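#!/usr/bin/perl
#------------------------------------------------------------------------------
# This broker filter script is part of Data Leakage Protection (DLP) system.
#
# Imply -u
#
# This broker filter script overrides P4D default behaviour, making it so
# the user running the specified command has the '-u' flag implied, so that
# the user can only see their own specs (clients, labels) in the
# system. For example, a 'p4 clients' command has the '-u <user>'
# implied.
#
# Note that for Streams, P4D already has sufficient logic (based on list
# access in the Protections table) to determine which streams to list, so
# no special handling of streams is needed.
#
# Enable in the broker config file like this example:
#
#   command: ^branches|clients|groups|labels|remotes|workspaces$
#   {
#       action = filter;
#       checkauth = true;
#       execute = /p4/common/hms/scripts/broker_imply-u.pl;
#   }
#
# Protocol as used here: the broker writes 'user: NAME', 'command: CMD' and
# one 'ArgN: VALUE' line per argument on STDIN. The script answers on STDOUT
# with an 'action:' line (PASS, REJECT or REWRITE) followed by 'message:' or
# 'command:'/'arg:' lines as appropriate, and always exits 0 so the broker
# honours the action.
#
# Any '-u' the user supplied is dropped while parsing and '-u <user>' is
# appended last, so the caller cannot widen the listing to other users'
# specs regardless of argument order.
#------------------------------------------------------------------------------

use strict;
use warnings;

# Modulino: run the filter when executed directly, stay quiet when loaded
# (e.g. by a test) so the helpers can be exercised in isolation.
exit main() unless caller;

# Read one broker request from $fh and return { user, command, args }.
#
# A user-supplied '-u' is removed here in both forms: the two-token form
# ('-u' followed by the user name on the next 'ArgN:' line, which is consumed
# from the same handle) and the fused one-token form ('-uNAME'). Later
# 'user:'/'command:' lines overwrite earlier ones.
sub _parse_request {
    my ($fh) = @_;
    my %req = (user => undef, command => undef, args => []);

    LINE: while (my $line = <$fh>) {
        chomp $line;
        if ($line =~ /\Auser: (?<value>.*)\z/) {
            $req{user} = $+{value};
            next LINE;
        }
        if ($line =~ /\Acommand: (?<value>.*)\z/) {
            $req{command} = $+{value};
            next LINE;
        }
        next LINE unless $line =~ /\AArg\d+: (?<value>.*)\z/;
        my $arg = $+{value};

        if ($arg =~ /\A-u(?<rest>.*)\z/) {
            # Bare '-u': the user name is the next argument line; swallow it
            # from $fh (not from a different handle) so it is not re-emitted.
            my $discarded = <$fh> if $+{rest} eq '';
            next LINE;
        }
        push @{ $req{args} }, $arg;
    }
    return \%req;
}

# Return the maximum access level that "$ENV{P4BIN} protects -m -u $user"
# reports, or '' when it cannot be determined (P4BIN unset, exec failure,
# no output). The caller treats anything but 'super' as "restrict".
sub _max_access {
    my ($user) = @_;
    my $p4bin = $ENV{P4BIN};
    return '' unless defined $p4bin && length $p4bin;

    # List-form pipe open runs P4BIN directly without a shell, so a user
    # name containing shell metacharacters cannot alter the command line.
    open my $ph, '-|', $p4bin, 'protects', '-m', '-u', $user
        or return '';
    my $access = do { local $/; <$ph> };
    close $ph;
    return '' unless defined $access;
    chomp $access;
    return $access;
}

# Emit a REJECT carrying the DLP internal-error message for $reason.
# Returns 0 (the process exit status) so the broker sees a clean exit.
sub _reject {
    my ($reason) = @_;
    print "action: REJECT\n";
    print "message: \"Data Leakage Protection: Internal Error, $reason.\"\n";
    return 0;
}

# Build the REWRITE response lines (without trailing newlines): the original
# command, the surviving arguments, then '-u <user>' appended last.
sub _rewrite_lines {
    my ($cmd, $args, $user) = @_;
    return (
        'action: REWRITE',
        "command: $cmd",
        (map { "arg: $_" } @{$args}),
        'arg: -u',
        "arg: $user",
    );
}

# Entry point: parse the request on STDIN, PASS super users through, and
# REWRITE everyone else's command with '-u <user>' appended. Returns the
# exit status (always 0).
sub main {
    my $req = _parse_request(\*STDIN);

    return _reject('could not determine Cmd')
        unless defined $req->{command} && length $req->{command};
    return _reject('could not determine User')
        unless defined $req->{user} && length $req->{user};

    # Super users keep full visibility; everyone else is restricted.
    if (_max_access($req->{user}) eq 'super') {
        print "action: PASS\n";
        return 0;
    }

    print "$_\n" for _rewrite_lines($req->{command}, $req->{args}, $req->{user});
    return 0;
}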