3 files changed, 150 insertions, 8 deletions

diff --git a/perl/t/verifier/external.t b/perl/t/verifier/external.t
new file mode 100755
index 0000000..d1438de
--- /dev/null
+++ b/perl/t/verifier/external.t
@@ -0,0 +1,35 @@
+#!/usr/bin/perl
+#
+# Tests for the external wallet ACL verifier.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2016 Russ Allbery <eagle@eyrie.org>
+#
+# See LICENSE for licensing terms.
+
+use strict;
+use warnings;
+
+use Test::More tests => 9;
+
+use Wallet::ACL::External;
+use Wallet::Config;
+
+# Configure the external ACL verifier.
+$Wallet::Config::EXTERNAL_COMMAND = 't/data/acl-command';
+
+# Check a few verifications.
+my $verifier = Wallet::ACL::External->new;
+ok (defined $verifier, 'Wallet::ACL::External creation');
+ok ($verifier->isa ('Wallet::ACL::External'), ' and class verification');
+is ($verifier->check ('eagle@eyrie.org', 'test success', 'file', 'test'),
+    1, 'Success');
+is ($verifier->check ('eagle@eyrie.org', 'test failure', 'file', 'test'),
+    0, 'Failure');
+is ($verifier->error, undef, 'No error set');
+is ($verifier->check ('eagle@eyrie.org', 'test error', 'file', 'test'),
+    undef, 'Error');
+is ($verifier->error, 'some error', ' and right error');
+is ($verifier->check (undef, 'eagle@eyrie.org', 'file', 'test'), undef,
+    'Undefined principal');
+is ($verifier->error, 'no principal specified', ' and right error');
diff --git a/perl/t/verifier/ldap-attr.t b/perl/t/verifier/ldap-attr.t
index 3c132e2..cff3b63 100755
--- a/perl/t/verifier/ldap-attr.t
+++ b/perl/t/verifier/ldap-attr.t
@@ -24,16 +24,18 @@ plan skip_all => 'LDAP verifier tests only run for maintainer'
     unless $ENV{RRA_MAINTAINER_TESTS};
 
 # Declare a plan.
-plan tests => 10;
+plan tests => 22;
 
 require_ok ('Wallet::ACL::LDAP::Attribute');
+require_ok ('Wallet::ACL::LDAP::Attribute::Root');
 
-my $host   = 'ldap.stanford.edu';
-my $base   = 'cn=people,dc=stanford,dc=edu';
-my $filter = 'uid';
-my $user   = 'rra@stanford.edu';
-my $attr   = 'suPrivilegeGroup';
-my $value  = 'stanford:stanford';
+my $host     = 'ldap.stanford.edu';
+my $base     = 'cn=people,dc=stanford,dc=edu';
+my $filter   = 'uid';
+my $user     = 'jonrober@stanford.edu';
+my $rootuser = 'jonrober/root@stanford.edu';
+my $attr     = 'suPrivilegeGroup';
+my $value    = 'stanford:stanford';
 
 # Remove the realm from principal names.
 package Wallet::Config;
@@ -68,7 +70,28 @@ SKIP: {
     is ($verifier->check ($user, "BOGUS=$value"), undef,
         "Checking BOGUS=$value fails with error");
     is ($verifier->error,
-        'cannot check LDAP attribute BOGUS for rra: Undefined attribute type',
+        'cannot check LDAP attribute BOGUS for jonrober: Undefined attribute type',
+        '...with correct error');
+    is ($verifier->check ('user-does-not-exist', "$attr=$value"), 0,
+        "Checking for nonexistent user fails");
+    is ($verifier->error, undef, '...with no error');
+
+    # Then also test the root version.
+    $verifier = eval { Wallet::ACL::LDAP::Attribute::Root->new };
+    isa_ok ($verifier, 'Wallet::ACL::LDAP::Attribute::Root');
+    is ($verifier->check ($user, "$attr=$value"), 0,
+        "Checking as a non /root user fails");
+    is ($verifier->error, undef, '...with no error');
+    is ($verifier->check ($rootuser, "$attr=$value"), 1,
+        "Checking $attr=$value succeeds");
+    is ($verifier->error, undef, '...with no error');
+    is ($verifier->check ($rootuser, "$attr=BOGUS"), 0,
+        "Checking $attr=BOGUS fails");
+    is ($verifier->error, undef, '...with no error');
+    is ($verifier->check ($rootuser, "BOGUS=$value"), undef,
+        "Checking BOGUS=$value fails with error");
+    is ($verifier->error,
+        'cannot check LDAP attribute BOGUS for jonrober: Undefined attribute type',
         '...with correct error');
     is ($verifier->check ('user-does-not-exist', "$attr=$value"), 0,
         "Checking for nonexistent user fails");
diff --git a/perl/t/verifier/nested.t b/perl/t/verifier/nested.t
new file mode 100755
index 0000000..ec7ce40
--- /dev/null
+++ b/perl/t/verifier/nested.t
@@ -0,0 +1,84 @@
+#!/usr/bin/perl
+#
+# Tests for the wallet ACL nested verifier.
+#
+# Written by Jon Robertson <jonrober@stanford.edu>
+# Copyright 2015
+#     The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use strict;
+use warnings;
+
+use Test::More tests => 22;
+
+use Wallet::ACL::Base;
+use Wallet::ACL::Nested;
+use Wallet::Admin;
+use Wallet::Config;
+
+use lib 't/lib';
+use Util;
+
+# Some global defaults to use.
+my $admin = 'admin@EXAMPLE.COM';
+my $user1 = 'alice@EXAMPLE.COM';
+my $user2 = 'bob@EXAMPLE.COM';
+my $user3 = 'jack@EXAMPLE.COM';
+my $host = 'localhost';
+my @trace = ($admin, $host, time);
+
+# Use Wallet::Admin to set up the database.
+db_setup;
+my $setup = eval { Wallet::Admin->new };
+is ($@, '', 'Database connection succeeded');
+is ($setup->reinitialize ($setup), 1, 'Database initialization succeeded');
+my $schema = $setup->schema;
+
+# Create a few ACLs for later testing.
+my $acl = eval { Wallet::ACL->create ('test', $schema, @trace) };
+ok (defined ($acl), 'ACL creation');
+my $acl_nesting = eval { Wallet::ACL->create ('nesting', $schema, @trace) };
+ok (defined ($acl), ' and another');
+my $acl_deep = eval { Wallet::ACL->create ('deepnesting', $schema, @trace) };
+ok (defined ($acl), ' and another');
+
+# Create an verifier to make sure that works
+my $verifier = Wallet::ACL::Nested->new ('test', $schema);
+ok (defined $verifier, 'Wallet::ACL::Nested creation');
+ok ($verifier->isa ('Wallet::ACL::Nested'), ' and class verification');
+is ($verifier->syntax_check ('notcreated'), 0,
+    ' and it rejects a nested name that is not already an ACL');
+is ($verifier->syntax_check ('test'), 1,
+    ' and accepts one that already exists');
+
+# Add a few entries to one ACL and then see if they validate.
+ok ($acl->add ('krb5', $user1, @trace), 'Added test scheme');
+ok ($acl->add ('krb5', $user2, @trace), ' and another');
+ok ($acl_nesting->add ('nested', 'test', @trace), ' and then nested it');
+ok ($acl_nesting->add ('krb5', $user3, @trace),
+    ' and added a non-nesting user');
+is ($acl_nesting->check ($user1), 1, ' so check of nested succeeds');
+is ($acl_nesting->check ($user3), 1, ' so check of non-nested succeeds');
+is (scalar ($acl_nesting->list), 2,
+    ' and the acl has the right number of items');
+
+# Add a recursive nesting to make sure it doesn't send us into loop.
+ok ($acl_deep->add ('nested', 'test', @trace),
+    'Adding deep nesting for one nest succeeds');
+ok ($acl_deep->add ('nested', 'nesting', @trace), ' and another');
+ok ($acl_deep->add ('krb5', $user3, @trace),
+    ' and added a non-nesting user');
+is ($acl_deep->check ($user1), 1, ' so check of nested succeeds');
+is ($acl_deep->check ($user3), 1, ' so check of non-nested succeeds');
+
+# Test getting an error in adding an invalid group to an ACL object itself.
+isnt ($acl->add ('nested', 'doesnotexist', @trace), 1,
+      'Adding bad nested acl fails');
+
+# Clean up.
+$setup->destroy;
+END {
+    unlink 'wallet-db';
+}