Closed googol42 closed 2 years ago
First of all, I would like you to print out principal.url
and see if it's correct or not.
Thanks for the research - if it wasn't for the bisect, I would probably have dismissed it as something funky with Nextcloud or the user setup in Nextcloud. Well, probably it is something funky with (your) Nextcloud, but this is also a regression issue, hence I think it's important to get it working again - though I don't think I will have much capacity to look properly into it in August. If you could figure out of it and produce a pull request it would be awesome :-)
The Principal object can be constructed, and an URL can be passed - the constructor looks like this:
def __init__(self, client=None, url=None):
"""
Returns a Principal.
Parameters:
* client: a DAVClient() oject
* url: Deprecated - for backwards compatibility purposes only.
If url is not given, deduct principal path as well as calendar home set
path from doing propfinds.
"""
... so basically, just replace principal = client.principal()
with principal = Principal(client=client, url=...)
The digest auth vs basic auth vs other auths has caused me really lots of troubles, and I thought I had finally nailed it. Since this is on the ordinary http layer, I think the requests library ought to have taken care of it for me, but unfortunately not.
The old logic would first attempt to do a basic auth, then a digest auth if basic auth didn't work out, but this logic broke on one calendar server. Then I made some stupid workarounds to try to get it working on that server - but this workaround caused it to fail on other servers. In commit 164f88d8551f7b768edc983a36f351dbd3075ec4 I replaced the "stupid workaround" with a more proper refactoring. Unfortunately this refactoring again caused things to break at various servers, several bugfixes and adjustments have been done to fix issues on different calendar servers after that.
The new logic first attempts to do the request without auth, and fixes auth according to instructions from the server after getting a 401. My hypothesis is that this breaks on your NextCloud, that it grants you access as a guest user or something like that when doing a propfind without auth.
I'm not quite sure on this one - and it's needed to be very careful here as what fixes your issue may break at other servers. At the other hand, this is a regression issue, if it was working as of 0.8.x, I want it to work without modifications on the client side in the next patch.
Thanks for your feedback.
First of all, I would like you to print out principal.url and see if it's correct or not.
I already printed the urls in the test program above.
that it grants you access as a guest user or something like that when doing a propfind without auth.
I don't have guest accounts on this instance. The calendars are all private, but some are shared with the other user. And the principal url is the one for the other user.
I check the db and the oc_calendars
table in the nextcloud db. And the principal uris are right. I quickly set up a test nextcloud instance and tried to reproduce it there, but I couldn't :-( So I guess I have to set up a new (prod) nextcloud instance and to migrate my data. And I don't consider the nextcloud caldav implementation very good, at least it causes problems from time to time. So I can imagine that this might be a nextcloud issue.
The old logic would first attempt to do a basic auth, then a digest auth if basic auth didn't work out, but this logic broke on one calendar server. Then I made some stupid workarounds to try to get it working on that server - but this workaround caused it to fail on other servers. In commit https://github.com/python-caldav/caldav/commit/164f88d8551f7b768edc983a36f351dbd3075ec4 I replaced the "stupid workaround" with a more proper refactoring. Unfortunately this refactoring again caused things to break at various servers, several bugfixes and adjustments have been done to fix issues on different calendar servers after that.
Doesn't sound like fun :-|
When I can provide any information you need, please let me know. If I don't here anything from you I'll set up a new instance some time (maybe at the end of August)
Thanks for your feedback.
First of all, I would like you to print out principal.url and see if it's correct or not.
I already printed the urls in the test program above.
Right, sorry for that ... I only saw the calendar URL. So it actually considers that the "current principal" is user1, even if you're logged in as user2. That's kind of weird. Very weird indeed.
And I don't consider the nextcloud caldav implementation very good,
Much better than the one in Zimbra at least.
To be honest, I think the caldav protocol kind of sucks, and most servers fail at some point to adhere to the standard. I really didn't want to touch it, so I hoped that by using the python caldav library I wouldn't have to dive into the details of the standard, Unfortunately the library didn't work well enough for me, so I needed to fix some things, and somehow I got stuck with the maintainer role :p
at least it causes problems from time to time. So I can imagine that this might be a nextcloud issue.
Seems so. But still it's also a regression issue.
Doesn't sound like fun :-|
When I can provide any information you need, please let me know. If I don't here anything from you I'll set up a new instance some time (maybe at the end of August)
It may be that I can find some time to do research on this those days - but I would need access to the test accounts to look more into it.
Do you cache connections/sessions/credentials somehow/somewhere? When I change the password for "user1" then everything works as expected. Which is strange because the test program never logins in with the credentials for "user1".
oc_authtoken
oc_authtoken
oc_authtoken
again: there is only one entry, but for the wrong user. (for user1 which I never logged in via the test program.)I also checked the access log and your library does a PROPFIND for the wrong user. This is the entry with a fresh password:
SOMEDOMAIN:443 SOMEIP - test1 [04/Aug/2022:15:57:40 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:05 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 207 240 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:31 +0200] "PROPFIND /remote.php/dav/principals/users/test2/ HTTP/1.1" 207 288 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:31 +0200] "PROPFIND /remote.php/dav/calendars/test2/ HTTP/1.1" 207 638 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:31 +0200] "REPORT /remote.php/dav/calendars/test2/cal/ HTTP/1.1" 207 1781 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:31 +0200] "REPORT /remote.php/dav/calendars/test2/cal/ HTTP/1.1" 207 844 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:32 +0200] "REPORT /remote.php/dav/calendars/test2/cal2/ HTTP/1.1" 207 12008 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:32 +0200] "REPORT /remote.php/dav/calendars/test2/cal2/ HTTP/1.1" 207 2493 "-" "Mozilla/5.0"
....
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:32 +0200] "REPORT /remote.php/dav/calendars/test2/cal5_shared_by_test1/ HTTP/1.1" 207 250 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:32 +0200] "REPORT /remote.php/dav/calendars/test2/cal5_shared_by_test1/ HTTP/1.1" 207 250 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:33 +0200] "REPORT /remote.php/dav/calendars/test2/cal7_shared_by_test1/ HTTP/1.1" 207 6751 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:33 +0200] "REPORT /remote.php/dav/calendars/test2/cal7_shared_by_test1/ HTTP/1.1" 207 250 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:33 +0200] "REPORT /remote.php/dav/calendars/test2/cal8_shared_by_test1/ HTTP/1.1" 207 250 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:33 +0200] "REPORT /remote.php/dav/calendars/test2/cal8_shared_by_test1/ HTTP/1.1" 207 250 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:33 +0200] "REPORT /remote.php/dav/calendars/test2/cal09_shared_by_test1/ HTTP/1.1" 207 2261 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:33 +0200] "REPORT /remote.php/dav/calendars/test2/cal09_shared_by_test1/ HTTP/1.1" 207 1936 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:33 +0200] "REPORT /remote.php/dav/calendars/test2/cal10-shared_by_test1/ HTTP/1.1" 207 10519 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test2 [04/Aug/2022:15:58:33 +0200] "REPORT /remote.php/dav/calendars/test2/cal10-shared_by_test1/ HTTP/1.1" 207 4016 "-" "Mozilla/5.0"
This is the log entry, with the old password:
SOMEDOMAIN:443 SOMEIP - test1 [04/Aug/2022:16:03:46 +0200] "PROPFIND /remote.php/dav/ HTTP/1.1" 207 242 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test1 [04/Aug/2022:16:03:47 +0200] "PROPFIND /remote.php/dav/principals/users/test1/ HTTP/1.1" 207 292 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test1 [04/Aug/2022:16:03:47 +0200] "PROPFIND /remote.php/dav/calendars/test1/ HTTP/1.1" 207 618 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test1 [04/Aug/2022:16:03:47 +0200] "REPORT /remote.php/dav/calendars/test1/cal1/ HTTP/1.1" 207 2233 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test1 [04/Aug/2022:16:03:48 +0200] "REPORT /remote.php/dav/calendars/test1/cal1/ HTTP/1.1" 207 1894 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test1 [04/Aug/2022:16:03:48 +0200] "REPORT /remote.php/dav/calendars/test1/cal2/ HTTP/1.1" 207 250 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test1 [04/Aug/2022:16:03:48 +0200] "REPORT /remote.php/dav/calendars/test1/cal2/ HTTP/1.1" 207 250 "-" "Mozilla/5.0"
...
SOMEDOMAIN:443 SOMEIP - test1 [04/Aug/2022:16:03:49 +0200] "REPORT /remote.php/dav/calendars/test1/cal09/ HTTP/1.1" 207 10407 "-" "Mozilla/5.0"
SOMEDOMAIN:443 SOMEIP - test1 [04/Aug/2022:16:03:49 +0200] "REPORT /remote.php/dav/calendars/test1/cal09/ HTTP/1.1" 207 3946 "-" "Mozilla/5.0"
(The calender names have obviously been renamed by me and they don't match up anymore. So a calender shared by one use might be missing in the logs.)
So either you library is broken or my nextcloud instance is utterly broken. But I run
php -f occ integrity:check-app calendar
php -f occ integrity:check-app tasks
php -f occ integrity:check-core
and none of them reported an error.
oh my goodness. I found it. Some time ago I created a netrc
file to automatically backup calenders from nextcloud. And it interfered with python-caldav
. I just had to rename .netrc
to some other name. That was the reason I could not reproduce this on a test system. And this also the explanation why the test program works after changing the password (because then the password in netrc does not match and the login fails). 😅 Sorry for the noise.
Do you cache connections/sessions/credentials somehow/somewhere?
The client object has a self.session
variable
oh my goodness. I found it. Some time ago I created a
netrc
file to automatically backup calenders from nextcloud. And it interfered withpython-caldav
That's a bit strange. Also strange that your bisect could pinpoint which commit it was breaking stuff.
That's a bit strange. Also strange that your bisect could pinpoint which commit it was breaking stuff.
You said that you changed the behaviour that you first don't pass any credentials. In such case the .netrc
kicked in (I think) and then those credentials (respectively the returned cookie/token) are used. Does this make sense to you?
You said that you changed the behaviour that you first don't pass any credentials. In such case the
.netrc
kicked in (I think) and then those credentials (respectively the returned cookie/token) are used. Does this make sense to you?
Seems to be correct, the requests library does support .netrc indeed.
I find it very weird that the requests library does support .netrc, but does not support passing username and password without explicitly telling it what kind of authentication mode to use. Or perhaps I've just missed something.
It's still some kind of regression issue, but it's also sort of a feature that username/password can be specified in .netrc. I should add some notes about that in the documentation.
It is a feature that .netrc is used if no username or password is given. It's a bug that .netrc is honored when username and password is given.
should I re-open the bug?
I created another one instead.
System info
Problem
It seems that a wrong url is used in the principal and thus a wrong calendar url is used.
Details
Assume the following:
In the following program user2 wants to do something with his callendar called "cal":
The test program should print out this:
but prints this:
and the following exception is thrown when you uncomment the commented line in the test program (I guess because user1 does not have access to the calendar "cal"):
I did some more debugging:
I then run git bisect and I identified commit 164f88d8551f7b768edc983a36f351dbd3075ec4 as first bad commit. See the bisect log below:
As it worked in older versions, so I assume it is not a problem with nextcloud. Or am I using the libary incorrectly?