iQJBdZddlZddlmZddlmZmZddlZddl Z ddl Z n#e $rddl Z YnwxYwddl mZejeZGddeZeGdd Zd ed ed efd Zded eeedzffdZded edzfdZ d"dededed eeeeeeffdZd"dededed edzfdZ d#dedededed edzf dZ d$dedededededed edzfdZ d%dededededed edzf d Z d%dededededed edzf d!Z!dS)&a3 RFC 6764 - Locating Services for Calendaring and Contacts (CalDAV/CardDAV) This module implements DNS-based service discovery for CalDAV and CardDAV servers as specified in RFC 6764. It allows clients to discover service endpoints from just a domain name or email address. Discovery methods (in order of preference): 1. DNS SRV records (_caldavs._tcp / _carddavs._tcp for TLS) 2. DNS TXT records (for path information) 3. Well-Known URIs (/.well-known/caldav or /.well-known/carddav) SECURITY CONSIDERATIONS: DNS-based discovery is vulnerable to attacks if DNS is not secured with DNSSEC: - DNS Spoofing: Attackers can provide malicious SRV/TXT records pointing to attacker-controlled servers - Downgrade Attacks: Malicious DNS can specify non-TLS services, causing credentials to be sent in plaintext - Man-in-the-Middle: Even with HTTPS, attackers can redirect to their servers MITIGATIONS: - require_tls=True (DEFAULT): Only accept HTTPS connections, preventing downgrade attacks - ssl_verify_cert=True (DEFAULT): Verify TLS certificates per RFC 6125 - Domain validation (RFC 6764 Section 8): Discovered hostnames must be in the same domain as the queried domain to prevent redirection attacks - Use DNSSEC when possible for DNS integrity - Manually verify discovered endpoints for sensitive applications - Consider certificate pinning for known domains For high-security environments, manual configuration may be preferable to automatic discovery. See: https://datatracker.ietf.org/doc/html/rfc6764 N) dataclass)urljoinurlparse)DAVErrorceZdZdZdS)DiscoveryErrorz#Raised when service discovery failsN)__name__ __module__ __qualname____doc__K/root/projects/butler/venv/lib/python3.11/site-packages/caldav/discovery.pyrr8s--DrrceZdZUdZeed<eed<eed<eed<eed<dZeed<dZ eed <d Z eed <d Z ed zed <defdZ d S) ServiceInfoz5Information about a discovered CalDAV/CardDAV serviceurlhostnameportpathtlsrpriorityweightunknownsourceNusernamereturnc Hd|jd|jd|jd|jd S)NzServiceInfo(url=z , source=z , priority=z , username=))rrrr)selfs r__str__zServiceInfo.__str__Ls5w$(wwT[wwT]wwgkgtwwwwr) r r r r str__annotations__intboolrrrrr r rrrr>s?? HHHMMM III III IIIHcFCOOOFCHcDjxxxxxxxrrdiscovered_domainoriginal_domainrc|d}|d}||krdS|d|zrdSdS)a Check if discovered domain is the same as or a subdomain of the original domain. This prevents DNS hijacking attacks where malicious DNS records redirect to completely different domains (e.g., acme.com -> evil.hackers.are.us). Args: discovered_domain: The hostname discovered via DNS SRV/TXT or well-known URI original_domain: The domain from the user's identifier Returns: True if discovered_domain is safe (same domain or subdomain), False otherwise Examples: >>> _is_subdomain_or_same('calendar.example.com', 'example.com') True >>> _is_subdomain_or_same('example.com', 'example.com') True >>> _is_subdomain_or_same('evil.com', 'example.com') False >>> _is_subdomain_or_same('subdomain.calendar.example.com', 'example.com') True >>> _is_subdomain_or_same('exampleXcom.evil.com', 'example.com') False .TF)lowerstripendswith)r%r& discoveredoriginals r_is_subdomain_or_samer.Psz6#((**0055J$$&&,,S11HXt3>**t 5r identifierc d|vrt|}|jp|dfSd|vrW|d}|dr|dnd}|d}||fS|dfS)a  Extract domain and optional username from an email address or URL. Args: identifier: Email address (user@example.com) or domain (example.com) Returns: A tuple of (domain, username) where username is None if not present Examples: >>> _extract_domain('user@example.com') ('example.com', 'user') >>> _extract_domain('example.com') ('example.com', None) >>> _extract_domain('https://caldav.example.com/path') ('caldav.example.com', None) ://N@r)rrsplitr*)r/parsedpartsrdomains r_extract_domainr8zs& *%%-:t44 j  %%',Qx958>>###Tr""!!      %%rtxt_datac|D]_}d|vrY|dd\}}|dkr|cS`dS)a Parse TXT record data to extract the path attribute. According to RFC 6764, TXT records contain attribute=value pairs. We're looking for the 'path' attribute. Args: txt_data: TXT record data (e.g., "path=/caldav/") Returns: The path value or None if not found Examples: >>> _parse_txt_record('path=/caldav/') '/caldav/' >>> _parse_txt_record('path=/caldav/ other=value') '/caldav/' =rN)r4r*r))r9pairkeyvalues r_parse_txt_recordr@sv(  %% $;;C++JCyy{{  ""f,,{{}}$$$ 4rTr7 service_typeuse_tlsc |rdnd}d||d|}td| tj|d}g}|D]}t |jd}t|j } t|j } t|j } td|d | d | d | d | || | | f| d |S#tjjtjjtjjf$r,} td|d| gcYd} ~ Sd} ~ wwxYw)an Perform DNS SRV record lookup. Args: domain: The domain to query service_type: Either 'caldav' or 'carddav' use_tls: If True, query for TLS service (_caldavs), else non-TLS (_caldav) Returns: List of tuples: (hostname, port, priority, weight) Sorted by priority (lower is better), then randomized by weight s_._tcp.zPerforming SRV lookup for SRVr(zFound SRV record: :z (priority=z , weight=rc$|d|d fS)Nr )xs rz_srv_lookup..sAaD1Q4%=r)r>zSRV lookup failed for : N)logdebugdnsresolverresolver!targetrstripr#rrrappendsortNXDOMAINNoAnswer exception DNSException) r7rArBservice_suffixsrv_nameanswersresultsrdatarrrres r _srv_lookuprcs"$+SSN?<???v??HII5855666,&&x77 ? ?E5<((//44Huz??D5>**H&&F IIc8ccdccxccZ`ccc d d d NNHdHf= > > > >  00 111   "  :8::q::;;; sC"D5E3!E.(E3.E3c|rdnd}d||d|}td| tj|d}|D]X}dd|jD}td|t|}|r|cSYnb#tjjtjj tj j f$r*} td |d | Yd } ~ nd } ~ wwxYwd S) a? Perform DNS TXT record lookup to find the service path. Args: domain: The domain to query service_type: Either 'caldav' or 'carddav' use_tls: If True, query for TLS service (_caldavs), else non-TLS (_caldav) Returns: The path from the TXT record, or None if not found rDrErFrGzPerforming TXT lookup for TXTcfg|].}t|tr|dn|/S)zutf-8) isinstancebytesdecode).0rDs r z_txt_lookup..s8YYYajE&:&:A'"""YYYrzFound TXT record: zTXT lookup failed for rON) rPrQrRrSrTjoinstringsr@rYrZr[r\) r7rArBr]txt_namer_rar9rrbs r _txt_lookuprosS$+SSN?<???v??HII5855666<,&&x77  EwwYY5=YYYH II5855 6 6 6$X..D       " <<< :8::q::;;;;;;;; < 4sA9B+)B++5D  DD  timeoutssl_verify_certc.d|}d||}td| tj|||d}|jdvr|jd}|rtd|t ||}t|} | jp|} t| |s#t d |d | d d St|| | j p| j d krdnd| jpd| j d kdS|jdkr2td|t||d|ddSn>#tjj$r'} td| Yd } ~ nd } ~ wwxYwd S)a8 Try to discover service via Well-Known URI (RFC 5785). According to RFC 6764, if SRV/TXT lookup fails, clients should try: - https://domain/.well-known/caldav - https://domain/.well-known/carddav Security: Redirects to different domains are validated per RFC 6764 Section 8. Args: domain: The domain to query service_type: Either 'caldav' or 'carddav' timeout: Request timeout in seconds ssl_verify_cert: Whether to verify SSL certificates Returns: ServiceInfo if successful, None otherwise z /.well-known/zhttps://zTrying well-known URI: F)rqverifyallow_redirects)i-i.i/i3i4LocationzWell-known URI redirected to: zVRFC 6764 Security: Rejecting well-known redirect to different domain. Queried domain: z, Redirect target: z&. Ignoring this redirect for security.NhttpsP/z well-known)rrrrrrz(Well-known URI is the service endpoint: TzWell-known URI lookup failed: )rPrQrequestsget status_codeheadersrrrr.warningrrschemer exceptionsRequestException) r7rArqrrwell_known_pathrresponselocation final_urlr5redirect_hostnamerbs r_well_known_lookuprs7*5l44O .V ._ . .CII---...48< "!      #< < <'++J77H  E8EEFFF$C22 !),,$*O$=v!-->GG KK@+1@@FW@@@  4"!.Q 0H0Hb+ 0'   3 & & IIFFF G G G$#   '   /888 6166777777778 4s$B3E 8E>> info = discover_service('user@example.com', 'caldav') >>> if info: ... print(f"Service URL: {info.url}") >>> # Allow non-TLS (INSECURE - only for testing) >>> info = discover_service('user@example.com', 'caldav', require_tls=False) )rcarddavzInvalid service_type: z. Must be 'caldav' or 'carddav')reasonz Discovering z service for domain: z$Username extracted from identifier: Tz/require_tls=True: Only attempting TLS discoveryFz:require_tls=False: Allowing non-TLS connections (INSECURE)rzVRFC 6764 Security: Rejecting SRV record pointing to different domain. Queried domain: z, Target FQDN: z6. This may indicate DNS hijacking or misconfiguration.z$No TXT record found, using root pathrzrwhttprxryr1rIz Discovered z service via SRV: srv) rrrrrrrrrz(SRV lookup failed, trying well-known URIz service via well-known URI: zFailed to discover z service for N) rr8rPinforQrrcr.rorrrr)r/rArqrrrrr7r tls_optionsrB srv_recordsrrrrrr default_portrwell_known_infos rdiscover_servicerdsn000YLYYY    'z22FHHH GL G Gv G GHHHE CCCDDDRf  CDDDD(2DtUmmt}  PQQQ..!&,@@ + /:1~ ,HdHf )6::  L'-LL>FLLL v|W==D  @AAA!(3WWVF")133rL|##;;H;;t;T;;44H4d44 HHH<HH3HH I I I!!!      C+ \II8999(wXXO#+  _|__/J]__```KKIlIIIIJJJ 4rc,t|d||||S)a Convenience function to discover CalDAV service. Args: identifier: Domain name or email address timeout: Timeout for HTTP requests in seconds ssl_verify_cert: Whether to verify SSL certificates prefer_tls: If True, try TLS services first require_tls: If True (default), only accept TLS connections Returns: ServiceInfo object or None rr/rArqrrrrrr/rqrrrrs rdiscover_caldavrs-( '    rc,t|d||||S)a Convenience function to discover CardDAV service. Args: identifier: Domain name or email address timeout: Timeout for HTTP requests in seconds ssl_verify_cert: Whether to verify SSL certificates prefer_tls: If True, try TLS services first require_tls: If True (default), only accept TLS connections Returns: ServiceInfo object or None rrrrs rdiscover_carddavr s-( '    r)T)rpT)rrpTTT)rpTTT)"r logging dataclassesr urllib.parserr dns.exceptionrR dns.resolverniquestsr| ImportErrorcaldav.lib.errorr getLoggerr rPrrr!r$r.tupler8r@listr#rcrorrrrr rrrs##J!!!!!!********OOOOO&%%%%%g!!     X    xxxxxxx x"'S'3'4''''T&&c3:o(>&&&&Dd :59-- -"--1- %S#s" #$----`&&&3&&t&&&&TPTPP P"P-0PHLP4PPPPj!  GGGGG G  G  G4GGGGX       4 @       4 s # //