File Coverage

blib/lib/Plack/Middleware/PeriAHS/CheckAccess.pm

Criterion	Covered	Total	%
statement	21	23	91.3
branch			n/a
condition			n/a
subroutine	8	8	100.0
pod			n/a
total	29	31	93.5

line	stmt	sub	time	code
1				package Plack::Middleware::PeriAHS::CheckAccess;
2
3	1	1	664	use 5.010;
	1		4
4	1	1	7	use strict;
	1		5
	1		46
5	1	1	11	use warnings;
	1		4
	1		39
6	1	1	9	use Log::ger;
	1		3
	1		8
7
8	1	1	1276	use parent qw(Plack::Middleware);
	1		4
	1		11
9	1		10	use Plack::Util::Accessor qw(
10				allow_log
11				allow_uri_scheme
12				deny_uri_scheme
13				allow_uri
14				deny_uri
15				allow_action
16				deny_action
17	1	1	75	);
	1		9
18	1	1	101	use Plack::Util::PeriAHS qw(errpage);
	1		2
	1		62
19	1	1	364	use SHARYANTO::Array::Util qw(match_array_or_regex);
	0
	0
20				use URI::Split qw(uri_split);
21
22				our $VERSION = '0.61'; # VERSION
23
24				sub prepare_app {
25				my $self = shift;
26
27				$self->{allow_log} //= 0;
28				$self->{allow_uri_scheme} //= ['pl'];
29				}
30
31				sub call {
32				log_trace("=> PeriAHS::CheckAccess middleware");
33
34				my ($self, $env) = @_;
35
36				my $rreq = $env->{"riap.request"};
37				my $uri = $rreq->{uri};
38
39				if (!$self->{allow_log}) {
40				return errpage($env, [403, "Setting loglevel is forbidden"])
41				if $rreq->{loglevel};
42				}
43
44				my ($sch, $auth, $path) = uri_split($uri);
45				$sch //= "pl";
46				if ($self->{allow_uri_scheme}) {
47				return errpage($env, [403, "Riap URI scheme not allowed (not in list)"])
48				unless match_array_or_regex($sch, $self->{allow_uri_scheme});
49				}
50				if ($self->{deny_uri_scheme}) {
51				return errpage($env, [403, "Riap URI scheme not allowed (deny list)"])
52				if match_array_or_regex($sch, $self->{deny_uri_scheme});
53				}
54
55				if ($self->{allow_uri}) {
56				return errpage($env, [403, "Riap URI not allowed (not in list)"])
57				unless match_array_or_regex($uri, $self->{allow_uri});
58				}
59				if ($self->{deny_uri}) {
60				return errpage($env, [403, "Riap URI not allowed (deny list)"])
61				if match_array_or_regex($uri, $self->{deny_uri});
62				}
63
64				if ($self->{allow_action}) {
65				return errpage($env, [403, "Riap action not allowed (not in list)"])
66				unless match_array_or_regex($rreq->{action}, $self->{allow_action});
67				}
68				if ($self->{deny_action}) {
69				return errpage($env, [403, "Riap action '$rreq->{action}' not allowed ".
70				"(deny list)"])
71				if match_array_or_regex($rreq->{action}, $self->{deny_action});
72				}
73
74				# continue to app
75				$self->app->($env);
76				}
77
78				1;
79				# ABSTRACT: Deny access based on some criteria
80
81				__END__
82
83				=pod
84
85				=encoding UTF-8
86
87				=head1 NAME
88
89				Plack::Middleware::PeriAHS::CheckAccess - Deny access based on some criteria
90
91				=head1 VERSION
92
93				This document describes version 0.61 of Plack::Middleware::PeriAHS::CheckAccess (from Perl distribution Perinci-Access-HTTP-Server), released on 2017-07-10.
94
95				=head1 DESCRIPTION
96
97				This middleware denies access according to some criterias in
98				C<$env->{"riap.request"}>. It should be put after ParseRequest.
99
100				For a more sophisticated access control, try the PeriAHS::ACL middleware.
101
102				=for Pod::Coverage .*
103
104				=head1 CONFIGURATIONS
105
106				=over 4
107
108				=item * allow_log => BOOL (default 1)
109
110				Whether to allow request for returning log messages (request key C<loglevel>
111				with values larger than 0). You might want to turn this off on production
112				servers.
113
114				=item * allow_uri_scheme => ARRAY\|REGEX (default ['pl'])
115
116				Which URI schemes are allowed. By default only local schemes are allowed. Add
117				'http' or 'https' if you want proxying capability.
118
119				=item * deny_uri_scheme => ARRAY\|REGEX
120
121				Which URI schemes are forbidden.
122
123				=item * allow_uri => ARRAY\|REGEX (default ['pl'])
124
125				Allowed URIs. Note that URIs are normalized with scheme C<pl> if unschemed.
126				Example:
127
128				=item * deny_uri => ARRAY\|REGEX (default ['pl'])
129
130				Forbidden URIs.
131
132				=item * allow_action => ARRAY\|REGEX
133
134				Which actions are allowed.
135
136				=item * deny_action => ARRAY\|REGEX
137
138				Which actions are forbidden.
139
140				=back
141
142				=head1 HOMEPAGE
143
144				Please visit the project's homepage at L<https://metacpan.org/release/Perinci-Access-HTTP-Server>.
145
146				=head1 SOURCE
147
148				Source repository is at L<https://github.com/perlancar/perl-Perinci-Access-HTTP-Server>.
149
150				=head1 BUGS
151
152				Please report any bugs or feature requests on the bugtracker website L<https://rt.cpan.org/Public/Dist/Display.html?Name=Perinci-Access-HTTP-Server>
153
154				When submitting a bug or request, please include a test-file or a
155				patch to an existing test-file that illustrates the bug or desired
156				feature.
157
158				=head1 AUTHOR
159
160				perlancar <perlancar@cpan.org>
161
162				=head1 COPYRIGHT AND LICENSE
163
164				This software is copyright (c) 2017, 2015, 2014, 2013, 2012, 2011 by perlancar@cpan.org.
165
166				This is free software; you can redistribute it and/or modify it under
167				the same terms as the Perl 5 programming language system itself.
168
169				=cut