broker_must_be_owner.pl #1 

#!/usr/bin/perl

#------------------------------------------------------------------------------
# Must Be Owner
#
# This broker filter script overrides P4D default behaviour, requiring that
# the user running the specified command to edit/view a spec must be the
# owner of the given spec, or else their command is rejected.  For example,
# if you do 'p4 client' p4 'p4 client -o MyWS', you must own the indicated
# workspace.  Super users bypass this always.
#
# Enable in the broker config file like this example for various commands:
#
# command: ^branch|client|label|group$
# {
#    action  = filter;
#    checkauth = true;
#    execute = /p4/common/hms/scripts/broker_must_be_owner.pl;
# }

use strict;

my $User;
my $Cmd;
my $AccessLevel;
my $UpdateTime;
my $ClientSpecName;
my $SpecName;
my $SpecOwner;

while (<STDIN>) {
   if (/^user: /) {
      $User = $_;
      chomp $User;
      $User =~ s/^user: //;
   }
   if (/^command: /) {
      $Cmd = $_;
      chomp $Cmd;
      $Cmd =~ s/^command: //;
   }

   if (/^workspace: /) {
      $ClientSpecName = $_;
      $ClientSpecName =~ s/^workspace: //;
      chomp $ClientSpecName;
   }

   # If we see certain flags that take an argument, like '-S <stream>' or
   # '-t <template>', ignore them and skip the next argument.
   if (/^Arg\d+: -(S|t)/) {
      readline;
      next;
   }

   # Ignore all remaining '-' flags, so only the spec name remains.
   if (/^Arg\d+: -/) {
      next;
   }

   if (/^Arg\d+: /) {
      $SpecName = $_;
      $SpecName =~ s/^Arg\d+: //;
      chomp $SpecName;
   }
}

if ( ! $Cmd ) {
   print "action: REJECT\n";
   print "message: \"Data Leakage Protection: Internal Error, could not determine Cmd.\"\n";
   exit (0);
}

if ( ! $User ) {
   print "action: REJECT\n";
   print "message: \"Data Leakage Protection: Internal Error, could not determine User.\"\n";
   exit (0);
}

$AccessLevel=`$ENV{P4BIN} protects -m -u $User`;
chomp $AccessLevel;

if ($AccessLevel eq "super") {
   print "action: PASS\n";
   exit (0);
}

if ( ! $SpecName ) {
   # Special case for the 'p4 client' command; a default for the client
   # spec name (if unspecified) is the current workspace from the
   # environment context.
   if ($ClientSpecName) {
      $SpecName = $ClientSpecName;
   } else {
      print "action: REJECT\n";
      print "message: \"Data Leakage Protection: Internal Error, could not determine SpecName.\"\n";
      exit (0);
   }
}

# If the spec doesn't yet exist, the user is creating or querying
# a non-existent spec.  Allow the command to pass.
$UpdateTime=`$ENV{P4BIN} -ztag -F %Update% $Cmd -o $SpecName`;
chomp $UpdateTime;

if ($UpdateTime eq "") {
   print "action: PASS\n";
   exit (0);
}

$SpecOwner=`$ENV{P4BIN} -ztag -F %Owner% $Cmd -o $SpecName`;
chomp $SpecOwner;

if ($User eq $SpecOwner) {
   print "action: PASS\n";
   exit (0);
}

print "action: REJECT\n";
print "message: \"Data Leakage Protection: The command 'p4 $Cmd' requires super access or ownership of the $Cmd spec on this server.\"\n";
exit (0);
# Change User Description Committed
#1 26284 C. Thomas Tyler Released HMS 2020.1.26282.
//guest/perforce_software/hms/dev/p4/common/hms/dlp/broker_must_be_owner.pl
#1 25975 C. Thomas Tyler Added first cut of DLP as optional component of HMS.