#!/usr/bin/python
+import cache_acls
import getafsgroups
import re
import string
-from sipb_xen_database import Machine, NIC
+from sipb_xen_database import Machine, NIC, Type
from webcommon import InvalidInput, g
MAX_MEMORY_TOTAL = 512
def haveAccess(user, machine):
"""Return whether a user has administrative access to a machine"""
- if user in (machine.administrator, machine.owner):
- return True
- if getafsgroups.checkAfsGroup(user, machine.administrator,
- 'athena.mit.edu'): #XXX Cell?
- return True
- if not getafsgroups.notLockerOwner(user, machine.owner):
- return True
- return owns(user, machine)
+ return user in cache_acls.accessList(machine)
def owns(user, machine):
"""Return whether a user owns a machine"""
- return not getafsgroups.notLockerOwner(user, machine.owner)
+ return user in expandLocker(machine.owner)
def validMachineName(name):
"""Check that name is valid for a machine name"""
raise InvalidInput('disk', disk,
"Minimum %s GiB" % MIN_DISK_SINGLE)
return disk
-
+
+def validVmType(vm_type):
+ if vm_type == 'hvm':
+ return Type.get('linux-hvm')
+ elif vm_type == 'paravm':
+ return Type.get('linux')
+ else:
+ raise CodeError("Invalid vm type '%s'" % vm_type)
+
def testMachineId(user, machine_id, exists=True):
"""Parse, validate and check authorization for a given user and machine.
return machine
def testAdmin(user, admin, machine):
+ """Determine whether a user can set the admin of a machine to this value.
+
+ Return the value to set the admin field to (possibly 'system:' +
+ admin). XXX is modifying this a good idea?
+ """
if admin in (None, machine.administrator):
return None
if admin == user:
return admin
- if getafsgroups.checkAfsGroup(user, admin, 'athena.mit.edu'):
- return admin
- if getafsgroups.checkAfsGroup(user, 'system:'+admin,
- 'athena.mit.edu'):
- return 'system:'+admin
+ if ':' not in admin:
+ if cache_acls.isUser(admin):
+ return admin
+ admin = 'system:' + admin
+ try:
+ if user in getafsgroups.getAfsGroupMembers(admin, 'athena.mit.edu'):
+ return admin
+ except getafsgroups.AfsProcessError, e:
+ errmsg = str(e)
+ if errmsg.startswith("pts: User or group doesn't exist"):
+ errmsg = 'The group "%s" does not exist.' % admin
+ raise InvalidInput('administrator', admin, errmsg)
+ #XXX Should we require that user is in the admin group?
return admin
def testOwner(user, owner, machine=None):
+ """Determine whether a user can set the owner of a machine to this value.
+
+ If machine is None, this is the owner of a new machine.
+ """
if owner == user or machine is not None and owner == machine.owner:
return owner
if owner is None:
raise InvalidInput('owner', owner, "Owner must be specified")
- value = getafsgroups.notLockerOwner(user, owner)
- if not value:
- return owner
- raise InvalidInput('owner', owner, value)
+ try:
+ if user not in cache_acls.expandLocker(owner):
+ raise InvalidInput('owner', owner, 'You do not have access to the '
+ + owner + ' locker')
+ except getafsgroups.AfsProcessError, e:
+ raise InvalidInput('owner', owner, str(e))
+ return owner
def testContact(user, contact, machine=None):
if contact in (None, machine.contact):
projects / invirt/packages/invirt-web.git / blobdiff