4 from invirt.config import structs as config
7 # l = ldap.open("W92-130-LDAP-2.mit.edu")
8 # # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
9 # l.simple_bind_s("", "")
11 # def getLdapGroups(user):
13 # getLdapGroups(user): returns a generator for the list of LDAP groups containing user
15 # for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
16 # for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
17 # yield group_data[1]['cn'][0]
19 # def checkLdapGroups(user, group):
21 # checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
23 # for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
24 # if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
28 class AfsProcessError(Exception):
31 def getAfsGroupMembers(group, cell):
33 for c in config.authz.cells:
34 if c.cell == cell and hasattr(c, 'auth'):
37 subprocess.check_call(['aklog', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
38 p = subprocess.Popen(["pts", "membership", "-encrypt" if encrypt else '-noauth', group, '-c', cell],
39 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
41 if err: #Error code doesn't reveal missing groups, but stderr does
42 if err.startswith('pts: Permission denied ; unable to get membership of '):
44 raise AfsProcessError(err)
45 return [line.strip() for line in p.stdout.readlines()[1:]]
47 def getLockerPath(locker):
48 if '/' in locker or locker in ['.', '..']:
49 raise AfsProcessError("Locker '%s' is invalid." % locker)
50 return '/mit/' + locker
53 p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)],
54 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
56 raise AfsProcessError(p.stderr.read())
57 return p.stdout.read().split()[-1][1:-1]
59 def getLockerAcl(locker):
60 p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)],
61 stdout=subprocess.PIPE, stderr=subprocess.PIPE)
63 raise AfsProcessError(p.stderr.read())
64 lines = p.stdout.readlines()
66 for line in lines[1:]:
68 if fields[0] == 'Negative':
71 values.append(fields[0])
74 def notLockerOwner(user, locker):
76 notLockerOwner(user, locker) returns false if and only if user administers locker.
78 If the user does not own the locker, returns the string reason for
82 cell = getCell(locker)
83 values = getLockerAcl(locker)
84 except AfsProcessError, e:
88 if entry == user or (entry[0:6] == "system" and
89 user in getAfsGroupMembers(entry, cell)):
91 return "You don't have admin bits on " + getLockerPath(locker)
94 if __name__ == "__main__":
95 # print list(getldapgroups("tabbott"))
96 print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu')
97 print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu')
98 print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu')
99 print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu')
100 print notLockerOwner("tabbott", "tabbott")
101 print notLockerOwner("tabbott", "debathena")
102 print notLockerOwner("tabbott", "sipb")
103 print notLockerOwner("tabbott", "lsc")
104 print notLockerOwner("tabbott", "scripts")
105 print notLockerOwner("ecprice", "hmmt")