#!/usr/bin/python
import pprint
import subprocess
+from invirt.config import structs as config
# import ldap
# l = ldap.open("W92-130-LDAP-2.mit.edu")
# return True
# return False
-class MyException(Exception):
+class AfsProcessError(Exception):
pass
def getAfsGroupMembers(group, cell):
- p = subprocess.Popen(["pts", "membership", group, '-c', cell],
+ encrypt = True
+ for c in config.authz.afs.cells:
+ if c.cell == cell and hasattr(c, 'auth'):
+ encrypt = c.auth
+ if encrypt:
+ subprocess.check_call(['aklog', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ p = subprocess.Popen(["pts", "membership", "-encrypt" if encrypt else '-noauth', group, '-c', cell],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- if p.wait():
- return []
+ err = p.stderr.read()
+ if err: #Error code doesn't reveal missing groups, but stderr does
+ if err.startswith('pts: Permission denied ; unable to get membership of '):
+ return []
+ raise AfsProcessError(err)
return [line.strip() for line in p.stdout.readlines()[1:]]
-def checkAfsGroup(user, group, cell):
- """
- checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell
- """
- return user in getAfsGroupMembers(group, cell)
+def getLockerPath(locker):
+ if '/' in locker or locker in ['.', '..']:
+ raise AfsProcessError("Locker '%s' is invalid." % locker)
+ return '/mit/' + locker
def getCell(locker):
- p = subprocess.Popen(["fs", "whichcell", "/mit/" + locker],
+ p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if p.wait():
- raise MyException(p.stderr.read())
+ raise AfsProcessError(p.stderr.read())
return p.stdout.read().split()[-1][1:-1]
def getLockerAcl(locker):
- p = subprocess.Popen(["fs", "listacl", "/mit/" + locker],
+ p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if p.wait():
- raise MyException(p.stderr.read())
+ raise AfsProcessError(p.stderr.read())
lines = p.stdout.readlines()
values = []
for line in lines[1:]:
fields = line.split()
if fields[0] == 'Negative':
break
- if 'rlidwka' in fields[1]:
+ if 'a' in fields[1]:
values.append(fields[0])
return values
try:
cell = getCell(locker)
values = getLockerAcl(locker)
- except MyException, e:
+ except AfsProcessError, e:
return str(e)
for entry in values:
- if entry == user or (entry[0:6] == "system" and
- checkAfsGroup(user, entry, cell)):
+ if entry == user or (entry[0:6] == "system" and
+ user in getAfsGroupMembers(entry, cell)):
return False
- return "You don't have admin bits on /mit/" + locker
+ return "You don't have admin bits on " + getLockerPath(locker)
if __name__ == "__main__":
# print list(getldapgroups("tabbott"))
- print checkAfsGroup("tabbott", "system:debathena", 'athena.mit.edu')
- print checkAfsGroup("tabbott", "system:debathena", 'sipb.mit.edu')
- print checkAfsGroup("tabbott", "system:debathena-root", 'athena.mit.edu')
- print checkAfsGroup("tabbott", "system:hmmt-request", 'athena.mit.edu')
+ print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu')
+ print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu')
+ print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu')
+ print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu')
print notLockerOwner("tabbott", "tabbott")
print notLockerOwner("tabbott", "debathena")
print notLockerOwner("tabbott", "sipb")
projects / invirt/packages/invirt-web.git / blobdiff