package WOU_Secure;

# Security functions
#
# Jeremy Hickerson, 3/6/2002

use strict;

BEGIN {
    # Exporter is loaded without importing anything; its import() is
    # inherited through @ISA below.
    use Exporter ();
    use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);

    # set the version for version checking
    $VERSION = 1.00;

    @ISA = ('Exporter');

    # Both subs are exported into every caller by default.
    @EXPORT = ('&gwrsecp', '&sis_object');

    # Nothing is exported on request and no tags are defined.
    @EXPORT_OK   = ();
    %EXPORT_TAGS = ();    # eg: TAG => [ qw!name1 name2! ],
}
use vars @EXPORT_OK;

# Predeclare the exported subs so they can be called without parentheses.
use subs ('gwrsecp', 'sis_object');
use DBI;

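# ============================================================
# GWRSECP - turns on user security role inside a DBI session
# ============================================================
#
# Arguments:
#   $dbh    - connected DBI database handle; the role is set for this
#             session and the handle is then used with that role's rights.
#   $object - object name to look the role up for (see sis_object). It is
#             passed as a bind value and never interpolated into the
#             PL/SQL text.
#
# Returns the result of $sth->execute.  Dies with the driver's error
# text if the PL/SQL block cannot be prepared.
#
# Security notes:
#   * SEED1/SEED3 are inputs to G$_SECURITY.G$_DECRYPT_FNC and therefore
#     act as secrets.  They live in this source file, so keep the file
#     readable only by the accounts that run these scripts and keep the
#     real values out of version control and shared listings.
#   * The statement text (including the seeds) can show up in DBI trace
#     output; keep tracing off, or its log protected, around this call.
#   * When the lookup reports 'INSECURED' the block returns early and no
#     role is set, yet execute still succeeds.  A caller that depends on
#     the role should confirm it is active (e.g. via SESSION_ROLES).
sub gwrsecp {

    my ($dbh, $object) = @_;

    # set session for cost-based optimization now that spriden is on WOPS
    # (best effort: the result of this statement is deliberately not checked)
    $dbh->do("alter session set optimizer_goal = ALL_ROWS");

    # Copied below from gen$plus:gwrsecp.sql, changed the parts that
    # were specific to sqlplus scripts (the parsing of the object name
    # from the full pathname of the sql script, and the running of the
    # script after setting the role).  This sub gets the actual object
    # name as a parameter and sets the role for the $dbh.  You then use
    # that $dbh in your perl script with the access rights of that role.
    #
    # Everything inside q{} is sent to the database verbatim, so comments
    # in there must use PL/SQL's "--" form; a Perl-style "#" comment is
    # not valid PL/SQL and makes the block fail to compile.
    my $sth_pl_sql = $dbh->prepare(q{

        DECLARE
          --
          -- Character string variables.
          --
          HOLD_CMD      VARCHAR2(240);
          OBJECT        VARCHAR2(30);
          PASSWORD      VARCHAR2(30);
          PASSWORD_OUT  VARCHAR2(30);
          ROLE_NAME     VARCHAR2(30);
          VERSION       VARCHAR2(10);
          --
          -- Number variables.
          --
          SEED1         NUMBER(8);
          SEED3         NUMBER(8);
        --
        -- Begin main logic.
        --
        BEGIN
          -- jdh, object is passed directly, don't need to parse
          OBJECT  := ?;
          SEED1   := 99999999; -- use your numbers here
          SEED3   := 99999999; -- use your numbers here
          VERSION := NULL;
          --
          -- Obtain encrypted password.
          --
          G$_SECURITY.G$_VERIFY_PASSWORD1_PRD(OBJECT,
                                              VERSION,
                                              PASSWORD,
                                              ROLE_NAME);
          --
          -- Check security status.
          --
          IF PASSWORD = 'INSECURED' THEN
            RETURN;
          END IF;
          --
          -- Call for second phase processing.
          --
          PASSWORD_OUT := G$_SECURITY.G$_DECRYPT_FNC(PASSWORD,
                                                     SEED3);
          PASSWORD := PASSWORD_OUT;
          --
          -- Call for third phase processing.
          --
          G$_SECURITY.G$_VERIFY_PASSWORD1_PRD(OBJECT,
                                              VERSION,
                                              PASSWORD,
                                              ROLE_NAME);
          --
          -- Call for fourth phase processing.
          --
          PASSWORD_OUT := G$_SECURITY.G$_DECRYPT_FNC(PASSWORD,
                                                     SEED1);
          PASSWORD := '"' || PASSWORD_OUT || '"';
          --
          -- Invoke needed role.
          --
          HOLD_CMD := ROLE_NAME || ' IDENTIFIED BY ' || PASSWORD;
          DBMS_SESSION.SET_ROLE(HOLD_CMD);
          --
          -- Clear variables.
          --
          HOLD_CMD     := NULL;
          OBJECT       := NULL;
          PASSWORD     := NULL;
          PASSWORD_OUT := NULL;
          ROLE_NAME    := NULL;
          SEED1        := 0;
          SEED3        := 0;
          --
        END;} )
        # Without RaiseError a failed prepare returns undef; stop here with
        # the driver's message instead of an opaque method-on-undef error.
        or die "gwrsecp: cannot prepare role block: " . $dbh->errstr;

    return $sth_pl_sql->execute($object);

}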
# Reduce a script or command-file name to the bare object name handed to
# gwrsecp.  The argument is upper-cased, then:
#   * for perl scripts, an optional leading prefix ending in ':' or ']'
#     and the ".pl" extension are dropped;
#   * for com files written as "@name", the '@' and the same kind of
#     optional prefix are dropped.
# Neither pattern is anchored, so any text after ".pl" stays in the result.
# NOTE(review): the returned name selects which role gwrsecp asks for, so
# callers should feed this a value they control (presumably the script's
# own name) rather than user input - confirm against callers.
sub sis_object {
    my ($raw_name) = @_;
    my $object_name = uc $raw_name;

    $object_name =~ s/(\S+[:\]])?(\S+)\.pl/$2/i;    # perl
    $object_name =~ s/@(\S+[:\]])?(\S+)/$2/i;       # com

    return $object_name;
}
# A required file has to finish with a true value, otherwise
# "use WOU_Secure" / "require WOU_Secure" fails at load time.
return 1;