#!/usr/bin/perl
#------------------------------------------------------------------------------
# Must Be Super
#
# This broker filter script overrides P4D default behaviour, requiring that
# the user running the specified command must have 'super' access, as reported
# by 'p4 protects -m -u <user>'. This is for scenarios where the P4D default
# is too insecure. For example, this can be used to require that the 'p4 groups'
# command, which by default can be run as any logged in user, is restricted to
# super users (as the mere names of groups are inherently sensitive info).
#
# Enable in the broker config file like this example for the 'p4 groups' and
# 'p4 users' commands.
#
# command: ^groups|users$
# {
# action = filter;
# checkauth = true;
# execute = /p4/common/hms/scripts/broker_must_be_super.pl;
# }
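use strict;
use warnings;

# Broker request fields this filter needs.  The broker hands the request to
# us on STDIN as "key: value" lines; if a key repeats, the last one wins.
my $User;    # Perforce user name of the caller, from the "user:" line
my $Cmd;     # command the caller is running, from the "command:" line

while (my $line = <STDIN>) {
    chomp $line;
    if ($line =~ /^user: (.*)$/) {
        $User = $1;
    }
    elsif ($line =~ /^command: (.*)$/) {
        $Cmd = $1;
    }
}

# Fail closed: without both fields no decision can be made, so reject.
if (!defined $Cmd || !length $Cmd) {
    reject('Data Leakage Protection: Internal Error, could not determine Cmd.');
}
if (!defined $User || !length $User) {
    reject('Data Leakage Protection: Internal Error, could not determine User.');
}

# P4BIN is expected in the broker's environment; an empty command path would
# otherwise be run blindly and the failure would surface as a confusing
# "requires super access" rejection.
my $p4bin = $ENV{P4BIN};
if (!defined $p4bin || !length $p4bin) {
    warn "broker_must_be_super.pl: P4BIN is not set in the environment\n";
    reject('Data Leakage Protection: Internal Error, could not determine access level.');
}

# undef here means the lookup itself failed (could not start, or exited
# non-zero); treat that as a denial rather than guessing.
my $AccessLevel = lookup_access_level($p4bin, $User);
if (!defined $AccessLevel) {
    reject('Data Leakage Protection: Internal Error, could not determine access level.');
}

if ($AccessLevel eq 'super') {
    print "action: PASS\n";
    exit 0;
}
reject("Data Leakage Protection: The command 'p4 $Cmd' requires super access on this server.");

# Print a REJECT response carrying $message for the broker and exit.
# The filter always exits 0: the decision is carried by the action line.
sub reject {
    my ($message) = @_;
    print "action: REJECT\n";
    print "message: \"$message\"\n";
    exit 0;
}

# Run `<p4bin> protects -m -u <user>` and return its output with the trailing
# newline removed (the access level as reported by p4), or undef if the
# command could not be started or exited non-zero.
#
# The user name comes straight from the client request, so the command is
# started with the list form of open: the arguments are passed to the program
# directly, without a shell, and any shell metacharacters in $user are
# passed through literally rather than interpreted (backticks with an
# interpolated name would hand it to the shell instead).
sub lookup_access_level {
    my ($p4bin, $user) = @_;
    my $pid = open(my $p4_out, '-|', $p4bin, 'protects', '-m', '-u', $user);
    if (!$pid) {
        warn "broker_must_be_super.pl: cannot run '$p4bin protects': $!\n";
        return;
    }
    # Read everything the command prints before close, so close can reap
    # the child and report its exit status in $?.
    my $output = do { local $/; <$p4_out> };
    if (!close $p4_out) {
        my $status = $? >> 8;
        warn "broker_must_be_super.pl: '$p4bin protects -m -u $user' exited with status $status\n";
        return;
    }
    $output = '' unless defined $output;
    chomp $output;
    return $output;
}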