| [161] | 1 | #!/usr/bin/python |
|---|
| 2 | import pprint |
|---|
| 3 | import subprocess |
|---|
| [2119] | 4 | from invirt.config import structs as config |
|---|
| [161] | 5 | |
|---|
| 6 | # import ldap |
|---|
| 7 | # l = ldap.open("W92-130-LDAP-2.mit.edu") |
|---|
| 8 | # # ldap.mit.edu is 1/2 broken right now so we're going to the working backend |
|---|
| 9 | # l.simple_bind_s("", "") |
|---|
| 10 | |
|---|
| 11 | # def getLdapGroups(user): |
|---|
| 12 | # """ |
|---|
| 13 | # getLdapGroups(user): returns a generator for the list of LDAP groups containing user |
|---|
| 14 | # """ |
|---|
| 15 | # for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []): |
|---|
| 16 | # for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']): |
|---|
| 17 | # yield group_data[1]['cn'][0] |
|---|
| 18 | |
|---|
| 19 | # def checkLdapGroups(user, group): |
|---|
| 20 | # """ |
|---|
| 21 | # checkLdapGroups(user, group): returns True if and only if user is in LDAP group group |
|---|
| 22 | # """ |
|---|
| 23 | # for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []): |
|---|
| 24 | # if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []: |
|---|
| 25 | # return True |
|---|
| 26 | # return False |
|---|
| 27 | |
|---|
| [409] | 28 | class AfsProcessError(Exception): |
|---|
| [234] | 29 | pass |
|---|
| 30 | |
|---|
| 31 | def getAfsGroupMembers(group, cell): |
|---|
| [2119] | 32 | encrypt = True |
|---|
| 33 | for c in config.authz: |
|---|
| 34 | if c.type == 'afs' and c.cell == cell and hasattr(c, 'auth'): |
|---|
| 35 | encrypt = c.auth |
|---|
| [1959] | 36 | subprocess.check_call(['aklog', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|---|
| [2119] | 37 | p = subprocess.Popen(["pts", "membership", "-encrypt" if encrypt else '-noauth', group, '-c', cell], |
|---|
| [177] | 38 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|---|
| [413] | 39 | err = p.stderr.read() |
|---|
| 40 | if err: #Error code doesn't reveal missing groups, but stderr does |
|---|
| [1955] | 41 | if err.startswith('pts: Permission denied ; unable to get membership of '): |
|---|
| 42 | return [] |
|---|
| [413] | 43 | raise AfsProcessError(err) |
|---|
| [234] | 44 | return [line.strip() for line in p.stdout.readlines()[1:]] |
|---|
| [161] | 45 | |
|---|
| [408] | 46 | def getLockerPath(locker): |
|---|
| 47 | if '/' in locker or locker in ['.', '..']: |
|---|
| [412] | 48 | raise AfsProcessError("Locker '%s' is invalid." % locker) |
|---|
| [408] | 49 | return '/mit/' + locker |
|---|
| 50 | |
|---|
| [234] | 51 | def getCell(locker): |
|---|
| [408] | 52 | p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)], |
|---|
| [177] | 53 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|---|
| 54 | if p.wait(): |
|---|
| [409] | 55 | raise AfsProcessError(p.stderr.read()) |
|---|
| [234] | 56 | return p.stdout.read().split()[-1][1:-1] |
|---|
| 57 | |
|---|
| 58 | def getLockerAcl(locker): |
|---|
| [1155] | 59 | p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)], |
|---|
| 60 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
|---|
| 61 | if p.wait(): |
|---|
| 62 | raise AfsProcessError(p.stderr.read()) |
|---|
| [234] | 63 | lines = p.stdout.readlines() |
|---|
| 64 | values = [] |
|---|
| 65 | for line in lines[1:]: |
|---|
| 66 | fields = line.split() |
|---|
| 67 | if fields[0] == 'Negative': |
|---|
| [161] | 68 | break |
|---|
| [408] | 69 | if 'a' in fields[1]: |
|---|
| [234] | 70 | values.append(fields[0]) |
|---|
| 71 | return values |
|---|
| [161] | 72 | |
|---|
| [234] | 73 | def notLockerOwner(user, locker): |
|---|
| 74 | """ |
|---|
| 75 | notLockerOwner(user, locker) returns false if and only if user administers locker. |
|---|
| [161] | 76 | |
|---|
| [234] | 77 | If the user does not own the locker, returns the string reason for |
|---|
| 78 | the failure. |
|---|
| 79 | """ |
|---|
| 80 | try: |
|---|
| 81 | cell = getCell(locker) |
|---|
| 82 | values = getLockerAcl(locker) |
|---|
| [409] | 83 | except AfsProcessError, e: |
|---|
| [234] | 84 | return str(e) |
|---|
| 85 | |
|---|
| 86 | for entry in values: |
|---|
| [413] | 87 | if entry == user or (entry[0:6] == "system" and |
|---|
| 88 | user in getAfsGroupMembers(entry, cell)): |
|---|
| [234] | 89 | return False |
|---|
| [408] | 90 | return "You don't have admin bits on " + getLockerPath(locker) |
|---|
| [234] | 91 | |
|---|
| 92 | |
|---|
| [161] | 93 | if __name__ == "__main__": |
|---|
| 94 | # print list(getldapgroups("tabbott")) |
|---|
| [413] | 95 | print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu') |
|---|
| 96 | print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu') |
|---|
| 97 | print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu') |
|---|
| 98 | print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu') |
|---|
| [234] | 99 | print notLockerOwner("tabbott", "tabbott") |
|---|
| 100 | print notLockerOwner("tabbott", "debathena") |
|---|
| 101 | print notLockerOwner("tabbott", "sipb") |
|---|
| 102 | print notLockerOwner("tabbott", "lsc") |
|---|
| 103 | print notLockerOwner("tabbott", "scripts") |
|---|
| 104 | print notLockerOwner("ecprice", "hmmt") |
|---|
