diff options
| author | Russ Allbery <rra@stanford.edu> | 2007-12-04 22:16:28 +0000 |
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2007-12-04 22:16:28 +0000 |
| commit | 0e9a5e25ec9c1977c6426f4aea4b61a658fe6855 (patch) | |
| tree | 733ceb199f5db47e210496fc8020952a0684ebc0 /perl/t | |
| parent | 1eb6e3db86a56e1b8839bd5345cd2c20d0dc0dcd (diff) | |
Add a subclass of the NetDB ACL verifier that requires the principal
have an instance of "root" and strips that instance before checking
NetDB roles.
Diffstat (limited to 'perl/t')
| -rwxr-xr-x | perl/t/verifier.t | 33 |
1 files changed, 28 insertions, 5 deletions
diff --git a/perl/t/verifier.t b/perl/t/verifier.t index 878c310..65b3923 100755 --- a/perl/t/verifier.t +++ b/perl/t/verifier.t @@ -8,11 +8,12 @@ # # See LICENSE for licensing terms. -use Test::More tests => 37; +use Test::More tests => 47; use Wallet::ACL::Base; use Wallet::ACL::Krb5; use Wallet::ACL::NetDB; +use Wallet::ACL::NetDB::Root; use Wallet::Config; use lib 't/lib'; @@ -87,12 +88,12 @@ is ($verifier->error, 'malformed krb5 ACL', ' and right error'); # Tests for unchanging support. Skip these if we don't have a keytab or if we # can't find remctld. SKIP: { - skip 'no keytab configuration', 24 unless -f 't/data/test.keytab'; + skip 'no keytab configuration', 34 unless -f 't/data/test.keytab'; my @path = (split (':', $ENV{PATH}), '/usr/local/sbin', '/usr/sbin'); my ($remctld) = grep { -x $_ } map { "$_/remctld" } @path; - skip 'remctld not found', 24 unless $remctld; + skip 'remctld not found', 34 unless $remctld; eval { require Net::Remctl }; - skip 'Net::Remctl not available', 24 if $@; + skip 'Net::Remctl not available', 34 if $@; # Set up our configuration. $Wallet::Config::NETDB_REALM = 'EXAMPLE.COM'; @@ -154,7 +155,29 @@ SKIP: { is ($verifier->error, 'error checking NetDB ACL: Unknown principal unknown', ' and correct error'); - stop_remctld; + # Test the Wallet::ACL::NetDB::Root subclass. We don't retest shared code + # (kind of grey-box of us), just the changed check behavior. + $verifier = eval { Wallet::ACL::NetDB::Root->new }; + if (defined $verifier) { + ok (1, 'Wallet::ACL::NetDB::Root creation succeeds'); + } else { + is ($@, '', 'Wallet::ACL::NetDB::Root creation succeeds'); + } + ok ($verifier->isa ('Wallet::ACL::NetDB::Root'), + ' and returns the right class'); + for my $node (qw/admin team user/) { + is ($verifier->check ('test-user', $node), 0, + "Verification fails for non-root user for $node"); + } + for my $node (qw/admin team user/) { + is ($verifier->check ('test-user/root', $node), 1, + "Verification succeeds for root user for $node"); + } + is ($verifier->check (undef, 'all'), undef, + 'Undefined principal'); + is ($verifier->error, 'no principal specified', ' and right error'); + + stop_remctld; unlink ('krb5cc_test', 'test-acl', 'test-pid'); } |