blob: bb53fdb1babd0124bf773f8c5c4046e2e999be77 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
import sudo
class SudoGroupPlugin(sudo.Plugin):
"""Example sudo input/output plugin
Demonstrates how to use the sudo group plugin API. Typing annotations are
just here for the help on the syntax (requires python >= 3.5).
On detailed description of the functions refer to sudo_plugin manual (man
sudo_plugin).
Most functions can express error or reject through their "int" return value
as documented in the manual. The sudo module also has constants for these:
sudo.RC.ACCEPT / sudo.RC.OK 1
sudo.RC.REJECT 0
sudo.RC.ERROR -1
sudo.RC.USAGE_ERROR -2
If the plugin encounters an error, instead of just returning sudo.RC.ERROR
result code it can also add a message describing the problem.
This can be done by raising the special exception:
raise sudo.PluginError("Message")
This added message will be used by the audit plugins.
If the function returns "None" (for example does not call return), it will
be considered sudo.RC.OK. If an exception other than sudo.PluginError is
raised, its backtrace will be shown to the user and the plugin function
returns sudo.RC.ERROR. If that is not acceptable, catch it.
"""
# -- Plugin API functions --
def query(self, user: str, group: str, user_pwd: tuple):
"""Query if user is part of the specified group.
Beware that user_pwd can be None if user is not present in the password
database. Otherwise it is a tuple convertible to pwd.struct_passwd.
"""
hardcoded_user_groups = {
"testgroup": ["testuser1", "testuser2"],
"mygroup": ["test"]
}
group_has_user = user in hardcoded_user_groups.get(group, [])
return sudo.RC.ACCEPT if group_has_user else sudo.RC.REJECT
|
