Allow afs/* principals in the Stanford naming policy

Change-Id: I59db1e8638a602d9c118ac01da17280c9ed7d005
Reviewed-on: https://gerrit.stanford.edu/1067
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>

2 files changed, 8 insertions, 3 deletions

diff --git a/perl/Wallet/Policy/Stanford.pm b/perl/Wallet/Policy/Stanford.pm
index 4386594..72abd09 100644
--- a/perl/Wallet/Policy/Stanford.pm
+++ b/perl/Wallet/Policy/Stanford.pm
@@ -266,6 +266,10 @@ sub verify_name {
             if ($instance !~ /^[a-z0-9-]+\.[a-z0-9.-]+$/) {
                 return "host name $instance is not fully qualified";
             }
+        } elsif ($principal eq 'afs') {
+            if ($instance !~ /^[a-z0-9-]+\.[a-z0-9.-]+$/) {
+                return "AFS cell name $instance is not fully qualified";
+            }
         } elsif ($principal eq 'service') {
             if ($instance !~ /^[a-z0-9-]+$/) {
                 return "invalid service principal name $name";
diff --git a/perl/t/stanford-naming.t b/perl/t/stanford-naming.t
index 3b9ea60..f222c49 100755
--- a/perl/t/stanford-naming.t
+++ b/perl/t/stanford-naming.t
@@ -16,7 +16,7 @@ use 5.008;
 use strict;
 use warnings;
 
-use Test::More tests => 99;
+use Test::More tests => 101;
 
 use lib 't/lib';
 use Util;
@@ -31,11 +31,12 @@ BEGIN {
 # Various valid keytab names.
 my @VALID_KEYTABS = qw(host/example.stanford.edu HTTP/example.stanford.edu
     service/example example/cgi class-example01/cgi dept-01example/cgi
-    group-example-01/cgi);
+    group-example-01/cgi afs/testcell.stanford.edu);
 
 # Various invalid keytab names.
 my @INVALID_KEYTABS = qw(example host/example service/example.stanford.edu
-    thisistoolong/cgi not-valid/cgi unknown/example.stanford.edu);
+    thisistoolong/cgi not-valid/cgi unknown/example.stanford.edu
+    afs/testcell);
 
 # Various valid file names.
 my @VALID_FILES = qw(htpasswd/example.stanford.edu/web