From de7bf0cb591b27223089d408ba704d2d147bbfee Mon Sep 17 00:00:00 2001
From: Ricky Zhou
Date: Fri, 13 Mar 2009 18:24:24 -0400
Subject: [PATCH] Updated upload.cgi group check.
---
 scripts/upload.cgi/upload.cgi | 72 +++++++++++++----------------------
 1 file changed, 26 insertions(+), 46 deletions(-)
 mode change 100755 => 100644 scripts/upload.cgi/upload.cgi
diff --git a/scripts/upload.cgi/upload.cgi b/scripts/upload.cgi/upload.cgi
old mode 100755
new mode 100644
index 20e3798..74cb2bb
--- a/scripts/upload.cgi/upload.cgi
+++ b/scripts/upload.cgi/upload.cgi
@@ -16,9 +16,6 @@ import tempfile
 import StringIO
 import grp
-sys.path.append('/var/fedora-accounts')
-import website
-
 # reading buffer size
 BUFFER_SIZE = 4096
@@ -28,7 +25,8 @@ DEBUG = 0
 # We check modules exist from this dircetory
 CVSREPO = "/cvs/pkgs/rpms"
-do_userdb_auth = 1
+# Fedora Packager Group
+PACKAGER_GROUP = "packager"
 # log a trace of what we're doing
 def log_msg(*msgs):
@@ -61,9 +59,9 @@ def send_ok(text):
 # check and validate that all the fields are present
 def check_form(var):
 if not form.has_key(var):
- send_error("required field '%s' is not present" % (var,))
+ send_error("Required field '%s' is not present" % (var,))
 ret = form.getvalue(var)
- if type(ret) == type([]):
+ if type(ret) == list:
 send_error("Multiple values given for '%s'. Aborting" % (var,))
 ret = os.path.basename(ret) # this is a path component
 return ret
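Review bot: In the check_form hunk, `os.path.basename(ret)` is the only normalisation applied to a value the comment calls a path component, and basename leaves `..`, `.` and an empty string (input ending in a slash) unchanged. NAME is later formatted into `my_moddir`, so I would reject those values right after the basename call, e.g. `if ret in ('', '.', '..'): send_error("Invalid value for '%s'. Aborting" % (var,))`. On the changed line, `isinstance(ret, list)` is the more idiomatic spelling of `type(ret) == list`. This assumes send_error() ends the request; its body is outside the hunk.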
@@ -79,45 +77,23 @@ def check_dir(tmpdir, wok = os.W_OK):
 send_error("Path %s is not a directory." % (tmpdir,))
 return 1
-#
-# MAIN START
-#
-if do_userdb_auth:
- dbh = website.get_dbh()
-auth_username = auth_password = None
-need_auth = 1
+authenticated = False
+
 if os.environ.has_key('SSL_CLIENT_S_DN_CN'):
 auth_username = os.environ['SSL_CLIENT_S_DN_CN']
- need_auth = 0
-elif do_userdb_auth and 0:
- authtype, authinfo = website.get_http_auth_info()
-
- need_auth = 1
- auth_msg = "Authentication is required."
-
- if authinfo:
- if authtype.lower() == 'basic':
- need_auth = not website.do_checkpass(dbh, authinfo[0], authinfo[1])
- auth_username, auth_password = authinfo
- auth_msg = "Username or password incorrect."
- else:
- auth_msg = "Unknown authentication type %s" % authtype
+ if auth_username in grp.getgrnam(PACKAGER_GROUP)[3]:
+ authenticated = True
 pieces = os.environ['REQUEST_URI'].split('/')
 assert pieces[1] == 'repo'
-if do_userdb_auth:
- #need_auth = need_auth or not website.have_group(dbh, auth_username, 'cvs' + pieces[2])
- #need_auth = need_auth or not website.have_group(dbh, auth_username, 'packager')
- need_auth = need_auth or not auth_username in grp.getgrnam('packager')[3]
-auth_msg = "You do not have the appropriate authorization to upload. %s %s %s" % (dbh, auth_username, 'cvs' + pieces[2])
-if need_auth:
- print """Status: 403 Unauthorized to access the document
-WWW-authenticate: Basic realm="fedora.redhat.com"
+if not authenticated
+ print """Status: 403 Forbidden
 Content-type: text/plain
-""" + str(auth_msg)
- sys.exit(0)
+You must be in the %s group to upload.
+""" % PACKAGER_GROUP
+ sys.exit(0)
 form = cgi.FieldStorage()
 NAME = check_form("name")
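Review bot: The added `if not authenticated` line has no trailing colon as shown here, so the script would not compile and every request would fail before the group check runs; it should read `if not authenticated:`. `grp.getgrnam(PACKAGER_GROUP)` raises KeyError when the group cannot be resolved, which would surface as an unhandled traceback rather than the 403, and index `[3]` (gr_mem) lists supplementary members only, so an account whose primary group is the packager group may not appear in it; wrapping the lookup in `try`/`except KeyError` and leaving `authenticated` False on failure keeps the check fail-closed. The identity is taken from `SSL_CLIENT_S_DN_CN`, which is only trustworthy if the web server requires and verifies a client certificate for this path, and since that configuration is not visible here a comment stating the dependency would help. The context line `assert pieces[1] == 'repo'` is skipped under `python -O`, so an explicit comparison followed by send_error() would be safer.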
@@ -128,11 +104,11 @@ MD5SUM = check_form("md5sum")
 # In a submission, we don;t get a FILENAME, just the FILE.
 FILE = None
 FILENAME = None
+
 if form.has_key("filename"):
 # check the presence of the file
 FILENAME = check_form("filename")
- log_msg("Checking file status",
- "NAME=%s FILENAME=%s MD5SUM=%s" % (NAME,FILENAME,MD5SUM))
+ log_msg("Checking file status", "NAME=%s FILENAME=%s MD5SUM=%s" % (NAME,FILENAME,MD5SUM))
 else:
 if form.has_key("file"):
 FILE = form["file"]
@@ -144,14 +120,15 @@ else:
 send_error("Could not extract the filename for upload. Aborting")
 else:
 send_error("required field '%s' is not present" % ("file", ))
- log_msg("Processing upload request",
- "NAME=%s FILENAME=%s MD5SUM=%s" % (NAME,FILENAME,MD5SUM))
-# Now that all the fields are valid,, figure out our operating environment
+ log_msg("Processing upload request", "NAME=%s FILENAME=%s MD5SUM=%s" % (NAME,FILENAME,MD5SUM))
+
+# Now that all the fields are valid, figure out our operating environment
 if not os.environ.has_key("SCRIPT_FILENAME"):
 send_error("My running environment is funky. Aborting")
 # start processing this request
 my_script = os.environ["SCRIPT_FILENAME"]
+
 # the module's top level directory
 my_topdir = os.path.dirname(my_script)
 my_moddir = "%s/%s" % (my_topdir, NAME)
@@ -174,17 +151,17 @@ if os.access(file_dest, os.F_OK | os.R_OK):
 message = "Available"
 else:
 FILE.file.close()
- message = "File %s already exists\nFile: %s Size: %d" % (
- FILENAME, file_dest, s[stat.ST_SIZE])
+ message = "File %s already exists\nFile: %s Size: %d" % (FILENAME, file_dest, s[stat.ST_SIZE])
 send_ok(message)
 sys.exit(0)
+
 # just checking?
 if FILE is None:
 send_ok("Missing")
 sys.exit(-9)
-
+
 # check that all directories are in place
-for tmpdir in [ my_topdir, my_moddir, my_filedir, my_md5dir]:
+for tmpdir in [my_topdir, my_moddir, my_filedir, my_md5dir]:
 if not check_dir(tmpdir):
 # we agree to create this directory if the corresponding cvs module dir exists
 if tmpdir == my_moddir:
@@ -212,18 +189,21 @@ while 1: tmpfd.write(s) m.update(s) FILELENGTH = FILELENGTH + len(s) + # now we're done reading, check the MD5 sum of what we got tmpfd.close() my_md5sum = m.hexdigest() if MD5SUM != my_md5sum: send_error("MD5 check failed. Received %s instead of %s" % ( my_md5sum, MD5SUM)) + # wow, even the MD5SUM matches. make sure full path is valid now for tmpdir in [ my_moddir, my_filedir, my_md5dir ]: if not check_dir(tmpdir): os.mkdir(tmpdir, 02775) log_msg("mkdir", tmpdir) # and move our file to the final location + os.rename(tmpfile, file_dest) log_msg("Stored filesize", FILELENGTH, file_dest)