diff options
Diffstat (limited to 'plugins/python/example_group_plugin.py')
-rw-r--r-- | plugins/python/example_group_plugin.py | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/plugins/python/example_group_plugin.py b/plugins/python/example_group_plugin.py new file mode 100644 index 0000000..bb53fdb --- /dev/null +++ b/plugins/python/example_group_plugin.py @@ -0,0 +1,45 @@ +import sudo + + +class SudoGroupPlugin(sudo.Plugin): + """Example sudo input/output plugin + + Demonstrates how to use the sudo group plugin API. Typing annotations are + just here for the help on the syntax (requires python >= 3.5). + + On detailed description of the functions refer to sudo_plugin manual (man + sudo_plugin). + + Most functions can express error or reject through their "int" return value + as documented in the manual. The sudo module also has constants for these: + sudo.RC.ACCEPT / sudo.RC.OK 1 + sudo.RC.REJECT 0 + sudo.RC.ERROR -1 + sudo.RC.USAGE_ERROR -2 + + If the plugin encounters an error, instead of just returning sudo.RC.ERROR + result code it can also add a message describing the problem. + This can be done by raising the special exception: + raise sudo.PluginError("Message") + This added message will be used by the audit plugins. + + If the function returns "None" (for example does not call return), it will + be considered sudo.RC.OK. If an exception other than sudo.PluginError is + raised, its backtrace will be shown to the user and the plugin function + returns sudo.RC.ERROR. If that is not acceptable, catch it. + """ + + # -- Plugin API functions -- + def query(self, user: str, group: str, user_pwd: tuple): + """Query if user is part of the specified group. + + Beware that user_pwd can be None if user is not present in the password + database. Otherwise it is a tuple convertible to pwd.struct_passwd. + """ + hardcoded_user_groups = { + "testgroup": ["testuser1", "testuser2"], + "mygroup": ["test"] + } + + group_has_user = user in hardcoded_user_groups.get(group, []) + return sudo.RC.ACCEPT if group_has_user else sudo.RC.REJECT |