X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/blobdiff_plain/e37dd15bbf8683bab8454ea0eec8e9968ce982b2..df4006d32d7e0af2cc6d03123bb083eb1fab704f:/code/getafsgroups.py?ds=sidebyside diff --git a/code/getafsgroups.py b/code/getafsgroups.py old mode 100644 new mode 100755 index 899de81..1c6b82e --- a/code/getafsgroups.py +++ b/code/getafsgroups.py @@ -1,6 +1,7 @@ #!/usr/bin/python import pprint import subprocess +from invirt.config import structs as config # import ldap # l = ldap.open("W92-130-LDAP-2.mit.edu") @@ -24,41 +25,49 @@ import subprocess # return True # return False -class MyException(Exception): +class AfsProcessError(Exception): pass def getAfsGroupMembers(group, cell): - p = subprocess.Popen(["pts", "membership", group, '-c', cell], + encrypt = True + for c in config.authz.afs.cells: + if c.cell == cell and hasattr(c, 'auth'): + encrypt = c.auth + if encrypt: + subprocess.check_call(['aklog', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + p = subprocess.Popen(["pts", "membership", "-encrypt" if encrypt else '-noauth', group, '-c', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE) - if p.wait(): - return [] + err = p.stderr.read() + if err: #Error code doesn't reveal missing groups, but stderr does + if err.startswith('pts: Permission denied ; unable to get membership of '): + return [] + raise AfsProcessError(err) return [line.strip() for line in p.stdout.readlines()[1:]] -def checkAfsGroup(user, group, cell): - """ - checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell - """ - return user in getAfsGroupMembers(group, cell) +def getLockerPath(locker): + if '/' in locker or locker in ['.', '..']: + raise AfsProcessError("Locker '%s' is invalid." % locker) + return '/mit/' + locker def getCell(locker): - p = subprocess.Popen(["fs", "whichcell", "/mit/" + locker], + p = subprocess.Popen(["fs", "whichcell", getLockerPath(locker)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) if p.wait(): - raise MyException(p.stderr.read()) + raise AfsProcessError(p.stderr.read()) return p.stdout.read().split()[-1][1:-1] def getLockerAcl(locker): - p = subprocess.Popen(["fs", "listacl", "/mit/" + locker], + p = subprocess.Popen(["fs", "listacl", getLockerPath(locker)], stdout=subprocess.PIPE, stderr=subprocess.PIPE) if p.wait(): - raise MyException(p.stderr.read()) + raise AfsProcessError(p.stderr.read()) lines = p.stdout.readlines() values = [] for line in lines[1:]: fields = line.split() if fields[0] == 'Negative': break - if 'rlidwka' in fields[1]: + if 'a' in fields[1]: values.append(fields[0]) return values @@ -72,22 +81,22 @@ def notLockerOwner(user, locker): try: cell = getCell(locker) values = getLockerAcl(locker) - except MyException, e: + except AfsProcessError, e: return str(e) for entry in values: - if entry == user or (entry[0:6] == "system" and - checkAfsGroup(user, entry, cell)): + if entry == user or (entry[0:6] == "system" and + user in getAfsGroupMembers(entry, cell)): return False - return "You don't have admin bits on /mit/" + locker + return "You don't have admin bits on " + getLockerPath(locker) if __name__ == "__main__": # print list(getldapgroups("tabbott")) - print checkAfsGroup("tabbott", "system:debathena", 'athena.mit.edu') - print checkAfsGroup("tabbott", "system:debathena", 'sipb.mit.edu') - print checkAfsGroup("tabbott", "system:debathena-root", 'athena.mit.edu') - print checkAfsGroup("tabbott", "system:hmmt-request", 'athena.mit.edu') + print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu') + print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu') + print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu') + print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu') print notLockerOwner("tabbott", "tabbott") print notLockerOwner("tabbott", "debathena") print notLockerOwner("tabbott", "sipb")