/usr/lib/python2.7/dist-packages/twext/python/sacl.py is in python-twext 0.1.b2.dev15059-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 | ##
# Copyright (c) 2005-2015 Apple Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
##
from __future__ import print_function
__all__ = [
"checkSACL"
]
from cffi import FFI, VerificationError
ffi = FFI()
definitions = """
typedef unsigned char uuid_t[16];
int mbr_check_service_membership(const uuid_t user, const char* servicename, int* ismember);
int mbr_user_name_to_uuid(const char* name, uuid_t uu);
int mbr_group_name_to_uuid(const char* name, uuid_t uu);
"""
ffi.cdef(definitions)
try:
lib = ffi.verify(
definitions,
libraries=[],
tag=__name__.replace(".", "_")
)
except VerificationError as ve:
raise ImportError(ve)
def checkSACL(userOrGroupName, serviceName):
"""
Check to see if a given user or group is a member of an OS X Server
service's access group. If userOrGroupName is an empty string, we
want to know if unauthenticated access is allowed for the given service.
@param userOrGroupName: the name of the user or group
@type userOrGroupName: C{unicode}
@param serviceName: the name of the service (e.g. calendar, addressbook)
@type serviceName: C{str}
@return: True if the user or group is allowed access to service
@rtype: C{bool}
"""
userOrGroupName = userOrGroupName.encode("utf-8")
prefix = "com.apple.access_"
uu = ffi.new("uuid_t")
# See if the access group exists. If it does not, then there are no
# restrictions
groupName = prefix + serviceName
groupMissing = lib.mbr_group_name_to_uuid(groupName, uu)
if groupMissing:
return True
# See if userOrGroupName matches a user
result = lib.mbr_user_name_to_uuid(userOrGroupName, uu)
if result:
# Not a user, try looking up a group of that name
result = lib.mbr_group_name_to_uuid(userOrGroupName, uu)
if result:
# Neither a user nor a group matches the name
return False
# See if the uuid is a member of the service access group
isMember = ffi.new("int *")
result = lib.mbr_check_service_membership(uu, serviceName, isMember)
if not result and isMember[0]:
return True
return False
|