1 | #!/usr/bin/python |
---|
2 | import pprint |
---|
3 | import subprocess |
---|
4 | from webcommon import InvalidInput |
---|
5 | |
---|
6 | # import ldap |
---|
7 | # l = ldap.open("W92-130-LDAP-2.mit.edu") |
---|
8 | # # ldap.mit.edu is 1/2 broken right now so we're going to the working backend |
---|
9 | # l.simple_bind_s("", "") |
---|
10 | |
---|
11 | # def getLdapGroups(user): |
---|
12 | # """ |
---|
13 | # getLdapGroups(user): returns a generator for the list of LDAP groups containing user |
---|
14 | # """ |
---|
15 | # for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []): |
---|
16 | # for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']): |
---|
17 | # yield group_data[1]['cn'][0] |
---|
18 | |
---|
19 | # def checkLdapGroups(user, group): |
---|
20 | # """ |
---|
21 | # checkLdapGroups(user, group): returns True if and only if user is in LDAP group group |
---|
22 | # """ |
---|
23 | # for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []): |
---|
24 | # if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []: |
---|
25 | # return True |
---|
26 | # return False |
---|
27 | |
---|
28 | class AfsProcessError(Exception): |
---|
29 | pass |
---|
30 | |
---|
31 | def getAfsGroupMembers(group, cell): |
---|
32 | p = subprocess.Popen(["pts", "membership", group, '-c', cell], |
---|
33 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
---|
34 | if p.wait(): |
---|
35 | return [] |
---|
36 | return [line.strip() for line in p.stdout.readlines()[1:]] |
---|
37 | |
---|
38 | def getLockerPath(locker): |
---|
39 | if '/' in locker or locker in ['.', '..']: |
---|
40 | raise InvalidInput('owner', locker, 'Locker name is invalid.') |
---|
41 | return '/mit/' + locker |
---|
42 | |
---|
43 | def checkAfsGroup(user, group, cell): |
---|
44 | """ |
---|
45 | checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell |
---|
46 | """ |
---|
47 | return user in getAfsGroupMembers(group, cell) |
---|
48 | |
---|
49 | def getCell(locker): |
---|
50 | p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)], |
---|
51 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
---|
52 | if p.wait(): |
---|
53 | raise AfsProcessError(p.stderr.read()) |
---|
54 | return p.stdout.read().split()[-1][1:-1] |
---|
55 | |
---|
56 | def getLockerAcl(locker): |
---|
57 | p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)], |
---|
58 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
---|
59 | if p.wait(): |
---|
60 | raise AfsProcessError(p.stderr.read()) |
---|
61 | lines = p.stdout.readlines() |
---|
62 | values = [] |
---|
63 | for line in lines[1:]: |
---|
64 | fields = line.split() |
---|
65 | if fields[0] == 'Negative': |
---|
66 | break |
---|
67 | if 'a' in fields[1]: |
---|
68 | values.append(fields[0]) |
---|
69 | return values |
---|
70 | |
---|
71 | def notLockerOwner(user, locker): |
---|
72 | """ |
---|
73 | notLockerOwner(user, locker) returns false if and only if user administers locker. |
---|
74 | |
---|
75 | If the user does not own the locker, returns the string reason for |
---|
76 | the failure. |
---|
77 | """ |
---|
78 | try: |
---|
79 | cell = getCell(locker) |
---|
80 | values = getLockerAcl(locker) |
---|
81 | except AfsProcessError, e: |
---|
82 | return str(e) |
---|
83 | |
---|
84 | for entry in values: |
---|
85 | if entry == user or (entry[0:6] == "system" and |
---|
86 | checkAfsGroup(user, entry, cell)): |
---|
87 | return False |
---|
88 | return "You don't have admin bits on " + getLockerPath(locker) |
---|
89 | |
---|
90 | |
---|
91 | if __name__ == "__main__": |
---|
92 | # print list(getldapgroups("tabbott")) |
---|
93 | print checkAfsGroup("tabbott", "system:debathena", 'athena.mit.edu') |
---|
94 | print checkAfsGroup("tabbott", "system:debathena", 'sipb.mit.edu') |
---|
95 | print checkAfsGroup("tabbott", "system:debathena-root", 'athena.mit.edu') |
---|
96 | print checkAfsGroup("tabbott", "system:hmmt-request", 'athena.mit.edu') |
---|
97 | print notLockerOwner("tabbott", "tabbott") |
---|
98 | print notLockerOwner("tabbott", "debathena") |
---|
99 | print notLockerOwner("tabbott", "sipb") |
---|
100 | print notLockerOwner("tabbott", "lsc") |
---|
101 | print notLockerOwner("tabbott", "scripts") |
---|
102 | print notLockerOwner("ecprice", "hmmt") |
---|