1
import sudo
2

3

4
class SudoGroupPlugin(sudo.Plugin):
5
    """Example sudo input/output plugin
6

7
    Demonstrates how to use the sudo group plugin API. Typing annotations are
8
    just here for the help on the syntax (requires python >= 3.5).
9

10
    On detailed description of the functions refer to sudo_plugin manual (man
11
    sudo_plugin).
12

13
    Most functions can express error or reject through their "int" return value
14
    as documented in the manual. The sudo module also has constants for these:
15
        sudo.RC.ACCEPT / sudo.RC.OK  1
16
        sudo.RC.REJECT               0
17
        sudo.RC.ERROR               -1
18
        sudo.RC.USAGE_ERROR         -2
19

20
    If the plugin encounters an error, instead of just returning sudo.RC.ERROR
21
    result code it can also add a message describing the problem.
22
    This can be done by raising the special exception:
23
        raise sudo.PluginError("Message")
24
    This added message will be used by the audit plugins.
25

26
    If the function returns "None" (for example does not call return), it will
27
    be considered sudo.RC.OK. If an exception other than sudo.PluginError is
28
    raised, its backtrace will be shown to the user and the plugin function
29
    returns sudo.RC.ERROR. If that is not acceptable, catch it.
30
    """
31

32
    # -- Plugin API functions --
33
    def query(self, user: str, group: str, user_pwd: tuple):
34
        """Query if user is part of the specified group.
35

36
        Beware that user_pwd can be None if user is not present in the password
37
        database. Otherwise it is a tuple convertible to pwd.struct_passwd.
38
        """
39
        hardcoded_user_groups = {
40
            "testgroup": ["testuser1", "testuser2"],
41
            "mygroup": ["test"]
42
        }
43

44
        group_has_user = user in hardcoded_user_groups.get(group, [])
45
        return sudo.RC.ACCEPT if group_has_user else sudo.RC.REJECT
46

47