source: package_branches/invirt-web/cherrypy/code/getafsgroups.py @ 2652

Last change on this file since 2652 was 2591, checked in by broder, 14 years ago

Update the cherrypy branch to use authz.afs.cells instead of just
authz.cells, to stay in sync with r2590.

(Again, this isn't really a cherry-pick, but whatever)

  • Property svn:executable set to *
File size: 4.0 KB
RevLine 
[161]1#!/usr/bin/python
2import pprint
3import subprocess
[2119]4from invirt.config import structs as config
[161]5
6# import ldap
7# l = ldap.open("W92-130-LDAP-2.mit.edu")
8# # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
9# l.simple_bind_s("", "")
10
11# def getLdapGroups(user):
12#     """
13#     getLdapGroups(user): returns a generator for the list of LDAP groups containing user
14#     """
15#     for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
16#         for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
17#             yield group_data[1]['cn'][0]
18
19# def checkLdapGroups(user, group):
20#     """
21#     checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
22#     """
23#     for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
24#         if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
25#             return True
26#     return False
27
[409]28class AfsProcessError(Exception):
[234]29    pass
30
31def getAfsGroupMembers(group, cell):
[2119]32    encrypt = True
[2591]33    for c in config.authz.afs.cells:
[2558]34        if c.cell == cell and hasattr(c, 'auth'):
[2119]35            encrypt = c.auth
[2425]36    if encrypt:
37        subprocess.check_call(['aklog', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
[2119]38    p = subprocess.Popen(["pts", "membership", "-encrypt" if encrypt else '-noauth', group, '-c', cell],
[177]39                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
[413]40    err = p.stderr.read()
41    if err: #Error code doesn't reveal missing groups, but stderr does
[1955]42        if err.startswith('pts: Permission denied ; unable to get membership of '):
43            return []
[413]44        raise AfsProcessError(err)
[234]45    return [line.strip() for line in p.stdout.readlines()[1:]]
[161]46
[408]47def getLockerPath(locker):
48    if '/' in locker or locker in ['.', '..']:
[412]49        raise AfsProcessError("Locker '%s' is invalid." % locker)
[408]50    return '/mit/' + locker
51
[234]52def getCell(locker):
[408]53    p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)], 
[177]54                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
55    if p.wait():
[409]56        raise AfsProcessError(p.stderr.read())
[234]57    return p.stdout.read().split()[-1][1:-1]
58
59def getLockerAcl(locker):
[1155]60    p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)], 
61                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
62    if p.wait():
63        raise AfsProcessError(p.stderr.read())
[234]64    lines = p.stdout.readlines()
65    values = []
66    for line in lines[1:]:
67        fields = line.split()
68        if fields[0] == 'Negative':
[161]69            break
[408]70        if 'a' in fields[1]:
[234]71            values.append(fields[0])
72    return values
[161]73
[234]74def notLockerOwner(user, locker):
75    """
76    notLockerOwner(user, locker) returns false if and only if user administers locker.
[161]77
[234]78    If the user does not own the locker, returns the string reason for
79    the failure.
80    """
81    try:
82        cell = getCell(locker)
83        values = getLockerAcl(locker)
[409]84    except AfsProcessError, e:
[234]85        return str(e)
86
87    for entry in values:
[413]88        if entry == user or (entry[0:6] == "system" and
89                                user in getAfsGroupMembers(entry, cell)):
[234]90            return False
[408]91    return "You don't have admin bits on " + getLockerPath(locker)
[234]92
93
[161]94if __name__ == "__main__":
95#    print list(getldapgroups("tabbott"))
[413]96    print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu')
97    print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu')
98    print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu')
99    print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu')
[234]100    print notLockerOwner("tabbott", "tabbott")
101    print notLockerOwner("tabbott", "debathena")
102    print notLockerOwner("tabbott", "sipb")
103    print notLockerOwner("tabbott", "lsc")
104    print notLockerOwner("tabbott", "scripts")
105    print notLockerOwner("ecprice", "hmmt")
Note: See TracBrowser for help on using the repository browser.