source: trunk/packages/sipb-xen-www/code/getafsgroups.py @ 409

Last change on this file since 409 was 409, checked in by ecprice, 16 years ago

Rename MyException? to something reasonable.

File size: 3.7 KB
RevLine 
[161]1#!/usr/bin/python
2import pprint
3import subprocess
[408]4from webcommon import InvalidInput
[161]5
6# import ldap
7# l = ldap.open("W92-130-LDAP-2.mit.edu")
8# # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
9# l.simple_bind_s("", "")
10
11# def getLdapGroups(user):
12#     """
13#     getLdapGroups(user): returns a generator for the list of LDAP groups containing user
14#     """
15#     for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
16#         for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
17#             yield group_data[1]['cn'][0]
18
19# def checkLdapGroups(user, group):
20#     """
21#     checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
22#     """
23#     for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
24#         if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
25#             return True
26#     return False
27
[409]28class AfsProcessError(Exception):
[234]29    pass
30
31def getAfsGroupMembers(group, cell):
[177]32    p = subprocess.Popen(["pts", "membership", group, '-c', cell], 
33                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
34    if p.wait():
[234]35        return []
36    return [line.strip() for line in p.stdout.readlines()[1:]]
[161]37
[408]38def getLockerPath(locker):
39    if '/' in locker or locker in ['.', '..']:
40        raise InvalidInput('owner', locker, 'Locker name is invalid.')
41    return '/mit/' + locker
42
[234]43def checkAfsGroup(user, group, cell):
[161]44    """
[234]45    checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell
46    """
47    return user in getAfsGroupMembers(group, cell)
[209]48
[234]49def getCell(locker):
[408]50    p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)], 
[177]51                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
52    if p.wait():
[409]53        raise AfsProcessError(p.stderr.read())
[234]54    return p.stdout.read().split()[-1][1:-1]
55
56def getLockerAcl(locker):
[408]57    p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)], 
[177]58                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
59    if p.wait():
[409]60        raise AfsProcessError(p.stderr.read())
[234]61    lines = p.stdout.readlines()
62    values = []
63    for line in lines[1:]:
64        fields = line.split()
65        if fields[0] == 'Negative':
[161]66            break
[408]67        if 'a' in fields[1]:
[234]68            values.append(fields[0])
69    return values
[161]70
[234]71def notLockerOwner(user, locker):
72    """
73    notLockerOwner(user, locker) returns false if and only if user administers locker.
[161]74
[234]75    If the user does not own the locker, returns the string reason for
76    the failure.
77    """
78    try:
79        cell = getCell(locker)
80        values = getLockerAcl(locker)
[409]81    except AfsProcessError, e:
[234]82        return str(e)
83
84    for entry in values:
[246]85        if entry == user or (entry[0:6] == "system" and 
86                                checkAfsGroup(user, entry, cell)):
[234]87            return False
[408]88    return "You don't have admin bits on " + getLockerPath(locker)
[234]89
90
[161]91if __name__ == "__main__":
92#    print list(getldapgroups("tabbott"))
93    print checkAfsGroup("tabbott", "system:debathena", 'athena.mit.edu')
94    print checkAfsGroup("tabbott", "system:debathena", 'sipb.mit.edu')
95    print checkAfsGroup("tabbott", "system:debathena-root", 'athena.mit.edu')
96    print checkAfsGroup("tabbott", "system:hmmt-request", 'athena.mit.edu')
[234]97    print notLockerOwner("tabbott", "tabbott")
98    print notLockerOwner("tabbott", "debathena")
99    print notLockerOwner("tabbott", "sipb")
100    print notLockerOwner("tabbott", "lsc")
101    print notLockerOwner("tabbott", "scripts")
102    print notLockerOwner("ecprice", "hmmt")
Note: See TracBrowser for help on using the repository browser.