Added Wallet::ACL::LDAP::Attribute::Root

Added a version of the LDAP attribute ACL.  Like the root version for
NetDB, this requires that the principal end in /root, and then strips
off /root before doing matching against the given LDAP attribute.

Change-Id: I23119ef9c9ce3e0556f5d71a509815f2efc1bbe6

2 files changed, 36 insertions, 12 deletions

diff --git a/perl/t/general/report.t b/perl/t/general/report.t
index a841acd..e47cdc6 100755
--- a/perl/t/general/report.t
+++ b/perl/t/general/report.t
@@ -11,7 +11,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 222;
+use Test::More tests => 223;
 
 use Wallet::Admin;
 use Wallet::Report;
@@ -57,14 +57,15 @@ is ($types[9][0], 'wa-keyring', ' and the tenth member is correct');
 
 # And that we have all schemes that we expect.
 my @schemes = $report->acl_schemes;
-is (scalar (@schemes), 7, 'There are seven acl schemes created');
+is (scalar (@schemes), 8, 'There are seven acl schemes created');
 is ($schemes[0][0], 'base', ' and the first member is correct');
 is ($schemes[1][0], 'krb5', ' and the second member is correct');
 is ($schemes[2][0], 'krb5-regex', ' and the third member is correct');
 is ($schemes[3][0], 'ldap-attr', ' and the fourth member is correct');
-is ($schemes[4][0], 'nested', ' and the fifth member is correct');
-is ($schemes[5][0], 'netdb', ' and the sixth member is correct');
-is ($schemes[6][0], 'netdb-root', ' and the seventh member is correct');
+is ($schemes[4][0], 'ldap-attr-root', ' and the fifth member is correct');
+is ($schemes[5][0], 'nested', ' and the sixth member is correct');
+is ($schemes[6][0], 'netdb', ' and the seventh member is correct');
+is ($schemes[7][0], 'netdb-root', ' and the eighth member is correct');
 
 # Create an object.
 my $server = eval { Wallet::Server->new ('admin@EXAMPLE.COM', 'localhost') };
diff --git a/perl/t/verifier/ldap-attr.t b/perl/t/verifier/ldap-attr.t
index 3caaf8b..cff3b63 100755
--- a/perl/t/verifier/ldap-attr.t
+++ b/perl/t/verifier/ldap-attr.t
@@ -24,16 +24,18 @@ plan skip_all => 'LDAP verifier tests only run for maintainer'
     unless $ENV{RRA_MAINTAINER_TESTS};
 
 # Declare a plan.
-plan tests => 10;
+plan tests => 22;
 
 require_ok ('Wallet::ACL::LDAP::Attribute');
+require_ok ('Wallet::ACL::LDAP::Attribute::Root');
 
-my $host   = 'ldap.stanford.edu';
-my $base   = 'cn=people,dc=stanford,dc=edu';
-my $filter = 'uid';
-my $user   = 'jonrober@stanford.edu';
-my $attr   = 'suPrivilegeGroup';
-my $value  = 'stanford:stanford';
+my $host     = 'ldap.stanford.edu';
+my $base     = 'cn=people,dc=stanford,dc=edu';
+my $filter   = 'uid';
+my $user     = 'jonrober@stanford.edu';
+my $rootuser = 'jonrober/root@stanford.edu';
+my $attr     = 'suPrivilegeGroup';
+my $value    = 'stanford:stanford';
 
 # Remove the realm from principal names.
 package Wallet::Config;
@@ -73,4 +75,25 @@ SKIP: {
     is ($verifier->check ('user-does-not-exist', "$attr=$value"), 0,
         "Checking for nonexistent user fails");
     is ($verifier->error, undef, '...with no error');
+
+    # Then also test the root version.
+    $verifier = eval { Wallet::ACL::LDAP::Attribute::Root->new };
+    isa_ok ($verifier, 'Wallet::ACL::LDAP::Attribute::Root');
+    is ($verifier->check ($user, "$attr=$value"), 0,
+        "Checking as a non /root user fails");
+    is ($verifier->error, undef, '...with no error');
+    is ($verifier->check ($rootuser, "$attr=$value"), 1,
+        "Checking $attr=$value succeeds");
+    is ($verifier->error, undef, '...with no error');
+    is ($verifier->check ($rootuser, "$attr=BOGUS"), 0,
+        "Checking $attr=BOGUS fails");
+    is ($verifier->error, undef, '...with no error');
+    is ($verifier->check ($rootuser, "BOGUS=$value"), undef,
+        "Checking BOGUS=$value fails with error");
+    is ($verifier->error,
+        'cannot check LDAP attribute BOGUS for jonrober: Undefined attribute type',
+        '...with correct error');
+    is ($verifier->check ('user-does-not-exist', "$attr=$value"), 0,
+        "Checking for nonexistent user fails");
+    is ($verifier->error, undef, '...with no error');
 }