Diffstat (limited to 'perl/t/verifier')
| -rwxr-xr-x | perl/t/verifier/basic.t | 155 | ||||
| -rwxr-xr-x | perl/t/verifier/ldap-attr.t | 73 | ||||
| -rwxr-xr-x | perl/t/verifier/netdb.t | 45 | 
3 files changed, 273 insertions, 0 deletions
|
diff --git a/perl/t/verifier/basic.t b/perl/t/verifier/basic.t
new file mode 100755
index 0000000..5697ae6
--- /dev/null
+++ b/perl/t/verifier/basic.t
@@ -0,0 +1,155 @@
+#!/usr/bin/perl -w
+#
+# Tests for the basic wallet ACL verifiers.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2007, 2008, 2010, 2014
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use Test::More tests => 57;
+
+use Wallet::ACL::Base;
+use Wallet::ACL::Krb5;
+use Wallet::ACL::Krb5::Regex;
+use Wallet::ACL::NetDB;
+use Wallet::ACL::NetDB::Root;
+use Wallet::Config;
+
+use lib 't/lib';
+use Util;
+
+my $verifier = Wallet::ACL::Base->new;
+ok (defined $verifier, 'Wallet::ACL::Base creation');
+ok ($verifier->isa ('Wallet::ACL::Base'), ' and class verification');
+is ($verifier->check ('eagle@eyrie.org', 'eagle@eyrie.org'), 0,
+    'Default check declines');
+is ($verifier->error, undef, 'No error set');
+
+$verifier = Wallet::ACL::Krb5->new;
+ok (defined $verifier, 'Wallet::ACL::Krb5 creation');
+ok ($verifier->isa ('Wallet::ACL::Krb5'), ' and class verification');
+is ($verifier->check ('eagle@eyrie.org', 'eagle@eyrie.org'), 1,
+    'Simple check');
+is ($verifier->check ('eagle@eyrie.org', 'thoron@stanford.edu'), 0,
+    'Simple failure');
+is ($verifier->error, undef, 'No error set');
+is ($verifier->check (undef, 'eagle@eyrie.org'), undef,
+    'Undefined principal');
+is ($verifier->error, 'no principal specified', ' and right error');
+is ($verifier->check ('eagle@eyrie.org', ''), undef, 'Empty ACL');
+is ($verifier->error, 'malformed krb5 ACL', ' and right error');
+
+$verifier = Wallet::ACL::Krb5::Regex->new;
+isa_ok ($verifier, 'Wallet::ACL::Krb5::Regex', 'krb5-regex verifier');
+is ($verifier->check ('rra@stanford.edu', '.*@stanford\.edu\z'), 1,
+    'Simple check');
+is ($verifier->check ('rra@stanford.edu', '^a.*@stanford\.edu'), 0,
+    'Simple failure');
+is ($verifier->error, undef, 'No error set');
+is ($verifier->check (undef, '^rra@stanford\.edu\z'), undef,
+    'Undefined principal');
+is ($verifier->error, 'no principal specified', ' and right error');
+is ($verifier->check ('eagle@eyrie.org', ''), undef, 'Empty ACL');
+is ($verifier->error, 'no ACL specified', ' and right error');
+is ($verifier->check ('eagle@eyrie.org', '(rra'), undef, 'Malformed regex');
+is ($verifier->error, 'malformed krb5-regex ACL', ' and right error');
+
+# Tests for the NetDB verifiers.  Skip these if we don't have a keytab or if
+# we can't find remctld.
+SKIP: {
+    skip 'no keytab configuration', 34 unless -f 't/data/test.keytab';
+    my @path = (split (':', $ENV{PATH}), '/usr/local/sbin', '/usr/sbin');
+    my ($remctld) = grep { -x $_ } map { "$_/remctld" } @path;
+    skip 'remctld not found', 34 unless $remctld;
+    eval { require Net::Remctl };
+    skip 'Net::Remctl not available', 34 if $@;
+
+    # Set up our configuration.
+    $Wallet::Config::NETDB_REALM = 'EXAMPLE.COM';
+    my $principal = contents ('t/data/test.principal');
+
+    # Now spawn our remctld server and get a ticket cache.
+    unlink ('krb5cc_test', 'test-acl', 'test-pid');
+    remctld_spawn ($remctld, $principal, 't/data/test.keytab',
+                   't/data/netdb.conf');
+    $ENV{KRB5CCNAME} = 'krb5cc_test';
+    getcreds ('t/data/test.keytab', $principal);
+
+    # Finally, we can test.
+    my $verifier = eval { Wallet::ACL::NetDB->new };
+    is ($verifier, undef, 'Constructor fails without configuration');
+    is ($@, "NetDB ACL support not configured\n", ' with the right exception');
+    $Wallet::Config::NETDB_REMCTL_CACHE = 'krb5cc_test';
+    $verifier = eval { Wallet::ACL::NetDB->new };
+    is ($verifier, undef, ' and still fails without host');
+    is ($@, "NetDB ACL support not configured\n", ' with the right exception');
+    $Wallet::Config::NETDB_REMCTL_HOST = 'localhost';
+    $Wallet::Config::NETDB_REMCTL_PRINCIPAL = $principal;
+    $Wallet::Config::NETDB_REMCTL_PORT = 14373;
+    $verifier = eval { Wallet::ACL::NetDB->new };
+    ok (defined $verifier, ' and now creation succeeds');
+    ok ($verifier->isa ('Wallet::ACL::NetDB'), ' and returns the right class');
+    is ($verifier->check ('test-user', 'all'), undef,
+        ' but verification fails without an ACL');
+    is ($verifier->error, 'cannot check NetDB ACL: Access denied',
+        ' with the right error');
+
+    # Create an ACL so that tests will start working.
+    open (ACL, '>', 'test-acl') or die "cannot create test-acl: $!\n";
+    print ACL "$principal\n";
+    close ACL;
+    is ($verifier->check ('test-user', 'all'), 1,
+        ' and now verification works');
+
+    # Test the successful verifications.
+    for my $node (qw/admin team user/) {
+        is ($verifier->check ('test-user', $node), 1,
+            "Verification succeeds for $node");
+    }
+
+    # Test various failures.
+    is ($verifier->check ('test-user', 'unknown'), 0,
+        'Verification fails for unknown');
+    is ($verifier->check ('test-user', 'none'), 0, ' and for none');
+    is ($verifier->check (undef, 'all'), undef,
+        'Undefined principal');
+    is ($verifier->error, 'no principal specified', ' and right error');
+    is ($verifier->check ('test-user', ''), undef, 'Empty ACL');
+    is ($verifier->error, 'malformed netdb ACL', ' and right error');
+    is ($verifier->check ('error', 'normal'), undef, 'Regular error');
+    is ($verifier->error, 'error checking NetDB ACL: some error',
+        ' and correct error return');
+    is ($verifier->check ('error', 'status'), undef, 'Status-only error');
+    is ($verifier->error, 'error checking NetDB ACL', ' and correct error');
+    is ($verifier->check ('unknown', 'unknown'), undef, 'Unknown node');
+    is ($verifier->error,
+        'error checking NetDB ACL: Unknown principal unknown',
+        ' and correct error');
+
+    # Test the Wallet::ACL::NetDB::Root subclass.  We don't retest shared code
+    # (kind of grey-box of us), just the changed check behavior.
+    $verifier = eval { Wallet::ACL::NetDB::Root->new };
+    if (defined $verifier) {
+        ok (1, 'Wallet::ACL::NetDB::Root creation succeeds');
+    } else {
+        is ($@, '', 'Wallet::ACL::NetDB::Root creation succeeds');
+    }
+    ok ($verifier->isa ('Wallet::ACL::NetDB::Root'),
+        ' and returns the right class');
+    for my $node (qw/admin team user/) {
+        is ($verifier->check ('test-user', $node), 0,
+            "Verification fails for non-root user for $node");
+    }
+    for my $node (qw/admin team user/) {
+        is ($verifier->check ('test-user/root', $node), 1,
+            "Verification succeeds for root user for $node");
+    }
+    is ($verifier->check (undef, 'all'), undef,
+        'Undefined principal');
+    is ($verifier->error, 'no principal specified', ' and right error');
+
+    remctld_stop;
+    unlink ('krb5cc_test', 'test-acl', 'test-pid');
+}
diff --git a/perl/t/verifier/ldap-attr.t b/perl/t/verifier/ldap-attr.t
new file mode 100755
index 0000000..d8e416b
--- /dev/null
+++ b/perl/t/verifier/ldap-attr.t
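Review bot: In the Wallet::ACL::NetDB::Root block near the end of the hunk, a constructor failure leaves `$verifier` undef after the `else` branch, so the next line's `$verifier->isa (...)` dies on an undefined value and aborts the script; `remctld_stop` and the final `unlink` are then never reached, leaving the spawned remctld and the `krb5cc_test` ticket cache behind in the working directory. The same holds for any other `die` inside the SKIP block, so the stop-and-unlink cleanup belongs in an `END` block guarded by a flag set right after `remctld_spawn` (whether `remctld_stop` tolerates being called when nothing was spawned depends on t/lib/Util, which is not visible here). The if/else and the following isa check can collapse to `ok (defined $verifier, 'Wallet::ACL::NetDB::Root creation succeeds') or diag ($@);` and `ok ($verifier && $verifier->isa ('Wallet::ACL::NetDB::Root'), ' and returns the right class');` so a failure is reported rather than fatal. Minor: none of the three new files (this one, ldap-attr.t and netdb.t) enables `use strict`, and the bareword `ACL` filehandle with the unchecked `close ACL` would read better as a lexical handle with `close $fh or die`.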
@@ -0,0 +1,73 @@
+#!/usr/bin/perl -w
+#
+# Tests for the LDAP attribute ACL verifier.
+#
+# This test can only be run by someone local to Stanford with appropriate
+# access to the LDAP server and will be skipped in all other environments.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2012, 2013, 2014
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use Test::More;
+
+use lib 't/lib';
+use Util;
+
+# Skip all spelling tests unless the maintainer environment variable is set.
+plan skip_all => 'LDAP verifier tests only run for maintainer'
+    unless $ENV{RRA_MAINTAINER_TESTS};
+
+# Declare a plan.
+plan tests => 10;
+
+require_ok ('Wallet::ACL::LDAP::Attribute');
+
+my $host   = 'ldap.stanford.edu';
+my $base   = 'cn=people,dc=stanford,dc=edu';
+my $filter = 'uid';
+my $user   = 'rra@stanford.edu';
+my $attr   = 'suPrivilegeGroup';
+my $value  = 'stanford:stanford';
+
+# Remove the realm from principal names.
+package Wallet::Config;
+sub ldap_map_principal {
+    my ($principal) = @_;
+    $principal =~ s/\@.*//;
+    return $principal;
+}
+package main;
+
+# Determine the local principal.
+my $klist = `klist 2>&1` || '';
+SKIP: {
+    skip "tests useful only with Stanford Kerberos tickets", 9
+        unless ($klist =~ /[Pp]rincipal: \S+\@stanford\.edu$/m);
+
+    # Set up our configuration.
+    $Wallet::Config::LDAP_HOST        = $host;
+    $Wallet::Config::LDAP_CACHE       = $ENV{KRB5CCNAME};
+    $Wallet::Config::LDAP_BASE        = $base;
+    $Wallet::Config::LDAP_FILTER_ATTR = $filter;
+
+    # Finally, we can test.
+    my $verifier = eval { Wallet::ACL::LDAP::Attribute->new };
+    isa_ok ($verifier, 'Wallet::ACL::LDAP::Attribute');
+    is ($verifier->check ($user, "$attr=$value"), 1,
+        "Checking $attr=$value succeeds");
+    is ($verifier->error, undef, '...with no error');
+    is ($verifier->check ($user, "$attr=BOGUS"), 0,
+        "Checking $attr=BOGUS fails");
+    is ($verifier->error, undef, '...with no error');
+    is ($verifier->check ($user, "BOGUS=$value"), undef,
+        "Checking BOGUS=$value fails with error");
+    is ($verifier->error,
+        'cannot check LDAP attribute BOGUS for rra: Undefined attribute type',
+        '...with correct error');
+    is ($verifier->check ('user-does-not-exist', "$attr=$value"), 0,
+        "Checking for nonexistent user fails");
+    is ($verifier->error, undef, '...with no error');
+}
diff --git a/perl/t/verifier/netdb.t b/perl/t/verifier/netdb.t
new file mode 100755
index 0000000..d8fe561
--- /dev/null
+++ b/perl/t/verifier/netdb.t
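Review bot: The comment above the `plan skip_all` line reads `# Skip all spelling tests unless the maintainer environment variable is set.`, which looks copied from a spelling test and should say `# Skip all LDAP verifier tests unless the maintainer environment variable is set.` A second, smaller point: `$Wallet::Config::LDAP_CACHE = $ENV{KRB5CCNAME};` assigns undef whenever the variable is unset even though the preceding `klist` check already passed; presumably the verifier then falls back to the default credential cache, but if it does not, a `skip` on `defined $ENV{KRB5CCNAME}` would give a clearer diagnosis than a failure deep inside the LDAP bind.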
@@ -0,0 +1,45 @@
+#!/usr/bin/perl -w
+#
+# Tests for the NetDB wallet ACL verifiers.
+#
+# This test can only be run by someone local to Stanford with appropriate
+# access to the NetDB role server and will be skipped in all other
+# environments.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2008, 2014
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use Test::More tests => 5;
+
+use Wallet::ACL::NetDB;
+
+use lib 't/lib';
+use Util;
+
+my $netdb = 'netdb-node-roles-rc.stanford.edu';
+my $host  = 'windlord.stanford.edu';
+my $user  = 'rra@stanford.edu';
+
+# Determine the local principal.
+my $klist = `klist 2>&1` || '';
+SKIP: {
+    skip "tests useful only with Stanford Kerberos tickets", 5
+        unless ($klist =~ /^(Default p|\s+P)rincipal: \S+\@stanford\.edu$/m);
+
+    # Set up our configuration.
+    $Wallet::Config::NETDB_REALM = 'stanford.edu';
+    $Wallet::Config::NETDB_REMCTL_CACHE = $ENV{KRB5CCNAME};
+    $Wallet::Config::NETDB_REMCTL_HOST  = $netdb;
+
+    # Finally, we can test.
+    $verifier = eval { Wallet::ACL::NetDB->new };
+    ok (defined $verifier, ' and now creation succeeds');
+    is ($@, q{}, ' with no errors');
+    ok ($verifier->isa ('Wallet::ACL::NetDB'), ' and returns the right class');
+    is ($verifier->check ($user, $host), 1, "Checking $host succeeds");
+    is ($verifier->check ('test-user@stanford.edu', $host), 0,
+        ' but fails with another user');
+}
|
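Review bot: `$verifier = eval { Wallet::ACL::NetDB->new };` inside the SKIP block assigns to a variable that is never declared, which only compiles because the file runs under `-w` with no `use strict`; it should be `my $verifier = eval { Wallet::ACL::NetDB->new };`, and the preamble should gain `use strict;` and `use warnings;` so the next undeclared name is caught at compile time. The file also assigns `$Wallet::Config::NETDB_*` without loading `Wallet::Config` itself, presumably relying on Wallet::ACL::NetDB to pull it in; basic.t in this commit loads it explicitly, and this file should match. The descriptions `' and now creation succeeds'` and `' and returns the right class'` are continuations of tests that exist only in basic.t; `'Wallet::ACL::NetDB creation succeeds'` would read correctly on its own here.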
