initial commit of file from CVS for smeserver-mod_dav on Sat Sep 7 20:41:25 AEST 2024
This commit is contained in:
Trevor Batley
1
root/etc/e-smith/db/configuration/defaults/modDAV/status
Normal file
1
root/etc/e-smith/db/configuration/defaults/modDAV/status
Normal file
@@ -0,0 +1 @@
|
||||
enabled
|
||||
1
root/etc/e-smith/db/configuration/defaults/modDAV/type
Normal file
1
root/etc/e-smith/db/configuration/defaults/modDAV/type
Normal file
@@ -0,0 +1 @@
|
||||
service
|
||||
@@ -0,0 +1,9 @@
|
||||
{
|
||||
# vim: ft=perl:
|
||||
my $status = $modDAV{status} || 'disabled';
|
||||
if ( $status eq "enabled" )
|
||||
{
|
||||
$OUT .= "LoadModule dav_module\tmodules/mod_dav.so\n";
|
||||
$OUT .= "LoadModule dav_fs_module modules/mod_dav_fs.so\n";
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
{
|
||||
my $status = $modDAV{status} || 'disabled';
|
||||
if ( $status eq "enabled" )
|
||||
{
|
||||
$OUT .= "\nDAVLockDB /var/run/davLocks/DAVLock\n";
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
#
|
||||
# The following directive disables redirects on non-GET requests for
|
||||
# a directory that does not include the trailing slash. This fixes a
|
||||
# problem with Microsoft WebFolders which does not appropriately handle
|
||||
# redirects for folders with DAV methods.
|
||||
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
|
||||
#
|
||||
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
|
||||
BrowserMatch "^WebDrive" redirect-carefully
|
||||
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
|
||||
BrowserMatch "^gnome-vfs" redirect-carefully
|
||||
@@ -0,0 +1,92 @@
|
||||
{
|
||||
use esmith::AccountsDB;
|
||||
use esmith::DAV;
|
||||
my $adb = esmith::AccountsDB->open_ro();
|
||||
$OUT = "";
|
||||
foreach my $ibay ($adb->ibays)
|
||||
{
|
||||
my %properties = $ibay->props;
|
||||
my $key = $ibay->key;
|
||||
my $dynamicContent = $properties{'CgiBin'} || "disabled";
|
||||
my $secureEXEC = $properties{'ModDavSecureEXEC'} || 'enabled';
|
||||
my $access = $properties{'PublicAccess'} || 'none';
|
||||
$OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none';
|
||||
next if $access eq 'none';
|
||||
# true if have to be password accessible from somewhere.
|
||||
my $satisfy = ($access eq 'global-pw-remote')? 'RequireAny': 'RequireAll';
|
||||
if ($properties{'ModDav'})
|
||||
{
|
||||
if ($properties{'ModDav'} eq 'enabled')
|
||||
{
|
||||
my $ReadRequire = esmith::DAV::getRequireUser("read", $key );
|
||||
my $WriteRequire = esmith::DAV::getRequireUser("write", $key);
|
||||
my $ReadAllow = esmith::DAV::getAllow("read", $key, $localAccess );
|
||||
my $WriteAllow = esmith::DAV::getAllow("write", $key, $localAccess );
|
||||
|
||||
$OUT .= "\n<Directory /home/e-smith/files/ibays/$key/html>\n\n";
|
||||
$OUT .= " # Enable DAV access for this directory tree\n";
|
||||
$OUT .= " DAV On\n\n";
|
||||
#we will not seriously let you type your password over the network without encryption
|
||||
$OUT .= " SSLRequireSSL\n\n";
|
||||
|
||||
if ($dynamicContent eq 'enabled' && $secureEXEC eq 'enabled')
|
||||
{
|
||||
# we do not want PHP or CGI to be runt there for security reason
|
||||
$OUT .= " <FilesMatch \\.(phar|php)\$>\n";
|
||||
$OUT .= " #disabling php\n";
|
||||
$OUT .= " SetHandler !\n"; # could use also SetHandler none
|
||||
$OUT .= " Require all denied\n" if ( $properties{'ModDavHidePHP'} || 'enabled' ) eq 'enabled';
|
||||
$OUT .= " </FilesMatch>\n";
|
||||
$OUT .= " Options -ExecCGI\n";
|
||||
$OUT .= " RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo\n";
|
||||
$OUT .= " php_flag engine off\n" if ((exists $php{status} and $php{status} eq "enabled") and $phpModule eq "enabled") ;# can not use this one when php module not in use
|
||||
}
|
||||
|
||||
$OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n" if ($properties{'ModDav-FileETag'});
|
||||
|
||||
$OUT .= " AllowOverride None\n";
|
||||
$OUT .= " Options +Indexes \n\n";
|
||||
$OUT .= " # Allow fancy indexing by columns and download by clicking icon\n";
|
||||
$OUT .= " IndexOptions FancyIndexing IconsAreLinks\n\n";
|
||||
|
||||
# bug with httpd-2.4 fixed in httpd-2.5 only see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 PROPFIND will fail
|
||||
$OUT .= " #because of bug https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 in httpd 2.4 DirectoryIndex disabled is needed for webdav to work\n";
|
||||
$OUT .= " DirectoryIndex disabled\n\n" unless ( ($properties{'ModDavNoDirectoryIndex'}||"enabled" ) eq "disabled");
|
||||
$OUT .= " #DirectoryIndex disabled : DavNoDirectoryIndex has been defined to force DirectoryIndex \n\n" if ( ($properties{'ModDavNoDirectoryIndex'}||"enabled" ) eq "disabled");
|
||||
|
||||
$OUT .= " AuthName \"$properties{'Name'}\"\n";
|
||||
$OUT .= " AuthBasicProvider external\n";
|
||||
$OUT .= " AuthType Basic\n";
|
||||
$OUT .= " AuthExternal pwauth\n";
|
||||
$OUT .= " <$satisfy>\n";
|
||||
$OUT .= " " . $ReadRequire . "\n";
|
||||
$OUT .= " " . $ReadAllow . "\n";
|
||||
$OUT .= " </$satisfy>\n\n";
|
||||
|
||||
# Ensure only valid users get to do stuff... update 2021/02:
|
||||
# GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
|
||||
# some suggest : AllowMethods HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL MKCALENDAR COPY MOVE LOCK UNLOCK TRACE
|
||||
# TRACE is not supposed to be limited by this directive, should use TraceEnable
|
||||
# LimitExcept is suggested over Limit in order to catch all non standard methods
|
||||
# however we put our limit to the whole folder with the Require user .... above, so the whole block under seems useless
|
||||
# unless we reduce it to one user, or are fool to enlarge to Require valid-user
|
||||
# $OUT .= " <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n\n";
|
||||
# $OUT .= " #Require all granted\n";
|
||||
# $OUT .= " Require user $userlist\n\n";
|
||||
# $OUT .= " </Limit>\n\n";
|
||||
|
||||
$OUT .= " <LimitExcept GET POST PROPFIND OPTIONS CONNECT>\n";
|
||||
$OUT .= " <RequireAll>\n";
|
||||
$OUT .= " " . $WriteRequire . "\n";
|
||||
$OUT .= " ". $WriteAllow ."\n";
|
||||
$OUT .= " </RequireAll>\n";
|
||||
$OUT .= " </LimitExcept>\n\n";
|
||||
$OUT .= "</Directory>\n";
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$OUT .= "\n # DAV disabled for ibay $key\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,32 @@
|
||||
{
|
||||
# this fragment is to force SSL redirection for webdav activated account in case it is not already enabled
|
||||
# could be removed if core fragment 20IbaysContent introduce forced ssl for DAV
|
||||
use esmith::AccountsDB;
|
||||
my $adb = esmith::AccountsDB->open_ro();
|
||||
$OUT = "";
|
||||
foreach my $ibay ($adb->ibays)
|
||||
{
|
||||
my %properties = $ibay->props;
|
||||
my $key = $ibay->key;
|
||||
my $dynamicContent = $properties{'CgiBin'} || "disabled";
|
||||
my $secureEXEC = $properties{'ModDAVsecureEXEC'} || 'enabled';
|
||||
my $access = $properties{'PublicAccess'} || 'none';
|
||||
$OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none';
|
||||
next if $access eq 'none';
|
||||
# true if have to be password accessible from somewhere.
|
||||
if ($properties{'ModDav'})
|
||||
{
|
||||
if ($properties{'ModDav'} eq 'enabled')
|
||||
{
|
||||
# we force SSL redirection in case DAV is enabled
|
||||
if (( $port ne $httpsPort ) && (($ibay->prop('SSL') || 'disabled') ne 'enabled'))
|
||||
{
|
||||
my $portspec = ($httpsPort eq 443) ? "" : ":$httpsPort";
|
||||
$OUT .= " RewriteEngine on\n";
|
||||
$OUT .= " RewriteRule ^/$key(/.*|\$) https://%{HTTP_HOST}${portspec}/$key\$1 \[L,R\]\n";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
1
root/usr/lib/tmpfiles.d/mod_dav.conf
Normal file
1
root/usr/lib/tmpfiles.d/mod_dav.conf
Normal file
@@ -0,0 +1 @@
|
||||
d /var/run/davLocks 0755 www www
|
||||
118
root/usr/share/perl5/vendor_perl/esmith/DAV.pm
Normal file
118
root/usr/share/perl5/vendor_perl/esmith/DAV.pm
Normal file
@@ -0,0 +1,118 @@
|
||||
|
||||
package esmith::DAV;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
use esmith::AccountsDB;
|
||||
my $adb = esmith::AccountsDB->open_ro();
|
||||
|
||||
use vars qw( $AUTOLOAD @ISA );
|
||||
|
||||
sub getRequireUser {
|
||||
my ($mode, $key) = @_;
|
||||
my $ibay = $adb->get($key) or return "Require user admin";
|
||||
my %properties = $ibay->props or return "Require user admin";
|
||||
my $iBayGroup = $properties{'Group'} || 'admin';
|
||||
my $accessMode = $properties{'UserAccess'} || 'wr-admin-rd-group';
|
||||
my $access = $properties{'PublicAccess'} || 'none';
|
||||
my $ispassibay = $access =~ /-pw/;
|
||||
my $Anonymous = $properties{'ModDavAnonymousRead'} || "disabled";
|
||||
my $MEMBERS = getMembers( $key, $iBayGroup);
|
||||
my $REQUIRE = "";
|
||||
if ($mode eq "read")
|
||||
{
|
||||
if ($accessMode eq "wr-group-rd-everyone")
|
||||
{
|
||||
if ( $Anonymous eq "enabled" )
|
||||
{
|
||||
$REQUIRE = "# Allowing unauthenticated read access";
|
||||
}
|
||||
else
|
||||
{
|
||||
my $EVERYONE = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )); #shared user members
|
||||
#$REQUIRE = "#wr-group-rd-everyone : members of shared\n";
|
||||
$REQUIRE .= "Require user " . $EVERYONE;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$REQUIRE = "Require user " . $MEMBERS;
|
||||
if ($accessMode eq "wr-admin-rd-group")
|
||||
{
|
||||
# add "admin" to the read group to avoid read/write auth conflicts
|
||||
$REQUIRE .= " admin";
|
||||
}
|
||||
}
|
||||
if ($ispassibay)
|
||||
{
|
||||
#we have local-pw or global-pw or global-pw-remote
|
||||
$REQUIRE = ( $REQUIRE =~ /Require user / ) ? "$REQUIRE $key" : "Require user $key";
|
||||
$REQUIRE .= " $MEMBERS" if ( $access =~ /remote/ );
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
if ($accessMode eq "wr-admin-rd-group")
|
||||
{
|
||||
$REQUIRE = "Require user admin";
|
||||
}
|
||||
else
|
||||
{
|
||||
$REQUIRE = "Require user " . $MEMBERS;
|
||||
}
|
||||
}
|
||||
return $REQUIRE;
|
||||
}
|
||||
|
||||
sub getAllow {
|
||||
my ($mode, $key, $localAccess ) = @_;
|
||||
$localAccess = (defined $localAccess ) ? $localAccess : "127.0.0.1";
|
||||
my $ibay = $adb->get($key) or return "Require ip 127.0.0.1";
|
||||
my %properties = $ibay->props or return "Require ip 127.0.0.1";
|
||||
my $Public = $properties{'PublicAccess'} || 'none';
|
||||
|
||||
my $allow = "Require ip 127.0.0.1";
|
||||
if ($Public eq 'none')
|
||||
{
|
||||
$allow = "# allow from set to NONE";
|
||||
}
|
||||
elsif ($Public =~ /(local|remote)/ )
|
||||
{
|
||||
$allow = "Require ip " . $localAccess;
|
||||
}
|
||||
elsif ($Public =~ /global/)
|
||||
{
|
||||
$allow = "Require all granted";
|
||||
}
|
||||
return $allow;
|
||||
}
|
||||
|
||||
sub getMembers {
|
||||
my ($key, $iBayGroup) = @_;
|
||||
my $MEMBERS = $key;
|
||||
foreach my $group ( ($adb->groups, $adb->get('admin'), $adb->get('shared') ) )
|
||||
{
|
||||
my %groupprops = $group->props;
|
||||
my $grpkey = $group->key;
|
||||
if ($grpkey eq $iBayGroup)
|
||||
{
|
||||
# we have the group that owns the DAV iBay
|
||||
# If there are members of the group validate on them,
|
||||
# otherwise on the ibayname
|
||||
my $GroupMembers = $groupprops{'Members'} || undef;
|
||||
$GroupMembers = "admin" if ( $grpkey eq "admin" );
|
||||
$GroupMembers = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )) if ( $grpkey eq "shared" ) ;
|
||||
|
||||
if ($GroupMembers)
|
||||
{
|
||||
# need to break user list on commas then output each one...
|
||||
my @values = split(',',$GroupMembers);
|
||||
$MEMBERS = "" unless (!@values) ;
|
||||
foreach my $val (@values) {
|
||||
$MEMBERS .= $val . " ";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return $MEMBERS;
|
||||
}
|
||||
0
root/var/run/davLocks/.gitignore
vendored
Normal file
0
root/var/run/davLocks/.gitignore
vendored
Normal file
Reference in New Issue
Block a user