X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap.git;a=blobdiff_plain;f=sigcheck;h=57c4a9034767831be1a3eec86c308a0d37614e3b;hp=848911e5e5b045b43d26d686cee08fd198a2f6cd;hb=a6fb69805c3999a85c064a96c93417bb1c284c5c;hpb=41b57e59986a3cea9a32d8940d9372bbd3b7f6d1 diff --git a/sigcheck b/sigcheck index 848911e..57c4a90 100755 --- a/sigcheck +++ b/sigcheck @@ -19,13 +19,13 @@ # -v Verbose mode # Typical Debian invokation may look like: -# ./gpgwrapper -k /usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-keyring.pgp \ +# sigcheck -k /usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-keyring.pgp \ # -d ou=users,dc=debian,dc=org -l db.debian.org \ # -m debian.org -a admin@db.debian.org \ # -e /etc/userdir-ldap/templtes/error-reply -- test.sh import sys, traceback, time, os; -import string, pwd, getopt; +import pwd, getopt; from userdir_gpg import *; EX_TEMPFAIL = 75; @@ -52,7 +52,7 @@ def CheckLDAP(FingerPrint): # Connect to the ldap server global ErrTyp, ErrMsg; ErrType = EX_TEMPFAIL; - ErrMsg = "An error occured while performing the LDAP lookup:"; + ErrMsg = "An error occurred while performing the LDAP lookup:"; global l; l = ldap.open(LDAPServer); l.simple_bind_s("",""); @@ -65,12 +65,31 @@ def CheckLDAP(FingerPrint): if len(Attrs) != 1: raise Error, "Oddly your key fingerprint is assigned to more than one account.." + gidnumber_found = 0; + for key in Attrs[0][1].keys(): + if (key == "gidNumber"): + gidnumber_found = 1 + + if (gidnumber_found != 1): + raise Error, "No gidnumber in attributes for fingerprint %s" % FingerPrint + + # Look for the group with the gid of the user + GAttr = l.search_s(LDAPDn,ldap.SCOPE_ONELEVEL,"(&(objectClass=debianGroup)(gidnumber=%s))" % Attrs[0][1]["gidNumber"][0], ["gid"]) + if len(GAttr) == 0: + raise Error, "Database inconsistency found: main group for account not found in database" + # See if the group membership is OK + # Only if a group was given on the commandline if GroupMember != None: Hit = 0; - for x in Attrs[0][1].get("supplementarygid",[]): - if x == GroupMember: - Hit = 1; + # Check primary group first + if GAttr[0][1]["gid"][0] == GroupMember: + Hit = 1 + else: + # Check supplementary groups + for x in Attrs[0][1].get("supplementaryGid",[]): + if x == GroupMember: + Hit = 1; if Hit != 1: raise Error, "You don't have %s group permissions."%(GroupMember); @@ -81,7 +100,7 @@ for (switch, val) in options: if (switch == '-r'): ReplayCacheFile = val; elif (switch == '-k'): - SetKeyrings(string.split(val,":")); + SetKeyrings(val.split(":")); elif (switch == '-d'): LDAPDn = val; elif (switch == '-l'): @@ -120,13 +139,13 @@ try: raise Error, "PGP/MIME disallowed"; ErrMsg = "Message is not PGP signed:" - if string.find(Msg[0],"-----BEGIN PGP SIGNED MESSAGE-----") == -1: + if Msg[0].find("-----BEGIN PGP SIGNED MESSAGE-----") == -1: raise Error, "No PGP signature"; # Check the signature ErrMsg = "Unable to check the signature or the signature was invalid:"; Res = GPGCheckSig(Msg[0]); - + if Res[0] != None: raise Error, Res[0]; @@ -140,6 +159,7 @@ try: if Rply != None: raise Error, Rply; RC.Add(Res[1]); + RC.close(); # Do LDAP stuff if LDAPDn != None: @@ -151,8 +171,8 @@ try: while 1: Line = F.readline(); if Line == "": break; - if string.find(Res[3],string.strip(Line)) == -1: - raise Error,"Phrase '%s' was not found"%(string.strip(Line)); + if Res[3].find(Line.strip()) == -1: + raise Error,"Phrase '%s' was not found" % (Line.strip()) except: ErrMsg = "[%s] \"%s\" \"%s %s\"\n"%(Now,MsgID,ErrMsg,sys.exc_value);