Context Navigation

source: LATMOS-Accounts/lib/LATMOS/Accounts/Acls.pm @ 480

Visit:

Last change on this file since 480 was 480, checked in by nanardon, 15 years ago
revert previous commit
File size: 6.0 KB

Line
1	package LATMOS::Accounts::Acls;
2
3	use strict;
4	use warnings;
5	use LATMOS::Accounts::Log;
6
7	our $VERSION = (q$Rev: 330 $ =~ /^Rev: (\d+) /)[0];
8
9	sub new {
10	my ($class, $file) = @_;
11	my $acls = bless(
12	{
13	_acls => []
14	}, $class
15	);
16	if ($file) {
17	$acls->read_acl_file($file) or return;
18	}
19	$acls
20	}
21
22	=head1 ACL FILE FORMAT
23
24	OBJ_TYPE.ATTRIBUTE
25	USER: read,write
26	USER2: read
27
28	=over 4
29
30	=item OBJ_TYPE is the type the object, '*' match all
31
32	=item ATTRIBUTE is either an attribute, either an comma separate attribute
33	enclose into bracket, either a '*' to match any attribute.
34
35	Special keyword C<CREATE> and C<DELETE> can be used to allow or deny object
36	creation and deletion. In this case USER in form C<$...> and read permission
37	have no effect (see below). C<*> do not include C<CREATE> and C<DELETE> action.
38
39	=item USER can be
40
41	=over 4
42
43	=item a username
44
45	=item group, prefixed by a '%'
46
47	=item an attribute of the accessed object which should contains the username,
48	prefixed by '$'
49
50	=item C<*> to math any user
51
52	=item @authenticated or @anonymous for any authenticated user and non
53	authenticated user ('*' include both)
54
55	=back
56
57	=item Permission are read and or write, or deny.
58
59	=back
60
61	ACL are applied in the order they appear in the file.
62
63	=cut
64
65	sub read_acl_file {
66	my ($self, $file) = @_;
67
68	my $acl;
69	my $line_nb = 0;
70	my $prevline = "";
71	if (open(my $handle, '<', $file)) {
72	while(my $realline = <$handle>) {
73	$line_nb++;
74	chomp($realline);
75	if ($realline =~ /\\$/) {
76	# continuation line
77	$prevline .= $realline;
78	$prevline =~ s/\s*\\$//;
79	next;
80	}
81	my $line = $prevline . $realline; # keep track to report malformed file
82	$prevline = "";
83	$line =~ s/\s#.//;
84	if ($line =~ /^(\S.*)/) {
85	if ($acl) {
86	push(@{$self->{_acls}}, $acl);
87	}
88	$acl = LATMOS::Accounts::Acls::acl->new($1) or do {
89	la_log(LA_ERR, "Error in %s at line %d", $file,
90	$line_nb);
91	return;
92	};
93	} elsif ($line =~ /^\s+(\S.*)/) {
94	if ($acl) {
95	$acl->add_perm($line) or do {
96	la_log(LA_ERR, "Error in %s at line %d", $file,
97	$line_nb);
98	return;
99	};
100	} else {
101	# err no acl
102	return;
103	}
104	} elsif ($line =~ /^\s*$/) {
105	# just empty line
106	} else {
107	}
108	}
109	if ($acl) {
110	push(@{$self->{_acls}}, $acl);
111	}
112	} else {
113	la_log(LA_ERR, "Cannot open acl file %s", $file);
114	return;
115	}
116	1;
117	}
118
119	sub add {
120	my ($self, $obj, $list) = @_;
121	my $acl = LATMOS::Accounts::Acls::acl->new(
122	$obj, $list) or return;
123	push(@{$self->{_acls}}, $acl);
124	return 1;
125	}
126
127	sub check {
128	my ($self, $obj, $attr, $perm, $who, $groups) = @_;
129	foreach my $acl (@{$self->{_acls}}) {
130	my $res = $acl->match($obj, $attr, $perm, $who, $groups);
131	defined($res) and return $res;
132	}
133	return 0;
134	}
135
136	sub dump {
137	my ($self) = @_;
138	foreach my $acl (@{$self->{_acls}}) {
139	print $acl->dump, "\n";
140	}
141	}
142
143	package LATMOS::Accounts::Acls::acl;
144	use strict;
145	use warnings;
146
147	sub new {
148	my ($class, $objdotatt, $list) = @_;
149	my ($obj, $attr) = $objdotatt =~ /^([^.]+)\.(.*)/ or return;
150	my @attrs = ($attr =~ /^\{(.*)\}$/)
151	? (split(/\s,\s/, $1))
152	: ($attr);
153	@attrs or return;
154	my $acl = {
155	obj => lc($obj),
156	attr => [ map { lc } @attrs ],
157	users => [], # user->{r} = 1
158	};
159	bless($acl, $class);
160	foreach my $k (@{ $list \|\| [] }) {
161	$acl->add_perm($k) or return;
162	}
163	$acl
164	}
165
166	sub add_perm {
167	my ($self, $perm) = @_;
168	my ($username, $perms) = $perm =~ /^\s(\S):\s(.)$/;
169	$username && $perms or return;
170	my $user = { user => $username };
171	foreach (split(/\s,\s/, $perms)) {
172	/^read$/i and do { $user->{r} = 1; next; };
173	/^write$/i and do { $user->{w} = 1; next; };
174	/^deny$/i and do {
175	# reseting...
176	$user->{r} = 0;
177	$user->{w} = 0;
178	last; # we end here, life is hard
179	};
180	return;
181	}
182	push(@{$self->{users}}, $user);
183	1
184	}
185
186	sub match {
187	my ($self, $obj, $attr, $perm, $who, $groups) = @_;
188	my $objtype = ref $obj ? lc($obj->type) : $obj;
189	$attr = lc($attr);
190	if (!($self->{obj} eq '*' \|\| $self->{obj} eq $objtype)) {
191	return
192	}
193	grep { ($_ !~ /^(CREATE\|DELETE)$/ && $_ eq '*') \|\| $_ eq $attr } @{$self->{attr}} or return;
194
195	foreach my $u (@{ $self->{users} }) {
196	if (substr($u->{user}, 0, 1) eq '$') { # check attr content
197	if (ref $obj) {
198	my $attribute = substr($u->{user}, 1);
199	my $val = $obj->_get_c_field($attribute);
200	my @vals = ref $val ? (@{ $val }) : ($val);
201	return ($u->{$perm} \|\| 0) if (grep { $_ eq $who } @vals);
202	}
203	} elsif (substr($u->{user}, 0, 1) eq '%') { # group
204	my $group = substr($u->{user}, 1);
205	return ($u->{$perm} \|\| 0) if (grep { $group eq $_ } @{$groups \|\|[]});
206	} elsif ($u->{user} eq '*' \|\| $u->{user} eq $who) {
207	return $u->{$perm} \|\| 0;
208	} elsif (lc($u->{user}) eq '@authenticated' && $who) {
209	return $u->{$perm} \|\| 0;
210	} elsif (lc($u->{user}) eq '@anonymous' && $who eq "") {
211	return $u->{$perm} \|\| 0;
212	}
213	}
214	return;
215	}
216
217	sub dump {
218	my ($self) = @_;
219	my $dump = sprintf("%s.{%s}\n", $self->{obj}, join(', ', @{$self->{attr}}));
220	foreach my $u (@{ $self->{users} }) {
221	$dump .= sprintf("\t%s: %s\n",
222	$u->{user},
223	join(', ', ($u->{r} ? 'read' : ()), ($u->{w} ? 'write' : ())) \|\|
224	'deny');
225	}
226	$dump
227	}
228
229	1;
230
231	__END__

Note: See TracBrowser for help on using the repository browser.

Download in other formats: