Changeset 413


Ignore:
Timestamp:
Apr 14, 2008, 12:44:00 AM (17 years ago)
Author:
ecprice
Message:

Resolve #69, by checking that administrators are either users or
groups in the athena cell.

Location:
trunk/packages/sipb-xen-www/code
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/packages/sipb-xen-www/code/cache_acls.py

    r410 r413  
    2929            return [name]
    3030        name = 'system:'+name
    31     return getafsgroups.getAfsGroupMembers(name, 'athena.mit.edu')
     31    try:
     32        return getafsgroups.getAfsGroupMembers(name, 'athena.mit.edu')
     33    except getafsgroups.AfsProcessError:
     34        return []
    3235
    3336def accessList(m):

  • trunk/packages/sipb-xen-www/code/getafsgroups.py

    r412 r413  
    2929
    3030def getAfsGroupMembers(group, cell):
    31     p = subprocess.Popen(["pts", "membership", group, '-c', cell],
     31    p = subprocess.Popen(["pts", "membership", "-noauth", group, '-c', cell],
    3232                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    33     if p.wait():
    34         return []
     33    err = p.stderr.read()
     34    if err: #Error code doesn't reveal missing groups, but stderr does
     35        raise AfsProcessError(err)
    3536    return [line.strip() for line in p.stdout.readlines()[1:]]
    3637
     
    3940        raise AfsProcessError("Locker '%s' is invalid." % locker)
    4041    return '/mit/' + locker
    41 
    42 def checkAfsGroup(user, group, cell):
    43     """
    44     checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell
    45     """
    46     return user in getAfsGroupMembers(group, cell)
    4742
    4843def getCell(locker):
     
    8277
    8378    for entry in values:
    84         if entry == user or (entry[0:6] == "system" and 
    85                                 checkAfsGroup(user, entry, cell)):
     79        if entry == user or (entry[0:6] == "system" and
     80                                user in getAfsGroupMembers(entry, cell)):
    8681            return False
    8782    return "You don't have admin bits on " + getLockerPath(locker)
     
    9085if __name__ == "__main__":
    9186#    print list(getldapgroups("tabbott"))
    92     print checkAfsGroup("tabbott", "system:debathena", 'athena.mit.edu')
    93     print checkAfsGroup("tabbott", "system:debathena", 'sipb.mit.edu')
    94     print checkAfsGroup("tabbott", "system:debathena-root", 'athena.mit.edu')
    95     print checkAfsGroup("tabbott", "system:hmmt-request", 'athena.mit.edu')
     87    print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu')
     88    print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu')
     89    print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu')
     90    print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu')
    9691    print notLockerOwner("tabbott", "tabbott")
    9792    print notLockerOwner("tabbott", "debathena")

  • trunk/packages/sipb-xen-www/code/validation.py

    r411 r413  
    159159            return admin
    160160        admin = 'system:' + admin
    161     if getafsgroups.checkAfsGroup(user, admin, 'athena.mit.edu'):
    162         return admin
    163     #XXX Should we require that user is in cache_acls.expandName(admin)?
     161    try:
     162        if user in getafsgroups.getAfsGroupMembers(admin, 'athena.mit.edu'):
     163            return admin
     164    except getafsgroups.AfsProcessError, e:
     165        raise InvalidInput('administrator', admin, str(e))
     166    #XXX Should we require that user is in the admin group?
    164167    return admin
    165168   
Note: See TracChangeset for help on using the changeset viewer.