File Coverage

blib/lib/PlugAuth/Role/Authz.pm

Criterion	Covered	Total	%
statement	12	31	38.7
branch	0	8	0.0
condition			n/a
subroutine	4	12	33.3
pod	8	8	100.0
total	24	59	40.6

line	stmt	bran	sub	pod	time	code
1						package PlugAuth::Role::Authz;
2
3	41		41		32456	use strict;
	41				87
	41				1677
4	41		41		235	use warnings;
	41				85
	41				1639
5	41		41		217	use Role::Tiny;
	41				77
	41				294
6	41		41		5846	use List::MoreUtils qw( uniq );
	41				80
	41				781
7
8						# ABSTRACT: Role for PlugAuth authorization plugins
9						our $VERSION = '0.35'; # VERSION
10
11
12						requires qw(
13						can_user_action_resource
14						match_resources
15						host_has_tag
16						actions
17						groups_for_user
18						all_groups
19						users_in_group
20						);
21
22
23	0		0	1		sub create_group { 0 }
24
25
26	0		0	1		sub delete_group { 0 }
27
28
29	0		0	1		sub grant { 0 }
30
31
32	0		0	1		sub revoke { 0 }
33
34
35	0		0	1		sub granted { [] }
36
37
38	0		0	1		sub update_group { 0 }
39
40
41						sub add_user_to_group
42						{
43	0		0	1		my($self, $group, $user) = @_;
44	0					my $users = $self->users_in_group($group);
45	0	0				return 0 unless defined $users;
46	0					push @$users, $user;
47	0					$users = join(',', uniq @$users);
48	0	0				return $self->update_group($group, $users) ? $users : ();
49						}
50
51
52						sub remove_user_from_group
53						{
54	0		0	1		my($self, $group, $user) = @_;
55	0					my $users = $self->users_in_group($group);
56	0	0				return 0 unless defined $users;
57	0					@$users = grep { lc $_ ne lc $user } @$users;
	0
58	0					$users = join(',', uniq @$users);
59	0	0				return $self->update_group($group, $users) ? $users : ();
60						}
61
62						1;
63
64						__END__
65
66						=pod
67
68						=encoding UTF-8
69
70						=head1 NAME
71
72						PlugAuth::Role::Authz - Role for PlugAuth authorization plugins
73
74						=head1 VERSION
75
76						version 0.35
77
78						=head1 SYNOPSIS
79
80						package PlugAuth::Plugin::MyAuthz;
81
82						use Role::Tiny::With;
83
84						with 'PlugAuth::Role::Plugin';
85						with 'PlugAuth::Role::Authz';
86
87						# implement at least: can_user_action_resource, match_resources,
88						# host_has_tag, actions, groups_for_user, all_groups
89						# and users_in_group
90
91						# optionall implement: create_group, delete_group, update_group
92						# and delete_group
93
94						1;
95
96						=head1 DESCRIPTION
97
98						Use this role when writing PlugAuth plugins that manage
99						authorization (ie. determine what the user has authorization
100						to actually do).
101
102						=head1 REQUIRED ABSTRACT METHODS
103
104						=head2 $plugin-E<gt>can_user_action_resource( $user, $action, $resource )
105
106						If $user can perform $action on $resource, return a string containing the
107						group and resource that permits this. Otherwise, return false.
108
109						=head2 $plugin-E<gt>match_resources( $regex )
110
111						Given a regex, return all resources that match that regex.
112
113						=head2 $plugin-E<gt>host_has_tag( $host, $tag )
114
115						Returns true if the given host has the given tag.
116
117						=head2 $plugin-E<gt>actions
118
119						Returns a list of actions.
120
121						=head2 $plugin-E<gt>groups_for_user( $user )
122
123						Returns the groups the given user belongs to.
124
125						=head2 $plugin-E<gt>all_groups
126
127						Returns a list of all groups.
128
129						=head2 $plugin-E<gt>users_in_group( $group )
130
131						Return the list of users (as an array ref) that belong to the given group.
132						Each user belongs to a special group that is the same as their user name
133						and just contains themselves, and this will be included in the list.
134
135						Returns undef if there is no such group.
136
137						=head1 OPTIONAL ABSTRACT METHODS
138
139						These methods may be implemented by your class.
140
141						=head2 $plugin-E<gt>create_group( $group, $users )
142
143						Create a new group with the given users. $users is a
144						comma separated list of user names.
145
146						=head2 $plugin-E<gt>delete_group( $group )
147
148						Delete the given group.
149
150						=head2 $plugin-E<gt>grant( $group, $action, $resource )
151
152						Grant the given group or user ($group) the authorization to perform the given
153						action ($action) on the given resource ($resource).
154
155						=head2 $plugin-E<gt>revoke( $group, $action, $resource )
156
157						Revoke the given group or user ($group) the authorization to perform
158						the given action ($action) on the given resource ($resource)
159
160						=head2 $plugin-E<gt>granted
161
162						Returns a list of granted permissions
163
164						=head2 $plugin-E<gt>update_group( $group, $users )
165
166						Update the given group, setting the set of users that belong to that
167						group. The existing group membership will be replaced with the new one.
168						$users is a comma separated list of user names.
169
170						=head2 $plugin-E<gt>add_user_to_group( $group, $user )
171
172						Add the given user to the given group. If you do not implement this
173						method, but do implement the C<update_group> method above, then
174						this method will get the group using C<users_in_group> and
175						C<update_group>, but there is a race condition if another process
176						updates the group between these two calls, so it is better to
177						implement it yourself using whatever native locking mechanism you can.
178
179						This method should return the new list of users that belong to the
180						given group.
181
182						=head2 $plugin-E<gt>remove_user_from_group( $group, $user )
183
184						Remove the given user from the given group. If you do not implement this
185						method, but do implement the C<update_group> method above, then
186						this method will get the group using C<users_in_group> and
187						C<update_group>, but there is a race condition if another process
188						updates the group between these two calls, so it is better to
189						implement it yourself using whatever native locking mechanism you can.
190
191						This method should return the new list of users that belong to the
192						given group.
193
194						=head1 SEE ALSO
195
196						L<PlugAuth>,
197						L<PlugAuth::Guide::Plugin>
198
199						=head1 AUTHOR
200
201						Graham Ollis <gollis@sesda3.com>
202
203						=head1 COPYRIGHT AND LICENSE
204
205						This software is copyright (c) 2012 by NASA GSFC.
206
207						This is free software; you can redistribute it and/or modify it under
208						the same terms as the Perl 5 programming language system itself.
209
210						=cut