source: package_branches/invirt-web/cherrypy/code/getafsgroups.py @ 2501

Last change on this file since 2501 was 2425, checked in by broder, 15 years ago

Only aklog to a cell if encryption is actually needed.

  • Property svn:executable set to *
File size: 4.0 KB
RevLine 
[161]1#!/usr/bin/python
2import pprint
3import subprocess
[2119]4from invirt.config import structs as config
[161]5
6# import ldap
7# l = ldap.open("W92-130-LDAP-2.mit.edu")
8# # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
9# l.simple_bind_s("", "")
10
11# def getLdapGroups(user):
12#     """
13#     getLdapGroups(user): returns a generator for the list of LDAP groups containing user
14#     """
15#     for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
16#         for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
17#             yield group_data[1]['cn'][0]
18
19# def checkLdapGroups(user, group):
20#     """
21#     checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
22#     """
23#     for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
24#         if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
25#             return True
26#     return False
27
[409]28class AfsProcessError(Exception):
[234]29    pass
30
31def getAfsGroupMembers(group, cell):
[2119]32    encrypt = True
33    for c in config.authz:
34        if c.type == 'afs' and c.cell == cell and hasattr(c, 'auth'):
35            encrypt = c.auth
[2425]36    if encrypt:
37        subprocess.check_call(['aklog', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
[2119]38    p = subprocess.Popen(["pts", "membership", "-encrypt" if encrypt else '-noauth', group, '-c', cell],
[177]39                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
[413]40    err = p.stderr.read()
41    if err: #Error code doesn't reveal missing groups, but stderr does
[1955]42        if err.startswith('pts: Permission denied ; unable to get membership of '):
43            return []
[413]44        raise AfsProcessError(err)
[234]45    return [line.strip() for line in p.stdout.readlines()[1:]]
[161]46
[408]47def getLockerPath(locker):
48    if '/' in locker or locker in ['.', '..']:
[412]49        raise AfsProcessError("Locker '%s' is invalid." % locker)
[408]50    return '/mit/' + locker
51
[234]52def getCell(locker):
[408]53    p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)], 
[177]54                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
55    if p.wait():
[409]56        raise AfsProcessError(p.stderr.read())
[234]57    return p.stdout.read().split()[-1][1:-1]
58
59def getLockerAcl(locker):
[1155]60    p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)], 
61                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
62    if p.wait():
63        raise AfsProcessError(p.stderr.read())
[234]64    lines = p.stdout.readlines()
65    values = []
66    for line in lines[1:]:
67        fields = line.split()
68        if fields[0] == 'Negative':
[161]69            break
[408]70        if 'a' in fields[1]:
[234]71            values.append(fields[0])
72    return values
[161]73
[234]74def notLockerOwner(user, locker):
75    """
76    notLockerOwner(user, locker) returns false if and only if user administers locker.
[161]77
[234]78    If the user does not own the locker, returns the string reason for
79    the failure.
80    """
81    try:
82        cell = getCell(locker)
83        values = getLockerAcl(locker)
[409]84    except AfsProcessError, e:
[234]85        return str(e)
86
87    for entry in values:
[413]88        if entry == user or (entry[0:6] == "system" and
89                                user in getAfsGroupMembers(entry, cell)):
[234]90            return False
[408]91    return "You don't have admin bits on " + getLockerPath(locker)
[234]92
93
[161]94if __name__ == "__main__":
95#    print list(getldapgroups("tabbott"))
[413]96    print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu')
97    print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu')
98    print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu')
99    print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu')
[234]100    print notLockerOwner("tabbott", "tabbott")
101    print notLockerOwner("tabbott", "debathena")
102    print notLockerOwner("tabbott", "sipb")
103    print notLockerOwner("tabbott", "lsc")
104    print notLockerOwner("tabbott", "scripts")
105    print notLockerOwner("ecprice", "hmmt")
Note: See TracBrowser for help on using the repository browser.