Catch AFS exceptions

[invirt/packages/xvm-authz-locker.git] / python / xvm / authz / locker.py

diff --git a/python/xvm/authz/locker.py b/python/xvm/authz/locker.py
index cbfc28a..5945ab6 100644 (file)
--- a/python/xvm/authz/locker.py
+++ b/python/xvm/authz/locker.py
@@ -3,6 +3,7 @@ import errno
 from afs import acl
 from afs import fs
 from afs import pts
+from afs import _util
 
 from invirt import common
 from invirt.config import structs as config
@@ -41,22 +42,19 @@ def expandOwner(name):
                 allowed.difference_update(_expandGroup(ent, cell=cell, auth=auth))
 
         return allowed
-    except OSError, e:
+    except (_util.AFSException, OSError), e:
         if e.errno in (errno.ENOENT, errno.EACCES):
             return []
         else:
             raise
 
 
-def expandAdmin(name, owner):
+def expandAdmin(name):
     """Expand an administrator to a list of authorized users.
 
-    Because the interpretation of an administrator might depend on the
-    owner, the owner is passed in as an argument.
-
-    However, in the case of locker-based authentication, the
-    administrator is always interpreted as an AFS entry (either a user
-    or a group) in the home cell (athena.mit.edu for XVM).
+    For locker-based authorization, the administrator is always
+    interpreted as an AFS entry (either a user or a group) in the
+    machine's home cell (athena.mit.edu for XVM).
     """
     cell = config.authz.afs.cells[0].cell
     auth = _authenticate(cell)
@@ -116,6 +114,13 @@ def _expandGroup(name, cell=None, auth=False):
             return set([ent.name])
         else:
             return set([x.name for x in ent.members])
+    except _util.AFSException, e:
+        if e.errno in (267268, # User or group doesn't exist
+                       267269  # Permission denied
+                       ):
+            return set()
+        else:
+            raise
     except OSError, e:
         if e.errno in (errno.ENOENT, errno.EACCESS):
             return set()