]>
Commit | Line | Data |
---|---|---|
7442fd06 MG |
1 | package Apache2::AuthzCaps 0.001; |
2 | ||
3 | use 5.014000; | |
4 | use strict; | |
5 | use warnings; | |
6 | ||
7 | use Apache2::Access; | |
8 | use Apache2::Const qw/OK DECLINED/; | |
9 | use Apache2::RequestRec; | |
10 | use YAML::Any qw/LoadFile DumpFile/; | |
11 | ||
12 | use parent qw/Exporter/; | |
13 | ||
14 | our @EXPORT_OK = qw/setcap hascaps/; | |
15 | ||
16 | ################################################## | |
17 | ||
18 | our $rootdir; | |
19 | ||
20 | sub setcap{ | |
21 | my ($user, $cap, $value) = @_; | |
22 | my $config = eval { LoadFile "$rootdir/$user.yml" } // {}; | |
23 | $config->{caps}//={}; | |
24 | my $caps=$config->{caps}; | |
25 | ||
26 | delete $caps->{$cap} unless $value; | |
27 | $caps->{$cap} = 1 if $value; | |
28 | DumpFile "$rootdir/$user.yml", $config | |
29 | } | |
30 | ||
31 | sub hascaps{ | |
32 | my ($user, @caps) = @_; | |
33 | my $config = LoadFile "$rootdir/$user.yml"; | |
34 | my $caps = $config->{caps}; | |
35 | for (@caps) { | |
36 | return 0 unless $caps->{$_} | |
37 | } | |
38 | 1 | |
39 | } | |
40 | ||
41 | sub handler{ | |
42 | my $r=shift; | |
43 | my $user = $r->user; | |
44 | local $rootdir = $r->dir_config('AuthzCapsRootdir'); | |
45 | ||
46 | if ($user) { | |
47 | LOOP: for my $requirement (map { $_->{requirement} } @{$r->requires}) { | |
48 | my ($command, @args) = split ' ', $requirement; | |
49 | ||
50 | given ($command){ | |
51 | when('cap'){ | |
52 | return OK if hascaps $user, @args | |
53 | } | |
54 | ||
55 | } | |
56 | } | |
57 | } | |
58 | ||
59 | DECLINED | |
60 | } | |
61 | ||
62 | 1; | |
63 | __END__ | |
64 | ||
65 | =head1 NAME | |
66 | ||
67 | Apache2::AuthzCaps - mod_perl2 capability authorization | |
68 | ||
69 | =head1 SYNOPSIS | |
70 | ||
71 | use Apache2::AuthzCaps qw/setcap hascaps/; | |
72 | $Apache2::AuthzCaps::rootdir = "/path/to/user/directory" | |
73 | setcap marius => deleteusers => 1; # Grant marius the deleteusers capability | |
74 | setcap marius => createusers => 0; | |
75 | hascaps marius => qw/deleteusers/; # returns 1, since marius can delete users | |
76 | hascaps marius => qw/deleteusers createusers/; # returns 0, since marius can delete users but cannot create users | |
77 | ||
78 | # In Apache2 config | |
79 | <Location /protected> | |
80 | # Insert authentication here | |
81 | PerlAuthzHandler Apache2::AuthzCaps | |
82 | PerlSetVar AuthzCapsRootdir /path/to/user/directory | |
83 | Require cap staff important | |
84 | Require cap admin | |
85 | </Location> | |
86 | # This will: | |
87 | # 1) Let important staff members access /protected | |
88 | # 2) Let admins access /protected | |
89 | # 3) Not let anyone else (such as an important non-staff member or an non-important staff member) access /protected | |
90 | ||
91 | =head1 DESCRIPTION | |
92 | ||
93 | Apache2::AuthzCaps is a perl module which provides simple Apache2 capability-based authorization. It contains a PerlAuthzHandler and some utility functions. | |
94 | ||
95 | The user data is stored in YAML files in a user-set directory. Set this directory using: | |
96 | ||
97 | $Apache2::AuthzCaps::rootdir = "/path/to/directory"; # From perl | |
98 | PerlSetVar AuthzCapsRootdir /path/to/directory # From Apache2 config | |
99 | ||
100 | =head1 FUNCTIONS | |
101 | ||
102 | =over | |
103 | ||
104 | =item B<setcap>(I<$username>, I<$capability>, I<$value>) | |
105 | ||
106 | If I<$value> is true, grants I<$username> the I<$capability> capability. Otherwise denies I<$username> that capability. | |
107 | ||
108 | =item B<hascaps>(I<$username>, I<$cap>, ...) | |
109 | ||
110 | Returns true if and only of I<$username> has ALL of the listed capabilities. Dies if I<$username> does not exist. | |
111 | ||
112 | =item B<handler> | |
113 | ||
114 | The PerlAuthzHandler for use in apache2. | |
115 | ||
116 | =back | |
117 | ||
118 | =head1 AUTHOR | |
119 | ||
120 | Marius Gavrilescu, E<lt>marius@ieval.roE<gt> | |
121 | ||
122 | =head1 COPYRIGHT AND LICENSE | |
123 | ||
124 | Copyright (C) 2013 by Marius Gavrilescu | |
125 | ||
126 | This library is free software; you can redistribute it and/or modify | |
127 | it under the same terms as Perl itself, either Perl version 5.14.2 or, | |
128 | at your option, any later version of Perl 5 you may have available. | |
129 | ||
130 | ||
131 | =cut |