Python error in Radicale led to me fixing my httpd config

When I ran OS updates for the month of November, I realized that my Radicale CalDAV server was not working. It was running, but it had an application error. After doing all the requisite research, I opened a bug report.

Nov 01 11:01:13 server3.ipa.internal.com radicale[8675]: [8675/Thread-2] [INFO] Successful login: 'bgstack15@IPA.INTERNAL.COM'
Nov 01 11:01:13 server3.ipa.internal.com radicale[8675]: [8675/Thread-2] [ERROR] An exception occurred during REPORT request on '/bgstack15/': Error in section 'read-domain-principal' of rights file '/etc/radicale/rights': Replacement index 0 out of range for positional args tuple

With the examples and boilerplate stripped out, the problem was that my rule for calculating per-user permissions when using GSSAPI (Kerberos/LDAP) auth was throwing a Python error.

[principal-domain]
user: (.+)@IPA.EXAMPLE.COM
collection: {0}
permissions: RW

It appears that new logic in the 3.3.0 release changed how the regex capture groups work across the attributes of a permission directive.

It worked before. Or at least, it didn't throw errors before. (Technically I'd been patching out the domain name inside Radicale already, so this rule wasn't even in use.)

So, the Radicale team suggested that I strip the domain name at the reverse proxy level, which inspired me to search, and this time I found a solution!

In my httpd config:

RewriteEngine On
RewriteRule ^/radicale$ /radicale/ [R,L]
<Location "/radicale/">
   ProxyPreserveHost On
   Include conf.d/auth-gssapi.cnf
   # which includes these lines:
   #GSS_NAME returns username@IPA.EXAMPLE.COM which merely needs additional rules in /etc/radicale/rights
   #RequestHeader set X_REMOTE_USER "%{GSS_NAME}e"
   Require valid-user
   AuthName "GSSAPI protected"
   ProxyPass        http://localhost:5232/ retry=20 connectiontimeout=300 timeout=300
   ProxyPassReverse http://localhost:5232/
   RequestHeader    set X-Script-Name /radicale
+   RequestHeader    edit X_REMOTE_USER "^(.*)@.*" "$1"
</Location>

So all I needed to do was treat the now-extant request header as a string variable and do a simple regex manipulation to preserve everything before the at sign.
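As an added example (not from the original post or the Radicale project), this Python sketch emulates the RequestHeader edit line to show what it does to different header values, including principals from two realms collapsing onto one name. The second realm, the sample principals and the realm-anchored REALM_PATTERN are assumptions for illustration.

```python
import re

# Pattern from the RequestHeader edit line above; "$1" in httpd is r"\1" in Python.
PAGE_PATTERN = r"^(.*)@.*"
# Assumption: a stricter variant that strips only the one expected realm.
REALM_PATTERN = r"^(.*)@IPA\.EXAMPLE\.COM$"

# Constructed sample principals; OTHER.EXAMPLE.ORG is a hypothetical second realm.
SAMPLE = [
    "bgstack15@IPA.EXAMPLE.COM",
    "bgstack15@OTHER.EXAMPLE.ORG",
    "alice@IPA.EXAMPLE.COM",
]


def edit_header(value, pattern=PAGE_PATTERN):
    """Emulate 'RequestHeader edit': rewrite the first match, else leave the value as is."""
    return re.sub(pattern, r"\1", value, count=1)


def collisions(principals, pattern=PAGE_PATTERN):
    """Return rewritten names that more than one distinct principal maps onto."""
    seen = {}
    for principal in principals:
        seen.setdefault(edit_header(principal, pattern), set()).add(principal)
    return {name: sorted(ps) for name, ps in seen.items() if len(ps) > 1}


if __name__ == "__main__":
    for value in SAMPLE + ["localuser", "a@b@IPA.EXAMPLE.COM"]:
        print(f"{value!r:32} page: {edit_header(value)!r:12} "
              f"realm-anchored: {edit_header(value, REALM_PATTERN)!r}")
    print("collisions, page pattern:   ", collisions(SAMPLE))
    print("collisions, realm-anchored: ", collisions(SAMPLE, REALM_PATTERN))
```

With the page's pattern, any realm is stripped, so the rights file sees the same user for both bgstack15 principals; the realm-anchored variant leaves an unexpected realm attached so it does not match a bare username rule.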

Now I will no longer need to maintain that ridiculous app/__init__.py one-line patch after every python3 or Radicale update.

I am always amused that some complex problems can be solved by a one-line change. It's usually the one-line changes that represent hours and hours and hours of work, eh?
