| author | Bill MacAllister <whm@dropbox.com> | 2015-12-18 21:54:52 +0000 | 
|---|---|---|
| committer | Bill MacAllister <whm@dropbox.com> | 2015-12-18 21:54:52 +0000 | 
| commit | f61bff40b0c76b01b89f8b977eb27fdef9409c2a (patch) | |
| tree | 9812f0b1c38e001d6ddd8d7343adc40fa800e338 /perl/t/policy | |
| parent | 0eb853eb2ef7e7063c0219ce2cbd1e239d5579b7 (diff) | |
| parent | 4a777845b06b62a6deb1df5e69cc9b21226c3c2f (diff) | |
Merge branch 'master' into ad-keytabs
Conflicts:
	NEWS
Diffstat (limited to 'perl/t/policy')
| -rwxr-xr-x | perl/t/policy/stanford.t | 329 | 
1 files changed, 192 insertions, 137 deletions
diff --git a/perl/t/policy/stanford.t b/perl/t/policy/stanford.t
index 555086c..d2727c8 100755
--- a/perl/t/policy/stanford.t
+++ b/perl/t/policy/stanford.t
@@ -16,7 +16,7 @@ use 5.008;
 use strict;
 use warnings;
-use Test::More tests => 101;
+use Test::More tests => 130;
 use lib 't/lib';
 use Util;
@@ -24,10 +24,16 @@ use Util;
 # Load the naming policy module.
 BEGIN {
     use_ok('Wallet::Admin');
-    use_ok('Wallet::Policy::Stanford', qw(default_owner verify_name));
+    use_ok('Wallet::Policy::Stanford',
+           qw(default_owner verify_name is_for_host));
     use_ok('Wallet::Server');
 }
+# Set up our configuration for netdb, needed for the netdb verifier.
+$Wallet::Config::NETDB_REALM        = 'stanford.edu';
+$Wallet::Config::NETDB_REMCTL_CACHE = $ENV{KRB5CCNAME};
+$Wallet::Config::NETDB_REMCTL_HOST  = 'netdb-node-roles-rc.stanford.edu';
+
 # Various valid keytab names.
 my @VALID_KEYTABS = qw(host/example.stanford.edu HTTP/example.stanford.edu
     service/example example/cgi class-example01/cgi dept-01example/cgi
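Review bot: The `$Wallet::Config::NETDB_REMCTL_CACHE = $ENV{KRB5CCNAME};` line, together with the two NETDB settings around it, takes effect at load time on every run of this file, including runs that later skip the database tests because no stanford.edu principal is present, and when `KRB5CCNAME` is unset the cache setting is silently undef. The comment says the values exist for the netdb verifier; if that verifier is exercised only by the ACL tests inside the SKIP block of the next hunk, the assignments belong inside that block too, or the comment should say why they must be global. A minimal wording: `# Set up our configuration for netdb, needed for the netdb verifier used by the ACL tests below; NETDB_REMCTL_CACHE is undef when KRB5CCNAME is not set.`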
@@ -101,160 +107,209 @@ for my $name (@INVALID_FILES) {
     isnt(verify_name('file', $name), undef, "Invalid file $name");
 }
-# Now we need an actual database.  Use Wallet::Admin to set it up.
-db_setup;
-my $setup = eval { Wallet::Admin->new };
-is($@, q{}, 'Database initialization did not die');
-is($setup->reinitialize($ADMIN), 1, 'Database initialization succeeded');
-my $server = eval { Wallet::Server->new(@TRACE) };
-is($@, q{}, 'Server creation did not die');
+# Now test a few cases for checking to see if a file is host-based.  We don't
+# test the legacy examples because they're more complicated and less obvious.
+for my $name (@VALID_KEYTABS) {
+    my $hostname = 'example.stanford.edu';
+    if ($name =~ m{\b$hostname\b}) {
+        is(is_for_host('keytab', $name, $hostname), 1,
+           "Keytab $name belongs to $hostname");
+    } else {
+        is(is_for_host('keytab', $name, $hostname), 0,
+           "Keytab $name doesn't belong to $hostname");
+    }
+}
+for my $name (@VALID_FILES) {
+    my $hostname = 'example.stanford.edu';
+    if ($name =~ m{\b$hostname\b}) {
+        is(is_for_host('file', $name, $hostname), 1,
+           "File $name belongs to $hostname");
+    } else {
+        is(is_for_host('file', $name, $hostname), 0,
+           "File $name doesn't belong to $hostname");
+    }
+}
-# Create a host/example.stanford.edu ACL that uses the netdb ACL type.
-is($server->acl_create('host/example.stanford.edu'), 1, 'Created netdb ACL');
-is(
-    $server->acl_add('host/example.stanford.edu', 'netdb',
-      'example.stanford.edu'),
-    1,
-    '...with netdb ACL line'
-);
-is(
-    $server->acl_add('host/example.stanford.edu', 'krb5',
-      'host/example.stanford.edu@stanford.edu'),
-    1,
-    '...and krb5 ACL line'
-);
+# Now we need an actual database.  Use Wallet::Admin to set it up.  These
+# remaining tests require creating NetDB ACLs, so need a Stanford Kerberos
+# principal currently.
+my $klist = `klist 2>&1` || '';
+SKIP: {
+    skip "tests useful only with Stanford Kerberos tickets", 27
+        unless ($klist =~ /^(Default p|\s+P)rincipal: \S+\@stanford\.edu$/m);
-# Likewise for host/foo.example.edu with the netdb-root ACL type.
-is($server->acl_create('host/foo.stanford.edu'), 1, 'Created netdb-root ACL');
-is(
-    $server->acl_add('host/foo.stanford.edu', 'netdb-root',
-      'foo.stanford.edu'),
-    1,
-    '...with netdb-root ACL line'
-);
-is(
-    $server->acl_add('host/foo.stanford.edu', 'krb5',
-      'host/foo.stanford.edu@stanford.edu'),
-    1,
-    '...and krb5 ACL line'
-);
+    db_setup;
+    my $setup = eval { Wallet::Admin->new };
+    is($@, q{}, 'Database initialization did not die');
+    is($setup->reinitialize($ADMIN), 1, 'Database initialization succeeded');
+    my $server = eval { Wallet::Server->new(@TRACE) };
+    is($@, q{}, 'Server creation did not die');
-# Create a group/its-idg ACL, which will be used for autocreation of file
-# objects.
-is($server->acl_create('group/its-idg'), 1, 'Created group/its-idg ACL');
-is($server->acl_add('group/its-idg', 'krb5', $ADMIN), 1, '...with member');
+    # Create a host/example.stanford.edu ACL that uses the netdb ACL type.
+    is(
+        $server->acl_create('host/example.stanford.edu'),
+        1,
+        'Created netdb ACL'
+    );
+    is($server->error, undef, ' with no error');
+    is(
+        $server->acl_add('host/example.stanford.edu', 'netdb',
+                         'example.stanford.edu'),
+        1,
+        '...with netdb ACL line'
+    );
+    is($server->error, undef, ' with no error');
+    is(
+        $server->acl_add('host/example.stanford.edu', 'krb5',
+                         'host/example.stanford.edu@stanford.edu'),
+        1,
+        '...and krb5 ACL line'
+    );
+    is($server->error, undef, ' with no error');
-# Now we can test default ACLs.  First, without a root instance.
-local $ENV{REMOTE_USER} = $ADMIN;
-is_deeply(
-    [default_owner('keytab', 'host/bar.stanford.edu')],
-    [
-        'host/bar.stanford.edu',
-        ['netdb', 'bar.stanford.edu'],
-        ['krb5', 'host/bar.stanford.edu@stanford.edu']
-    ],
-    'Correct default owner for host-based keytab'
-);
-is_deeply(
-    [default_owner('keytab', 'HTTP/example.stanford.edu')],
-    [
-        'host/example.stanford.edu',
-        ['netdb', 'example.stanford.edu'],
-        ['krb5', 'host/example.stanford.edu@stanford.edu']
-    ],
-    '...and when netdb ACL already exists'
-);
-is_deeply(
-    [default_owner('keytab', 'webauth/foo.stanford.edu')],
-    [
-        'host/foo.stanford.edu',
-        ['netdb-root', 'foo.stanford.edu'],
-        ['krb5', 'host/foo.stanford.edu@stanford.edu']
-    ],
-    '...and when netdb-root ACL already exists'
-);
+    # Likewise for host/foo.example.edu with the netdb-root ACL type.
+    is(
+        $server->acl_create('host/foo.stanford.edu'),
+        1,
+        'Created netdb-root ACL'
+    );
+    is(
+        $server->acl_add('host/foo.stanford.edu', 'netdb-root',
+                         'foo.stanford.edu'),
+        1,
+        '...with netdb-root ACL line'
+    );
+    is(
+        $server->acl_add('host/foo.stanford.edu', 'krb5',
+                         'host/foo.stanford.edu@stanford.edu'),
+        1,
+        '...and krb5 ACL line'
+    );
-# Now with a root instance.
-local $ENV{REMOTE_USER} = 'admin/root@stanford.edu';
-is_deeply(
-    [default_owner('keytab', 'host/bar.stanford.edu')],
-    [
-        'host/bar.stanford.edu',
-        ['netdb-root', 'bar.stanford.edu'],
-        ['krb5', 'host/bar.stanford.edu@stanford.edu']
-    ],
-    'Correct default owner for host-based keytab for /root'
-);
-is_deeply(
-    [default_owner('keytab', 'HTTP/example.stanford.edu')],
-    [
-        'host/example.stanford.edu',
-        ['netdb-root', 'example.stanford.edu'],
-        ['krb5', 'host/example.stanford.edu@stanford.edu']
-    ],
-    '...and when netdb ACL already exists'
-);
-is_deeply(
-    [default_owner('keytab', 'webauth/foo.stanford.edu')],
-    [
-        'host/foo.stanford.edu',
-        ['netdb-root', 'foo.stanford.edu'],
-        ['krb5', 'host/foo.stanford.edu@stanford.edu']
-    ],
-    '...and when netdb-root ACL already exists'
-);
+    # Create a group/its-idg ACL, which will be used for autocreation of file
+    # objects.
+    is($server->acl_create('group/its-idg'), 1, 'Created group/its-idg ACL');
+    is($server->acl_add('group/its-idg', 'krb5', $ADMIN), 1, '...with member');
-# Check for a type that isn't host-based.
-is(default_owner('keytab', 'service/foo'), undef,
-    'No default owner for service/foo');
+    # Now we can test default ACLs.  First, without a root instance.
+    local $ENV{REMOTE_USER} = $ADMIN;
+    is_deeply(
+        [default_owner('keytab', 'host/bar.stanford.edu')],
+        [
+            'host/bar.stanford.edu',
+            ['netdb', 'bar.stanford.edu'],
+            ['krb5', 'host/bar.stanford.edu@stanford.edu']
+        ],
+        'Correct default owner for host-based keytab'
+    );
+    is_deeply(
+        [default_owner('keytab', 'HTTP/example.stanford.edu')],
+        [
+            'host/example.stanford.edu',
+            ['netdb', 'example.stanford.edu'],
+            ['krb5', 'host/example.stanford.edu@stanford.edu']
+        ],
+        '...and when netdb ACL already exists'
+    );
+    is_deeply(
+        [default_owner('keytab', 'webauth/foo.stanford.edu')],
+        [
+            'host/foo.stanford.edu',
+            ['netdb-root', 'foo.stanford.edu'],
+            ['krb5', 'host/foo.stanford.edu@stanford.edu']
+        ],
+        '...and when netdb-root ACL already exists'
+    );
-# Check for an unknown object type.
-is(default_owner('unknown', 'foo'), undef,
-    'No default owner for unknown type');
+    # Now with a root instance.
+    local $ENV{REMOTE_USER} = 'admin/root@stanford.edu';
+    is_deeply(
+        [default_owner('keytab', 'host/bar.stanford.edu')],
+        [
+            'host/bar.stanford.edu',
+            ['netdb-root', 'bar.stanford.edu'],
+            ['krb5', 'host/bar.stanford.edu@stanford.edu']
+        ],
+        'Correct default owner for host-based keytab for /root'
+    );
+    is_deeply(
+        [default_owner('keytab', 'HTTP/example.stanford.edu')],
+        [
+            'host/example.stanford.edu',
+            ['netdb-root', 'example.stanford.edu'],
+            ['krb5', 'host/example.stanford.edu@stanford.edu']
+        ],
+        '...and when netdb ACL already exists'
+    );
+    is_deeply(
+        [default_owner('keytab', 'webauth/foo.stanford.edu')],
+        [
+            'host/foo.stanford.edu',
+            ['netdb-root', 'foo.stanford.edu'],
+            ['krb5', 'host/foo.stanford.edu@stanford.edu']
+        ],
+        '...and when netdb-root ACL already exists'
+    );
-# Check for autocreation mappings for host-based file objects.
-is_deeply(
-    [default_owner('file', 'ssl-key/example.stanford.edu')],
-    [
-        'host/example.stanford.edu',
-        ['netdb-root', 'example.stanford.edu'],
-        ['krb5', 'host/example.stanford.edu@stanford.edu']
-    ],
-    'Default owner for file ssl-key/example.stanford.edu',
-);
-is_deeply(
-    [default_owner('file', 'ssl-key/example.stanford.edu/mysql')],
-    [
-        'host/example.stanford.edu',
-        ['netdb-root', 'example.stanford.edu'],
-        ['krb5', 'host/example.stanford.edu@stanford.edu']
-    ],
-    'Default owner for file ssl-key/example.stanford.edu/mysql',
-);
+    # Check for a type that isn't host-based.
+    is(
+        default_owner('keytab', 'service/foo'),
+        undef,
+        'No default owner for service/foo'
+    );
-# Check for a file object that isn't host-based.
-is_deeply(
-    [default_owner('file', 'config/its-idg/example/foo')],
-    ['group/its-idg', ['krb5', $ADMIN]],
-    'Default owner for file config/its-idg/example/foo',
-);
+    # Check for an unknown object type.
+    is(
+        default_owner('unknown', 'foo'),
+        undef,
+        'No default owner for unknown type'
+    );
-# Check for legacy autocreation mappings for file objects.
-for my $type (qw(htpasswd ssh-rsa ssh-dsa ssl-key tivoli-key)) {
-    my $name = "idg-example-$type";
+    # Check for autocreation mappings for host-based file objects.
     is_deeply(
-        [default_owner('file', $name)],
+        [default_owner('file', 'ssl-key/example.stanford.edu')],
         [
             'host/example.stanford.edu',
             ['netdb-root', 'example.stanford.edu'],
             ['krb5', 'host/example.stanford.edu@stanford.edu']
         ],
-        "Default owner for file $name",
+        'Default owner for file ssl-key/example.stanford.edu',
     );
+    is_deeply(
+        [default_owner('file', 'ssl-key/example.stanford.edu/mysql')],
+        [
+            'host/example.stanford.edu',
+            ['netdb-root', 'example.stanford.edu'],
+            ['krb5', 'host/example.stanford.edu@stanford.edu']
+        ],
+        'Default owner for file ssl-key/example.stanford.edu/mysql',
+    );
+
+    # Check for a file object that isn't host-based.
+    is_deeply(
+        [default_owner('file', 'config/its-idg/example/foo')],
+        ['group/its-idg', ['krb5', $ADMIN]],
+        'Default owner for file config/its-idg/example/foo',
+    );
+
+    # Check for legacy autocreation mappings for file objects.
+    for my $type (qw(htpasswd ssh-rsa ssh-dsa ssl-key tivoli-key)) {
+        my $name = "idg-example-$type";
+        is_deeply(
+            [default_owner('file', $name)],
+            [
+                'host/example.stanford.edu',
+                ['netdb-root', 'example.stanford.edu'],
+                ['krb5', 'host/example.stanford.edu@stanford.edu']
+            ],
+            "Default owner for file $name",
+        );
+    }
+
+    # Clean up.
+    $setup->destroy;
 }
-# Clean up.
-$setup->destroy;
 END {
     unlink 'wallet-db';
 }
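Review bot: The hard-coded count in `skip "tests useful only with Stanford Kerberos tickets", 27` no longer matches the SKIP block it guards: by my count the block now holds 30 assertions (the previous 27 plus the three new `is($server->error, undef, ' with no error')` checks), so a run without a stanford.edu principal skips 27 and, presumably, comes up three tests short of the plan of 130. Change the count to `30`, or compute it from one constant shared with the `tests =>` plan so the two cannot drift apart again. Separately, in the new is_for_host loops at the top of the hunk, `$name =~ m{\b$hostname\b}` interpolates the hostname unescaped, so each `.` matches any character; `m{\b\Q$hostname\E\b}` expresses the intended literal match. Those loops sit outside the SKIP block and therefore run on every machine, regardless of credentials.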
