author | Russ Allbery <rra@stanford.edu> | 2007-10-11 00:11:43 +0000 |
---|---|---|
committer | Russ Allbery <rra@stanford.edu> | 2007-10-11 00:11:43 +0000 |
commit | 32ec05c61136ceff5c6013f304e309c7abdd2fb0 (patch) | |
tree | 0cc3e17dd1d73f2c267c20ca13693ffe2feac458 /perl | |
parent | c940a0f4716b0c8048c46ab3e783f543d190eed6 (diff) |
Add an acl_history method to the server layer and test it.
Diffstat (limited to 'perl')
-rw-r--r-- | perl/Wallet/Server.pm | 32 | ||||
-rwxr-xr-x | perl/t/server.t | 34 |
2 files changed, 63 insertions, 3 deletions
diff --git a/perl/Wallet/Server.pm b/perl/Wallet/Server.pm
index 2bc6ba1..41072a8 100644
--- a/perl/Wallet/Server.pm
+++ b/perl/Wallet/Server.pm
@@ -461,10 +461,32 @@ sub acl_error {
 $action = 'add to';
 } elsif ($action eq 'remove') {
 $action = 'remove from';
+ } elsif ($action eq 'history') {
+ $action = 'see history of';
 }
 $self->error ("$self->{user} not authorized to $action ACL $acl");
 }
 
+# Display the history of an ACL or return undef and set the internal error.
+sub acl_history {
+ my ($self, $id) = @_;
+ unless ($self->{admin}->check ($self->{user})) {
+ $self->acl_error ($id, 'history');
+ return undef;
+ }
+ my $acl = eval { Wallet::ACL->new ($id, $self->{dbh}) };
+ if ($@) {
+ $self->error ($@);
+ return undef;
+ }
+ my $result = $acl->history;
+ if (not defined $result) {
+ $self->error ($acl->error);
+ return undef;
+ }
+ return $result;
+}
+
 # Display the membership of an ACL or return undef and set the internal error.
 sub acl_show {
 my ($self, $id) = @_;
@@ -700,6 +722,16 @@ object. The ADMIN ACL may not be destroyed.
 To destroy an ACL, the current user must be authorized by the ADMIN ACL.
 Returns true on success and false on failure.
 
+=item acl_history(ID)
+
+Returns the history of the ACL identified by ID, which may be either the ACL
+name or its numeric ID. To see the history of an ACL, the current user must
+be authorized by the ADMIN ACL. Each change that modifies the ACL (not
+counting changes in the name of the ACL) will be represented by two lines.
+The first line will have a timestamp of the change followed by a description
+of the change, and the second line will give the user who made the change
+and the host from which the change was made. Returns undef on failure.
+
 =item acl_remove(ID, SCHEME, IDENTIFIER)
 
 Removes from the ACL identified by ID the entry matching SCHEME and
diff --git a/perl/t/server.t b/perl/t/server.t
index 9d04c3a..d6ae35d 100755
--- a/perl/t/server.t
+++ b/perl/t/server.t
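Review bot: In acl_history, `unless ($self->{admin}->check ($self->{user}))` treats an undef return from check exactly like a false one, so if check follows the return-undef-and-set-error convention used elsewhere in this file, a lookup failure while consulting the ADMIN ACL is reported to the caller as "not authorized to see history of ACL ..." and the real error is lost. Assuming `$self->{admin}` is a Wallet::ACL object like `$acl`, consider `my $ok = $self->{admin}->check ($self->{user});` followed by `if (not defined $ok) { $self->error ($self->{admin}->error); return undef; }` and then the existing `unless` on `$ok`, which keeps the authorization check ahead of the ACL lookup so unauthorized callers still learn nothing about whether an ACL exists. If acl_show and the other acl_* methods use the same `unless (... ->check ...)` shape, the fix belongs in a shared helper rather than in this method alone; their bodies are outside the hunk, so that is inferred. The acl_error sub that the first part of the hunk edits starts before the hunk.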
@@ -8,7 +8,7 @@ # # See LICENSE for licensing terms. -use Test::More tests => 296; +use Test::More tests => 303; use Wallet::Config; use Wallet::Server; @@ -49,6 +49,18 @@ is ($server->acl_show ('ADMIN'), is ($server->acl_show (1), "Members of ACL ADMIN (id: 1) are:\n krb5 $admin\n", ' including by number'); +my $history = <<"EOO"; +DATE create + by $admin from $host +DATE add krb5 $admin + by $admin from $host +EOO +my $result = $server->acl_history ('ADMIN'); +$result =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; +is ($result, $history, ' and displaying history works'); +$result = $server->acl_history (1); +$result =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; +is ($result, $history, ' including by number'); is ($server->acl_create (3), undef, 'Cannot create ACL with a numeric name'); is ($server->error, 'ACL name may not be all numbers', ' and returns the right error'); @@ -77,6 +89,8 @@ is ($server->acl_rename ('test', 'empty'), undef, ' but not twice'); is ($server->error, 'ACL test not found', ' and returns the right error'); is ($server->acl_show ('test'), undef, ' and show fails'); is ($server->error, 'ACL test not found', ' and returns the right error'); +is ($server->acl_history ('test'), undef, ' and history fails'); +is ($server->error, 'ACL test not found', ' and returns the right error'); is ($server->acl_destroy ('test'), undef, 'Destroying the old name fails'); is ($server->error, 'ACL test not found', ' and returns the right error'); is ($server->acl_destroy ('test2'), 1, ' but destroying another one works'); 
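Review bot: The timestamp-masking substitution `$result =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm;` is repeated for every acl_history call in this commit (twice in the @@ -49,6 hunk, again in the @@ -94,6 hunk, and the existing history test at @@ -359,7 uses the same pattern), and it runs on `$result` before anything checks that acl_history returned a value, so a failing call produces an uninitialized-value warning from the `s///` rather than a clear `is` failure. A small helper that masks dates only when the text is defined removes the duplication and keeps the `is` diagnostics meaningful; the calls then read `is (mask_dates ($server->acl_history ('ADMIN')), $history, ' and displaying history works');`. Returning `undef` explicitly from the helper is deliberate so `is` still receives three arguments when the call fails.
```perl
# Replace timestamps in history output with DATE so the expected text is
# stable; leaves undef alone so a failed call still shows up as undef in is().
sub mask_dates {
    my ($text) = @_;
    return undef unless defined $text;
    $text =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm;
    return $text;
}
# … unchanged: heredoc with the expected history …
is (mask_dates ($server->acl_history ('ADMIN')), $history,
    ' and displaying history works');
is (mask_dates ($server->acl_history (1)), $history, ' including by number');
```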
@@ -94,6 +108,17 @@ is ($server->acl_add ('both', 'krb5', $user2), 1, is ($server->acl_show ('both'), "Members of ACL both (id: 4) are:\n krb5 $user1\n krb5 $user2\n", ' and show returns the correct result'); +$history = <<"EOO"; +DATE create + by $admin from $host +DATE add krb5 $user1 + by $admin from $host +DATE add krb5 $user2 + by $admin from $host +EOO +$result = $server->acl_history ('both'); +$result =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; +is ($result, $history, ' as does history'); is ($server->acl_add ('empty', 'krb5', $user1), 1, ' and another to empty'); is ($server->acl_add ('test', 'krb5', $user1), undef, ' but adding to an unknown ACL fails'); @@ -230,7 +255,7 @@ is ($server->acl ('base', 'service/admin', 'get', 'test2'), undef, is ($server->error, 'ACL test2 not found', ' with the right error'); is ($server->acl ('base', 'service/admin', 'get', 'ADMIN'), 1, ' but setting the right ACL works'); -my $result = eval { $server->get ('base', 'service/admin') }; +$result = eval { $server->get ('base', 'service/admin') }; is ($result, undef, 'Get still fails'); is ($@, "Do not instantiate Wallet::Object::Base directly\n", ' but the method is called'); @@ -359,7 +384,7 @@ is ($server->flag_clear ('base', 'service/admin', 'unchanging'), 1, ' and clearing unchanging works'); # Test history. -my $history = <<"EOO"; +$history = <<"EOO"; DATE create by $admin from $host DATE set expires to $now @@ -422,6 +447,9 @@ is ($server->error, "$user1 not authorized to rename ACL user1", ' with error'); is ($server->acl_show ('user1'), undef, ' or show ACLs'); is ($server->error, "$user1 not authorized to show ACL user1", ' with error'); +is ($server->acl_history ('user1'), undef, ' or see history for ACLs'); +is ($server->error, "$user1 not authorized to see history of ACL user1", + ' with error'); is ($server->acl_destroy ('user2'), undef, ' or destroy ACLs'); is ($server->error, "$user1 not authorized to destroy ACL user2", ' with error'); |