X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=sigcheck;h=6790836937b7667e28b545dffeee00b25469fa7c;hb=1b28ec823fdf02f3c7cd8caff9bacd0c92ff2f16;hp=f3c17f0faeb12b0c132233d949c2205afd0b5b36;hpb=7248a95ca36419e77915982d71370c6b45e0ddd9;p=mirror%2Fuserdir-ldap.git
diff --git a/sigcheck b/sigcheck
index f3c17f0..6790836 100755
--- a/sigcheck
+++ b/sigcheck
@@ -24,23 +24,25 @@
 # -m debian.org -a admin@db.debian.org \
 # -e /etc/userdir-ldap/templtes/error-reply -- test.sh
 
-import sys, traceback, time, os;
-import pwd, getopt;
+import sys, traceback, time, os
+import pwd, getopt
 import email, email.parser
-from userdir_gpg import *;
+from userdir_gpg import *
 
-EX_TEMPFAIL = 75;
-EX_PERMFAIL = 65; # EX_DATAERR
-Error = 'Message Error';
+EX_TEMPFAIL = 75
+EX_PERMFAIL = 65 # EX_DATAERR
 
 # Configuration
-ReplayCacheFile = None;
-LDAPDn = None;
-LDAPServer = None;
-GroupMember = None;
-Phrases = None;
-AllowMIME = 1;
-Verbose = 0;
+ReplayCacheFile = None
+LDAPDn = None
+LDAPServer = None
+GroupMember = None
+Phrases = None
+AllowMIME = 1
+Verbose = 0
+
+class MessageError(Exception):
+   pass
 
 def verbmsg(msg):
    if Verbose:
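Review bot: The new `MessageError` class carries no docstring, so a reader has to follow the bare `except:` at the end of the file to learn what raising it means. Every `MessageError` raised in this script lands in that handler, which logs the ErrMsg prefix plus the exception text to stderr and then exits with EX_PERMFAIL, so the class is effectively the script's "reject this message" signal; a one-line docstring such as `"""Raised when the signed message fails a check; reported to stderr and the message is rejected."""` would record that. The replacement of the string exception `Error` is otherwise consistent with the `raise MessageError(...)` call sites in the later hunks.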
@@ -48,42 +50,42 @@ def verbmsg(msg):
 
 # Match the key fingerprint against an LDAP directory
 def CheckLDAP(FingerPrint):
-   import ldap;
-   import userdir_ldap;
+   import ldap
+   import userdir_ldap
 
    # Connect to the ldap server
-   global ErrTyp, ErrMsg;
-   ErrType = EX_TEMPFAIL;
-   ErrMsg = "An error occurred while performing the LDAP lookup:";
-   global l;
-   l = userdir_ldap.connectLDAP(LDAPServer);
-   l.simple_bind_s("","");
+   global ErrTyp, ErrMsg
+   ErrType = EX_TEMPFAIL
+   ErrMsg = "An error occurred while performing the LDAP lookup:"
+   global l
+   l = userdir_ldap.connectLDAP(LDAPServer)
+   l.simple_bind_s("","")
 
    # Search for the matching key fingerprint
    verbmsg("Processing fingerprint %s" % FingerPrint)
-   Attrs = l.search_s(LDAPDn,ldap.SCOPE_ONELEVEL,"keyfingerprint=" + FingerPrint);
+   Attrs = l.search_s(LDAPDn,ldap.SCOPE_ONELEVEL,"keyfingerprint=" + FingerPrint)
    if len(Attrs) == 0:
-      raise Error, "Key not found"
+      raise MessageError("Key not found")
    if len(Attrs) != 1:
-      raise Error, "Oddly your key fingerprint is assigned to more than one account.."
+      raise MessageError("Oddly your key fingerprint is assigned to more than one account..")
 
-   gidnumber_found = 0;
+   gidnumber_found = 0
    for key in Attrs[0][1].keys():
       if (key == "gidNumber"):
          gidnumber_found = 1
    if (gidnumber_found != 1):
-      raise Error, "No gidnumber in attributes for fingerprint %s" % FingerPrint
+      raise MessageError("No gidnumber in attributes for fingerprint %s" % FingerPrint)
 
    # Look for the group with the gid of the user
    GAttr = l.search_s(LDAPDn,ldap.SCOPE_ONELEVEL,"(&(objectClass=debianGroup)(gidnumber=%s))" % Attrs[0][1]["gidNumber"][0], ["gid"])
    if len(GAttr) == 0:
-      raise Error, "Database inconsistency found: main group for account not found in database"
+      raise MessageError("Database inconsistency found: main group for account not found in database")
 
    # See if the group membership is OK
    # Only if a group was given on the commandline
-   if GroupMember != None:
-      Hit = 0;
+   if GroupMember is not None:
+      Hit = 0
       # Check primary group first
       if GAttr[0][1]["gid"][0] == GroupMember:
          Hit = 1
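Review bot: `global ErrTyp, ErrMsg` keeps the misspelled name, so the `ErrType = EX_TEMPFAIL` right below it binds a function-local that nothing reads, and an LDAP outage inside CheckLDAP never marks the failure as temporary at module level; the line should read `global ErrType, ErrMsg`. Today the effect is masked because the handler at the end of the file exits with EX_PERMFAIL regardless of ErrType, but the `global` statement is already being rewritten in this hunk and is the natural place to fix it. The filter on the `Attrs = l.search_s(...)` line is still built by concatenating FingerPrint; it arrives from the verified signature (`CheckLDAP(pgp.key_fpr)` after the `pgp.ok` check) and so should be plain hex, but passing it through `ldap.filter.escape_filter_chars(FingerPrint)` would make the search independent of that assumption. CheckLDAP continues past the end of this hunk.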
@@ -91,98 +93,98 @@ def CheckLDAP(FingerPrint):
       # Check supplementary groups
       for x in Attrs[0][1].get("supplementaryGid",[]):
          if x == GroupMember:
-            Hit = 1;
+            Hit = 1
       if Hit != 1:
-         raise Error, "You don't have %s group permissions."%(GroupMember);
+         raise MessageError("You don't have %s group permissions."%(GroupMember))
 
 # Start of main program
 
 # Process options
-(options, arguments) = getopt.getopt(sys.argv[1:], "r:k:d:l:g:mp:v");
+(options, arguments) = getopt.getopt(sys.argv[1:], "r:k:d:l:g:mp:v")
 for (switch, val) in options:
    if (switch == '-r'):
-      ReplayCacheFile = val;
+      ReplayCacheFile = val
    elif (switch == '-k'):
-      SetKeyrings(val.split(":"));
+      SetKeyrings(val.split(":"))
    elif (switch == '-d'):
-      LDAPDn = val;
+      LDAPDn = val
    elif (switch == '-l'):
-      LDAPServer = val;
+      LDAPServer = val
    elif (switch == '-g'):
-      GroupMember = val;
+      GroupMember = val
    elif (switch == '-m'):
-      AllowMIME = 0;
+      AllowMIME = 0
    elif (switch == '-v'):
-      Verbose = 1;
+      Verbose = 1
    elif (switch == '-p'):
-      Phrases = val;
+      Phrases = val
 
-Now = time.strftime("%a, %d %b %Y %H:%M:%S",time.gmtime(time.time()));
-ErrMsg = "Indeterminate Error";
-ErrType = EX_TEMPFAIL;
-MsgID = None;
+Now = time.strftime("%a, %d %b %Y %H:%M:%S",time.gmtime(time.time()))
+ErrMsg = "Indeterminate Error"
+ErrType = EX_TEMPFAIL
+MsgID = None
 try:
    # Startup the replay cache
-   ErrType = EX_TEMPFAIL;
-   if ReplayCacheFile != None:
-      ErrMsg = "Failed to initialize the replay cache:";
-      RC = ReplayCache(ReplayCacheFile);
+   ErrType = EX_TEMPFAIL
+   if ReplayCacheFile is not None:
+      ErrMsg = "Failed to initialize the replay cache:"
+      RC = ReplayCache(ReplayCacheFile)
 
    # Get the email
-   ErrType = EX_PERMFAIL;
-   ErrMsg = "Failed to understand the email or find a signature:";
-   mail = email.parser.Parser().parse(sys.stdin);
+   ErrType = EX_PERMFAIL
+   ErrMsg = "Failed to understand the email or find a signature:"
+   mail = email.parser.Parser().parse(sys.stdin)
    MsgID = mail["Message-ID"]
-   print "Inspecting message %s"%MsgID;
+   print "Inspecting message %s"%MsgID
    verbmsg("Processing message %s" % MsgID)
-   Msg = GetClearSig(mail,1);
+   Msg = GetClearSig(mail,1)
    if AllowMIME == 0 and Msg[1] != 0:
-      raise Error, "PGP/MIME disallowed";
+      raise MessageError("PGP/MIME disallowed")
    ErrMsg = "Message is not PGP signed:"
    if Msg[0].find("-----BEGIN PGP SIGNED MESSAGE-----") == -1:
-      raise Error, "No PGP signature";
+      raise MessageError("No PGP signature")
 
    # Check the signature
-   ErrMsg = "Unable to check the signature or the signature was invalid:";
+   ErrMsg = "Unable to check the signature or the signature was invalid:"
    pgp = GPGCheckSig2(Msg[0])
    if not pgp.ok:
-      raise UDFormatError, pgp.why
+      raise UDFormatError(pgp.why)
    if pgp.text is None:
-      raise UDFormatError, "Null signature text"
+      raise UDFormatError("Null signature text")
 
    # Check the signature against the replay cache
-   if ReplayCacheFile != None:
+   if ReplayCacheFile is not None:
       RC.process(pgp.sig_info)
 
    # Do LDAP stuff
-   if LDAPDn != None:
+   if LDAPDn is not None:
       CheckLDAP(pgp.key_fpr)
 
-   ErrMsg = "Verifying message:";
-   if Phrases != None:
-      F = open(Phrases,"r");
+   ErrMsg = "Verifying message:"
+   if Phrases is not None:
+      F = open(Phrases,"r")
       while 1:
-         Line = F.readline();
-         if Line == "": break;
+         Line = F.readline()
+         if Line == "": break
          if pgp.text.find(Line.strip()) == -1:
-            raise Error,"Phrase '%s' was not found" % (Line.strip())
+            raise MessageError("Phrase '%s' was not found" % (Line.strip()))
 
 except:
-   ErrMsg = "[%s] \"%s\" \"%s %s\"\n"%(Now,MsgID,ErrMsg,sys.exc_value);
-   sys.stderr.write(ErrMsg);
+   ErrMsg = "[%s] \"%s\" \"%s %s\"\n"%(Now,MsgID,ErrMsg,sys.exc_value)
+   sys.stderr.write(ErrMsg)
 
-   Trace = "==> %s: %s\n" %(sys.exc_type,sys.exc_value);
-   List = traceback.extract_tb(sys.exc_traceback);
+   Trace = "==> %s: %s\n" %(sys.exc_type,sys.exc_value)
+   List = traceback.extract_tb(sys.exc_traceback)
    if len(List) >= 1:
-      Trace = Trace + "Python Stack Trace:\n";
+      Trace = Trace + "Python Stack Trace:\n"
       for x in List:
-         Trace = Trace + " %s %s:%u: %s\n" %(x[2],x[0],x[1],x[3]);
-   #print Trace;
+         Trace = Trace + " %s %s:%u: %s\n" %(x[2],x[0],x[1],x[3])
+   #print Trace
 
-   sys.exit(EX_PERMFAIL);
+   sys.exit(EX_PERMFAIL)
 
 # For Main
-print "Message %s passed"%MsgID;
-sys.exit(0);
+print "Message %s passed"%MsgID
+sys.exit(0)
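Review bot: `sys.exit(EX_PERMFAIL)` in the `except:` handler discards ErrType, which the try block deliberately sets to EX_TEMPFAIL before the replay-cache initialisation and only switches to EX_PERMFAIL once the mail is being parsed, so a failure to open the replay cache (or, once the `global` typo in CheckLDAP is fixed, an LDAP outage) is reported to the calling MTA as a permanent data error rather than a retryable one; if that distinction is meant to be observable, `sys.exit(ErrType)` is the one-line change. The handler also still reads `sys.exc_type`, `sys.exc_value` and `sys.exc_traceback`, the Python 2-only spelling, while this commit moves the raise statements to the call form that both versions accept; `exc_type, exc_value, exc_tb = sys.exc_info()` at the top of the handler works on both and reads more clearly. Minor: `F = open(Phrases,"r")` is never closed; `with open(Phrases, "r") as F:` around the `while 1:` loop would release it on every exit path including the raise.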