| 1 | #!/usr/bin/python |
|---|
| 2 | |
|---|
| 3 | """Re-generate the remctl configuration for build submissions. |
|---|
| 4 | |
|---|
| 5 | This script generates the remctl ACL and configuration for each build |
|---|
| 6 | pocket defined in the configuration. It also updates the .k5login for |
|---|
| 7 | the git user that developers can push through. |
|---|
| 8 | """ |
|---|
| 9 | |
|---|
| 10 | |
|---|
| 11 | import os |
|---|
| 12 | import tempfile |
|---|
| 13 | |
|---|
| 14 | from invirt.authz import mech as authz |
|---|
| 15 | from invirt.config import structs as config |
|---|
| 16 | |
|---|
| 17 | |
|---|
| 18 | def userToPrinc(user): |
|---|
| 19 | """Convert an AFS principal to a Kerberos v5 principal.""" |
|---|
| 20 | if '@' in user: |
|---|
| 21 | (princ, realm) = user.split('@') |
|---|
| 22 | else: |
|---|
| 23 | princ = user |
|---|
| 24 | realm = config.kerberos.realm |
|---|
| 25 | |
|---|
| 26 | return princ.replace('.', '/') + '@' + realm |
|---|
| 27 | |
|---|
| 28 | |
|---|
| 29 | def main(): |
|---|
| 30 | all_devs = set() |
|---|
| 31 | |
|---|
| 32 | # Python could really use a file-like object that gets written to |
|---|
| 33 | # a temporary path and moved to its final resting place on |
|---|
| 34 | # .close(). Oh well. |
|---|
| 35 | conf_fd, conf_name = tempfile.mkstemp() |
|---|
| 36 | conf = os.fdopen(conf_fd, 'r+') |
|---|
| 37 | build_handler = '/usr/sbin/invirt-submit-build' |
|---|
| 38 | |
|---|
| 39 | for pocket in config.git.pockets: |
|---|
| 40 | acl = authz.expandAdmin(getattr(config.git.pockets, pocket).acl, None) |
|---|
| 41 | |
|---|
| 42 | acl_fd, acl_name = tempfile.mkstemp() |
|---|
| 43 | acl_fd = os.fdopen(acl_fd, 'r+') |
|---|
| 44 | print >>acl_fd, '\n'.join(userToPrinc(a) for a in acl) |
|---|
| 45 | |
|---|
| 46 | all_devs.update(set(userToPrinc(a) for a in acl)) |
|---|
| 47 | |
|---|
| 48 | acl_path = os.path.join('/etc/remctl/acl/build-%s' % pocket) |
|---|
| 49 | |
|---|
| 50 | os.rename(acl_name, acl_path) |
|---|
| 51 | print >>conf, 'build %s %s %s' % (pocket, build_handler, acl_path) |
|---|
| 52 | |
|---|
| 53 | os.rename(conf_name, '/etc/remctl/conf.d/build') |
|---|
| 54 | |
|---|
| 55 | k5login_fd, k5login_name = tempfile.mkstemp() |
|---|
| 56 | k5login = os.fdopen(k5login_fd, 'r+') |
|---|
| 57 | print >>k5login, '\n'.join(all_devs) |
|---|
| 58 | |
|---|
| 59 | |
|---|
| 60 | if __name__ == '__main__': |
|---|
| 61 | main() |
|---|
