#!/usr/bin/perl #------------------------------------------------------------------------------ # Must Be Owner # # This broker filter script overrides P4D default behaviour, requiring that # the user running the specified command to edit/view a spec must be the # owner of the given spec, or else their command is rejected. For example, # if you do 'p4 client' p4 'p4 client -o MyWS', you must own the indicated # workspace. Super users bypass this always. # # Enable in the broker config file like this example for various commands: # # command: ^branch|client|label|group$ # { # action = filter; # checkauth = true; # execute = /p4/common/hms/scripts/broker_must_be_owner.pl; # } use strict; my $User; my $Cmd; my $AccessLevel; my $UpdateTime; my $ClientSpecName; my $SpecName; my $SpecOwner; while (<STDIN>) { if (/^user: /) { $User = $_; chomp $User; $User =~ s/^user: //; } if (/^command: /) { $Cmd = $_; chomp $Cmd; $Cmd =~ s/^command: //; } if (/^workspace: /) { $ClientSpecName = $_; $ClientSpecName =~ s/^workspace: //; chomp $ClientSpecName; } # If we see certain flags that take an argument, like '-S <stream>' or # '-t <template>', ignore them and skip the next argument. if (/^Arg\d+: -(S|t)/) { readline; next; } # Ignore all remaining '-' flags, so only the spec name remains. if (/^Arg\d+: -/) { next; } if (/^Arg\d+: /) { $SpecName = $_; $SpecName =~ s/^Arg\d+: //; chomp $SpecName; } } if ( ! $Cmd ) { print "action: REJECT\n"; print "message: \"Data Leakage Protection: Internal Error, could not determine Cmd.\"\n"; exit (0); } if ( ! $User ) { print "action: REJECT\n"; print "message: \"Data Leakage Protection: Internal Error, could not determine User.\"\n"; exit (0); } $AccessLevel=`$ENV{P4BIN} protects -m -u $User`; chomp $AccessLevel; if ($AccessLevel eq "super") { print "action: PASS\n"; exit (0); } if ( ! $SpecName ) { # Special case for the 'p4 client' command; a default for the client # spec name (if unspecified) is the current workspace from the # environment context. if ($ClientSpecName) { $SpecName = $ClientSpecName; } else { print "action: REJECT\n"; print "message: \"Data Leakage Protection: Internal Error, could not determine SpecName.\"\n"; exit (0); } } # If the spec doesn't yet exist, the user is creating or querying # a non-existent spec. Allow the command to pass. $UpdateTime=`$ENV{P4BIN} -ztag -F %Update% $Cmd -o $SpecName`; chomp $UpdateTime; if ($UpdateTime eq "") { print "action: PASS\n"; exit (0); } $SpecOwner=`$ENV{P4BIN} -ztag -F %Owner% $Cmd -o $SpecName`; chomp $SpecOwner; if ($User eq $SpecOwner) { print "action: PASS\n"; exit (0); } print "action: REJECT\n"; print "message: \"Data Leakage Protection: The command 'p4 $Cmd' requires super access or ownership of the $Cmd spec on this server.\"\n"; exit (0);
# | Change | User | Description | Committed | |
---|---|---|---|---|---|
#1 | 29182 | C. Thomas Tyler |
Moved HMS files from /p4/common/bin -> /p4/common/site/bin. Moved HMS files from /p4/common/lib -> /p4/common/site/lib. Removed dependency on SDP libs so that HMS can be deployed with a wider variety of SDP versions. |
||
//guest/perforce_software/hms/dev/p4/common/hms/dlp/broker_must_be_owner.pl | |||||
#1 | 25975 | C. Thomas Tyler | Added first cut of DLP as optional component of HMS. |