source: trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Acls.pm @ 1950

Last change on this file since 1950 was 1048, checked in by nanardon, 12 years ago
  • split L::A::Acls module using proper perl fs
File size: 4.5 KB
Line 
1package LATMOS::Accounts::Acls;
2
3use strict;
4use warnings;
5use LATMOS::Accounts::Log;
6use LATMOS::Accounts::Acls::Acl;
7
8our $VERSION = (q$Rev: 330 $ =~ /^Rev: (\d+) /)[0];
9
10=head1 NAME
11
12LATMOS::Accounts::Acls - Acl support in L<LATMOS::Accounts>
13
14=head1 FUNCTIONS
15
16=cut
17
18=head2 new ($file)
19
20Instanciate Acls from C<$file>
21
22=cut
23
24sub new {
25    my ($class, $file) = @_;
26    my $acls = bless(
27        {
28            _acls => []
29        }, $class
30    );
31    if ($file) {
32        $acls->read_acl_file($file) or return;
33    }
34    $acls
35}
36
37=head1 ACL FILE FORMAT
38
39    OBJ_TYPE.ATTRIBUTE
40        USER:  read,write
41        USER2: read
42
43=over 4
44
45=item OBJ_TYPE is the type the object, '*' match all
46
47=item ATTRIBUTE is either an attribute, either an comma separate attribute
48enclose into bracket, either a '*' to match any attribute.
49
50Special keyword C<@CREATE> and C<@DELETE> can be used to allow or deny object
51creation and deletion. In this case read permission and USER in form C<$...> for
52C<@CREATE> have no effect (see below). C<*> do not include C<@CREATE> and
53C<@DELETE> action.
54
55=item USER can be
56
57=over 4
58
59=item a username
60
61=item group, prefixed by a '%'
62
63=item an attribute of the accessed object which should contains the username,
64prefixed by '$'
65
66=item C<*> to math any user
67
68=item @authenticated or @anonymous for any authenticated user and non
69authenticated user ('*' include both)
70
71=back
72
73=item Permission are read and or write, or deny.
74
75=back
76
77ACL are applied in the order they appear in the file.
78
79=cut
80
81=head2 read_acl_file ($file)
82
83Load acls from file C<$file>.
84
85=cut
86
87sub read_acl_file {
88    my ($self, $file) = @_;
89
90    my $acl;
91    my $line_nb = 0;
92    my $prevline = "";
93    if (open(my $handle, '<', $file)) {
94        while(my $realline = <$handle>) {
95            $line_nb++;
96            chomp($realline);
97            if ($realline =~ /\\$/) {
98                # continuation line
99                $prevline .= $realline;
100                $prevline =~ s/\s*\\$//;
101                next;
102            }
103            my $line = $prevline . $realline; # keep track to report malformed file
104            $prevline = "";
105            $line =~ s/\s*#.*//;
106            if ($line =~ /^(\S.*)/) {
107                if ($acl) {
108                    push(@{$self->{_acls}}, $acl);
109                }
110                $acl = LATMOS::Accounts::Acls::Acl->new($1) or do {
111                    la_log(LA_ERR, "Error in %s at line %d", $file,
112                        $line_nb);
113                    return;
114                };
115            } elsif ($line =~ /^\s+(\S.*)/) {
116                if ($acl) {
117                    $acl->add_perm($line) or do {
118                        la_log(LA_ERR, "Error in %s at line %d", $file,
119                            $line_nb);
120                        return;
121                    };
122                } else {
123                    # err no acl
124                    return;
125                }
126            } elsif ($line =~ /^\s*$/) {
127                # just empty line
128            } else {
129            }
130        }
131        if ($acl) {
132            push(@{$self->{_acls}}, $acl);
133        }
134    } else {
135        la_log(LA_ERR, "Cannot open acl file %s", $file);
136        return;
137    }
138    1;
139}
140
141=head2 add ($obj_dot_attr, $list)
142
143A new acl for C<$obj_dot_attr> (in form C<object.attribute>) with C<$list>
144permissions.
145
146=cut
147
148sub add {
149    my ($self, $obj, $list) = @_;
150    my $acl = LATMOS::Accounts::Acls::Acl->new(
151        $obj, $list) or return;
152    push(@{$self->{_acls}}, $acl);
153    return 1;
154}
155
156=head2 check ($obj, $attr, $perm, $who, $groups)
157
158Return true is this acl apply to C<$obj>/C<$attr> for C<$perm> by user
159C<$who> in groups C<$groups>.
160
161=cut
162
163sub check {
164    my ($self, $obj, $attr, $perm, $who, $groups) = @_;
165    # Asking 'r' perm over create or delete has no sense:
166    $attr =~ /^@(CREATE|DELETE)$/ && $perm eq 'r' and return;
167
168    foreach my $acl (@{$self->{_acls}}) {
169        my $res = $acl->match($obj, $attr, $perm, $who, $groups);
170        defined($res) and return $res;
171    }
172    return 0;
173}
174
175=head2 dump
176
177Return currently load acl as text
178
179=cut
180
181sub dump {
182    my ($self) = @_;
183    foreach my $acl (@{$self->{_acls}}) {
184        print $acl->dump, "\n";
185    }
186}
187
1881;
189
190__END__
191
192=head1 SEE ALSO
193
194L<LATMOS::Accounts::Acls::Acl>
195
196=head1 AUTHOR
197
198Thauvin Olivier, E<lt>olivier.thauvin@latmos.ipsl.frE<gt>
199
200=head1 COPYRIGHT AND LICENSE
201
202Copyright (C) 2009, 2010, 2011, 2012 by Thauvin Olivier
203
204This library is free software; you can redistribute it and/or modify
205it under the same terms as Perl itself, either Perl version 5.10.0 or,
206at your option, any later version of Perl 5 you may have available.
207
208=cut
Note: See TracBrowser for help on using the repository browser.