source: trunk/packages/invirt-web/code/getafsgroups.py @ 1977

Last change on this file since 1977 was 1959, checked in by broder, 15 years ago

Get tokens for a cell before getting a list membership from that cell.

I realize this is possibly the most unelegant way to do this, but I
could never figure out how to get tokens for multiple cells using
kstart.

File size: 3.8 KB
Line 
1#!/usr/bin/python
2import pprint
3import subprocess
4
5# import ldap
6# l = ldap.open("W92-130-LDAP-2.mit.edu")
7# # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
8# l.simple_bind_s("", "")
9
10# def getLdapGroups(user):
11#     """
12#     getLdapGroups(user): returns a generator for the list of LDAP groups containing user
13#     """
14#     for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
15#         for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
16#             yield group_data[1]['cn'][0]
17
18# def checkLdapGroups(user, group):
19#     """
20#     checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
21#     """
22#     for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
23#         if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
24#             return True
25#     return False
26
27class AfsProcessError(Exception):
28    pass
29
30def getAfsGroupMembers(group, cell):
31    subprocess.check_call(['aklog', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
32    p = subprocess.Popen(["pts", "membership", "-encrypt", group, '-c', cell],
33                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
34    err = p.stderr.read()
35    if err: #Error code doesn't reveal missing groups, but stderr does
36        if err.startswith('pts: Permission denied ; unable to get membership of '):
37            return []
38        raise AfsProcessError(err)
39    return [line.strip() for line in p.stdout.readlines()[1:]]
40
41def getLockerPath(locker):
42    if '/' in locker or locker in ['.', '..']:
43        raise AfsProcessError("Locker '%s' is invalid." % locker)
44    return '/mit/' + locker
45
46def getCell(locker):
47    p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)], 
48                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
49    if p.wait():
50        raise AfsProcessError(p.stderr.read())
51    return p.stdout.read().split()[-1][1:-1]
52
53def getLockerAcl(locker):
54    p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)], 
55                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
56    if p.wait():
57        raise AfsProcessError(p.stderr.read())
58    lines = p.stdout.readlines()
59    values = []
60    for line in lines[1:]:
61        fields = line.split()
62        if fields[0] == 'Negative':
63            break
64        if 'a' in fields[1]:
65            values.append(fields[0])
66    return values
67
68def notLockerOwner(user, locker):
69    """
70    notLockerOwner(user, locker) returns false if and only if user administers locker.
71
72    If the user does not own the locker, returns the string reason for
73    the failure.
74    """
75    try:
76        cell = getCell(locker)
77        values = getLockerAcl(locker)
78    except AfsProcessError, e:
79        return str(e)
80
81    for entry in values:
82        if entry == user or (entry[0:6] == "system" and
83                                user in getAfsGroupMembers(entry, cell)):
84            return False
85    return "You don't have admin bits on " + getLockerPath(locker)
86
87
88if __name__ == "__main__":
89#    print list(getldapgroups("tabbott"))
90    print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu')
91    print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu')
92    print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu')
93    print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu')
94    print notLockerOwner("tabbott", "tabbott")
95    print notLockerOwner("tabbott", "debathena")
96    print notLockerOwner("tabbott", "sipb")
97    print notLockerOwner("tabbott", "lsc")
98    print notLockerOwner("tabbott", "scripts")
99    print notLockerOwner("ecprice", "hmmt")
Note: See TracBrowser for help on using the repository browser.