nikdoof/rustical
1
1
Fork 0
mirror of https://github.com/lennart-k/rustical.git synced 2025-12-14 07:02:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improvement to access control

Browse Source
This commit is contained in:
Lennart
2024-10-31 21:18:41 +01:00
parent c484a17911
commit 0c14f8ba90
24 changed files with 394 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
crates/dav/src/lib.rs
View File

@@ -2,6 +2,7 @@ pub mod depth_header;
pub mod error;
pub mod methods;
pub mod namespace;
pub mod privileges;
pub mod resource;
pub mod xml;

12
crates/dav/src/methods/delete.rs
View File

@@ -1,4 +1,7 @@
use crate::privileges::UserPrivilege;
use crate::resource::Resource;
use crate::resource::ResourceService;
use crate::Error;
use actix_web::web::Path;
use actix_web::HttpRequest;
use actix_web::HttpResponse;
@@ -8,7 +11,7 @@ use rustical_store::auth::User;
pub async fn route_delete<R: ResourceService>(
path_components: Path<R::PathComponents>,
req: HttpRequest,
_user: User,
user: User,
) -> Result<impl Responder, R::Error> {
let path_components = path_components.into_inner();
@@ -19,6 +22,13 @@ pub async fn route_delete<R: ResourceService>(
.unwrap_or(false);
let resource_service = R::new(&req, path_components.clone()).await?;
let resource = resource_service.get_resource().await?;
let privileges = resource.get_user_privileges(&user)?;
if !privileges.has(&UserPrivilege::Write) {
// TODO: Actually the spec wants us to look whether we have unbind access in the parent
// collection
return Err(Error::Unauthorized.into());
}
resource_service.delete_resource(!no_trash).await?;
Ok(HttpResponse::Ok().body(""))

17
crates/dav/src/methods/propfind.rs
View File

@@ -1,4 +1,5 @@
use crate::depth_header::Depth;
use crate::privileges::UserPrivilege;
use crate::resource::Resource;
use crate::resource::ResourceService;
use crate::xml::multistatus::PropstatWrapper;
@@ -52,6 +53,12 @@ pub async fn route_propfind<R: ResourceService>(
> {
let resource_service = R::new(&req, path_components.into_inner()).await?;
let resource = resource_service.get_resource().await?;
let privileges = resource.get_user_privileges(&user)?;
if !privileges.has(&UserPrivilege::Read) {
return Err(Error::Unauthorized.into());
}
// A request body is optional. If empty we MUST return all props
let propfind: PropfindElement = if !body.is_empty() {
quick_xml::de::from_str(&body).map_err(Error::XmlDeserializationError)?
@@ -75,12 +82,16 @@ pub async fn route_propfind<R: ResourceService>(
let mut member_responses = Vec::new();
if depth != Depth::Zero {
for (path, member) in resource_service.get_members(req.resource_map()).await? {
member_responses.push(member.propfind(&path, props.clone(), req.resource_map())?);
member_responses.push(member.propfind(
&path,
props.clone(),
&user,
req.resource_map(),
)?);
}
}
let resource = resource_service.get_resource(user).await?;
let response = resource.propfind(req.path(), props, req.resource_map())?;
let response = resource.propfind(req.path(), props, &user, req.resource_map())?;
Ok(MultistatusElement {
responses: vec![response],

7
crates/dav/src/methods/proppatch.rs
View File

@@ -1,3 +1,4 @@
use crate::privileges::UserPrivilege;
use crate::resource::InvalidProperty;
use crate::resource::Resource;
use crate::resource::ResourceService;
@@ -76,7 +77,11 @@ pub async fn route_proppatch<R: ResourceService>(
})
.collect();
let mut resource = resource_service.get_resource(user).await?;
let mut resource = resource_service.get_resource().await?;
let privileges = resource.get_user_privileges(&user)?;
if !privileges.has(&UserPrivilege::Write) {
return Err(Error::Unauthorized.into());
}
let mut props_ok = Vec::new();
let mut props_conflict = Vec::new();

78
crates/dav/src/privileges.rs Normal file
View File

@@ -0,0 +1,78 @@
use serde::{Deserialize, Serialize};
use std::collections::HashSet;
#[derive(Debug, Clone, Serialize, Deserialize, Eq, Hash, PartialEq)]
#[serde(rename_all = "kebab-case")]
pub enum UserPrivilege {
Read,
Write,
WriteProperties,
WriteContent,
ReadAcl,
ReadCurrentUserPrivilegeSet,
WriteAcl,
All,
}
impl Serialize for UserPrivilegeSet {
fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where
S: serde::Serializer,
{
#[derive(Serialize)]
#[serde(rename_all = "kebab-case")]
pub struct UserPrivilegeWrapper<'a> {
#[serde(rename = "$value")]
privilege: &'a UserPrivilege,
}
#[derive(Serialize)]
#[serde(rename_all = "kebab-case")]
pub struct FakeUserPrivilegeSet<'a> {
#[serde(rename = "privilege")]
privileges: Vec<UserPrivilegeWrapper<'a>>,
}
FakeUserPrivilegeSet {
privileges: self
.privileges
.iter()
.map(|privilege| UserPrivilegeWrapper { privilege })
.collect(),
}
.serialize(serializer)
}
}
// TODO: implement Deserialize once we need it
#[derive(Debug, Clone, Deserialize, Default)]
#[serde(rename_all = "kebab-case")]
pub struct UserPrivilegeSet {
privileges: HashSet<UserPrivilege>,
}
impl UserPrivilegeSet {
pub fn has(&self, privilege: &UserPrivilege) -> bool {
self.privileges.contains(privilege) || self.privileges.contains(&UserPrivilege::All)
}
pub fn all() -> Self {
Self {
privileges: HashSet::from([UserPrivilege::All]),
}
}
pub fn owner_only(is_owner: bool) -> Self {
if is_owner {
Self::all()
} else {
Self::default()
}
}
}
impl<const N: usize> From<[UserPrivilege; N]> for UserPrivilegeSet {
fn from(privileges: [UserPrivilege; N]) -> Self {
Self {
privileges: HashSet::from(privileges),
}
}
}

16
crates/dav/src/resource.rs
View File

@@ -1,4 +1,5 @@
use crate::methods::{route_delete, route_propfind, route_proppatch};
use crate::privileges::UserPrivilegeSet;
use crate::xml::multistatus::{PropTagWrapper, PropstatElement, PropstatWrapper};
use crate::xml::{multistatus::ResponseElement, TagList};
use crate::Error;
@@ -25,8 +26,12 @@ pub trait Resource: Clone {
Self::PropName::VARIANTS
}
fn get_prop(&self, rmap: &ResourceMap, prop: Self::PropName)
-> Result<Self::Prop, Self::Error>;
fn get_prop(
&self,
rmap: &ResourceMap,
user: &User,
prop: Self::PropName,
) -> Result<Self::Prop, Self::Error>;
fn set_prop(&mut self, _prop: Self::Prop) -> Result<(), crate::Error> {
Err(crate::Error::PropReadOnly)
@@ -53,10 +58,13 @@ pub trait Resource: Clone {
.to_owned())
}
fn get_user_privileges(&self, user: &User) -> Result<UserPrivilegeSet, Self::Error>;
fn propfind(
&self,
path: &str,
mut props: Vec<&str>,
user: &User,
rmap: &ResourceMap,
) -> Result<ResponseElement<PropstatWrapper<Self::Prop>>, Self::Error> {
if props.contains(&"propname") {
@@ -104,7 +112,7 @@ pub trait Resource: Clone {
let prop_responses = valid_props
.into_iter()
.map(|prop| self.get_prop(rmap, prop))
.map(|prop| self.get_prop(rmap, user, prop))
.collect::<Result<Vec<Self::Prop>, Self::Error>>()?;
let mut propstats = vec![PropstatWrapper::Normal(PropstatElement {
@@ -154,7 +162,7 @@ pub trait ResourceService: Sized + 'static {
Ok(vec![])
}
async fn get_resource(&self, user: User) -> Result<Self::Resource, Self::Error>;
async fn get_resource(&self) -> Result<Self::Resource, Self::Error>;
async fn save_resource(&self, file: Self::Resource) -> Result<(), Self::Error>;
async fn delete_resource(&self, _use_trashbin: bool) -> Result<(), Self::Error> {
Err(crate::Error::Unauthorized.into())

3
crates/dav/src/xml/mod.rs
View File

@@ -2,13 +2,14 @@ pub mod multistatus;
pub mod tag_list;
pub mod tag_name;
use derive_more::derive::From;
pub use multistatus::MultistatusElement;
pub use tag_list::TagList;
pub use tag_name::TagName;
use serde::{Deserialize, Serialize};
#[derive(Debug, Clone, Deserialize, Serialize)]
#[derive(Debug, Clone, Deserialize, Serialize, From)]
pub struct HrefElement {
pub href: String,
}