File Coverage

blib/lib/Data/Censor.pm

Criterion	Covered	Total	%
statement	41	58	70.6
branch	13	22	59.0
condition	8	16	50.0
subroutine	7	8	87.5
pod	2	3	66.6
total	71	107	66.3

line	stmt	bran	cond	sub	pod	time	code
1							package Data::Censor;
2
3	2			2		52844	use 5.006;
	2					8
	2					84
4	2			2		16	use strict;
	2					6
	2					75
5	2			2		10	use warnings FATAL => 'all';
	2					8
	2					83
6	2			2		10	use Carp;
	2					2
	2					743
7
8							=head1 NAME
9
10							Data::Censor - censor sensitive stuff in a data structure
11
12							=head1 VERSION
13
14							Version 0.02
15
16							=cut
17
18							our $VERSION = '0.02';
19
20
21							=head1 SYNOPSIS
22
23							# OO way, letting you specify your own list of sensitive-looking fields, and
24							# what they should be replaced by (all options here are optional)
25							my $censor = Data::Censor->new(
26							# Specify which fields to censor:
27							sensitive_fields => [ qw(card_number password) ],
28
29							# Specify text to replace their values with:
30							replacement => '(Sensitive data hidden)',
31
32							# Or specify callbacks for each field name which return the "censored"
33							# value - in this case, masking a card number (PAN) to show only the
34							# last four digits:
35							replacement_callbacks => {
36							card_number => sub {
37							my $pan = shift;
38							return "x" x (length($pan) - 4) . substr($pan, -4, 4);
39							},
40							},
41							);
42
43							# Censor the data in-place (changes the data structure, returns the number
44							# of keys censored)
45							my $censor_count = $censor->censor(\%data);
46
47							# Alternate non-OO interface, using default settings and returning a cloned
48							# version of the data after censoring:
49							my $censored_data = Data::Censor->clone_and_censor(\%data);
50
51
52							=head1 new (CONSTRUCTOR)
53
54							Accepts the following arguments:
55
56							=over
57
58							=item sensitive_fields
59
60							Either an arrayref of sensitive fields, checked for equality, or a regex to test
61							against each key to see if it's considered sensitive.
62
63							=item replacement
64
65							The string to replace each value with. Any censoring callback provided in
66							C which matches this key will take precedence over this
67							straightforward value.
68
69							=item replacement_callbacks
70
71							A hashref of key => sub {...}, where each key is a column name to match, and the
72							coderef takes the uncensored value and returns the censored value, letting you
73							for instance mask a card number but leave the last 4 digits visible.
74
75							If you provide both C and C, any callback
76							defined which matches the key being considered takes precedence.
77
78							=back
79
80							=cut
81
82							sub new {
83	2			2	0	4033	my $class = shift;
84	2					9	my %args = @_;
85
86	2					9	my $self = bless {} => $class;
87
88	2	50				16	if (ref $args{sensitive_fields} eq 'Regexp') {
		50
89	0					0	$self->{censor_regex} = $args{sensitive_fields};
90							} elsif (ref $args{sensitive_fields} eq 'ARRAY') {
91	0					0	$self->{is_sensitive_field} = {
92	0					0	map { $_ => 1 } @{ $args{sensitive_fields} }
	0					0
93							};
94							} else {
95	20					67	$self->{is_sensitive_field} = {
96	2					7	map { $_ => 1 } qw(
97							pass password secret private_key
98							cardnum card_number pan cvv cvv2 ccv
99							)
100							};
101							}
102
103	2	100				11	if (ref $args{replacement_callbacks} eq 'HASH') {
104	1					3	$self->{replacement_callbacks} = $args{replacement_callbacks};
105							}
106	2	50				7	if (exists $args{replacement}) {
107	0					0	$self->{replacement} = $args{replacement};
108							} else {
109	2					6	$self->{replacement} = 'Hidden (looks potentially sensitive)';
110							}
111
112	2		50			17	$self->{recurse_limit} = $args{recurse_limit} \|\| 100;
113
114	2					9	return $self;
115							}
116
117							=head1 METHODS
118
119							=head2 censor
120
121							Given a data structure (hashref), clones it and returns the cloned version after
122							censoring potentially sensitive data within.
123
124							=cut
125
126							sub censor {
127	4			4	1	46	my ($self, $data, $recurse_count) = @_;
128	4		100			18	$recurse_count \|\|= 0;
129
130	2			2		12	no warnings 'recursion'; # we're checking ourselves.
	2					3
	2					806
131
132	4	50				13	if ($recurse_count++ > $self->{recurse_limit}) {
133	0					0	warn "Data exceeding $self->{recurse_limit} levels";
134	0					0	return;
135							}
136
137	4	50				12	if (ref $data ne 'HASH') {
138	0					0	croak('censor expects a hashref');
139							}
140
141	4					6	my $censored = 0;
142	4					14	for my $key (keys %$data) {
143	14	100	66			120	if (ref $data->{$key} eq 'HASH') {
		100	33
			66
144	2					7	$censored += $self->censor($data->{$key}, $recurse_count);
145							} elsif (
146							($self->{is_sensitive_field} && $self->{is_sensitive_field}{lc $key})
147							\|\|
148							($self->{censor_regex} && $key =~ $self->{censor_regex})
149							) {
150							# OK, censor this
151	6	100				17	if ($self->{replacement_callbacks}{lc $key}) {
152	1					6	$data->{$key} = $self->{replacement_callbacks}{lc $key}->(
153							$data->{$key}
154							);
155	1					12	$censored++;
156							} else {
157	5					10	$data->{$key} = $self->{replacement};
158	5					10	$censored++;
159							}
160							}
161							}
162
163	4					14	return $censored;
164							}
165
166							=head2 clone_and_censor
167
168							Clones the provided hashref (using L - will die if not installed), then
169							censors the cloned data and returns it.
170
171							Can be used both as a class or object method - the former for a quick way to use
172							it without having to instantiate an object, the latter if you want to apply
173							custom settings to the object before using it.
174
175							# As a class method
176							my $censored_data = Data::Censor->clone_and_censor($data);
177
178							# or as an object method
179							my $censor = Data::Censor->new( replacement => "SECRET!" );
180							my $censored_data = $censor->clone_and_censor($data);
181
182							=cut
183							sub clone_and_censor {
184	0			0	1		my $class = shift;
185	0						my $data = shift;
186
187	0	0					eval { require Clone; 1 }
	0
	0
188							or die "Can't clone data without Clone installed";
189
190	0						my $cloned_data = Clone::clone($data);
191
192							# if $class is a Data::Censor object, then we were called as an object method
193							# rather than a class method - that's fine - otherwise, create a new
194							# instance and use it:
195	0	0	0				my $self = ref $class && $class->isa('Data::Censor')
196							? $class
197							: $class->new;
198
199	0						$self->censor($cloned_data);
200	0						return $cloned_data;
201							};
202
203
204							=head1 AUTHOR
205
206							David Precious (BIGPRESH), C<< >>
207
208							This code was originally written for the L project by myself; I've
209							pulled it out into a seperate distribution as I was using it for code at work.
210
211
212
213							=head1 SUPPORT
214
215							You can find documentation for this module with the perldoc command.
216
217							perldoc Data::Censor
218
219
220							=head1 LICENSE AND COPYRIGHT
221
222							Copyright 2014 David Precious.
223
224							This program is free software; you can redistribute it and/or modify it
225							under the terms of the the Artistic License (2.0). You may obtain a
226							copy of the full license at:
227
228							L
229
230							Any use, modification, and distribution of the Standard or Modified
231							Versions is governed by this Artistic License. By using, modifying or
232							distributing the Package, you accept this license. Do not use, modify,
233							or distribute the Package, if you do not accept this license.
234
235							If your Modified Version has been derived from a Modified Version made
236							by someone other than you, you are nevertheless required to ensure that
237							your Modified Version complies with the requirements of this license.
238
239							This license does not grant you the right to use any trademark, service
240							mark, tradename, or logo of the Copyright Holder.
241
242							This license includes the non-exclusive, worldwide, free-of-charge
243							patent license to make, have made, use, offer to sell, sell, import and
244							otherwise transfer the Package with respect to any patent claims
245							licensable by the Copyright Holder that are necessarily infringed by the
246							Package. If you institute patent litigation (including a cross-claim or
247							counterclaim) against any party alleging that the Package constitutes
248							direct or contributory patent infringement, then this Artistic License
249							to you shall terminate on the date that such litigation is filed.
250
251							Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER
252							AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
253							THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
254							PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY
255							YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR
256							CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR
257							CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE,
258							EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
259
260
261							=cut
262
263							1; # End of Data::Censor