source: trunk/packages/sipb-xen-www/code/getafsgroups.py @ 408

Last change on this file since 408 was 408, checked in by broder, 17 years ago

Validate the locker name before using it for anything

1#!/usr/bin/python
2import pprint
3import subprocess
4from webcommon import InvalidInput
5
6# import ldap
7# l = ldap.open("W92-130-LDAP-2.mit.edu")
8# # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
9# l.simple_bind_s("", "")
10
11# def getLdapGroups(user):
12#     """
13#     getLdapGroups(user): returns a generator for the list of LDAP groups containing user
14#     """
#     # NOTE(review): the LDAP filters in this and checkLdapGroups below are built by
#     # string concatenation ("uid=" + user, "(cn=" + group + ")"). If this code is
#     # ever revived, pass user/group through ldap.filter.escape_filter_chars first,
#     # otherwise a crafted name can rewrite the search filter.
#     for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
16#         for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
17#             yield group_data[1]['cn'][0]
18
19# def checkLdapGroups(user, group):
20#     """
21#     checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
22#     """
23#     for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
24#         if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
25#             return True
26#     return False
27
class MyException(Exception):
    """Raised when an AFS ``fs`` command exits non-zero.

    The exception message is the command's stderr text (see getCell and
    getLockerAcl); notLockerOwner turns it into the user-facing reason.
    """
30
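def getAfsGroupMembers(group, cell):
    """Return the members of AFS group ``group`` in cell ``cell``.

    Runs ``pts membership`` (argv list, no shell) and returns the stripped
    output lines after the first one, which is the "Members of ... are:"
    header.  Returns [] when pts exits non-zero (unknown group, unreachable
    cell, no tokens, ...).

    ``group`` and ``cell`` are separate argv entries, so they cannot inject
    further commands; a value starting with '-' could still be parsed by pts
    as an option flag, so callers should not feed it raw user input (in this
    file both come from ``fs`` output, not from the web form).

    Raises OSError if the pts binary cannot be executed at all.
    """
    p = subprocess.Popen(["pts", "membership", group, '-c', cell],
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    # Drain both pipes before waiting: with stdout and stderr both piped,
    # wait() alone can deadlock once a large membership list fills a pipe.
    out, _ = p.communicate()
    if p.returncode:
        return []
    return [line.strip() for line in out.splitlines()[1:]]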
37
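def getLockerPath(locker):
    """Return the filesystem path of Athena locker ``locker``: ``/mit/<locker>``.

    ``locker`` originates from web input and is handed to ``fs`` as a path,
    so it must be a single, non-empty path component: no '/', not '.' or
    '..', and no NUL byte.  An empty name is rejected too, since it would
    otherwise resolve to ``/mit/`` itself rather than a locker.

    Raises InvalidInput('owner', locker, ...) on any violation.
    """
    if (not locker or '/' in locker or '\0' in locker
            or locker in ('.', '..')):
        raise InvalidInput('owner', locker, 'Locker name is invalid.')
    return '/mit/' + locker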
42
def checkAfsGroup(user, group, cell):
    """
    checkAfsGroup(user, group, cell) returns True if and only if user is
    listed as a member of AFS group group in cell cell.

    Membership comes from getAfsGroupMembers, which returns [] when pts
    fails, so an unknown group or unreachable cell yields False rather
    than an error.
    """
    members = getAfsGroupMembers(group, cell)
    return any(member == user for member in members)
48
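def getCell(locker):
    """Return the name of the AFS cell that locker ``locker`` lives in.

    Runs ``fs whichcell`` on the locker path and returns the last
    whitespace-separated token of its output with one leading and one
    trailing character (the quotes around the cell name) stripped.

    Raises InvalidInput (from getLockerPath) for a malformed locker name,
    and MyException carrying fs's stderr if fs exits non-zero or prints
    nothing to parse.
    """
    path = getLockerPath(locker)
    p = subprocess.Popen(["fs", "whichcell", path],
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    # communicate() reads both pipes to EOF before waiting, avoiding the
    # deadlock wait() can hit when the child blocks on a full pipe.
    out, err = p.communicate()
    if p.returncode:
        raise MyException(err)
    words = out.split()
    if not words:
        # Exit 0 with no output: don't let this surface as an IndexError.
        raise MyException("fs whichcell produced no output for " + path)
    return words[-1][1:-1]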
55
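def getLockerAcl(locker):
    """Return the ACL entries on locker ``locker`` that carry the admin ('a') bit.

    Parses ``fs listacl`` output: the first line ("Access list for ... is")
    is skipped and entries are read until the "Negative rights:" section,
    so negative entries are never mistaken for positive admin grants.  Each
    entry line is "<name> <rights>"; the name is kept when the rights string
    contains 'a'.

    Raises InvalidInput (from getLockerPath) for a malformed locker name and
    MyException carrying fs's stderr if fs exits non-zero.
    """
    p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)],
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    # Drain both pipes before waiting so a long ACL cannot deadlock wait().
    out, err = p.communicate()
    if p.returncode:
        raise MyException(err)
    admins = []
    for line in out.splitlines()[1:]:
        fields = line.split()
        if not fields:
            continue  # blank line: nothing to parse
        if fields[0] == 'Negative':
            break
        # Section labels like "Normal rights:" have no 'a' in their second
        # field; guard short lines so they cannot raise IndexError.
        if len(fields) >= 2 and 'a' in fields[1]:
            admins.append(fields[0])
    return admins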
70
def notLockerOwner(user, locker):
    """
    notLockerOwner(user, locker) returns False if and only if user administers locker.

    Otherwise returns a string giving the reason: fs's error text when the
    locker's cell or ACL could not be read, or a "no admin bits" message.
    A malformed locker name is not reported as a string; getLockerPath
    raises InvalidInput for it instead.
    """
    try:
        cell = getCell(locker)
        admins = getLockerAcl(locker)
    except MyException as e:
        return str(e)

    def grantsAdmin(entry):
        # A direct user entry, or a system:* group the user belongs to.
        # NOTE(review): only entries prefixed "system" are expanded as
        # groups; any other AFS group holding the 'a' bit is not consulted.
        if entry == user:
            return True
        return entry[0:6] == "system" and checkAfsGroup(user, entry, cell)

    if any(grantsAdmin(entry) for entry in admins):
        return False
    return "You don't have admin bits on " + getLockerPath(locker)
89
90
if __name__ == "__main__":
    # Ad-hoc smoke checks against live AFS: they need pts/fs on PATH and
    # real tokens, so they are not a unit-test suite.
    # print(list(getldapgroups("tabbott")))
    groupChecks = (("system:debathena", 'athena.mit.edu'),
                   ("system:debathena", 'sipb.mit.edu'),
                   ("system:debathena-root", 'athena.mit.edu'),
                   ("system:hmmt-request", 'athena.mit.edu'))
    for grp, cell in groupChecks:
        print(checkAfsGroup("tabbott", grp, cell))
    ownerChecks = (("tabbott", "tabbott"), ("tabbott", "debathena"),
                   ("tabbott", "sipb"), ("tabbott", "lsc"),
                   ("tabbott", "scripts"), ("ecprice", "hmmt"))
    for who, locker in ownerChecks:
        print(notLockerOwner(who, locker))