nikdoof/rustical
1
1
Fork 0
mirror of https://github.com/lennart-k/rustical.git synced 2025-12-14 07:02:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improvement to access control

Browse Source
This commit is contained in:
Lennart
2024-10-31 21:18:41 +01:00
parent c484a17911
commit 0c14f8ba90
24 changed files with 394 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
crates/caldav/src/calendar/methods/report/calendar_multiget.rs
View File

@@ -16,7 +16,7 @@ use rustical_dav::{
MultistatusElement,
},
};
use rustical_store::{CalendarObject, CalendarStore};
use rustical_store::{auth::User, CalendarObject, CalendarStore};
use serde::Deserialize;
#[derive(Deserialize, Clone, Debug)]
@@ -65,6 +65,7 @@ pub async fn get_objects_calendar_multiget<C: CalendarStore + ?Sized>(
pub async fn handle_calendar_multiget<C: CalendarStore + ?Sized>(
cal_multiget: CalendarMultigetRequest,
req: HttpRequest,
user: &User,
principal: &str,
cal_id: &str,
cal_store: &C,
@@ -88,11 +89,13 @@ pub async fn handle_calendar_multiget<C: CalendarStore + ?Sized>(
let mut responses = Vec::new();
for object in objects {
let path = format!("{}/{}", req.path(), object.get_id());
responses.push(CalendarObjectResource::from(object).propfind(
&path,
props.clone(),
req.resource_map(),
)?);
responses.push(
CalendarObjectResource {
object,
principal: principal.to_owned(),
}
.propfind(&path, props.clone(), user, req.resource_map())?,
);
}
let not_found_responses = not_found

15
crates/caldav/src/calendar/methods/report/calendar_query.rs
View File

@@ -5,7 +5,7 @@ use rustical_dav::{
resource::Resource,
xml::{multistatus::PropstatWrapper, MultistatusElement},
};
use rustical_store::{CalendarObject, CalendarStore};
use rustical_store::{auth::User, CalendarObject, CalendarStore};
use serde::Deserialize;
use crate::{
@@ -206,6 +206,7 @@ pub async fn get_objects_calendar_query<C: CalendarStore + ?Sized>(
pub async fn handle_calendar_query<C: CalendarStore + ?Sized>(
cal_query: CalendarQueryRequest,
req: HttpRequest,
user: &User,
principal: &str,
cal_id: &str,
cal_store: &C,
@@ -230,11 +231,13 @@ pub async fn handle_calendar_query<C: CalendarStore + ?Sized>(
vec![principal, cal_id, object.get_id()],
)
.unwrap();
responses.push(CalendarObjectResource::from(object).propfind(
&path,
props.clone(),
req.resource_map(),
)?);
responses.push(
CalendarObjectResource {
object,
principal: principal.to_owned(),
}
.propfind(&path, props.clone(), user, req.resource_map())?,
);
}
Ok(MultistatusElement {

22
crates/caldav/src/calendar/methods/report/mod.rs
View File

@@ -47,16 +47,32 @@ pub async fn route_report_calendar<C: CalendarStore + ?Sized>(
Ok(match request.clone() {
ReportRequest::CalendarQuery(cal_query) => {
handle_calendar_query(cal_query, req, &principal, &cal_id, cal_store.as_ref()).await?
handle_calendar_query(
cal_query,
req,
&user,
&principal,
&cal_id,
cal_store.as_ref(),
)
.await?
}
ReportRequest::CalendarMultiget(cal_multiget) => {
handle_calendar_multiget(cal_multiget, req, &principal, &cal_id, cal_store.as_ref())
.await?
handle_calendar_multiget(
cal_multiget,
req,
&user,
&principal,
&cal_id,
cal_store.as_ref(),
)
.await?
}
ReportRequest::SyncCollection(sync_collection) => {
handle_sync_collection(
sync_collection,
req,
&user,
&principal,
&cal_id,
cal_store.as_ref(),

14
crates/caldav/src/calendar/methods/report/sync_collection.rs
View File

@@ -8,6 +8,7 @@ use rustical_dav::{
},
};
use rustical_store::{
auth::User,
synctoken::{format_synctoken, parse_synctoken},
CalendarStore,
};
@@ -44,6 +45,7 @@ pub struct SyncCollectionRequest {
pub async fn handle_sync_collection<C: CalendarStore + ?Sized>(
sync_collection: SyncCollectionRequest,
req: HttpRequest,
user: &User,
principal: &str,
cal_id: &str,
cal_store: &C,
@@ -71,11 +73,13 @@ pub async fn handle_sync_collection<C: CalendarStore + ?Sized>(
vec![principal, cal_id, &object.get_id()],
)
.unwrap();
responses.push(CalendarObjectResource::from(object).propfind(
&path,
props.clone(),
req.resource_map(),
)?);
responses.push(
CalendarObjectResource {
object,
principal: principal.to_owned(),
}
.propfind(&path, props.clone(), user, req.resource_map())?,
);
}
for object_id in deleted_objects {

49
crates/caldav/src/calendar/prop.rs
View File

@@ -47,55 +47,6 @@ pub struct Resourcetype {
collection: (),
}
#[derive(Debug, Clone, Deserialize, Serialize)]
#[serde(rename_all = "kebab-case")]
pub enum UserPrivilege {
Read,
ReadAcl,
Write,
WriteAcl,
WriteContent,
ReadCurrentUserPrivilegeSet,
Bind,
Unbind,
}
#[derive(Debug, Clone, Deserialize, Serialize)]
#[serde(rename_all = "kebab-case")]
pub struct UserPrivilegeWrapper {
#[serde(rename = "$value")]
privilege: UserPrivilege,
}
impl From<UserPrivilege> for UserPrivilegeWrapper {
fn from(value: UserPrivilege) -> Self {
Self { privilege: value }
}
}
#[derive(Debug, Clone, Deserialize, Serialize)]
#[serde(rename_all = "kebab-case")]
pub struct UserPrivilegeSet {
privilege: Vec<UserPrivilegeWrapper>,
}
impl Default for UserPrivilegeSet {
fn default() -> Self {
Self {
privilege: vec![
UserPrivilege::Read.into(),
UserPrivilege::ReadAcl.into(),
UserPrivilege::Write.into(),
UserPrivilege::WriteAcl.into(),
UserPrivilege::WriteContent.into(),
UserPrivilege::ReadCurrentUserPrivilegeSet.into(),
UserPrivilege::Bind.into(),
UserPrivilege::Unbind.into(),
],
}
}
}
#[derive(Debug, Clone, Deserialize, Serialize)]
#[serde(rename_all = "kebab-case")]
pub enum ReportMethod {

32
crates/caldav/src/calendar/resource.rs
View File

@@ -2,7 +2,7 @@ use super::methods::mkcalendar::route_mkcalendar;
use super::methods::report::route_report_calendar;
use super::prop::{
Resourcetype, SupportedCalendarComponent, SupportedCalendarComponentSet, SupportedCalendarData,
SupportedReportSet, UserPrivilegeSet,
SupportedReportSet,
};
use crate::calendar_object::resource::CalendarObjectResource;
use crate::principal::PrincipalResource;
@@ -13,6 +13,7 @@ use actix_web::web;
use actix_web::{web::Data, HttpRequest};
use async_trait::async_trait;
use derive_more::derive::{From, Into};
use rustical_dav::privileges::UserPrivilegeSet;
use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
use rustical_dav::xml::HrefElement;
use rustical_store::auth::User;
@@ -43,7 +44,7 @@ pub enum CalendarPropName {
SupportedCalendarComponentSet,
SupportedCalendarData,
Getcontenttype,
CurrentUserPrivilegeSet,
// CurrentUserPrivilegeSet,
MaxResourceSize,
SupportedReportSet,
SyncToken,
@@ -63,7 +64,7 @@ pub enum CalendarProp {
// WebDAV Access Control (RFC 3744)
Owner(HrefElement),
CurrentUserPrivilegeSet(UserPrivilegeSet),
// CurrentUserPrivilegeSet(UserPrivilegeSet),
// CalDAV (RFC 4791)
#[serde(rename = "IC:calendar-color", alias = "calendar-color")]
@@ -113,6 +114,7 @@ impl Resource for CalendarResource {
fn get_prop(
&self,
rmap: &ResourceMap,
user: &User,
prop: Self::PropName,
) -> Result<Self::Prop, Self::Error> {
Ok(match prop {
@@ -156,9 +158,9 @@ impl Resource for CalendarResource {
CalendarProp::Getcontenttype("text/calendar;charset=utf-8".to_owned())
}
CalendarPropName::MaxResourceSize => CalendarProp::MaxResourceSize(10000000),
CalendarPropName::CurrentUserPrivilegeSet => {
CalendarProp::CurrentUserPrivilegeSet(UserPrivilegeSet::default())
}
// CalendarPropName::CurrentUserPrivilegeSet => {
// CalendarProp::CurrentUserPrivilegeSet(user_privileges.to_owned())
// }
CalendarPropName::SupportedReportSet => {
CalendarProp::SupportedReportSet(SupportedReportSet::default())
}
@@ -198,7 +200,7 @@ impl Resource for CalendarResource {
CalendarProp::SupportedCalendarData(_) => Err(rustical_dav::Error::PropReadOnly),
CalendarProp::Getcontenttype(_) => Err(rustical_dav::Error::PropReadOnly),
CalendarProp::MaxResourceSize(_) => Err(rustical_dav::Error::PropReadOnly),
CalendarProp::CurrentUserPrivilegeSet(_) => Err(rustical_dav::Error::PropReadOnly),
// CalendarProp::CurrentUserPrivilegeSet(_) => Err(rustical_dav::Error::PropReadOnly),
CalendarProp::SupportedReportSet(_) => Err(rustical_dav::Error::PropReadOnly),
CalendarProp::SyncToken(_) => Err(rustical_dav::Error::PropReadOnly),
CalendarProp::Getctag(_) => Err(rustical_dav::Error::PropReadOnly),
@@ -237,7 +239,7 @@ impl Resource for CalendarResource {
CalendarPropName::SupportedCalendarData => Err(rustical_dav::Error::PropReadOnly),
CalendarPropName::Getcontenttype => Err(rustical_dav::Error::PropReadOnly),
CalendarPropName::MaxResourceSize => Err(rustical_dav::Error::PropReadOnly),
CalendarPropName::CurrentUserPrivilegeSet => Err(rustical_dav::Error::PropReadOnly),
// CalendarPropName::CurrentUserPrivilegeSet => Err(rustical_dav::Error::PropReadOnly),
CalendarPropName::SupportedReportSet => Err(rustical_dav::Error::PropReadOnly),
CalendarPropName::SyncToken => Err(rustical_dav::Error::PropReadOnly),
CalendarPropName::Getctag => Err(rustical_dav::Error::PropReadOnly),
@@ -248,6 +250,10 @@ impl Resource for CalendarResource {
fn resource_name() -> &'static str {
"caldav_calendar"
}
fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
Ok(UserPrivilegeSet::owner_only(self.0.principal == user.id))
}
}
#[async_trait(?Send)]
@@ -257,10 +263,7 @@ impl<C: CalendarStore + ?Sized> ResourceService for CalendarResourceService<C> {
type Resource = CalendarResource;
type Error = Error;
async fn get_resource(&self, user: User) -> Result<Self::Resource, Error> {
if self.principal != user.id {
return Err(Error::Unauthorized);
}
async fn get_resource(&self) -> Result<Self::Resource, Error> {
let calendar = self
.cal_store
.get_calendar(&self.principal, &self.calendar_id)
@@ -285,7 +288,10 @@ impl<C: CalendarStore + ?Sized> ResourceService for CalendarResourceService<C> {
vec![&self.principal, &self.calendar_id, object.get_id()],
)
.unwrap(),
object.into(),
CalendarObjectResource {
object,
principal: self.principal.to_owned(),
},
)
})
.collect())

57
crates/caldav/src/calendar_object/resource.rs
View File

@@ -1,9 +1,13 @@
use super::methods::{get_event, put_event};
use crate::Error;
use crate::{principal::PrincipalResource, Error};
use actix_web::{dev::ResourceMap, web::Data, HttpRequest};
use async_trait::async_trait;
use derive_more::derive::{From, Into};
use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
use rustical_dav::{
privileges::UserPrivilegeSet,
resource::{InvalidProperty, Resource, ResourceService},
xml::HrefElement,
};
use rustical_store::{auth::User, CalendarObject, CalendarStore};
use serde::{Deserialize, Serialize};
use std::sync::Arc;
@@ -23,6 +27,9 @@ pub enum CalendarObjectPropName {
Getetag,
CalendarData,
Getcontenttype,
CurrentUserPrincipal,
Owner,
CurrentUserPrivilegeSet,
}
#[derive(Deserialize, Serialize, Debug, Clone)]
@@ -35,6 +42,13 @@ pub enum CalendarObjectProp {
// CalDAV (RFC 4791)
#[serde(rename = "C:calendar-data")]
CalendarData(String),
// WebDAV Current Principal Extension (RFC 5397)
CurrentUserPrincipal(HrefElement),
// WebDAV Access Control (RFC 3744)
Owner(HrefElement),
CurrentUserPrivilegeSet(UserPrivilegeSet),
#[serde(other)]
Invalid,
}
@@ -46,7 +60,10 @@ impl InvalidProperty for CalendarObjectProp {
}
#[derive(Clone, From, Into)]
pub struct CalendarObjectResource(CalendarObject);
pub struct CalendarObjectResource {
pub object: CalendarObject,
pub principal: String,
}
impl Resource for CalendarObjectResource {
type PropName = CalendarObjectPropName;
@@ -55,17 +72,29 @@ impl Resource for CalendarObjectResource {
fn get_prop(
&self,
_rmap: &ResourceMap,
rmap: &ResourceMap,
user: &User,
prop: Self::PropName,
) -> Result<Self::Prop, Self::Error> {
Ok(match prop {
CalendarObjectPropName::Getetag => CalendarObjectProp::Getetag(self.0.get_etag()),
CalendarObjectPropName::Getetag => CalendarObjectProp::Getetag(self.object.get_etag()),
CalendarObjectPropName::CalendarData => {
CalendarObjectProp::CalendarData(self.0.get_ics().to_owned())
CalendarObjectProp::CalendarData(self.object.get_ics().to_owned())
}
CalendarObjectPropName::Getcontenttype => {
CalendarObjectProp::Getcontenttype("text/calendar;charset=utf-8".to_owned())
}
CalendarObjectPropName::CurrentUserPrincipal => {
CalendarObjectProp::CurrentUserPrincipal(HrefElement::new(
PrincipalResource::get_principal_url(rmap, &user.id),
))
}
CalendarObjectPropName::Owner => CalendarObjectProp::Owner(
PrincipalResource::get_principal_url(rmap, &self.principal).into(),
),
CalendarObjectPropName::CurrentUserPrivilegeSet => {
CalendarObjectProp::CurrentUserPrivilegeSet(self.get_user_privileges(&user)?)
}
})
}
@@ -73,6 +102,10 @@ impl Resource for CalendarObjectResource {
fn resource_name() -> &'static str {
"caldav_calendar_object"
}
fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
}
}
#[derive(Debug, Clone)]
@@ -132,15 +165,15 @@ impl<C: CalendarStore + ?Sized> ResourceService for CalendarObjectResourceServic
})
}
async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error> {
if self.principal != user.id {
return Err(Error::Unauthorized);
}
let event = self
async fn get_resource(&self) -> Result<Self::Resource, Self::Error> {
let object = self
.cal_store
.get_object(&self.principal, &self.cal_id, &self.object_id)
.await?;
Ok(event.into())
Ok(CalendarObjectResource {
object,
principal: self.principal.to_owned(),
})
}
async fn save_resource(&self, _file: Self::Resource) -> Result<(), Self::Error> {

29
crates/caldav/src/principal/mod.rs
View File

@@ -4,6 +4,7 @@ use actix_web::dev::ResourceMap;
use actix_web::web::Data;
use actix_web::HttpRequest;
use async_trait::async_trait;
use rustical_dav::privileges::UserPrivilegeSet;
use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
use rustical_dav::xml::HrefElement;
use rustical_store::auth::User;
@@ -42,6 +43,10 @@ pub enum PrincipalProp {
// WebDAV Current Principal Extension (RFC 5397)
CurrentUserPrincipal(HrefElement),
// WebDAV Access Control (RFC 3744)
Owner(HrefElement),
CurrentUserPrivilegeSet(UserPrivilegeSet),
// CalDAV (RFC 4791)
#[serde(rename = "C:calendar-home-set")]
CalendarHomeSet(HrefElement),
@@ -63,12 +68,20 @@ impl InvalidProperty for PrincipalProp {
pub enum PrincipalPropName {
Resourcetype,
CurrentUserPrincipal,
Owner,
CurrentUserPrivilegeSet,
#[strum(serialize = "principal-URL")]
PrincipalUrl,
CalendarHomeSet,
CalendarUserAddressSet,
}
impl PrincipalResource {
pub fn get_principal_url(rmap: &ResourceMap, principal: &str) -> String {
Self::get_url(rmap, vec![principal]).unwrap()
}
}
impl Resource for PrincipalResource {
type PropName = PrincipalPropName;
type Prop = PrincipalProp;
@@ -77,6 +90,7 @@ impl Resource for PrincipalResource {
fn get_prop(
&self,
rmap: &ResourceMap,
user: &User,
prop: Self::PropName,
) -> Result<Self::Prop, Self::Error> {
let principal_href = HrefElement::new(Self::get_url(rmap, vec![&self.principal]).unwrap());
@@ -86,6 +100,12 @@ impl Resource for PrincipalResource {
PrincipalPropName::CurrentUserPrincipal => {
PrincipalProp::CurrentUserPrincipal(principal_href)
}
PrincipalPropName::Owner => PrincipalProp::Owner(HrefElement::new(
PrincipalResource::get_url(rmap, vec![&self.principal]).unwrap(),
)),
PrincipalPropName::CurrentUserPrivilegeSet => {
PrincipalProp::CurrentUserPrivilegeSet(self.get_user_privileges(user)?)
}
PrincipalPropName::PrincipalUrl => PrincipalProp::PrincipalUrl(principal_href),
PrincipalPropName::CalendarHomeSet => PrincipalProp::CalendarHomeSet(principal_href),
PrincipalPropName::CalendarUserAddressSet => {
@@ -98,6 +118,10 @@ impl Resource for PrincipalResource {
fn resource_name() -> &'static str {
"caldav_principal"
}
fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error> {
Ok(UserPrivilegeSet::owner_only(self.principal == user.id))
}
}
#[async_trait(?Send)]
@@ -123,10 +147,7 @@ impl<C: CalendarStore + ?Sized> ResourceService for PrincipalResourceService<C>
})
}
async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error> {
if self.principal != user.id {
return Err(Error::Unauthorized);
}
async fn get_resource(&self) -> Result<Self::Resource, Self::Error> {
Ok(PrincipalResource {
principal: self.principal.to_owned(),
})

25
crates/caldav/src/root/mod.rs
View File

@@ -3,6 +3,7 @@ use crate::Error;
use actix_web::dev::ResourceMap;
use actix_web::HttpRequest;
use async_trait::async_trait;
use rustical_dav::privileges::UserPrivilegeSet;
use rustical_dav::resource::{InvalidProperty, Resource, ResourceService};
use rustical_dav::xml::HrefElement;
use rustical_store::auth::User;
@@ -13,8 +14,8 @@ use strum::{EnumString, VariantNames};
#[strum(serialize_all = "kebab-case")]
pub enum RootPropName {
Resourcetype,
// Defined by RFC 5397
CurrentUserPrincipal,
CurrentUserPrivilegeSet,
}
#[derive(Deserialize, Serialize, Default, Debug)]
@@ -31,6 +32,10 @@ pub enum RootProp {
// WebDAV Current Principal Extension (RFC 5397)
CurrentUserPrincipal(HrefElement),
// WebDAV Access Control Protocol (RFC 3477)
CurrentUserPrivilegeSet(UserPrivilegeSet),
#[serde(other)]
Invalid,
}
@@ -42,9 +47,7 @@ impl InvalidProperty for RootProp {
}
#[derive(Clone)]
pub struct RootResource {
principal: String,
}
pub struct RootResource;
impl Resource for RootResource {
type PropName = RootPropName;
@@ -54,13 +57,17 @@ impl Resource for RootResource {
fn get_prop(
&self,
rmap: &ResourceMap,
user: &User,
prop: Self::PropName,
) -> Result<Self::Prop, Self::Error> {
Ok(match prop {
RootPropName::Resourcetype => RootProp::Resourcetype(Resourcetype::default()),
RootPropName::CurrentUserPrincipal => RootProp::CurrentUserPrincipal(HrefElement::new(
PrincipalResource::get_url(rmap, vec![&self.principal]).unwrap(),
PrincipalResource::get_url(rmap, vec![&user.id]).unwrap(),
)),
RootPropName::CurrentUserPrivilegeSet => {
RootProp::CurrentUserPrivilegeSet(self.get_user_privileges(user)?)
}
})
}
@@ -68,6 +75,10 @@ impl Resource for RootResource {
fn resource_name() -> &'static str {
"caldav_root"
}
fn get_user_privileges(&self, _user: &User) -> Result<UserPrivilegeSet, Self::Error> {
Ok(UserPrivilegeSet::all())
}
}
pub struct RootResourceService;
@@ -86,8 +97,8 @@ impl ResourceService for RootResourceService {
Ok(Self)
}
async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error> {
Ok(RootResource { principal: user.id })
async fn get_resource(&self) -> Result<Self::Resource, Self::Error> {
Ok(RootResource)
}
async fn save_resource(&self, _file: Self::Resource) -> Result<(), Self::Error> {