Add TB_ACCOUNTS_CALDAV_URL and /oidc/auth for token based CalDAV autodiscover

Author: davinotdavid

backend/.env.example

@@ -89,6 +89,7 @@ TB_ACCOUNTS_HOST=http://localhost:8087
 TB_ACCOUNTS_CALLBACK=http://localhost:5000/accounts/callback
 TB_ACCOUNTS_CLIENT_ID
 TB_ACCOUNTS_SECRET
+TB_ACCOUNTS_CALDAV_URL=https://stage-thundermail.com
 
 # -- GOOGLE AUTH --
 GOOGLE_AUTH_CLIENT_ID=

backend/.env.test

@@ -90,6 +90,7 @@ CALDAV_TEST_USER=hello-world
 CALDAV_TEST_PASS=fake-pass
 GOOGLE_TEST_USER=
 GOOGLE_TEST_PASS=
+TB_ACCOUNTS_CALDAV_URL=https://stage-thundermail.com
 
 TEST_USER_EMAIL=[email protected]
 

backend/src/appointment/controller/calendar.py

@@ -17,6 +17,7 @@
 from dns.exception import DNSException
 from redis import Redis, RedisCluster
 from caldav import DAVClient
+from caldav.requests import HTTPBearerAuth
 from fastapi import BackgroundTasks
 from google.oauth2.credentials import Credentials
 from icalendar import Calendar, Event, vCalAddress, vText
@@ -320,7 +321,15 @@ def delete_events(self, start):
 
 class CalDavConnector(BaseConnector):
     def __init__(
-        self, db: Session, subscriber_id: int, calendar_id: int, redis_instance, url: str, user: str, password: str
+        self,
+        db: Session,
+        subscriber_id: int,
+        calendar_id: int,
+        redis_instance,
+        url: str,
+        user: str | None = None,
+        password: str | None = None,
+        token: str | None = None,
     ):
         super().__init__(subscriber_id, calendar_id, redis_instance)
 
@@ -336,7 +345,10 @@ def __init__(
             sentry_sdk.set_tag('caldav_host', parsed_url.hostname)
 
         # connect to the CalDAV server
-        self.client = DAVClient(url=self.url, username=self.user, password=self.password)
+        if token:
+            self.client = DAVClient(url=self.url, auth=HTTPBearerAuth(token))
+        else:
+            self.client = DAVClient(url=self.url, username=self.user, password=self.password)
 
     def get_busy_time(self, calendar_ids: list, start: str, end: str):
         """Retrieve a list of { start, end } dicts that will indicate busy time for a user

backend/src/appointment/database/schemas.py

@@ -285,8 +285,8 @@ class CalendarConnection(CalendarConnectionOut):
 
 
 class CalendarConnectionIn(CalendarConnection):
-    url: str = Field(min_length=1)
-    user: str = Field(min_length=1)
+    url: str = Optional[str]
+    user: str = Optional[str]
     password: Optional[str]
 
 

backend/src/appointment/routes/caldav.py

@@ -1,3 +1,4 @@
+import os
 import json
 import urllib
 from typing import Optional
@@ -11,7 +12,7 @@
 from appointment import utils
 from appointment.controller.calendar import CalDavConnector, Tools
 from appointment.database import models, schemas, repo
-from appointment.dependencies.auth import get_subscriber
+from appointment.dependencies.auth import get_subscriber, oauth2_scheme
 from appointment.dependencies.database import get_db, get_redis
 from appointment.exceptions.calendar import TestConnectionFailed
 from appointment.exceptions.misc import UnexpectedBehaviourWarning
@@ -128,6 +129,96 @@ def caldav_autodiscover_auth(
     return True
 
 
+@router.post('/oidc/auth')
+def oidc_autodiscover_auth(
+    db: Session = Depends(get_db),
+    subscriber: models.Subscriber = Depends(get_subscriber),
+    redis_client: Redis = Depends(get_redis),
+    token: str = Depends(oauth2_scheme),
+):
+    """Connects a principal caldav server through oidc token auth"""
+
+    connection_url = os.getenv('TB_ACCOUNTS_CALDAV_URL')
+    dns_lookup_cache_key = f'dns:{utils.encrypt(connection_url)}'
+    lookup_url = None
+
+    if redis_client:
+        lookup_url = redis_client.get(dns_lookup_cache_key)
+
+    if lookup_url and 'http' not in lookup_url:
+        debug_obj = {'url': lookup_url, 'branch': 'CACHE'}
+        # Raise and catch the unexpected behaviour warning so we can get proper stacktrace in sentry...
+        try:
+            sentry_sdk.set_extra('debug_object', debug_obj)
+            raise UnexpectedBehaviourWarning(message='Cache incorrect', info=debug_obj)
+        except UnexpectedBehaviourWarning as ex:
+            sentry_sdk.capture_exception(ex)
+
+        # Clear cache for that key
+        redis_client.delete(dns_lookup_cache_key)
+
+        # Ignore cached result and look it up again
+        lookup_url = None
+
+    # Do a dns lookup first
+    if lookup_url is None:
+        parsed_url = urlparse(connection_url)
+        lookup_url, ttl = Tools.dns_caldav_lookup(parsed_url.hostname, secure=True)
+        # set the cached lookup for the remainder of the dns ttl
+        if redis_client and lookup_url:
+            redis_client.set(dns_lookup_cache_key, utils.encrypt(lookup_url), ex=ttl)
+    else:
+        # Extract the cached value
+        lookup_url = utils.decrypt(lookup_url)
+
+    # If we have a lookup_url then apply it
+    if lookup_url and 'http' not in lookup_url:
+        connection_url = urllib.parse.urljoin(connection_url, lookup_url)
+    elif lookup_url:
+        connection_url = lookup_url
+
+    con = CalDavConnector(
+        db=db,
+        redis_instance=None,
+        url=connection_url,
+        subscriber_id=subscriber.id,
+        calendar_id=None,
+        token=token,
+    )
+
+    try:
+        if not con.test_connection():
+            raise RemoteCalendarConnectionError()
+    except TestConnectionFailed as ex:
+        raise RemoteCalendarConnectionError(reason=ex.reason)
+
+    caldav_name = subscriber.email
+    caldav_id = json.dumps([connection_url, caldav_name])
+
+    external_connection = repo.external_connection.get_by_type(
+        db, subscriber.id, models.ExternalConnectionType.caldav, caldav_id
+    )
+
+    # Create or update the external connection
+    if not external_connection:
+        external_connection_schema = schemas.ExternalConnection(
+            name=caldav_name,
+            type=models.ExternalConnectionType.caldav,
+            type_id=caldav_id,
+            owner_id=subscriber.id,
+            token=token,
+        )
+
+        external_connection = repo.external_connection.create(db, external_connection_schema)
+    else:
+        external_connection = repo.external_connection.update_token(
+            db, token, subscriber.id, models.ExternalConnectionType.caldav, caldav_id
+        )
+
+    con.sync_calendars(external_connection_id=external_connection.id)
+    return True
+
+
 @router.post('/', response_model=schemas.CalendarOut)
 def create_my_calendar(
     calendar: schemas.CalendarConnection,

pulumi/config.dev.yaml

@@ -226,6 +226,8 @@ resources:
                 value: "60"
               - name: OIDC_FALLBACK_MATCH_BY_EMAIL
                 value: "True"
+              - name: TB_ACCOUNTS_CALDAV_URL
+                value: https://stage-thundermail.com
 
   tb:autoscale:EcsServiceAutoscaler:
     backend:

pulumi/config.prod.yaml

@@ -296,6 +296,8 @@ resources:
                 value: https://appointment.tb.pro/api/v1/zoom/callback
               - name: ZOOM_API_NEW_APP
                 value: "False"
+              - name: TB_ACCOUNTS_CALDAV_URL
+                value: https://thundermail.com
 
   tb:autoscale:EcsServiceAutoscaler:
     backend:

pulumi/config.stage.yaml

@@ -297,6 +297,8 @@ resources:
                 value: "False"
               - name: ZOOM_AUTH_CALLBACK
                 value: https://appointment-stage.tb.pro/api/v1/zoom/callback
+              - name: TB_ACCOUNTS_CALDAV_URL
+                value: https://stage-thundermail.com
 
   tb:autoscale:EcsServiceAutoscaler:
     backend: