File Coverage

File:/home/mik/work/module/Tivoli/AccessManager/Admin/ACL.pm
Coverage:99.7%

linestmtbrancondsubpodtimecode
1package Tivoli::AccessManager::Admin::ACL;
2
15
15
15
539
65
186
use strict;
3
15
15
15
212
60
254
use warnings;
4
15
15
15
200
77
269
use Carp;
5
6
15
15
15
289
95
379
use Tivoli::AccessManager::Admin::Response;
7
8#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
9# $Id: ACL.pm 305 2006-09-28 19:18:01Z mik $
10#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
11$Tivoli::AccessManager::Admin::ACL::VERSION = "0.04";
12
15
192
use Inline( C => 'DATA',
13                 INC => '-I/opt/PolicyDirector/include',
14                 LIBS => ' -lpthread -lpdadminapi -lstdc++',
15                 CCFLAGS => '-Wall',
16# VERSION => '0.04',
17
15
15
281
70
                 NAME => 'Tivoli::AccessManager::Admin::ACL');
18
19sub new {
20
10
1
73
    my $class = shift;
21
10
30
    my $cont = shift;
22
10
59
    my $self = {};
23
10
111
    my $resp = Tivoli::AccessManager::Admin::Response->new();
24
10
45
    my $name = '';
25
26
10
250
    unless ( defined($cont) and UNIVERSAL::isa($cont,'Tivoli::AccessManager::Admin::Context' ) ) {
27
2
57
        warn "Incorrect syntax -- did you forget the context?\n";
28
2
9
        return undef;
29    }
30
31
8
53
    bless $self, $class;
32
33
8
70
    if ( @_ == 1 ) {
34
4
23
        $name = shift;
35    }
36    elsif ( @_ % 2 ) {
37
1
24
        warn "Incorrent syntax -- too many parameters\n";
38
1
8
        return undef;
39    }
40    elsif ( @_ ) {
41
2
17
        my %opts = @_;
42
2
54
        $name = $opts{name} || '';
43    }
44
45
7
47
    $self->{name} = $name;
46
7
33
    $self->{context} = $cont;
47
48
7
39
    if ( $name ) {
49
5
245290
        $self->{exist} = $self->acl_get( $resp );
50    }
51    else {
52
2
17
        $self->{exist} = 0;
53    }
54
55
7
92
    return $self;
56}
57
58sub list {
59
2
1
8
    my $class = shift;
60
2
20
    my $resp = Tivoli::AccessManager::Admin::Response->new();
61
2
6
    my $pd;
62
63
2
13
    if ( ref($class) ) {
64
1
7
        $pd = $class->{context};
65    }
66    else {
67
1
3
        $pd = shift;
68    }
69
70
2
88661
    my @acls = acl_list($pd,$resp);
71
2
41
    $resp->isok and $resp->set_value(\@acls);
72
73
2
14
    return $resp;
74}
75
76sub find {
77
1
1
34
    my $self = shift;
78
1
11
    my $pd = $self->{context};
79
80
1
11
    return Tivoli::AccessManager::Admin::ProtObject->find( $pd, acl => $self->name );
81}
82
83sub listgroups {
84
4
1
34
    my $self = shift;
85
4
27
    my ($acl, @groups);
86
87
4
51
    my $resp = Tivoli::AccessManager::Admin::Response->new();
88
89
4
39
    unless ( $self->exist ) {
90
2
16
        $resp->set_message($self->name . " does not exist");
91
2
27
        $resp->set_isok(0);
92
2
23
        return $resp;
93    }
94
95
2
165
    @groups = $self->acl_listgroups();
96
2
18
    if ( @groups ) {
97
1
16
        $resp->set_value( $groups[0],\@groups );
98    }
99    else {
100
1
14
        $resp->set_value( 'none' );
101    }
102
2
18
    return $resp;
103}
104
105sub listusers {
106
4
1
37
    my $self = shift;
107
4
18
    my ($acl, @users);
108
109
4
58
    my $resp = Tivoli::AccessManager::Admin::Response->new();
110
111
4
37
    unless ( $self->exist ) {
112
2
19
        $resp->set_message($self->name . " does not exist");
113
2
27
        $resp->set_isok(0);
114
2
19
        return $resp;
115    }
116
117
2
140
    @users = $self->acl_listusers();
118
2
18
    if ( @users ) {
119
1
19
        $resp->set_value( $users[0], \@users );
120    }
121    else {
122
1
10
        $resp->set_value( 'none' );
123    }
124
2
22
    return $resp;
125}
126
127sub create {
128
6
1
46
    my $self = shift;
129
6
76
    my $resp = Tivoli::AccessManager::Admin::Response->new();
130
131
6
47
    unless ( ref( $self ) ) {
132
3
25
        my $pd = shift;
133
3
83
        unless (defined($pd) and UNIVERSAL::isa($pd,'Tivoli::AccessManager::Admin::Context')){
134
2
31
            $resp->set_message("Invalid Tivoli::AccessManager::Admin::Context object");
135
2
30
            $resp->set_isok(0);
136
2
24
            return $resp;
137        }
138
1
12
        $self = $self->new( $pd, @_ );
139    }
140
141
4
78
    if ( $self->{exist} ) {
142
2
9
        $resp->set_message( $self->name . " already exists" );
143
2
12
        $resp->set_iswarning( 1 );
144
2
9
        $resp->set_value( $self );
145
2
10
        return $resp;
146    }
147
148
2
97035
    my $rc = $self->acl_create( $resp );
149
2
67
    $self->{exist} = $resp->isok;
150
151
2
32
    $resp->set_value( $self );
152
153
2
28
    return $resp;
154}
155
156sub delete {
157
3
1
24
    my $self = shift;
158
159
3
50
    my $resp = Tivoli::AccessManager::Admin::Response->new();
160
3
137869
    my $rc = $self->acl_delete( $resp );
161
162
3
64
    unless ( $self->exist ) {
163
1
37
        $resp->set_message($self->name . " does not exist");
164
1
18
        $resp->set_iswarning(1);
165
1
19
        return $resp;
166    }
167
168
2
34
    $self->{exist} = 0 if $rc;
169
2
35
    $resp->set_value( $rc );
170
2
25
    return $resp;
171}
172
173sub description {
174
6
1
48
    my $self = shift;
175
6
31
    my $desc = '';
176
6
25
    my ($rc,$acl);
177
178
6
75
    my $resp = Tivoli::AccessManager::Admin::Response->new();
179
180
6
66
    if ( @_ == 1 ) {
181
2
16
        $desc = shift;
182    }
183    elsif ( @_ % 2 ) {
184
1
11
        $resp->set_message("Invalid syntax");
185
1
11
        $resp->set_isok(0);
186
1
5
        return $resp;
187    }
188    elsif ( @_ ) {
189
2
17
        my %opts = @_;
190
2
40
        $desc = $opts{description} || '';
191    }
192
193    # Set description
194
5
32
    if ( $desc ) {
195
3
265019
        $rc = $self->acl_setdescription($resp,$desc);
196
3
161977
        $self->acl_get($resp);
197    }
198
199
5
91
    if ( $resp->isok ) {
200
4
110
        $desc = $self->acl_getdescription();
201
4
64
        $resp->set_value( $desc || 'none' );
202    }
203
5
46
    return $resp;
204}
205
206sub _mod_perms {
207
35
206
    my $self = shift;
208
35
163
    my ($rc,$string,$acl,%opts,$name);
209
210
35
1306
    my %dispatch = ( unauth => { remove => \&acl_removeunauth,
211                                   get => \&acl_getunauth,
212                                   set => \&acl_setunauth },
213                     anyother => { remove => \&acl_removeanyother,
214                                   get => \&acl_getanyother,
215                                   set => \&acl_setanyother },
216                     group => { remove => \&acl_removegroup,
217                                   get => \&acl_getgroup,
218                                   set => \&acl_setgroup },
219                     user => { remove => \&acl_removeuser,
220                                   get => \&acl_getuser,
221                                   set => \&acl_setuser }
222                    );
223
224
225
35
562
    my $resp = Tivoli::AccessManager::Admin::Response->new();
226
227
35
264
    if ( @_ % 2 ) {
228
4
43
        $resp->set_message("Invalid syntax");
229
4
44
        $resp->set_isok(0);
230
4
96
        return $resp;
231    }
232
233
31
253
    unless ( $self->exist ) {
234
4
56
        $resp->set_message( $self->name . " doesn't exist");
235
4
44
        $resp->set_isok(0);
236
4
73
        return $resp;
237    }
238
239
27
537
    %opts = @_;
240
241
27
532
    if ( ($opts{action} eq 'user' or $opts{action} eq 'group') and not defined($opts{name}) ) {
242
2
30
        $resp->set_message( "Syntax error. You must define the $opts{action} name");
243
2
20
        $resp->set_isok(0);
244
2
39
        return $resp;
245    }
246
247
25
166
    if ( defined($opts{perms}) ) {
248
21
119
        if ( $opts{perms} eq 'remove' ) {
249
5
525510
            $rc = $dispatch{$opts{action}}{remove}->($self,$resp,$opts{name});
250        }
251        else {
252
16
1650704
            $rc = $dispatch{$opts{action}}{set}->($self,$resp,$opts{perms},$opts{name});
253        }
254    }
255
256
25
623
    if ( $resp->isok ) {
257
19
997939
        $self->acl_get($resp);
258
19
1154
        $string = $dispatch{$opts{action}}{get}->($self,$opts{name});
259
19
562
        $resp->set_value( $string || '');
260    }
261
25
859
    return $resp;
262}
263
264
7
1
84
sub unauth { _mod_perms(@_, action => 'unauth', name => ''); }
265
10
1
141
sub anyother { _mod_perms(@_, action => 'anyother', name => ''); }
266
9
1
100
sub group { _mod_perms(@_, action => 'group') }
267
9
1
121
sub user { _mod_perms(@_, action => 'user') }
268
269sub _addval {
270
3
13
    my $self = shift;
271
3
6
    my $vals = shift;
272
273
3
27
    my $resp = Tivoli::AccessManager::Admin::Response->new();
274
3
14
    my $rc;
275
276
3
3
12
24
    for my $key ( keys %{$vals} ) {
277        # Loop if given an array. Don't otherwise.
278
4
32
        if ( ref($vals->{$key} ) ) {
279
2
2
5
10
            for my $val ( @{$vals->{$key}} ) {
280
4
175443
                $rc = $self->acl_attrput( $resp, $key, $val );
281
4
82
                return $resp unless $resp->isok;
282            }
283        }
284        else {
285
2
91446
            $rc = $self->acl_attrput( $resp, $key, $vals->{$key} );
286        }
287
3
62
        return $resp unless $resp->isok;
288    }
289
1
11
    return $resp;
290}
291
292sub _remvalue {
293
5
22
    my $self = shift;
294
5
18
    my $vals = shift;
295
296
5
36
    my $resp = Tivoli::AccessManager::Admin::Response->new();
297
298
5
16
    my $rc;
299
300
5
5
11
37
    for my $key ( keys %{$vals} ) {
301        # Loop if given an array. Don't otherwise.
302
5
34
        if ( ref($vals->{$key}) ) {
303
3
3
11
14
            for my $val ( @{$vals->{$key}} ) {
304
4
179624
                $rc = $self->acl_attrdelval( $resp, $key, $val );
305
4
107
                return $resp unless $resp->isok;
306            }
307        }
308        else {
309
2
89543
            $rc = $self->acl_attrdelval( $resp, $key, $vals->{$key} );
310        }
311
3
52
        return $resp unless $resp->isok;
312    }
313
2
18
    return $resp;
314}
315
316sub _remkey {
317
2
12
    my $self = shift;
318
2
4
    my $keys = shift;
319
320
2
15
    my $resp = Tivoli::AccessManager::Admin::Response->new();
321
322
2
10
    my $rc;
323
2
2
6
6
    for ( @{$keys} ) {
324
2
91755
        $rc = $self->acl_attrdelkey( $resp, $_ );
325
2
54
        return $resp unless $resp->isok;
326    }
327
1
9
    return $resp;
328}
329
330sub attributes {
331
18
1
111
    my $self = shift;
332
18
207
    my $resp = Tivoli::AccessManager::Admin::Response->new;
333
18
87
    my $rhash = {};
334
335
18
220
    my %dpatch = ( remove => \&_remvalue,
336                   removekey => \&_remkey,
337                   add => \&_addval
338               );
339
340
18
144
    if ( @_ % 2 ) {
341
1
13
        $resp->set_message("Invalid syntax");
342
1
10
        $resp->set_isok(0);
343
1
11
        return $resp;
344    }
345
17
91
    my %opts = @_;
346
347
17
105
    unless ( $self->exist ) {
348
3
20
        $resp->set_message( $self->name . " doesn't exist");
349
3
30
        $resp->set_isok(0);
350
3
45
        return $resp;
351    }
352
353
14
70
    for my $op ( qw/remove removekey add/ ) {
354
35
208
        if ( defined( $opts{$op} ) ) {
355
10
69
            $resp = $dpatch{$op}->($self, $opts{$op});
356
10
110
            return $resp unless $resp->isok;
357
4
195964
            $self->acl_get($resp);
358        }
359    }
360
361    # The "return" in the loop means I will never get here unless either the
362    # loop succeeded, or no parameters where sent.
363
8
381
    for my $key ( $self->acl_attrlist ) {
364
10
311
        $rhash->{$key} = [ $self->acl_attrget($key) ];
365    }
366
8
80
    $resp->set_value( $rhash );
367
368
8
75
    return $resp;
369}
370
371sub DESTROY {
372
8
67
    my $self = shift;
373
374
8
133
    $self->_aclfree;
375}
376
377
61
1
624
sub exist { $_[0]->{exist} }
378
17
1
278
sub name { $_[0]->{name} }
379
3801;
381
382 - 821
=head1 NAME

Tivoli::AccessManager::Admin::ACL

=head1 SYNOPSIS

    use Tivoli::AccessManager::Admin;

    my $tam  = Tivoli::AccessManager::Admin->new( password => 'foobar' );
    my ($resp,$rc);

    # See what ACLs exist
    $resp = Tivoli::AccessManager::Admin::ACL->list($tam);
    print join("\n", $resp->value);

    # Create a new ACL
    my $acl = Tivoli::AccessManager::Admin::ACL->new( $tam );
    $resp = $acl->create('bob') unless $acl->exist;

    my $name = $acl->name;

    # Give the group 'jon' permissions in this ACL
    $resp = $acl->group(name => 'jons', perms => 'Trx' );

    print "The group 'jons' is granted these privileges by acl '$name':\n";
    print $resp->value,"\n";

    # Give the user "dave" the same access privs
    $resp = $acl->user(name => 'dave', perms => 'Trx' );

    # Dave was a mistake, lets remove him
    $resp = $acl->user(name => 'dave', perms => 'remove' );

    # Deny all access to anyother and unauth
    $resp = $acl->anyother( perms => "" );
    $resp = $acl->unauth( perms => '' );

    # list the users specified in the ACL
    $resp = $acl->listusers();

    # list the groups specified in the ACL
    $resp = $acl->listgroups();

    # Play with the attributes

    # well, that was fun.  What's say we clean up?
    $resp = $acl->delete();

    # Gain access to a system default ACL
    $acl = Tivoli::AccessManager::Admin::ACL->new($tam, 'default-webseal');

    # And find out where it is attached
    $resp = $acl->find;

=head1 DESCRIPTION

L<Tivoli::AccessManager::Admin::ACL|Tivoli::AccessManager::Admin::ACL> provides the interface to the ACL portion of the TAM
Admin API.  

=head1 CONSTRUCTOR

=head2 new( PDADMIN, NAME )

Creates a blessed B<Tivoli::AccessManager::Admin::ACL> object and returns it.

=head3 Parameters

=over 4

=item PDADMIN

An initialized L<Tivoli::AccessManager::Admin::Context|Tivoli::AccessManager::Admin::Context> object.  Please note that, after the
L<Tivoli::AccessManager::Admin::ACL|Tivoli::AccessManager::Admin::ACL> object is created, you cannot change the context w/o
destroying the object and recreating it.

=item NAME

The name of the ACL to which the object refers.

=back

=head3 Returns

A fully blessed L<Tivoli::AccessManager::Admin::ACL|Tivoli::AccessManager::Admin::ACL> object.

=head2 create(PDADMIN,NAME)

Creates a new ACL.  This is different than L<"/new"> in that the ACL will be
created in the policy database as well.

=head3 Parameters

=over 4

=item PDADMIN

An initialized L<Tivoli::AccessManager::Admin::Context|Tivoli::AccessManager::Admin::Context> object.  Please note that, after the
L<Tivoli::AccessManager::Admin::ACL|Tivoli::AccessManager::Admin::ACL> object is created, you cannot change the context w/o
destroying the object and recreating it.

=item NAME

The name of the ACL to create.  This parameter is optional, if you instatiated
the object with a name.  Otherwise, it will croak in a most unappealing
fashion.

=back

=head3 Returns

If the operational was successful, you will get the new
L<Tivoli::AccessManager::Admin::ACL|Tivoli::AccessManager::Admin::ACL> object.  If it wasn't successful, you will
get an error message why.  If the object already exists, you will get a
warning and the L<Tivoli::AccessManager::Admin::ACL|Tivoli::AccessManager::Admin::ACL> object.  And all of this
will be embedded in a L<Tivoli::AccessManager::Admin::Response|Tivoli::AccessManager::Admin::Response> object.

=head1 CLASS METHODS

Class methods behave like instance methods -- they return
L<Tivoli::AccessManager::Admin::Response|Tivoli::AccessManager::Admin::Response> objects.

=head2 list(PDADMIN)

Lists all ACLs.

=head3 Parameters

=over 4

=item PDADMIN

A fully blessed L<Tivoli::AccessManager::Admin::Context|Tivoli::AccessManager::Admin::Context> object.  

=back

=head3 Returns

The resulting list of ACLs.

=head1 METHODS

All of the methods return a L<Tam::Admin::Response|Tivoli::AccessManager::Admin::Response> object.  See the
documentation for that module on how to coax the values out.

The methods, for the most part, follow the same pattern.  If the optional
parameters are sent, it has the effect of setting the attributes.  All methods
calls will embed the results of a 'get' in the L<Tivoli::AccessManager::Admin::Response|Tivoli::AccessManager::Admin::Response> object.

=head2 list

Lists all of the ACLs.  

=head3 Parameters

none

=head3 Returns

A list of all the defined ACLs.

=head2 listgroups

Lists all the groups defined in the ACL.

=head3 Parameters

None

=head3 Returns

A list of the groups defined in the ACL.

=head2 listusers

Lists all the users defined in the ACL.

=head3 Parameters

None

=head3 Returns

A list of the users defined in the ACL.

=head2 create([NAME])

L<"/create"> can also be used as an instance method.

=head3 Parameters

=over 4

=item NAME

The name of the ACL to create.  This parameter is optional, if you instatiated
the object with a name.  Otherwise, it will croak in a most unappealing
fashion.

=back

=head3 Returns

True if the create succeeded, false it failed and a warning if the ACL already
existed.

=head2 description([STRING])

Sets the description on the ACL

=head3 Parameters

=over 4

=item STRING

The description to be set.  This is an optional parameter

=back

=head3 Returns

The current (possible empty) description.

=head2 find

Finds where in the object space the ACL has been attached.  This is really
just a wrapper for L<Tivoli::AccessManager::Admin::ProtObject|Tivoli::AccessManager::Admin::ProtObject>.  I like
an ACL object being able to tell you where it is.

=head3 Parameters

None

=head3 Returns
 
A possibly empty list of places the ACL is attached.

=head2 delete

Deletes the ACL.  

=head3 Parameters

None

=head3 Returns

True if the operation succeeded, and error and message otherwise.

=head2 anyother([perms =E<gt> STRING])

Sets or gets the permissions for any-other in the ACL.  The ACL must exist
before calling this method.

=head3 Parameters

=over 4

=item perms =E<gt> STRING

If this parameter is set, L<"anyother"> will attempt to set the permissions for
any-other to this value.  

If the value of this parameter is 'remove', L<"anyother"> will be removed from
the ACL.  

=back

=head3 Returns

The permissions currently allowed by the ACL for any-other.

=head2 unauth([perms =E<gt> STRING])

Sets or gets the permissions for unauth in the ACL.  The ACL must exist before
calling this method.

=head3 Parameters

=over 4

=item perms =E<gt> STRING

If this parameter is set, L</"unauth"> will attempt to set the permissions for
unauth to this value.  

If the value of this parameter is 'remove', L</"unauth"> will be removed from
the ACL.  

=back

=head3 Returns

A list of all of the actions currently allowed by the ACL for unauthenticated users.

=head2 group( name =E<gt> 'group'[, perms =E<gt> STRING )

Sets or gets the permissions for the named group in the ACL.  The ACL must
exist before calling this method.

=head3 Parameters

=over 4

=item name =E<gt> group

The name of the group to which the permissions apply.  This parameter is
mandatory.

=item perms =E<gt> STRING

If this parameter is set, L</"group"> will attempt to set the permissions for
the group to this value.  

If the value of this parameter is 'remove', the named group will be removed
from the ACL.  

=back

=head3 Returns

A list of all of the actions currently allowed by the ACL for the group.

=head2 user( name =E<gt> userid[, perms =E<gt> STRING )

Sets or gets the permissions for the named user in the ACL.  The ACL must
exist before calling this method.

=head3 Parameters

=over 4

=item name =E<gt> userid

The user id to which the permissions apply.  This parameter is mandatory.

=item perms =E<gt> STRING

If this parameter is set, L</"user"> will attempt to set the permissions for
the user to this value.  

If the value of this parameter is 'remove', The user will be removed from
the ACL.  

=back

=head3 Returns

A list of all of the permission currently allowed by the ACL for the user.

=head2 attributes([add =E<gt> { key => [qw/value0 value1/] | 'value0' }, 
				remove =E<gt> { key => [qw/value0 value1/] | 'value0' },
				removekey =E<gt> [qw/key0 key1] ] )

Adds key/value attributes to an ACL, removes the values and removes the
entire key/value pairs.  I find these to be the more ... annoying functions.

=head3 Parameters

=over 4

=item add =E<gt> { key =E<gt> [qw/ value0 value1/] | 'value0' }

Causes L</"attribute"> to add any number of key/value pairs to the ACL.  As
you can have multiple values associated with any given key, you can either use
an array reference for multiple values, or a simple scalar if you are playing
with only one.

You can, obviously, add multiple keys with the same call.  You can also,
strangely enough, add the same value to a key multiple times.

=item remove =E<gt> { key =E<gt> [qw/ value0 value1/] | 'value0' }

Removes the specified value(s) from the key.  This does not remove the key,
simply the values from the key.  You will get an error if you try to remove a
value that is not defined.

=item removekey =E<gt> [qw/key0 key1]

Removes both the attribute and any associated values from the ACL.

=back

=head3 Returns

A hash of lists.  The hash is keyed off of the attribute names.  The values
for each attribute are returned as a list -- even if there is only one value.  

=head2 exist

Lets you know if the ACL exists in the TAM database or not.

=head3 Parameters

None

=head3 Returns

0 if the ACL does not exist, 1 if it does.

=head2 name

Returns the name of the ACL

=head3 Parameters

None

=head3 Returns

Uhh.  The name of the ACL.

=head1 ACKNOWLEDGEMENTS

Please read L<Tivoli::AccessManager::Admin|Tivoli::AccessManager::Admin> for the full list of acks.  I stand upon the
shoulders of giants.

=head1 BUGS

The documentation is now horribly gobsmacked.  

The previous comment is really unhelpful.

The permissions needs to be extended to handle things like [PDWebPI].  It
would be better to extend them to be dynamically extendable.

=head1 AUTHOR

Mik Firestone E<lt>mikfire@gmail.comE<gt>

=head1 COPYRIGHT

Copyright (c) 2004-2011 Mik Firestone.  All rights reserved.  This program is
free software; you can redistibute it and/or modify it under the same terms as
Perl itself.

All references to TAM, Tivoli Access Manager, etc are copyrighted, trademarked
and otherwise patented by IBM.

=cut 
822