Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

fixing user calendar access in radicale

Main

I have written before about my calendar solution. This time, I have improved my radicale installation for myself. I spent a long time investigating why a small caldav client script I was writing (post coming in a few days) couldn't get to my account.

I had to run the server on debuglevel "DEBUG" and carefully examine all the rights setup. I use the rights file method. I have previously described how I added my domain auth to my radicale instance.

At first, after a ton of work, I thought that the rights evaluation was not properly evaluating the string {0}, which should be a Python re method for referring to the first replaced named expression in a regular expression, such as in this block:

[calendars-domain]
user: (.+)@IPA.EXAMPLE.COM
collection: {0}/[^/]+
permissions: rw

I am not entirely convinced it's operating as expected. I wanted user bgstack15@IPA.EXAMPLE.COM to access collections under namespace bgstack15 but it was not working. I tried adding a named variable in the interpolation list in the radicale source code to handle a username_without_domain but that didn't seem to work.

So eventually I just ended up adding a single line right after the variable user gets populated from the HTTP Authorization header, in radicale/app/__init__.py:

user = user.split("@")[0]

Which, due to user-friendly language design, also safely handles the case when no at symbol is present. So this just chomps off the @IPA.EXAMPLE.COM, and then I keep going.
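The following is an added example, not part of the original post and not Radicale's own code: a simplified model of how a rule like [calendars-domain] is evaluated, assuming the user pattern is full-matched against the login and {0} is filled with the first captured group before the collection pattern is full-matched against the path. The names permissions_for and strip_realm are hypothetical; strip_realm is a stricter variant of the one-line split patch that rejects any realm other than the expected one.

```python
import re

# Rule copied from the rights file shown above.
RULE = {"user": r"(.+)@IPA.EXAMPLE.COM",
        "collection": r"{0}/[^/]+",
        "permissions": "rw"}


def permissions_for(login, path, rule=RULE):
    """Assumed model of evaluating one rights rule (not Radicale's code)."""
    user_match = re.fullmatch(rule["user"], login)
    if user_match is None:
        return ""
    # {0} is a str.format() placeholder; it receives the first group
    # captured by the user pattern, escaped so it is matched literally.
    groups = [re.escape(g) for g in user_match.groups()]
    collection_pattern = rule["collection"].format(*groups)
    if re.fullmatch(collection_pattern, path.strip("/")):
        return rule["permissions"]
    return ""


def strip_realm(login, realm="IPA.EXAMPLE.COM"):
    """Like login.split("@")[0], but only for the one expected realm."""
    name, sep, domain = login.partition("@")
    if sep and domain != realm:
        # split("@")[0] would silently map this login onto the same
        # short name as the local user of that name.
        raise ValueError("unexpected realm: %r" % domain)
    return name


if __name__ == "__main__":
    full = "bgstack15@IPA.EXAMPLE.COM"
    # Constructed sample paths, not taken from a real server log.
    for path in ("bgstack15/calendar", full + "/calendar", "other/calendar"):
        print(full, path, repr(permissions_for(full, path)))
    # After the split patch the login no longer carries a domain, so this
    # particular rule stops matching and another rule has to grant access.
    print(strip_realm(full), repr(permissions_for(strip_realm(full),
                                                  "bgstack15/calendar")))
```

In this model the rule grants rw only on paths under the short name, never on a collection directory named after the full login, and once the login is shortened the domain rule itself no longer applies.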

I didn't fork the repo, or build a new rpm (since I'm now on AlmaLinux 8 and can just use the distro radicale3 package instead of the one I had to build for CentOS 7). I just modified the deployed file on my production system like a neanderthal. So any future updates will cause problems. Oh, so this is "technical debt." I guess I'm technically poorer now.

Second thought, unexecuted

And after I'd written my internal documentation about this whole process, I realized I should have just symlinked the collections like so:

cd /var/lib/radicale/collections/collection-root/
ln -s bgstack15 bgstack15@IPA.EXAMPLE.COM

Or just moved it. Absolutely all auth goes through the frontend reverse proxy because radicale listens only on loopback, so the usernames would always have the domain name appended. Ah, well. Perhaps in an alternate universe (timeline? parallelly-developed planet [Warning: TV Tropes links!]?) I solved it that way.
