[161] | 1 | #!/usr/bin/python |
---|
| 2 | import pprint |
---|
| 3 | import subprocess |
---|
| 4 | |
---|
| 5 | # import ldap |
---|
| 6 | # l = ldap.open("W92-130-LDAP-2.mit.edu") |
---|
| 7 | # # ldap.mit.edu is 1/2 broken right now so we're going to the working backend |
---|
| 8 | # l.simple_bind_s("", "") |
---|
| 9 | |
---|
| 10 | # def getLdapGroups(user): |
---|
| 11 | # """ |
---|
| 12 | # getLdapGroups(user): returns a generator for the list of LDAP groups containing user |
---|
| 13 | # """ |
---|
| 14 | # for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []): |
---|
| 15 | # for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']): |
---|
| 16 | # yield group_data[1]['cn'][0] |
---|
| 17 | |
---|
| 18 | # def checkLdapGroups(user, group): |
---|
| 19 | # """ |
---|
| 20 | # checkLdapGroups(user, group): returns True if and only if user is in LDAP group group |
---|
| 21 | # """ |
---|
| 22 | # for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []): |
---|
| 23 | # if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []: |
---|
| 24 | # return True |
---|
| 25 | # return False |
---|
| 26 | |
---|
| 27 | def checkAfsGroup(user, group, cell): |
---|
| 28 | """ |
---|
| 29 | checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell |
---|
| 30 | """ |
---|
[177] | 31 | p = subprocess.Popen(["pts", "membership", group, '-c', cell], |
---|
| 32 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
---|
| 33 | if p.wait(): |
---|
[161] | 34 | return False |
---|
[177] | 35 | for line in p.stdout.readlines()[1:]: |
---|
| 36 | if line.strip() == user: |
---|
[161] | 37 | return True |
---|
| 38 | return False |
---|
| 39 | |
---|
[177] | 40 | def checkLockerOwner(user, locker, verbose=False): |
---|
[161] | 41 | """ |
---|
[209] | 42 | checkLockerOwner(user, locker) returns True if and only if user administers locker. |
---|
| 43 | |
---|
| 44 | If verbose is true, instead return the reason for failure, or None |
---|
| 45 | if there is no failure. |
---|
[161] | 46 | """ |
---|
[177] | 47 | p = subprocess.Popen(["fs", "whichcell", "/mit/" + locker], |
---|
| 48 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
---|
| 49 | if p.wait(): |
---|
| 50 | if verbose: |
---|
| 51 | return p.stderr.read() |
---|
[161] | 52 | return False |
---|
| 53 | cell = p.stdout.read().split()[-1][1:-1] |
---|
[177] | 54 | p = subprocess.Popen(["fs", "listacl", "/mit/" + locker], |
---|
| 55 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
---|
| 56 | if p.wait(): |
---|
| 57 | if verbose: |
---|
| 58 | return p.stderr.read() |
---|
[161] | 59 | return False |
---|
[177] | 60 | for line in p.stdout.readlines()[1:]: |
---|
[161] | 61 | entry = line.split() |
---|
[177] | 62 | if not entry or entry[0] == "Negative": |
---|
[161] | 63 | break |
---|
| 64 | if entry[1] == "rlidwka": |
---|
[177] | 65 | if entry[0] == user or (entry[0][0:6] == "system" and |
---|
| 66 | checkAfsGroup(user, entry[0], cell)): |
---|
[209] | 67 | if verbose: |
---|
| 68 | return None |
---|
[161] | 69 | return True |
---|
[177] | 70 | if verbose: |
---|
| 71 | return "You don't have admin bits on /mit/" + locker |
---|
[161] | 72 | return False |
---|
| 73 | |
---|
| 74 | |
---|
| 75 | if __name__ == "__main__": |
---|
| 76 | # print list(getldapgroups("tabbott")) |
---|
| 77 | print checkAfsGroup("tabbott", "system:debathena", 'athena.mit.edu') |
---|
| 78 | print checkAfsGroup("tabbott", "system:debathena", 'sipb.mit.edu') |
---|
| 79 | print checkAfsGroup("tabbott", "system:debathena-root", 'athena.mit.edu') |
---|
| 80 | print checkAfsGroup("tabbott", "system:hmmt-request", 'athena.mit.edu') |
---|
| 81 | print checkLockerOwner("tabbott", "tabbott") |
---|
| 82 | print checkLockerOwner("tabbott", "debathena") |
---|
| 83 | print checkLockerOwner("tabbott", "sipb") |
---|
| 84 | print checkLockerOwner("tabbott", "lsc") |
---|
| 85 | print checkLockerOwner("tabbott", "scripts") |
---|
| 86 | print checkLockerOwner("ecprice", "hmmt") |
---|