Peter Blair

Perl ACL library

Hacked together a little ACL package for creating dynamic ACLs based on a few simple ideas:

  1. Sys-Admins like Perl style Regex
  2. Must be versatile enough to handle many types of applications
  3. Should be robust enough to handle auto-generated ACLs

I was sitting at $WORK, thinking of a way to restrict access to certain API calls from a shared script.  I wanted a way that I could limit what was done with that script based on the parameters being called, the permission level of the user calling it, the day of the week, etc.  So I hacked up this package that does all that.


The module does three things:

  1. Parses a file containing ACLs
  2. Cleans the ACLs by splitting each line into key/value pairs and extracting a “reason” message
  3. Cleans up an action line by inserting all missing required key/value pairs and ordering them correctly.

This way, if your action is missing any of the required values, the library fills them in with empty values.  This works because if the ACL is missing the same key/value pair, the library fills it in with the appropriate match-anything pattern:

key=\[.*?\]

Whenever a client application starts to add key/value pairs, just update the required variable in the ACL.pm file and those values will be included in all sanitized ACLs and actions.
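To make the three steps concrete, here is a small self-contained re-implementation of the same idea.  This is an added example, not the ACL.pm module from the post: the key names (`user`, `call`, `day`), the `key=[value] # reason` line format, the sample ACLs and the sample actions are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not the ACL.pm module from the post: a minimal
# re-implementation of the three steps described above (parse, clean
# the ACLs, clean the action) so the normalisation idea can be run end
# to end. Key names, line format and sample data are assumptions.
use strict;
use warnings;

# Every key a client may send. Missing keys are filled in so that an
# ACL and an action always have the same shape and field order.
my @REQUIRED = qw(user call day);

# Step 2: turn one ACL line into an anchored regex plus its reason.
# Values are Perl regexes; a key the ACL does not mention becomes
# key=\[.*?\], i.e. "don't care".
sub clean_acl {
    my ($line) = @_;
    my ($pairs, $reason) = split /\s*#\s*/, $line, 2;
    my %kv;
    while ($pairs =~ /(\w+)=\[(.*?)\](?=\s|$)/g) {
        $kv{$1} = $2;
    }
    my $regex = '^' . join(' ', map {
        my $v = exists $kv{$_} ? $kv{$_} : '.*?';
        "$_=\\[$v\\]";
    } @REQUIRED) . '$';
    return ($regex, $reason // '');
}

# Step 3: rebuild an action with every key present, in canonical order,
# empty where the client gave nothing. Brackets inside a value, repeated
# keys, unknown keys or stray text would let a caller rewrite another
# field, so such actions are refused (undef) and treated as a reject.
sub clean_action {
    my ($line) = @_;
    my (%kv, %seen);
    my $rest = $line;
    while ($rest =~ s/^\s*(\w+)=\[([^\[\]]*)\]\s*//) {
        my ($k, $v) = ($1, $2);
        return if $seen{$k}++ || !grep { $_ eq $k } @REQUIRED;
        $kv{$k} = $v;
    }
    return if length $rest;    # something did not parse
    return join ' ', map { "$_=[" . ($kv{$_} // '') . ']' } @REQUIRED;
}

# Step 1 plus matching: walk an ACL list and test one cleaned action.
# Returns (1, regex, reason) on the first hit, or (0) when nothing matched.
sub match_action {
    my ($acl_text, $clean) = @_;
    for my $line (split /\n/, $acl_text) {
        next if $line =~ /^\s*(#|$)/;          # skip comments and blanks
        my ($regex, $reason) = clean_acl($line);
        return (1, $regex, $reason) if $clean =~ /$regex/;
    }
    return (0);
}

# Constructed sample ACLs (not from the post).
my $reject = <<'ACL';
# Nobody deletes on weekends
call=[delete.*] day=[(sat|sun)] # no destructive calls at the weekend
user=[guest]                    # guests may not call anything
ACL

my $permit = <<'ACL';
user=[admin]                 # admins may do anything
call=[get.*]                 # read-only calls are open to all
ACL

# Deny first, then permit, as in the script on this page; anything
# else is "no match", and a malformed action never reaches the ACLs.
sub decide {
    my ($action) = @_;
    my $clean = clean_action($action);
    return "rejected: malformed action" unless defined $clean;
    my ($rc, $regex, $why) = match_action($reject, $clean);
    return "rejected: $why" if $rc;
    ($rc, $regex, $why) = match_action($permit, $clean);
    return "accepted: $why" if $rc;
    return "no match";
}

for my $action (
    'user=[admin] call=[deleteUser]',
    'call=[deleteUser] user=[admin] day=[sat]',
    'user=[guest] call=[getUser]',
    'user=[bob] call=[getUser]',
    'user=[bob] call=[deleteUser]',
    'user=[guest] call=[getUser] user=[admin]',
) {
    printf "%-45s -> %s\n", $action, decide($action);
}
```

Two details in this example go slightly beyond the description above and are worth carrying into any real implementation.  The generated regex is anchored with `^` and `$`, so an ACL value such as `get.*` can only match the whole `call` field and never a substring of a neighbouring field.  And `clean_action` refuses actions with brackets inside a value, repeated keys or leftover text instead of guessing: because the action string is assembled from caller-supplied parameters, a parameter value like `bob] user=[admin` would otherwise let the caller rewrite a field the ACL relies on, and the shared script would hand it to the ACL as though it were trustworthy.  Failing closed there keeps the deny-then-permit order meaningful.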

Calling the library is super simple:

#!/usr/bin/perl
use warnings;
use strict;
use lib( "./" );
use ACL;
 
my $accept_acl = ACL->new;
$accept_acl->parse_acl_from_file( { Filename => "acl.permit.txt" } );
my $reject_acl = ACL->new;
$reject_acl->parse_acl_from_file( { Filename => "acl.reject.txt" } );
 
my @actions;
# Read an action
while( <> ){
        chomp;
        push( @actions, $_ );
}
 
ACTION: for my $action ( @actions ){
        print "Action: $action\n";
        # Check against the reject
        my ($rc,$regex,$comment) = $reject_acl->match( $action );
        if( $rc ){
                print "\t! Rejected against $regex\n";
                print "\t: Reason: $comment\n";
                next ACTION;
        }
        ($rc,$regex,$comment) = $accept_acl->match( $action );
        if( $rc ){
                print "\t* Accepted against $regex\n";
                print "\t: Reason: $comment\n";
                next ACTION;
        }
        print "\t? No ACLs matched\n";
}

Categorised as: Perl, UNIX

