File Coverage

blib/lib/Data/Censor.pm

Criterion	Covered	Total	%
statement	40	57	70.1
branch	13	22	59.0
condition	8	16	50.0
subroutine	7	8	87.5
pod	2	3	66.6
total	70	106	66.0

line	stmt	bran	cond	sub	pod	time	code
1							package Data::Censor;
2
3	2			2		131192	use 5.006;
	2					20
4	2			2		12	use strict;
	2					3
	2					60
5	2			2		13	use warnings FATAL => 'all';
	2					3
	2					81
6	2			2		12	use Carp;
	2					4
	2					658
7
8							=head1 NAME
9
10							Data::Censor - censor sensitive stuff in a data structure
11
12							=head1 VERSION
13
14							Version 0.03
15
16							=cut
17
18							our $VERSION = '0.03';
19
20
21							=head1 SYNOPSIS
22
23							# OO way, letting you specify your own list of sensitive-looking fields, and
24							# what they should be replaced by (all options here are optional)
25							my $censor = Data::Censor->new(
26							# Specify which fields to censor:
27							sensitive_fields => [ qw(card_number password) ],
28
29							# Specify text to replace their values with:
30							replacement => '(Sensitive data hidden)',
31
32							# Or specify callbacks for each field name which return the "censored"
33							# value - in this case, masking a card number (PAN) to show only the
34							# last four digits:
35							replacement_callbacks => {
36							card_number => sub {
37							my $pan = shift;
38							return "x" x (length($pan) - 4) . substr($pan, -4, 4);
39							},
40							},
41							);
42
43							# Censor the data in-place (changes the data structure, returns the number
44							# of keys censored)
45							my $censor_count = $censor->censor(\%data);
46
47							# Alternate non-OO interface, using default settings and returning a cloned
48							# version of the data after censoring:
49							my $censored_data = Data::Censor->clone_and_censor(\%data);
50
51
52							=head1 new (CONSTRUCTOR)
53
54							Accepts the following arguments:
55
56							=over
57
58							=item sensitive_fields
59
60							Either an arrayref of sensitive fields, checked for equality, or a regex to test
61							against each key to see if it's considered sensitive.
62
63							=item replacement
64
65							The string to replace each value with. Any censoring callback provided in
66							C which matches this key will take precedence over this
67							straightforward value.
68
69							=item replacement_callbacks
70
71							A hashref of key => sub {...}, where each key is a column name to match, and the
72							coderef takes the uncensored value and returns the censored value, letting you
73							for instance mask a card number but leave the last 4 digits visible.
74
75							If you provide both C and C, any callback
76							defined which matches the key being considered takes precedence.
77
78							=back
79
80							=cut
81
82							sub new {
83	2			2	0	4280	my $class = shift;
84	2					7	my %args = @_;
85
86	2					5	my $self = bless {} => $class;
87
88	2	50				11	if (ref $args{sensitive_fields} eq 'Regexp') {
		50
89	0					0	$self->{censor_regex} = $args{sensitive_fields};
90							} elsif (ref $args{sensitive_fields} eq 'ARRAY') {
91							$self->{is_sensitive_field} = {
92	0					0	map { $_ => 1 } @{ $args{sensitive_fields} }
	0					0
	0					0
93							};
94							} else {
95							$self->{is_sensitive_field} = {
96	2					7	map { $_ => 1 } qw(
	22					47
97							pass password old_password secret
98							private_key cardnum card_number pan
99							cvv cvv2 ccv
100							)
101							};
102							}
103
104	2	100				11	if (ref $args{replacement_callbacks} eq 'HASH') {
105	1					2	$self->{replacement_callbacks} = $args{replacement_callbacks};
106							}
107	2	50				6	if (exists $args{replacement}) {
108	0					0	$self->{replacement} = $args{replacement};
109							} else {
110	2					5	$self->{replacement} = 'Hidden (looks potentially sensitive)';
111							}
112
113	2		50			11	$self->{recurse_limit} = $args{recurse_limit} \|\| 100;
114
115	2					13	return $self;
116							}
117
118							=head1 METHODS
119
120							=head2 censor
121
122							Given a data structure (hashref), clones it and returns the cloned version after
123							censoring potentially sensitive data within.
124
125							=cut
126
127							sub censor {
128	4			4	1	33	my ($self, $data, $recurse_count) = @_;
129	4		100			17	$recurse_count \|\|= 0;
130
131	2			2		16	no warnings 'recursion'; # we're checking ourselves.
	2					4
	2					726
132
133	4	50				11	if ($recurse_count++ > $self->{recurse_limit}) {
134	0					0	warn "Data exceeding $self->{recurse_limit} levels";
135	0					0	return;
136							}
137
138	4	50				11	if (ref $data ne 'HASH') {
139	0					0	croak('censor expects a hashref');
140							}
141
142	4					6	my $censored = 0;
143	4					88	for my $key (keys %$data) {
144	14	100	66			93	if (ref $data->{$key} eq 'HASH') {
		100	33
			66
145	2					8	$censored += $self->censor($data->{$key}, $recurse_count);
146							} elsif (
147							($self->{is_sensitive_field} && $self->{is_sensitive_field}{lc $key})
148							\|\|
149							($self->{censor_regex} && $key =~ $self->{censor_regex})
150							) {
151							# OK, censor this
152	6	100				23	if ($self->{replacement_callbacks}{lc $key}) {
153							$data->{$key} = $self->{replacement_callbacks}{lc $key}->(
154	1					4	$data->{$key}
155							);
156	1					11	$censored++;
157							} else {
158	5					30	$data->{$key} = $self->{replacement};
159	5					14	$censored++;
160							}
161							}
162							}
163
164	4					14	return $censored;
165							}
166
167							=head2 clone_and_censor
168
169							Clones the provided hashref (using L - will die if not installed), then
170							censors the cloned data and returns it.
171
172							Can be used both as a class or object method - the former for a quick way to use
173							it without having to instantiate an object, the latter if you want to apply
174							custom settings to the object before using it.
175
176							# As a class method
177							my $censored_data = Data::Censor->clone_and_censor($data);
178
179							# or as an object method
180							my $censor = Data::Censor->new( replacement => "SECRET!" );
181							my $censored_data = $censor->clone_and_censor($data);
182
183							=cut
184							sub clone_and_censor {
185	0			0	1		my $class = shift;
186	0						my $data = shift;
187
188	0	0					eval { require Clone; 1 }
	0
	0
189							or die "Can't clone data without Clone installed";
190
191	0						my $cloned_data = Clone::clone($data);
192
193							# if $class is a Data::Censor object, then we were called as an object method
194							# rather than a class method - that's fine - otherwise, create a new
195							# instance and use it:
196	0	0	0				my $self = ref $class && $class->isa('Data::Censor')
197							? $class
198							: $class->new;
199
200	0						$self->censor($cloned_data);
201	0						return $cloned_data;
202							};
203
204
205							=head1 AUTHOR
206
207							David Precious (BIGPRESH), C<< >>
208
209							This code was originally written for the L project by myself; I've
210							pulled it out into a seperate distribution as I was using it for code at work.
211
212
213
214							=head1 SUPPORT
215
216							You can find documentation for this module with the perldoc command.
217
218							perldoc Data::Censor
219
220
221							=head1 LICENSE AND COPYRIGHT
222
223							Copyright 2018 David Precious.
224
225							This program is free software; you can redistribute it and/or modify it
226							under the terms of the the Artistic License (2.0). You may obtain a
227							copy of the full license at:
228
229							L
230
231							Any use, modification, and distribution of the Standard or Modified
232							Versions is governed by this Artistic License. By using, modifying or
233							distributing the Package, you accept this license. Do not use, modify,
234							or distribute the Package, if you do not accept this license.
235
236							If your Modified Version has been derived from a Modified Version made
237							by someone other than you, you are nevertheless required to ensure that
238							your Modified Version complies with the requirements of this license.
239
240							This license does not grant you the right to use any trademark, service
241							mark, tradename, or logo of the Copyright Holder.
242
243							This license includes the non-exclusive, worldwide, free-of-charge
244							patent license to make, have made, use, offer to sell, sell, import and
245							otherwise transfer the Package with respect to any patent claims
246							licensable by the Copyright Holder that are necessarily infringed by the
247							Package. If you institute patent litigation (including a cross-claim or
248							counterclaim) against any party alleging that the Package constitutes
249							direct or contributory patent infringement, then this Artistic License
250							to you shall terminate on the date that such litigation is filed.
251
252							Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER
253							AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
254							THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
255							PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY
256							YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR
257							CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR
258							CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE,
259							EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
260
261
262							=cut
263
264							1; # End of Data::Censor