zephyr_mirror: Remove remaining AFS reads when restarting automatically.

This does introduce a small security issue, in that a shell with expired AFS tokens on the machine running the mirroring script will be able to read the Humbug API key using /proc/pid/environ. I think this is fine -- you can steal the API key from a running process using ptrace anyway. (imported from commit c6fdb798294fb32d640823b409f3e46274ca01f4)
2012-11-06 13:58:22 -05:00 · 2012-11-06 13:58:22 -05:00 · 66640aefc6
parent 45057fbf5d
commit 66640aefc6
1 changed files with 23 additions and 1 deletions
--- a/bots/zephyr_mirror.py
+++ b/bots/zephyr_mirror.py
@ -394,9 +394,17 @@ def humbug_to_zephyr(options):
                                       options={"mirror": 'zephyr_mirror'})

 def subscribed_to_mail_messages():
+    # In case we have lost our AFS tokens and those won't be able to
+    # parse the Zephyr subs file, first try reading in result of this
+    # query from the environment so we can avoid the filesystem read.
+    stored_result = os.environ.get("HUMBUG_FORWARD_MAIL_ZEPHYRS")
+    if stored_result is not None:
+        return stored_result == "True"
    for (cls, instance, recipient) in parse_zephyr_subs(verbose=False):
        if (cls.lower() == "mail" and instance.lower() == "inbox"):
+            os.environ["HUMBUG_FORWARD_MAIL_ZEPHYRS"] = "True"
            return True
+    os.environ["HUMBUG_FORWARD_MAIL_ZEPHYRS"] = "False"
    return False

 def add_humbug_subscriptions(verbose):
@ -562,7 +570,21 @@ if __name__ == "__main__":
                      action='store')
    (options, args) = parser.parse_args()

-    api_key = file(options.api_key_file).read().strip()
+    # In case this is an automated restart of the mirroring script,
+    # and we have lost AFS tokens, first try reading the API key from
+    # the environment so that we can skip doing a filesystem read.
+    if os.environ.get("HUMBUG_API_KEY") is not None:
+        api_key = os.environ.get("HUMBUG_API_KEY")
+    else:
+        if not os.path.exists(options.api_key_file):
+            print textwrap.wrap("Could not find API key file. " +
+                                "You need to either place your api key file at %s, " +
+                                "or specify the --api-key-file option." % (options.api_key_file))
+            sys.exit(1)
+        api_key = file(options.api_key_file).read().strip()
+        # Store the API key in the environment so that our children
+        # don't need to read it in
+        os.environ["HUMBUG_API_KEY"] = api_key

    import api.common
    humbug_client = api.common.HumbugAPI(email=options.user + "@mit.edu",