source: trunk/packages/sipb-xen-www/code/getafsgroups.py @ 412

Last change on this file since 412 was 412, checked in by ecprice, 17 years ago

Better error messaging for invalid lockers.

File size: 3.7 KB
Line 
1#!/usr/bin/python
2import pprint
3import subprocess
4
5# import ldap
6# l = ldap.open("W92-130-LDAP-2.mit.edu")
7# # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
8# l.simple_bind_s("", "")
9
10# def getLdapGroups(user):
11#     """
12#     getLdapGroups(user): returns a generator for the list of LDAP groups containing user
13#     """
14#     for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
15#         for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
16#             yield group_data[1]['cn'][0]
17
18# def checkLdapGroups(user, group):
19#     """
20#     checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
21#     """
22#     for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
23#         if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
24#             return True
25#     return False
26
27class AfsProcessError(Exception):
28    pass
29
30def getAfsGroupMembers(group, cell):
31    p = subprocess.Popen(["pts", "membership", group, '-c', cell], 
32                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
33    if p.wait():
34        return []
35    return [line.strip() for line in p.stdout.readlines()[1:]]
36
37def getLockerPath(locker):
38    if '/' in locker or locker in ['.', '..']:
39        raise AfsProcessError("Locker '%s' is invalid." % locker)
40    return '/mit/' + locker
41
42def checkAfsGroup(user, group, cell):
43    """
44    checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell
45    """
46    return user in getAfsGroupMembers(group, cell)
47
48def getCell(locker):
49    p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)], 
50                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
51    if p.wait():
52        raise AfsProcessError(p.stderr.read())
53    return p.stdout.read().split()[-1][1:-1]
54
55def getLockerAcl(locker):
56    p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)], 
57                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
58    if p.wait():
59        raise AfsProcessError(p.stderr.read())
60    lines = p.stdout.readlines()
61    values = []
62    for line in lines[1:]:
63        fields = line.split()
64        if fields[0] == 'Negative':
65            break
66        if 'a' in fields[1]:
67            values.append(fields[0])
68    return values
69
70def notLockerOwner(user, locker):
71    """
72    notLockerOwner(user, locker) returns false if and only if user administers locker.
73
74    If the user does not own the locker, returns the string reason for
75    the failure.
76    """
77    try:
78        cell = getCell(locker)
79        values = getLockerAcl(locker)
80    except AfsProcessError, e:
81        return str(e)
82
83    for entry in values:
84        if entry == user or (entry[0:6] == "system" and 
85                                checkAfsGroup(user, entry, cell)):
86            return False
87    return "You don't have admin bits on " + getLockerPath(locker)
88
89
90if __name__ == "__main__":
91#    print list(getldapgroups("tabbott"))
92    print checkAfsGroup("tabbott", "system:debathena", 'athena.mit.edu')
93    print checkAfsGroup("tabbott", "system:debathena", 'sipb.mit.edu')
94    print checkAfsGroup("tabbott", "system:debathena-root", 'athena.mit.edu')
95    print checkAfsGroup("tabbott", "system:hmmt-request", 'athena.mit.edu')
96    print notLockerOwner("tabbott", "tabbott")
97    print notLockerOwner("tabbott", "debathena")
98    print notLockerOwner("tabbott", "sipb")
99    print notLockerOwner("tabbott", "lsc")
100    print notLockerOwner("tabbott", "scripts")
101    print notLockerOwner("ecprice", "hmmt")
Note: See TracBrowser for help on using the repository browser.