Merge pull request #1559 from pbiering/fixes-3.2.2

Fixes for 3.2.2

CHANGELOG.md

@@ -8,6 +8,7 @@
 * Enhancement: Added 'max_freebusy_occurrences` setting to avoid potential DOS on reports
 * Enhancement: remove unexpected control codes from uploaded items
 * Enhancement: add 'strip_domain' setting for username handling
+* Enhancement: add option to toggle debug log of rights rule with doesn't match
 * Drop: remove unused requirement "typeguard"
 * Improve: Refactored some date parsing code
 

DOCUMENTATION.md

@@ -978,6 +978,12 @@ Log response on level=debug
 
 Default: `False`
 
+##### rights_rule_doesnt_match_on_debug = True
+
+Log rights rule which doesn't match on level=debug
+
+Default: `False`
+
 #### headers
 
 In this section additional HTTP headers that are sent to clients can be

config

@@ -158,6 +158,8 @@
 # Log response content on level=debug
 #response_content_on_debug = False
 
+# Log rights rule which doesn't match on level=debug
+#rights_rule_doesnt_match_on_debug = False
 
 [headers]
 
@@ -177,4 +179,4 @@
 
 # When returning a free-busy report, limit the number of returned
 # occurences per event to prevent DOS attacks.
-#max_freebusy_occurrence = 10000
+#max_freebusy_occurrence = 10000

contrib/apache/radicale.conf

@@ -57,13 +57,15 @@
 		Require all granted
 		</IfDefine>
 
-		## You may want to use apache's authentication (config: [auth] type = remote_user)
+		## You may want to use apache's authentication (config: [auth] type = http_x_remote_user)
+		##  e.g. create a new file with a testuser: htpasswd -c -B /etc/httpd/conf/htpasswd-radicale testuser
 		#AuthBasicProvider file
 		#AuthType Basic
 		#AuthName "Enter your credentials"
-		#AuthUserFile /path/to/httpdfile/
+		#AuthUserFile /etc/httpd/conf/htpasswd-radicale
 		#AuthGroupFile /dev/null
 		#Require valid-user
+		#RequestHeader set X-Remote-User expr=%{REMOTE_USER}
 
 		<IfDefine RADICALE_ENFORCE_SSL>
 			<IfModule !ssl_module>
@@ -106,13 +108,15 @@
 		Require all granted
 		</IfDefine>
 
-		## You may want to use apache's authentication (config: [auth] type = remote_user)
+		## You may want to use apache's authentication (config: [auth] type = http_x_remote_user)
+		##  e.g. create a new file with a testuser: htpasswd -c -B /etc/httpd/conf/htpasswd-radicale testuser
 		#AuthBasicProvider file
 		#AuthType Basic
 		#AuthName "Enter your credentials"
-		#AuthUserFile /path/to/httpdfile/
+		#AuthUserFile /etc/httpd/conf/htpasswd-radicale
 		#AuthGroupFile /dev/null
 		#Require valid-user
+		#RequestHeader set X-Remote-User expr=%{REMOTE_USER}
 
 		<IfDefine RADICALE_ENFORCE_SSL>
 			<IfModule !ssl_module>
@@ -179,11 +183,12 @@ CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 		Require all granted
 		</IfDefine>
 
-		## You may want to use apache's authentication (config: [auth] type = remote_user)
+		## You may want to use apache's authentication (config: [auth] type = http_x_remote_user)
+		##  e.g. create a new file with a testuser: htpasswd -c -B /etc/httpd/conf/htpasswd-radicale testuser
 		#AuthBasicProvider file
 		#AuthType Basic
 		#AuthName "Enter your credentials"
-		#AuthUserFile /path/to/httpdfile/
+		#AuthUserFile /etc/httpd/conf/htpasswd-radicale
 		#AuthGroupFile /dev/null
 		#Require valid-user
 	</Location>
@@ -221,11 +226,12 @@ CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 		Require all granted
 		</IfDefine>
 
-		## You may want to use apache's authentication (config: [auth] type = remote_user)
+		## You may want to use apache's authentication (config: [auth] type = http_x_remote_user)
+		##  e.g. create a new file with a testuser: htpasswd -c -B /etc/httpd/conf/htpasswd-radicale testuser
 		#AuthBasicProvider file
 		#AuthType Basic
 		#AuthName "Enter your credentials"
-		#AuthUserFile /path/to/httpdfile/
+		#AuthUserFile /etc/httpd/conf/htpasswd-radicale
 		#AuthGroupFile /dev/null
 		#Require valid-user
 	</Location>

radicale/app/__init__.py

@@ -146,7 +146,7 @@ class Application(ApplicationPartDelete, ApplicationPartHead,
                     if self._response_content_on_debug:
                         logger.debug("Response content:\n%s", answer)
                     else:
-                        logger.debug("Response content: suppressed by config/option [auth] response_content_on_debug")
+                        logger.debug("Response content: suppressed by config/option [logging] response_content_on_debug")
                     headers["Content-Type"] += "; charset=%s" % self._encoding
                     answer = answer.encode(self._encoding)
                 accept_encoding = [
@@ -196,7 +196,7 @@ class Application(ApplicationPartDelete, ApplicationPartHead,
             logger.debug("Request header:\n%s",
                          pprint.pformat(self._scrub_headers(environ)))
         else:
-            logger.debug("Request header: suppressed by config/option [auth] request_header_on_debug")
+            logger.debug("Request header: suppressed by config/option [logging] request_header_on_debug")
 
         # SCRIPT_NAME is already removed from PATH_INFO, according to the
         # WSGI specification.

radicale/app/base.py

@@ -51,6 +51,7 @@ class ApplicationBase:
         self._encoding = configuration.get("encoding", "request")
         self._log_bad_put_request_content = configuration.get("logging", "bad_put_request_content")
         self._response_content_on_debug = configuration.get("logging", "response_content_on_debug")
+        self._request_content_on_debug = configuration.get("logging", "request_content_on_debug")
         self._hook = hook.load(configuration)
 
     def _read_xml_request_body(self, environ: types.WSGIEnviron
@@ -66,17 +67,20 @@ class ApplicationBase:
             logger.debug("Request content (Invalid XML):\n%s", content)
             raise RuntimeError("Failed to parse XML: %s" % e) from e
         if logger.isEnabledFor(logging.DEBUG):
-            logger.debug("Request content:\n%s",
-                         xmlutils.pretty_xml(xml_content))
+            if self._request_content_on_debug:
+                logger.debug("Request content (XML):\n%s",
+                             xmlutils.pretty_xml(xml_content))
+            else:
+                logger.debug("Request content (XML): suppressed by config/option [logging] request_content_on_debug")
         return xml_content
 
     def _xml_response(self, xml_content: ET.Element) -> bytes:
         if logger.isEnabledFor(logging.DEBUG):
             if self._response_content_on_debug:
-                logger.debug("Response content:\n%s",
+                logger.debug("Response content (XML):\n%s",
                              xmlutils.pretty_xml(xml_content))
             else:
-                logger.debug("Response content: suppressed by config/option [auth] response_content_on_debug")
+                logger.debug("Response content (XML): suppressed by config/option [logging] response_content_on_debug")
         f = io.BytesIO()
         ET.ElementTree(xml_content).write(f, encoding=self._encoding,
                                           xml_declaration=True)

radicale/app/put.py

@@ -150,7 +150,7 @@ class ApplicationPartPut(ApplicationBase):
             if self._log_bad_put_request_content:
                 logger.warning("Bad PUT request content of %r:\n%s", path, content)
             else:
-                logger.debug("Bad PUT request content: suppressed by config/option [auth] bad_put_request_content")
+                logger.debug("Bad PUT request content: suppressed by config/option [logging] bad_put_request_content")
             return httputils.BAD_REQUEST
         (prepared_items, prepared_tag, prepared_write_whole_collection,
          prepared_props, prepared_exc_info) = prepare(

radicale/config.py

@@ -292,6 +292,10 @@ DEFAULT_CONFIG_SCHEMA: types.CONFIG_SCHEMA = OrderedDict([
             "value": "False",
             "help": "log response content on level=debug",
             "type": bool}),
+        ("rights_rule_doesnt_match_on_debug", {
+            "value": "False",
+            "help": "log rights rules which doesn't match on level=debug",
+            "type": bool}),
         ("mask_passwords", {
             "value": "True",
             "help": "mask passwords in logs",

radicale/httputils.py

@@ -146,7 +146,7 @@ def read_request_body(configuration: "config.Configuration",
     if configuration.get("logging", "request_content_on_debug"):
         logger.debug("Request content:\n%s", content)
     else:
-        logger.debug("Request content: suppressed by config/option [auth] request_content_on_debug")
+        logger.debug("Request content: suppressed by config/option [logging] request_content_on_debug")
     return content
 
 

radicale/rights/from_file.py

@@ -48,6 +48,7 @@ class Rights(rights.BaseRights):
     def __init__(self, configuration: config.Configuration) -> None:
         super().__init__(configuration)
         self._filename = configuration.get("rights", "file")
+        self._log_rights_rule_doesnt_match_on_debug = configuration.get("logging", "rights_rule_doesnt_match_on_debug")
 
     def authorization(self, user: str, path: str) -> str:
         user = user or ""
@@ -61,6 +62,8 @@ class Rights(rights.BaseRights):
         except Exception as e:
             raise RuntimeError("Failed to load rights file %r: %s" %
                                (self._filename, e)) from e
+        if not self._log_rights_rule_doesnt_match_on_debug:
+            logger.debug("logging of rules which doesn't match suppressed by config/option [logging] rights_rule_doesnt_match_on_debug")
         for section in rights_config.sections():
             try:
                 user_pattern = rights_config.get(section, "user")
@@ -80,8 +83,9 @@ class Rights(rights.BaseRights):
                              user, sane_path, user_pattern,
                              collection_pattern, section, permission)
                 return permission
-            logger.debug("Rule %r:%r doesn't match %r:%r from section %r",
-                         user, sane_path, user_pattern, collection_pattern,
-                         section)
+            if self._log_rights_rule_doesnt_match_on_debug:
+                logger.debug("Rule %r:%r doesn't match %r:%r from section %r",
+                             user, sane_path, user_pattern, collection_pattern,
+                             section)
         logger.info("Rights: %r:%r doesn't match any section", user, sane_path)
         return ""