|
Koji buildservice |
8cda32 |
#!/usr/bin/env python
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
# Copyright (c) 2015, Thomas Oulevey <thomas.oulevey@cern.ch>
|
|
Koji buildservice |
8cda32 |
# All rights reserved.
|
|
Koji buildservice |
8cda32 |
#
|
|
Koji buildservice |
8cda32 |
# Redistribution and use in source and binary forms, with or without
|
|
Koji buildservice |
8cda32 |
# modification, are permitted provided that the following conditions are met:
|
|
Koji buildservice |
8cda32 |
#
|
|
Koji buildservice |
8cda32 |
# 1. Redistributions of source code must retain the above copyright notice, this
|
|
Koji buildservice |
8cda32 |
# list of conditions and the following disclaimer.
|
|
Koji buildservice |
8cda32 |
# 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
Koji buildservice |
8cda32 |
# this list of conditions and the following disclaimer in the documentation
|
|
Koji buildservice |
8cda32 |
# and/or other materials provided with the distribution.
|
|
Koji buildservice |
8cda32 |
#
|
|
Koji buildservice |
8cda32 |
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
|
Koji buildservice |
8cda32 |
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
Koji buildservice |
8cda32 |
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
Koji buildservice |
8cda32 |
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
|
|
Koji buildservice |
8cda32 |
# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
Koji buildservice |
8cda32 |
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
Koji buildservice |
8cda32 |
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
Koji buildservice |
8cda32 |
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
Koji buildservice |
8cda32 |
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
|
Koji buildservice |
8cda32 |
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
# This script reads from a file, group information generated by FAS and sync
|
|
Koji buildservice |
8cda32 |
# it with koji
|
|
Koji buildservice |
8cda32 |
# No command line argument, options are hardcoded at this time.
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
import koji
|
|
Koji buildservice |
8cda32 |
import os.path
|
|
Koji buildservice |
8cda32 |
import sys
|
|
Koji buildservice |
8cda32 |
from collections import defaultdict
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
KOJI_URL='http://localhost/kojihub'
|
|
Koji buildservice |
8cda32 |
CLIENT_CERT = os.path.expanduser('~/.koji/client.crt')
|
|
Koji buildservice |
8cda32 |
CLIENTCA_CERT = os.path.expanduser('~/.koji/clientca.crt')
|
|
Koji buildservice |
8cda32 |
SERVERCA_CERT = os.path.expanduser('~/.koji/serverca.crt')
|
|
Koji buildservice |
8cda32 |
USER = 'koji'
|
|
Koji buildservice |
8cda32 |
FASDUMP = '/etc/bsadmin/groups'
|
|
Koji buildservice |
8cda32 |
SYSTEM_USERS = ['koji', 'kojira']
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
def get_user_list():
|
|
Koji buildservice |
8cda32 |
users = [(x['name'],x['id']) for x in kojiclient.listUsers()]
|
|
Koji buildservice |
8cda32 |
return users if len(users) else None
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
def get_user(user):
|
|
Koji buildservice |
8cda32 |
user = kojiclient.getUser(user)
|
|
Koji buildservice |
8cda32 |
return user
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
def get_user_perms(user):
|
|
Koji buildservice |
8cda32 |
perms = kojiclient.getUserPerms(user[1])
|
|
Koji buildservice |
8cda32 |
return perms
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
def get_users_perms():
|
|
Koji buildservice |
8cda32 |
userlist = defaultdict(list)
|
|
Koji buildservice |
8cda32 |
for user in get_user_list():
|
|
Koji buildservice |
8cda32 |
userlist[user[0]] = get_user_perms(user)
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
return userlist if len(userlist) else None
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
def get_user_perms_from_file(user):
|
|
Koji buildservice |
8cda32 |
perms = get_users_perms_from_file()
|
|
Koji buildservice |
8cda32 |
return perms[user]
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
def get_all_defined_perms():
|
|
Koji buildservice |
8cda32 |
perms = []
|
|
Koji buildservice |
8cda32 |
for perm in kojiclient.getAllPerms():
|
|
Koji buildservice |
8cda32 |
perms.append(perm['name'])
|
|
Koji buildservice |
8cda32 |
return perms
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
def get_users_perms_from_file():
|
|
Koji buildservice |
8cda32 |
userlist = defaultdict(list)
|
|
Koji buildservice |
8cda32 |
try:
|
|
Koji buildservice |
8cda32 |
groups = open (FASDUMP, 'r')
|
|
Koji buildservice |
8cda32 |
except:
|
|
Koji buildservice |
8cda32 |
return None
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
for line in groups.readlines():
|
|
Koji buildservice |
8cda32 |
sig, users = line.strip('\n').split(':')
|
|
Koji buildservice |
8cda32 |
for user in users.replace(" ","").split(','):
|
|
Koji buildservice |
8cda32 |
perm="build-"+sig
|
|
Koji buildservice |
8cda32 |
userlist[user].append(perm)
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
return userlist if len(userlist) else None
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
def fix_permissions(new, old):
|
|
Koji buildservice |
8cda32 |
usernames = list(set(new)|set(old))
|
|
Koji buildservice |
8cda32 |
# Do not touch system users
|
|
Koji buildservice |
8cda32 |
usernames = [ u for u in usernames if u not in SYSTEM_USERS ]
|
|
Koji buildservice |
8cda32 |
for username in usernames:
|
|
Koji buildservice |
8cda32 |
togrant = list(set(new[username]) - set(old[username]))
|
|
Koji buildservice |
8cda32 |
torevoke = list(set(old[username]) - set(new[username]))
|
|
Koji buildservice |
8cda32 |
user = get_user(username)
|
|
Koji buildservice |
8cda32 |
if togrant or torevoke:
|
|
Koji buildservice |
8cda32 |
print "\n# user:%s\n# NEW perms:%s\n# OLD perms:%s \
|
|
Koji buildservice |
8cda32 |
\n# To grant:%s\n# To revoke:%s" \
|
|
Koji buildservice |
8cda32 |
% (user,new[username],old[username],togrant,torevoke)
|
|
Koji buildservice |
8cda32 |
if not user:
|
|
Koji buildservice |
8cda32 |
# Create user if it doesn't exist yet
|
|
Koji buildservice |
8cda32 |
user = kojiclient.createUser(username)
|
|
Koji buildservice |
8cda32 |
# Always grant "build" permission for building from srpm
|
|
Koji buildservice |
8cda32 |
kojiclient.grantPermission(username, 'build')
|
|
Koji buildservice |
8cda32 |
for perm in togrant:
|
|
Koji buildservice |
8cda32 |
if perm in get_all_defined_perms():
|
|
Koji buildservice |
8cda32 |
kojiclient.grantPermission(username, perm)
|
|
Koji buildservice |
8cda32 |
for perm in torevoke:
|
|
Koji buildservice |
8cda32 |
if perm in get_all_defined_perms():
|
|
Koji buildservice |
8cda32 |
kojiclient.revokePermission(username, perm)
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
if __name__ == '__main__':
|
|
Koji buildservice |
8cda32 |
try:
|
|
Koji buildservice |
8cda32 |
kojiclient = koji.ClientSession(KOJI_URL)
|
|
Koji buildservice |
8cda32 |
kojiclient.ssl_login(CLIENT_CERT, CLIENTCA_CERT, SERVERCA_CERT)
|
|
Koji buildservice |
8cda32 |
except:
|
|
Koji buildservice |
8cda32 |
print "Could not connect to koji API"
|
|
Koji buildservice |
8cda32 |
sys.exit(2)
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
fas_perms = get_users_perms_from_file()
|
|
Koji buildservice |
8cda32 |
koji_perms = get_users_perms()
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
if not fas_perms:
|
|
Koji buildservice |
8cda32 |
print "Could not read %s file." % FASDUMP
|
|
Koji buildservice |
8cda32 |
sys.exit(1)
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
if not koji_perms:
|
|
Koji buildservice |
8cda32 |
print "Could not read koji's user database"
|
|
Koji buildservice |
8cda32 |
sys.exit(2)
|
|
Koji buildservice |
8cda32 |
|
|
Koji buildservice |
8cda32 |
fix_permissions(fas_perms, koji_perms)
|
|
Koji buildservice |
8cda32 |
sys.exit(0)
|