source: trunk/packages/invirt-web/code/getafsgroups.py @ 1969

Last change on this file since 1969 was 1959, checked in by broder, 16 years ago

Get tokens for a cell before getting a list membership from that cell.

I realize this is possibly the most unelegant way to do this, but I
could never figure out how to get tokens for multiple cells using
kstart.

File size: 3.8 KB
RevLine 
[161]1#!/usr/bin/python
2import pprint
3import subprocess
4
5# import ldap
6# l = ldap.open("W92-130-LDAP-2.mit.edu")
7# # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
8# l.simple_bind_s("", "")
9
10# def getLdapGroups(user):
11#     """
12#     getLdapGroups(user): returns a generator for the list of LDAP groups containing user
13#     """
14#     for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
15#         for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
16#             yield group_data[1]['cn'][0]
17
18# def checkLdapGroups(user, group):
19#     """
20#     checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
21#     """
22#     for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
23#         if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
24#             return True
25#     return False
26
[409]27class AfsProcessError(Exception):
[234]28    pass
29
30def getAfsGroupMembers(group, cell):
[1959]31    subprocess.check_call(['aklog', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
[1947]32    p = subprocess.Popen(["pts", "membership", "-encrypt", group, '-c', cell],
[177]33                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
[413]34    err = p.stderr.read()
35    if err: #Error code doesn't reveal missing groups, but stderr does
[1955]36        if err.startswith('pts: Permission denied ; unable to get membership of '):
37            return []
[413]38        raise AfsProcessError(err)
[234]39    return [line.strip() for line in p.stdout.readlines()[1:]]
[161]40
[408]41def getLockerPath(locker):
42    if '/' in locker or locker in ['.', '..']:
[412]43        raise AfsProcessError("Locker '%s' is invalid." % locker)
[408]44    return '/mit/' + locker
45
[234]46def getCell(locker):
[408]47    p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)], 
[177]48                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
49    if p.wait():
[409]50        raise AfsProcessError(p.stderr.read())
[234]51    return p.stdout.read().split()[-1][1:-1]
52
53def getLockerAcl(locker):
[1155]54    p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)], 
55                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
56    if p.wait():
57        raise AfsProcessError(p.stderr.read())
[234]58    lines = p.stdout.readlines()
59    values = []
60    for line in lines[1:]:
61        fields = line.split()
62        if fields[0] == 'Negative':
[161]63            break
[408]64        if 'a' in fields[1]:
[234]65            values.append(fields[0])
66    return values
[161]67
[234]68def notLockerOwner(user, locker):
69    """
70    notLockerOwner(user, locker) returns false if and only if user administers locker.
[161]71
[234]72    If the user does not own the locker, returns the string reason for
73    the failure.
74    """
75    try:
76        cell = getCell(locker)
77        values = getLockerAcl(locker)
[409]78    except AfsProcessError, e:
[234]79        return str(e)
80
81    for entry in values:
[413]82        if entry == user or (entry[0:6] == "system" and
83                                user in getAfsGroupMembers(entry, cell)):
[234]84            return False
[408]85    return "You don't have admin bits on " + getLockerPath(locker)
[234]86
87
[161]88if __name__ == "__main__":
89#    print list(getldapgroups("tabbott"))
[413]90    print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu')
91    print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu')
92    print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu')
93    print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu')
[234]94    print notLockerOwner("tabbott", "tabbott")
95    print notLockerOwner("tabbott", "debathena")
96    print notLockerOwner("tabbott", "sipb")
97    print notLockerOwner("tabbott", "lsc")
98    print notLockerOwner("tabbott", "scripts")
99    print notLockerOwner("ecprice", "hmmt")
Note: See TracBrowser for help on using the repository browser.