| author | Russ Allbery <rra@stanford.edu> | 2007-12-04 22:16:28 +0000 | 
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2007-12-04 22:16:28 +0000 | 
| commit | 0e9a5e25ec9c1977c6426f4aea4b61a658fe6855 (patch) | |
| tree | 733ceb199f5db47e210496fc8020952a0684ebc0 /perl/t | |
| parent | 1eb6e3db86a56e1b8839bd5345cd2c20d0dc0dcd (diff) | |
Add a subclass of the NetDB ACL verifier that requires the principal
have an instance of "root" and strips that instance before checking
NetDB roles.
Diffstat (limited to 'perl/t')
| -rwxr-xr-x | perl/t/verifier.t | 33 | 
1 files changed, 28 insertions, 5 deletions
| diff --git a/perl/t/verifier.t b/perl/t/verifier.t
index 878c310..65b3923 100755
--- a/perl/t/verifier.t
+++ b/perl/t/verifier.t
@@ -8,11 +8,12 @@
 #
 # See LICENSE for licensing terms.
-use Test::More tests => 37;
+use Test::More tests => 47;
 use Wallet::ACL::Base;
 use Wallet::ACL::Krb5;
 use Wallet::ACL::NetDB;
+use Wallet::ACL::NetDB::Root;
 use Wallet::Config;
 use lib 't/lib';
@@ -87,12 +88,12 @@ is ($verifier->error, 'malformed krb5 ACL', ' and right error');
 # Tests for unchanging support.  Skip these if we don't have a keytab or if we
 # can't find remctld.
 SKIP: {
-    skip 'no keytab configuration', 24 unless -f 't/data/test.keytab';
+    skip 'no keytab configuration', 34 unless -f 't/data/test.keytab';
     my @path = (split (':', $ENV{PATH}), '/usr/local/sbin', '/usr/sbin');
     my ($remctld) = grep { -x $_ } map { "$_/remctld" } @path;
-    skip 'remctld not found', 24 unless $remctld;
+    skip 'remctld not found', 34 unless $remctld;
     eval { require Net::Remctl };
-    skip 'Net::Remctl not available', 24 if $@;
+    skip 'Net::Remctl not available', 34 if $@;
     # Set up our configuration.
     $Wallet::Config::NETDB_REALM = 'EXAMPLE.COM';
@@ -154,7 +155,29 @@ SKIP: {
     is ($verifier->error,
         'error checking NetDB ACL: Unknown principal unknown',
         ' and correct error');
-    stop_remctld;
+    # Test the Wallet::ACL::NetDB::Root subclass.  We don't retest shared code
+    # (kind of grey-box of us), just the changed check behavior.
+    $verifier = eval { Wallet::ACL::NetDB::Root->new };
+    if (defined $verifier) {
+        ok (1, 'Wallet::ACL::NetDB::Root creation succeeds');
+    } else {
+        is ($@, '', 'Wallet::ACL::NetDB::Root creation succeeds');
+    }
+    ok ($verifier->isa ('Wallet::ACL::NetDB::Root'),
+        ' and returns the right class');
+    for my $node (qw/admin team user/) {
+        is ($verifier->check ('test-user', $node), 0,
+            "Verification fails for non-root user for $node");
+    }
+    for my $node (qw/admin team user/) {
+        is ($verifier->check ('test-user/root', $node), 1,
+            "Verification succeeds for root user for $node");
+    }
+    is ($verifier->check (undef, 'all'), undef,
+        'Undefined principal');
+    is ($verifier->error, 'no principal specified', ' and right error');
+
+    stop_remctld;
     unlink ('krb5cc_test', 'test-acl', 'test-pid');
 } |
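Review bot: The new Wallet::ACL::NetDB::Root checks cover only a principal with no instance and one with exactly `/root`, so the boundary of the instance-stripping rule is not pinned by any assertion. Because this verifier gates authorization on the instance, I would add a denial for a different instance in the first loop, e.g. `is ($verifier->check ('test-user/admin', $node), 0, "Verification fails for non-root instance for $node");`, and state explicitly what a realm-qualified `test-user/root@EXAMPLE.COM` should return, given that NETDB_REALM is set earlier in this SKIP block. Each added assertion means raising `tests => 47` and the three `skip ..., 34` counts to match. Separately, if the `eval` around `->new` fails, the following `$verifier->isa` call dies on an undefined value before `stop_remctld` runs, presumably leaving the test remctld running; the SKIP block opens outside this hunk, so I cannot see whether cleanup is handled elsewhere.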
