init

2026-03-21 02:39:09 +01:00
commit 41e36a4545
15 changed files with 1247 additions and 0 deletions
--- a/internal/backend/db.go
+++ b/internal/backend/db.go
@@ -0,0 +1,560 @@
+package backend
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"net/http"
+	"os/exec"
+	"strings"
+
+	"github.com/emersion/go-ical"
+	"github.com/emersion/go-webdav"
+	"github.com/emersion/go-webdav/caldav"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+	"golang.org/x/crypto/bcrypt"
+	"nxcaldav/internal/config"
+)
+
+type DBBackend struct {
+	pool          *pgxpool.Pool
+	redactionText string
+}
+
+func NewDBBackend(ctx context.Context, cfg *config.Config) (*DBBackend, error) {
+	pool, err := pgxpool.New(ctx, cfg.Database.URL)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to postgres: %v", err)
+	}
+
+	b := &DBBackend{
+		pool:          pool,
+		redactionText: cfg.Server.Redaction,
+	}
+
+	if err := b.initSchema(ctx); err != nil {
+		return nil, err
+	}
+
+	if err := b.syncConfig(ctx, cfg); err != nil {
+		return nil, err
+	}
+
+	return b, nil
+}
+
+func (b *DBBackend) initSchema(ctx context.Context) error {
+	queries := []string{
+		`CREATE TABLE IF NOT EXISTS users (
+			id SERIAL PRIMARY KEY,
+			name TEXT UNIQUE NOT NULL,
+			password TEXT NOT NULL
+		)`,
+		`CREATE TABLE IF NOT EXISTS calendars (
+			id SERIAL PRIMARY KEY,
+			owner_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
+			path TEXT UNIQUE NOT NULL,
+			name TEXT,
+			description TEXT
+		)`,
+		`CREATE TABLE IF NOT EXISTS calendar_access (
+			calendar_id INTEGER REFERENCES calendars(id) ON DELETE CASCADE,
+			user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
+			mode TEXT NOT NULL,
+			PRIMARY KEY (calendar_id, user_id)
+		)`,
+		`CREATE TABLE IF NOT EXISTS calendar_objects (
+			id SERIAL PRIMARY KEY,
+			calendar_id INTEGER REFERENCES calendars(id) ON DELETE CASCADE,
+			path TEXT NOT NULL,
+			data TEXT NOT NULL,
+			etag TEXT NOT NULL,
+			UNIQUE (calendar_id, path)
+		)`,
+	}
+
+	for _, q := range queries {
+		if _, err := b.pool.Exec(ctx, q); err != nil {
+			return fmt.Errorf("failed to execute schema query: %v", err)
+		}
+	}
+	return nil
+}
+
+func (b *DBBackend) resolvePassword(u config.User) (string, error) {
+	var raw string
+	if u.PasswordCmd != "" {
+		cmd := exec.Command("bash", "-c", u.PasswordCmd)
+		out, err := cmd.Output()
+		if err != nil {
+			return "", fmt.Errorf("failed to run password command for %s: %v", u.Name, err)
+		}
+		raw = strings.TrimSpace(string(out))
+	} else {
+		raw = u.Password
+	}
+
+	// If it already looks like a bcrypt hash, return as is.
+	// bcrypt hashes usually start with $2a$ or $2b$ or $2y$.
+	if strings.HasPrefix(raw, "$2") {
+		return raw, nil
+	}
+
+	// Otherwise, hash it.
+	hash, err := bcrypt.GenerateFromPassword([]byte(raw), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+	return string(hash), nil
+}
+
+func (b *DBBackend) syncConfig(ctx context.Context, cfg *config.Config) error {
+	tx, err := b.pool.Begin(ctx)
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback(ctx)
+
+	configUserNames := make(map[string]bool)
+	configCalendarPaths := make(map[string]bool)
+
+	// Sync Users
+	for _, u := range cfg.Users {
+		configUserNames[u.Name] = true
+		hashed, err := b.resolvePassword(u)
+		if err != nil {
+			return err
+		}
+
+		_, err = tx.Exec(ctx, `
+			INSERT INTO users (name, password) VALUES ($1, $2)
+			ON CONFLICT (name) DO UPDATE SET password = EXCLUDED.password`,
+			u.Name, hashed)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Sync Calendars and Access
+	for _, c := range cfg.Calendars {
+		path := fmt.Sprintf("/%s/calendars/%s/", c.Owner, c.ID)
+		configCalendarPaths[path] = true
+
+		var ownerID int
+		err := tx.QueryRow(ctx, "SELECT id FROM users WHERE name = $1", c.Owner).Scan(&ownerID)
+		if err != nil {
+			return fmt.Errorf("owner %s not found: %v", c.Owner, err)
+		}
+
+		var calID int
+		err = tx.QueryRow(ctx, `
+			INSERT INTO calendars (owner_id, path, name) VALUES ($1, $2, $3)
+			ON CONFLICT (path) DO UPDATE SET owner_id = EXCLUDED.owner_id, name = EXCLUDED.name
+			RETURNING id`,
+			ownerID, path, c.ID).Scan(&calID)
+		if err != nil {
+			return err
+		}
+
+		_, err = tx.Exec(ctx, "DELETE FROM calendar_access WHERE calendar_id = $1", calID)
+		if err != nil {
+			return err
+		}
+
+		for _, a := range c.Access {
+			var userID int
+			err := tx.QueryRow(ctx, "SELECT id FROM users WHERE name = $1", a.User).Scan(&userID)
+			if err != nil {
+				return fmt.Errorf("access user %s not found: %v", a.User, err)
+			}
+			_, err = tx.Exec(ctx, "INSERT INTO calendar_access (calendar_id, user_id, mode) VALUES ($1, $2, $3)",
+				calID, userID, a.Mode)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	// Orphaned User Check
+	userRows, err := tx.Query(ctx, "SELECT name FROM users")
+	if err != nil {
+		return err
+	}
+	var dbUsers []string
+	for userRows.Next() {
+		var name string
+		if err := userRows.Scan(&name); err != nil {
+			return err
+		}
+		dbUsers = append(dbUsers, name)
+	}
+	userRows.Close()
+
+	for _, name := range dbUsers {
+		if !configUserNames[name] {
+			log.Printf("WARNING: Orphaned user found in database: %s (Not in config.yaml)", name)
+		}
+	}
+
+	// Orphaned Calendar Check
+	calRows, err := tx.Query(ctx, "SELECT path FROM calendars")
+	if err != nil {
+		return err
+	}
+	var dbPaths []string
+	for calRows.Next() {
+		var p string
+		if err := calRows.Scan(&p); err != nil {
+			return err
+		}
+		dbPaths = append(dbPaths, p)
+	}
+	calRows.Close()
+
+	for _, p := range dbPaths {
+		if !configCalendarPaths[p] {
+			log.Printf("WARNING: Orphaned calendar found in database: %s (Not in config.yaml)", p)
+		}
+	}
+	
+	return tx.Commit(ctx)
+}
+
+func (b *DBBackend) VerifyUser(ctx context.Context, username, password string) (bool, error) {
+	var hash string
+	err := b.pool.QueryRow(ctx, "SELECT password FROM users WHERE name = $1", username).Scan(&hash)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return false, nil
+		}
+		return false, err
+	}
+
+	err = bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+	return err == nil, nil
+}
+
+// UserPrincipalBackend implementation
+
+func (b *DBBackend) CurrentUserPrincipal(ctx context.Context) (string, error) {
+	principal, ok := ctx.Value("principal").(string)
+	if !ok {
+		return "", errors.New("no principal in context")
+	}
+	return principal, nil
+}
+
+func (b *DBBackend) getUsername(ctx context.Context) (string, error) {
+	principal, err := b.CurrentUserPrincipal(ctx)
+	if err != nil {
+		return "", err
+	}
+	return strings.Trim(principal, "/"), nil
+}
+
+func (b *DBBackend) checkAccess(ctx context.Context, calendarPath string, requiredMode string) (int, error) {
+	username, err := b.getUsername(ctx)
+	if err != nil {
+		return 0, err
+	}
+
+	if !strings.HasSuffix(calendarPath, "/") {
+		calendarPath += "/"
+	}
+
+	var calID int
+	var ownerName string
+	err = b.pool.QueryRow(ctx, `
+		SELECT c.id, u.name 
+		FROM calendars c 
+		JOIN users u ON c.owner_id = u.id 
+		WHERE c.path = $1`, calendarPath).Scan(&calID, &ownerName)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return 0, webdav.NewHTTPError(http.StatusNotFound, errors.New("calendar not found"))
+		}
+		return 0, err
+	}
+
+	if ownerName == username {
+		return calID, nil
+	}
+
+	var mode string
+	err = b.pool.QueryRow(ctx, `
+		SELECT mode FROM calendar_access 
+		WHERE calendar_id = $1 AND user_id = (SELECT id FROM users WHERE name = $2)`,
+		calID, username).Scan(&mode)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return 0, webdav.NewHTTPError(http.StatusForbidden, errors.New("access denied"))
+		}
+		return 0, err
+	}
+
+	if requiredMode == "write" && mode != "read-write" {
+		return 0, webdav.NewHTTPError(http.StatusForbidden, errors.New("read-only access"))
+	}
+
+	return calID, nil
+}
+
+func (b *DBBackend) filterCalendar(ctx context.Context, calendarID int, original *ical.Calendar) (*ical.Calendar, error) {
+	username, err := b.getUsername(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	var ownerName string
+	err = b.pool.QueryRow(ctx, "SELECT u.name FROM users u JOIN calendars c ON c.owner_id = u.id WHERE c.id = $1", calendarID).Scan(&ownerName)
+	if err != nil {
+		return nil, err
+	}
+
+	if username == ownerName {
+		return original, nil
+	}
+
+	filtered := ical.NewCalendar()
+	filtered.Props = original.Props
+
+	for _, child := range original.Children {
+		if child.Name != "VEVENT" && child.Name != "VTODO" {
+			filtered.Children = append(filtered.Children, child)
+			continue
+		}
+
+		class := "PUBLIC"
+		if prop := child.Props.Get("CLASS"); prop != nil {
+			class = strings.ToUpper(prop.Value)
+		}
+
+		switch class {
+		case "PRIVATE":
+			continue
+		case "CONFIDENTIAL":
+			redacted := ical.NewComponent(child.Name)
+			propsToKeep := []string{
+				"UID", "DTSTAMP", "DTSTART", "DTEND", "DURATION", "CLASS",
+				"DUE", "COMPLETED", "STATUS", "PRIORITY", "PERCENT-COMPLETE",
+			}
+			for _, pName := range propsToKeep {
+				if props, ok := child.Props[pName]; ok {
+					redacted.Props[pName] = props
+				}
+			}
+			redacted.Props.SetText("SUMMARY", b.redactionText)
+			filtered.Children = append(filtered.Children, redacted)
+		default:
+			filtered.Children = append(filtered.Children, child)
+		}
+	}
+
+	if len(filtered.Children) == 0 {
+		return nil, nil
+	}
+
+	return filtered, nil
+}
+
+// CalDAV Backend implementation
+
+func (b *DBBackend) CalendarHomeSetPath(ctx context.Context) (string, error) {
+	username, err := b.getUsername(ctx)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("/%s/calendars/", username), nil
+}
+
+func (b *DBBackend) ListCalendars(ctx context.Context) ([]caldav.Calendar, error) {
+	username, err := b.getUsername(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	rows, err := b.pool.Query(ctx, `
+		SELECT path, name FROM calendars 
+		WHERE owner_id = (SELECT id FROM users WHERE name = $1)
+		OR id IN (SELECT calendar_id FROM calendar_access WHERE user_id = (SELECT id FROM users WHERE name = $1))`,
+		username)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var res []caldav.Calendar
+	for rows.Next() {
+		var cal caldav.Calendar
+		if err := rows.Scan(&cal.Path, &cal.Name); err != nil {
+			return nil, err
+		}
+		cal.SupportedComponentSet = []string{"VEVENT", "VTODO"}
+		res = append(res, cal)
+	}
+	return res, nil
+}
+
+func (b *DBBackend) GetCalendar(ctx context.Context, path string) (*caldav.Calendar, error) {
+	if !strings.HasSuffix(path, "/") {
+		path += "/"
+	}
+
+	var cal caldav.Calendar
+	err := b.pool.QueryRow(ctx, "SELECT path, name FROM calendars WHERE path = $1", path).Scan(&cal.Path, &cal.Name)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, webdav.NewHTTPError(http.StatusNotFound, errors.New("calendar not found"))
+		}
+		return nil, err
+	}
+	cal.SupportedComponentSet = []string{"VEVENT", "VTODO"}
+	return &cal, nil
+}
+
+func (b *DBBackend) CreateCalendar(ctx context.Context, calendar *caldav.Calendar) error {
+	return webdav.NewHTTPError(http.StatusForbidden, errors.New("calendar creation only via config"))
+}
+
+func (b *DBBackend) ListCalendarObjects(ctx context.Context, path string, req *caldav.CalendarCompRequest) ([]caldav.CalendarObject, error) {
+	calID, err := b.checkAccess(ctx, path, "read")
+	if err != nil {
+		return nil, err
+	}
+
+	if !strings.HasSuffix(path, "/") {
+		path += "/"
+	}
+
+	rows, err := b.pool.Query(ctx, "SELECT path, data, etag FROM calendar_objects WHERE calendar_id = $1", calID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var res []caldav.CalendarObject
+	for rows.Next() {
+		var obj caldav.CalendarObject
+		var dataStr string
+		if err := rows.Scan(&obj.Path, &dataStr, &obj.ETag); err != nil {
+			return nil, err
+		}
+
+		calData, err := ical.NewDecoder(strings.NewReader(dataStr)).Decode()
+		if err != nil {
+			return nil, err
+		}
+
+		filteredData, err := b.filterCalendar(ctx, calID, calData)
+		if err != nil {
+			return nil, err
+		}
+		if filteredData == nil {
+			continue
+		}
+		obj.Data = filteredData
+		res = append(res, obj)
+	}
+	return res, nil
+}
+
+func (b *DBBackend) GetCalendarObject(ctx context.Context, path string, req *caldav.CalendarCompRequest) (*caldav.CalendarObject, error) {
+	lastSlash := strings.LastIndex(path, "/")
+	if lastSlash == -1 {
+		return nil, webdav.NewHTTPError(http.StatusBadRequest, errors.New("invalid object path"))
+	}
+	parentPath := path[:lastSlash+1]
+
+	calID, err := b.checkAccess(ctx, parentPath, "read")
+	if err != nil {
+		return nil, err
+	}
+
+	var obj caldav.CalendarObject
+	var dataStr string
+	err = b.pool.QueryRow(ctx, "SELECT path, data, etag FROM calendar_objects WHERE calendar_id = $1 AND path = $2", calID, path).Scan(&obj.Path, &dataStr, &obj.ETag)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, webdav.NewHTTPError(http.StatusNotFound, errors.New("calendar object not found"))
+		}
+		return nil, err
+	}
+
+	calData, err := ical.NewDecoder(strings.NewReader(dataStr)).Decode()
+	if err != nil {
+		return nil, err
+	}
+
+	filteredData, err := b.filterCalendar(ctx, calID, calData)
+	if err != nil {
+		return nil, err
+	}
+	if filteredData == nil {
+		return nil, webdav.NewHTTPError(http.StatusNotFound, errors.New("calendar object not found"))
+	}
+	obj.Data = filteredData
+	return &obj, nil
+}
+
+func (b *DBBackend) PutCalendarObject(ctx context.Context, path string, calendar *ical.Calendar, opts *caldav.PutCalendarObjectOptions) (*caldav.CalendarObject, error) {
+	lastSlash := strings.LastIndex(path, "/")
+	if lastSlash == -1 {
+		return nil, webdav.NewHTTPError(http.StatusBadRequest, errors.New("invalid object path"))
+	}
+	parentPath := path[:lastSlash+1]
+
+	calID, err := b.checkAccess(ctx, parentPath, "write")
+	if err != nil {
+		return nil, err
+	}
+
+	var buf bytes.Buffer
+	if err := ical.NewEncoder(&buf).Encode(calendar); err != nil {
+		return nil, err
+	}
+	dataStr := buf.String()
+	etag := fmt.Sprintf(`"%d"`, len(calendar.Events()))
+
+	_, err = b.pool.Exec(ctx, `
+		INSERT INTO calendar_objects (calendar_id, path, data, etag) VALUES ($1, $2, $3, $4)
+		ON CONFLICT (calendar_id, path) DO UPDATE SET data = EXCLUDED.data, etag = EXCLUDED.etag`,
+		calID, path, dataStr, etag)
+	if err != nil {
+		return nil, err
+	}
+
+	return &caldav.CalendarObject{
+		Path: path,
+		Data: calendar,
+		ETag: etag,
+	}, nil
+}
+
+func (b *DBBackend) DeleteCalendarObject(ctx context.Context, path string) error {
+	lastSlash := strings.LastIndex(path, "/")
+	if lastSlash == -1 {
+		return webdav.NewHTTPError(http.StatusBadRequest, errors.New("invalid object path"))
+	}
+	parentPath := path[:lastSlash+1]
+
+	calID, err := b.checkAccess(ctx, parentPath, "write")
+	if err != nil {
+		return err
+	}
+
+	commandTag, err := b.pool.Exec(ctx, "DELETE FROM calendar_objects WHERE calendar_id = $1 AND path = $2", calID, path)
+	if err != nil {
+		return err
+	}
+	if commandTag.RowsAffected() == 0 {
+		return webdav.NewHTTPError(http.StatusNotFound, errors.New("calendar object not found"))
+	}
+	return nil
+}
+
+func (b *DBBackend) QueryCalendarObjects(ctx context.Context, path string, query *caldav.CalendarQuery) ([]caldav.CalendarObject, error) {
+	return b.ListCalendarObjects(ctx, path, nil)
+}
--- a/internal/backend/mem.go
+++ b/internal/backend/mem.go
@@ -0,0 +1,318 @@
+package backend
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"sync"
+
+	"github.com/emersion/go-ical"
+	"github.com/emersion/go-webdav"
+	"github.com/emersion/go-webdav/caldav"
+	"nxcaldav/internal/config"
+)
+
+type MemBackend struct {
+	sync.RWMutex
+	allCalendars   map[string]*caldav.Calendar
+	objects        map[string]map[string]*caldav.CalendarObject
+	userCalendars  map[string][]string
+	calendarOwner  map[string]string
+	calendarAccess map[string]map[string]string
+}
+
+func NewMemBackend(cfg *config.Config) *MemBackend {
+	b := &MemBackend{
+		allCalendars:   make(map[string]*caldav.Calendar),
+		objects:        make(map[string]map[string]*caldav.CalendarObject),
+		userCalendars:  make(map[string][]string),
+		calendarOwner:  make(map[string]string),
+		calendarAccess: make(map[string]map[string]string),
+	}
+
+	for _, c := range cfg.Calendars {
+		path := fmt.Sprintf("/%s/calendars/%s/", c.Owner, c.ID)
+		cal := &caldav.Calendar{
+			Path:                  path,
+			Name:                  c.ID,
+			SupportedComponentSet: []string{"VEVENT", "VTODO"},
+		}
+		b.allCalendars[path] = cal
+		b.calendarOwner[path] = c.Owner
+		b.userCalendars[c.Owner] = append(b.userCalendars[c.Owner], path)
+
+		accessMap := make(map[string]string)
+		for _, a := range c.Access {
+			accessMap[a.User] = a.Mode
+			b.userCalendars[a.User] = append(b.userCalendars[a.User], path)
+		}
+		b.calendarAccess[path] = accessMap
+	}
+
+	return b
+}
+
+func (b *MemBackend) CurrentUserPrincipal(ctx context.Context) (string, error) {
+	principal, ok := ctx.Value("principal").(string)
+	if !ok {
+		return "", errors.New("no principal in context")
+	}
+	return principal, nil
+}
+
+func (b *MemBackend) getUsername(ctx context.Context) (string, error) {
+	principal, err := b.CurrentUserPrincipal(ctx)
+	if err != nil {
+		return "", err
+	}
+	return strings.Trim(principal, "/"), nil
+}
+
+func (b *MemBackend) checkAccess(ctx context.Context, calendarPath string, requiredMode string) error {
+	username, err := b.getUsername(ctx)
+	if err != nil {
+		return err
+	}
+
+	if !strings.HasSuffix(calendarPath, "/") {
+		calendarPath += "/"
+	}
+
+	owner := b.calendarOwner[calendarPath]
+	if owner == username {
+		return nil
+	}
+
+	mode, ok := b.calendarAccess[calendarPath][username]
+	if !ok {
+		return webdav.NewHTTPError(http.StatusForbidden, errors.New("access denied"))
+	}
+
+	if requiredMode == "write" && mode != "read-write" {
+		return webdav.NewHTTPError(http.StatusForbidden, errors.New("read-only access"))
+	}
+
+	return nil
+}
+
+func (b *MemBackend) filterCalendar(ctx context.Context, calendarPath string, original *ical.Calendar) (*ical.Calendar, error) {
+	username, err := b.getUsername(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if !strings.HasSuffix(calendarPath, "/") {
+		calendarPath += "/"
+	}
+
+	owner := b.calendarOwner[calendarPath]
+	if username == owner {
+		return original, nil
+	}
+
+	filtered := ical.NewCalendar()
+	filtered.Props = original.Props
+
+	for _, child := range original.Children {
+		if child.Name != "VEVENT" && child.Name != "VTODO" {
+			filtered.Children = append(filtered.Children, child)
+			continue
+		}
+
+		class := "PUBLIC"
+		if prop := child.Props.Get("CLASS"); prop != nil {
+			class = strings.ToUpper(prop.Value)
+		}
+
+		switch class {
+		case "PRIVATE":
+			continue
+		case "CONFIDENTIAL":
+			redacted := ical.NewComponent(child.Name)
+			propsToKeep := []string{
+				"UID", "DTSTAMP", "DTSTART", "DTEND", "DURATION", "CLASS",
+				"DUE", "COMPLETED", "STATUS", "PRIORITY", "PERCENT-COMPLETE",
+			}
+			for _, pName := range propsToKeep {
+				if props, ok := child.Props[pName]; ok {
+					redacted.Props[pName] = props
+				}
+			}
+			redacted.Props.SetText("SUMMARY", "Busy")
+			filtered.Children = append(filtered.Children, redacted)
+		default:
+			filtered.Children = append(filtered.Children, child)
+		}
+	}
+
+	if len(filtered.Children) == 0 {
+		return nil, nil
+	}
+
+	return filtered, nil
+}
+
+// CalDAV Backend implementation
+
+func (b *MemBackend) CalendarHomeSetPath(ctx context.Context) (string, error) {
+	username, err := b.getUsername(ctx)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("/%s/calendars/", username), nil
+}
+
+func (b *MemBackend) ListCalendars(ctx context.Context) ([]caldav.Calendar, error) {
+	username, err := b.getUsername(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	b.RLock()
+	defer b.RUnlock()
+
+	paths := b.userCalendars[username]
+	res := make([]caldav.Calendar, 0, len(paths))
+	for _, p := range paths {
+		if cal, ok := b.allCalendars[p]; ok {
+			res = append(res, *cal)
+		}
+	}
+	return res, nil
+}
+
+func (b *MemBackend) GetCalendar(ctx context.Context, path string) (*caldav.Calendar, error) {
+	b.RLock()
+	defer b.RUnlock()
+
+	if !strings.HasSuffix(path, "/") {
+		path += "/"
+	}
+
+	if cal, ok := b.allCalendars[path]; ok {
+		return cal, nil
+	}
+	return nil, webdav.NewHTTPError(http.StatusNotFound, errors.New("calendar not found"))
+}
+
+func (b *MemBackend) CreateCalendar(ctx context.Context, calendar *caldav.Calendar) error {
+	return webdav.NewHTTPError(http.StatusForbidden, errors.New("calendar creation only via config"))
+}
+
+func (b *MemBackend) ListCalendarObjects(ctx context.Context, path string, req *caldav.CalendarCompRequest) ([]caldav.CalendarObject, error) {
+	if err := b.checkAccess(ctx, path, "read"); err != nil {
+		return nil, err
+	}
+
+	b.RLock()
+	defer b.RUnlock()
+
+	if !strings.HasSuffix(path, "/") {
+		path += "/"
+	}
+
+	objs, ok := b.objects[path]
+	if !ok {
+		return []caldav.CalendarObject{}, nil
+	}
+
+	res := make([]caldav.CalendarObject, 0, len(objs))
+	for _, obj := range objs {
+		filteredData, err := b.filterCalendar(ctx, path, obj.Data)
+		if err != nil {
+			return nil, err
+		}
+		if filteredData == nil {
+			continue
+		}
+		newObj := *obj
+		newObj.Data = filteredData
+		res = append(res, newObj)
+	}
+	return res, nil
+}
+
+func (b *MemBackend) GetCalendarObject(ctx context.Context, path string, req *caldav.CalendarCompRequest) (*caldav.CalendarObject, error) {
+	lastSlash := strings.LastIndex(path, "/")
+	if lastSlash == -1 {
+		return nil, webdav.NewHTTPError(http.StatusBadRequest, errors.New("invalid object path"))
+	}
+	parentPath := path[:lastSlash+1]
+
+	if err := b.checkAccess(ctx, parentPath, "read"); err != nil {
+		return nil, err
+	}
+
+	b.RLock()
+	defer b.RUnlock()
+
+	if objs, ok := b.objects[parentPath]; ok {
+		if obj, ok := objs[path]; ok {
+			filteredData, err := b.filterCalendar(ctx, parentPath, obj.Data)
+			if err != nil {
+				return nil, err
+			}
+			if filteredData == nil {
+				return nil, webdav.NewHTTPError(http.StatusNotFound, errors.New("calendar object not found"))
+			}
+			newObj := *obj
+			newObj.Data = filteredData
+			return &newObj, nil
+		}
+	}
+	return nil, webdav.NewHTTPError(http.StatusNotFound, errors.New("calendar object not found"))
+}
+
+func (b *MemBackend) PutCalendarObject(ctx context.Context, path string, calendar *ical.Calendar, opts *caldav.PutCalendarObjectOptions) (*caldav.CalendarObject, error) {
+	lastSlash := strings.LastIndex(path, "/")
+	if lastSlash == -1 {
+		return nil, webdav.NewHTTPError(http.StatusBadRequest, errors.New("invalid object path"))
+	}
+	parentPath := path[:lastSlash+1]
+
+	if err := b.checkAccess(ctx, parentPath, "write"); err != nil {
+		return nil, err
+	}
+
+	b.Lock()
+	defer b.Unlock()
+
+	obj := &caldav.CalendarObject{
+		Path:     path,
+		Data:     calendar,
+		ETag:     fmt.Sprintf(`"%d"`, len(calendar.Events())),
+	}
+
+	if _, ok := b.objects[parentPath]; !ok {
+		b.objects[parentPath] = make(map[string]*caldav.CalendarObject)
+	}
+	b.objects[parentPath][path] = obj
+	return obj, nil
+}
+
+func (b *MemBackend) DeleteCalendarObject(ctx context.Context, path string) error {
+	lastSlash := strings.LastIndex(path, "/")
+	if lastSlash == -1 {
+		return webdav.NewHTTPError(http.StatusBadRequest, errors.New("invalid object path"))
+	}
+	parentPath := path[:lastSlash+1]
+
+	if err := b.checkAccess(ctx, parentPath, "write"); err != nil {
+		return err
+	}
+
+	b.Lock()
+	defer b.Unlock()
+
+	if objs, ok := b.objects[parentPath]; ok {
+		delete(objs, path)
+		return nil
+	}
+	return webdav.NewHTTPError(http.StatusNotFound, errors.New("calendar object not found"))
+}
+
+func (b *MemBackend) QueryCalendarObjects(ctx context.Context, path string, query *caldav.CalendarQuery) ([]caldav.CalendarObject, error) {
+	return b.ListCalendarObjects(ctx, path, nil)
+}