authorRuss Allbery <rra@stanford.edu>2013-02-05 19:51:00 -0800
committerRuss Allbery <rra@stanford.edu>2013-02-05 20:22:52 -0800
commit271896c3a9dee9108e021519e340e4547ef5ab93 (patch)
tree214e36e8e60596e67fddfd456a72376d817255cd
parent7001e303c51b1b18f07fb764c91b5ff67b2318f8 (diff)
Separate legacy groups from new groups in Stanford policy
Add all the new group names for the Stanford naming policy and associate them with default ACLs (not yet used). Distinguish them from the legacy group names, and use the appropriate ones for naming policy enforcement. Change-Id: I4b87ff48d34d82195245798f41afefff26efa95d Reviewed-on: https://gerrit.stanford.edu/758 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
-rw-r--r--perl/Wallet/Policy/Stanford.pm20
-rwxr-xr-xperl/t/stanford-naming.t31
2 files changed, 31 insertions, 20 deletions
diff --git a/perl/Wallet/Policy/Stanford.pm b/perl/Wallet/Policy/Stanford.pm
index 0183df8..840f5f3 100644
--- a/perl/Wallet/Policy/Stanford.pm
+++ b/perl/Wallet/Policy/Stanford.pm
@@ -39,9 +39,19 @@ BEGIN {
# The domain to append to hostnames to fully-qualify them.
our $DOMAIN = 'stanford.edu';
-# Groups for file object naming. This default is entirely Stanford-specific,
-# even more so than the rest of this file.
-our @GROUPS = qw(apps crcsg gsb idg sysadmin sulair vast);
+# Groups for file object naming, each mapped to the ACL to use for
+# non-host-based objects owned by that group. This default is entirely
+# Stanford-specific, even more so than the rest of this file.
+our %GROUPS = (
+ 'its-apps' => 'group/sharedapps',
+ 'its-crc-sg' => 'group/crcsg',
+ 'its-idg' => 'group/its-idg',
+ 'its-rc' => 'group/its-rc',
+ 'its-sa-core' => 'group/its-sa-core',
+);
+
+# Legacy group names for older file objects.
+our @GROUPS_LEGACY = qw(apps crcsg gsb idg sysadmin sulair vast);
# File object types. Each type can have one or more parameters: whether it is
# host-based (host), whether it takes a qualifier after the host or service
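Review bot: The ACL values in `%GROUPS` are not read anywhere in this diff — verify_name only tests the keys — so the header comment should say that the values are currently informational, e.g. `# The ACL values are not yet consulted; only the keys are used to validate group names.` Replacing the package variable `@GROUPS` with a hash of the same name also changes the interface for any site-local configuration that assigned to `@Wallet::Policy::Stanford::GROUPS`; if the surrounding BEGIN block (which starts outside this hunk) loads such overrides, they would now be silently ignored and every new-style name rejected as an unknown group. A one-line comment noting the rename, and that legacy names now live in `@GROUPS_LEGACY`, would help whoever maintains the local override.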
@@ -233,7 +243,6 @@ sub verify_name {
# Check file object naming conventions.
if ($type eq 'file') {
- my %groups = map { $_ => 1 } @GROUPS;
if ($name =~ m{ / }xms) {
my @name = split('/', $name);
@@ -274,7 +283,7 @@ sub verify_name {
my ($group, $service, $extra) = @name;
# Check the group.
- if (!$groups{$group}) {
+ if (!$GROUPS{$group}) {
return "unknown group $group";
}
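Review bot: `if (!$GROUPS{$group})` on the new side tests the truthiness of the mapped ACL rather than the presence of the group, so a group deliberately mapped to an empty string or undef (a site with no default ACL for it) would be rejected as "unknown group". Since this is a membership check, use `if (!exists $GROUPS{$group}) {` so the validation does not depend on the value. verify_name begins and ends outside this hunk.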
@@ -296,6 +305,7 @@ sub verify_name {
return;
} else {
# Legacy naming scheme.
+ my %groups = map { $_ => 1 } @GROUPS_LEGACY;
my %types = map { $_ => 1 } @FILE_TYPES_LEGACY;
if ($name !~ m,^[a-zA-Z0-9_.-]+$,) {
return "invalid file object $name";
diff --git a/perl/t/stanford-naming.t b/perl/t/stanford-naming.t
index 909ad1e..00c7121 100755
--- a/perl/t/stanford-naming.t
+++ b/perl/t/stanford-naming.t
@@ -16,7 +16,7 @@ use 5.008;
use strict;
use warnings;
-use Test::More tests => 94;
+use Test::More tests => 95;
use lib 't/lib';
use Util;
@@ -47,16 +47,16 @@ my @VALID_FILES = qw(htpasswd/example.stanford.edu/web
ssl-key/example.stanford.edu
ssl-key/example.stanford.edu/mysql
tivoli-key/example.stanford.edu
- config/idg/example/foo
- db/idg/example/s_foo
- gpg-key/idg/debian
- password/idg/example/backup
- properties/idg/accounts
- properties/idg/accounts/sponsorship
- ssl-keystore/idg/accounts
- ssl-keystore/idg/accounts/sponsorship
- ssl-pkcs12/idg/accounts
- ssl-pkcs12/idg/accounts/sponsorship);
+ config/its-idg/example/foo
+ db/its-idg/example/s_foo
+ gpg-key/its-idg/debian
+ password/its-idg/example/backup
+ properties/its-idg/accounts
+ properties/its-idg/accounts/sponsorship
+ ssl-keystore/its-idg/accounts
+ ssl-keystore/its-idg/accounts/sponsorship
+ ssl-pkcs12/its-idg/accounts
+ ssl-pkcs12/its-idg/accounts/sponsorship);
# Various valid legacy file names.
my @VALID_LEGACY_FILES = qw(apps-example-config-file crcsg-example-db-s_example
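Review bot: Only `its-idg` is exercised among the five new group names in @VALID_FILES, so a typo in any other `%GROUPS` key would not be caught by this test. Add at least one valid name per new group, for example `config/its-apps/example/foo` and `config/its-sa-core/example/foo`, and bump the plan count to match. The @VALID_FILES declaration starts before this hunk.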
@@ -71,9 +71,10 @@ my @VALID_LEGACY_FILES = qw(apps-example-config-file crcsg-example-db-s_example
my @INVALID_FILES = qw(unknown foo-example-ssh-rsa idg-accounts-foo !!bad
htpasswd/example.stanford.edu htpasswd/example password-root/example
password-root/example.stanford.edu/foo ssh-foo/example.stanford.edu
- tivoli-key/example.stanford.edu/foo tivoli-key config config/idg
- config/idg/example db/idg/example password/idg/example
- idg/password/example properties//accounts properties/idg/);
+ tivoli-key/example.stanford.edu/foo tivoli-key config config/its-idg
+ config/its-idg/example db/its-idg/example password/its-idg/example
+ its-idg/password/example properties//accounts properties/its-idg/
+ ssl-keystore/idg/accounts);
# Global variables for the wallet server setup.
my $ADMIN = 'admin@EXAMPLE.COM';
@@ -224,7 +225,7 @@ is_deeply(
);
# Check for a file object that isn't host-based.
-is(default_owner('file', 'config/idg/example/foo'), undef,
+is(default_owner('file', 'config/its-idg/example/foo'), undef,
'No default owner for non-host-based file type');
# Check for legacy autocreation mappings for file objects.