#!/usr/bin/perl
#------------------------------------------------------------------------------
# This broker filter script is part of the Data Leakage Protection (DLP) system.
#
# Imply -u
#
# This broker filter script overrides P4D default behaviour, making it so
# the user running the specified command has the '-u' flag implied, so that
# the user can only see their own specs (clients, labels) in the
# system. For example, a 'p4 clients' command has '-u <yourself>'
# implied.
#
# Note that for Streams, P4D already has sufficient logic (based on list
# access in the Protections table) to determine which streams to list, so
# no special handling of streams is needed.
#
# Enable in the broker config file like this example:
#
# command: ^branches|clients|groups|labels|remotes|workspaces$
# {
# action = filter;
# checkauth = true;
# execute = /p4/common/hms/scripts/broker_imply-u.pl;
# }
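use strict;
use warnings;

# Fields taken from the broker request on STDIN.
my $User;      # value of the 'user: ' line
my $Cmd;       # value of the 'command: ' line
my @ArgList;   # 'ArgN: ' values in order, with any caller-supplied -u removed

# Emit a REJECT response carrying the given internal-error reason and stop.
# The text matches the broker's quoted 'message:' format used by this script.
sub _reject {
    my ($reason) = @_;
    print "action: REJECT\n";
    print "message: \"Data Leakage Protection: Internal Error, $reason.\"\n";
    exit 0;
}

# Parse the request. A '-u' supplied by the caller is dropped here so that
# the '-u <current-user>' appended below is the only one the server sees:
# a bare '-u' also consumes the next Arg line (its value), whereas a form
# with the value attached, such as '-ufoo', is dropped on its own and does
# not consume the following argument.
my $skip_next = 0;
while (my $line = <STDIN>) {
    chomp $line;
    if ($line =~ /^user: (.*)$/) {
        $User = $1;
        next;
    }
    if ($line =~ /^command: (.*)$/) {
        $Cmd = $1;
        next;
    }
    if ($line =~ /^Arg\d+: (.*)$/) {
        my $arg = $1;
        if ($skip_next) {
            $skip_next = 0;
            next;
        }
        if ($arg eq '-u') {
            $skip_next = 1;
            next;
        }
        next if $arg =~ /^-u./;
        push @ArgList, $arg;
    }
}

_reject('could not determine Cmd')  if !$Cmd;
_reject('could not determine User') if !$User;

# Look up the user's maximum access level. The user name comes straight from
# the request, so p4 is invoked with list-form open: the name is passed as a
# single argv element and is never interpreted by a shell. If P4BIN is unset
# or the lookup fails, $Access stays empty and the user is treated as
# non-super, i.e. the restricting REWRITE below still applies.
my $Access = '';
if (defined $ENV{P4BIN} && length $ENV{P4BIN}) {
    if (open my $p4, '-|', $ENV{P4BIN}, 'protects', '-m', '-u', $User) {
        local $/ = undef;
        my $out = <$p4>;
        $Access = defined $out ? $out : '';
        close $p4;
    }
}
chomp $Access;
if ($Access eq 'super') {
    print "action: PASS\n";
    exit 0;
}

# Indicate a REWRITE action, replay the surviving arguments, then append
# '-u <current-user>'. Any '-u foo' the user gave was already stripped while
# parsing, so the appended '-u' is the only one the server sees.
print "action: REWRITE\n";
print "command: $Cmd\n";
print "arg: $_\n" for @ArgList;
print "arg: -u\n";
print "arg: $User\n";
exit 0;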