#!/usr/bin/env ruby
# basic consistency check of the asf/pit authorization templates:
# - a group's name agrees with the LDAP query it is defined from
# - a reuse: alias refers to a group of the same name
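# Names allowed as bare (non-@group) principals in path rules even though they
# have no LDAP-backed group definition: service/role accounts plus a handful of
# individuals. Frozen so nothing can grow the allow-list at runtime.
ROLE_NAMES = %w[
  buildbot comdev_role projects_role spamassassin_role svn-role acrequser whimsysvn apezmlm
  puppetsvn apsiteread apsecmail smtpd svn rptremind comdev-svn openejb-tck staff
  sk clr uli nick jim upayavira cpluchino mostarda druggeri
  svn-site-role
].freeze
# Directory holding the authorization templates; the first command-line
# argument overrides the default puppet checkout location.
DIR = ARGV.first || '/srv/git/infrastructure-puppet/modules/subversion_server/files/authorization'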
def parse(file)
puts "Parsing #{file}"
section=''
names=Hash.new(0)
IO.foreach(file) { |x|
x.chomp!
next if x =~ /^(#| *$)/
section='groups' and next if x =~ /^\[groups\]$/
section='paths' and next if x =~ /^\[\/\]$/
if section == 'groups'
if x =~ /^(\w[^=]+)={ldap:cn=(\w[^,]+),([^}]+)}/
a,b,c = $1,$2,$3
names[a]+=1
suff=''
# ou=pmc only needed for tac and security now
if c =~ /^ou=pmc,ou=committees/ or c =~ /ou=project,[^;]+;attr=owner/
suff='-p?pmc'
end
ma=%r{^#{b}#{suff}$}
puts "Mis-matched names: #{x} #{a} != #{ma}" unless a =~ ma
# die
next
end
if x =~ /^(\w[^=]+)={reuse:(asf|pit)-authorization:(\w[^}]+)}$/
names[$1]+=1
puts "Mis-matched names: #{x} #{$1} != #{$3}" unless $1 == $3
next
end
if x =~ /^([-\w]+)=(\w.*)?$/
names[$1]+=1
next
end
elsif section == 'paths'
next if x =~ /^\[((asf:|infra:|private:|bigdata:)?\/\S*)\]$/ # [/path]
if x =~ /^(?:@(\S+)|\*|(\S+)) *= *r?w? *$/
if $1
puts "Undefined name: '#{$1}' in #{x}" unless names.has_key?($1)
next
end
next unless $2
next if ROLE_NAMES.include? $2
p "Unexpected name: #{x}"
next
end
else
p "Unexpected section: #{section}"
end
p "Unexpected line: #{x}"
}
names.each() do |k,v|
puts "Duplicate Key: #{k} Count: #{v}" unless v == 1
end
puts "Completed validation"
end
# Check both templates, asf first then pit, from the configured directory.
%w[asf pit].each do |flavour|
  parse("#{DIR}/#{flavour}-authorization-template")
end