source: trunk/web/getafsgroups.py @ 242

Last change on this file since 242 was 236, checked in by ecprice, 17 years ago

Move out of the templates directory.

File size: 3.5 KB
RevLine 
[161]1#!/usr/bin/python
2import pprint
3import subprocess
4
5# import ldap
6# l = ldap.open("W92-130-LDAP-2.mit.edu")
7# # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
8# l.simple_bind_s("", "")
9
10# def getLdapGroups(user):
11#     """
12#     getLdapGroups(user): returns a generator for the list of LDAP groups containing user
13#     """
14#     for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
15#         for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
16#             yield group_data[1]['cn'][0]
17
18# def checkLdapGroups(user, group):
19#     """
20#     checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
21#     """
22#     for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
23#         if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
24#             return True
25#     return False
26
[234]27class MyException(Exception):
28    pass
29
30def getAfsGroupMembers(group, cell):
[177]31    p = subprocess.Popen(["pts", "membership", group, '-c', cell], 
32                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
33    if p.wait():
[234]34        return []
35    return [line.strip() for line in p.stdout.readlines()[1:]]
[161]36
[234]37def checkAfsGroup(user, group, cell):
[161]38    """
[234]39    checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell
40    """
41    return user in getAfsGroupMembers(group, cell)
[209]42
[234]43def getCell(locker):
[177]44    p = subprocess.Popen(["fs", "whichcell", "/mit/" + locker], 
45                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
46    if p.wait():
[234]47        raise MyException(p.stderr.read())
48    return p.stdout.read().split()[-1][1:-1]
49
50def getLockerAcl(locker):
[177]51    p = subprocess.Popen(["fs", "listacl", "/mit/" + locker], 
52                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
53    if p.wait():
[234]54        raise MyException(p.stderr.read())
55    lines = p.stdout.readlines()
56    values = []
57    for line in lines[1:]:
58        fields = line.split()
59        if fields[0] == 'Negative':
[161]60            break
[234]61        if 'rlidwka' in fields[1]:
62            values.append(fields[0])
63    return values
[161]64
[234]65def notLockerOwner(user, locker):
66    """
67    notLockerOwner(user, locker) returns false if and only if user administers locker.
[161]68
[234]69    If the user does not own the locker, returns the string reason for
70    the failure.
71    """
72    try:
73        cell = getCell(locker)
74        values = getLockerAcl(locker)
75    except MyException, e:
76        return str(e)
77
78    for entry in values:
79        if entry[0] == user or (entry[0][0:6] == "system" and 
80                                checkAfsGroup(user, entry[0], cell)):
81            return False
82    return "You don't have admin bits on /mit/" + locker
83
84
[161]85if __name__ == "__main__":
86#    print list(getldapgroups("tabbott"))
87    print checkAfsGroup("tabbott", "system:debathena", 'athena.mit.edu')
88    print checkAfsGroup("tabbott", "system:debathena", 'sipb.mit.edu')
89    print checkAfsGroup("tabbott", "system:debathena-root", 'athena.mit.edu')
90    print checkAfsGroup("tabbott", "system:hmmt-request", 'athena.mit.edu')
[234]91    print notLockerOwner("tabbott", "tabbott")
92    print notLockerOwner("tabbott", "debathena")
93    print notLockerOwner("tabbott", "sipb")
94    print notLockerOwner("tabbott", "lsc")
95    print notLockerOwner("tabbott", "scripts")
96    print notLockerOwner("ecprice", "hmmt")
Note: See TracBrowser for help on using the repository browser.