File Coverage

blib/lib/Beam/Runnable/AllowUsers.pm
Criterion Covered Total %
statement 15 15 100.0
branch n/a
condition n/a
subroutine 5 5 100.0
pod n/a
total 20 20 100.0


line stmt bran cond sub pod time code
1             package Beam::Runnable::AllowUsers;
2             our $VERSION = '0.014';
3             # ABSTRACT: Only allow certain users to run a command
4              
5             #pod =head1 SYNOPSIS
6             #pod
7             #pod ### In a Runnable module
8             #pod package My::Runnable::Script;
9             #pod use Moo;
10             #pod with 'Beam::Runnable', 'Beam::Runnable::AllowUsers';
11             #pod has '+allow_users' => ( default => [ 'root' ] );
12             #pod sub run { }
13             #pod
14             #pod ### In a container config file
15             #pod runnable:
16             #pod $class: My::Runnable::Script
17             #pod $with:
18             #pod - 'Beam::Runnable::AllowUsers'
19             #pod allow_users:
20             #pod - root
21             #pod - doug
22             #pod
23             #pod =head1 DESCRIPTION
24             #pod
25             #pod This role checks to ensure that only certain users can run a command. If
26             #pod an unauthorized user runs the command, it dies with an error instead.
27             #pod
28             #pod B This is mostly a demonstration of a L role.
29             #pod Users that can write to the configuration file can edit who is allowed
30             #pod to run the command, and there are other ways to prevent access to
31             #pod a file/command.
32             #pod
33             #pod =head1 SEE ALSO
34             #pod
35             #pod L, L, L<< perlvar/$> >>
36             #pod
37             #pod =cut
38              
39 1     1   356 use strict;
  1         2  
  1         25  
40 1     1   4 use warnings;
  1         2  
  1         20  
41 1     1   4 use Moo::Role;
  1         2  
  1         5  
42 1     1   276 use List::Util qw( any );
  1         1  
  1         72  
43 1     1   5 use Types::Standard qw( ArrayRef Str );
  1         1  
  1         6  
44              
45             #pod =attr allow_users
46             #pod
47             #pod An array reference of user names that are allowed to run this task.
48             #pod
49             #pod =cut
50              
51             has allow_users => (
52             is => 'ro',
53             isa => ArrayRef[ Str ],
54             required => 1,
55             );
56              
57             #pod =method run
58             #pod
59             #pod This role wraps the C method of your runnable class to check that
60             #pod the user is authorized.
61             #pod
62             #pod =cut
63              
64             before run => sub {
65             my ( $self, @args ) = @_;
66             my $user = getpwuid( $> );
67             die "Unauthorized user: $user\n"
68             unless any { $_ eq $user } @{ $self->allow_users };
69             };
70              
71             1;
72              
73             __END__