authorRuss Allbery <eagle@eyrie.org>2014-07-11 21:39:23 -0700
committerRuss Allbery <rra@stanford.edu>2014-07-11 22:39:05 -0700
commit1575d5c34a2c6235bbf6a5010f8a8c142fe47079 (patch)
tree29e51ed64f28a37530ec0b21fc24b6d20de1d6ca /perl/t/verifier
parentda0aba21779529d98436e42323fc12f702390969 (diff)
Switch to Module::Build for the Perl module
The wallet server now requires Perl 5.8 or later (instead of 5.006 in previous versions) and is now built with Module::Build instead of ExtUtils::MakeMaker. This should be transparent to anyone not working with the source code, since Perl 5.8 was released in 2002, but Module::Build is now required to build the wallet server. It is included in some versions of Perl, or can be installed separately from CPAN, distribution packages, or other sources. Also reorganize the test suite to use subdirectories. Change-Id: Id06120ba2bad1ebbfee3d8a48ca2f25869463165 Reviewed-on: https://gerrit.stanford.edu/1530 Reviewed-by: Russ Allbery <rra@stanford.edu> Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'perl/t/verifier')
-rwxr-xr-xperl/t/verifier/basic.t155
-rwxr-xr-xperl/t/verifier/ldap-attr.t73
-rwxr-xr-xperl/t/verifier/netdb.t45
3 files changed, 273 insertions, 0 deletions
diff --git a/perl/t/verifier/basic.t b/perl/t/verifier/basic.t
new file mode 100755
index 0000000..5697ae6
--- /dev/null
+++ b/perl/t/verifier/basic.t
@@ -0,0 +1,155 @@
+#!/usr/bin/perl -w
+#
+# Tests for the basic wallet ACL verifiers.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2007, 2008, 2010, 2014
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use Test::More tests => 57;
+
+use Wallet::ACL::Base;
+use Wallet::ACL::Krb5;
+use Wallet::ACL::Krb5::Regex;
+use Wallet::ACL::NetDB;
+use Wallet::ACL::NetDB::Root;
+use Wallet::Config;
+
+use lib 't/lib';
+use Util;
+
+my $verifier = Wallet::ACL::Base->new;
+ok (defined $verifier, 'Wallet::ACL::Base creation');
+ok ($verifier->isa ('Wallet::ACL::Base'), ' and class verification');
+is ($verifier->check ('eagle@eyrie.org', 'eagle@eyrie.org'), 0,
+ 'Default check declines');
+is ($verifier->error, undef, 'No error set');
+
+$verifier = Wallet::ACL::Krb5->new;
+ok (defined $verifier, 'Wallet::ACL::Krb5 creation');
+ok ($verifier->isa ('Wallet::ACL::Krb5'), ' and class verification');
+is ($verifier->check ('eagle@eyrie.org', 'eagle@eyrie.org'), 1,
+ 'Simple check');
+is ($verifier->check ('eagle@eyrie.org', 'thoron@stanford.edu'), 0,
+ 'Simple failure');
+is ($verifier->error, undef, 'No error set');
+is ($verifier->check (undef, 'eagle@eyrie.org'), undef,
+ 'Undefined principal');
+is ($verifier->error, 'no principal specified', ' and right error');
+is ($verifier->check ('eagle@eyrie.org', ''), undef, 'Empty ACL');
+is ($verifier->error, 'malformed krb5 ACL', ' and right error');
+
+$verifier = Wallet::ACL::Krb5::Regex->new;
+isa_ok ($verifier, 'Wallet::ACL::Krb5::Regex', 'krb5-regex verifier');
+is ($verifier->check ('rra@stanford.edu', '.*@stanford\.edu\z'), 1,
+ 'Simple check');
+is ($verifier->check ('rra@stanford.edu', '^a.*@stanford\.edu'), 0,
+ 'Simple failure');
+is ($verifier->error, undef, 'No error set');
+is ($verifier->check (undef, '^rra@stanford\.edu\z'), undef,
+ 'Undefined principal');
+is ($verifier->error, 'no principal specified', ' and right error');
+is ($verifier->check ('eagle@eyrie.org', ''), undef, 'Empty ACL');
+is ($verifier->error, 'no ACL specified', ' and right error');
+is ($verifier->check ('eagle@eyrie.org', '(rra'), undef, 'Malformed regex');
+is ($verifier->error, 'malformed krb5-regex ACL', ' and right error');
+
+# Tests for the NetDB verifiers. Skip these if we don't have a keytab or if
+# we can't find remctld.
+SKIP: {
+ skip 'no keytab configuration', 34 unless -f 't/data/test.keytab';
+ my @path = (split (':', $ENV{PATH}), '/usr/local/sbin', '/usr/sbin');
+ my ($remctld) = grep { -x $_ } map { "$_/remctld" } @path;
+ skip 'remctld not found', 34 unless $remctld;
+ eval { require Net::Remctl };
+ skip 'Net::Remctl not available', 34 if $@;
+
+ # Set up our configuration.
+ $Wallet::Config::NETDB_REALM = 'EXAMPLE.COM';
+ my $principal = contents ('t/data/test.principal');
+
+ # Now spawn our remctld server and get a ticket cache.
+ unlink ('krb5cc_test', 'test-acl', 'test-pid');
+ remctld_spawn ($remctld, $principal, 't/data/test.keytab',
+ 't/data/netdb.conf');
+ $ENV{KRB5CCNAME} = 'krb5cc_test';
+ getcreds ('t/data/test.keytab', $principal);
+
+ # Finally, we can test.
+ my $verifier = eval { Wallet::ACL::NetDB->new };
+ is ($verifier, undef, 'Constructor fails without configuration');
+ is ($@, "NetDB ACL support not configured\n", ' with the right exception');
+ $Wallet::Config::NETDB_REMCTL_CACHE = 'krb5cc_test';
+ $verifier = eval { Wallet::ACL::NetDB->new };
+ is ($verifier, undef, ' and still fails without host');
+ is ($@, "NetDB ACL support not configured\n", ' with the right exception');
+ $Wallet::Config::NETDB_REMCTL_HOST = 'localhost';
+ $Wallet::Config::NETDB_REMCTL_PRINCIPAL = $principal;
+ $Wallet::Config::NETDB_REMCTL_PORT = 14373;
+ $verifier = eval { Wallet::ACL::NetDB->new };
+ ok (defined $verifier, ' and now creation succeeds');
+ ok ($verifier->isa ('Wallet::ACL::NetDB'), ' and returns the right class');
+ is ($verifier->check ('test-user', 'all'), undef,
+ ' but verification fails without an ACL');
+ is ($verifier->error, 'cannot check NetDB ACL: Access denied',
+ ' with the right error');
+
+ # Create an ACL so that tests will start working.
+ open (ACL, '>', 'test-acl') or die "cannot create test-acl: $!\n";
+ print ACL "$principal\n";
+ close ACL;
+ is ($verifier->check ('test-user', 'all'), 1,
+ ' and now verification works');
+
+ # Test the successful verifications.
+ for my $node (qw/admin team user/) {
+ is ($verifier->check ('test-user', $node), 1,
+ "Verification succeeds for $node");
+ }
+
+ # Test various failures.
+ is ($verifier->check ('test-user', 'unknown'), 0,
+ 'Verification fails for unknown');
+ is ($verifier->check ('test-user', 'none'), 0, ' and for none');
+ is ($verifier->check (undef, 'all'), undef,
+ 'Undefined principal');
+ is ($verifier->error, 'no principal specified', ' and right error');
+ is ($verifier->check ('test-user', ''), undef, 'Empty ACL');
+ is ($verifier->error, 'malformed netdb ACL', ' and right error');
+ is ($verifier->check ('error', 'normal'), undef, 'Regular error');
+ is ($verifier->error, 'error checking NetDB ACL: some error',
+ ' and correct error return');
+ is ($verifier->check ('error', 'status'), undef, 'Status-only error');
+ is ($verifier->error, 'error checking NetDB ACL', ' and correct error');
+ is ($verifier->check ('unknown', 'unknown'), undef, 'Unknown node');
+ is ($verifier->error,
+ 'error checking NetDB ACL: Unknown principal unknown',
+ ' and correct error');
+
+ # Test the Wallet::ACL::NetDB::Root subclass. We don't retest shared code
+ # (kind of grey-box of us), just the changed check behavior.
+ $verifier = eval { Wallet::ACL::NetDB::Root->new };
+ if (defined $verifier) {
+ ok (1, 'Wallet::ACL::NetDB::Root creation succeeds');
+ } else {
+ is ($@, '', 'Wallet::ACL::NetDB::Root creation succeeds');
+ }
+ ok ($verifier->isa ('Wallet::ACL::NetDB::Root'),
+ ' and returns the right class');
+ for my $node (qw/admin team user/) {
+ is ($verifier->check ('test-user', $node), 0,
+ "Verification fails for non-root user for $node");
+ }
+ for my $node (qw/admin team user/) {
+ is ($verifier->check ('test-user/root', $node), 1,
+ "Verification succeeds for root user for $node");
+ }
+ is ($verifier->check (undef, 'all'), undef,
+ 'Undefined principal');
+ is ($verifier->error, 'no principal specified', ' and right error');
+
+ remctld_stop;
+ unlink ('krb5cc_test', 'test-acl', 'test-pid');
+}
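Review bot: The ACL file written at `open (ACL, '>', 'test-acl')` uses a bareword global filehandle and never checks `close`, so a failed or short write of the remctld ACL that every following NetDB check depends on would surface as a puzzling "Access denied" rather than as a setup failure. The script also runs under `-w` alone with no `use strict;`, a gap it shares with the other two new test files. I would use a lexical handle with a checked close: `open (my $acl, '>', 'test-acl') or die "cannot create test-acl: $!\n";` / `print $acl "$principal\n";` / `close ($acl) or die "cannot write test-acl: $!\n";`, and add `use strict;` after the shebang. The relative `krb5cc_test` assigned to `KRB5CCNAME` is resolved against whatever the working directory is when `getcreds` runs; a short comment stating that the suite is expected to run from the perl directory would make that dependency explicit.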
diff --git a/perl/t/verifier/ldap-attr.t b/perl/t/verifier/ldap-attr.t
new file mode 100755
index 0000000..d8e416b
--- /dev/null
+++ b/perl/t/verifier/ldap-attr.t
@@ -0,0 +1,73 @@
+#!/usr/bin/perl -w
+#
+# Tests for the LDAP attribute ACL verifier.
+#
+# This test can only be run by someone local to Stanford with appropriate
+# access to the LDAP server and will be skipped in all other environments.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2012, 2013, 2014
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use Test::More;
+
+use lib 't/lib';
+use Util;
+
+# Skip all spelling tests unless the maintainer environment variable is set.
+plan skip_all => 'LDAP verifier tests only run for maintainer'
+ unless $ENV{RRA_MAINTAINER_TESTS};
+
+# Declare a plan.
+plan tests => 10;
+
+require_ok ('Wallet::ACL::LDAP::Attribute');
+
+my $host = 'ldap.stanford.edu';
+my $base = 'cn=people,dc=stanford,dc=edu';
+my $filter = 'uid';
+my $user = 'rra@stanford.edu';
+my $attr = 'suPrivilegeGroup';
+my $value = 'stanford:stanford';
+
+# Remove the realm from principal names.
+package Wallet::Config;
+sub ldap_map_principal {
+ my ($principal) = @_;
+ $principal =~ s/\@.*//;
+ return $principal;
+}
+package main;
+
+# Determine the local principal.
+my $klist = `klist 2>&1` || '';
+SKIP: {
+ skip "tests useful only with Stanford Kerberos tickets", 9
+ unless ($klist =~ /[Pp]rincipal: \S+\@stanford\.edu$/m);
+
+ # Set up our configuration.
+ $Wallet::Config::LDAP_HOST = $host;
+ $Wallet::Config::LDAP_CACHE = $ENV{KRB5CCNAME};
+ $Wallet::Config::LDAP_BASE = $base;
+ $Wallet::Config::LDAP_FILTER_ATTR = $filter;
+
+ # Finally, we can test.
+ my $verifier = eval { Wallet::ACL::LDAP::Attribute->new };
+ isa_ok ($verifier, 'Wallet::ACL::LDAP::Attribute');
+ is ($verifier->check ($user, "$attr=$value"), 1,
+ "Checking $attr=$value succeeds");
+ is ($verifier->error, undef, '...with no error');
+ is ($verifier->check ($user, "$attr=BOGUS"), 0,
+ "Checking $attr=BOGUS fails");
+ is ($verifier->error, undef, '...with no error');
+ is ($verifier->check ($user, "BOGUS=$value"), undef,
+ "Checking BOGUS=$value fails with error");
+ is ($verifier->error,
+ 'cannot check LDAP attribute BOGUS for rra: Undefined attribute type',
+ '...with correct error');
+ is ($verifier->check ('user-does-not-exist', "$attr=$value"), 0,
+ "Checking for nonexistent user fails");
+ is ($verifier->error, undef, '...with no error');
+}
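Review bot: The comment above the `plan skip_all` call reads `# Skip all spelling tests unless the maintainer environment variable is set.`, but this file tests the LDAP attribute verifier, not spelling; it was evidently carried over from another test and should read `# Skip all LDAP verifier tests unless the maintainer environment variable is set.`. Separately, `$Wallet::Config::LDAP_CACHE = $ENV{KRB5CCNAME}` assigns undef when that variable is unset even though the preceding `klist` gate may have passed using the default cache; whether the verifier tolerates an undefined cache is not visible here, so either skipping when `KRB5CCNAME` is unset or a comment stating that undef means the default cache would make the gate explicit. The expected error string `cannot check LDAP attribute BOGUS for rra` also hardcodes `rra`, which is just `$user` with its realm stripped by the `ldap_map_principal` override above; computing that local name from `$user` would keep the test self-consistent if `$user` is ever changed. As in the other new files, `use strict;` is missing after the shebang.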
diff --git a/perl/t/verifier/netdb.t b/perl/t/verifier/netdb.t
new file mode 100755
index 0000000..d8fe561
--- /dev/null
+++ b/perl/t/verifier/netdb.t
@@ -0,0 +1,45 @@
+#!/usr/bin/perl -w
+#
+# Tests for the NetDB wallet ACL verifiers.
+#
+# This test can only be run by someone local to Stanford with appropriate
+# access to the NetDB role server and will be skipped in all other
+# environments.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2008, 2014
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use Test::More tests => 5;
+
+use Wallet::ACL::NetDB;
+
+use lib 't/lib';
+use Util;
+
+my $netdb = 'netdb-node-roles-rc.stanford.edu';
+my $host = 'windlord.stanford.edu';
+my $user = 'rra@stanford.edu';
+
+# Determine the local principal.
+my $klist = `klist 2>&1` || '';
+SKIP: {
+ skip "tests useful only with Stanford Kerberos tickets", 5
+ unless ($klist =~ /^(Default p|\s+P)rincipal: \S+\@stanford\.edu$/m);
+
+ # Set up our configuration.
+ $Wallet::Config::NETDB_REALM = 'stanford.edu';
+ $Wallet::Config::NETDB_REMCTL_CACHE = $ENV{KRB5CCNAME};
+ $Wallet::Config::NETDB_REMCTL_HOST = $netdb;
+
+ # Finally, we can test.
+ $verifier = eval { Wallet::ACL::NetDB->new };
+ ok (defined $verifier, ' and now creation succeeds');
+ is ($@, q{}, ' with no errors');
+ ok ($verifier->isa ('Wallet::ACL::NetDB'), ' and returns the right class');
+ is ($verifier->check ($user, $host), 1, "Checking $host succeeds");
+ is ($verifier->check ('test-user@stanford.edu', $host), 0,
+ ' but fails with another user');
+}
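Review bot: `$verifier = eval { Wallet::ACL::NetDB->new };` assigns to a variable that is never declared; because the file runs under `-w` without `use strict;`, this silently creates a package global rather than failing, and it would become a compile error the moment strictures are added. Declare it, `my $verifier = eval { Wallet::ACL::NetDB->new };`, and add `use strict;` after the shebang. The test descriptions `' and now creation succeeds'`, `' with no errors'` and `' and returns the right class'` open with continuation words although no preceding test exists in this file, so TAP output shows a dangling "and"; `'Wallet::ACL::NetDB creation succeeds'` would read cleanly. The ticket-detection regex here, `/^(Default p|\s+P)rincipal: \S+\@stanford\.edu$/m`, also differs from the `/[Pp]rincipal: \S+\@stanford\.edu$/m` form used in ldap-attr.t; moving one shared pattern into t/lib/Util would keep the two from drifting.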