From ab9b6db10f47351659f37b0d75acfad2d40d2493 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sun, 19 Sep 2010 01:01:54 +0200
Subject: [PATCH] Teach ud-generate about host ACLs that expire

---
 UDLdap.py | 20 ++++++++++++++++++++
 ud-generate | 2 +-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/UDLdap.py b/UDLdap.py
index 0155345..97fd2fb 100644
--- a/UDLdap.py
+++ b/UDLdap.py
@@ -1,6 +1,8 @@
 import ldap
 import time
+import datetime
 import userdir_ldap
+import sys
 
 class Account:
     array_values = ['objectClass', 'keyFingerPrint', 'mailWhitelist', 'mailRBL',
@@ -108,6 +110,24 @@ class Account:
         tokens.append(mailbox)
         return ' '.join(tokens)
 
+    def is_allowed_by_hostacl(self, host):
+        if not 'allowedHost' in self: return False
+        if host in self['allowedHost']: return True
+        # or maybe it's a date limited ACL
+        for entry in self['allowedHost']:
+            list = entry.split(None,1)
+            if len(list) == 1: continue
+            (h, expire) = list
+            if host != h: continue
+            try:
+                parsed = datetime.datetime.strptime(expire, '%Y%m%d')
+            except ValueError:
+                print >>sys.stderr, "Cannot parse expiry date in '%s' in hostACL entry for %s."%(entry, self['uid'])
+                return False
+            return parsed >= datetime.datetime.now()
+        return False
+
+
 # vim:set et:
 # vim:set ts=4:
 # vim:set shiftwidth=4:
diff --git a/ud-generate b/ud-generate
index 76d8179..af277ea 100755
--- a/ud-generate
+++ b/ud-generate
@@ -137,7 +137,7 @@ def IsInGroup(account):
    if str(account['gidNumber']) in Allowed: return True
 
    # Check the host based ACL
-   if 'allowedHost' in account and CurrentHost in account['allowedHost']: return True
+   if account.is_allowed_by_hostacl(CurrentHost): return True
 
    # See if there are supplementary groups
    if not 'supplementaryGid' in account: return False
-- 
2.20.1
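Review bot: The loop in is_allowed_by_hostacl returns on the first entry whose host matches, so an account holding two date-limited entries for the same host (one expired, one still valid) is denied whenever the expired one is listed first; the expiry test should keep scanning rather than return, `if parsed >= datetime.datetime.now(): return True`, leaving the trailing `return False` to cover the no-valid-entry case. `list = entry.split(None,1)` shadows the builtin and `fields` would read better. The comparison makes the expiry date exclusive — the entry stops granting at local midnight at the start of that day, and `now()` is local time — which deserves a docstring such as `"""Return True if host is granted by an allowedHost entry, either bare or 'host YYYYMMDD' with the date not yet reached."""` if that is the intended semantics. Both the exact-match test and the loop assume self['allowedHost'] is a list; if that attribute is not in array_values (the list is cut off in the first hunk), the `in` test degrades to a substring match and the loop iterates characters, so that is worth confirming.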
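Review bot: The new check in IsInGroup calls a method on `account`, so every caller must now pass an Account instance rather than the dict-like value the old `'allowedHost' in account` test accepted; IsInGroup's body begins before this hunk, so its callers are not visible here. If some path still hands in a raw LDAP result, the lookup fails with AttributeError instead of simply denying access, which is worth confirming. A one-line comment such as `# also honours 'host YYYYMMDD' entries whose date has not yet been reached` would record at this line that the ACL semantics changed.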