Add a subclass of the NetDB ACL verifier that requires the principal

have an instance of "root" and strips that instance before checking
NetDB roles.

3 files changed, 156 insertions, 5 deletions

diff --git a/perl/Wallet/ACL/NetDB/Root.pm b/perl/Wallet/ACL/NetDB/Root.pm
new file mode 100644
index 0000000..5400d99
--- /dev/null
+++ b/perl/Wallet/ACL/NetDB/Root.pm
@@ -0,0 +1,124 @@
+# Wallet::ACL::NetDB::Root -- Wallet NetDB role ACL verifier (root instances).
+# $Id$
+#
+# Written by Russ Allbery <rra@stanford.edu>
+# Copyright 2007 Board of Trustees, Leland Stanford Jr. University
+#
+# See LICENSE for licensing terms.
+
+##############################################################################
+# Modules and declarations
+##############################################################################
+
+package Wallet::ACL::NetDB::Root;
+require 5.006;
+
+use strict;
+use vars qw(@ISA $VERSION);
+
+use Wallet::ACL::NetDB;
+use Wallet::Config;
+
+@ISA = qw(Wallet::ACL::NetDB);
+
+# This version should be increased on any code change to this module.  Always
+# use two digits for the minor version with a leading zero if necessary so
+# that it will sort properly.
+$VERSION = '0.01';
+
+##############################################################################
+# Interface
+##############################################################################
+
+# Override the check method of Wallet::ACL::NetDB to require that the
+# principal be a root instance and to strip /root out of the principal name
+# before checking roles.
+sub check {
+    my ($self, $principal, $acl) = @_;
+    unless ($principal) {
+        $self->error ('no principal specified');
+        return undef;
+    }
+    unless ($principal =~ s%^([^/\@]+)/root(\@|\z)%$1$2%) {
+        return 0;
+    }
+    return $self->SUPER::check ($principal, $acl);
+}
+
+##############################################################################
+# Documentation
+##############################################################################
+
+=head1 NAME
+
+Wallet::ACL::NetDB::Root - Wallet ACL verifier for NetDB roles (root instances)
+
+=head1 SYNOPSIS
+
+    my $verifier = Wallet::ACL::NetDB->new;
+    my $status = $verifier->check ($principal, $node);
+    if (not defined $status) {
+        die "Something failed: ", $verifier->error, "\n";
+    } elsif ($status) {
+        print "Access granted\n";
+    } else {
+        print "Access denied\n";
+    }
+
+=head1 DESCRIPTION
+
+Wallet::ACL::NetDB::Root works identically to Wallet::ACL::NetDB except that
+it requires the principal to be a root instance (in other words, to be in
+the form <principal>/root@<realm>) and strips the C</root> portion from the
+principal before checking against NetDB roles.  As with the base NetDB ACL
+verifier, the value of a netdb-root ACL is a node, and the ACL grants access
+to a given principal if and only if the that principal (with C</root>
+stripped) has one of the roles user, admin, or team for that node.
+
+To use this object, the same configuration parameters must be set as for
+Wallet::ACL::NetDB.  See Wallet::Config(3) for details on those
+configuration parameters and information about how to set wallet
+configuration.
+
+=head1 METHODS
+
+=over 4
+
+=item check(PRINCIPAL, ACL)
+
+Returns true if PRINCIPAL is granted access according to ACL, false if not,
+and undef on an error (see L<"DIAGNOSTICS"> below).  ACL is a node, and
+PRINCIPAL will be granted access if it has an instance of C<root> and if
+(with C</root> stripped off and the realm stripped off if configured) has
+the user, admin, or team role for that node.
+
+=back
+
+=head1 DIAGNOSTICS
+
+Same as for Wallet::ACL::NetDB.
+
+=head1 CAVEATS
+
+The instance to strip is not currently configurable.
+
+The list of possible NetDB roles that should be considered sufficient to
+grant access is not currently configurable.
+
+=head1 SEE ALSO
+
+Net::Remctl(3), Wallet::ACL(3), Wallet::ACL::Base(3), Wallet::ACL::NetDB(3),
+Wallet::Config(3), wallet-backend(8)
+
+NetDB is a free software system for managing DNS, DHCP, and related machine
+information for large organizations.  For more information on NetDB, see
+L<http://www.stanford.edu/group/networking/netdb/>.
+
+This module is part of the wallet system.  The current version is available
+from L<http://www.eyrie.org/~eagle/software/wallet/>.
+
+=head1 AUTHOR
+
+Russ Allbery <rra@stanford.edu>
+
+=cut
diff --git a/perl/Wallet/Schema.pm b/perl/Wallet/Schema.pm
index 5068d03..532c61e 100644
--- a/perl/Wallet/Schema.pm
+++ b/perl/Wallet/Schema.pm
@@ -210,6 +210,10 @@ Holds the supported ACL schemes and their corresponding Perl classes:
       as_class            varchar(64));
   insert into acl_schemes (as_name, as_class)
       values ('krb5', 'Wallet::ACL::Krb5');
+  insert into acl_schemes (as_name, as_class)
+      values ('netdb', 'Wallet::ACL::NetDB');
+  insert into acl_schemes (as_name, as_class)
+      values ('netdb-root', 'Wallet::ACL::NetDB::Root');
 
 If you have extended the wallet to support additional object types or
 additional ACL schemes, you will want to add additional rows to these tables
diff --git a/perl/t/verifier.t b/perl/t/verifier.t
index 878c310..65b3923 100755
--- a/perl/t/verifier.t
+++ b/perl/t/verifier.t
@@ -8,11 +8,12 @@
 #
 # See LICENSE for licensing terms.
 
-use Test::More tests => 37;
+use Test::More tests => 47;
 
 use Wallet::ACL::Base;
 use Wallet::ACL::Krb5;
 use Wallet::ACL::NetDB;
+use Wallet::ACL::NetDB::Root;
 use Wallet::Config;
 
 use lib 't/lib';
@@ -87,12 +88,12 @@ is ($verifier->error, 'malformed krb5 ACL', ' and right error');
 # Tests for unchanging support.  Skip these if we don't have a keytab or if we
 # can't find remctld.
 SKIP: {
-    skip 'no keytab configuration', 24 unless -f 't/data/test.keytab';
+    skip 'no keytab configuration', 34 unless -f 't/data/test.keytab';
     my @path = (split (':', $ENV{PATH}), '/usr/local/sbin', '/usr/sbin');
     my ($remctld) = grep { -x $_ } map { "$_/remctld" } @path;
-    skip 'remctld not found', 24 unless $remctld;
+    skip 'remctld not found', 34 unless $remctld;
     eval { require Net::Remctl };
-    skip 'Net::Remctl not available', 24 if $@;
+    skip 'Net::Remctl not available', 34 if $@;
 
     # Set up our configuration.
     $Wallet::Config::NETDB_REALM = 'EXAMPLE.COM';
@@ -154,7 +155,29 @@ SKIP: {
     is ($verifier->error,
         'error checking NetDB ACL: Unknown principal unknown',
         ' and correct error');
-    stop_remctld;
 
+    # Test the Wallet::ACL::NetDB::Root subclass.  We don't retest shared code
+    # (kind of grey-box of us), just the changed check behavior.
+    $verifier = eval { Wallet::ACL::NetDB::Root->new };
+    if (defined $verifier) {
+        ok (1, 'Wallet::ACL::NetDB::Root creation succeeds');
+    } else {
+        is ($@, '', 'Wallet::ACL::NetDB::Root creation succeeds');
+    }
+    ok ($verifier->isa ('Wallet::ACL::NetDB::Root'),
+        ' and returns the right class');
+    for my $node (qw/admin team user/) {
+        is ($verifier->check ('test-user', $node), 0,
+            "Verification fails for non-root user for $node");
+    }
+    for my $node (qw/admin team user/) {
+        is ($verifier->check ('test-user/root', $node), 1,
+            "Verification succeeds for root user for $node");
+    }
+    is ($verifier->check (undef, 'all'), undef,
+        'Undefined principal');
+    is ($verifier->error, 'no principal specified', ' and right error');
+
+    stop_remctld;
     unlink ('krb5cc_test', 'test-acl', 'test-pid');
 }