source: trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Acls.pm @ 2282

Last change on this file since 2282 was 2282, checked in by nanardon, 5 years ago

Ensure users cannot retrieve password, even encrypted
File size: 4.7 KB
Line 
1package LATMOS::Accounts::Acls;
2
3use strict;
4use warnings;
5use LATMOS::Accounts::Log;
6use LATMOS::Accounts::Acls::Acl;
7
8our $VERSION = (q$Rev: 330 $ =~ /^Rev: (\d+) /)[0];
9
10=head1 NAME
11
12LATMOS::Accounts::Acls - Acl support in L<LATMOS::Accounts>
13
14=head1 FUNCTIONS
15
16=cut
17
18=head2 new ($file)
19
20Instanciate Acls from C<$file>
21
22=cut
23
24sub new {
25    my ($class, $file) = @_;
26    my $acls = bless(
27        {
28            _acls => []
29        }, $class
30    );
31
32    # Default ACLS:
33#    $acls->add( '*.log', [ '$uid: read', '*: deny' ] );
34    $acls->add(
35        'user.{userPasswd,userPassword,encryptedPassword,oldPassword}',
36        [ '$uid: write', '*: deny' ],
37    );
38
39    if ($file) {
40        $acls->read_acl_file($file) or return;
41    }
42
43    $acls
44}
45
46=head1 ACL FILE FORMAT
47
48    OBJ_TYPE.ATTRIBUTE
49        USER:  read,write
50        USER2: read
51
52=over 4
53
54=item OBJ_TYPE is the type the object, '*' match all
55
56=item ATTRIBUTE is either an attribute, either an comma separate attribute
57enclose into bracket, either a '*' to match any attribute.
58
59Special keyword C<@CREATE> and C<@DELETE> can be used to allow or deny object
60creation and deletion. In this case read permission and USER in form C<$...> for
61C<@CREATE> have no effect (see below). C<*> do not include C<@CREATE> and
62C<@DELETE> action.
63
64=item USER can be
65
66=over 4
67
68=item a username
69
70=item group, prefixed by a '%'
71
72=item an attribute of the accessed object which should contains the username,
73prefixed by '$'
74
75=item C<*> to math any user
76
77=item @authenticated or @anonymous for any authenticated user and non
78authenticated user ('*' include both)
79
80=back
81
82=item Permission are read and or write, or deny.
83
84=back
85
86ACL are applied in the order they appear in the file.
87
88=cut
89
90=head2 read_acl_file ($file)
91
92Load acls from file C<$file>.
93
94=cut
95
96sub read_acl_file {
97    my ($self, $file) = @_;
98
99    my $acl;
100    my $line_nb = 0;
101    my $prevline = "";
102    if (open(my $handle, '<', $file)) {
103        while(my $realline = <$handle>) {
104            $line_nb++;
105            chomp($realline);
106            if ($realline =~ /\\$/) {
107                # continuation line
108                $prevline .= $realline;
109                $prevline =~ s/\s*\\$//;
110                next;
111            }
112            my $line = $prevline . $realline; # keep track to report malformed file
113            $prevline = "";
114            $line =~ s/\s*#.*//;
115            if ($line =~ /^(\S.*)/) {
116                if ($acl) {
117                    push(@{$self->{_acls}}, $acl);
118                }
119                $acl = LATMOS::Accounts::Acls::Acl->new($1) or do {
120                    la_log(LA_ERR, "Error in %s at line %d", $file,
121                        $line_nb);
122                    return;
123                };
124            } elsif ($line =~ /^\s+(\S.*)/) {
125                if ($acl) {
126                    $acl->add_perm($line) or do {
127                        la_log(LA_ERR, "Error in %s at line %d", $file,
128                            $line_nb);
129                        return;
130                    };
131                } else {
132                    # err no acl
133                    return;
134                }
135            } elsif ($line =~ /^\s*$/) {
136                # just empty line
137            } else {
138            }
139        }
140        if ($acl) {
141            push(@{$self->{_acls}}, $acl);
142        }
143    } else {
144        la_log(LA_ERR, "Cannot open acl file %s", $file);
145        return;
146    }
147    1;
148}
149
150=head2 add ($obj_dot_attr, $list)
151
152A new acl for C<$obj_dot_attr> (in form C<object.attribute>) with C<$list>
153permissions.
154
155=cut
156
157sub add {
158    my ($self, $obj, $list) = @_;
159    my $acl = LATMOS::Accounts::Acls::Acl->new(
160        $obj, $list) or return;
161    push(@{$self->{_acls}}, $acl);
162    return 1;
163}
164
165=head2 check ($obj, $attr, $perm, $who, $groups)
166
167Return true is this acl apply to C<$obj>/C<$attr> for C<$perm> by user
168C<$who> in groups C<$groups>.
169
170=cut
171
172sub check {
173    my ($self, $obj, $attr, $perm, $who, $groups) = @_;
174    # Asking 'r' perm over create or delete has no sense:
175    $attr =~ /^@(CREATE|DELETE)$/ && $perm eq 'r' and return;
176
177    foreach my $acl (@{$self->{_acls}}) {
178        my $res = $acl->match($obj, $attr, $perm, $who, $groups);
179        defined($res) and return $res;
180    }
181    return 0;
182}
183
184=head2 dump
185
186Return currently load acl as text
187
188=cut
189
190sub dump {
191    my ($self) = @_;
192    foreach my $acl (@{$self->{_acls}}) {
193        print $acl->dump, "\n";
194    }
195}
196
1971;
198
199__END__
200
201=head1 SEE ALSO
202
203L<LATMOS::Accounts::Acls::Acl>
204
205=head1 AUTHOR
206
207Thauvin Olivier, E<lt>olivier.thauvin@latmos.ipsl.frE<gt>
208
209=head1 COPYRIGHT AND LICENSE
210
211Copyright (C) 2009, 2010, 2011, 2012 by Thauvin Olivier
212
213This library is free software; you can redistribute it and/or modify
214it under the same terms as Perl itself, either Perl version 5.10.0 or,
215at your option, any later version of Perl 5 you may have available.
216
217=cut
Note: See TracBrowser for help on using the repository browser.