xenofem/python-zulip-api
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

zephyr_mirror: Remove remaining AFS reads when restarting automatically.

Browse source 
This does introduce a small security issue, in that a shell with
expired AFS tokens on the machine running the mirroring script will be
able to read the Humbug API key using /proc/pid/environ.  I think this
is fine -- you can steal the API key from a running process using
ptrace anyway.

(imported from commit c6fdb798294fb32d640823b409f3e46274ca01f4)
This commit is contained in:
Tim Abbott 2012-11-06 13:58:22 -05:00
parent 45057fbf5d
commit 66640aefc6
1 changed files with 23 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

22
bots/zephyr_mirror.py
View file

@ -394,9 +394,17 @@ def humbug_to_zephyr(options):
options={"mirror": 'zephyr_mirror'}) options={"mirror": 'zephyr_mirror'})
def subscribed_to_mail_messages(): def subscribed_to_mail_messages():
# In case we have lost our AFS tokens and those won't be able to
# parse the Zephyr subs file, first try reading in result of this
# query from the environment so we can avoid the filesystem read.
stored_result = os.environ.get("HUMBUG_FORWARD_MAIL_ZEPHYRS")
if stored_result is not None:
return stored_result == "True"
for (cls, instance, recipient) in parse_zephyr_subs(verbose=False): for (cls, instance, recipient) in parse_zephyr_subs(verbose=False):
if (cls.lower() == "mail" and instance.lower() == "inbox"): if (cls.lower() == "mail" and instance.lower() == "inbox"):
os.environ["HUMBUG_FORWARD_MAIL_ZEPHYRS"] = "True"
return True return True
os.environ["HUMBUG_FORWARD_MAIL_ZEPHYRS"] = "False"
return False return False
def add_humbug_subscriptions(verbose): def add_humbug_subscriptions(verbose):
@ -562,7 +570,21 @@ if __name__ == "__main__":
action='store') action='store')
(options, args) = parser.parse_args() (options, args) = parser.parse_args()
# In case this is an automated restart of the mirroring script,
# and we have lost AFS tokens, first try reading the API key from
# the environment so that we can skip doing a filesystem read.
if os.environ.get("HUMBUG_API_KEY") is not None:
api_key = os.environ.get("HUMBUG_API_KEY")
else:
if not os.path.exists(options.api_key_file):
print textwrap.wrap("Could not find API key file. " +
"You need to either place your api key file at %s, " +
"or specify the --api-key-file option." % (options.api_key_file))
sys.exit(1)
api_key = file(options.api_key_file).read().strip() api_key = file(options.api_key_file).read().strip()
# Store the API key in the environment so that our children
# don't need to read it in
os.environ["HUMBUG_API_KEY"] = api_key
import api.common import api.common
humbug_client = api.common.HumbugAPI(email=options.user + "@mit.edu", humbug_client = api.common.HumbugAPI(email=options.user + "@mit.edu",