Changelog +## 3.3.3.dev +* Add: display mtime_ns precision of storage folder with condition warning if too less + ## 3.3.2 * Fix: debug logging in rights/from_file * Add: option [storage] use_cache_subfolder_for_item for storing 'item' cache outside collection-root diff --git a/pyproject.toml b/pyproject.toml index aaeb805c..7c9aa260 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.2" +version = "3.3.3.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 4e5271f5..6aafae8e 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -47,6 +47,8 @@ from radicale.storage.multifilesystem.sync import CollectionPartSync from radicale.storage.multifilesystem.upload import CollectionPartUpload from radicale.storage.multifilesystem.verify import StoragePartVerify +# 999 second, 999 ms, 999 us, 999 ns +MTIME_NS_TEST: int = 999999999999 class Collection( CollectionPartDelete, CollectionPartMeta, CollectionPartSync, @@ -91,22 +93,76 @@ class Storage( def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) - logger.info("storage location: %r", self._filesystem_folder) + logger.info("Storage location: %r", self._filesystem_folder) self._makedirs_synced(self._filesystem_folder) - logger.info("storage location subfolder: %r", self._get_collection_root_folder()) - logger.info("storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) - logger.info("storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) - logger.info("storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) - logger.info("storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) - logger.debug("storage cache action logging: %s", self._debug_cache_actions) + logger.info("Storage location subfolder: %r", self._get_collection_root_folder()) + logger.info("Storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) + logger.info("Storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) + logger.info("Storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) + logger.info("Storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) + if self._use_mtime_and_size_for_item_cache is True: + # calculate and display mtime resolution + path = os.path.join(self._get_collection_root_folder(), ".Radicale.mtime_test") + try: + with open(path, "w") as f: + f.write("mtime_test") + f.close + except Exception: + logger.error("Storage item mtime resolution test not possible") + raise + # set mtime_ns for tests + os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) + logger.debug("Storage item mtime resoultion test set: %d" % MTIME_NS_TEST) + mtime_ns = os.stat(path).st_mtime_ns + mtime_ns = int(MTIME_NS_TEST / 100000000) * 100000000 + logger.debug("Storage item mtime resoultion test get: %d" % mtime_ns) + # start analysis + precision = 1 + mtime_ns_test = MTIME_NS_TEST + while mtime_ns > 0: + if mtime_ns == mtime_ns_test: + break + factor = 2 + if int(mtime_ns / factor) == int(mtime_ns_test / factor): + precision = precision * factor + break + factor = 5 + if int(mtime_ns / factor) == int(mtime_ns_test / factor): + precision = precision * factor + break + precision = precision * 10 + mtime_ns = int(mtime_ns / 10) + mtime_ns_test = int(mtime_ns_test / 10) + unit = "ns" + precision_log = precision + if precision >= 1000000000: + precision_log = precision / 1000000000 + unit = "s" + elif precision >= 1000000: + precision_log = precision / 1000000 + unit = "ms" + elif precision >= 1000: + precision_log = precision / 1000 + unit = "us" + os.remove(path) + if precision >= 100000000: + # >= 100 ms + logger.warning("Storage item mtime resolution test result: %d %s (VERY RISKY ON PRODUCTION SYSTEMS)" % (precision_log, unit)) + elif precision >= 10000000: + # >= 10 ms + logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_log, unit)) + else: + logger.info("Storage item mtime resolution test result: %d %s" % (precision_log, unit)) + raise + logger.debug("Storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: - logger.info("storage cache subfolder: %r", self._get_collection_cache_folder()) + logger.info("Storage cache subfolder: %r", self._get_collection_cache_folder()) self._makedirs_synced(self._get_collection_cache_folder()) if sys.platform != "win32": if not self._folder_umask: # retrieve current umask by setting a dummy umask current_umask = os.umask(0o0022) - logger.info("storage folder umask (from system): '%04o'", current_umask) + logger.info("Storage folder umask (from system): '%04o'", current_umask) # reset to original os.umask(current_umask) else: diff --git a/setup.py.legacy b/setup.py.legacy index ba97b8e0..91bdc16a 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.2" +VERSION = "3.3.3.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 836827ac8f4dce83a4de03a0cd7ee98501552472 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 08:59:23 +0100 Subject: [PATCH 002/254] remove test code --- radicale/storage/multifilesystem/__init__.py | 1 - 1 file changed, 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 6aafae8e..c4130dfb 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -153,7 +153,6 @@ class Storage( logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_log, unit)) else: logger.info("Storage item mtime resolution test result: %d %s" % (precision_log, unit)) - raise logger.debug("Storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: logger.info("Storage cache subfolder: %r", self._get_collection_cache_folder()) From c1c8ab2887984eab26aebc4927b12612f0f6b6a3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 09:00:06 +0100 Subject: [PATCH 003/254] remove test code --- radicale/storage/multifilesystem/__init__.py | 1 - 1 file changed, 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index c4130dfb..458004ba 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -114,7 +114,6 @@ class Storage( os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) logger.debug("Storage item mtime resoultion test set: %d" % MTIME_NS_TEST) mtime_ns = os.stat(path).st_mtime_ns - mtime_ns = int(MTIME_NS_TEST / 100000000) * 100000000 logger.debug("Storage item mtime resoultion test get: %d" % mtime_ns) # start analysis precision = 1 From 4b1183ae002956a78bd552b5af924803a3322d43 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 20:34:16 +0100 Subject: [PATCH 004/254] disable fsync during storage verification --- radicale/storage/multifilesystem/verify.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/storage/multifilesystem/verify.py b/radicale/storage/multifilesystem/verify.py index 776f1bfd..4c644c19 100644 --- a/radicale/storage/multifilesystem/verify.py +++ b/radicale/storage/multifilesystem/verify.py @@ -29,6 +29,8 @@ class StoragePartVerify(StoragePartDiscover, StorageBase): def verify(self) -> bool: item_errors = collection_errors = 0 + logger.info("Disable fsync during storage verification") + self._filesystem_fsync = False @types.contextmanager def exception_cm(sane_path: str, href: Optional[str] From 0f6dcb71923123f44f0177a9294eba3ed188dfc6 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 20:34:38 +0100 Subject: [PATCH 005/254] disable fsync during storage verification --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 94b74d73..330fa4b3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## 3.3.3.dev * Add: display mtime_ns precision of storage folder with condition warning if too less +* Improve: disable fsync during storage verification ## 3.3.2 * Fix: debug logging in rights/from_file From 6214111f4fa518120d241b50238d83ca0222138f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 16 Dec 2024 20:58:59 +0100 Subject: [PATCH 006/254] make tox happy --- radicale/storage/multifilesystem/__init__.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 458004ba..4c4f321a 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -50,6 +50,7 @@ from radicale.storage.multifilesystem.verify import StoragePartVerify # 999 second, 999 ms, 999 us, 999 ns MTIME_NS_TEST: int = 999999999999 + class Collection( CollectionPartDelete, CollectionPartMeta, CollectionPartSync, CollectionPartUpload, CollectionPartGet, CollectionPartCache, @@ -102,13 +103,13 @@ class Storage( logger.info("Storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) if self._use_mtime_and_size_for_item_cache is True: # calculate and display mtime resolution - path = os.path.join(self._get_collection_root_folder(), ".Radicale.mtime_test") + path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") try: with open(path, "w") as f: f.write("mtime_test") f.close - except Exception: - logger.error("Storage item mtime resolution test not possible") + except Exception as e: + logger.error("Storage item mtime resolution test not possible, cannot write file: %r (%s)", path, e) raise # set mtime_ns for tests os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) @@ -135,13 +136,13 @@ class Storage( unit = "ns" precision_log = precision if precision >= 1000000000: - precision_log = precision / 1000000000 + precision_log = int(precision / 1000000000) unit = "s" elif precision >= 1000000: - precision_log = precision / 1000000 + precision_log = int(precision / 1000000) unit = "ms" elif precision >= 1000: - precision_log = precision / 1000 + precision_log = int(precision / 1000) unit = "us" os.remove(path) if precision >= 100000000: From 1a76e1ad5046dd20e13ee50899b21aeee7bad71c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 18 Dec 2024 19:40:32 +0100 Subject: [PATCH 007/254] cosmetics --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index 9d30509e..c34b9d28 100644 --- a/config +++ b/config @@ -158,7 +158,7 @@ # Use last modifiction time (nanoseconds) and size (bytes) for 'item' cache instead of SHA256 (improves speed) # Note: check used filesystem mtime precision before enabling # Note: conversion is done on access, bulk conversion can be done offline using storage verification option: radicale --verify-storage -#use_mtime_and_size_for_item_cache=False +#use_mtime_and_size_for_item_cache = False # Use configured umask for folder creation (not applicable for OS Windows) # Useful value: 0077 | 0027 | 0007 | 0022 From 59450e8c2da108072d7c9f4902556483ad85172f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 18 Dec 2024 20:14:56 +0100 Subject: [PATCH 008/254] add additional ReadWritePaths entry, fix existing one --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index cf8b8058..25bd8936 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -248,7 +248,7 @@ ProtectKernelTunables=true ProtectKernelModules=true ProtectControlGroups=true NoNewPrivileges=true -ReadWritePaths=/var/lib/radicale/collections +ReadWritePaths=/var/lib/radicale/ /var/cache/radicale/ [Install] WantedBy=multi-user.target From b356edd6bef26ec45f235ca72470a3f3cc646224 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 18 Dec 2024 20:51:33 +0100 Subject: [PATCH 009/254] Improve: suppress duplicate log lines on startup --- CHANGELOG.md | 1 + radicale/log.py | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 330fa4b3..a0592f66 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## 3.3.3.dev * Add: display mtime_ns precision of storage folder with condition warning if too less * Improve: disable fsync during storage verification +* Improve: suppress duplicate log lines on startup ## 3.3.2 * Fix: debug logging in rights/from_file diff --git a/radicale/log.py b/radicale/log.py index 313b4933..ef2eb703 100644 --- a/radicale/log.py +++ b/radicale/log.py @@ -221,18 +221,31 @@ def setup() -> None: logger.error("Invalid RADICALE_LOG_FORMAT: %r", format_name) +logger_display_backtrace_disabled: bool = False +logger_display_backtrace_enabled: bool = False + + def set_level(level: Union[int, str], backtrace_on_debug: bool) -> None: """Set logging level for global logger.""" + global logger_display_backtrace_disabled + global logger_display_backtrace_enabled if isinstance(level, str): level = getattr(logging, level.upper()) assert isinstance(level, int) logger.setLevel(level) if level > logging.DEBUG: - logger.info("Logging of backtrace is disabled in this loglevel") + if logger_display_backtrace_disabled is False: + logger.info("Logging of backtrace is disabled in this loglevel") + logger_display_backtrace_disabled = True logger.addFilter(REMOVE_TRACEBACK_FILTER) else: if not backtrace_on_debug: - logger.debug("Logging of backtrace is disabled by option in this loglevel") + if logger_display_backtrace_disabled is False: + logger.debug("Logging of backtrace is disabled by option in this loglevel") + logger_display_backtrace_disabled = True logger.addFilter(REMOVE_TRACEBACK_FILTER) else: + if logger_display_backtrace_enabled is False: + logger.debug("Logging of backtrace is enabled by option in this loglevel") + logger_display_backtrace_enabled = True logger.removeFilter(REMOVE_TRACEBACK_FILTER) From 9e9d036387f28ed25eaf980bb8d6d55de3d574e1 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 18 Dec 2024 22:18:38 +0100 Subject: [PATCH 010/254] display always mtime result --- radicale/storage/multifilesystem/__init__.py | 49 +++++++++++--------- 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 4c4f321a..b9a525dc 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -92,16 +92,7 @@ class Storage( _collection_class: ClassVar[Type[Collection]] = Collection - def __init__(self, configuration: config.Configuration) -> None: - super().__init__(configuration) - logger.info("Storage location: %r", self._filesystem_folder) - self._makedirs_synced(self._filesystem_folder) - logger.info("Storage location subfolder: %r", self._get_collection_root_folder()) - logger.info("Storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) - logger.info("Storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) - logger.info("Storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) - logger.info("Storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) - if self._use_mtime_and_size_for_item_cache is True: + def _analyse_mtime(self) -> None: # calculate and display mtime resolution path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") try: @@ -134,25 +125,39 @@ class Storage( mtime_ns = int(mtime_ns / 10) mtime_ns_test = int(mtime_ns_test / 10) unit = "ns" - precision_log = precision + precision_unit = precision if precision >= 1000000000: - precision_log = int(precision / 1000000000) + precision_unit = int(precision / 1000000000) unit = "s" elif precision >= 1000000: - precision_log = int(precision / 1000000) + precision_unit = int(precision / 1000000) unit = "ms" elif precision >= 1000: - precision_log = int(precision / 1000) + precision_unit = int(precision / 1000) unit = "us" os.remove(path) - if precision >= 100000000: - # >= 100 ms - logger.warning("Storage item mtime resolution test result: %d %s (VERY RISKY ON PRODUCTION SYSTEMS)" % (precision_log, unit)) - elif precision >= 10000000: - # >= 10 ms - logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_log, unit)) - else: - logger.info("Storage item mtime resolution test result: %d %s" % (precision_log, unit)) + return (precision, precision_unit, unit) + + def __init__(self, configuration: config.Configuration) -> None: + super().__init__(configuration) + logger.info("Storage location: %r", self._filesystem_folder) + self._makedirs_synced(self._filesystem_folder) + logger.info("Storage location subfolder: %r", self._get_collection_root_folder()) + logger.info("Storage cache subfolder usage for 'item': %s", self._use_cache_subfolder_for_item) + logger.info("Storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) + logger.info("Storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) + logger.info("Storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) + (precision, precision_unit, unit) = self._analyse_mtime() + if precision >= 100000000: + # >= 100 ms + logger.warning("Storage item mtime resolution test result: %d %s (VERY RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) + elif precision >= 10000000: + # >= 10 ms + logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) + else: + logger.info("Storage item mtime resolution test result: %d %s" % (precision_unit, unit)) + if self._use_mtime_and_size_for_item_cache is False: + logger.info("Storage cache using mtime and size for 'item' may be an option in case of performance issues") logger.debug("Storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: logger.info("Storage cache subfolder: %r", self._get_collection_cache_folder()) From 335584a6b70aefecc991526de5bd0bce706e6e33 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 18 Dec 2024 22:28:02 +0100 Subject: [PATCH 011/254] make tox happy --- radicale/storage/multifilesystem/__init__.py | 90 ++++++++++---------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index b9a525dc..3bf9202f 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -92,51 +92,51 @@ class Storage( _collection_class: ClassVar[Type[Collection]] = Collection - def _analyse_mtime(self) -> None: - # calculate and display mtime resolution - path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") - try: - with open(path, "w") as f: - f.write("mtime_test") - f.close - except Exception as e: - logger.error("Storage item mtime resolution test not possible, cannot write file: %r (%s)", path, e) - raise - # set mtime_ns for tests - os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) - logger.debug("Storage item mtime resoultion test set: %d" % MTIME_NS_TEST) - mtime_ns = os.stat(path).st_mtime_ns - logger.debug("Storage item mtime resoultion test get: %d" % mtime_ns) - # start analysis - precision = 1 - mtime_ns_test = MTIME_NS_TEST - while mtime_ns > 0: - if mtime_ns == mtime_ns_test: - break - factor = 2 - if int(mtime_ns / factor) == int(mtime_ns_test / factor): - precision = precision * factor - break - factor = 5 - if int(mtime_ns / factor) == int(mtime_ns_test / factor): - precision = precision * factor - break - precision = precision * 10 - mtime_ns = int(mtime_ns / 10) - mtime_ns_test = int(mtime_ns_test / 10) - unit = "ns" - precision_unit = precision - if precision >= 1000000000: - precision_unit = int(precision / 1000000000) - unit = "s" - elif precision >= 1000000: - precision_unit = int(precision / 1000000) - unit = "ms" - elif precision >= 1000: - precision_unit = int(precision / 1000) - unit = "us" - os.remove(path) - return (precision, precision_unit, unit) + def _analyse_mtime(self): + # calculate and display mtime resolution + path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") + try: + with open(path, "w") as f: + f.write("mtime_test") + f.close + except Exception as e: + logger.error("Storage item mtime resolution test not possible, cannot write file: %r (%s)", path, e) + raise + # set mtime_ns for tests + os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) + logger.debug("Storage item mtime resoultion test set: %d" % MTIME_NS_TEST) + mtime_ns = os.stat(path).st_mtime_ns + logger.debug("Storage item mtime resoultion test get: %d" % mtime_ns) + # start analysis + precision = 1 + mtime_ns_test = MTIME_NS_TEST + while mtime_ns > 0: + if mtime_ns == mtime_ns_test: + break + factor = 2 + if int(mtime_ns / factor) == int(mtime_ns_test / factor): + precision = precision * factor + break + factor = 5 + if int(mtime_ns / factor) == int(mtime_ns_test / factor): + precision = precision * factor + break + precision = precision * 10 + mtime_ns = int(mtime_ns / 10) + mtime_ns_test = int(mtime_ns_test / 10) + unit = "ns" + precision_unit = precision + if precision >= 1000000000: + precision_unit = int(precision / 1000000000) + unit = "s" + elif precision >= 1000000: + precision_unit = int(precision / 1000000) + unit = "ms" + elif precision >= 1000: + precision_unit = int(precision / 1000) + unit = "us" + os.remove(path) + return (precision, precision_unit, unit) def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) From c8010fa4bed346ec0b847be71f9512a1e7b21574 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 23 Dec 2024 07:07:43 +0100 Subject: [PATCH 012/254] fix https://github.com/Kozea/Radicale/issues/1647 --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 25bd8936..2a88844c 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1401,7 +1401,7 @@ An example rights file: [root] user: .+ collection: -permissions: r +permissions: R # Allow reading and writing principal collection (same as username) [principal] From e2934a12c0f494ecbd7b042d2cc138a0848627f3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 24 Dec 2024 08:24:13 +0100 Subject: [PATCH 013/254] Contrib: logwatch config and script --- contrib/logwatch/radicale | 135 +++++++++++++++++++++++++++++++++ contrib/logwatch/radicale.conf | 12 +++ 2 files changed, 147 insertions(+) create mode 100644 contrib/logwatch/radicale create mode 100644 contrib/logwatch/radicale.conf diff --git a/contrib/logwatch/radicale b/contrib/logwatch/radicale new file mode 100644 index 00000000..75243759 --- /dev/null +++ b/contrib/logwatch/radicale @@ -0,0 +1,135 @@ +# This file is related to Radicale - CalDAV and CardDAV server +# for logwatch (script) +# Copyright © 2024-2024 Peter Bieringer + +$Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; + +my %ResponseTimes; +my %Requests; +my %Logins; +my %Loglevel; +my %OtherEvents; + +sub ResponseTimesMinMaxAvg($$) { + my $req = $_[0]; + my $time = $_[1]; + + $ResponseTimes{$req}->{'cnt'}++; + + if (! defined $ResponseTimes{$req}->{'min'}) { + $ResponseTimes{$req}->{'min'} = $time; + } elsif ($ResponseTimes->{$req}->{'min'} > $time) { + $ResponseTimes{$req}->{'min'} = $time; + } + + if (! defined $ResponseTimes{$req}->{'max'}) { + $ResponseTimes{$req}{'max'} = $time; + } elsif ($ResponseTimes{$req}->{'max'} < $time) { + $ResponseTimes{$req}{'max'} = $time; + } + + if (! defined $ResponseTimes{$req}->{'avg'}) { + $ResponseTimes{$req}->{'avg'} = $time; + } else { + $ResponseTimes{$req}->{'avg'} = ($ResponseTimes{$req}->{'avg'} * ($ResponseTimes{$req}->{'cnt'} - 1) + $time) / $ResponseTimes{$req}->{'cnt'}; + } +} + +while (defined($ThisLine = )) { + # count loglevel + if ( $ThisLine =~ /\[(DEBUG|INFO|WARNING|ERROR|CRITICAL)\] /o ) { + $Loglevel{$1}++ + } + + # parse log for events + if ( $ThisLine =~ /Radicale server ready/o ) { + $OtherEvents{"Radicale server started"}++; + } + elsif ( $ThisLine =~ /Stopping Radicale/o ) { + $OtherEvents{"Radicale server stopped"}++; + } + elsif ( $ThisLine =~ / (\S+ response status)/o ) { + if ( $ThisLine =~ / (\S+) response status for .* with depth '(\d)' in ([0-9.]+) seconds: (\d+)/o ) { + ResponseTimesMinMaxAvg($1 . "|R=" . $4 . "|D=" . $2, $3); + } elsif ( $ThisLine =~ / (\S+) response status for .* in ([0-9.]+) seconds: (\d+)/ ) { + ResponseTimesMinMaxAvg($1 . "|R=" . $3, $2); + } + } + elsif ( $ThisLine =~ / (\S+) request for/o ) { + $Requests{$1}++; + } + elsif ( $ThisLine =~ / Successful login: '([^']+)'/o ) { + $Logins{$1}++; + } + elsif ( $ThisLine =~ / (Failed login attempt) /o ) { + $OtherEvents{$1}++; + } + elsif ( $ThisLine =~ /\[(DEBUG|INFO)\] /o ) { + # skip if DEBUG+INFO + } + else { + # Report any unmatched entries... + $ThisLine =~ s/^\[\d+(\/Thread-\d+)?\] //; # remove process/Thread ID + chomp($ThisLine); + $OtherList{$ThisLine}++; + } +} + +if ($Started) { + print "\nStatistics:\n"; + print " Radicale started: $Started Time(s)\n"; +} + +if (keys %Loglevel) { + print "\n**Loglevel counters**\n"; + printf "%-18s | %7s |\n", "Loglevel", "cnt"; + print "-" x30 . "\n"; + foreach my $level (sort keys %Loglevel) { + printf "%-18s | %7d |\n", $level, $Loglevel{$level}; + } +} + +if (keys %Requests) { + print "\n**Request counters**\n"; + printf "%-18s | %7s |\n", "Request", "cnt"; + print "-" x30 . "\n"; + foreach my $req (sort keys %Requests) { + printf "%-18s | %7d |\n", $req, $Requests{$req}; + } +} + +if ($Details >= 5 && keys %Requests) { + print "\n**Successful login counters**\n"; + printf "%-25s | %7s |\n", "Login", "cnt"; + print "-" x37 . "\n"; + foreach my $login (sort keys %Logins) { + printf "%-25s | %7d |\n", $login, $Logins{$login}; + } +} + +if ($Detail >= 5 && keys %ResponseTimes) { + print "\n**Response timings (counts, seconds) (R= D=)**\n"; + printf "%-18s | %7s | %7s | %7s | %7s |\n", "Response", "cnt", "min", "max", "avg"; + print "-" x60 . "\n"; + foreach my $req (sort keys %ResponseTimes) { + printf "%-18s | %7d | %7.3f | %7.3f | %7.3f |\n", $req, $ResponseTimes{$req}->{'cnt'}, $ResponseTimes{$req}->{'min'}, $ResponseTimes{$req}->{'max'}, $ResponseTimes{$req}->{'avg'}; + } +} + +if (keys %OtherEvents) { + print "\n**Other Events**\n"; + foreach $ThisOne (sort keys %OtherEvents) { + print "$ThisOne: $OtherEvents{$ThisOne} Time(s)\n"; + } +} + +if (keys %OtherList) { + print "\n**Unmatched Entries**\n"; + foreach $ThisOne (sort keys %OtherList) { + print "$ThisOne: $OtherList{$ThisOne} Time(s)\n"; + } +} + +exit(0); + +# vim: shiftwidth=3 tabstop=3 syntax=perl et smartindent diff --git a/contrib/logwatch/radicale.conf b/contrib/logwatch/radicale.conf new file mode 100644 index 00000000..9ac633f7 --- /dev/null +++ b/contrib/logwatch/radicale.conf @@ -0,0 +1,12 @@ +# This file is related to Radicale - CalDAV and CardDAV server +# for logwatch (config) +# Copyright © 2024-2024 Peter Bieringer + +Title = "Radicale" + +LogFile = messages + +*OnlyService = radicale +*RemoveHeaders + +# vi: shiftwidth=3 tabstop=3 et From b19418f43c35797d6a53a0fe4666f297d67091b4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 24 Dec 2024 08:25:31 +0100 Subject: [PATCH 014/254] update --- CHANGELOG.md | 1 + contrib/logwatch/radicale | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a0592f66..d90d6c91 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ * Add: display mtime_ns precision of storage folder with condition warning if too less * Improve: disable fsync during storage verification * Improve: suppress duplicate log lines on startup +* Contrib: logwatch config and script ## 3.3.2 * Fix: debug logging in rights/from_file diff --git a/contrib/logwatch/radicale b/contrib/logwatch/radicale index 75243759..873ea064 100644 --- a/contrib/logwatch/radicale +++ b/contrib/logwatch/radicale @@ -1,6 +1,9 @@ # This file is related to Radicale - CalDAV and CardDAV server # for logwatch (script) # Copyright © 2024-2024 Peter Bieringer +# +# Detail levels +# >= 5: Logins, ResponseTimes $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; @@ -98,7 +101,7 @@ if (keys %Requests) { } } -if ($Details >= 5 && keys %Requests) { +if ($Detail >= 5 && keys %Requests) { print "\n**Successful login counters**\n"; printf "%-25s | %7s |\n", "Login", "cnt"; print "-" x37 . "\n"; From 7e23c603c1d5731681b799e145af031237d5ce70 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 24 Dec 2024 12:04:05 +0100 Subject: [PATCH 015/254] log precondition result on PUT request --- radicale/app/put.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/radicale/app/put.py b/radicale/app/put.py index c1f0eacd..a3961269 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -198,15 +198,22 @@ class ApplicationPartPut(ApplicationBase): etag = environ.get("HTTP_IF_MATCH", "") if not item and etag: # Etag asked but no item found: item has been removed + logger.warning("Precondition failed on PUT request for %r (HTTP_IF_MATCH: %s, item not existing)", path, etag) return httputils.PRECONDITION_FAILED if item and etag and item.etag != etag: # Etag asked but item not matching: item has changed + logger.warning("Precondition failed on PUT request for %r (HTTP_IF_MATCH: %s, item has different etag: %s)", path, etag, item.etag) return httputils.PRECONDITION_FAILED + if etag: + logger.debug("Precondition passed on PUT request for %r (HTTP_IF_MATCH: %s, item has etag: %s)", path, etag, item.etag) match = environ.get("HTTP_IF_NONE_MATCH", "") == "*" if item and match: # Creation asked but item found: item can't be replaced + logger.warning("Precondition failed on PUT request for %r (HTTP_IF_NONE_MATCH: *, creation requested but item found with etag: %s)", path, item.etag) return httputils.PRECONDITION_FAILED + if match: + logger.debug("Precondition passed on PUT request for %r (HTTP_IF_NONE_MATCH: *)", path) if (tag != prepared_tag or prepared_write_whole_collection != write_whole_collection): From 0b00218d753f200658c638dae6efcfa4b408892d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 24 Dec 2024 12:04:09 +0100 Subject: [PATCH 016/254] log precondition result on PUT request / changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d90d6c91..b4dcea9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ * Improve: disable fsync during storage verification * Improve: suppress duplicate log lines on startup * Contrib: logwatch config and script +* Improve: log precondition result on PUT request ## 3.3.2 * Fix: debug logging in rights/from_file From 1e8d9eda50e482d84e05bfa19405709735169dc9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 24 Dec 2024 12:10:47 +0100 Subject: [PATCH 017/254] fix found by mypy --- radicale/app/put.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index a3961269..6e1ba215 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -204,7 +204,7 @@ class ApplicationPartPut(ApplicationBase): # Etag asked but item not matching: item has changed logger.warning("Precondition failed on PUT request for %r (HTTP_IF_MATCH: %s, item has different etag: %s)", path, etag, item.etag) return httputils.PRECONDITION_FAILED - if etag: + if item and etag: logger.debug("Precondition passed on PUT request for %r (HTTP_IF_MATCH: %s, item has etag: %s)", path, etag, item.etag) match = environ.get("HTTP_IF_NONE_MATCH", "") == "*" From 7df2fb35a72e8581ceba4d2354ee5d34edf71009 Mon Sep 17 00:00:00 2001 From: IM Date: Wed, 25 Dec 2024 21:56:04 +0300 Subject: [PATCH 018/254] Disable overloading BaseAuth login method --- radicale/auth/__init__.py | 4 ++-- radicale/auth/dovecot.py | 2 +- radicale/auth/ldap.py | 2 +- radicale/tests/custom/auth.py | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 566b9965..4bb4b33d 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -29,7 +29,7 @@ Take a look at the class ``BaseAuth`` if you want to implement your own. """ -from typing import Sequence, Set, Tuple, Union +from typing import Sequence, Set, Tuple, Union, final from radicale import config, types, utils from radicale.log import logger @@ -50,7 +50,6 @@ def load(configuration: "config.Configuration") -> "BaseAuth": return utils.load_plugin(INTERNAL_TYPES, "auth", "Auth", BaseAuth, configuration) - class BaseAuth: _ldap_groups: Set[str] = set([]) @@ -102,6 +101,7 @@ class BaseAuth: raise NotImplementedError + @final def login(self, login: str, password: str) -> str: if self._lc_username: login = login.lower() diff --git a/radicale/auth/dovecot.py b/radicale/auth/dovecot.py index 34180eb5..ce2353a0 100644 --- a/radicale/auth/dovecot.py +++ b/radicale/auth/dovecot.py @@ -32,7 +32,7 @@ class Auth(auth.BaseAuth): self.timeout = 5 self.request_id_gen = itertools.count(1) - def login(self, login, password): + def _login(self, login, password): """Validate credentials. Check if the ``login``/``password`` pair is valid according to Dovecot. diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 2db88c95..cb3858dc 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -202,7 +202,7 @@ class Auth(auth.BaseAuth): pass return "" - def login(self, login: str, password: str) -> str: + def _login(self, login: str, password: str) -> str: """Validate credentials. In first step we make a connection to the ldap server with the ldap_reader_dn credential. In next step the DN of the user to authenticate will be searched. diff --git a/radicale/tests/custom/auth.py b/radicale/tests/custom/auth.py index 490ec313..2927ee4d 100644 --- a/radicale/tests/custom/auth.py +++ b/radicale/tests/custom/auth.py @@ -29,7 +29,7 @@ from radicale import auth class Auth(auth.BaseAuth): - def login(self, login: str, password: str) -> str: + def _login(self, login: str, password: str) -> str: if login == "tmp": return login return "" From 94898ef6c19815a95c4b3b88379becc70fca4555 Mon Sep 17 00:00:00 2001 From: IM Date: Wed, 25 Dec 2024 22:28:01 +0300 Subject: [PATCH 019/254] flake8 E302 --- radicale/auth/__init__.py | 1 + 1 file changed, 1 insertion(+) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 4bb4b33d..812649c5 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -50,6 +50,7 @@ def load(configuration: "config.Configuration") -> "BaseAuth": return utils.load_plugin(INTERNAL_TYPES, "auth", "Auth", BaseAuth, configuration) + class BaseAuth: _ldap_groups: Set[str] = set([]) From 51960bcab81ea991297af5ed635f2fbd924411b4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 27 Dec 2024 08:32:29 +0100 Subject: [PATCH 020/254] extend doc related to config options used --- DOCUMENTATION.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 2a88844c..f590a294 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -672,6 +672,24 @@ python3 -m radicale --server-hosts 0.0.0.0:5232,[::]:5232 \ Add the argument `--config ""` to stop Radicale from loading the default configuration files. Run `python3 -m radicale --help` for more information. +One can also use command line options in startup scripts using following examples: + +```bash +## simple variable containing multiple options +RADICALE_OPTIONS="--logging-level=debug --config=/etc/radicale/config --logging-request-header-on-debug --logging-rights-rule-doesnt-match-on-debug" +/usr/bin/radicale $RADICALE_OPTIONS + +## variable as array method #1 +RADICALE_OPTIONS=("--logging-level=debug" "--config=/etc/radicale/config" "--logging-request-header-on-debug" "--logging-rights-rule-doesnt-match-on-debug") +/usr/bin/radicale ${RADICALE_OPTIONS[@]} + +## variable as array method #2 +RADICALE_OPTIONS=() +RADICALE_OPTIONS+=("--logging-level=debug") +RADICALE_OPTIONS+=("--config=/etc/radicale/config") +/usr/bin/radicale ${RADICALE_OPTIONS[@]} +``` + In the following, all configuration categories and options are described. #### server From 2674f9a382540fb75c39090638d7ebf90265fa25 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 28 Dec 2024 07:56:10 +0100 Subject: [PATCH 021/254] enhance and fix logwatch --- contrib/logwatch/radicale | 111 +++++++++++++----- contrib/logwatch/radicale-journald.conf | 11 ++ .../{radicale.conf => radicale-syslog.conf} | 3 +- 3 files changed, 96 insertions(+), 29 deletions(-) create mode 100644 contrib/logwatch/radicale-journald.conf rename contrib/logwatch/{radicale.conf => radicale-syslog.conf} (82%) diff --git a/contrib/logwatch/radicale b/contrib/logwatch/radicale index 873ea064..45298ad4 100644 --- a/contrib/logwatch/radicale +++ b/contrib/logwatch/radicale @@ -3,17 +3,22 @@ # Copyright © 2024-2024 Peter Bieringer # # Detail levels -# >= 5: Logins, ResponseTimes +# >= 5: Logins +# >= 10: ResponseTimes $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0; my %ResponseTimes; +my %Responses; my %Requests; my %Logins; my %Loglevel; my %OtherEvents; -sub ResponseTimesMinMaxAvg($$) { +my $sum; +my $length; + +sub ResponseTimesMinMaxSum($$) { my $req = $_[0]; my $time = $_[1]; @@ -31,11 +36,25 @@ sub ResponseTimesMinMaxAvg($$) { $ResponseTimes{$req}{'max'} = $time; } - if (! defined $ResponseTimes{$req}->{'avg'}) { - $ResponseTimes{$req}->{'avg'} = $time; - } else { - $ResponseTimes{$req}->{'avg'} = ($ResponseTimes{$req}->{'avg'} * ($ResponseTimes{$req}->{'cnt'} - 1) + $time) / $ResponseTimes{$req}->{'cnt'}; + $ResponseTimes{$req}->{'sum'} += $time; +} + +sub Sum($) { + my $phash = $_[0]; + my $sum = 0; + foreach my $entry (keys %$phash) { + $sum += $phash->{$entry}; } + return $sum; +} + +sub MaxLength($) { + my $phash = $_[0]; + my $length = 0; + foreach my $entry (keys %$phash) { + $length = length($entry) if (length($entry) > $length); + } + return $length; } while (defined($ThisLine = )) { @@ -51,18 +70,27 @@ while (defined($ThisLine = )) { elsif ( $ThisLine =~ /Stopping Radicale/o ) { $OtherEvents{"Radicale server stopped"}++; } - elsif ( $ThisLine =~ / (\S+ response status)/o ) { - if ( $ThisLine =~ / (\S+) response status for .* with depth '(\d)' in ([0-9.]+) seconds: (\d+)/o ) { - ResponseTimesMinMaxAvg($1 . "|R=" . $4 . "|D=" . $2, $3); - } elsif ( $ThisLine =~ / (\S+) response status for .* in ([0-9.]+) seconds: (\d+)/ ) { - ResponseTimesMinMaxAvg($1 . "|R=" . $3, $2); + elsif ( $ThisLine =~ / (\S+) response status/o ) { + my $req = $1; + if ( $ThisLine =~ / \S+ response status for .* with depth '(\d)' in ([0-9.]+) seconds: (\d+)/o ) { + $req .= ":D=" . $1 . ":R=" . $3; + ResponseTimesMinMaxSum($req, $2) if ($Detail >= 10); + } elsif ( $ThisLine =~ / \S+ response status for .* in ([0-9.]+) seconds: (\d+)/ ) { + $req .= ":R=" . $2; + ResponseTimesMinMaxSum($req, $1) if ($Detail >= 10); } + $Responses{$req}++; } elsif ( $ThisLine =~ / (\S+) request for/o ) { - $Requests{$1}++; + my $req = $1; + if ( $ThisLine =~ / \S+ request for .* with depth '(\d)' received/o ) { + $req .= ":D=" . $1; + } + $Requests{$req}++; } - elsif ( $ThisLine =~ / Successful login: '([^']+)'/o ) { - $Logins{$1}++; + elsif ( $ThisLine =~ / (Successful login): '([^']+)'/o ) { + $Logins{$2}++ if ($Detail >= 5); + $OtherEvents{$1}++; } elsif ( $ThisLine =~ / (Failed login attempt) /o ) { $OtherEvents{$1}++; @@ -84,39 +112,66 @@ if ($Started) { } if (keys %Loglevel) { + $sum = Sum(\%Loglevel); print "\n**Loglevel counters**\n"; - printf "%-18s | %7s |\n", "Loglevel", "cnt"; - print "-" x30 . "\n"; + printf "%-18s | %7s | %5s |\n", "Loglevel", "cnt", "ratio"; + print "-" x38 . "\n"; foreach my $level (sort keys %Loglevel) { - printf "%-18s | %7d |\n", $level, $Loglevel{$level}; + printf "%-18s | %7d | %3d%% |\n", $level, $Loglevel{$level}, int(($Loglevel{$level} * 100) / $sum); } + print "-" x38 . "\n"; + printf "%-18s | %7d | %3d%% |\n", "", $sum, 100; } if (keys %Requests) { - print "\n**Request counters**\n"; - printf "%-18s | %7s |\n", "Request", "cnt"; - print "-" x30 . "\n"; + $sum = Sum(\%Requests); + print "\n**Request counters (D=)**\n"; + printf "%-18s | %7s | %5s |\n", "Request", "cnt", "ratio"; + print "-" x38 . "\n"; foreach my $req (sort keys %Requests) { - printf "%-18s | %7d |\n", $req, $Requests{$req}; + printf "%-18s | %7d | %3d%% |\n", $req, $Requests{$req}, int(($Requests{$req} * 100) / $sum); } + print "-" x38 . "\n"; + printf "%-18s | %7d | %3d%% |\n", "", $sum, 100; } -if ($Detail >= 5 && keys %Requests) { +if (keys %Responses) { + $sum = Sum(\%Responses); + print "\n**Response result counters ((D= R=)**\n"; + printf "%-18s | %7s | %5s |\n", "Response", "cnt", "ratio"; + print "-" x38 . "\n"; + foreach my $req (sort keys %Responses) { + printf "%-18s | %7d | %3d%% |\n", $req, $Responses{$req}, int(($Responses{$req} * 100) / $sum); + } + print "-" x38 . "\n"; + printf "%-18s | %7d | %3d%% |\n", "", $sum, 100; +} + +if (keys %Logins) { + $sum = Sum(\%Logins); + $length = MaxLength(\%Logins); print "\n**Successful login counters**\n"; - printf "%-25s | %7s |\n", "Login", "cnt"; - print "-" x37 . "\n"; + printf "%-" . $length . "s | %7s | %5s |\n", "Login", "cnt", "ratio"; + print "-" x($length + 20) . "\n"; foreach my $login (sort keys %Logins) { - printf "%-25s | %7d |\n", $login, $Logins{$login}; + printf "%-" . $length . "s | %7d | %3d%% |\n", $login, $Logins{$login}, int(($Logins{$login} * 100) / $sum); } + print "-" x($length + 20) . "\n"; + printf "%-" . $length . "s | %7d | %3d%% |\n", "", $sum, 100; } -if ($Detail >= 5 && keys %ResponseTimes) { - print "\n**Response timings (counts, seconds) (R= D=)**\n"; +if (keys %ResponseTimes) { + print "\n**Response timings (counts, seconds) (D= R=)**\n"; printf "%-18s | %7s | %7s | %7s | %7s |\n", "Response", "cnt", "min", "max", "avg"; print "-" x60 . "\n"; foreach my $req (sort keys %ResponseTimes) { - printf "%-18s | %7d | %7.3f | %7.3f | %7.3f |\n", $req, $ResponseTimes{$req}->{'cnt'}, $ResponseTimes{$req}->{'min'}, $ResponseTimes{$req}->{'max'}, $ResponseTimes{$req}->{'avg'}; + printf "%-18s | %7d | %7.3f | %7.3f | %7.3f |\n", $req + , $ResponseTimes{$req}->{'cnt'} + , $ResponseTimes{$req}->{'min'} + , $ResponseTimes{$req}->{'max'} + , $ResponseTimes{$req}->{'sum'} / $ResponseTimes{$req}->{'cnt'}; } + print "-" x60 . "\n"; } if (keys %OtherEvents) { diff --git a/contrib/logwatch/radicale-journald.conf b/contrib/logwatch/radicale-journald.conf new file mode 100644 index 00000000..522062da --- /dev/null +++ b/contrib/logwatch/radicale-journald.conf @@ -0,0 +1,11 @@ +# This file is related to Radicale - CalDAV and CardDAV server +# for logwatch (config) - input from journald +# Copyright © 2024-2024 Peter Bieringer + +Title = "Radicale" + +LogFile = none + +*JournalCtl = "--output=cat --unit=radicale.service" + +# vi: shiftwidth=3 tabstop=3 et diff --git a/contrib/logwatch/radicale.conf b/contrib/logwatch/radicale-syslog.conf similarity index 82% rename from contrib/logwatch/radicale.conf rename to contrib/logwatch/radicale-syslog.conf index 9ac633f7..89d85f16 100644 --- a/contrib/logwatch/radicale.conf +++ b/contrib/logwatch/radicale-syslog.conf @@ -1,5 +1,5 @@ # This file is related to Radicale - CalDAV and CardDAV server -# for logwatch (config) +# for logwatch (config) - input from syslog file # Copyright © 2024-2024 Peter Bieringer Title = "Radicale" @@ -7,6 +7,7 @@ Title = "Radicale" LogFile = messages *OnlyService = radicale + *RemoveHeaders # vi: shiftwidth=3 tabstop=3 et From c2b2274dad3bc8ab0a06bf83a952f1012000a62a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 28 Dec 2024 08:05:39 +0100 Subject: [PATCH 022/254] update release --- CHANGELOG.md | 2 +- pyproject.toml | 2 +- setup.py.legacy | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b4dcea9c..5578f108 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## 3.3.3.dev +## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less * Improve: disable fsync during storage verification * Improve: suppress duplicate log lines on startup diff --git a/pyproject.toml b/pyproject.toml index 7c9aa260..ac2505a4 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.3.dev" +version = "3.3.3" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index 91bdc16a..6f2cd5c1 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.3.dev" +VERSION = "3.3.3" with open("README.md", encoding="utf-8") as f: long_description = f.read() From b22038c7467698347146c6ecdcf22d592d88041d Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 17:02:39 +0100 Subject: [PATCH 023/254] LDAP auth: a little bit of cleanup - correct grammar in some cases - we're doing authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version --- radicale/auth/ldap.py | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index cb3858dc..80ceb448 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -15,11 +15,11 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . """ -Authentication backend that checks credentials with a ldap server. +Authentication backend that checks credentials with a LDAP server. Following parameters are needed in the configuration: - ldap_uri The ldap url to the server like ldap://localhost - ldap_base The baseDN of the ldap server - ldap_reader_dn The DN of a ldap user with read access to get the user accounts + ldap_uri The LDAP URL to the server like ldap://localhost + ldap_base The baseDN of the LDAP server + ldap_reader_dn The DN of a LDAP user with read access to get the user accounts ldap_secret The password of the ldap_reader_dn ldap_secret_file The path of the file containing the password of the ldap_reader_dn ldap_filter The search filter to find the user to authenticate by the username @@ -43,7 +43,7 @@ class Auth(auth.BaseAuth): _ldap_secret: str _ldap_filter: str _ldap_load_groups: bool - _ldap_version: int = 3 + _ldap_module_version: int = 3 _ldap_use_ssl: bool = False _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED _ldap_ssl_ca_file: str = "" @@ -56,7 +56,7 @@ class Auth(auth.BaseAuth): except ImportError: try: import ldap - self._ldap_version = 2 + self._ldap_module_version = 2 self.ldap = ldap except ImportError as e: raise RuntimeError("LDAP authentication requires the ldap3 module") from e @@ -70,7 +70,7 @@ class Auth(auth.BaseAuth): if ldap_secret_file_path: with open(ldap_secret_file_path, 'r') as file: self._ldap_secret = file.read().rstrip('\n') - if self._ldap_version == 3: + if self._ldap_module_version == 3: self._ldap_use_ssl = configuration.get("auth", "ldap_use_ssl") if self._ldap_use_ssl: self._ldap_ssl_ca_file = configuration.get("auth", "ldap_ssl_ca_file") @@ -94,7 +94,7 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_secret : (from config)") if self._ldap_reader_dn and not self._ldap_secret: logger.error("auth.ldap_secret : (not provided)") - raise RuntimeError("LDAP authentication requires ldap_secret for reader_dn") + raise RuntimeError("LDAP authentication requires ldap_secret for ldap_reader_dn") logger.info("auth.ldap_use_ssl : %s" % self._ldap_use_ssl) if self._ldap_use_ssl is True: logger.info("auth.ldap_ssl_verify_mode : %s" % self._ldap_ssl_verify_mode) @@ -114,14 +114,14 @@ class Auth(auth.BaseAuth): """Search for the dn of user to authenticate""" res = conn.search_s(self._ldap_base, self.ldap.SCOPE_SUBTREE, filterstr=self._ldap_filter.format(login), attrlist=['memberOf']) if len(res) == 0: - """User could not be find""" + """User could not be found""" return "" user_dn = res[0][0] logger.debug("LDAP Auth user: %s", user_dn) - """Close ldap connection""" + """Close LDAP connection""" conn.unbind() except Exception as e: - raise RuntimeError(f"Invalid ldap configuration:{e}") + raise RuntimeError(f"Invalid LDAP configuration:{e}") try: """Bind as user to authenticate""" @@ -157,14 +157,14 @@ class Auth(auth.BaseAuth): server = self.ldap3.Server(self._ldap_uri) conn = self.ldap3.Connection(server, self._ldap_reader_dn, password=self._ldap_secret) except self.ldap3.core.exceptions.LDAPSocketOpenError: - raise RuntimeError("Unable to reach ldap server") + raise RuntimeError("Unable to reach LDAP server") except Exception as e: logger.debug(f"_login3 error 1 {e}") pass if not conn.bind(): - logger.debug("_login3 can not bind") - raise RuntimeError("Unable to read from ldap server") + logger.debug("_login3 cannot bind") + raise RuntimeError("Unable to read from LDAP server") logger.debug(f"_login3 bind as {self._ldap_reader_dn}") """Search the user dn""" @@ -175,8 +175,8 @@ class Auth(auth.BaseAuth): attributes=['memberOf'] ) if len(conn.entries) == 0: - logger.debug(f"_login3 user '{login}' can not be find") - """User could not be find""" + """User could not be found""" + logger.debug(f"_login3 user '{login}' cannot be found") return "" user_entry = conn.response[0] @@ -187,7 +187,7 @@ class Auth(auth.BaseAuth): """Try to bind as the user itself""" conn = self.ldap3.Connection(server, user_dn, password=password) if not conn.bind(): - logger.debug(f"_login3 user '{login}' can not be find") + logger.debug(f"_login3 user '{login}' cannot be found") return "" if self._ldap_load_groups: tmp = [] @@ -195,7 +195,7 @@ class Auth(auth.BaseAuth): tmp.append(g.split(',')[0][3:]) self._ldap_groups = set(tmp) conn.unbind() - logger.debug(f"_login3 {login} successfully authorized") + logger.debug(f"_login3 {login} successfully authenticated") return login except Exception as e: logger.debug(f"_login3 error 2 {e}") @@ -204,10 +204,10 @@ class Auth(auth.BaseAuth): def _login(self, login: str, password: str) -> str: """Validate credentials. - In first step we make a connection to the ldap server with the ldap_reader_dn credential. + In first step we make a connection to the LDAP server with the ldap_reader_dn credential. In next step the DN of the user to authenticate will be searched. In the last step the authentication of the user will be proceeded. """ - if self._ldap_version == 2: + if self._ldap_module_version == 2: return self._login2(login, password) return self._login3(login, password) From 74311560c9e8d62fcaefb7e6b8c7c03dc2958786 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 08:16:45 +0100 Subject: [PATCH 024/254] add cache_logins* options --- DOCUMENTATION.md | 12 ++++++++++++ config | 6 ++++++ radicale/config.py | 8 ++++++++ 3 files changed, 26 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index f590a294..640025fe 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -812,6 +812,18 @@ Available backends: Default: `none` +##### cache_logins + +Cache successful logins until expiration time + +Default: `false` + +##### cache_logins_expiry + +Expiration time of caching successful logins in seconds + +Default: `5` + ##### htpasswd_filename Path to the htpasswd file. diff --git a/config b/config index c34b9d28..429cfca1 100644 --- a/config +++ b/config @@ -62,6 +62,12 @@ # Value: none | htpasswd | remote_user | http_x_remote_user | ldap | denyall #type = none +# Cache successful logins for until expiration time +#cache_logins = false + +# Expiration time for caching successful logins in seconds +#cache_logins_expiry = 5 + # URI to the LDAP server #ldap_uri = ldap://localhost diff --git a/radicale/config.py b/radicale/config.py index 0ac5970c..486e9223 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -183,6 +183,14 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "help": "authentication method", "type": str_or_callable, "internal": auth.INTERNAL_TYPES}), + ("cache_logins", { + "value": "false", + "help": "cache successful logins for until expiration time", + "type": bool}), + ("cache_logins_expiry", { + "value": "5", + "help": "expiration time for caching successful logins in seconds", + "type": int}), ("htpasswd_filename", { "value": "/etc/radicale/users", "help": "htpasswd filename", From 8e97b709bf5cb4fb09ba6fe42113ea965a07b57d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 08:17:15 +0100 Subject: [PATCH 025/254] implement cache_logins* option --- radicale/auth/__init__.py | 56 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 812649c5..9cb70bb8 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -29,6 +29,8 @@ Take a look at the class ``BaseAuth`` if you want to implement your own. """ +import hashlib +import time from typing import Sequence, Set, Tuple, Union, final from radicale import config, types, utils @@ -57,6 +59,10 @@ class BaseAuth: _lc_username: bool _uc_username: bool _strip_domain: bool + _cache: dict + _cache_logins: bool + _cache_logins_expiry: int + _cache_logins_expiry_ns: int def __init__(self, configuration: "config.Configuration") -> None: """Initialize BaseAuth. @@ -70,11 +76,27 @@ class BaseAuth: self._lc_username = configuration.get("auth", "lc_username") self._uc_username = configuration.get("auth", "uc_username") self._strip_domain = configuration.get("auth", "strip_domain") + self._cache_logins = configuration.get("auth", "cache_logins") + self._cache_logins_expiry = configuration.get("auth", "cache_logins_expiry") + if self._cache_logins_expiry < 0: + raise RuntimeError("self._cache_logins_expiry cannot be < 0") logger.info("auth.strip_domain: %s", self._strip_domain) logger.info("auth.lc_username: %s", self._lc_username) logger.info("auth.uc_username: %s", self._uc_username) if self._lc_username is True and self._uc_username is True: raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") + logger.info("auth.cache_logins: %s", self._cache_logins) + if self._cache_logins is True: + logger.info("auth.cache_logins_expiry: %s seconds", self._cache_logins_expiry) + self._cache_logins_expiry_ns = self._cache_logins_expiry * 1000 * 1000 * 1000 + self._cache = dict() + + def _cache_digest(self, login: str, password: str, salt: str) -> str: + h = hashlib.sha3_512() + h.update(salt.encode()) + h.update(login.encode()) + h.update(password.encode()) + return h.digest() def get_external_login(self, environ: types.WSGIEnviron) -> Union[ Tuple[()], Tuple[str, str]]: @@ -110,4 +132,36 @@ class BaseAuth: login = login.upper() if self._strip_domain: login = login.split('@')[0] - return self._login(login, password) + if self._cache_logins is True: + # time_ns is also used as salt + result = "" + digest = "" + time_ns = time.time_ns() + if self._cache.get(login): + # entry found in cache + (digest_cache, time_ns_cache) = self._cache[login] + digest = self._cache_digest(login, password, str(time_ns_cache)) + if digest == digest_cache: + if (time_ns - time_ns_cache) > self._cache_logins_expiry_ns: + logger.debug("Login cache entry for user found but expired: '%s'", login) + digest = "" + else: + logger.debug("Login cache entry for user found: '%s'", login) + result = login + else: + logger.debug("Login cache entry for user not matching: '%s'", login) + else: + # entry not found in cache, caculate always to avoid timing attacks + digest = self._cache_digest(login, password, str(time_ns)) + if result == "": + result = self._login(login, password) + if result is not "": + if digest is "": + # successful login, but expired, digest must be recalculated + digest = self._cache_digest(login, password, str(time_ns)) + # store successful login in cache + self._cache[login] = (digest, time_ns) + logger.debug("Login cache for user set: '%s'", login) + return result + else: + return self._login(login, password) From ddd099accd311236c0c3b4be9fb32cb4c15a8c19 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 08:17:44 +0100 Subject: [PATCH 026/254] debug log which password hash method was used --- radicale/auth/htpasswd.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 7422e16d..43fee1b9 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -96,19 +96,19 @@ class Auth(auth.BaseAuth): def _plain(self, hash_value: str, password: str) -> bool: """Check if ``hash_value`` and ``password`` match, plain method.""" - return hmac.compare_digest(hash_value.encode(), password.encode()) + return ("PLAIN", hmac.compare_digest(hash_value.encode(), password.encode())) def _bcrypt(self, bcrypt: Any, hash_value: str, password: str) -> bool: - return bcrypt.checkpw(password=password.encode('utf-8'), hashed_password=hash_value.encode()) + return ("BCRYPT", bcrypt.checkpw(password=password.encode('utf-8'), hashed_password=hash_value.encode())) def _md5apr1(self, hash_value: str, password: str) -> bool: - return apr_md5_crypt.verify(password, hash_value.strip()) + return ("MD5-APR1", apr_md5_crypt.verify(password, hash_value.strip())) def _sha256(self, hash_value: str, password: str) -> bool: - return sha256_crypt.verify(password, hash_value.strip()) + return ("SHA-256", sha256_crypt.verify(password, hash_value.strip())) def _sha512(self, hash_value: str, password: str) -> bool: - return sha512_crypt.verify(password, hash_value.strip()) + return ("SHA-512", sha512_crypt.verify(password, hash_value.strip())) def _autodetect(self, hash_value: str, password: str) -> bool: if hash_value.startswith("$apr1$", 0, 6) and len(hash_value) == 37: @@ -151,8 +151,9 @@ class Auth(auth.BaseAuth): # timing attacks, see #591. login_ok = hmac.compare_digest( hash_login.encode(), login.encode()) - password_ok = self._verify(hash_value, password) + (method, password_ok) = self._verify(hash_value, password) if login_ok and password_ok: + logger.debug("Password verification for user '%s' with method '%s': password_ok=%s", login, method, password_ok) return login except ValueError as e: raise RuntimeError("Invalid htpasswd file %r: %s" % From 30e2ab490ef1e896a3687ca49eaccc69b819cfb2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 08:19:20 +0100 Subject: [PATCH 027/254] cache_logins+htpasswd --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 88cb2e1e..353a4e68 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ # Changelog ## 3.3.4.dev +* Add: option [auth] cache_logins/cache_logins_expiry for caching successful logins +* Improve: log used hash method on debug for htpasswd authentication ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 9af15e6656f3fb28916726e4be419a798d80d078 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 05:25:10 +0100 Subject: [PATCH 028/254] fixes triggered by tox --- radicale/auth/__init__.py | 6 +++--- radicale/auth/htpasswd.py | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 9cb70bb8..39e07026 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -96,7 +96,7 @@ class BaseAuth: h.update(salt.encode()) h.update(login.encode()) h.update(password.encode()) - return h.digest() + return str(h.digest()) def get_external_login(self, environ: types.WSGIEnviron) -> Union[ Tuple[()], Tuple[str, str]]: @@ -155,8 +155,8 @@ class BaseAuth: digest = self._cache_digest(login, password, str(time_ns)) if result == "": result = self._login(login, password) - if result is not "": - if digest is "": + if result != "": + if digest == "": # successful login, but expired, digest must be recalculated digest = self._cache_digest(login, password, str(time_ns)) # store successful login in cache diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 43fee1b9..1767c9e1 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -94,23 +94,23 @@ class Auth(auth.BaseAuth): raise RuntimeError("The htpasswd encryption method %r is not " "supported." % encryption) - def _plain(self, hash_value: str, password: str) -> bool: + def _plain(self, hash_value: str, password: str) -> tuple[str, bool]: """Check if ``hash_value`` and ``password`` match, plain method.""" return ("PLAIN", hmac.compare_digest(hash_value.encode(), password.encode())) - def _bcrypt(self, bcrypt: Any, hash_value: str, password: str) -> bool: + def _bcrypt(self, bcrypt: Any, hash_value: str, password: str) -> tuple[str, bool]: return ("BCRYPT", bcrypt.checkpw(password=password.encode('utf-8'), hashed_password=hash_value.encode())) - def _md5apr1(self, hash_value: str, password: str) -> bool: + def _md5apr1(self, hash_value: str, password: str) -> tuple[str, bool]: return ("MD5-APR1", apr_md5_crypt.verify(password, hash_value.strip())) - def _sha256(self, hash_value: str, password: str) -> bool: + def _sha256(self, hash_value: str, password: str) -> tuple[str, bool]: return ("SHA-256", sha256_crypt.verify(password, hash_value.strip())) - def _sha512(self, hash_value: str, password: str) -> bool: + def _sha512(self, hash_value: str, password: str) -> tuple[str, bool]: return ("SHA-512", sha512_crypt.verify(password, hash_value.strip())) - def _autodetect(self, hash_value: str, password: str) -> bool: + def _autodetect(self, hash_value: str, password: str) -> tuple[str, bool]: if hash_value.startswith("$apr1$", 0, 6) and len(hash_value) == 37: # MD5-APR1 return self._md5apr1(hash_value, password) From ac8abbd12c4457fb87e4f5804a62f32db5067b9d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 30 Dec 2024 08:15:55 +0100 Subject: [PATCH 029/254] 3.3.4.dev --- CHANGELOG.md | 2 ++ pyproject.toml | 2 +- setup.py.legacy | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5578f108..88cb2e1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ # Changelog +## 3.3.4.dev + ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less * Improve: disable fsync during storage verification diff --git a/pyproject.toml b/pyproject.toml index ac2505a4..d01e3967 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.3" +version = "3.3.4.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index 6f2cd5c1..52d74dda 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.3" +VERSION = "3.3.4.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 4f2990342dc42f5b254b0cbec2c0d7f73d00b1b2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 07:57:13 +0100 Subject: [PATCH 030/254] add additional debug line --- radicale/auth/htpasswd.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 1767c9e1..f872eba5 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -155,6 +155,8 @@ class Auth(auth.BaseAuth): if login_ok and password_ok: logger.debug("Password verification for user '%s' with method '%s': password_ok=%s", login, method, password_ok) return login + elif login_ok: + logger.debug("Password verification for user '%s' with method '%s': password_ok=%s", login, method, password_ok) except ValueError as e: raise RuntimeError("Invalid htpasswd file %r: %s" % (self._filename, e)) from e From a794a518854c4d5d358a0e0b533ec43f573301b0 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 07:57:54 +0100 Subject: [PATCH 031/254] fix failed_login cache, improve coding --- DOCUMENTATION.md | 10 ++++-- radicale/auth/__init__.py | 72 ++++++++++++++++++++++++++++----------- radicale/config.py | 8 +++-- 3 files changed, 67 insertions(+), 23 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 640025fe..dc31d9b1 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -814,16 +814,22 @@ Default: `none` ##### cache_logins -Cache successful logins until expiration time +Cache successful/failed logins until expiration time Default: `false` -##### cache_logins_expiry +##### cache_successful_logins_expiry Expiration time of caching successful logins in seconds Default: `5` +##### cache_failed_logins_expiry + +Expiration time of caching failed logins in seconds + +Default: `60` + ##### htpasswd_filename Path to the htpasswd file. diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 39e07026..e9640f30 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -59,10 +59,12 @@ class BaseAuth: _lc_username: bool _uc_username: bool _strip_domain: bool - _cache: dict _cache_logins: bool - _cache_logins_expiry: int - _cache_logins_expiry_ns: int + _cache_successful: dict # login -> (digest, time_ns) + _cache_successful_logins_expiry: int + _cache_failed: dict # digest_failed -> (time_ns) + _cache_failed_logins_expiry: int + _cache_failed_logins_salt_ns: int # persistent over runtime def __init__(self, configuration: "config.Configuration") -> None: """Initialize BaseAuth. @@ -77,19 +79,25 @@ class BaseAuth: self._uc_username = configuration.get("auth", "uc_username") self._strip_domain = configuration.get("auth", "strip_domain") self._cache_logins = configuration.get("auth", "cache_logins") - self._cache_logins_expiry = configuration.get("auth", "cache_logins_expiry") - if self._cache_logins_expiry < 0: - raise RuntimeError("self._cache_logins_expiry cannot be < 0") + self._cache_successful_logins_expiry = configuration.get("auth", "cache_successful_logins_expiry") + if self._cache_successful_logins_expiry < 0: + raise RuntimeError("self._cache_successful_logins_expiry cannot be < 0") + self._cache_failed_logins_expiry = configuration.get("auth", "cache_failed_logins_expiry") + if self._cache_failed_logins_expiry < 0: + raise RuntimeError("self._cache_failed_logins_expiry cannot be < 0") logger.info("auth.strip_domain: %s", self._strip_domain) logger.info("auth.lc_username: %s", self._lc_username) logger.info("auth.uc_username: %s", self._uc_username) if self._lc_username is True and self._uc_username is True: raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") + # cache_successful_logins logger.info("auth.cache_logins: %s", self._cache_logins) + self._cache_successful = dict() + self._cache_failed = dict() + self._cache_failed_logins_salt_ns = time.time_ns() if self._cache_logins is True: - logger.info("auth.cache_logins_expiry: %s seconds", self._cache_logins_expiry) - self._cache_logins_expiry_ns = self._cache_logins_expiry * 1000 * 1000 * 1000 - self._cache = dict() + logger.info("auth.cache_successful_logins_expiry: %s seconds", self._cache_successful_logins_expiry) + logger.info("auth.cache_failed_logins_expiry: %s seconds", self._cache_failed_logins_expiry) def _cache_digest(self, login: str, password: str, salt: str) -> str: h = hashlib.sha3_512() @@ -137,31 +145,57 @@ class BaseAuth: result = "" digest = "" time_ns = time.time_ns() - if self._cache.get(login): - # entry found in cache - (digest_cache, time_ns_cache) = self._cache[login] + digest_failed = login + ":" + self._cache_digest(login, password, str(self._cache_failed_logins_salt_ns)) + if self._cache_failed.get(digest_failed): + # login+password found in cache "failed" + time_ns_cache = self._cache_failed[digest_failed] + age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) + if age_failed > self._cache_failed_logins_expiry: + logger.debug("Login failed cache entry for user+password found but expired: '%s' (age: %d > %d sec)", login, age_failed, self._cache_failed_logins_expiry) + # delete expired failed from cache + del self._cache_failed[digest_failed] + else: + # shortcut return + logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login, age_failed) + return "" + if self._cache_successful.get(login): + # login found in cache "successful" + (digest_cache, time_ns_cache) = self._cache_successful[login] digest = self._cache_digest(login, password, str(time_ns_cache)) if digest == digest_cache: - if (time_ns - time_ns_cache) > self._cache_logins_expiry_ns: - logger.debug("Login cache entry for user found but expired: '%s'", login) + age_success = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) + if age_success > self._cache_successful_logins_expiry: + logger.debug("Login successful cache entry for user+password found but expired: '%s' (age: %d > %d sec)", login, age_success, self._cache_successful_logins_expiry) + # delete expired success from cache + del self._cache_successful[login] digest = "" else: - logger.debug("Login cache entry for user found: '%s'", login) + logger.debug("Login successful cache entry for user+password found: '%s' (age: %d sec)", login, age_success) result = login else: - logger.debug("Login cache entry for user not matching: '%s'", login) + logger.debug("Login successful cache entry for user+password not matching: '%s'", login) else: - # entry not found in cache, caculate always to avoid timing attacks + # login not found in cache, caculate always to avoid timing attacks digest = self._cache_digest(login, password, str(time_ns)) if result == "": + # verify login+password via configured backend + logger.debug("Login verification for user+password via backend: '%s'", login) result = self._login(login, password) if result != "": + logger.debug("Login successful for user+password via backend: '%s'", login) if digest == "": # successful login, but expired, digest must be recalculated digest = self._cache_digest(login, password, str(time_ns)) # store successful login in cache - self._cache[login] = (digest, time_ns) - logger.debug("Login cache for user set: '%s'", login) + self._cache_successful[login] = (digest, time_ns) + logger.debug("Login successful cache for user set: '%s'", login) + if self._cache_failed.get(digest_failed): + logger.debug("Login failed cache for user cleared: '%s'", login) + del self._cache_failed[digest_failed] + else: + logger.debug("Login failed for user+password via backend: '%s'", login) + self._cache_failed[digest_failed] = time_ns + logger.debug("Login failed cache for user set: '%s'", login) return result else: return self._login(login, password) diff --git a/radicale/config.py b/radicale/config.py index 486e9223..f71f312b 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -185,12 +185,16 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "internal": auth.INTERNAL_TYPES}), ("cache_logins", { "value": "false", - "help": "cache successful logins for until expiration time", + "help": "cache successful/failed logins for until expiration time", "type": bool}), - ("cache_logins_expiry", { + ("cache_successful_logins_expiry", { "value": "5", "help": "expiration time for caching successful logins in seconds", "type": int}), + ("cache_failed_logins_expiry", { + "value": "60", + "help": "expiration time for caching failed logins in seconds", + "type": int}), ("htpasswd_filename", { "value": "/etc/radicale/users", "help": "htpasswd filename", From b75e303556842347761840e7a746020998d46808 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 08:11:19 +0100 Subject: [PATCH 032/254] reorg code, disable caching on not required types --- radicale/auth/__init__.py | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index e9640f30..1e9d0f2f 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -59,6 +59,7 @@ class BaseAuth: _lc_username: bool _uc_username: bool _strip_domain: bool + _type: str _cache_logins: bool _cache_successful: dict # login -> (digest, time_ns) _cache_successful_logins_expiry: int @@ -78,26 +79,32 @@ class BaseAuth: self._lc_username = configuration.get("auth", "lc_username") self._uc_username = configuration.get("auth", "uc_username") self._strip_domain = configuration.get("auth", "strip_domain") - self._cache_logins = configuration.get("auth", "cache_logins") - self._cache_successful_logins_expiry = configuration.get("auth", "cache_successful_logins_expiry") - if self._cache_successful_logins_expiry < 0: - raise RuntimeError("self._cache_successful_logins_expiry cannot be < 0") - self._cache_failed_logins_expiry = configuration.get("auth", "cache_failed_logins_expiry") - if self._cache_failed_logins_expiry < 0: - raise RuntimeError("self._cache_failed_logins_expiry cannot be < 0") logger.info("auth.strip_domain: %s", self._strip_domain) logger.info("auth.lc_username: %s", self._lc_username) logger.info("auth.uc_username: %s", self._uc_username) if self._lc_username is True and self._uc_username is True: raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") # cache_successful_logins - logger.info("auth.cache_logins: %s", self._cache_logins) - self._cache_successful = dict() - self._cache_failed = dict() - self._cache_failed_logins_salt_ns = time.time_ns() + self._cache_logins = configuration.get("auth", "cache_logins") + self._type = configuration.get("auth", "type") + if (self._type in [ "dovecot", "ldap", "htpasswd" ]) or (self._cache_logins is False): + logger.info("auth.cache_logins: %s", self._cache_logins) + else: + logger.info("auth.cache_logins: %s (but not required for type '%s' and disabled therefore)", self._cache_logins, self._type) + self._cache_logins = False if self._cache_logins is True: + self._cache_successful_logins_expiry = configuration.get("auth", "cache_successful_logins_expiry") + if self._cache_successful_logins_expiry < 0: + raise RuntimeError("self._cache_successful_logins_expiry cannot be < 0") + self._cache_failed_logins_expiry = configuration.get("auth", "cache_failed_logins_expiry") + if self._cache_failed_logins_expiry < 0: + raise RuntimeError("self._cache_failed_logins_expiry cannot be < 0") logger.info("auth.cache_successful_logins_expiry: %s seconds", self._cache_successful_logins_expiry) logger.info("auth.cache_failed_logins_expiry: %s seconds", self._cache_failed_logins_expiry) + # cache init + self._cache_successful = dict() + self._cache_failed = dict() + self._cache_failed_logins_salt_ns = time.time_ns() def _cache_digest(self, login: str, password: str, salt: str) -> str: h = hashlib.sha3_512() From c0acbd4402b06269f89cbc8622e3ab38b128277f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 08:12:49 +0100 Subject: [PATCH 033/254] update changelog --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 353a4e68..e9836cd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,8 @@ # Changelog ## 3.3.4.dev -* Add: option [auth] cache_logins/cache_logins_expiry for caching successful logins -* Improve: log used hash method on debug for htpasswd authentication +* Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins +* Improve: log used hash method and result on debug for htpasswd authentication ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 79ba07e16b1955f795f75c5e3d4a9f4a84f3bdb3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 16:13:05 +0100 Subject: [PATCH 034/254] change default cache times --- DOCUMENTATION.md | 7 ++++--- config | 7 +++++-- radicale/config.py | 4 ++-- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index dc31d9b1..a5238bc6 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -814,7 +814,8 @@ Default: `none` ##### cache_logins -Cache successful/failed logins until expiration time +Cache successful/failed logins until expiration time. Enable this to avoid +overload of authentication backends. Default: `false` @@ -822,13 +823,13 @@ Default: `false` Expiration time of caching successful logins in seconds -Default: `5` +Default: `15` ##### cache_failed_logins_expiry Expiration time of caching failed logins in seconds -Default: `60` +Default: `90` ##### htpasswd_filename diff --git a/config b/config index 429cfca1..9ac082cf 100644 --- a/config +++ b/config @@ -62,11 +62,14 @@ # Value: none | htpasswd | remote_user | http_x_remote_user | ldap | denyall #type = none -# Cache successful logins for until expiration time +# Cache logins for until expiration time #cache_logins = false # Expiration time for caching successful logins in seconds -#cache_logins_expiry = 5 +#cache_successful_logins_expiry = 15 + +## Expiration time of caching failed logins in seconds +#cache_failed_logins_expiry = 90 # URI to the LDAP server #ldap_uri = ldap://localhost diff --git a/radicale/config.py b/radicale/config.py index f71f312b..b165345f 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -188,11 +188,11 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "help": "cache successful/failed logins for until expiration time", "type": bool}), ("cache_successful_logins_expiry", { - "value": "5", + "value": "15", "help": "expiration time for caching successful logins in seconds", "type": int}), ("cache_failed_logins_expiry", { - "value": "60", + "value": "90", "help": "expiration time for caching failed logins in seconds", "type": int}), ("htpasswd_filename", { From 5ce0cee8bfee63b05b318b90d2bd872abe9bce48 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 16:13:52 +0100 Subject: [PATCH 035/254] add chache cleanup and locking --- radicale/auth/__init__.py | 46 +++++++++++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 1e9d0f2f..d8f35e83 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -31,6 +31,7 @@ Take a look at the class ``BaseAuth`` if you want to implement your own. import hashlib import time +import threading from typing import Sequence, Set, Tuple, Union, final from radicale import config, types, utils @@ -63,9 +64,10 @@ class BaseAuth: _cache_logins: bool _cache_successful: dict # login -> (digest, time_ns) _cache_successful_logins_expiry: int - _cache_failed: dict # digest_failed -> (time_ns) + _cache_failed: dict # digest_failed -> (time_ns, login) _cache_failed_logins_expiry: int _cache_failed_logins_salt_ns: int # persistent over runtime + _lock: threading.Lock def __init__(self, configuration: "config.Configuration") -> None: """Initialize BaseAuth. @@ -105,6 +107,7 @@ class BaseAuth: self._cache_successful = dict() self._cache_failed = dict() self._cache_failed_logins_salt_ns = time.time_ns() + self._lock = threading.Lock() def _cache_digest(self, login: str, password: str, salt: str) -> str: h = hashlib.sha3_512() @@ -152,19 +155,34 @@ class BaseAuth: result = "" digest = "" time_ns = time.time_ns() + # cleanup failed login cache to avoid out-of-memory + cache_failed_entries = len(self._cache_failed) + if cache_failed_entries > 0: + logger.debug("Login failed cache investigation start (entries: %d)", cache_failed_entries) + self._lock.acquire() + cache_failed_cleanup = dict() + for digest in self._cache_failed: + (time_ns_cache, login_cache) = self._cache_failed[digest] + age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) + if age_failed > self._cache_failed_logins_expiry: + cache_failed_cleanup[digest] = (login_cache, age_failed) + cache_failed_cleanup_entries = len(cache_failed_cleanup) + logger.debug("Login failed cache cleanup start (entries: %d)", cache_failed_cleanup_entries) + if cache_failed_cleanup_entries > 0: + for digest in cache_failed_cleanup: + (login, age_failed) = cache_failed_cleanup[digest] + logger.debug("Login failed cache entry for user+password expired: '%s' (age: %d > %d sec)", login_cache, age_failed, self._cache_failed_logins_expiry) + del self._cache_failed[digest] + self._lock.release() + logger.debug("Login failed cache investigation finished") + # check for cache failed login digest_failed = login + ":" + self._cache_digest(login, password, str(self._cache_failed_logins_salt_ns)) if self._cache_failed.get(digest_failed): - # login+password found in cache "failed" - time_ns_cache = self._cache_failed[digest_failed] + # login+password found in cache "failed" -> shortcut return + (time_ns_cache, login_cache) = self._cache_failed[digest] age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) - if age_failed > self._cache_failed_logins_expiry: - logger.debug("Login failed cache entry for user+password found but expired: '%s' (age: %d > %d sec)", login, age_failed, self._cache_failed_logins_expiry) - # delete expired failed from cache - del self._cache_failed[digest_failed] - else: - # shortcut return - logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login, age_failed) - return "" + logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login_cache, age_failed) + return "" if self._cache_successful.get(login): # login found in cache "successful" (digest_cache, time_ns_cache) = self._cache_successful[login] @@ -194,14 +212,18 @@ class BaseAuth: # successful login, but expired, digest must be recalculated digest = self._cache_digest(login, password, str(time_ns)) # store successful login in cache + self._lock.acquire() self._cache_successful[login] = (digest, time_ns) + self._lock.release() logger.debug("Login successful cache for user set: '%s'", login) if self._cache_failed.get(digest_failed): logger.debug("Login failed cache for user cleared: '%s'", login) del self._cache_failed[digest_failed] else: logger.debug("Login failed for user+password via backend: '%s'", login) - self._cache_failed[digest_failed] = time_ns + self._lock.acquire() + self._cache_failed[digest_failed] = (time_ns, login) + self._lock.release() logger.debug("Login failed cache for user set: '%s'", login) return result else: From 2489356dda05af19754702f58e0ddc600754dc1b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 16:14:38 +0100 Subject: [PATCH 036/254] implement htpasswd file caching --- radicale/auth/htpasswd.py | 130 ++++++++++++++++++++++++++++++-------- 1 file changed, 102 insertions(+), 28 deletions(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index f872eba5..24cf742f 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -48,8 +48,11 @@ When bcrypt is installed: """ +import os +import time import functools import hmac +import threading from typing import Any from passlib.hash import apr_md5_crypt, sha256_crypt, sha512_crypt @@ -61,15 +64,26 @@ class Auth(auth.BaseAuth): _filename: str _encoding: str + _htpasswd: dict # login -> digest + _htpasswd_mtime_ns: int + _htpasswd_size: bytes + _htpasswd_ok: bool + _htpasswd_not_ok_seconds: int + _htpasswd_not_ok_reminder_seconds: int + _lock: threading.Lock def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) self._filename = configuration.get("auth", "htpasswd_filename") self._encoding = configuration.get("encoding", "stock") encryption: str = configuration.get("auth", "htpasswd_encryption") - logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s'", encryption) + self._htpasswd_ok = False + self._htpasswd_not_ok_reminder_seconds = 60 # currently hardcoded + self._htpasswd_read = self._read_htpasswd(True) + self._lock = threading.Lock() + if encryption == "plain": self._verify = self._plain elif encryption == "md5": @@ -127,6 +141,68 @@ class Auth(auth.BaseAuth): # assumed plaintext return self._plain(hash_value, password) + def _read_htpasswd(self, init: bool) -> bool: + """Read htpasswd file + + init == True: stop on error + init == False: warn/skip on error and set mark to log reminder every interval + + """ + htpasswd_ok = True + if init is True: + info = "Read" + else: + info = "Re-read" + logger.info("%s content of htpasswd file start: %r", info, self._filename) + htpasswd = dict() + try: + with open(self._filename, encoding=self._encoding) as f: + line_num = 0 + entries = 0 + duplicates = 0 + for line in f: + line_num += 1 + line = line.rstrip("\n") + if line.lstrip() and not line.lstrip().startswith("#"): + try: + login, digest = line.split( ":", maxsplit=1) + if login == "" or digest == "": + if init is True: + raise ValueError("htpasswd file contains problematic line not matching : in line: %d" % line_num) + else: + logger.warning("htpasswd file contains problematic line not matching : in line: %d (ignored)", line_num) + htpasswd_ok = False + else: + if htpasswd.get(login): + duplicates += 1 + if init is True: + raise ValueError("htpasswd file contains duplicate login: '%s'", login, line_num) + else: + logger.warning("htpasswd file contains duplicate login: '%s' (line: %d / ignored)", login, line_num) + htpasswd_ok = False + else: + htpasswd[login] = digest + entries += 1 + except ValueError as e: + if init is True: + raise RuntimeError("Invalid htpasswd file %r: %s" % (self._filename, e)) from e + except OSError as e: + if init is True: + raise RuntimeError("Failed to load htpasswd file %r: %s" % (self._filename, e)) from e + else: + logger.warning("Failed to load htpasswd file on re-read: %r" % (self._filename, e)) + htpasswd_ok = False + else: + self._htpasswd_size = os.stat(self._filename).st_size + self._htpasswd_time_ns = os.stat(self._filename).st_mtime_ns + self._htpasswd = htpasswd + logger.info("%s content of htpasswd file done: %r (entries: %d, duplicates: %d)", info, self._filename, entries, duplicates) + if htpasswd_ok is True: + self._htpasswd_not_ok_time = 0 + else: + self._htpasswd_not_ok_time = time.time() + return htpasswd_ok + def _login(self, login: str, password: str) -> str: """Validate credentials. @@ -134,33 +210,31 @@ class Auth(auth.BaseAuth): hash (encrypted password) and check hash against password, using the method specified in the Radicale config. - The content of the file is not cached because reading is generally a - very cheap operation, and it's useful to get live updates of the - htpasswd file. + The content of the file is cached and live updates will be detected by + comparing mtime_ns and size """ - try: - with open(self._filename, encoding=self._encoding) as f: - for line in f: - line = line.rstrip("\n") - if line.lstrip() and not line.lstrip().startswith("#"): - try: - hash_login, hash_value = line.split( - ":", maxsplit=1) - # Always compare both login and password to avoid - # timing attacks, see #591. - login_ok = hmac.compare_digest( - hash_login.encode(), login.encode()) - (method, password_ok) = self._verify(hash_value, password) - if login_ok and password_ok: - logger.debug("Password verification for user '%s' with method '%s': password_ok=%s", login, method, password_ok) - return login - elif login_ok: - logger.debug("Password verification for user '%s' with method '%s': password_ok=%s", login, method, password_ok) - except ValueError as e: - raise RuntimeError("Invalid htpasswd file %r: %s" % - (self._filename, e)) from e - except OSError as e: - raise RuntimeError("Failed to load htpasswd file %r: %s" % - (self._filename, e)) from e + # check and re-read file if required + htpasswd_size = os.stat(self._filename).st_size + htpasswd_time_ns = os.stat(self._filename).st_mtime_ns + if (htpasswd_size != self._htpasswd_size) or (htpasswd_time_ns != self._htpasswd_time_ns): + with self._lock: + self._htpasswd_ok = self._read_htpasswd(False) + else: + # log reminder of problemantic file every interval + if (self._htpasswd_ok is False) and (self._htpasswd_not_ok_time > 0): + current_time = time.time() + if (current_time - self._htpasswd_not_ok_time) > self._htpasswd_not_ok_reminder_seconds: + logger.warning("htpasswd file still contains issues (REMINDER, check warnings in the past): %r" % self._filename) + self._htpasswd_not_ok_time = current_time + if self._htpasswd.get(login): + digest = self._htpasswd[login] + (method, password_ok) = self._verify(digest, password) + logger.debug("Login verification successful for user: '%s' (method '%s')", login, method) + if password_ok: + return login + else: + logger.debug("Login verification failed for user: '%s' ( method '%s')", login, method) + else: + logger.debug("Login verification user not found: '%s'", login) return "" From 9cac3008b7170441924aa5ad583a89c5949cf99e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 16:15:51 +0100 Subject: [PATCH 037/254] extend changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9836cd1..505202ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## 3.3.4.dev * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins * Improve: log used hash method and result on debug for htpasswd authentication +* Improve: htpasswd file now read and verified on start, automatic re-read triggered on change (mtime or size) ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 5357e692d9af661b35f69c47cced0bb3f648a490 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 17:09:21 +0100 Subject: [PATCH 038/254] [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file --- radicale/auth/htpasswd.py | 44 +++++++++++++++++++++++++++++++-------- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 24cf742f..a5f46f93 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -70,6 +70,8 @@ class Auth(auth.BaseAuth): _htpasswd_ok: bool _htpasswd_not_ok_seconds: int _htpasswd_not_ok_reminder_seconds: int + _htpasswd_bcrypt_use: int + _has_bcrypt: bool _lock: threading.Lock def __init__(self, configuration: config.Configuration) -> None: @@ -79,9 +81,10 @@ class Auth(auth.BaseAuth): encryption: str = configuration.get("auth", "htpasswd_encryption") logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s'", encryption) + self._has_bcrypt = False self._htpasswd_ok = False self._htpasswd_not_ok_reminder_seconds = 60 # currently hardcoded - self._htpasswd_read = self._read_htpasswd(True) + (self._htpasswd_ok, self._htpasswd_bcrypt_use) = self._read_htpasswd(True) self._lock = threading.Lock() if encryption == "plain": @@ -96,14 +99,24 @@ class Auth(auth.BaseAuth): try: import bcrypt except ImportError as e: - raise RuntimeError( - "The htpasswd encryption method 'bcrypt' or 'autodetect' requires " - "the bcrypt module.") from e + if (encryption == "autodetect") and (self._htpasswd_bcrypt_use == 0): + logger.warning("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' which can require bycrypt module, but currently no entries found", encryption) + else: + raise RuntimeError( + "The htpasswd encryption method 'bcrypt' or 'autodetect' requires " + "the bcrypt module (entries found: %d)." % self._htpasswd_bcrypt_use) from e + else: + if encryption == "autodetect": + if self._htpasswd_bcrypt_use == 0: + logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' and bycrypt module found, but currently not required", encryption) + else: + logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' and bycrypt module found (entries found: %d)", encryption, self._htpasswd_bcrypt_use) if encryption == "bcrypt": self._verify = functools.partial(self._bcrypt, bcrypt) else: self._verify = self._autodetect self._verify_bcrypt = functools.partial(self._bcrypt, bcrypt) + self._has_bcrypt = True else: raise RuntimeError("The htpasswd encryption method %r is not " "supported." % encryption) @@ -141,7 +154,7 @@ class Auth(auth.BaseAuth): # assumed plaintext return self._plain(hash_value, password) - def _read_htpasswd(self, init: bool) -> bool: + def _read_htpasswd(self, init: bool) -> (bool, int): """Read htpasswd file init == True: stop on error @@ -149,6 +162,7 @@ class Auth(auth.BaseAuth): """ htpasswd_ok = True + bcrypt_use = 0 if init is True: info = "Read" else: @@ -166,12 +180,14 @@ class Auth(auth.BaseAuth): if line.lstrip() and not line.lstrip().startswith("#"): try: login, digest = line.split( ":", maxsplit=1) + skip = False if login == "" or digest == "": if init is True: raise ValueError("htpasswd file contains problematic line not matching : in line: %d" % line_num) else: logger.warning("htpasswd file contains problematic line not matching : in line: %d (ignored)", line_num) htpasswd_ok = False + skip = True else: if htpasswd.get(login): duplicates += 1 @@ -180,9 +196,19 @@ class Auth(auth.BaseAuth): else: logger.warning("htpasswd file contains duplicate login: '%s' (line: %d / ignored)", login, line_num) htpasswd_ok = False + skip = True else: - htpasswd[login] = digest - entries += 1 + if digest.startswith("$2y$", 0, 4) and len(digest) == 60: + if init is True: + bcrypt_use += 1 + else: + if self._has_bcrypt is False: + logger.warning("htpasswd file contains bcrypt digest login: '%s' (line: %d / ignored because module is not loaded)", login, line_num) + skip = True + htpasswd_ok = False + if skip is False: + htpasswd[login] = digest + entries += 1 except ValueError as e: if init is True: raise RuntimeError("Invalid htpasswd file %r: %s" % (self._filename, e)) from e @@ -201,7 +227,7 @@ class Auth(auth.BaseAuth): self._htpasswd_not_ok_time = 0 else: self._htpasswd_not_ok_time = time.time() - return htpasswd_ok + return (htpasswd_ok, bcrypt_use) def _login(self, login: str, password: str) -> str: """Validate credentials. @@ -219,7 +245,7 @@ class Auth(auth.BaseAuth): htpasswd_time_ns = os.stat(self._filename).st_mtime_ns if (htpasswd_size != self._htpasswd_size) or (htpasswd_time_ns != self._htpasswd_time_ns): with self._lock: - self._htpasswd_ok = self._read_htpasswd(False) + (self._htpasswd_ok, self._htpasswd_bcrypt_use) = self._read_htpasswd(False) else: # log reminder of problemantic file every interval if (self._htpasswd_ok is False) and (self._htpasswd_not_ok_time > 0): From c00ab76c831488850c48ed9cea3818b0a0fef7b6 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 17:09:29 +0100 Subject: [PATCH 039/254] [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file / changelog --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 505202ed..4d8bbaa1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,8 +2,9 @@ ## 3.3.4.dev * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins -* Improve: log used hash method and result on debug for htpasswd authentication -* Improve: htpasswd file now read and verified on start, automatic re-read triggered on change (mtime or size) +* Improve: [auth] log used hash method and result on debug for htpasswd authentication +* Improve: [auth] htpasswd file now read and verified on start, automatic re-read triggered on change (mtime or size) +* Improve: [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From c1be04abd1a3c23ffe8bac5982a04076e8dec5ff Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 31 Dec 2024 18:26:43 +0100 Subject: [PATCH 040/254] fixes suggested by tox --- radicale/auth/__init__.py | 4 ++-- radicale/auth/htpasswd.py | 17 +++++++++-------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index d8f35e83..fc453a84 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -30,8 +30,8 @@ Take a look at the class ``BaseAuth`` if you want to implement your own. """ import hashlib -import time import threading +import time from typing import Sequence, Set, Tuple, Union, final from radicale import config, types, utils @@ -89,7 +89,7 @@ class BaseAuth: # cache_successful_logins self._cache_logins = configuration.get("auth", "cache_logins") self._type = configuration.get("auth", "type") - if (self._type in [ "dovecot", "ldap", "htpasswd" ]) or (self._cache_logins is False): + if (self._type in ["dovecot", "ldap", "htpasswd"]) or (self._cache_logins is False): logger.info("auth.cache_logins: %s", self._cache_logins) else: logger.info("auth.cache_logins: %s (but not required for type '%s' and disabled therefore)", self._cache_logins, self._type) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index a5f46f93..e4c420cd 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -48,12 +48,12 @@ When bcrypt is installed: """ -import os -import time import functools import hmac +import os import threading -from typing import Any +import time +from typing import Any, Tuple from passlib.hash import apr_md5_crypt, sha256_crypt, sha512_crypt @@ -66,9 +66,9 @@ class Auth(auth.BaseAuth): _encoding: str _htpasswd: dict # login -> digest _htpasswd_mtime_ns: int - _htpasswd_size: bytes + _htpasswd_size: int _htpasswd_ok: bool - _htpasswd_not_ok_seconds: int + _htpasswd_not_ok_time: float _htpasswd_not_ok_reminder_seconds: int _htpasswd_bcrypt_use: int _has_bcrypt: bool @@ -154,7 +154,7 @@ class Auth(auth.BaseAuth): # assumed plaintext return self._plain(hash_value, password) - def _read_htpasswd(self, init: bool) -> (bool, int): + def _read_htpasswd(self, init: bool) -> Tuple[bool, int]: """Read htpasswd file init == True: stop on error @@ -168,6 +168,7 @@ class Auth(auth.BaseAuth): else: info = "Re-read" logger.info("%s content of htpasswd file start: %r", info, self._filename) + htpasswd: dict[str, str] htpasswd = dict() try: with open(self._filename, encoding=self._encoding) as f: @@ -179,7 +180,7 @@ class Auth(auth.BaseAuth): line = line.rstrip("\n") if line.lstrip() and not line.lstrip().startswith("#"): try: - login, digest = line.split( ":", maxsplit=1) + login, digest = line.split(":", maxsplit=1) skip = False if login == "" or digest == "": if init is True: @@ -216,7 +217,7 @@ class Auth(auth.BaseAuth): if init is True: raise RuntimeError("Failed to load htpasswd file %r: %s" % (self._filename, e)) from e else: - logger.warning("Failed to load htpasswd file on re-read: %r" % (self._filename, e)) + logger.warning("Failed to load htpasswd file on re-read: %r" % self._filename) htpasswd_ok = False else: self._htpasswd_size = os.stat(self._filename).st_size From 6ebca084237fe315ab5fe78831709b80300aeb5c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 15:47:22 +0100 Subject: [PATCH 041/254] extend copyright --- radicale/app/__init__.py | 2 +- radicale/auth/__init__.py | 2 +- radicale/auth/htpasswd.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/radicale/app/__init__.py b/radicale/app/__init__.py index 4f11ad3f..28c98802 100644 --- a/radicale/app/__init__.py +++ b/radicale/app/__init__.py @@ -3,7 +3,7 @@ # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub # Copyright © 2017-2019 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index fc453a84..679ecf9d 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -3,7 +3,7 @@ # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub # Copyright © 2017-2022 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index e4c420cd..8ed1ad33 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -3,7 +3,7 @@ # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub # Copyright © 2017-2019 Unrud -# Copyright © 2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From c10ce7ae4661f2be8e46fd74db009d88e31f4c25 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:30:34 +0100 Subject: [PATCH 042/254] add support for login info log --- radicale/app/__init__.py | 10 +++++----- radicale/auth/__init__.py | 13 +++++++++---- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/radicale/app/__init__.py b/radicale/app/__init__.py index 28c98802..eabac455 100644 --- a/radicale/app/__init__.py +++ b/radicale/app/__init__.py @@ -252,7 +252,7 @@ class Application(ApplicationPartDelete, ApplicationPartHead, self.configuration, environ, base64.b64decode( authorization.encode("ascii"))).split(":", 1) - user = self._auth.login(login, password) or "" if login else "" + (user, info) = self._auth.login(login, password) or ("", "") if login else ("", "") if self.configuration.get("auth", "type") == "ldap": try: logger.debug("Groups %r", ",".join(self._auth._ldap_groups)) @@ -260,12 +260,12 @@ class Application(ApplicationPartDelete, ApplicationPartHead, except AttributeError: pass if user and login == user: - logger.info("Successful login: %r", user) + logger.info("Successful login: %r (%s)", user, info) elif user: - logger.info("Successful login: %r -> %r", login, user) + logger.info("Successful login: %r -> %r (%s)", login, user, info) elif login: - logger.warning("Failed login attempt from %s: %r", - remote_host, login) + logger.warning("Failed login attempt from %s: %r (%s)", + remote_host, login, info) # Random delay to avoid timing oracles and bruteforce attacks if self._auth_delay > 0: random_delay = self._auth_delay * (0.5 + random.random()) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 679ecf9d..c1c7e884 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -143,7 +143,8 @@ class BaseAuth: raise NotImplementedError @final - def login(self, login: str, password: str) -> str: + def login(self, login: str, password: str) -> Tuple[str, str]: + result_from_cache = False if self._lc_username: login = login.lower() if self._uc_username: @@ -182,7 +183,7 @@ class BaseAuth: (time_ns_cache, login_cache) = self._cache_failed[digest] age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login_cache, age_failed) - return "" + return ("", self._type + " / cached") if self._cache_successful.get(login): # login found in cache "successful" (digest_cache, time_ns_cache) = self._cache_successful[login] @@ -197,6 +198,7 @@ class BaseAuth: else: logger.debug("Login successful cache entry for user+password found: '%s' (age: %d sec)", login, age_success) result = login + result_from_cache = True else: logger.debug("Login successful cache entry for user+password not matching: '%s'", login) else: @@ -225,6 +227,9 @@ class BaseAuth: self._cache_failed[digest_failed] = (time_ns, login) self._lock.release() logger.debug("Login failed cache for user set: '%s'", login) - return result + if result_from_cache is True: + return (result, self._type + " / cached") + else: + return (result, self._type) else: - return self._login(login, password) + return (self._login(login, password), self._type) From 46fe98f60b3cdc967144024b5d53727294d5dea0 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:31:31 +0100 Subject: [PATCH 043/254] make htpasswd cache optional --- DOCUMENTATION.md | 6 ++++ config | 3 ++ radicale/auth/htpasswd.py | 61 +++++++++++++++++++++++++-------------- radicale/config.py | 4 +++ 4 files changed, 53 insertions(+), 21 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index a5238bc6..8f166e6e 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -872,6 +872,12 @@ Available methods: Default: `autodetect` +##### htpasswd_cache + +Enable caching of htpasswd file based on size and mtime_ns + +Default: `False` + ##### delay Average delay after failed login attempts in seconds. diff --git a/config b/config index 9ac082cf..3b6108fe 100644 --- a/config +++ b/config @@ -109,6 +109,9 @@ # bcrypt requires the installation of 'bcrypt' module. #htpasswd_encryption = autodetect +# Enable caching of htpasswd file based on size and mtime_ns +#htpasswd_cache = False + # Incorrect authentication delay (seconds) #delay = 1 diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 8ed1ad33..ec5bd280 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -71,6 +71,7 @@ class Auth(auth.BaseAuth): _htpasswd_not_ok_time: float _htpasswd_not_ok_reminder_seconds: int _htpasswd_bcrypt_use: int + _htpasswd_cache: bool _has_bcrypt: bool _lock: threading.Lock @@ -78,13 +79,15 @@ class Auth(auth.BaseAuth): super().__init__(configuration) self._filename = configuration.get("auth", "htpasswd_filename") self._encoding = configuration.get("encoding", "stock") + self._htpasswd_cache = configuration.get("auth", "htpasswd_cache") + logger.info("auth htpasswd cache: %s", self._htpasswd_cache) encryption: str = configuration.get("auth", "htpasswd_encryption") logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s'", encryption) self._has_bcrypt = False self._htpasswd_ok = False self._htpasswd_not_ok_reminder_seconds = 60 # currently hardcoded - (self._htpasswd_ok, self._htpasswd_bcrypt_use) = self._read_htpasswd(True) + (self._htpasswd_ok, self._htpasswd_bcrypt_use, self._htpasswd, self._htpasswd_size, self._htpasswd_mtime_ns) = self._read_htpasswd(True, False) self._lock = threading.Lock() if encryption == "plain": @@ -154,27 +157,32 @@ class Auth(auth.BaseAuth): # assumed plaintext return self._plain(hash_value, password) - def _read_htpasswd(self, init: bool) -> Tuple[bool, int]: + def _read_htpasswd(self, init: bool, suppress: bool) -> Tuple[bool, int, dict]: """Read htpasswd file init == True: stop on error init == False: warn/skip on error and set mark to log reminder every interval + suppress == True: suppress warnings, change info to debug (used in non-caching mode) + suppress == False: do not suppress warnings (used in caching mode) """ htpasswd_ok = True bcrypt_use = 0 - if init is True: + if (init is True) or (suppress is True): info = "Read" else: info = "Re-read" - logger.info("%s content of htpasswd file start: %r", info, self._filename) - htpasswd: dict[str, str] - htpasswd = dict() + if suppress is False: + logger.info("%s content of htpasswd file start: %r", info, self._filename) + else: + logger.debug("%s content of htpasswd file start: %r", info, self._filename) + htpasswd: dict[str, str] = dict() + entries = 0 + duplicates = 0 + errors = 0 try: with open(self._filename, encoding=self._encoding) as f: line_num = 0 - entries = 0 - duplicates = 0 for line in f: line_num += 1 line = line.rstrip("\n") @@ -186,6 +194,7 @@ class Auth(auth.BaseAuth): if init is True: raise ValueError("htpasswd file contains problematic line not matching : in line: %d" % line_num) else: + errors += 1 logger.warning("htpasswd file contains problematic line not matching : in line: %d (ignored)", line_num) htpasswd_ok = False skip = True @@ -219,16 +228,17 @@ class Auth(auth.BaseAuth): else: logger.warning("Failed to load htpasswd file on re-read: %r" % self._filename) htpasswd_ok = False + htpasswd_size = os.stat(self._filename).st_size + htpasswd_mtime_ns = os.stat(self._filename).st_mtime_ns + if suppress is False: + logger.info("%s content of htpasswd file done: %r (entries: %d, duplicates: %d, errors: %d)", info, self._filename, entries, duplicates, errors) else: - self._htpasswd_size = os.stat(self._filename).st_size - self._htpasswd_time_ns = os.stat(self._filename).st_mtime_ns - self._htpasswd = htpasswd - logger.info("%s content of htpasswd file done: %r (entries: %d, duplicates: %d)", info, self._filename, entries, duplicates) + logger.debug("%s content of htpasswd file done: %r (entries: %d, duplicates: %d, errors: %d)", info, self._filename, entries, duplicates, errors) if htpasswd_ok is True: self._htpasswd_not_ok_time = 0 else: self._htpasswd_not_ok_time = time.time() - return (htpasswd_ok, bcrypt_use) + return (htpasswd_ok, bcrypt_use, htpasswd, htpasswd_size, htpasswd_mtime_ns) def _login(self, login: str, password: str) -> str: """Validate credentials. @@ -241,19 +251,28 @@ class Auth(auth.BaseAuth): comparing mtime_ns and size """ - # check and re-read file if required - htpasswd_size = os.stat(self._filename).st_size - htpasswd_time_ns = os.stat(self._filename).st_mtime_ns - if (htpasswd_size != self._htpasswd_size) or (htpasswd_time_ns != self._htpasswd_time_ns): + if self._htpasswd_cache is True: + # check and re-read file if required with self._lock: - (self._htpasswd_ok, self._htpasswd_bcrypt_use) = self._read_htpasswd(False) + htpasswd_size = os.stat(self._filename).st_size + htpasswd_mtime_ns = os.stat(self._filename).st_mtime_ns + if (htpasswd_size != self._htpasswd_size) or (htpasswd_mtime_ns != self._htpasswd_mtime_ns): + (self._htpasswd_ok, self._htpasswd_bcrypt_use, self._htpasswd, self._htpasswd_size, self._htpasswd_mtime_ns) = self._read_htpasswd(False, False) + self._htpasswd_not_ok_time = 0 else: - # log reminder of problemantic file every interval - if (self._htpasswd_ok is False) and (self._htpasswd_not_ok_time > 0): - current_time = time.time() + # read file on every request + (self._htpasswd_ok, self._htpasswd_bcrypt_use, self._htpasswd, self._htpasswd_size, self._htpasswd_mtime_ns) = self._read_htpasswd(False, True) + + # log reminder of problemantic file every interval + current_time = time.time() + if (self._htpasswd_ok is False): + if (self._htpasswd_not_ok_time > 0): if (current_time - self._htpasswd_not_ok_time) > self._htpasswd_not_ok_reminder_seconds: logger.warning("htpasswd file still contains issues (REMINDER, check warnings in the past): %r" % self._filename) self._htpasswd_not_ok_time = current_time + else: + self._htpasswd_not_ok_time = current_time + if self._htpasswd.get(login): digest = self._htpasswd[login] (method, password_ok) = self._verify(digest, password) diff --git a/radicale/config.py b/radicale/config.py index b165345f..224f68d3 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -203,6 +203,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "autodetect", "help": "htpasswd encryption method", "type": str}), + ("htpasswd_cache", { + "value": "False", + "help": "enable caching of htpasswd file", + "type": bool}), ("dovecot_socket", { "value": "/var/run/dovecot/auth-client", "help": "dovecot auth socket", From 8fdbd0dbf6e69b35e8651988dfff58de69f8f84c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:31:47 +0100 Subject: [PATCH 044/254] log cosmetics --- radicale/auth/htpasswd.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index ec5bd280..1f6c3865 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -113,7 +113,7 @@ class Auth(auth.BaseAuth): if self._htpasswd_bcrypt_use == 0: logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' and bycrypt module found, but currently not required", encryption) else: - logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' and bycrypt module found (entries found: %d)", encryption, self._htpasswd_bcrypt_use) + logger.info("auth htpasswd encryption is 'radicale.auth.htpasswd_encryption.%s' and bycrypt module found (bcrypt entries found: %d)", encryption, self._htpasswd_bcrypt_use) if encryption == "bcrypt": self._verify = functools.partial(self._bcrypt, bcrypt) else: From ca665c4849267a5be56f692558b1182b398a2e93 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:32:07 +0100 Subject: [PATCH 045/254] add a dummy delay action --- radicale/auth/htpasswd.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 1f6c3865..57bf1a40 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -282,5 +282,7 @@ class Auth(auth.BaseAuth): else: logger.debug("Login verification failed for user: '%s' ( method '%s')", login, method) else: + # dummy delay + (method, password_ok) = self._plain(str(htpasswd_mtime_ns), password) logger.debug("Login verification user not found: '%s'", login) return "" From 8604dacad07e0619e9eb44d793328193d3cfb0f5 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:40:55 +0100 Subject: [PATCH 046/254] fix typing --- radicale/auth/htpasswd.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 57bf1a40..f444fdc3 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -157,7 +157,7 @@ class Auth(auth.BaseAuth): # assumed plaintext return self._plain(hash_value, password) - def _read_htpasswd(self, init: bool, suppress: bool) -> Tuple[bool, int, dict]: + def _read_htpasswd(self, init: bool, suppress: bool) -> Tuple[bool, int, dict, int, int]: """Read htpasswd file init == True: stop on error From 5a591b6471b676291cba07854fa2c9b13d1f2d62 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 16:41:11 +0100 Subject: [PATCH 047/254] use different token --- radicale/auth/htpasswd.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index f444fdc3..22b1b1ba 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -283,6 +283,6 @@ class Auth(auth.BaseAuth): logger.debug("Login verification failed for user: '%s' ( method '%s')", login, method) else: # dummy delay - (method, password_ok) = self._plain(str(htpasswd_mtime_ns), password) + (method, password_ok) = self._plain(str(time.time_ns()), password) logger.debug("Login verification user not found: '%s'", login) return "" From 5d48ba5d1ec4e28469a9553e7217a24284f40160 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 17:28:09 +0100 Subject: [PATCH 048/254] add test cases --- radicale/tests/test_auth.py | 48 ++++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 1142caf4..23042b20 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -2,7 +2,7 @@ # Copyright © 2012-2016 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2022 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -28,6 +28,7 @@ import sys from typing import Iterable, Tuple, Union import pytest +import logging from radicale import xmlutils from radicale.tests import BaseTest @@ -101,6 +102,51 @@ class TestBaseAuthRequests(BaseTest): def test_htpasswd_multi(self) -> None: self._test_htpasswd("plain", "ign:ign\ntmp:bepo") + # login cache successful + def test_htpasswd_login_cache_successful_plain(self, caplog) -> None: + caplog.set_level(logging.INFO) + self.configure({"auth": {"cache_logins": "True"}}) + self._test_htpasswd("plain", "tmp:bepo", (("tmp", "bepo", True), ("tmp", "bepo", True))) + htpasswd_found = False + htpasswd_cached_found = False + for line in caplog.messages: + if line == "Successful login: 'tmp' (htpasswd)": + htpasswd_found = True + elif line == "Successful login: 'tmp' (htpasswd / cached)": + htpasswd_cached_found = True + if (htpasswd_found is False) or (htpasswd_cached_found is False): + raise ValueError("Logging misses expected log lines") + + # login cache failed + def test_htpasswd_login_cache_failed_plain(self, caplog) -> None: + caplog.set_level(logging.INFO) + self.configure({"auth": {"cache_logins": "True"}}) + self._test_htpasswd("plain", "tmp:bepo", (("tmp", "bepo1", False), ("tmp", "bepo1", False))) + htpasswd_found = False + htpasswd_cached_found = False + for line in caplog.messages: + if line == "Failed login attempt from unknown: 'tmp' (htpasswd)": + htpasswd_found = True + elif line == "Failed login attempt from unknown: 'tmp' (htpasswd / cached)": + htpasswd_cached_found = True + if (htpasswd_found is False) or (htpasswd_cached_found is False): + raise ValueError("Logging misses expected log lines") + + # htpasswd file cache + def test_htpasswd_file_cache(self, caplog) -> None: + self.configure({"auth": {"htpasswd_cache": "True"}}) + self._test_htpasswd("plain", "tmp:bepo") + + # detection of broken htpasswd file entries + def test_htpasswd_broken(self) -> None: + for userpass in ["tmp:", ":tmp" ]: + try: + self._test_htpasswd("plain", userpass) + except RuntimeError: + pass + else: + raise + @pytest.mark.skipif(sys.platform == "win32", reason="leading and trailing " "whitespaces not allowed in file names") def test_htpasswd_whitespace_user(self) -> None: From 0a5ae5b0b4faa9690c48f909f30c39157ef847c9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 17:31:16 +0100 Subject: [PATCH 049/254] extend startup logging for htpasswd --- radicale/auth/htpasswd.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 22b1b1ba..cc94a8f9 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -78,7 +78,9 @@ class Auth(auth.BaseAuth): def __init__(self, configuration: config.Configuration) -> None: super().__init__(configuration) self._filename = configuration.get("auth", "htpasswd_filename") + logger.info("auth htpasswd file: %r", self._filename) self._encoding = configuration.get("encoding", "stock") + logger.info("auth htpasswd file encoding: %r", self._encoding) self._htpasswd_cache = configuration.get("auth", "htpasswd_cache") logger.info("auth htpasswd cache: %s", self._htpasswd_cache) encryption: str = configuration.get("auth", "htpasswd_encryption") From 3763f28ae4eab549a444a2921923138d1238a098 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 17:36:15 +0100 Subject: [PATCH 050/254] tox fixes --- radicale/tests/test_auth.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 23042b20..f2ba577b 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -23,12 +23,12 @@ Radicale tests with simple requests and authentication. """ import base64 +import logging import os import sys from typing import Iterable, Tuple, Union import pytest -import logging from radicale import xmlutils from radicale.tests import BaseTest @@ -139,7 +139,7 @@ class TestBaseAuthRequests(BaseTest): # detection of broken htpasswd file entries def test_htpasswd_broken(self) -> None: - for userpass in ["tmp:", ":tmp" ]: + for userpass in ["tmp:", ":tmp"]: try: self._test_htpasswd("plain", userpass) except RuntimeError: From 70c4a34eb8c6072cb3658f3fe7b3b44fbdb0616d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Wed, 1 Jan 2025 17:36:33 +0100 Subject: [PATCH 051/254] fix/extend changelog --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d8bbaa1..bade4998 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,8 +3,10 @@ ## 3.3.4.dev * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins * Improve: [auth] log used hash method and result on debug for htpasswd authentication -* Improve: [auth] htpasswd file now read and verified on start, automatic re-read triggered on change (mtime or size) +* Improve: [auth] htpasswd file now read and verified on start +* Add: option [auth] htpasswd_cache to automatic re-read triggered on change (mtime or size) instead reading on each request * Improve: [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file +* Improve: [auth] successful/failed login logs now type and whether result was taken from cache ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 6f0ac545f0f35438c5105d874118abd381fd2603 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 2 Jan 2025 08:08:22 +0100 Subject: [PATCH 052/254] code fix --- radicale/auth/htpasswd.py | 43 ++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index cc94a8f9..842481fd 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -249,10 +249,19 @@ class Auth(auth.BaseAuth): hash (encrypted password) and check hash against password, using the method specified in the Radicale config. - The content of the file is cached and live updates will be detected by + Optional: the content of the file is cached and live updates will be detected by comparing mtime_ns and size + TODO: improve against timing attacks + see also issue 591 + but also do not delay that much + see also issue 1466 + + As several hash methods are supported which have different speed a time based gap would be required + """ + login_ok = False + digest: str if self._htpasswd_cache is True: # check and re-read file if required with self._lock: @@ -261,22 +270,28 @@ class Auth(auth.BaseAuth): if (htpasswd_size != self._htpasswd_size) or (htpasswd_mtime_ns != self._htpasswd_mtime_ns): (self._htpasswd_ok, self._htpasswd_bcrypt_use, self._htpasswd, self._htpasswd_size, self._htpasswd_mtime_ns) = self._read_htpasswd(False, False) self._htpasswd_not_ok_time = 0 + + # log reminder of problemantic file every interval + current_time = time.time() + if (self._htpasswd_ok is False): + if (self._htpasswd_not_ok_time > 0): + if (current_time - self._htpasswd_not_ok_time) > self._htpasswd_not_ok_reminder_seconds: + logger.warning("htpasswd file still contains issues (REMINDER, check warnings in the past): %r" % self._filename) + self._htpasswd_not_ok_time = current_time + else: + self._htpasswd_not_ok_time = current_time + + if self._htpasswd.get(login): + digest = self._htpasswd[login] + login_ok = True else: # read file on every request - (self._htpasswd_ok, self._htpasswd_bcrypt_use, self._htpasswd, self._htpasswd_size, self._htpasswd_mtime_ns) = self._read_htpasswd(False, True) + (htpasswd_ok, htpasswd_bcrypt_use, htpasswd, htpasswd_size, htpasswd_mtime_ns) = self._read_htpasswd(False, True) + if htpasswd.get(login): + digest = htpasswd[login] + login_ok = True - # log reminder of problemantic file every interval - current_time = time.time() - if (self._htpasswd_ok is False): - if (self._htpasswd_not_ok_time > 0): - if (current_time - self._htpasswd_not_ok_time) > self._htpasswd_not_ok_reminder_seconds: - logger.warning("htpasswd file still contains issues (REMINDER, check warnings in the past): %r" % self._filename) - self._htpasswd_not_ok_time = current_time - else: - self._htpasswd_not_ok_time = current_time - - if self._htpasswd.get(login): - digest = self._htpasswd[login] + if login_ok is True: (method, password_ok) = self._verify(digest, password) logger.debug("Login verification successful for user: '%s' (method '%s')", login, method) if password_ok: From 6f82333ff7ab69d5ed8c7d6d11bbdb77f535f7cf Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 17:18:00 +0100 Subject: [PATCH 053/254] LDAP auth: harmonize _login2() and _login3() methods --- radicale/auth/ldap.py | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 80ceb448..4833d18d 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -112,12 +112,18 @@ class Auth(auth.BaseAuth): conn.set_option(self.ldap.OPT_REFERRALS, 0) conn.simple_bind_s(self._ldap_reader_dn, self._ldap_secret) """Search for the dn of user to authenticate""" - res = conn.search_s(self._ldap_base, self.ldap.SCOPE_SUBTREE, filterstr=self._ldap_filter.format(login), attrlist=['memberOf']) + res = conn.search_s( + self._ldap_base, + self.ldap.SCOPE_SUBTREE, + filterstr=self._ldap_filter.format(login), + attrlist=['memberOf'] + ) if len(res) == 0: """User could not be found""" return "" - user_dn = res[0][0] - logger.debug("LDAP Auth user: %s", user_dn) + user_entry = res[0] + user_dn = user_entry[0] + logger.debug(f"_login2 found LDAP user DN {user_dn}") """Close LDAP connection""" conn.unbind() except Exception as e: @@ -132,11 +138,12 @@ class Auth(auth.BaseAuth): tmp: list[str] = [] if self._ldap_load_groups: tmp = [] - for t in res[0][1]['memberOf']: - tmp.append(t.decode('utf-8').split(',')[0][3:]) + for g in user_entry[1]['memberOf']: + tmp.append(g.decode('utf-8').split(',')[0][3:]) self._ldap_groups = set(tmp) - logger.debug("LDAP Auth groups of user: %s", ",".join(self._ldap_groups)) + logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups)) conn.unbind() + logger.debug(f"_login2 {login} successfully authenticated") return login except self.ldap.INVALID_CREDENTIALS: return "" @@ -182,18 +189,20 @@ class Auth(auth.BaseAuth): user_entry = conn.response[0] conn.unbind() user_dn = user_entry['dn'] - logger.debug(f"_login3 found user_dn {user_dn}") + logger.debug(f"_login3 found LDAP user DN {user_dn}") try: """Try to bind as the user itself""" conn = self.ldap3.Connection(server, user_dn, password=password) if not conn.bind(): logger.debug(f"_login3 user '{login}' cannot be found") return "" + tmp: list[str] = [] if self._ldap_load_groups: tmp = [] for g in user_entry['attributes']['memberOf']: tmp.append(g.split(',')[0][3:]) self._ldap_groups = set(tmp) + logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups)) conn.unbind() logger.debug(f"_login3 {login} successfully authenticated") return login From c243ae4ebf52a833ebe04d71001d8bad4fa93f72 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 07:16:27 +0100 Subject: [PATCH 054/254] LDAP auth: require exactly one result when searching for the LDAP user DN This makes sure not fail securely when the query returns multiple entries - correct grammar in some cases - we're doing _authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version - align formatting & messages better between _login2() and _login3() --- radicale/auth/ldap.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 4833d18d..4f80a362 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -118,8 +118,9 @@ class Auth(auth.BaseAuth): filterstr=self._ldap_filter.format(login), attrlist=['memberOf'] ) - if len(res) == 0: - """User could not be found""" + if len(res) != 1: + """User could not be found unambiguously""" + logger.debug(f"_login2 no unique DN found for '{login}'") return "" user_entry = res[0] user_dn = user_entry[0] @@ -181,9 +182,9 @@ class Auth(auth.BaseAuth): search_scope=self.ldap3.SUBTREE, attributes=['memberOf'] ) - if len(conn.entries) == 0: - """User could not be found""" - logger.debug(f"_login3 user '{login}' cannot be found") + if len(conn.entries) != 1: + """User could not be found unambiguously""" + logger.debug(f"_login3 no unique DN found for '{login}'") return "" user_entry = conn.response[0] From 8c2feb4726857746d1afbf10f77cb43f3a3d1aad Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 08:29:27 +0100 Subject: [PATCH 055/254] LDAP auth: escape values used in LDAP filters to avoid possible injection of malicious code. --- radicale/auth/ldap.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 4f80a362..25da242c 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -112,10 +112,12 @@ class Auth(auth.BaseAuth): conn.set_option(self.ldap.OPT_REFERRALS, 0) conn.simple_bind_s(self._ldap_reader_dn, self._ldap_secret) """Search for the dn of user to authenticate""" + escaped_login = self.ldap.filter.escape_filter_chars(login) + logger.debug(f"_login2 login escaped for LDAP filters: {escaped_login}") res = conn.search_s( self._ldap_base, self.ldap.SCOPE_SUBTREE, - filterstr=self._ldap_filter.format(login), + filterstr=self._ldap_filter.format(escaped_login), attrlist=['memberOf'] ) if len(res) != 1: @@ -176,9 +178,11 @@ class Auth(auth.BaseAuth): logger.debug(f"_login3 bind as {self._ldap_reader_dn}") """Search the user dn""" + escaped_login = self.ldap3.utils.conv.escape_filter_chars(login) + logger.debug(f"_login3 login escaped for LDAP filters: {escaped_login}") conn.search( search_base=self._ldap_base, - search_filter=self._ldap_filter.format(login), + search_filter=self._ldap_filter.format(escaped_login), search_scope=self.ldap3.SUBTREE, attributes=['memberOf'] ) From 0253682c0049011ed267887d1bff8b5b02e49050 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 13:18:39 +0100 Subject: [PATCH 056/254] LDAP auth: do not blindly assume groups have a 2-letter naming attribute Instead, strip away everything before (and including) the '=' sign of ther RDN. --- radicale/auth/ldap.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 25da242c..40f0ef09 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -142,7 +142,9 @@ class Auth(auth.BaseAuth): if self._ldap_load_groups: tmp = [] for g in user_entry[1]['memberOf']: - tmp.append(g.decode('utf-8').split(',')[0][3:]) + """Get group g's RDN's attribute value""" + g = g.decode('utf-8').split(',')[0] + tmp.append(g.partition('=')[2]) self._ldap_groups = set(tmp) logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups)) conn.unbind() @@ -205,7 +207,9 @@ class Auth(auth.BaseAuth): if self._ldap_load_groups: tmp = [] for g in user_entry['attributes']['memberOf']: - tmp.append(g.split(',')[0][3:]) + """Get group g's RDN's attribute value""" + g = g.split(',')[0] + tmp.append(g.partition('=')[2]) self._ldap_groups = set(tmp) logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups)) conn.unbind() From 99f5ec389d3f4ca01d3c50f97c629977168497f4 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 08:05:42 +0100 Subject: [PATCH 057/254] LDAP auth: indroduce config option 'ldap_user_attribute' This option gives us - flexible authentication options where the name used for logging on does not have to be the account name e.g. use ldap_filter = (&(obhjectclass=inetOrgperson)(|(cn={0]})(mail={0}))) to allow loginng on using the cn or the mail address - automatically consistent / canonicalized username values (i.e. exactly the way the LDAP server returns them) --- DOCUMENTATION.md | 6 ++++++ config | 3 +++ radicale/auth/ldap.py | 42 +++++++++++++++++++++++++++++++++--------- radicale/config.py | 4 ++++ 4 files changed, 46 insertions(+), 9 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index f590a294..e0dd6e39 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -901,6 +901,12 @@ The search filter to find the user DN to authenticate by the username. User '{0} Default: `(cn={0})` +#### ldap_user_attribute + +The LDAP attribute whose value shall be used as the user name after successful authentication + +Default: not set, i.e. the login name given is used directly. + ##### ldap_load_groups Load the ldap groups of the authenticated user. These groups can be used later on to define rights. This also gives you access to the group calendars, if they exist. diff --git a/config b/config index c34b9d28..38b845c3 100644 --- a/config +++ b/config @@ -83,6 +83,9 @@ # The filter to find the DN of the user. This filter must contain a python-style placeholder for the login #ldap_filter = (&(objectClass=person)(uid={0})) +# the attribute holding the value to be used as username after authentication +#ldap_user_attribute = cn + # Use ssl on the ldap connection #ldap_use_ssl = False diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 40f0ef09..ee256fed 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -17,13 +17,14 @@ """ Authentication backend that checks credentials with a LDAP server. Following parameters are needed in the configuration: - ldap_uri The LDAP URL to the server like ldap://localhost - ldap_base The baseDN of the LDAP server - ldap_reader_dn The DN of a LDAP user with read access to get the user accounts - ldap_secret The password of the ldap_reader_dn - ldap_secret_file The path of the file containing the password of the ldap_reader_dn - ldap_filter The search filter to find the user to authenticate by the username - ldap_load_groups If the groups of the authenticated users need to be loaded + ldap_uri The LDAP URL to the server like ldap://localhost + ldap_base The baseDN of the LDAP server + ldap_reader_dn The DN of a LDAP user with read access to get the user accounts + ldap_secret The password of the ldap_reader_dn + ldap_secret_file The path of the file containing the password of the ldap_reader_dn + ldap_filter The search filter to find the user to authenticate by the username + ldap_user_attribute The attribute to be used as username after authentication + ldap_load_groups If the groups of the authenticated users need to be loaded Following parameters controls SSL connections: ldap_use_ssl If the connection ldap_ssl_verify_mode The certificate verification mode. NONE, OPTIONAL, default is REQUIRED @@ -42,6 +43,7 @@ class Auth(auth.BaseAuth): _ldap_reader_dn: str _ldap_secret: str _ldap_filter: str + _ldap_user_attr: str _ldap_load_groups: bool _ldap_module_version: int = 3 _ldap_use_ssl: bool = False @@ -66,6 +68,7 @@ class Auth(auth.BaseAuth): self._ldap_load_groups = configuration.get("auth", "ldap_load_groups") self._ldap_secret = configuration.get("auth", "ldap_secret") self._ldap_filter = configuration.get("auth", "ldap_filter") + self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute") ldap_secret_file_path = configuration.get("auth", "ldap_secret_file") if ldap_secret_file_path: with open(ldap_secret_file_path, 'r') as file: @@ -84,6 +87,10 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_reader_dn : %r" % self._ldap_reader_dn) logger.info("auth.ldap_load_groups : %s" % self._ldap_load_groups) logger.info("auth.ldap_filter : %r" % self._ldap_filter) + if self._ldap_user_attr: + logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr) + else: + logger.info("auth.ldap_user_attribute : (not provided)") if ldap_secret_file_path: logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path) if self._ldap_secret: @@ -114,11 +121,15 @@ class Auth(auth.BaseAuth): """Search for the dn of user to authenticate""" escaped_login = self.ldap.filter.escape_filter_chars(login) logger.debug(f"_login2 login escaped for LDAP filters: {escaped_login}") + attrs = ['memberof'] + if self._ldap_user_attr: + attrs = ['memberOf', self._ldap_user_attr] + logger.debug(f"_login2 attrs: {attrs}") res = conn.search_s( self._ldap_base, self.ldap.SCOPE_SUBTREE, filterstr=self._ldap_filter.format(escaped_login), - attrlist=['memberOf'] + attrlist=attrs ) if len(res) != 1: """User could not be found unambiguously""" @@ -147,6 +158,11 @@ class Auth(auth.BaseAuth): tmp.append(g.partition('=')[2]) self._ldap_groups = set(tmp) logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups)) + if self._ldap_user_attr: + if user_entry[1][self._ldap_user_attr]: + tmplogin = user_entry[1][self._ldap_user_attr][0] + login = tmplogin.decode('utf-8') + logger.debug(f"_login2 user set to: '{login}'") conn.unbind() logger.debug(f"_login2 {login} successfully authenticated") return login @@ -182,11 +198,15 @@ class Auth(auth.BaseAuth): """Search the user dn""" escaped_login = self.ldap3.utils.conv.escape_filter_chars(login) logger.debug(f"_login3 login escaped for LDAP filters: {escaped_login}") + attrs = ['memberof'] + if self._ldap_user_attr: + attrs = ['memberOf', self._ldap_user_attr] + logger.debug(f"_login3 attrs: {attrs}") conn.search( search_base=self._ldap_base, search_filter=self._ldap_filter.format(escaped_login), search_scope=self.ldap3.SUBTREE, - attributes=['memberOf'] + attributes=attrs ) if len(conn.entries) != 1: """User could not be found unambiguously""" @@ -212,6 +232,10 @@ class Auth(auth.BaseAuth): tmp.append(g.partition('=')[2]) self._ldap_groups = set(tmp) logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups)) + if self._ldap_user_attr: + if user_entry['attributes'][self._ldap_user_attr]: + login = user_entry['attributes'][self._ldap_user_attr][0] + logger.debug(f"_login3 user set to: '{login}'") conn.unbind() logger.debug(f"_login3 {login} successfully authenticated") return login diff --git a/radicale/config.py b/radicale/config.py index 0ac5970c..7a085f71 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -227,6 +227,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "(cn={0})", "help": "the search filter to find the user DN to authenticate by the username", "type": str}), + ("ldap_user_attribute", { + "value": "", + "help": "the attribute to be used as username after authentication", + "type": str}), ("ldap_load_groups", { "value": "False", "help": "load the ldap groups of the authenticated user", From 532fad9ba6a6f8845c3f5efa5a87c6936111d419 Mon Sep 17 00:00:00 2001 From: Jack Wilsdon Date: Thu, 2 Jan 2025 12:18:53 +0000 Subject: [PATCH 058/254] Fix test failing on systems without IPv6 support --- radicale/tests/test_server.py | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/radicale/tests/test_server.py b/radicale/tests/test_server.py index ecc493a4..b344dddf 100644 --- a/radicale/tests/test_server.py +++ b/radicale/tests/test_server.py @@ -141,13 +141,19 @@ class TestBaseServerRequests(BaseTest): def test_bind_fail(self) -> None: for address_family, address in [(socket.AF_INET, "::1"), (socket.AF_INET6, "127.0.0.1")]: - with socket.socket(address_family, socket.SOCK_STREAM) as sock: - if address_family == socket.AF_INET6: - # Only allow IPv6 connections to the IPv6 socket - sock.setsockopt(server.COMPAT_IPPROTO_IPV6, - socket.IPV6_V6ONLY, 1) - with pytest.raises(OSError) as exc_info: - sock.bind((address, 0)) + try: + with socket.socket(address_family, socket.SOCK_STREAM) as sock: + if address_family == socket.AF_INET6: + # Only allow IPv6 connections to the IPv6 socket + sock.setsockopt(server.COMPAT_IPPROTO_IPV6, + socket.IPV6_V6ONLY, 1) + with pytest.raises(OSError) as exc_info: + sock.bind((address, 0)) + except OSError as e: + if e.errno in (errno.EADDRNOTAVAIL, errno.EAFNOSUPPORT, + errno.EPROTONOSUPPORT): + continue + raise # See ``radicale.server.serve`` assert (isinstance(exc_info.value, socket.gaierror) and exc_info.value.errno in ( From 0d43a49ffb0ee4a65e630ca8ad6a7a6b8fc7c1a7 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 2 Jan 2025 22:33:54 +0100 Subject: [PATCH 059/254] add variable sleep to have a constant execution time on failed login --- radicale/auth/__init__.py | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index c1c7e884..eb620e29 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -60,6 +60,8 @@ class BaseAuth: _lc_username: bool _uc_username: bool _strip_domain: bool + _auth_delay: float + _failed_auth_delay: float _type: str _cache_logins: bool _cache_successful: dict # login -> (digest, time_ns) @@ -86,6 +88,9 @@ class BaseAuth: logger.info("auth.uc_username: %s", self._uc_username) if self._lc_username is True and self._uc_username is True: raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") + self._auth_delay = configuration.get("auth", "delay") + logger.info("auth.delay: %f", self._auth_delay) + self._failed_auth_delay = self._auth_delay # cache_successful_logins self._cache_logins = configuration.get("auth", "cache_logins") self._type = configuration.get("auth", "type") @@ -142,8 +147,22 @@ class BaseAuth: raise NotImplementedError + def _sleep(self, time_ns_begin): + """Sleep some time to reach a constant execution time finally + Increase final execution time in case initial limit exceeded + """ + time_delta = (time.time_ns() - time_ns_begin) / 1000 / 1000 / 1000 + if time_delta > self._failed_auth_delay: + logger.debug("Increase failed auth_delay %.3f -> %.3f seconds", self._failed_auth_delay, time_delta) + with self._lock: + self._failed_auth_delay = time_delta + sleep = self._failed_auth_delay - time_delta + logger.debug("Sleeping %.3f seconds", sleep) + time.sleep(sleep) + @final def login(self, login: str, password: str) -> Tuple[str, str]: + time_ns_begin = time.time_ns() result_from_cache = False if self._lc_username: login = login.lower() @@ -183,6 +202,7 @@ class BaseAuth: (time_ns_cache, login_cache) = self._cache_failed[digest] age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login_cache, age_failed) + self._sleep(time_ns_begin) return ("", self._type + " / cached") if self._cache_successful.get(login): # login found in cache "successful" @@ -228,8 +248,16 @@ class BaseAuth: self._lock.release() logger.debug("Login failed cache for user set: '%s'", login) if result_from_cache is True: + if result == "": + self._sleep(time_ns_begin) return (result, self._type + " / cached") else: + if result == "": + self._sleep(time_ns_begin) return (result, self._type) else: - return (self._login(login, password), self._type) + # self._cache_logins is False + result = self._login(login, password) + if result == "": + self._sleep(time_ns_begin) + return (result, self._type) From cf914450ee08ddaf19005e22f62cc8f409526323 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 07:02:29 +0100 Subject: [PATCH 060/254] remove obsolete code and comment as constant execution time is now done by __init__.py --- radicale/auth/htpasswd.py | 9 --------- 1 file changed, 9 deletions(-) diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py index 842481fd..8d007cb8 100644 --- a/radicale/auth/htpasswd.py +++ b/radicale/auth/htpasswd.py @@ -252,13 +252,6 @@ class Auth(auth.BaseAuth): Optional: the content of the file is cached and live updates will be detected by comparing mtime_ns and size - TODO: improve against timing attacks - see also issue 591 - but also do not delay that much - see also issue 1466 - - As several hash methods are supported which have different speed a time based gap would be required - """ login_ok = False digest: str @@ -299,7 +292,5 @@ class Auth(auth.BaseAuth): else: logger.debug("Login verification failed for user: '%s' ( method '%s')", login, method) else: - # dummy delay - (method, password_ok) = self._plain(str(time.time_ns()), password) logger.debug("Login verification user not found: '%s'", login) return "" From 5a00baab3f17a4e5355a10061b00c1e5d07e6e6b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 07:11:51 +0100 Subject: [PATCH 061/254] cosmetics --- radicale/app/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/__init__.py b/radicale/app/__init__.py index eabac455..7f8301f2 100644 --- a/radicale/app/__init__.py +++ b/radicale/app/__init__.py @@ -269,7 +269,7 @@ class Application(ApplicationPartDelete, ApplicationPartHead, # Random delay to avoid timing oracles and bruteforce attacks if self._auth_delay > 0: random_delay = self._auth_delay * (0.5 + random.random()) - logger.debug("Sleeping %.3f seconds", random_delay) + logger.debug("Failed login, sleeping random: %.3f sec", random_delay) time.sleep(random_delay) if user and not pathutils.is_safe_path_component(user): From a9f2e6fe7b57ca51a1a48d4eb5775c56eedfe812 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 07:14:32 +0100 Subject: [PATCH 062/254] improve code/adjustments --- radicale/auth/__init__.py | 43 ++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index eb620e29..a0974296 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -90,7 +90,7 @@ class BaseAuth: raise RuntimeError("auth.lc_username and auth.uc_username cannot be enabled together") self._auth_delay = configuration.get("auth", "delay") logger.info("auth.delay: %f", self._auth_delay) - self._failed_auth_delay = self._auth_delay + self._failed_auth_delay = 0 # cache_successful_logins self._cache_logins = configuration.get("auth", "cache_logins") self._type = configuration.get("auth", "type") @@ -147,18 +147,33 @@ class BaseAuth: raise NotImplementedError - def _sleep(self, time_ns_begin): - """Sleep some time to reach a constant execution time finally + def _sleep_for_constant_exec_time(self, time_ns_begin): + """Sleep some time to reach a constant execution time for failed logins + + Independent of time required by external backend or used digest methods + Increase final execution time in case initial limit exceeded + + See also issue 591 + """ time_delta = (time.time_ns() - time_ns_begin) / 1000 / 1000 / 1000 - if time_delta > self._failed_auth_delay: - logger.debug("Increase failed auth_delay %.3f -> %.3f seconds", self._failed_auth_delay, time_delta) - with self._lock: - self._failed_auth_delay = time_delta - sleep = self._failed_auth_delay - time_delta - logger.debug("Sleeping %.3f seconds", sleep) - time.sleep(sleep) + with self._lock: + # avoid that another thread is changing global value at the same time + failed_auth_delay = self._failed_auth_delay + failed_auth_delay_old = failed_auth_delay + if time_delta > failed_auth_delay: + # set new + failed_auth_delay = time_delta + # store globally + self._failed_auth_delay = failed_auth_delay + if (failed_auth_delay_old != failed_auth_delay): + logger.debug("Failed login constant execution time need increase of failed_auth_delay: %.9f -> %.9f sec", failed_auth_delay_old, failed_auth_delay) + # sleep == 0 + else: + sleep = failed_auth_delay - time_delta + logger.debug("Failed login constant exection time alignment, sleeping: %.9f sec", sleep) + time.sleep(sleep) @final def login(self, login: str, password: str) -> Tuple[str, str]: @@ -202,7 +217,7 @@ class BaseAuth: (time_ns_cache, login_cache) = self._cache_failed[digest] age_failed = int((time_ns - time_ns_cache) / 1000 / 1000 / 1000) logger.debug("Login failed cache entry for user+password found: '%s' (age: %d sec)", login_cache, age_failed) - self._sleep(time_ns_begin) + self._sleep_for_constant_exec_time(time_ns_begin) return ("", self._type + " / cached") if self._cache_successful.get(login): # login found in cache "successful" @@ -249,15 +264,15 @@ class BaseAuth: logger.debug("Login failed cache for user set: '%s'", login) if result_from_cache is True: if result == "": - self._sleep(time_ns_begin) + self._sleep_for_constant_exec_time(time_ns_begin) return (result, self._type + " / cached") else: if result == "": - self._sleep(time_ns_begin) + self._sleep_for_constant_exec_time(time_ns_begin) return (result, self._type) else: # self._cache_logins is False result = self._login(login, password) if result == "": - self._sleep(time_ns_begin) + self._sleep_for_constant_exec_time(time_ns_begin) return (result, self._type) From 2442a794ae8aebae10ae1e7d435dde58191e21e8 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 2 Jan 2025 23:17:34 +0100 Subject: [PATCH 063/254] tox fixes --- radicale/auth/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index a0974296..b30a3c79 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -91,6 +91,7 @@ class BaseAuth: self._auth_delay = configuration.get("auth", "delay") logger.info("auth.delay: %f", self._auth_delay) self._failed_auth_delay = 0 + self._lock = threading.Lock() # cache_successful_logins self._cache_logins = configuration.get("auth", "cache_logins") self._type = configuration.get("auth", "type") @@ -112,7 +113,6 @@ class BaseAuth: self._cache_successful = dict() self._cache_failed = dict() self._cache_failed_logins_salt_ns = time.time_ns() - self._lock = threading.Lock() def _cache_digest(self, login: str, password: str, salt: str) -> str: h = hashlib.sha3_512() @@ -147,7 +147,7 @@ class BaseAuth: raise NotImplementedError - def _sleep_for_constant_exec_time(self, time_ns_begin): + def _sleep_for_constant_exec_time(self, time_ns_begin: int): """Sleep some time to reach a constant execution time for failed logins Independent of time required by external backend or used digest methods From ad94acddf1d7131f29d3fed02c50f006adff23f8 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 2 Jan 2025 23:19:58 +0100 Subject: [PATCH 064/254] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bade4998..53978fd0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ * Add: option [auth] htpasswd_cache to automatic re-read triggered on change (mtime or size) instead reading on each request * Improve: [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file * Improve: [auth] successful/failed login logs now type and whether result was taken from cache +* Improve: [auth] constant execution time for failed logins independent of external backend or by htpasswd used digest method ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From b1220020778d2f27df3554222345cac9e5cb2ccc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 00:41:26 +0100 Subject: [PATCH 065/254] drop support of python 3.8, fixes https://github.com/Kozea/Radicale/issues/1628 --- .github/workflows/test.yml | 4 +--- DOCUMENTATION.md | 2 +- pyproject.toml | 3 +-- setup.py.legacy | 3 +-- 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8339a975..82ac574f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -6,10 +6,8 @@ jobs: strategy: matrix: os: [ubuntu-latest, macos-latest, windows-latest] - python-version: ['3.8', '3.9', '3.10', '3.11', '3.12.3', '3.13.0', pypy-3.9] + python-version: ['3.9', '3.10', '3.11', '3.12.3', '3.13.0', pypy-3.9] exclude: - - os: windows-latest - python-version: pypy-3.8 - os: windows-latest python-version: pypy-3.9 runs-on: ${{ matrix.os }} diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 8f166e6e..1a3ba9b4 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -55,7 +55,7 @@ Follow one of the chapters below depending on your operating system. #### Linux / \*BSD -First, make sure that **python** 3.8 or later and **pip** are installed. On most distributions it should be +First, make sure that **python** 3.9 or later and **pip** are installed. On most distributions it should be enough to install the package ``python3-pip``. Then open a console and type: diff --git a/pyproject.toml b/pyproject.toml index d01e3967..15af7e1a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -17,7 +17,6 @@ classifiers = [ "License :: OSI Approved :: GNU General Public License (GPL)", "Operating System :: OS Independent", "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", @@ -28,7 +27,7 @@ classifiers = [ "Topic :: Office/Business :: Groupware", ] urls = {Homepage = "https://radicale.org/"} -requires-python = ">=3.8.0" +requires-python = ">=3.9.0" dependencies = [ "defusedxml", "passlib", diff --git a/setup.py.legacy b/setup.py.legacy index 52d74dda..c1cbe249 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -61,7 +61,7 @@ setup( install_requires=install_requires, extras_require={"test": test_requires, "bcrypt": bcrypt_requires, "ldap": ldap_requires}, keywords=["calendar", "addressbook", "CalDAV", "CardDAV"], - python_requires=">=3.8.0", + python_requires=">=3.9.0", classifiers=[ "Development Status :: 5 - Production/Stable", "Environment :: Console", @@ -71,7 +71,6 @@ setup( "License :: OSI Approved :: GNU General Public License (GPL)", "Operating System :: OS Independent", "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.8", "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", From 976dfe4a3fcc71afb5de10cf50df5f89eb4a5837 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 00:42:08 +0100 Subject: [PATCH 066/254] drop Python 3.8 changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 53978fd0..bbed6051 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ * Improve: [auth] htpasswd: module 'bcrypt' is no longer mandatory in case digest method not used in file * Improve: [auth] successful/failed login logs now type and whether result was taken from cache * Improve: [auth] constant execution time for failed logins independent of external backend or by htpasswd used digest method +* Drop: support for Python 3.8 ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 73f8f950d057166e7111508be1c5f802c7a2a37a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 07:19:01 +0100 Subject: [PATCH 067/254] add content from https://github.com/Kozea/Radicale/pull/1073 --- DOCUMENTATION.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index e0dd6e39..b9e46bcf 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1272,7 +1272,8 @@ Default: 10000 Radicale has been tested with: * [Android](https://android.com/) with - [DAVx⁵](https://www.davx5.com/) (formerly DAVdroid) + [DAVx⁵](https://www.davx5.com/) (formerly DAVdroid), +* [OneCalendar](https://www.onecalendar.nl/) * [GNOME Calendar](https://wiki.gnome.org/Apps/Calendar), [Contacts](https://wiki.gnome.org/Apps/Contacts) and [Evolution](https://wiki.gnome.org/Apps/Evolution) @@ -1303,6 +1304,13 @@ Enter the URL of the Radicale server (e.g. `http://localhost:5232`) and your username. DAVx⁵ will show all existing calendars and address books and you can create new. +#### OneCalendar + +When adding account, select CalDAV account type, then enter user name, password and the +Radicale server (e.g. `https://yourdomain:5232`). OneCalendar will show all +existing calendars and (FIXME: address books), you need to select which ones +you want to see. OneCalendar supports many other server types too. + #### GNOME Calendar, Contacts GNOME 46 added CalDAV and CardDAV support to _GNOME Online Accounts_. From c81e19616cb4d04b9915745cacdc7cc365631cd2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 09:14:01 +0100 Subject: [PATCH 068/254] bump dev version --- CHANGELOG.md | 2 +- pyproject.toml | 2 +- setup.py.legacy | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bbed6051..ee5e8787 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## 3.3.4.dev +## 3.4.0.dev * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins * Improve: [auth] log used hash method and result on debug for htpasswd authentication * Improve: [auth] htpasswd file now read and verified on start diff --git a/pyproject.toml b/pyproject.toml index 15af7e1a..31fecdc2 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.3.4.dev" +version = "3.4.0.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index c1cbe249..d61c374d 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.3.4.dev" +VERSION = "3.4.0.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 841df093120fb6a5c49ebc2055cad5ac309e1fac Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 3 Jan 2025 09:16:22 +0100 Subject: [PATCH 069/254] changelog for https://github.com/Kozea/Radicale/pull/1666 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ee5e8787..18ec7df5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ * Improve: [auth] successful/failed login logs now type and whether result was taken from cache * Improve: [auth] constant execution time for failed logins independent of external backend or by htpasswd used digest method * Drop: support for Python 3.8 +* Add: option [auth] ldap_user_attribute ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 607b3af67b91bcfc8e340cf17ce6a0d38299d15d Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Wed, 1 Jan 2025 18:09:00 +0100 Subject: [PATCH 070/254] LDAP auth: calculate attributes to query in __init__() Remove code duplication by factoring out the calculation of the LDAP query attributes out of _login2() resp. _login3() into __init__(). --- radicale/auth/ldap.py | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index ee256fed..2290794b 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -43,6 +43,7 @@ class Auth(auth.BaseAuth): _ldap_reader_dn: str _ldap_secret: str _ldap_filter: str + _ldap_attributes: list[str] = ['memberOf'] _ldap_user_attr: str _ldap_load_groups: bool _ldap_module_version: int = 3 @@ -109,6 +110,10 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_ssl_ca_file : %r" % self._ldap_ssl_ca_file) else: logger.info("auth.ldap_ssl_ca_file : (not provided)") + """Extend attributes to to be returned in the user query""" + if self._ldap_user_attr: + self._ldap_attributes.append(self._ldap_user_attr) + logger.info("ldap_attributes : %r" % self._ldap_attributes) def _login2(self, login: str, password: str) -> str: try: @@ -121,15 +126,11 @@ class Auth(auth.BaseAuth): """Search for the dn of user to authenticate""" escaped_login = self.ldap.filter.escape_filter_chars(login) logger.debug(f"_login2 login escaped for LDAP filters: {escaped_login}") - attrs = ['memberof'] - if self._ldap_user_attr: - attrs = ['memberOf', self._ldap_user_attr] - logger.debug(f"_login2 attrs: {attrs}") res = conn.search_s( self._ldap_base, self.ldap.SCOPE_SUBTREE, filterstr=self._ldap_filter.format(escaped_login), - attrlist=attrs + attrlist=self._ldap_attributes ) if len(res) != 1: """User could not be found unambiguously""" @@ -198,15 +199,11 @@ class Auth(auth.BaseAuth): """Search the user dn""" escaped_login = self.ldap3.utils.conv.escape_filter_chars(login) logger.debug(f"_login3 login escaped for LDAP filters: {escaped_login}") - attrs = ['memberof'] - if self._ldap_user_attr: - attrs = ['memberOf', self._ldap_user_attr] - logger.debug(f"_login3 attrs: {attrs}") conn.search( search_base=self._ldap_base, search_filter=self._ldap_filter.format(escaped_login), search_scope=self.ldap3.SUBTREE, - attributes=attrs + attributes=self._ldap_attributes ) if len(conn.entries) != 1: """User could not be found unambiguously""" From 1ca41e2128e792ee7644908c4c341b598f6a6fe2 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Sun, 29 Dec 2024 20:43:14 +0100 Subject: [PATCH 071/254] LDAP auth: only ask for memberOf if ldap_load_groups = True Ask for the 'memberOf' attribute to be returned in the user query only if 'ldap_load_groups' is set to True. This fixes the issue that currently LDAP authentication can only be used on LDAP servers that know this non-standard (it's an Active Directory extension) attribute. Other LDAP servers either do not necessarily have the group memberships stored in the user object (e.g. OpenLDAP), or use different attributes for this purpose (e.g. Novell eDirectory uses 'groupMembership') --- radicale/auth/ldap.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 2290794b..50b2768a 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -43,7 +43,7 @@ class Auth(auth.BaseAuth): _ldap_reader_dn: str _ldap_secret: str _ldap_filter: str - _ldap_attributes: list[str] = ['memberOf'] + _ldap_attributes: list[str] = [] _ldap_user_attr: str _ldap_load_groups: bool _ldap_module_version: int = 3 @@ -111,6 +111,8 @@ class Auth(auth.BaseAuth): else: logger.info("auth.ldap_ssl_ca_file : (not provided)") """Extend attributes to to be returned in the user query""" + if self._ldap_load_groups: + self._ldap_attributes.append('memberOf') if self._ldap_user_attr: self._ldap_attributes.append(self._ldap_user_attr) logger.info("ldap_attributes : %r" % self._ldap_attributes) From 6c1445d8db794897241bf23b5e9a81b04d4cf53a Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Wed, 1 Jan 2025 20:41:55 +0100 Subject: [PATCH 072/254] LDAP auth: introduce config option 'ldap_groups_attribute' This attribute is supposed to hold the group membership information if the config option 'ldap_load_groups' is True. If not given, it defaults to 'memberOf' for Active Directory. Introducing this options allows one to use radicale's LDAP auth with groups even on LDAP servers that keep their group memberships in a different attribute than 'memberOf', e.g. Novell eDirectory which uses 'groupMembership'. --- DOCUMENTATION.md | 6 ++++++ config | 3 +++ radicale/auth/ldap.py | 10 +++++++--- radicale/config.py | 4 ++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 7c02cc58..cbca8899 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -941,6 +941,12 @@ Load the ldap groups of the authenticated user. These groups can be used later o Default: False +##### ldap_groups_attribute + +The LDAP attribute to read the group memberships from in the user's LDAP entry if `ldap_load_groups` is True. + +Default: `memberOf` + ##### ldap_use_ssl Use ssl on the ldap connection diff --git a/config b/config index ef7263a0..64fd0f9f 100644 --- a/config +++ b/config @@ -89,6 +89,9 @@ # If the ldap groups of the user need to be loaded #ldap_load_groups = True +# the attribute to read the group memberships from in the user's LDAP entry if ldap_load_groups is True. +#ldap_groups_attribute = memberOf + # The filter to find the DN of the user. This filter must contain a python-style placeholder for the login #ldap_filter = (&(objectClass=person)(uid={0})) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 50b2768a..4d576ef2 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -24,6 +24,7 @@ Following parameters are needed in the configuration: ldap_secret_file The path of the file containing the password of the ldap_reader_dn ldap_filter The search filter to find the user to authenticate by the username ldap_user_attribute The attribute to be used as username after authentication + ldap_groups_attribute The attribute containing group memberships in the LDAP user entry ldap_load_groups If the groups of the authenticated users need to be loaded Following parameters controls SSL connections: ldap_use_ssl If the connection @@ -46,6 +47,7 @@ class Auth(auth.BaseAuth): _ldap_attributes: list[str] = [] _ldap_user_attr: str _ldap_load_groups: bool + _ldap_groups_attr: str = "memberOf" _ldap_module_version: int = 3 _ldap_use_ssl: bool = False _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED @@ -70,6 +72,7 @@ class Auth(auth.BaseAuth): self._ldap_secret = configuration.get("auth", "ldap_secret") self._ldap_filter = configuration.get("auth", "ldap_filter") self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute") + self._ldap_groups_attr = configuration.get("auth", "ldap_groups_attribute") ldap_secret_file_path = configuration.get("auth", "ldap_secret_file") if ldap_secret_file_path: with open(ldap_secret_file_path, 'r') as file: @@ -92,6 +95,7 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr) else: logger.info("auth.ldap_user_attribute : (not provided)") + logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr) if ldap_secret_file_path: logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path) if self._ldap_secret: @@ -112,7 +116,7 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_ssl_ca_file : (not provided)") """Extend attributes to to be returned in the user query""" if self._ldap_load_groups: - self._ldap_attributes.append('memberOf') + self._ldap_attributes.append(self._ldap_groups_attr) if self._ldap_user_attr: self._ldap_attributes.append(self._ldap_user_attr) logger.info("ldap_attributes : %r" % self._ldap_attributes) @@ -155,7 +159,7 @@ class Auth(auth.BaseAuth): tmp: list[str] = [] if self._ldap_load_groups: tmp = [] - for g in user_entry[1]['memberOf']: + for g in user_entry[1][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" g = g.decode('utf-8').split(',')[0] tmp.append(g.partition('=')[2]) @@ -225,7 +229,7 @@ class Auth(auth.BaseAuth): tmp: list[str] = [] if self._ldap_load_groups: tmp = [] - for g in user_entry['attributes']['memberOf']: + for g in user_entry['attributes'][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" g = g.split(',')[0] tmp.append(g.partition('=')[2]) diff --git a/radicale/config.py b/radicale/config.py index 3af6c807..6b3205d1 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -251,6 +251,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "load the ldap groups of the authenticated user", "type": bool}), + ("ldap_groups_attribute", { + "value": "memberOf", + "help": "attribute to read the group memberships from", + "type": str}), ("ldap_use_ssl", { "value": "False", "help": "Use ssl on the ldap connection", From f9dd3efc3ac9b21128c5e34d9abd07b4455be0af Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Wed, 1 Jan 2025 20:52:55 +0100 Subject: [PATCH 073/254] LDAP auth: remove config option 'ldap_load_groups' The same effect can be achieved using the option 'ldap_groups_attribute' alone, if it's default becomes unset instead of 'memberOf' Benefit: one config option less to deal with. While at it, also fix header level for 'ldap_user_attribute' in documentation. --- DOCUMENTATION.md | 24 ++++++++++++------------ config | 5 +---- radicale/auth/ldap.py | 17 ++++++++--------- radicale/config.py | 6 +----- 4 files changed, 22 insertions(+), 30 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index cbca8899..8bc2554e 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -926,26 +926,26 @@ The search filter to find the user DN to authenticate by the username. User '{0} Default: `(cn={0})` -#### ldap_user_attribute +##### ldap_user_attribute The LDAP attribute whose value shall be used as the user name after successful authentication Default: not set, i.e. the login name given is used directly. -##### ldap_load_groups - -Load the ldap groups of the authenticated user. These groups can be used later on to define rights. This also gives you access to the group calendars, if they exist. -* The group calendar will be placed under collection_root_folder/GROUPS -* The name of the calendar directory is the base64 encoded group name. -* The group calendar folders will not be created automaticaly. This must be created manually. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication - -Default: False - ##### ldap_groups_attribute -The LDAP attribute to read the group memberships from in the user's LDAP entry if `ldap_load_groups` is True. +The LDAP attribute to read the group memberships from in the authenticated user's LDAP entry. -Default: `memberOf` +If set, load the LDAP group memberships from the attribute given +These memberships can be used later on to define rights. +This also gives you access to the group calendars, if they exist. +* The group calendar will be placed under collection_root_folder/GROUPS +* The name of the calendar directory is the base64 encoded group name. +* The group calendar folders will not be created automatically. This must be done manually. In the [LDAP-authentication section of Radicale's wiki](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create a group calendar. + +Use 'memberOf' if you want to load groups on Active Directory and alikes, 'groupMembership' on Novell eDirectory, ... + +Default: unset ##### ldap_use_ssl diff --git a/config b/config index 64fd0f9f..dc2dc551 100644 --- a/config +++ b/config @@ -86,10 +86,7 @@ # Path of the file containing password of the reader DN #ldap_secret_file = /run/secrets/ldap_password -# If the ldap groups of the user need to be loaded -#ldap_load_groups = True - -# the attribute to read the group memberships from in the user's LDAP entry if ldap_load_groups is True. +# the attribute to read the group memberships from in the user's LDAP entry (default: not set) #ldap_groups_attribute = memberOf # The filter to find the DN of the user. This filter must contain a python-style placeholder for the login diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index 4d576ef2..cdba9f12 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -25,7 +25,6 @@ Following parameters are needed in the configuration: ldap_filter The search filter to find the user to authenticate by the username ldap_user_attribute The attribute to be used as username after authentication ldap_groups_attribute The attribute containing group memberships in the LDAP user entry - ldap_load_groups If the groups of the authenticated users need to be loaded Following parameters controls SSL connections: ldap_use_ssl If the connection ldap_ssl_verify_mode The certificate verification mode. NONE, OPTIONAL, default is REQUIRED @@ -46,8 +45,7 @@ class Auth(auth.BaseAuth): _ldap_filter: str _ldap_attributes: list[str] = [] _ldap_user_attr: str - _ldap_load_groups: bool - _ldap_groups_attr: str = "memberOf" + _ldap_groups_attr: str _ldap_module_version: int = 3 _ldap_use_ssl: bool = False _ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED @@ -68,7 +66,6 @@ class Auth(auth.BaseAuth): self._ldap_uri = configuration.get("auth", "ldap_uri") self._ldap_base = configuration.get("auth", "ldap_base") self._ldap_reader_dn = configuration.get("auth", "ldap_reader_dn") - self._ldap_load_groups = configuration.get("auth", "ldap_load_groups") self._ldap_secret = configuration.get("auth", "ldap_secret") self._ldap_filter = configuration.get("auth", "ldap_filter") self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute") @@ -89,13 +86,15 @@ class Auth(auth.BaseAuth): logger.info("auth.ldap_uri : %r" % self._ldap_uri) logger.info("auth.ldap_base : %r" % self._ldap_base) logger.info("auth.ldap_reader_dn : %r" % self._ldap_reader_dn) - logger.info("auth.ldap_load_groups : %s" % self._ldap_load_groups) logger.info("auth.ldap_filter : %r" % self._ldap_filter) if self._ldap_user_attr: logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr) else: logger.info("auth.ldap_user_attribute : (not provided)") - logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr) + if self._ldap_groups_attr: + logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr) + else: + logger.info("auth.ldap_groups_attribute: (not provided)") if ldap_secret_file_path: logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path) if self._ldap_secret: @@ -115,7 +114,7 @@ class Auth(auth.BaseAuth): else: logger.info("auth.ldap_ssl_ca_file : (not provided)") """Extend attributes to to be returned in the user query""" - if self._ldap_load_groups: + if self._ldap_groups_attr: self._ldap_attributes.append(self._ldap_groups_attr) if self._ldap_user_attr: self._ldap_attributes.append(self._ldap_user_attr) @@ -157,7 +156,7 @@ class Auth(auth.BaseAuth): conn.set_option(self.ldap.OPT_REFERRALS, 0) conn.simple_bind_s(user_dn, password) tmp: list[str] = [] - if self._ldap_load_groups: + if self._ldap_groups_attr: tmp = [] for g in user_entry[1][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" @@ -227,7 +226,7 @@ class Auth(auth.BaseAuth): logger.debug(f"_login3 user '{login}' cannot be found") return "" tmp: list[str] = [] - if self._ldap_load_groups: + if self._ldap_groups_attr: tmp = [] for g in user_entry['attributes'][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" diff --git a/radicale/config.py b/radicale/config.py index 6b3205d1..ed294812 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -247,12 +247,8 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "", "help": "the attribute to be used as username after authentication", "type": str}), - ("ldap_load_groups", { - "value": "False", - "help": "load the ldap groups of the authenticated user", - "type": bool}), ("ldap_groups_attribute", { - "value": "memberOf", + "value": "", "help": "attribute to read the group memberships from", "type": str}), ("ldap_use_ssl", { From d6c4e6487aa79f071d216a8615cd97c9d6867117 Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Thu, 2 Jan 2025 14:23:15 +0100 Subject: [PATCH 074/254] LDAP auth: flexibilize parsing of 'ldap_groups_attribute' Use helper methods from the LDAP modules to get individual elements (like in our case the RDN value) out of attributes with DN syntax in a standard compliant way instead fiddling around ourselves. If these methods fail, fall back to using the whole attribute value, which allows us to also use attributes with non-DN syntax for groups and permissions. --- radicale/auth/ldap.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py index cdba9f12..a4c73808 100644 --- a/radicale/auth/ldap.py +++ b/radicale/auth/ldap.py @@ -160,8 +160,11 @@ class Auth(auth.BaseAuth): tmp = [] for g in user_entry[1][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" - g = g.decode('utf-8').split(',')[0] - tmp.append(g.partition('=')[2]) + try: + rdns = self.ldap.dn.explode_dn(g, notypes=True) + tmp.append(rdns[0]) + except Exception: + tmp.append(g.decode('utf8')) self._ldap_groups = set(tmp) logger.debug("_login2 LDAP groups of user: %s", ",".join(self._ldap_groups)) if self._ldap_user_attr: @@ -230,8 +233,11 @@ class Auth(auth.BaseAuth): tmp = [] for g in user_entry['attributes'][self._ldap_groups_attr]: """Get group g's RDN's attribute value""" - g = g.split(',')[0] - tmp.append(g.partition('=')[2]) + try: + rdns = self.ldap3.utils.dn.parse_dn(g) + tmp.append(rdns[0][1]) + except Exception: + tmp.append(g) self._ldap_groups = set(tmp) logger.debug("_login3 LDAP groups of user: %s", ",".join(self._ldap_groups)) if self._ldap_user_attr: From 5ebaf4ef1cf1bef9c265f79c485e6d512b325d5d Mon Sep 17 00:00:00 2001 From: Peter Marschall Date: Fri, 3 Jan 2025 21:56:25 +0100 Subject: [PATCH 075/254] changelog for https://github.com/Kozea/Radicale/pull/1669 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 18ec7df5..75ee148a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ * Improve: [auth] constant execution time for failed logins independent of external backend or by htpasswd used digest method * Drop: support for Python 3.8 * Add: option [auth] ldap_user_attribute +* Add: option [auth] ldap_groups_attribute as a more flexible replacement of removed ldap_load_groups ## 3.3.3 * Add: display mtime_ns precision of storage folder with condition warning if too less From 8172b8707749ab137455fe3d101206ffa15d7c64 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 9 Jan 2025 20:06:57 +0100 Subject: [PATCH 076/254] 3.4.0 --- CHANGELOG.md | 2 +- pyproject.toml | 2 +- setup.py.legacy | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 75ee148a..f4e3d890 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## 3.4.0.dev +## 3.4.0 * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins * Improve: [auth] log used hash method and result on debug for htpasswd authentication * Improve: [auth] htpasswd file now read and verified on start diff --git a/pyproject.toml b/pyproject.toml index 31fecdc2..3193379d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.4.0.dev" +version = "3.4.0" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index d61c374d..ff0a5e7d 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.4.0.dev" +VERSION = "3.4.0" with open("README.md", encoding="utf-8") as f: long_description = f.read() From be64e57ae880acc3a14273ed3db2e42a2ec2dee3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 9 Jan 2025 22:50:51 +0100 Subject: [PATCH 077/254] fix topic level --- DOCUMENTATION.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 8bc2554e..32f659cb 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1267,20 +1267,20 @@ Available types: Default: `none` -#### rabbitmq_endpoint +##### rabbitmq_endpoint End-point address for rabbitmq server. Ex: amqp://user:password@localhost:5672/ Default: -#### rabbitmq_topic +##### rabbitmq_topic RabbitMQ topic to publish message. Default: -#### rabbitmq_queue_type +##### rabbitmq_queue_type RabbitMQ queue type for the topic. From 1634ce94988aca1412fe06dd93ae4d3ee8739e0c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 9 Jan 2025 23:08:01 +0100 Subject: [PATCH 078/254] add note about install --- DOCUMENTATION.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 32f659cb..a08dc2cc 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -20,7 +20,7 @@ Radicale is a small but powerful CalDAV (calendars, to-do lists) and CardDAV #### Installation -Radicale is really easy to install and works out-of-the-box. +Radicale is really easy to install (for testing purposes) and works out-of-the-box. ```bash python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz @@ -33,6 +33,8 @@ You can login with any username and password. Want more? Check the [tutorials](#tutorials) and the [documentation](#documentation-1). +Instead of downloading from PyPI look for packages provided by used distribution (#linux-distribution-packages), they contain also startup scripts to run daemonized. + #### What's New? Read the From 08a35b19c8b6e378d582f6403c78b914e97a743f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 10 Jan 2025 07:21:26 +0100 Subject: [PATCH 079/254] doc bugfix --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index a08dc2cc..969f8235 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -33,7 +33,7 @@ You can login with any username and password. Want more? Check the [tutorials](#tutorials) and the [documentation](#documentation-1). -Instead of downloading from PyPI look for packages provided by used distribution (#linux-distribution-packages), they contain also startup scripts to run daemonized. +Instead of downloading from PyPI look for packages provided by used [distribution](#linux-distribution-packages), they contain also startup scripts to run daemonized. #### What's New? From 1c77fd819f4a502922c940b4b514bbd2ebde5b10 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 12 Jan 2025 06:09:45 +0100 Subject: [PATCH 080/254] add missing dovecot option --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index dc2dc551..ee187339 100644 --- a/config +++ b/config @@ -59,7 +59,7 @@ [auth] # Authentication method -# Value: none | htpasswd | remote_user | http_x_remote_user | ldap | denyall +# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | denyall #type = none # Cache logins for until expiration time From 3f04914de49ee052bf868a6c118c126d03612149 Mon Sep 17 00:00:00 2001 From: HmBMvXXiSivMcLGFWoqc <> Date: Mon, 13 Jan 2025 23:10:18 -0800 Subject: [PATCH 081/254] Add support for Dovecot auth over network --- radicale/auth/__init__.py | 2 ++ radicale/auth/dovecot.py | 21 ++++++++++++++++----- radicale/config.py | 15 ++++++++++++++- 3 files changed, 32 insertions(+), 6 deletions(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index b30a3c79..8bc8ffad 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -43,6 +43,8 @@ INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user", "ldap", "dovecot") +AUTH_SOCKET_FAMILY: Sequence[str] = ("AF_UNIX", "AF_INET", "AF_INET6") + def load(configuration: "config.Configuration") -> "BaseAuth": """Load the authentication module chosen in configuration.""" diff --git a/radicale/auth/dovecot.py b/radicale/auth/dovecot.py index ce2353a0..340253c1 100644 --- a/radicale/auth/dovecot.py +++ b/radicale/auth/dovecot.py @@ -28,10 +28,21 @@ from radicale.log import logger class Auth(auth.BaseAuth): def __init__(self, configuration): super().__init__(configuration) - self.socket = configuration.get("auth", "dovecot_socket") self.timeout = 5 self.request_id_gen = itertools.count(1) + config_family = configuration.get("auth", "dovecot_connection_type") + if config_family == "AF_UNIX": + self.family = socket.AF_UNIX + self.address = configuration.get("auth", "dovecot_socket") + return + + self.address = configuration.get("auth", "dovecot_host"), configuration.get("auth", "dovecot_port") + if config_family == "AF_INET": + self.family = socket.AF_INET + else: + self.family = socket.AF_INET6 + def _login(self, login, password): """Validate credentials. @@ -49,12 +60,12 @@ class Auth(auth.BaseAuth): return "" with closing(socket.socket( - socket.AF_UNIX, + self.family, socket.SOCK_STREAM) ) as sock: try: sock.settimeout(self.timeout) - sock.connect(self.socket) + sock.connect(self.address) buf = bytes() supported_mechs = [] @@ -171,8 +182,8 @@ class Auth(auth.BaseAuth): except socket.error as e: logger.fatal( - "Failed to communicate with Dovecot socket %r: %s" % - (self.socket, e) + "Failed to communicate with Dovecot: %s" % + (e) ) return "" diff --git a/radicale/config.py b/radicale/config.py index ed294812..743fe926 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -207,10 +207,23 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "False", "help": "enable caching of htpasswd file", "type": bool}), + ("dovecot_connection_type", { + "value": "AF_UNIX", + "help": "Connection type for dovecot authentication", + "type": str_or_callable, + "internal": auth.AUTH_SOCKET_FAMILY}), ("dovecot_socket", { "value": "/var/run/dovecot/auth-client", - "help": "dovecot auth socket", + "help": "dovecot auth AF_UNIX socket", "type": str}), + ("dovecot_host", { + "value": "", + "help": "dovecot auth AF_INET or AF_INET6 host", + "type": str}), + ("dovecot_port", { + "value": "12345", + "help": "dovecot auth port", + "type": int}), ("realm", { "value": "Radicale - Password Required", "help": "message displayed when a password is needed", From dd9bb2beff1272324963d6e33dc748695d394165 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 14 Jan 2025 08:48:58 +0100 Subject: [PATCH 082/254] 3.4.1.dev --- CHANGELOG.md | 2 ++ pyproject.toml | 2 +- setup.py.legacy | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f4e3d890..7f8b21ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ # Changelog +## 3.4.1.dev + ## 3.4.0 * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins * Improve: [auth] log used hash method and result on debug for htpasswd authentication diff --git a/pyproject.toml b/pyproject.toml index 3193379d..c72edc8d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.4.0" +version = "3.4.1.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index ff0a5e7d..a5068002 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -1,7 +1,7 @@ # This file is part of Radicale - CalDAV and CardDAV server # Copyright © 2009-2017 Guillaume Ayoub # Copyright © 2017-2018 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.4.0" +VERSION = "3.4.1.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From ed6a5a834e46d7acb33871a5a1d7aeb50fc9ff85 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 14 Jan 2025 08:57:15 +0100 Subject: [PATCH 083/254] add proper default for dovecot_host --- radicale/config.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/config.py b/radicale/config.py index 743fe926..86970732 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -3,7 +3,7 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2017-2020 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -217,7 +217,7 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "help": "dovecot auth AF_UNIX socket", "type": str}), ("dovecot_host", { - "value": "", + "value": "localhost", "help": "dovecot auth AF_INET or AF_INET6 host", "type": str}), ("dovecot_port", { From a93af6f17794f9667ffe0ef1df97fa5f22036c2a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 14 Jan 2025 08:57:35 +0100 Subject: [PATCH 084/254] update changelog and doc and config for https://github.com/Kozea/Radicale/pull/1678 --- CHANGELOG.md | 1 + DOCUMENTATION.md | 22 +++++++++++++++++++++- config | 13 +++++++++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f8b21ad..f0b8cbc8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # Changelog ## 3.4.1.dev +* Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port ## 3.4.0 * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 969f8235..a68cc2c4 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -967,11 +967,31 @@ The path to the CA file in pem format which is used to certificate the server ce Default: +##### dovecot_connection_type = AF_UNIX + +Connection type for dovecot authentication (AF_UNIX|AF_INET|AF_INET6) + +Note: credentials are transmitted in cleartext + +Default: `AF_UNIX` + ##### dovecot_socket The path to the Dovecot client authentication socket (eg. /run/dovecot/auth-client on Fedora). Radicale must have read / write access to the socket. -Default: +Default: `/var/run/dovecot/auth-client` + +##### dovecot_host + +Host of via network exposed dovecot socket + +Default: `localhost` + +##### dovecot_port + +Port of via network exposed dovecot socket + +Default: `12345` ##### lc_username diff --git a/config b/config index ee187339..a0f6cfa7 100644 --- a/config +++ b/config @@ -104,6 +104,19 @@ # The path to the CA file in pem format which is used to certificate the server certificate #ldap_ssl_ca_file = +# Connection type for dovecot authentication (AF_UNIX|AF_INET|AF_INET6) +# Note: credentials are transmitted in cleartext +#dovecot_connection_type = AF_UNIX + +# The path to the Dovecot client authentication socket (eg. /run/dovecot/auth-client on Fedora). Radicale must have read / write access to the socket. +#dovecot_socket = /var/run/dovecot/auth-client + +# Host of via network exposed dovecot socket +#dovecot_host = localhost + +# Port of via network exposed dovecot socket +#dovecot_port = 12345 + # Htpasswd filename #htpasswd_filename = /etc/radicale/users From 3e18644423430cb81fecc9601c7f8130c95fda00 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 05:59:52 +0100 Subject: [PATCH 085/254] imap: changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f0b8cbc8..cb7952a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## 3.4.1.dev * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port +* Add: option [auth] type imap by code migration from https://github.com/Unrud/RadicaleIMAP/ ## 3.4.0 * Add: option [auth] cache_logins/cache_successful_logins_expiry/cache_failed_logins for caching logins From c24659c5ec01708d634dcf1cc6d32d8e69aa1a17 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:01:01 +0100 Subject: [PATCH 086/254] imap: doc and default config --- DOCUMENTATION.md | 15 +++++++++++++++ config | 8 ++++++++ 2 files changed, 23 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index a68cc2c4..ddfaa547 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -812,6 +812,9 @@ Available backends: `dovecot` : Use a local Dovecot server to authenticate users. +`imap` +: Use a IMAP server to authenticate users. + Default: `none` ##### cache_logins @@ -993,6 +996,18 @@ Port of via network exposed dovecot socket Default: `12345` +##### imap_host + +IMAP server hostname: address | address:port | [address]:port | imap.server.tld + +Default: `localhost` + +##### imap_security + +Secure the IMAP connection: tls | starttls | none + +Default: `tls` + ##### lc_username Сonvert username to lowercase, must be true for case-insensitive auth diff --git a/config b/config index a0f6cfa7..c775a3c1 100644 --- a/config +++ b/config @@ -117,6 +117,14 @@ # Port of via network exposed dovecot socket #dovecot_port = 12345 +# IMAP server hostname +# Syntax: address | address:port | [address]:port | imap.server.tld +#imap_host = localhost + +# Secure the IMAP connection +# Value: tls | starttls | none +#imap_security = tls + # Htpasswd filename #htpasswd_filename = /etc/radicale/users From 72c7d32e44060ca70e1903b8cadeab29d3a1c8c9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:01:29 +0100 Subject: [PATCH 087/254] dovecot: extend doc --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index ddfaa547..30566c33 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -810,7 +810,7 @@ Available backends: : Use a LDAP or AD server to authenticate users. `dovecot` -: Use a local Dovecot server to authenticate users. +: Use a Dovecot server to authenticate users. `imap` : Use a IMAP server to authenticate users. From 50b76f71143d9b79a0b12106d9016bcc52b7cc17 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:02:06 +0100 Subject: [PATCH 088/254] imap: config parse --- radicale/auth/__init__.py | 10 +++++++++- radicale/config.py | 31 +++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 8bc8ffad..71854e2a 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -41,8 +41,16 @@ INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user", "denyall", "htpasswd", "ldap", + "imap", "dovecot") +CACHE_LOGIN_TYPES: Sequence[str] = ( + "dovecot", + "ldap", + "htpasswd", + "imap", + ) + AUTH_SOCKET_FAMILY: Sequence[str] = ("AF_UNIX", "AF_INET", "AF_INET6") @@ -97,7 +105,7 @@ class BaseAuth: # cache_successful_logins self._cache_logins = configuration.get("auth", "cache_logins") self._type = configuration.get("auth", "type") - if (self._type in ["dovecot", "ldap", "htpasswd"]) or (self._cache_logins is False): + if (self._type in CACHE_LOGIN_TYPES) or (self._cache_logins is False): logger.info("auth.cache_logins: %s", self._cache_logins) else: logger.info("auth.cache_logins: %s (but not required for type '%s' and disabled therefore)", self._cache_logins, self._type) diff --git a/radicale/config.py b/radicale/config.py index 86970732..9b4e9af4 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -104,6 +104,29 @@ def _convert_to_bool(value: Any) -> bool: return RawConfigParser.BOOLEAN_STATES[value.lower()] +def imap_address(value): + if "]" in value: + pre_address, pre_address_port = value.rsplit("]", 1) + else: + pre_address, pre_address_port = "", value + if ":" in pre_address_port: + pre_address2, port = pre_address_port.rsplit(":", 1) + address = pre_address + pre_address2 + else: + address, port = pre_address + pre_address_port, None + try: + return (address.strip(string.whitespace + "[]"), + None if port is None else int(port)) + except ValueError: + raise ValueError("malformed IMAP address: %r" % value) + + +def imap_security(value): + if value not in ("tls", "starttls", "none"): + raise ValueError("unsupported IMAP security: %r" % value) + return value + + def json_str(value: Any) -> dict: if not value: return {} @@ -276,6 +299,14 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "", "help": "The path to the CA file in pem format which is used to certificate the server certificate", "type": str}), + ("imap_host", { + "value": "localhost", + "help": "IMAP server hostname: address|address:port|[address]:port|*localhost*", + "type": imap_address}), + ("imap_security", { + "value": "tls", + "help": "Secure the IMAP connection: *tls*|starttls|none", + "type": imap_security}), ("strip_domain", { "value": "False", "help": "strip domain from username", From bc939522dc3ad3b56026d23234ac06a2008e5847 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:02:22 +0100 Subject: [PATCH 089/254] imap: migrate from https://github.com/Unrud/RadicaleIMAP/ --- radicale/auth/imap.py | 71 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 radicale/auth/imap.py diff --git a/radicale/auth/imap.py b/radicale/auth/imap.py new file mode 100644 index 00000000..66b67935 --- /dev/null +++ b/radicale/auth/imap.py @@ -0,0 +1,71 @@ +# RadicaleIMAP IMAP authentication plugin for Radicale. +# Copyright © 2017, 2020 Unrud +# Copyright © 2025-2025 Peter Bieringer +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import imaplib +import ssl +import string + +from radicale import auth +from radicale.log import logger + + +class Auth(auth.BaseAuth): + """Authenticate user with IMAP.""" + + def __init__(self, configuration) -> None: + super().__init__(configuration) + self._host, self._port = self.configuration.get("auth", "imap_host") + logger.info("auth imap host: %r", self._host) + self._security = self.configuration.get("auth", "imap_security") + if self._security == "none": + logger.info("auth imap security: %s (INSECURE, credentials are transmitted in clear text)", self._security) + else: + logger.info("auth imap security: %s", self._security) + if self._security == "tls": + if self._port is None: + self._port = 993 + logger.info("auth imap port (autoselected): %d", self._port) + else: + logger.info("auth imap port: %d", self._port) + else: + if self._port is None: + self._port = 143 + logger.info("auth imap port (autoselected): %d", self._port) + else: + logger.info("auth imap port: %d", self._port) + + def _login(self, login, password) -> str: + try: + if self._security == "tls": + connection = imaplib.IMAP4_SSL( + host=self._host, port=self._port, + ssl_context=ssl.create_default_context()) + else: + connection = imaplib.IMAP4(host=self._host, port=self._port) + if self._security == "starttls": + connection.starttls(ssl.create_default_context()) + try: + connection.login(login, password) + except imaplib.IMAP4.error as e: + logger.warning("IMAP authentication failed for user %r: %s", login, e, exc_info=False) + return "" + connection.logout() + return login + except (OSError, imaplib.IMAP4.error) as e: + logger.error("Failed to communicate with IMAP server %r: " + "%s" % ("[%s]:%d" % (self._host, self._port), e)) + return "" From e80bf589012a8fcb4864c439f709fe8d97682521 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:05:14 +0100 Subject: [PATCH 090/254] imap: flake8 fixes --- radicale/auth/imap.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/radicale/auth/imap.py b/radicale/auth/imap.py index 66b67935..0f78bca9 100644 --- a/radicale/auth/imap.py +++ b/radicale/auth/imap.py @@ -17,7 +17,6 @@ import imaplib import ssl -import string from radicale import auth from radicale.log import logger @@ -66,6 +65,5 @@ class Auth(auth.BaseAuth): connection.logout() return login except (OSError, imaplib.IMAP4.error) as e: - logger.error("Failed to communicate with IMAP server %r: " - "%s" % ("[%s]:%d" % (self._host, self._port), e)) + logger.error("Failed to communicate with IMAP server %r: %s" % ("[%s]:%d" % (self._host, self._port), e)) return "" From 3df5d28432e76a269d2212949b8fc81e07229a16 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 16 Jan 2025 06:11:57 +0100 Subject: [PATCH 091/254] imap: mypy fix --- radicale/auth/imap.py | 1 + 1 file changed, 1 insertion(+) diff --git a/radicale/auth/imap.py b/radicale/auth/imap.py index 0f78bca9..8b3c2972 100644 --- a/radicale/auth/imap.py +++ b/radicale/auth/imap.py @@ -49,6 +49,7 @@ class Auth(auth.BaseAuth): def _login(self, login, password) -> str: try: + connection: imaplib.IMAP4 | imaplib.IMAP4_SSL if self._security == "tls": connection = imaplib.IMAP4_SSL( host=self._host, port=self._port, From 26637a1240bfb839ab5e52a342807dc481641628 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 20 Jan 2025 06:31:56 +0100 Subject: [PATCH 092/254] add logging entries for dovecot, adjust for imap --- radicale/auth/dovecot.py | 3 +++ radicale/auth/imap.py | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/radicale/auth/dovecot.py b/radicale/auth/dovecot.py index 340253c1..b3f3fb81 100644 --- a/radicale/auth/dovecot.py +++ b/radicale/auth/dovecot.py @@ -1,6 +1,7 @@ # This file is part of Radicale Server - Calendar Server # Copyright © 2014 Giel van Schijndel # Copyright © 2019 (GalaxyMaster) +# Copyright © 2025-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -35,9 +36,11 @@ class Auth(auth.BaseAuth): if config_family == "AF_UNIX": self.family = socket.AF_UNIX self.address = configuration.get("auth", "dovecot_socket") + logger.info("auth dovecot socket: %r", self.address) return self.address = configuration.get("auth", "dovecot_host"), configuration.get("auth", "dovecot_port") + logger.warning("auth dovecot address: %r (INSECURE, credentials are transmitted in clear text)", self.address) if config_family == "AF_INET": self.family = socket.AF_INET else: diff --git a/radicale/auth/imap.py b/radicale/auth/imap.py index 8b3c2972..3fdbaa70 100644 --- a/radicale/auth/imap.py +++ b/radicale/auth/imap.py @@ -31,7 +31,7 @@ class Auth(auth.BaseAuth): logger.info("auth imap host: %r", self._host) self._security = self.configuration.get("auth", "imap_security") if self._security == "none": - logger.info("auth imap security: %s (INSECURE, credentials are transmitted in clear text)", self._security) + logger.warning("auth imap security: %s (INSECURE, credentials are transmitted in clear text)", self._security) else: logger.info("auth imap security: %s", self._security) if self._security == "tls": From 98e65d88a4753a6d869165fad261b5240307f2f3 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 26 Jan 2025 08:15:14 +0100 Subject: [PATCH 093/254] release 3.4.1 --- CHANGELOG.md | 2 +- pyproject.toml | 2 +- setup.py.legacy | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cb7952a7..620073c1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## 3.4.1.dev +## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port * Add: option [auth] type imap by code migration from https://github.com/Unrud/RadicaleIMAP/ diff --git a/pyproject.toml b/pyproject.toml index c72edc8d..5784971a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.4.1.dev" +version = "3.4.1" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index a5068002..547f9dda 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.4.1.dev" +VERSION = "3.4.1" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 780aaa7e3e349d46236ae72defcfcf4eccb12245 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 26 Jan 2025 12:10:37 +0100 Subject: [PATCH 094/254] clarify quick installation guides --- DOCUMENTATION.md | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 30566c33..84b3a0cf 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -23,7 +23,8 @@ Radicale is a small but powerful CalDAV (calendars, to-do lists) and CardDAV Radicale is really easy to install (for testing purposes) and works out-of-the-box. ```bash -python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz +# Run as normal user +python3 -m pip install --user --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz python3 -m radicale --logging-level info --storage-filesystem-folder=~/.var/lib/radicale/collections ``` @@ -63,10 +64,20 @@ enough to install the package ``python3-pip``. Then open a console and type: ```bash -# Run the following command as root or -# add the --user argument to only install for the current user -$ python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz -$ python3 -m radicale --storage-filesystem-folder=~/.var/lib/radicale/collections +# Run the following command to only install for the current user +# data is also stored for the current user only +python3 -m pip install --user --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz +python3 -m radicale --storage-filesystem-folder=~/.var/lib/radicale/collections +``` + +Alternative one can install as root or system user + +```bash +# Run the following command as root +# or non-root system user (can require --user in case of dependencies are not available system-wide) +# requires existence of and write permissions to /var/lib/radicale/collections +python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gz +python3 -m radicale --storage-filesystem-folder=/var/lib/radicale/collections ``` Victory! Open in your browser! From 30389f45255ada48a5a80fee05297ca373bf2a37 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 08:29:02 +0100 Subject: [PATCH 095/254] initial from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/radicale_auth_oauth2/__init__.py --- radicale/auth/oauth2.py | 44 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 radicale/auth/oauth2.py diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py new file mode 100644 index 00000000..4efde374 --- /dev/null +++ b/radicale/auth/oauth2.py @@ -0,0 +1,44 @@ +""" +Authentication backend that checks credentials against an oauth2 server auth endpoint +""" + +from radicale import auth +from radicale.log import logger +import requests +from requests.utils import quote + + +class Auth(auth.BaseAuth): + def __init__(self, configuration): + super().__init__(configuration) + self._endpoint = configuration.get("auth", "oauth2_token_endpoint") + logger.warning("Using oauth2 token endpoint: %s" % (self._endpoint)) + + def login(self, login, password): + """Validate credentials. + Sends login credentials to oauth auth endpoint and checks that a token is returned + """ + try: + # authenticate to authentication endpoint and return login if ok, else "" + req_params = { + "username": login, + "password": password, + "grant_type": "password", + "client_id": "radicale", + } + req_headers = {"Content-Type": "application/x-www-form-urlencoded"} + response = requests.post( + self._endpoint, data=req_params, headers=req_headers + ) + if ( + response.status_code == requests.codes.ok + and "access_token" in response.json() + ): + return login + except OSError as e: + raise RuntimeError( + "Failed to authenticate against oauth server %r: %s" + % (self._endpoint, e) + ) from e + logger.warning("User %s failed to authenticate" % (str(login))) + return "" From 063883797ce703c4b862b74ea56f92b6435caa94 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 08:32:42 +0100 Subject: [PATCH 096/254] add copyright --- radicale/auth/oauth2.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py index 4efde374..cfa5dbe5 100644 --- a/radicale/auth/oauth2.py +++ b/radicale/auth/oauth2.py @@ -1,3 +1,25 @@ +# This file is part of Radicale Server - Calendar Server +# +# Original from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/ +# Copyright © 2021-2022 Bruno Boiget +# Copyright © 2022-2022 Daniel Dehennin +# +# Since migration into upstream +# Copyright © 2025-2025 Peter Bieringer +# +# This library is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Radicale. If not, see . + """ Authentication backend that checks credentials against an oauth2 server auth endpoint """ From 937acf38f7f26c578c8a6ae912d1d9d4fce6e26b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 08:33:49 +0100 Subject: [PATCH 097/254] oauth2 config check improvement --- radicale/auth/oauth2.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py index cfa5dbe5..644bdb8a 100644 --- a/radicale/auth/oauth2.py +++ b/radicale/auth/oauth2.py @@ -29,12 +29,14 @@ from radicale.log import logger import requests from requests.utils import quote - class Auth(auth.BaseAuth): def __init__(self, configuration): super().__init__(configuration) self._endpoint = configuration.get("auth", "oauth2_token_endpoint") - logger.warning("Using oauth2 token endpoint: %s" % (self._endpoint)) + if not self._endpoint: + logger.error("auth.oauth2_token_endpoint URL missing") + raise RuntimeError("OAuth2 token endpoint URL is required") + logger.info("auth OAuth2 token endpoint: %s" % (self._endpoint)) def login(self, login, password): """Validate credentials. From e28b719233a58b04517abfda2e206cc520a8a15a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:01:40 +0100 Subject: [PATCH 098/254] oauth2 example config --- config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config b/config index c775a3c1..ba53ef3e 100644 --- a/config +++ b/config @@ -125,6 +125,9 @@ # Value: tls | starttls | none #imap_security = tls +# OAuth2 token endpoint URL +#oauth2_token_endpoint = + # Htpasswd filename #htpasswd_filename = /etc/radicale/users From 87dc5538d201e3e2587d70fcf5a84e0953c7a4d4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:01:58 +0100 Subject: [PATCH 099/254] oauth2 module enabling --- radicale/auth/__init__.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index 71854e2a..e92272f8 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -42,6 +42,7 @@ INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user", "htpasswd", "ldap", "imap", + "oauth2", "dovecot") CACHE_LOGIN_TYPES: Sequence[str] = ( @@ -49,6 +50,7 @@ CACHE_LOGIN_TYPES: Sequence[str] = ( "ldap", "htpasswd", "imap", + "oauth2", ) AUTH_SOCKET_FAMILY: Sequence[str] = ("AF_UNIX", "AF_INET", "AF_INET6") From 23a68b2fb1a923aa23be3296ca43ef4d00248388 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:03:25 +0100 Subject: [PATCH 100/254] extend mypy options --- pyproject.toml | 2 +- setup.cfg.legacy | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 5784971a..16d539fc 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -72,7 +72,7 @@ skip_install = true [tool.tox.env.mypy] deps = ["mypy==1.11.0"] -commands = [["mypy", "."]] +commands = [["mypy", "--install-types", "--non-interactive", "."]] skip_install = true diff --git a/setup.cfg.legacy b/setup.cfg.legacy index 94a39915..e27241b4 100644 --- a/setup.cfg.legacy +++ b/setup.cfg.legacy @@ -24,7 +24,7 @@ skip_install = True [testenv:mypy] deps = mypy==1.11.0 -commands = mypy . +commands = mypy --install-types --non-interactive . skip_install = True [tool:isort] From 04523e50874d72e8b489b2e56780f706bda07730 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:03:42 +0100 Subject: [PATCH 101/254] oauth2 config option --- radicale/config.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/radicale/config.py b/radicale/config.py index 9b4e9af4..5f46022e 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -307,6 +307,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "tls", "help": "Secure the IMAP connection: *tls*|starttls|none", "type": imap_security}), + ("oauth2_token_endpoint", { + "value": "", + "help": "OAuth2 token endpoint URL", + "type": str}), ("strip_domain", { "value": "False", "help": "strip domain from username", From 7b6146405f014adf1c3073b6f84e44f0ce5a8a12 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:04:06 +0100 Subject: [PATCH 102/254] make tox happy --- radicale/auth/oauth2.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py index 644bdb8a..c9ae4359 100644 --- a/radicale/auth/oauth2.py +++ b/radicale/auth/oauth2.py @@ -24,10 +24,11 @@ Authentication backend that checks credentials against an oauth2 server auth endpoint """ +import requests + from radicale import auth from radicale.log import logger -import requests -from requests.utils import quote + class Auth(auth.BaseAuth): def __init__(self, configuration): From d2be086cd1de73df1ebb7270f40b2e8bc0b0db05 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:04:20 +0100 Subject: [PATCH 103/254] oauth2 adjustments to radicale changes in the past --- radicale/auth/oauth2.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py index c9ae4359..7ca5eb9d 100644 --- a/radicale/auth/oauth2.py +++ b/radicale/auth/oauth2.py @@ -39,9 +39,9 @@ class Auth(auth.BaseAuth): raise RuntimeError("OAuth2 token endpoint URL is required") logger.info("auth OAuth2 token endpoint: %s" % (self._endpoint)) - def login(self, login, password): + def _login(self, login, password): """Validate credentials. - Sends login credentials to oauth auth endpoint and checks that a token is returned + Sends login credentials to oauth token endpoint and checks that a token is returned """ try: # authenticate to authentication endpoint and return login if ok, else "" From e0d20edbcd8116790dd02b387b04177c6ca46e69 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:04:42 +0100 Subject: [PATCH 104/254] oauth2 do not throw exception in case server is not reachable --- radicale/auth/oauth2.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/radicale/auth/oauth2.py b/radicale/auth/oauth2.py index 7ca5eb9d..838a786e 100644 --- a/radicale/auth/oauth2.py +++ b/radicale/auth/oauth2.py @@ -61,9 +61,6 @@ class Auth(auth.BaseAuth): ): return login except OSError as e: - raise RuntimeError( - "Failed to authenticate against oauth server %r: %s" - % (self._endpoint, e) - ) from e - logger.warning("User %s failed to authenticate" % (str(login))) + logger.critical("Failed to authenticate against OAuth2 server %s: %s" % (self._endpoint, e)) + logger.warning("User failed to authenticate using OAuth2: %r" % login) return "" From cfcfbbd231cc4ba48102fb7f436149841eae674c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:08:57 +0100 Subject: [PATCH 105/254] oauth2 changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 620073c1..3a1d896e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 3.4.2.dev + +* Add: option [auth] type oauth2 by code migration from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/ + ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port * Add: option [auth] type imap by code migration from https://github.com/Unrud/RadicaleIMAP/ From f3a7641baa73a96feeab51bdd795716520b35083 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:09:08 +0100 Subject: [PATCH 106/254] 3.4.2.dev --- pyproject.toml | 2 +- setup.py.legacy | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 16d539fc..eac75049 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -3,7 +3,7 @@ name = "Radicale" # When the version is updated, a new section in the CHANGELOG.md file must be # added too. readme = "README.md" -version = "3.4.1" +version = "3.4.2.dev" authors = [{name = "Guillaume Ayoub", email = "guillaume.ayoub@kozea.fr"}, {name = "Unrud", email = "unrud@outlook.com"}, {name = "Peter Bieringer", email = "pb@bieringer.de"}] license = {text = "GNU GPL v3"} description = "CalDAV and CardDAV Server" diff --git a/setup.py.legacy b/setup.py.legacy index 547f9dda..09d323a9 100644 --- a/setup.py.legacy +++ b/setup.py.legacy @@ -20,7 +20,7 @@ from setuptools import find_packages, setup # When the version is updated, a new section in the CHANGELOG.md file must be # added too. -VERSION = "3.4.1" +VERSION = "3.4.2.dev" with open("README.md", encoding="utf-8") as f: long_description = f.read() From 6f68a64855b2d2e266fa23d8fca11363410c94de Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sun, 2 Feb 2025 09:14:04 +0100 Subject: [PATCH 107/254] oauth2 doc --- DOCUMENTATION.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 84b3a0cf..c2e586ef 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -824,7 +824,10 @@ Available backends: : Use a Dovecot server to authenticate users. `imap` -: Use a IMAP server to authenticate users. +: Use an IMAP server to authenticate users. + +`oauth2` +: Use an OAuth2 server to authenticate users. Default: `none` @@ -1019,6 +1022,12 @@ Secure the IMAP connection: tls | starttls | none Default: `tls` +##### oauth2_token_endpoint + +OAuth2 token endpoint URL + +Default: + ##### lc_username Сonvert username to lowercase, must be true for case-insensitive auth From 938f6a97fdd670049dee91ede9d2a1fcfae0db1d Mon Sep 17 00:00:00 2001 From: Rob Aguilar Date: Thu, 6 Feb 2025 21:56:03 -0500 Subject: [PATCH 108/254] Update DOCUMENTATION.md Corrected the method override in the authentication plugin example. The original example suggested overriding login(), but BaseAuth expects _login() to be implemented instead. Overriding login() causes a Too many values to unpack error. --- DOCUMENTATION.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index c2e586ef..b9c4c572 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1819,7 +1819,7 @@ class Auth(BaseAuth): def __init__(self, configuration): super().__init__(configuration.copy(PLUGIN_CONFIG_SCHEMA)) - def login(self, login, password): + def _login(self, login, password): # Get password from configuration option static_password = self.configuration.get("auth", "password") # Check authentication From dcaec206816b2e44f3a793bc3228cd139d56e250 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 10 Feb 2025 19:33:28 +0100 Subject: [PATCH 109/254] extend copyright year --- radicale/app/put.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 6e1ba215..4e1e0c9b 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -4,7 +4,7 @@ # Copyright © 2008-2017 Guillaume Ayoub # Copyright © 2017-2020 Unrud # Copyright © 2020-2023 Tuna Celik -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From b011fa4e61b3f8dfcd484b0af546da9059ea842c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 10 Feb 2025 19:34:13 +0100 Subject: [PATCH 110/254] extend copyright year --- radicale/httputils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/httputils.py b/radicale/httputils.py index 3983d7eb..f3c53965 100644 --- a/radicale/httputils.py +++ b/radicale/httputils.py @@ -3,7 +3,7 @@ # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub # Copyright © 2017-2022 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 77f69f2b1e6f772e6811d12381b4699ffb360bbf Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 10 Feb 2025 19:34:29 +0100 Subject: [PATCH 111/254] add new error code --- radicale/httputils.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radicale/httputils.py b/radicale/httputils.py index f3c53965..23cc3677 100644 --- a/radicale/httputils.py +++ b/radicale/httputils.py @@ -79,6 +79,9 @@ REMOTE_DESTINATION: types.WSGIResponse = ( DIRECTORY_LISTING: types.WSGIResponse = ( client.FORBIDDEN, (("Content-Type", "text/plain"),), "Directory listings are not supported.") +INSUFFICIENT_STORAGE: types.WSGIResponse = ( + client.INSUFFICIENT_STORAGE, (("Content-Type", "text/plain"),), + "Insufficient Storage. Please contact the administrator.") INTERNAL_SERVER_ERROR: types.WSGIResponse = ( client.INTERNAL_SERVER_ERROR, (("Content-Type", "text/plain"),), "A server error occurred. Please contact the administrator.") From f0d06cbc7d8b1c133d84db6dc4b51febbdbe888c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Mon, 10 Feb 2025 19:37:19 +0100 Subject: [PATCH 112/254] catch server errors on put --- radicale/app/put.py | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 4e1e0c9b..976b7bfd 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -19,8 +19,10 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import errno import itertools import posixpath +import re import socket import sys from http import client @@ -264,9 +266,22 @@ class ApplicationPartPut(ApplicationBase): ) self._hook.notify(hook_notification_item) except ValueError as e: - logger.warning( - "Bad PUT request on %r (upload): %s", path, e, exc_info=True) - return httputils.BAD_REQUEST + # return better matching HTTP result in case errno is provided and catched + errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) + if errno_match: + logger.warning( + "Failed PUT request on %r (upload): %s", path, e, exc_info=True) + errno_e = int(errno_match.group(1)) + if errno_e == errno.ENOSPC: + return httputils.INSUFFICIENT_STORAGE + elif (errno_e == errno.EPERM) or (errno_e == errno.EACCES): + return httputils.FORBIDDEN + else: + return httputils.INTERNAL_SERVER_ERROR + else: + logger.warning( + "Bad PUT request on %r (upload): %s", path, e, exc_info=True) + return httputils.BAD_REQUEST headers = {"ETag": etag} return client.CREATED, headers, None From 605fc655847efbd2be7f6d65c16581614825895d Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:17:47 +0100 Subject: [PATCH 113/254] improve coding --- radicale/app/put.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 976b7bfd..7bd37035 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -274,7 +274,7 @@ class ApplicationPartPut(ApplicationBase): errno_e = int(errno_match.group(1)) if errno_e == errno.ENOSPC: return httputils.INSUFFICIENT_STORAGE - elif (errno_e == errno.EPERM) or (errno_e == errno.EACCES): + elif errno_e in [errno.EPERM, errno.EACCES]: return httputils.FORBIDDEN else: return httputils.INTERNAL_SERVER_ERROR From c157dd7d19f2101c957a4992394595359cb32020 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:18:45 +0100 Subject: [PATCH 114/254] extend copyright --- radicale/app/mkcol.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/app/mkcol.py b/radicale/app/mkcol.py index 5bccc50c..50c94dce 100644 --- a/radicale/app/mkcol.py +++ b/radicale/app/mkcol.py @@ -2,7 +2,8 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2021 Unrud +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 88accdb6723acda526d1bad30513ba6c826fea35 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:19:16 +0100 Subject: [PATCH 115/254] catch server errors and return proper message --- radicale/app/mkcol.py | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/radicale/app/mkcol.py b/radicale/app/mkcol.py index 50c94dce..953508ad 100644 --- a/radicale/app/mkcol.py +++ b/radicale/app/mkcol.py @@ -18,7 +18,9 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import errno import posixpath +import re import socket from http import client @@ -75,8 +77,21 @@ class ApplicationPartMkcol(ApplicationBase): try: self._storage.create_collection(path, props=props) except ValueError as e: - logger.warning( - "Bad MKCOL request on %r (type:%s): %s", path, collection_type, e, exc_info=True) - return httputils.BAD_REQUEST + # return better matching HTTP result in case errno is provided and catched + errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) + if errno_match: + logger.error( + "Failed MKCOL request on %r (type:%s): %s", path, collection_type, e, exc_info=True) + errno_e = int(errno_match.group(1)) + if errno_e == errno.ENOSPC: + return httputils.INSUFFICIENT_STORAGE + elif errno_e in [errno.EPERM, errno.EACCES]: + return httputils.FORBIDDEN + else: + return httputils.INTERNAL_SERVER_ERROR + else: + logger.warning( + "Bad MKCOL request on %r (type:%s): %s", path, collection_type, e, exc_info=True) + return httputils.BAD_REQUEST logger.info("MKCOL request %r (type:%s): %s", path, collection_type, "successful") return client.CREATED, {}, None From cd51581f389024dbec6b04d790ac1725cf085352 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:20:29 +0100 Subject: [PATCH 116/254] extend copyright --- radicale/storage/multifilesystem/create_collection.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/storage/multifilesystem/create_collection.py b/radicale/storage/multifilesystem/create_collection.py index 2e6e9ce7..f300f59a 100644 --- a/radicale/storage/multifilesystem/create_collection.py +++ b/radicale/storage/multifilesystem/create_collection.py @@ -2,7 +2,7 @@ # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2021 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 37b18cf5a2c3c986e739eb973e79ec9ca46ab205 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:20:51 +0100 Subject: [PATCH 117/254] catch error during create_collection --- .../multifilesystem/create_collection.py | 44 ++++++++++--------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/radicale/storage/multifilesystem/create_collection.py b/radicale/storage/multifilesystem/create_collection.py index f300f59a..cbbdee53 100644 --- a/radicale/storage/multifilesystem/create_collection.py +++ b/radicale/storage/multifilesystem/create_collection.py @@ -50,27 +50,31 @@ class StoragePartCreateCollection(StorageBase): self._makedirs_synced(parent_dir) # Create a temporary directory with an unsafe name - with TemporaryDirectory(prefix=".Radicale.tmp-", dir=parent_dir - ) as tmp_dir: - # The temporary directory itself can't be renamed - tmp_filesystem_path = os.path.join(tmp_dir, "collection") - os.makedirs(tmp_filesystem_path) - col = self._collection_class( - cast(multifilesystem.Storage, self), - pathutils.unstrip_path(sane_path, True), - filesystem_path=tmp_filesystem_path) - col.set_meta(props) - if items is not None: - if props.get("tag") == "VCALENDAR": - col._upload_all_nonatomic(items, suffix=".ics") - elif props.get("tag") == "VADDRESSBOOK": - col._upload_all_nonatomic(items, suffix=".vcf") + try: + with TemporaryDirectory(prefix=".Radicale.tmp-", dir=parent_dir + ) as tmp_dir: + # The temporary directory itself can't be renamed + tmp_filesystem_path = os.path.join(tmp_dir, "collection") + os.makedirs(tmp_filesystem_path) + col = self._collection_class( + cast(multifilesystem.Storage, self), + pathutils.unstrip_path(sane_path, True), + filesystem_path=tmp_filesystem_path) + col.set_meta(props) + if items is not None: + if props.get("tag") == "VCALENDAR": + col._upload_all_nonatomic(items, suffix=".ics") + elif props.get("tag") == "VADDRESSBOOK": + col._upload_all_nonatomic(items, suffix=".vcf") - if os.path.lexists(filesystem_path): - pathutils.rename_exchange(tmp_filesystem_path, filesystem_path) - else: - os.rename(tmp_filesystem_path, filesystem_path) - self._sync_directory(parent_dir) + if os.path.lexists(filesystem_path): + pathutils.rename_exchange(tmp_filesystem_path, filesystem_path) + else: + os.rename(tmp_filesystem_path, filesystem_path) + self._sync_directory(parent_dir) + except Exception as e: + raise ValueError("Failed to create collection %r as %r %s" % + (href, filesystem_path, e)) from e return self._collection_class( cast(multifilesystem.Storage, self), From 803763729a1a9310f32fdfb3126b540324d794b9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:26:57 +0100 Subject: [PATCH 118/254] extend copyright --- radicale/app/mkcalendar.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/app/mkcalendar.py b/radicale/app/mkcalendar.py index c507ae44..20c3445f 100644 --- a/radicale/app/mkcalendar.py +++ b/radicale/app/mkcalendar.py @@ -2,7 +2,8 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2021 Unrud +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From fde0ecb9b20b070a1c1205aa5b1d578b351bc218 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:29:33 +0100 Subject: [PATCH 119/254] change loglevel --- radicale/app/put.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/put.py b/radicale/app/put.py index 7bd37035..962bf756 100644 --- a/radicale/app/put.py +++ b/radicale/app/put.py @@ -269,7 +269,7 @@ class ApplicationPartPut(ApplicationBase): # return better matching HTTP result in case errno is provided and catched errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) if errno_match: - logger.warning( + logger.error( "Failed PUT request on %r (upload): %s", path, e, exc_info=True) errno_e = int(errno_match.group(1)) if errno_e == errno.ENOSPC: From b078a8f00233ff4c19ae2b14dfbbd61949dc21d7 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:29:56 +0100 Subject: [PATCH 120/254] catch os errors --- radicale/app/mkcalendar.py | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/radicale/app/mkcalendar.py b/radicale/app/mkcalendar.py index 20c3445f..b9f2063a 100644 --- a/radicale/app/mkcalendar.py +++ b/radicale/app/mkcalendar.py @@ -18,7 +18,9 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import errno import posixpath +import re import socket from http import client @@ -71,7 +73,20 @@ class ApplicationPartMkcalendar(ApplicationBase): try: self._storage.create_collection(path, props=props) except ValueError as e: - logger.warning( - "Bad MKCALENDAR request on %r: %s", path, e, exc_info=True) - return httputils.BAD_REQUEST + # return better matching HTTP result in case errno is provided and catched + errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) + if errno_match: + logger.error( + "Failed MKCALENDAR request on %r: %s", path, e, exc_info=True) + errno_e = int(errno_match.group(1)) + if errno_e == errno.ENOSPC: + return httputils.INSUFFICIENT_STORAGE + elif errno_e in [errno.EPERM, errno.EACCES]: + return httputils.FORBIDDEN + else: + return httputils.INTERNAL_SERVER_ERROR + else: + logger.warning( + "Bad MKCALENDAR request on %r: %s", path, e, exc_info=True) + return httputils.BAD_REQUEST return client.CREATED, {}, None From 718089e3bfc512aa45479d62500216896439f5c6 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:34:46 +0100 Subject: [PATCH 121/254] extend copyright --- radicale/app/proppatch.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/radicale/app/proppatch.py b/radicale/app/proppatch.py index c15fddfe..1d2701a0 100644 --- a/radicale/app/proppatch.py +++ b/radicale/app/proppatch.py @@ -2,7 +2,9 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2020 Unrud +# Copyright © 2020-2020 Tuna Celik +# Copyright © 2025-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 484616f3631a24c5a8d3bcd6a87e8bc1a2b01a01 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:35:03 +0100 Subject: [PATCH 122/254] catch os error --- radicale/app/proppatch.py | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/radicale/app/proppatch.py b/radicale/app/proppatch.py index 1d2701a0..faa8c25b 100644 --- a/radicale/app/proppatch.py +++ b/radicale/app/proppatch.py @@ -19,6 +19,8 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import errno +import re import socket import xml.etree.ElementTree as ET from http import client @@ -109,7 +111,20 @@ class ApplicationPartProppatch(ApplicationBase): ) self._hook.notify(hook_notification_item) except ValueError as e: - logger.warning( - "Bad PROPPATCH request on %r: %s", path, e, exc_info=True) - return httputils.BAD_REQUEST + # return better matching HTTP result in case errno is provided and catched + errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) + if errno_match: + logger.warning( + "Failed PROPPATCH request on %r: %s", path, e, exc_info=True) + errno_e = int(errno_match.group(1)) + if errno_e == errno.ENOSPC: + return httputils.INSUFFICIENT_STORAGE + elif errno_e in [errno.EPERM, errno.EACCES]: + return httputils.FORBIDDEN + else: + return httputils.INTERNAL_SERVER_ERROR + else: + logger.warning( + "Bad PROPPATCH request on %r: %s", path, e, exc_info=True) + return httputils.BAD_REQUEST return client.MULTI_STATUS, headers, self._xml_response(xml_answer) From dc83c6d7d01d7e2fcfa97c648ce0de07073805ad Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:39:40 +0100 Subject: [PATCH 123/254] extend copyright --- radicale/app/move.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/radicale/app/move.py b/radicale/app/move.py index 5bd8a579..b2909cd2 100644 --- a/radicale/app/move.py +++ b/radicale/app/move.py @@ -2,7 +2,8 @@ # Copyright © 2008 Nicolas Kandel # Copyright © 2008 Pascal Halter # Copyright © 2008-2017 Guillaume Ayoub -# Copyright © 2017-2018 Unrud +# Copyright © 2017-2023 Unrud +# Copyright © 2023-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 67bbc9a31b5334af64a25de0944bf055ea8d2e4c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:39:54 +0100 Subject: [PATCH 124/254] catch os error --- radicale/app/move.py | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/radicale/app/move.py b/radicale/app/move.py index b2909cd2..f555e871 100644 --- a/radicale/app/move.py +++ b/radicale/app/move.py @@ -18,6 +18,7 @@ # You should have received a copy of the GNU General Public License # along with Radicale. If not, see . +import errno import posixpath import re from http import client @@ -110,7 +111,20 @@ class ApplicationPartMove(ApplicationBase): try: self._storage.move(item, to_collection, to_href) except ValueError as e: - logger.warning( - "Bad MOVE request on %r: %s", path, e, exc_info=True) - return httputils.BAD_REQUEST + # return better matching HTTP result in case errno is provided and catched + errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) + if errno_match: + logger.error( + "Failed MOVE request on %r: %s", path, e, exc_info=True) + errno_e = int(errno_match.group(1)) + if errno_e == errno.ENOSPC: + return httputils.INSUFFICIENT_STORAGE + elif errno_e in [errno.EPERM, errno.EACCES]: + return httputils.FORBIDDEN + else: + return httputils.INTERNAL_SERVER_ERROR + else: + logger.warning( + "Bad MOVE request on %r: %s", path, e, exc_info=True) + return httputils.BAD_REQUEST return client.NO_CONTENT if to_item else client.CREATED, {}, None From a62da71aa22077a7c3a9d2176d84bcba17956e0a Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:44:30 +0100 Subject: [PATCH 125/254] fix loglevel --- radicale/app/proppatch.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/app/proppatch.py b/radicale/app/proppatch.py index faa8c25b..76b4a1a1 100644 --- a/radicale/app/proppatch.py +++ b/radicale/app/proppatch.py @@ -114,7 +114,7 @@ class ApplicationPartProppatch(ApplicationBase): # return better matching HTTP result in case errno is provided and catched errno_match = re.search("\\[Errno ([0-9]+)\\]", str(e)) if errno_match: - logger.warning( + logger.error( "Failed PROPPATCH request on %r: %s", path, e, exc_info=True) errno_e = int(errno_match.group(1)) if errno_e == errno.ENOSPC: From 19a47158bdf982f5809df8f74fb36f8b6ff37841 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 16:48:48 +0100 Subject: [PATCH 126/254] extend changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a1d896e..cd0ab4f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ ## 3.4.2.dev * Add: option [auth] type oauth2 by code migration from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/ +* Fix: catch OS errors on PUT MKCOL MKCALENDAR MOVE PROPPATCH (insufficient storage, access denied, internal server error) ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From 018978edd8349af7700f3b7ea483f6174047807c Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 11 Feb 2025 17:00:05 +0100 Subject: [PATCH 127/254] update from https://github.com/Kozea/Radicale/issues/740 --- contrib/nginx/radicale.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contrib/nginx/radicale.conf b/contrib/nginx/radicale.conf index 5d63e523..acf91a18 100644 --- a/contrib/nginx/radicale.conf +++ b/contrib/nginx/radicale.conf @@ -2,6 +2,10 @@ ### ### Usual configuration file location: /etc/nginx/default.d/ +## "well-known" redirect at least for Apple devices +rewrite ^/.well-known/carddav /radicale/ redirect; +rewrite ^/.well-known/caldav /radicale/ redirect; + ## Base URI: /radicale/ location /radicale/ { proxy_pass http://localhost:5232/; From 3d50ae4a70097c72b76db0b35c8f466d15ad751b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 18 Feb 2025 06:13:11 +0100 Subject: [PATCH 128/254] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd0ab4f4..f9e2a473 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ * Add: option [auth] type oauth2 by code migration from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/ * Fix: catch OS errors on PUT MKCOL MKCALENDAR MOVE PROPPATCH (insufficient storage, access denied, internal server error) +* Test: skip bcrypt related tests if module is missing ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From 48a634af9fe77e037535df59d4a7a41151049ccb Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 18 Feb 2025 06:13:19 +0100 Subject: [PATCH 129/254] check whether bcrypt module is available --- radicale/tests/test_auth.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index f2ba577b..7abb23e9 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -41,6 +41,14 @@ class TestBaseAuthRequests(BaseTest): """ + # test for available bcrypt module + try: + import bcrypt + except ImportError as e: + has_bcrypt = 0 + else: + has_bcrypt = 1 + def _test_htpasswd(self, htpasswd_encryption: str, htpasswd_content: str, test_matrix: Union[str, Iterable[Tuple[str, str, bool]]] = "ascii") -> None: From 3914735ec0e1a28ddd325d3ebfafbfeb4e522d78 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 18 Feb 2025 06:13:39 +0100 Subject: [PATCH 130/254] skip bcrypt related tests if module is missing --- radicale/tests/test_auth.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 7abb23e9..6745e665 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -99,10 +99,12 @@ class TestBaseAuthRequests(BaseTest): def test_htpasswd_sha512(self) -> None: self._test_htpasswd("sha512", "tmp:$6$3Qhl8r6FLagYdHYa$UCH9yXCed4A.J9FQsFPYAOXImzZUMfvLa0lwcWOxWYLOF5sE/lF99auQ4jKvHY2vijxmefl7G6kMqZ8JPdhIJ/") + @pytest.mark.skipif(has_bcrypt == 0, reason="No bcrypt module installed") def test_htpasswd_bcrypt(self) -> None: self._test_htpasswd("bcrypt", "tmp:$2y$05$oD7hbiQFQlvCM7zoalo/T.MssV3V" "NTRI3w5KDnj8NTUKJNWfVpvRq") + @pytest.mark.skipif(has_bcrypt == 0, reason="No bcrypt module installed") def test_htpasswd_bcrypt_unicode(self) -> None: self._test_htpasswd("bcrypt", "😀:$2y$10$Oyz5aHV4MD9eQJbk6GPemOs4T6edK" "6U9Sqlzr.W1mMVCS8wJUftnW", "unicode") From f6b5cb8a1e79b7862b975541b1bc21342742f098 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 18 Feb 2025 06:14:59 +0100 Subject: [PATCH 131/254] make flake8 happy --- radicale/tests/test_auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/tests/test_auth.py b/radicale/tests/test_auth.py index 6745e665..6c356f97 100644 --- a/radicale/tests/test_auth.py +++ b/radicale/tests/test_auth.py @@ -44,7 +44,7 @@ class TestBaseAuthRequests(BaseTest): # test for available bcrypt module try: import bcrypt - except ImportError as e: + except ImportError: has_bcrypt = 0 else: has_bcrypt = 1 From 13a78d7365423f511e19c8d36b3805c93697cebc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 20 Feb 2025 21:12:58 +0100 Subject: [PATCH 132/254] relax mtime check --- radicale/storage/multifilesystem/__init__.py | 35 ++++++++++++-------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 3bf9202f..6412ec1a 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -95,15 +95,21 @@ class Storage( def _analyse_mtime(self): # calculate and display mtime resolution path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") + logger.debug("Storage item mtime resolution test with file: %r", path) try: with open(path, "w") as f: f.write("mtime_test") f.close except Exception as e: - logger.error("Storage item mtime resolution test not possible, cannot write file: %r (%s)", path, e) + logger.warning("Storage item mtime resolution test not possible, cannot write file: %r (%s)", path, e) raise # set mtime_ns for tests - os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) + try: + os.utime(path, times=None, ns=(MTIME_NS_TEST, MTIME_NS_TEST)) + except Exception as e: + logger.warning("Storage item mtime resolution test not possible, cannot set utime on file: %r (%s)", path, e) + os.remove(path) + raise logger.debug("Storage item mtime resoultion test set: %d" % MTIME_NS_TEST) mtime_ns = os.stat(path).st_mtime_ns logger.debug("Storage item mtime resoultion test get: %d" % mtime_ns) @@ -147,17 +153,20 @@ class Storage( logger.info("Storage cache subfolder usage for 'history': %s", self._use_cache_subfolder_for_history) logger.info("Storage cache subfolder usage for 'sync-token': %s", self._use_cache_subfolder_for_synctoken) logger.info("Storage cache use mtime and size for 'item': %s", self._use_mtime_and_size_for_item_cache) - (precision, precision_unit, unit) = self._analyse_mtime() - if precision >= 100000000: - # >= 100 ms - logger.warning("Storage item mtime resolution test result: %d %s (VERY RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) - elif precision >= 10000000: - # >= 10 ms - logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) - else: - logger.info("Storage item mtime resolution test result: %d %s" % (precision_unit, unit)) - if self._use_mtime_and_size_for_item_cache is False: - logger.info("Storage cache using mtime and size for 'item' may be an option in case of performance issues") + try: + (precision, precision_unit, unit) = self._analyse_mtime() + if precision >= 100000000: + # >= 100 ms + logger.warning("Storage item mtime resolution test result: %d %s (VERY RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) + elif precision >= 10000000: + # >= 10 ms + logger.warning("Storage item mtime resolution test result: %d %s (RISKY ON PRODUCTION SYSTEMS)" % (precision_unit, unit)) + else: + logger.info("Storage item mtime resolution test result: %d %s" % (precision_unit, unit)) + if self._use_mtime_and_size_for_item_cache is False: + logger.info("Storage cache using mtime and size for 'item' may be an option in case of performance issues") + except: + logger.warning("Storage item mtime resolution test result not successful") logger.debug("Storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: logger.info("Storage cache subfolder: %r", self._get_collection_cache_folder()) From 4ab1cedee38ebf57d38d52d702fa04c8b5b8f073 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 20 Feb 2025 21:13:43 +0100 Subject: [PATCH 133/254] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f9e2a473..23f73485 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ * Add: option [auth] type oauth2 by code migration from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/ * Fix: catch OS errors on PUT MKCOL MKCALENDAR MOVE PROPPATCH (insufficient storage, access denied, internal server error) * Test: skip bcrypt related tests if module is missing +* Improve: relax mtime check on storage filesystem ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From d5cb05f817923dd7f3507a54292b0af9b264a0a9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 20 Feb 2025 21:17:24 +0100 Subject: [PATCH 134/254] extend copyright --- radicale/storage/multifilesystem/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 6412ec1a..846f46b5 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -2,7 +2,7 @@ # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2021 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 18338b3c6e9fe8eb413eec660a979ae60fc873dc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 20 Feb 2025 21:17:34 +0100 Subject: [PATCH 135/254] flake8 fix --- radicale/storage/multifilesystem/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 846f46b5..1a933d14 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -165,7 +165,7 @@ class Storage( logger.info("Storage item mtime resolution test result: %d %s" % (precision_unit, unit)) if self._use_mtime_and_size_for_item_cache is False: logger.info("Storage cache using mtime and size for 'item' may be an option in case of performance issues") - except: + except Exception: logger.warning("Storage item mtime resolution test result not successful") logger.debug("Storage cache action logging: %s", self._debug_cache_actions) if self._use_cache_subfolder_for_item is True or self._use_cache_subfolder_for_history is True or self._use_cache_subfolder_for_synctoken is True: From 53251231d4ef4a1c3fa02a82eacf2271c4ae5af9 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 21 Feb 2025 07:41:01 +0100 Subject: [PATCH 136/254] change mtime test file location to collection-root --- radicale/storage/multifilesystem/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/storage/multifilesystem/__init__.py b/radicale/storage/multifilesystem/__init__.py index 1a933d14..c5b8d439 100644 --- a/radicale/storage/multifilesystem/__init__.py +++ b/radicale/storage/multifilesystem/__init__.py @@ -94,7 +94,7 @@ class Storage( def _analyse_mtime(self): # calculate and display mtime resolution - path = os.path.join(self._filesystem_folder, ".Radicale.mtime_test") + path = os.path.join(self._get_collection_root_folder(), ".Radicale.mtime_test") logger.debug("Storage item mtime resolution test with file: %r", path) try: with open(path, "w") as f: From c3c61c692e35de1d28a1b06fcc3b15282f9c908f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Fri, 21 Feb 2025 07:41:54 +0100 Subject: [PATCH 137/254] update changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 23f73485..97869621 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,7 +5,7 @@ * Add: option [auth] type oauth2 by code migration from https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/ * Fix: catch OS errors on PUT MKCOL MKCALENDAR MOVE PROPPATCH (insufficient storage, access denied, internal server error) * Test: skip bcrypt related tests if module is missing -* Improve: relax mtime check on storage filesystem +* Improve: relax mtime check on storage filesystem, change test file location to "collection-root" directory ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From 970d4ba4681067ec5a55e2397a95dd26b86d7704 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 16:22:18 +0100 Subject: [PATCH 138/254] add oauth2 to example --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index ba53ef3e..dfd8c4e2 100644 --- a/config +++ b/config @@ -59,7 +59,7 @@ [auth] # Authentication method -# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | denyall +# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | denyall #type = none # Cache logins for until expiration time From 9791a4db0f4105990e31274db5cdcccee9841894 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:48:31 +0100 Subject: [PATCH 139/254] pam: doc --- DOCUMENTATION.md | 4 ++ radicale/auth/pam.py | 93 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 97 insertions(+) create mode 100644 radicale/auth/pam.py diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index b9c4c572..8718c08f 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -829,6 +829,10 @@ Available backends: `oauth2` : Use an OAuth2 server to authenticate users. +`pam` +: Use local PAM to authenticate users. + + Default: `none` ##### cache_logins diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py new file mode 100644 index 00000000..25e66b19 --- /dev/null +++ b/radicale/auth/pam.py @@ -0,0 +1,93 @@ +# -*- coding: utf-8 -*- +# +# This file is part of Radicale Server - Calendar Server +# Copyright © 2011 Henry-Nicolas Tourneur +# +# This library is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Radicale. If not, see . + +""" +PAM authentication. + +Authentication based on the ``pam-python`` module. + +""" + +import grp +import pam +import pwd + +from .. import config, log + + +GROUP_MEMBERSHIP = config.get("auth", "pam_group_membership") + + +# Compatibility for old versions of python-pam. +if hasattr(pam, "pam"): + def pam_authenticate(*args, **kwargs): + return pam.pam().authenticate(*args, **kwargs) +else: + def pam_authenticate(*args, **kwargs): + return pam.authenticate(*args, **kwargs) + + +def is_authenticated(user, password): + """Check if ``user``/``password`` couple is valid.""" + if user is None or password is None: + return False + + # Check whether the user exists in the PAM system + try: + pwd.getpwnam(user).pw_uid + except KeyError: + log.LOGGER.debug("User %s not found" % user) + return False + else: + log.LOGGER.debug("User %s found" % user) + + # Check whether the group exists + try: + # Obtain supplementary groups + members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem + except KeyError: + log.LOGGER.debug( + "The PAM membership required group (%s) doesn't exist" % + GROUP_MEMBERSHIP) + return False + + # Check whether the user exists + try: + # Get user primary group + primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name + except KeyError: + log.LOGGER.debug("The PAM user (%s) doesn't exist" % user) + return False + + # Check whether the user belongs to the required group + # (primary or supplementary) + if primary_group == GROUP_MEMBERSHIP or user in members: + log.LOGGER.debug( + "The PAM user belongs to the required group (%s)" % + GROUP_MEMBERSHIP) + # Check the password + if pam_authenticate(user, password, service='radicale'): + return True + else: + log.LOGGER.debug("Wrong PAM password") + else: + log.LOGGER.debug( + "The PAM user doesn't belong to the required group (%s)" % + GROUP_MEMBERSHIP) + + return False From 6683775c81968043bcdd929c1773d229ffb3638f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:48:51 +0100 Subject: [PATCH 140/254] pam: doc --- DOCUMENTATION.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index 8718c08f..fb86db70 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -1032,6 +1032,18 @@ OAuth2 token endpoint URL Default: +##### pam_service + +PAM service + +Default: radicale + +##### pam_group_membership + +PAM group user should be member of + +Default: + ##### lc_username Сonvert username to lowercase, must be true for case-insensitive auth From 954ddea0062f111b2eb7b1faa0d747099b53612f Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:49:13 +0100 Subject: [PATCH 141/254] pam: config --- config | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config b/config index dfd8c4e2..2585c718 100644 --- a/config +++ b/config @@ -128,6 +128,12 @@ # OAuth2 token endpoint URL #oauth2_token_endpoint = +# PAM service +#pam_serivce = radicale + +# PAM group user should be member of +#pam_group_membership = + # Htpasswd filename #htpasswd_filename = /etc/radicale/users From 046d39b1bd87dbcb08617098eb36436f702de2a4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:49:36 +0100 Subject: [PATCH 142/254] pam: add support --- radicale/auth/__init__.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/__init__.py b/radicale/auth/__init__.py index e92272f8..62a7b34f 100644 --- a/radicale/auth/__init__.py +++ b/radicale/auth/__init__.py @@ -43,6 +43,7 @@ INTERNAL_TYPES: Sequence[str] = ("none", "remote_user", "http_x_remote_user", "ldap", "imap", "oauth2", + "pam", "dovecot") CACHE_LOGIN_TYPES: Sequence[str] = ( @@ -51,6 +52,7 @@ CACHE_LOGIN_TYPES: Sequence[str] = ( "htpasswd", "imap", "oauth2", + "pam", ) AUTH_SOCKET_FAMILY: Sequence[str] = ("AF_UNIX", "AF_INET", "AF_INET6") From c8f650bc2c5699ad2c3dc3e43363d1041db915ae Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:49:52 +0100 Subject: [PATCH 143/254] extend copyright --- radicale/auth/pam.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py index 25e66b19..3194cb59 100644 --- a/radicale/auth/pam.py +++ b/radicale/auth/pam.py @@ -2,6 +2,8 @@ # # This file is part of Radicale Server - Calendar Server # Copyright © 2011 Henry-Nicolas Tourneur +# Copyright © 2021-2021 Unrud +# Copyright © 2025-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 855e3743caaf389643a8c567abe35565ea199823 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:50:07 +0100 Subject: [PATCH 144/254] pam: merge+adjust module from v1 --- radicale/auth/pam.py | 134 +++++++++++++++++++++++-------------------- 1 file changed, 72 insertions(+), 62 deletions(-) diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py index 3194cb59..84cacb82 100644 --- a/radicale/auth/pam.py +++ b/radicale/auth/pam.py @@ -21,75 +21,85 @@ """ PAM authentication. -Authentication based on the ``pam-python`` module. +Authentication using the ``pam-python`` module. +Important: radicale user need access to /etc/shadow by e.g. + chgrp radicale /etc/shadow + chmod g+r """ import grp -import pam import pwd -from .. import config, log +from radicale import auth +from radicale.log import logger -GROUP_MEMBERSHIP = config.get("auth", "pam_group_membership") - - -# Compatibility for old versions of python-pam. -if hasattr(pam, "pam"): - def pam_authenticate(*args, **kwargs): - return pam.pam().authenticate(*args, **kwargs) -else: - def pam_authenticate(*args, **kwargs): - return pam.authenticate(*args, **kwargs) - - -def is_authenticated(user, password): - """Check if ``user``/``password`` couple is valid.""" - if user is None or password is None: - return False - - # Check whether the user exists in the PAM system - try: - pwd.getpwnam(user).pw_uid - except KeyError: - log.LOGGER.debug("User %s not found" % user) - return False - else: - log.LOGGER.debug("User %s found" % user) - - # Check whether the group exists - try: - # Obtain supplementary groups - members = grp.getgrnam(GROUP_MEMBERSHIP).gr_mem - except KeyError: - log.LOGGER.debug( - "The PAM membership required group (%s) doesn't exist" % - GROUP_MEMBERSHIP) - return False - - # Check whether the user exists - try: - # Get user primary group - primary_group = grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name - except KeyError: - log.LOGGER.debug("The PAM user (%s) doesn't exist" % user) - return False - - # Check whether the user belongs to the required group - # (primary or supplementary) - if primary_group == GROUP_MEMBERSHIP or user in members: - log.LOGGER.debug( - "The PAM user belongs to the required group (%s)" % - GROUP_MEMBERSHIP) - # Check the password - if pam_authenticate(user, password, service='radicale'): - return True +class Auth(auth.BaseAuth): + def __init__(self, configuration) -> None: + super().__init__(configuration) + try: + import pam + self.pam = pam + except ImportError as e: + raise RuntimeError("PAM authentication requires the Python pam module") from e + self._service = configuration.get("auth", "pam_service") + logger.info("auth.pam_service: %s" % self._service) + self._group_membership = configuration.get("auth", "pam_group_membership") + if (self._group_membership): + logger.info("auth.pam_group_membership: %s" % self._group_membership) else: - log.LOGGER.debug("Wrong PAM password") - else: - log.LOGGER.debug( - "The PAM user doesn't belong to the required group (%s)" % - GROUP_MEMBERSHIP) + logger.info("auth.pam_group_membership: (empty, nothing to check / INSECURE)") - return False + def pam_authenticate(self, *args, **kwargs): + return self.pam.authenticate(*args, **kwargs) + + def _login(self, login: str, password: str) -> str: + """Check if ``user``/``password`` couple is valid.""" + if login is None or password is None: + return "" + + # Check whether the user exists in the PAM system + try: + pwd.getpwnam(login).pw_uid + except KeyError: + logger.debug("PAM user not found: %r" % login) + return "" + else: + logger.debug("PAM user found: %r" % login) + + # Check whether the user has a primary group (mandatory) + try: + # Get user primary group + primary_group = grp.getgrgid(pwd.getpwnam(login).pw_gid).gr_name + logger.debug("PAM user %r has primary group: %r" % (login, primary_group)) + except KeyError: + logger.debug("PAM user has no primary group: %r" % login) + return "" + + # Obtain supplementary groups + members = [] + if (self._group_membership): + try: + members = grp.getgrnam(self._group_membership).gr_mem + except KeyError: + logger.debug( + "PAM membership required group doesn't exist: %r" % + self._group_membership) + return "" + + # Check whether the user belongs to the required group + # (primary or supplementary) + if (self._group_membership): + if (primary_group != self._group_membership) and (login not in members): + logger.warning("PAM user %r belongs not to the required group: %r" % (login, self._group_membership)) + return "" + else: + logger.debug("PAM user %r belongs to the required group: %r" % (login, self._group_membership)) + + # Check the password + if self.pam_authenticate(login, password, service=self._service): + return login + else: + logger.debug("PAM authentication not successful for user: %r (service %r)" % (login, self._service)) + return "" From 0759673e67ab0bd1f631f458cac15a5e4e308bb6 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:50:24 +0100 Subject: [PATCH 145/254] pam: config parser --- radicale/config.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/radicale/config.py b/radicale/config.py index 5f46022e..6a218160 100644 --- a/radicale/config.py +++ b/radicale/config.py @@ -311,6 +311,14 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([ "value": "", "help": "OAuth2 token endpoint URL", "type": str}), + ("pam_group_membership", { + "value": "", + "help": "PAM group user should be member of", + "type": str}), + ("pam_service", { + "value": "radicale", + "help": "PAM service", + "type": str}), ("strip_domain", { "value": "False", "help": "strip domain from username", From 7f3fedc048576afd2bdbc439d8ec9ca0bc0890e4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:50:42 +0100 Subject: [PATCH 146/254] log used python version --- radicale/utils.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radicale/utils.py b/radicale/utils.py index 097be3fb..a75e5089 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -18,6 +18,7 @@ # along with Radicale. If not, see . import ssl +import sys from importlib import import_module, metadata from typing import Callable, Sequence, Type, TypeVar, Union @@ -55,6 +56,7 @@ def package_version(name): def packages_version(): versions = [] + versions.append("python=%s.%s.%s" % (sys.version_info[0], sys.version_info[1], sys.version_info[2])) for pkg in RADICALE_MODULES: versions.append("%s=%s" % (pkg, package_version(pkg))) return " ".join(versions) From 6518f1b63aea24d8e0f0c7d6072930213dc639fa Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 17:51:06 +0100 Subject: [PATCH 147/254] pam: add to config selector --- config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config b/config index 2585c718..e367083c 100644 --- a/config +++ b/config @@ -59,7 +59,7 @@ [auth] # Authentication method -# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | denyall +# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | pam | denyall #type = none # Cache logins for until expiration time From 16ece44faf353822e867a27fdfd2a9ff629d37ff Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Sat, 22 Feb 2025 18:00:23 +0100 Subject: [PATCH 148/254] pam: extend changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 97869621..2c201fe4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * Fix: catch OS errors on PUT MKCOL MKCALENDAR MOVE PROPPATCH (insufficient storage, access denied, internal server error) * Test: skip bcrypt related tests if module is missing * Improve: relax mtime check on storage filesystem, change test file location to "collection-root" directory +* Add: option [auth] type pam by code migration from v1, add new option pam_serivce ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From 8218081f5882bd25814bb9d6ef85b2278b7adf1b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 25 Feb 2025 06:19:51 +0100 Subject: [PATCH 149/254] fix loglevel --- radicale/auth/pam.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/auth/pam.py b/radicale/auth/pam.py index 84cacb82..02727c85 100644 --- a/radicale/auth/pam.py +++ b/radicale/auth/pam.py @@ -49,7 +49,7 @@ class Auth(auth.BaseAuth): if (self._group_membership): logger.info("auth.pam_group_membership: %s" % self._group_membership) else: - logger.info("auth.pam_group_membership: (empty, nothing to check / INSECURE)") + logger.warning("auth.pam_group_membership: (empty, nothing to check / INSECURE)") def pam_authenticate(self, *args, **kwargs): return self.pam.authenticate(*args, **kwargs) From 50f5d2e5ef3fc1b40200eeec294b84d5ea22e6d2 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 25 Feb 2025 06:20:03 +0100 Subject: [PATCH 150/254] extend copyright --- radicale/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/utils.py b/radicale/utils.py index a75e5089..2d7210ac 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -2,7 +2,7 @@ # Copyright © 2014 Jean-Marc Martins # Copyright © 2012-2017 Guillaume Ayoub # Copyright © 2017-2018 Unrud -# Copyright © 2024-2024 Peter Bieringer +# Copyright © 2024-2025 Peter Bieringer # # This library is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From 9b671becebcb90fcb8eb2ffe4d5946526df9f669 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 25 Feb 2025 06:20:14 +0100 Subject: [PATCH 151/254] extend module list to display version on start --- radicale/utils.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/radicale/utils.py b/radicale/utils.py index 2d7210ac..87836a65 100644 --- a/radicale/utils.py +++ b/radicale/utils.py @@ -27,7 +27,13 @@ from radicale.log import logger _T_co = TypeVar("_T_co", covariant=True) -RADICALE_MODULES: Sequence[str] = ("radicale", "vobject", "passlib", "defusedxml") +RADICALE_MODULES: Sequence[str] = ("radicale", "vobject", "passlib", "defusedxml", + "dateutil", + "bcrypt", + "pika", + "ldap", + "ldap3", + "pam") def load_plugin(internal_types: Sequence[str], module_name: str, @@ -58,7 +64,13 @@ def packages_version(): versions = [] versions.append("python=%s.%s.%s" % (sys.version_info[0], sys.version_info[1], sys.version_info[2])) for pkg in RADICALE_MODULES: - versions.append("%s=%s" % (pkg, package_version(pkg))) + try: + versions.append("%s=%s" % (pkg, package_version(pkg))) + except Exception: + try: + versions.append("%s=%s" % (pkg, package_version("python-" + pkg))) + except Exception: + versions.append("%s=%s" % (pkg, "n/a")) return " ".join(versions) From 0b5dd82109e403783cad3ce35ca5d8d27adf6fab Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 25 Feb 2025 06:21:15 +0100 Subject: [PATCH 152/254] extend changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c201fe4..5b86d183 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ * Test: skip bcrypt related tests if module is missing * Improve: relax mtime check on storage filesystem, change test file location to "collection-root" directory * Add: option [auth] type pam by code migration from v1, add new option pam_serivce +* Cosmetics: extend list of used modules with their version on startup ## 3.4.1 * Add: option [auth] dovecot_connection_type / dovecot_host / dovecot_port From 29b1da465219add851ae2ac738e4e3a1ba7f31c5 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Tue, 25 Feb 2025 06:33:50 +0100 Subject: [PATCH 153/254] takeover hints from https://github.com/Kozea/Radicale/issues/1168 --- DOCUMENTATION.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/DOCUMENTATION.md b/DOCUMENTATION.md index fb86db70..b99b1d61 100644 --- a/DOCUMENTATION.md +++ b/DOCUMENTATION.md @@ -49,10 +49,8 @@ You want to try Radicale but only have 5 minutes free in your calendar? Let's go right now and play a bit with Radicale! When everything works, you can get a [client](#supported-clients) -and start creating calendars and address books. The server **only** binds to -localhost (is **not** reachable over the network) and you can log in with any -username and password. If Radicale fits your needs, it may be time for -[some basic configuration](#basic-configuration). +and start creating calendars and address books. By default, the server only binds to localhost (is not reachable over the network) +and you can log in with any user name and password. When everything works, you may get a local client and start creating calendars and address books. If Radicale fits your needs, it may be time for some [basic configuration](#basic-configuration) to support remote clients. Follow one of the chapters below depending on your operating system. From c2013ec901769250722b6911a0a764da7ccb8949 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 07:50:41 +0100 Subject: [PATCH 154/254] permit dot inside collection name, but not as first char, fixes https://github.com/Kozea/Radicale/issues/1632 --- radicale/web/internal_data/fn.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index af13ad0a..9b0bad3b 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -1348,8 +1348,10 @@ function cleanHREFinput(a) { href_form = a.target; } let currentTxtVal = href_form.value.trim().toLowerCase(); - //Clean the HREF to remove non lowercase letters and dashes - currentTxtVal = currentTxtVal.replace(/(?![0-9a-z\-\_])./g, ''); + //Clean the HREF to remove not permitted chars + currentTxtVal = currentTxtVal.replace(/(?![0-9a-z\-\_\.])./g, ''); + //Clean the HREF to remove leading . (would result in hidden directory) + currentTxtVal = currentTxtVal.replace(/^\./, ''); href_form.value = currentTxtVal; } From fcaee51ceb2714c33ea179064dacfd9a595e2fb4 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 08:09:05 +0100 Subject: [PATCH 155/254] remove double / for MKCOL --- radicale/web/internal_data/fn.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index 9b0bad3b..66d6f9bb 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -1213,7 +1213,7 @@ function CreateEditCollectionScene(user, password, collection) { alert("You must enter a valid HREF"); return false; } - href = collection.href + "/" + newhreftxtvalue + "/"; + href = collection.href + newhreftxtvalue + "/"; } displayname = displayname_form.value; description = description_form.value; From 3910457a8d0d35e2eba9f60166fa9be74fce58cc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 08:26:19 +0100 Subject: [PATCH 156/254] remove double / for PUT --- radicale/web/internal_data/fn.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index 66d6f9bb..61492a34 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -927,7 +927,7 @@ function UploadCollectionScene(user, password, collection) { if(files.length > 1 || href.length == 0){ href = random_uuid(); } - let upload_href = collection.href + "/" + href + "/"; + let upload_href = collection.href + href + "/"; upload_req = upload_collection(user, password, upload_href, file, function(result) { upload_req = null; results.push(result); From 7318f592c84cddf566f8efbd04d1f7531e53f9cc Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 08:32:26 +0100 Subject: [PATCH 157/254] use basename of uploaded file as default collection name, support https://github.com/Kozea/Radicale/issues/1633 --- radicale/web/internal_data/fn.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index 61492a34..a83a6edd 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -874,8 +874,7 @@ function UploadCollectionScene(user, password, collection) { upload_btn.onclick = upload_start; uploadfile_form.onchange = onfileschange; - let href = random_uuid(); - href_form.value = href; + href_form.value = ""; /** @type {?number} */ let scene_index = null; /** @type {?XMLHttpRequest} */ let upload_req = null; @@ -993,10 +992,12 @@ function UploadCollectionScene(user, password, collection) { hreflimitmsg_html.classList.remove("hidden"); href_form.classList.add("hidden"); href_label.classList.add("hidden"); + href_form.value = random_uuid(); // dummy, will be replaced on upload }else{ hreflimitmsg_html.classList.add("hidden"); href_form.classList.remove("hidden"); href_label.classList.remove("hidden"); + href_form.value = files[0].name.replace(/\.(ics|vcf)$/, ''); } return false; } From eb8dc61952f6db88e86ca05f273c007e32615e7b Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 19:40:11 +0100 Subject: [PATCH 158/254] extend copyright --- radicale/web/internal_data/fn.js | 1 + 1 file changed, 1 insertion(+) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index a83a6edd..2e30d1f6 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -2,6 +2,7 @@ * This file is part of Radicale Server - Calendar Server * Copyright © 2017-2024 Unrud * Copyright © 2023-2024 Matthew Hana + * Copyright © 2024-2025 Peter Bieringer * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by From 4419aa22854d07f49009ff2aef0ccd1b246bf995 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 19:40:24 +0100 Subject: [PATCH 159/254] display error --- radicale/web/internal_data/fn.js | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/radicale/web/internal_data/fn.js b/radicale/web/internal_data/fn.js index 2e30d1f6..745ea87d 100644 --- a/radicale/web/internal_data/fn.js +++ b/radicale/web/internal_data/fn.js @@ -1007,6 +1007,12 @@ function UploadCollectionScene(user, password, collection) { scene_index = scene_stack.length - 1; html_scene.classList.remove("hidden"); close_btn.onclick = onclose; + if(error){ + error_form.textContent = "Error: " + error; + error_form.classList.remove("hidden"); + }else{ + error_form.classList.add("hidden"); + } }; this.hide = function() { @@ -1319,6 +1325,12 @@ function CreateEditCollectionScene(user, password, collection) { fill_form(); submit_btn.onclick = onsubmit; cancel_btn.onclick = oncancel; + if(error){ + error_form.textContent = "Error: " + error; + error_form.classList.remove("hidden"); + }else{ + error_form.classList.add("hidden"); + } }; this.hide = function() { read_form(); From e3ae7b3ab546adf3e7b05ff3ecef911ad0bd854e Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 19:40:37 +0100 Subject: [PATCH 160/254] add copyright --- radicale/web/internal_data/index.html | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/radicale/web/internal_data/index.html b/radicale/web/internal_data/index.html index 7806765f..db241238 100644 --- a/radicale/web/internal_data/index.html +++ b/radicale/web/internal_data/index.html @@ -1,4 +1,10 @@ + From 78b94b1d4d64c11b7bbea10c523c4a53cb37cac8 Mon Sep 17 00:00:00 2001 From: Peter Bieringer Date: Thu, 27 Feb 2025 19:40:49 +0100 Subject: [PATCH 161/254] add html to display error --- radicale/web/internal_data/index.html | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/radicale/web/internal_data/index.html b/radicale/web/internal_data/index.html index db241238..9ac96795 100644 --- a/radicale/web/internal_data/index.html +++ b/radicale/web/internal_data/index.html @@ -122,6 +122,8 @@ + +