diff options
Diffstat (limited to 'perl/t/general/acl.t')
| -rwxr-xr-x | perl/t/general/acl.t | 232 |
1 files changed, 232 insertions, 0 deletions
diff --git a/perl/t/general/acl.t b/perl/t/general/acl.t new file mode 100755 index 0000000..e633f46 --- /dev/null +++ b/perl/t/general/acl.t @@ -0,0 +1,232 @@ +#!/usr/bin/perl -w +# +# Tests for the wallet ACL API. +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2007, 2008, 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +use POSIX qw(strftime); +use Test::More tests => 101; + +use Wallet::ACL; +use Wallet::Admin; +use Wallet::Server; + +use lib 't/lib'; +use Util; + +# Some global defaults to use. +my $admin = 'admin@EXAMPLE.COM'; +my $user1 = 'alice@EXAMPLE.COM'; +my $user2 = 'bob@EXAMPLE.COM'; +my $host = 'localhost'; +my @trace = ($admin, $host, time); + +# Use Wallet::Admin to set up the database. +db_setup; +my $setup = eval { Wallet::Admin->new }; +is ($@, '', 'Database connection succeeded'); +is ($setup->reinitialize ($setup), 1, 'Database initialization succeeded'); +my $schema = $setup->schema; + +# Test create and new. +my $acl = eval { Wallet::ACL->create ('test', $schema, @trace) }; +ok (defined ($acl), 'ACL creation'); +is ($@, '', ' with no exceptions'); +ok ($acl->isa ('Wallet::ACL'), ' and the right class'); +is ($acl->name, 'test', ' and the right name'); +is ($acl->id, 2, ' and the right ID'); +$acl = eval { Wallet::ACL->create (3, $schema, @trace) }; +ok (!defined ($acl), 'Creating with a numeric name'); +is ($@, "ACL name may not be all numbers\n", ' with the right error message'); +$acl = eval { Wallet::ACL->create ('test', $schema, @trace) }; +ok (!defined ($acl), 'Creating a duplicate object'); +like ($@, qr/^cannot create ACL test: /, ' with the right error message'); +$acl = eval { Wallet::ACL->new ('test2', $schema) }; +ok (!defined ($acl), 'Searching for a non-existent ACL'); +is ($@, "ACL test2 not found\n", ' with the right error message'); +$acl = eval { Wallet::ACL->new ('test', $schema) }; +ok (defined ($acl), 'Searching for the test ACL by name'); +is ($@, '', ' with no exceptions'); +ok ($acl->isa ('Wallet::ACL'), ' and the right class'); +is ($acl->id, 2, ' and the right ID'); +$acl = eval { Wallet::ACL->new (2, $schema) }; +ok (defined ($acl), 'Searching for the test ACL by ID'); +is ($@, '', ' with no exceptions'); +ok ($acl->isa ('Wallet::ACL'), ' and the right class'); +is ($acl->name, 'test', ' and the right name'); + +# Test rename. +if ($acl->rename ('example')) { + ok (1, 'Renaming the ACL'); +} else { + is ($acl->error, '', 'Renaming the ACL'); +} +is ($acl->name, 'example', ' and the new name is right'); +is ($acl->id, 2, ' and the ID did not change'); +$acl = eval { Wallet::ACL->new ('test', $schema) }; +ok (!defined ($acl), ' and it cannot be found under the old name'); +is ($@, "ACL test not found\n", ' with the right error message'); +$acl = eval { Wallet::ACL->new ('example', $schema) }; +ok (defined ($acl), ' and it can be found with the new name'); +is ($@, '', ' with no exceptions'); +is ($acl->name, 'example', ' and the right name'); +is ($acl->id, 2, ' and the right ID'); +$acl = eval { Wallet::ACL->new (2, $schema) }; +ok (defined ($acl), ' and it can still found by ID'); +is ($@, '', ' with no exceptions'); +is ($acl->name, 'example', ' and the right name'); +is ($acl->id, 2, ' and the right ID'); +ok (! $acl->rename ('ADMIN'), ' but renaming to an existing name fails'); +like ($acl->error, qr/^cannot rename ACL 2 to ADMIN: /, + ' with the right error'); + +# Test add, check, remove, list, and show. +my @entries = $acl->list; +is (scalar (@entries), 0, 'ACL starts empty'); +is ($acl->check ($user1), 0, ' so check fails'); +is (scalar ($acl->check_errors), '', ' with no errors'); +ok (! $acl->add ('example', 'foo', @trace), ' and cannot add bad scheme'); +is ($acl->error, 'unknown ACL scheme example', ' with the right error'); +if ($acl->add ('krb5', $user1, @trace)) { + ok (1, ' and can add a good scheme'); +} else { + is ($acl->error, '', ' and can add a good scheme'); +} +@entries = $acl->list; +is (scalar (@entries), 1, ' and now there is one element'); +is ($entries[0][0], 'krb5', ' with the right scheme'); +is ($entries[0][1], $user1, ' and identifier'); +is ($acl->check ($user1), 1, ' so check succeeds'); +is (scalar ($acl->check_errors), '', ' with no errors'); +is ($acl->check ($user2), 0, ' but the second user still fails'); +is (scalar ($acl->check_errors), '', ' with no errors'); +if ($acl->add ('krb5', $user2, @trace)) { + ok (1, ' and can add a second entry'); +} else { + is ($acl->error, '', ' and can add a second entry'); +} +is ($acl->check ($user2), 1, ' and now the second user checks'); +is (scalar ($acl->check_errors), '', ' with no errors'); +is ($acl->check ($user1), 1, ' and the first one still checks'); +is (scalar ($acl->check_errors), '', ' with no errors'); +@entries = sort { $a->[1] cmp $b->[1] } $acl->list; +is (scalar (@entries), 2, ' and now there are two entries'); +is ($entries[0][0], 'krb5', ' with the right scheme for 1'); +is ($entries[0][1], $user1, ' and the right identifier for 1'); +is ($entries[1][0], 'krb5', ' and the right scheme for 2'); +is ($entries[1][1], $user2, ' and the right identifier for 2'); +my $expected = <<"EOE"; +Members of ACL example (id: 2) are: + krb5 $user1 + krb5 $user2 +EOE +is ($acl->show, $expected, ' and show returns correctly'); +ok (! $acl->remove ('krb5', $admin, @trace), + 'Removing a nonexistent entry fails'); +is ($acl->error, "cannot remove krb5:$admin from 2: entry not found in ACL", + ' with the right error'); +if ($acl->remove ('krb5', $user1, @trace)) { + ok (1, ' but removing the first user works'); +} else { + is ($acl->error, '', ' but removing the first user works'); +} +is ($acl->check ($user1), 0, ' and now they do not check'); +is (scalar ($acl->check_errors), '', ' with no errors'); +@entries = $acl->list; +is (scalar (@entries), 1, ' and now there is one entry'); +is ($entries[0][0], 'krb5', ' with the right scheme'); +is ($entries[0][1], $user2, ' and the right identifier'); +ok (! $acl->add ('krb5', $user2), 'Adding the same entry again fails'); +like ($acl->error, qr/^cannot add \Qkrb5:$user2\E to 2: /, + ' with the right error'); +if ($acl->add ('krb5', '', @trace)) { + ok (1, 'Adding a bad entry works'); +} else { + is ($acl->error, '', 'Adding a bad entry works'); +} +@entries = sort { $a->[1] cmp $b->[1] } $acl->list; +is (scalar (@entries), 2, ' and now there are two entries'); +is ($entries[0][0], 'krb5', ' with the right scheme for 1'); +is ($entries[0][1], '', ' and the right identifier for 1'); +is ($entries[1][0], 'krb5', ' and the right scheme for 2'); +is ($entries[1][1], $user2, ' and the right identifier for 2'); +$expected = <<"EOE"; +Members of ACL example (id: 2) are: + krb5 + krb5 $user2 +EOE +is ($acl->show, $expected, ' and show returns correctly'); +is ($acl->check ($user2), 1, ' and checking the good entry still works'); +is (scalar ($acl->check_errors), "malformed krb5 ACL\n", + ' but now with the right error'); +my @errors = $acl->check_errors; +is (scalar (@errors), 1, ' and the error return is right in list context'); +is ($errors[0], 'malformed krb5 ACL', ' with the same text'); +is ($acl->check (''), undef, 'Checking with an empty principal fails'); +is ($acl->error, 'no principal specified', ' with the right error'); +if ($acl->remove ('krb5', $user2, @trace)) { + ok (1, 'Removing the second user works'); +} else { + is ($acl->error, '', 'Removing the second user works'); +} +is ($acl->check ($user2), 0, ' and now the second user check fails'); +is (scalar ($acl->check_errors), "malformed krb5 ACL\n", + ' with the right error'); +if ($acl->remove ('krb5', '', @trace)) { + ok (1, 'Removing the bad entry works'); +} else { + is ($acl->error, '', 'Removing the bad entry works'); +} +@entries = $acl->list; +is (scalar (@entries), 0, ' and now there are no entries'); +is ($acl->show, "Members of ACL example (id: 2) are:\n", ' and show concurs'); +is ($acl->check ($user2), 0, ' and the second user check fails'); +is (scalar ($acl->check_errors), '', ' with no error message'); + +# Test history. +my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]); +my $history = <<"EOO"; +$date create + by $admin from $host +$date add krb5 $user1 + by $admin from $host +$date add krb5 $user2 + by $admin from $host +$date remove krb5 $user1 + by $admin from $host +$date add krb5 + by $admin from $host +$date remove krb5 $user2 + by $admin from $host +$date remove krb5 + by $admin from $host +EOO +is ($acl->history, $history, 'History is correct'); + +# Test destroy. +if ($acl->destroy (@trace)) { + ok (1, 'Destroying the ACL works'); +} else { + is ($acl->error, '', 'Destroying the ACL works'); +} +$acl = eval { Wallet::ACL->new ('example', $schema) }; +ok (!defined ($acl), ' and now cannot be found'); +is ($@, "ACL example not found\n", ' with the right error message'); +$acl = eval { Wallet::ACL->new (2, $schema) }; +ok (!defined ($acl), ' or by ID'); +is ($@, "ACL 2 not found\n", ' with the right error message'); +$acl = eval { Wallet::ACL->create ('example', $schema, @trace) }; +ok (defined ($acl), ' and creating another with the same name works'); +is ($@, '', ' with no exceptions'); +is ($acl->name, 'example', ' and the right name'); +like ($acl->id, qr{\A[23]\z}, ' and an ID of 2 or 3'); + +# Clean up. +$setup->destroy; +END { + unlink 'wallet-db'; +} |