aboutsummaryrefslogtreecommitdiff
path: root/perl
diff options
context:
space:
mode:
authorRuss Allbery <rra@stanford.edu>2007-09-17 16:20:47 +0000
committerRuss Allbery <rra@stanford.edu>2007-09-17 16:20:47 +0000
commit66298af6358804e674748787cc0ccb642a63db3a (patch)
tree969e9efa620128896e060f9034565a92b2feb445 /perl
parent81d2da8adbf8db6629e7a223b10633e58b288b19 (diff)
Add an acl_show() method to Wallet::Server that calls the underlying ACL
show() method.
Diffstat (limited to 'perl')
-rw-r--r--perl/Wallet/Server.pm32
-rwxr-xr-xperl/t/server.t22
2 files changed, 52 insertions, 2 deletions
diff --git a/perl/Wallet/Server.pm b/perl/Wallet/Server.pm
index bd1567b..c417451 100644
--- a/perl/Wallet/Server.pm
+++ b/perl/Wallet/Server.pm
@@ -388,6 +388,26 @@ sub acl_error {
$self->error ("$self->{user} not authorized to $action ACL $acl");
}
+# Display the membership of an ACL or return undef and set the internal error.
+sub acl_show {
+ my ($self, $id) = @_;
+ unless ($self->{admin}->check ($self->{user})) {
+ $self->acl_error ($id, 'show');
+ return undef;
+ }
+ my $acl = eval { Wallet::ACL->new ($id, $self->{dbh}) };
+ if ($@) {
+ $self->error ($@);
+ return undef;
+ }
+ my $result = $acl->show;
+ if (not defined $result) {
+ $self->error ($acl->error);
+ return undef;
+ }
+ return $result;
+}
+
# Change the human-readable name of an ACL or return undef and set the
# internal error.
sub acl_rename {
@@ -620,6 +640,15 @@ current name or the numeric ID. NEW must not be all-numeric. To rename an
ACL, the current user must be authorized by the ADMIN ACL. Returns true on
success and false on failure.
+=item acl_show(ID)
+
+Returns a human-readable description, including membership, of the ACL
+identified by ID, which may be either the ACL name or its numeric ID. To
+show an ACL, the current user must be authorized by the ADMIN ACL (although
+be aware that anyone with show access to an object can see the membership of
+ACLs associated with that object through the show() method). Returns the
+human-readable description on success and undef on failure.
+
=item create(TYPE, NAME)
Creates a new object of type TYPE and name NAME. TYPE must be a recognized
@@ -698,7 +727,8 @@ ACLs as well.
=item show(TYPE, NAME)
Returns (as a string) a human-readable representation of the metadata stored
-for the object identified by TYPE and NAME, or undef on error. To show an
+for the object identified by TYPE and NAME, or undef on error. Included is
+the metadata and entries of any ACLs associated with the object. To show an
object, the current user must be a member of the ADMIN ACL, authorized by
the show ACL, or authorized by the owner ACL; however, if the show ACL is
set, the owner ACL will not be checked.
diff --git a/perl/t/server.t b/perl/t/server.t
index 0b7ef17..84fe901 100755
--- a/perl/t/server.t
+++ b/perl/t/server.t
@@ -3,7 +3,7 @@
#
# t/server.t -- Tests for the wallet server API.
-use Test::More tests => 211;
+use Test::More tests => 221;
use Wallet::Config;
use Wallet::Server;
@@ -38,10 +38,18 @@ ok (defined ($dbh), ' and returns a defined database handle');
# We're currently running as the administrator, so everything should succeed.
# Set up a bunch of data for us to test with, starting with some ACLs. Test
# the error handling while we're at it.
+is ($server->acl_show ('ADMIN'),
+ "Members of ACL ADMIN (id: 1) are:\n krb5 $admin\n",
+ 'Showing the ADMIN ACL works');
+is ($server->acl_show (1),
+ "Members of ACL ADMIN (id: 1) are:\n krb5 $admin\n",
+ ' including by number');
is ($server->acl_create (3), undef, 'Cannot create ACL with a numeric name');
is ($server->error, 'ACL name may not be all numbers',
' and returns the right error');
is ($server->acl_create ('user1'), 1, 'Can create regular ACL');
+is ($server->acl_show ('user1'), "Members of ACL user1 (id: 2) are:\n",
+ ' and show works');
is ($server->acl_create ('user1'), undef, ' but not twice');
like ($server->error, qr/^cannot create ACL user1: /,
' and returns a good error');
@@ -62,6 +70,8 @@ like ($server->error, qr/^cannot rename ACL 5 to test2: /,
is ($server->acl_rename ('test', 'empty'), 1, 'Renaming does work');
is ($server->acl_rename ('test', 'empty'), undef, ' but not twice');
is ($server->error, 'ACL test not found', ' and returns the right error');
+is ($server->acl_show ('test'), undef, ' and show fails');
+is ($server->error, 'ACL test not found', ' and returns the right error');
is ($server->acl_destroy ('test'), undef, 'Destroying the old name fails');
is ($server->error, 'ACL test not found', ' and returns the right error');
is ($server->acl_destroy ('test2'), 1, ' but destroying another one works');
@@ -76,6 +86,9 @@ is ($server->acl_add ('user2', 'krb5', $user2), 1, 'Add another entry');
is ($server->acl_add ('both', 'krb5', $user1), 1, ' and another');
is ($server->acl_add ('both', 'krb5', $user2), 1,
' and another to the same ACL');
+is ($server->acl_show ('both'),
+ "Members of ACL both (id: 4) are:\n krb5 $user1\n krb5 $user2\n",
+ ' and show returns the correct result');
is ($server->acl_add ('empty', 'krb5', $user1), 1, ' and another to empty');
is ($server->acl_add ('test', 'krb5', $user1), undef,
' but adding to an unknown ACL fails');
@@ -88,6 +101,9 @@ is ($server->acl_remove ('empty', 'krb5', $user2), undef,
is ($server->error,
"cannot remove krb5:$user2 from 5: entry not found in ACL",
' and returns the right error');
+is ($server->acl_show ('empty'),
+ "Members of ACL empty (id: 5) are:\n krb5 $user1\n",
+ ' and show returns the correct status');
is ($server->acl_remove ('empty', 'krb5', $user1), 1,
' but removing a good one works');
is ($server->acl_remove ('empty', 'krb5', $user1), undef,
@@ -95,6 +111,8 @@ is ($server->acl_remove ('empty', 'krb5', $user1), undef,
is ($server->error,
"cannot remove krb5:$user1 from 5: entry not found in ACL",
' and returns the right error');
+is ($server->acl_show ('empty'), "Members of ACL empty (id: 5) are:\n",
+ ' and show returns the correct status');
# Make sure we can't cripple the ADMIN ACL.
is ($server->acl_destroy ('ADMIN'), undef, 'Cannot destroy the ADMIN ACL');
@@ -299,6 +317,8 @@ is ($server->error, "$user1 not authorized to create ACL", ' with error');
is ($server->acl_rename ('user1', 'alice'), undef, ' or rename ACLs');
is ($server->error, "$user1 not authorized to rename ACL user1",
' with error');
+is ($server->acl_show ('user1'), undef, ' or show ACLs');
+is ($server->error, "$user1 not authorized to show ACL user1", ' with error');
is ($server->acl_destroy ('user2'), undef, ' or destroy ACLs');
is ($server->error, "$user1 not authorized to destroy ACL user2",
' with error');