source: trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Acls.pm @ 2259

Last change on this file since 2259 was 2259, checked in by nanardon, 5 years ago

Add log page to users objects
File size: 4.7 KB
Line 
1package LATMOS::Accounts::Acls;
2
3use strict;
4use warnings;
5use LATMOS::Accounts::Log;
6use LATMOS::Accounts::Acls::Acl;
7
8our $VERSION = (q$Rev: 330 $ =~ /^Rev: (\d+) /)[0];
9
10=head1 NAME
11
12LATMOS::Accounts::Acls - Acl support in L<LATMOS::Accounts>
13
14=head1 FUNCTIONS
15
16=cut
17
18=head2 new ($file)
19
20Instanciate Acls from C<$file>
21
22=cut
23
24sub new {
25    my ($class, $file) = @_;
26    my $acls = bless(
27        {
28            _acls => []
29        }, $class
30    );
31    if ($file) {
32        $acls->read_acl_file($file) or return;
33    }
34
35    # Default ACLS:
36    $acls->add( '*.log', [ '$uid: read', '*: deny' ] );
37    $acls->add(
38        'user.{userPasswd,userPassword,encryptedPassword}',
39        [ '$uid: write', '*: deny' ],
40    );
41    $acls
42}
43
44=head1 ACL FILE FORMAT
45
46    OBJ_TYPE.ATTRIBUTE
47        USER:  read,write
48        USER2: read
49
50=over 4
51
52=item OBJ_TYPE is the type the object, '*' match all
53
54=item ATTRIBUTE is either an attribute, either an comma separate attribute
55enclose into bracket, either a '*' to match any attribute.
56
57Special keyword C<@CREATE> and C<@DELETE> can be used to allow or deny object
58creation and deletion. In this case read permission and USER in form C<$...> for
59C<@CREATE> have no effect (see below). C<*> do not include C<@CREATE> and
60C<@DELETE> action.
61
62=item USER can be
63
64=over 4
65
66=item a username
67
68=item group, prefixed by a '%'
69
70=item an attribute of the accessed object which should contains the username,
71prefixed by '$'
72
73=item C<*> to math any user
74
75=item @authenticated or @anonymous for any authenticated user and non
76authenticated user ('*' include both)
77
78=back
79
80=item Permission are read and or write, or deny.
81
82=back
83
84ACL are applied in the order they appear in the file.
85
86=cut
87
88=head2 read_acl_file ($file)
89
90Load acls from file C<$file>.
91
92=cut
93
94sub read_acl_file {
95    my ($self, $file) = @_;
96
97    my $acl;
98    my $line_nb = 0;
99    my $prevline = "";
100    if (open(my $handle, '<', $file)) {
101        while(my $realline = <$handle>) {
102            $line_nb++;
103            chomp($realline);
104            if ($realline =~ /\\$/) {
105                # continuation line
106                $prevline .= $realline;
107                $prevline =~ s/\s*\\$//;
108                next;
109            }
110            my $line = $prevline . $realline; # keep track to report malformed file
111            $prevline = "";
112            $line =~ s/\s*#.*//;
113            if ($line =~ /^(\S.*)/) {
114                if ($acl) {
115                    push(@{$self->{_acls}}, $acl);
116                }
117                $acl = LATMOS::Accounts::Acls::Acl->new($1) or do {
118                    la_log(LA_ERR, "Error in %s at line %d", $file,
119                        $line_nb);
120                    return;
121                };
122            } elsif ($line =~ /^\s+(\S.*)/) {
123                if ($acl) {
124                    $acl->add_perm($line) or do {
125                        la_log(LA_ERR, "Error in %s at line %d", $file,
126                            $line_nb);
127                        return;
128                    };
129                } else {
130                    # err no acl
131                    return;
132                }
133            } elsif ($line =~ /^\s*$/) {
134                # just empty line
135            } else {
136            }
137        }
138        if ($acl) {
139            push(@{$self->{_acls}}, $acl);
140        }
141    } else {
142        la_log(LA_ERR, "Cannot open acl file %s", $file);
143        return;
144    }
145    1;
146}
147
148=head2 add ($obj_dot_attr, $list)
149
150A new acl for C<$obj_dot_attr> (in form C<object.attribute>) with C<$list>
151permissions.
152
153=cut
154
155sub add {
156    my ($self, $obj, $list) = @_;
157    my $acl = LATMOS::Accounts::Acls::Acl->new(
158        $obj, $list) or return;
159    push(@{$self->{_acls}}, $acl);
160    return 1;
161}
162
163=head2 check ($obj, $attr, $perm, $who, $groups)
164
165Return true is this acl apply to C<$obj>/C<$attr> for C<$perm> by user
166C<$who> in groups C<$groups>.
167
168=cut
169
170sub check {
171    my ($self, $obj, $attr, $perm, $who, $groups) = @_;
172    # Asking 'r' perm over create or delete has no sense:
173    $attr =~ /^@(CREATE|DELETE)$/ && $perm eq 'r' and return;
174
175    foreach my $acl (@{$self->{_acls}}) {
176        my $res = $acl->match($obj, $attr, $perm, $who, $groups);
177        defined($res) and return $res;
178    }
179    return 0;
180}
181
182=head2 dump
183
184Return currently load acl as text
185
186=cut
187
188sub dump {
189    my ($self) = @_;
190    foreach my $acl (@{$self->{_acls}}) {
191        print $acl->dump, "\n";
192    }
193}
194
1951;
196
197__END__
198
199=head1 SEE ALSO
200
201L<LATMOS::Accounts::Acls::Acl>
202
203=head1 AUTHOR
204
205Thauvin Olivier, E<lt>olivier.thauvin@latmos.ipsl.frE<gt>
206
207=head1 COPYRIGHT AND LICENSE
208
209Copyright (C) 2009, 2010, 2011, 2012 by Thauvin Olivier
210
211This library is free software; you can redistribute it and/or modify
212it under the same terms as Perl itself, either Perl version 5.10.0 or,
213at your option, any later version of Perl 5 you may have available.
214
215=cut
Note: See TracBrowser for help on using the repository browser.