Merge tag 'upstream/1.1' into debian

Upstream version 1.1

Conflicts:
	NEWS
	README
	client/keytab.c
	perl/lib/Wallet/ACL.pm
	perl/sql/Wallet-Schema-0.08-PostgreSQL.sql
	perl/t/general/admin.t
	perl/t/verifier/ldap-attr.t

Change-Id: I1a1dc09b97c9258e61f1c8877d0837193c8ae2c6

3 files changed, 282 insertions, 0 deletions

diff --git a/perl/t/verifier/basic.t b/perl/t/verifier/basic.t
new file mode 100755
index 0000000..ce44d44
--- /dev/null
+++ b/perl/t/verifier/basic.t
@@ -0,0 +1,158 @@
+#!/usr/bin/perl
+#
+# Tests for the basic wallet ACL verifiers.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2007, 2008, 2010, 2014
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use strict;
+use warnings;
+
+use Test::More tests => 57;
+
+use Wallet::ACL::Base;
+use Wallet::ACL::Krb5;
+use Wallet::ACL::Krb5::Regex;
+use Wallet::ACL::NetDB;
+use Wallet::ACL::NetDB::Root;
+use Wallet::Config;
+
+use lib 't/lib';
+use Util;
+
+my $verifier = Wallet::ACL::Base->new;
+ok (defined $verifier, 'Wallet::ACL::Base creation');
+ok ($verifier->isa ('Wallet::ACL::Base'), ' and class verification');
+is ($verifier->check ('eagle@eyrie.org', 'eagle@eyrie.org'), 0,
+    'Default check declines');
+is ($verifier->error, undef, 'No error set');
+
+$verifier = Wallet::ACL::Krb5->new;
+ok (defined $verifier, 'Wallet::ACL::Krb5 creation');
+ok ($verifier->isa ('Wallet::ACL::Krb5'), ' and class verification');
+is ($verifier->check ('eagle@eyrie.org', 'eagle@eyrie.org'), 1,
+    'Simple check');
+is ($verifier->check ('eagle@eyrie.org', 'thoron@stanford.edu'), 0,
+    'Simple failure');
+is ($verifier->error, undef, 'No error set');
+is ($verifier->check (undef, 'eagle@eyrie.org'), undef,
+    'Undefined principal');
+is ($verifier->error, 'no principal specified', ' and right error');
+is ($verifier->check ('eagle@eyrie.org', ''), undef, 'Empty ACL');
+is ($verifier->error, 'malformed krb5 ACL', ' and right error');
+
+$verifier = Wallet::ACL::Krb5::Regex->new;
+isa_ok ($verifier, 'Wallet::ACL::Krb5::Regex', 'krb5-regex verifier');
+is ($verifier->check ('rra@stanford.edu', '.*@stanford\.edu\z'), 1,
+    'Simple check');
+is ($verifier->check ('rra@stanford.edu', '^a.*@stanford\.edu'), 0,
+    'Simple failure');
+is ($verifier->error, undef, 'No error set');
+is ($verifier->check (undef, '^rra@stanford\.edu\z'), undef,
+    'Undefined principal');
+is ($verifier->error, 'no principal specified', ' and right error');
+is ($verifier->check ('eagle@eyrie.org', ''), undef, 'Empty ACL');
+is ($verifier->error, 'no ACL specified', ' and right error');
+is ($verifier->check ('eagle@eyrie.org', '(rra'), undef, 'Malformed regex');
+is ($verifier->error, 'malformed krb5-regex ACL', ' and right error');
+
+# Tests for the NetDB verifiers.  Skip these if we don't have a keytab or if
+# we can't find remctld.
+SKIP: {
+    skip 'no keytab configuration', 34 unless -f 't/data/test.keytab';
+    my @path = (split (':', $ENV{PATH}), '/usr/local/sbin', '/usr/sbin');
+    my ($remctld) = grep { -x $_ } map { "$_/remctld" } @path;
+    skip 'remctld not found', 34 unless $remctld;
+    eval { require Net::Remctl };
+    skip 'Net::Remctl not available', 34 if $@;
+
+    # Set up our configuration.
+    $Wallet::Config::NETDB_REALM = 'EXAMPLE.COM';
+    my $principal = contents ('t/data/test.principal');
+
+    # Now spawn our remctld server and get a ticket cache.
+    unlink ('krb5cc_test', 'test-acl', 'test-pid');
+    remctld_spawn ($remctld, $principal, 't/data/test.keytab',
+                   't/data/netdb.conf');
+    $ENV{KRB5CCNAME} = 'krb5cc_test';
+    getcreds ('t/data/test.keytab', $principal);
+
+    # Finally, we can test.
+    my $verifier = eval { Wallet::ACL::NetDB->new };
+    is ($verifier, undef, 'Constructor fails without configuration');
+    is ($@, "NetDB ACL support not configured\n", ' with the right exception');
+    $Wallet::Config::NETDB_REMCTL_CACHE = 'krb5cc_test';
+    $verifier = eval { Wallet::ACL::NetDB->new };
+    is ($verifier, undef, ' and still fails without host');
+    is ($@, "NetDB ACL support not configured\n", ' with the right exception');
+    $Wallet::Config::NETDB_REMCTL_HOST = 'localhost';
+    $Wallet::Config::NETDB_REMCTL_PRINCIPAL = $principal;
+    $Wallet::Config::NETDB_REMCTL_PORT = 14373;
+    $verifier = eval { Wallet::ACL::NetDB->new };
+    ok (defined $verifier, ' and now creation succeeds');
+    ok ($verifier->isa ('Wallet::ACL::NetDB'), ' and returns the right class');
+    is ($verifier->check ('test-user', 'all'), undef,
+        ' but verification fails without an ACL');
+    is ($verifier->error, 'cannot check NetDB ACL: Access denied',
+        ' with the right error');
+
+    # Create an ACL so that tests will start working.
+    open (ACL, '>', 'test-acl') or die "cannot create test-acl: $!\n";
+    print ACL "$principal\n";
+    close ACL;
+    is ($verifier->check ('test-user', 'all'), 1,
+        ' and now verification works');
+
+    # Test the successful verifications.
+    for my $node (qw/admin team user/) {
+        is ($verifier->check ('test-user', $node), 1,
+            "Verification succeeds for $node");
+    }
+
+    # Test various failures.
+    is ($verifier->check ('test-user', 'unknown'), 0,
+        'Verification fails for unknown');
+    is ($verifier->check ('test-user', 'none'), 0, ' and for none');
+    is ($verifier->check (undef, 'all'), undef,
+        'Undefined principal');
+    is ($verifier->error, 'no principal specified', ' and right error');
+    is ($verifier->check ('test-user', ''), undef, 'Empty ACL');
+    is ($verifier->error, 'malformed netdb ACL', ' and right error');
+    is ($verifier->check ('error', 'normal'), undef, 'Regular error');
+    is ($verifier->error, 'error checking NetDB ACL: some error',
+        ' and correct error return');
+    is ($verifier->check ('error', 'status'), undef, 'Status-only error');
+    is ($verifier->error, 'error checking NetDB ACL', ' and correct error');
+    is ($verifier->check ('unknown', 'unknown'), undef, 'Unknown node');
+    is ($verifier->error,
+        'error checking NetDB ACL: Unknown principal unknown',
+        ' and correct error');
+
+    # Test the Wallet::ACL::NetDB::Root subclass.  We don't retest shared code
+    # (kind of grey-box of us), just the changed check behavior.
+    $verifier = eval { Wallet::ACL::NetDB::Root->new };
+    if (defined $verifier) {
+        ok (1, 'Wallet::ACL::NetDB::Root creation succeeds');
+    } else {
+        is ($@, '', 'Wallet::ACL::NetDB::Root creation succeeds');
+    }
+    ok ($verifier->isa ('Wallet::ACL::NetDB::Root'),
+        ' and returns the right class');
+    for my $node (qw/admin team user/) {
+        is ($verifier->check ('test-user', $node), 0,
+            "Verification fails for non-root user for $node");
+    }
+    for my $node (qw/admin team user/) {
+        is ($verifier->check ('test-user/root', $node), 1,
+            "Verification succeeds for root user for $node");
+    }
+    is ($verifier->check (undef, 'all'), undef,
+        'Undefined principal');
+    is ($verifier->error, 'no principal specified', ' and right error');
+
+    remctld_stop;
+    unlink ('krb5cc_test', 'test-acl', 'test-pid');
+}
diff --git a/perl/t/verifier/ldap-attr.t b/perl/t/verifier/ldap-attr.t
new file mode 100755
index 0000000..3c132e2
--- /dev/null
+++ b/perl/t/verifier/ldap-attr.t
@@ -0,0 +1,76 @@
+#!/usr/bin/perl
+#
+# Tests for the LDAP attribute ACL verifier.
+#
+# This test can only be run by someone local to Stanford with appropriate
+# access to the LDAP server and will be skipped in all other environments.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2012, 2013, 2014
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use strict;
+use warnings;
+
+use Test::More;
+
+use lib 't/lib';
+use Util;
+
+# Skip all spelling tests unless the maintainer environment variable is set.
+plan skip_all => 'LDAP verifier tests only run for maintainer'
+    unless $ENV{RRA_MAINTAINER_TESTS};
+
+# Declare a plan.
+plan tests => 10;
+
+require_ok ('Wallet::ACL::LDAP::Attribute');
+
+my $host   = 'ldap.stanford.edu';
+my $base   = 'cn=people,dc=stanford,dc=edu';
+my $filter = 'uid';
+my $user   = 'rra@stanford.edu';
+my $attr   = 'suPrivilegeGroup';
+my $value  = 'stanford:stanford';
+
+# Remove the realm from principal names.
+package Wallet::Config;
+sub ldap_map_principal {
+    my ($principal) = @_;
+    $principal =~ s/\@.*//;
+    return $principal;
+}
+package main;
+
+# Determine the local principal.
+my $klist = `klist 2>&1` || '';
+SKIP: {
+    skip "tests useful only with Stanford Kerberos tickets", 9
+        unless ($klist =~ /[Pp]rincipal: \S+\@stanford\.edu$/m);
+
+    # Set up our configuration.
+    $Wallet::Config::LDAP_HOST        = $host;
+    $Wallet::Config::LDAP_CACHE       = $ENV{KRB5CCNAME};
+    $Wallet::Config::LDAP_BASE        = $base;
+    $Wallet::Config::LDAP_FILTER_ATTR = $filter;
+
+    # Finally, we can test.
+    my $verifier = eval { Wallet::ACL::LDAP::Attribute->new };
+    isa_ok ($verifier, 'Wallet::ACL::LDAP::Attribute');
+    is ($verifier->check ($user, "$attr=$value"), 1,
+        "Checking $attr=$value succeeds");
+    is ($verifier->error, undef, '...with no error');
+    is ($verifier->check ($user, "$attr=BOGUS"), 0,
+        "Checking $attr=BOGUS fails");
+    is ($verifier->error, undef, '...with no error');
+    is ($verifier->check ($user, "BOGUS=$value"), undef,
+        "Checking BOGUS=$value fails with error");
+    is ($verifier->error,
+        'cannot check LDAP attribute BOGUS for rra: Undefined attribute type',
+        '...with correct error');
+    is ($verifier->check ('user-does-not-exist', "$attr=$value"), 0,
+        "Checking for nonexistent user fails");
+    is ($verifier->error, undef, '...with no error');
+}
diff --git a/perl/t/verifier/netdb.t b/perl/t/verifier/netdb.t
new file mode 100755
index 0000000..7048ef9
--- /dev/null
+++ b/perl/t/verifier/netdb.t
@@ -0,0 +1,48 @@
+#!/usr/bin/perl
+#
+# Tests for the NetDB wallet ACL verifiers.
+#
+# This test can only be run by someone local to Stanford with appropriate
+# access to the NetDB role server and will be skipped in all other
+# environments.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2008, 2014
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use strict;
+use warnings;
+
+use Test::More tests => 5;
+
+use Wallet::ACL::NetDB;
+
+use lib 't/lib';
+use Util;
+
+my $netdb = 'netdb-node-roles-rc.stanford.edu';
+my $host  = 'windlord.stanford.edu';
+my $user  = 'rra@stanford.edu';
+
+# Determine the local principal.
+my $klist = `klist 2>&1` || '';
+SKIP: {
+    skip "tests useful only with Stanford Kerberos tickets", 5
+        unless ($klist =~ /^(Default p|\s+P)rincipal: \S+\@stanford\.edu$/m);
+
+    # Set up our configuration.
+    $Wallet::Config::NETDB_REALM = 'stanford.edu';
+    $Wallet::Config::NETDB_REMCTL_CACHE = $ENV{KRB5CCNAME};
+    $Wallet::Config::NETDB_REMCTL_HOST  = $netdb;
+
+    # Finally, we can test.
+    my $verifier = eval { Wallet::ACL::NetDB->new };
+    ok (defined $verifier, ' and now creation succeeds');
+    is ($@, q{}, ' with no errors');
+    ok ($verifier->isa ('Wallet::ACL::NetDB'), ' and returns the right class');
+    is ($verifier->check ($user, $host), 1, "Checking $host succeeds");
+    is ($verifier->check ('test-user@stanford.edu', $host), 0,
+        ' but fails with another user');
+}