diff options
Diffstat (limited to 'perl/t')
| -rwxr-xr-x | perl/t/data/acl-command | 47 | ||||
| -rwxr-xr-x | perl/t/general/acl.t | 155 | ||||
| -rwxr-xr-x | perl/t/general/report.t | 51 | ||||
| -rwxr-xr-x | perl/t/general/server.t | 10 | ||||
| -rwxr-xr-x | perl/t/object/base.t | 5 | ||||
| -rw-r--r-- | perl/t/object/duo-ldap.t | 21 | ||||
| -rw-r--r-- | perl/t/object/duo-pam.t | 20 | ||||
| -rw-r--r-- | perl/t/object/duo-radius.t | 21 | ||||
| -rw-r--r-- | perl/t/object/duo-rdp.t | 20 | ||||
| -rwxr-xr-x | perl/t/object/keytab.t | 26 | ||||
| -rw-r--r-- | perl/t/object/password.t | 125 | ||||
| -rwxr-xr-x | perl/t/policy/stanford.t | 329 | ||||
| -rwxr-xr-x | perl/t/verifier/external.t | 35 | ||||
| -rwxr-xr-x | perl/t/verifier/ldap-attr.t | 39 | ||||
| -rwxr-xr-x | perl/t/verifier/nested.t | 84 | 
15 files changed, 745 insertions, 243 deletions
| diff --git a/perl/t/data/acl-command b/perl/t/data/acl-command new file mode 100755 index 0000000..b7c3066 --- /dev/null +++ b/perl/t/data/acl-command @@ -0,0 +1,47 @@ +#!/bin/sh +# +# An external ACL implementation.  Checks that the first argument is +# eagle@eyrie.org, the second argument is "test", and then returns success, +# failure, or reports an error based on whether the second argument is +# success, failure, or error. +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2016 Russ Allbery <eagle@eyrie.org> +# +# See LICENSE for licensing terms. + +set -e + +# Check the initial principal argument. +if [ "$1" != 'eagle@eyrie.org' ]; then +    echo 'incorrect principal' >&2 +    exit 1 +fi + +# Check that the second and third arguments are file test (the test object). +if [ "$2" != 'file' ]; then +    echo 'incorrect second argument' >&2 +    exit 1 +fi +if [ "$3" != 'test' ]; then +    echo 'incorrect third argument' >&2 +    exit 1 +fi + +# Process the fourth argument. +case $4 in +    'test success') +        exit 0 +        ;; +    'test failure') +        exit 1 +        ;; +    'test error') +        echo 'some error' >&2 +        exit 1 +        ;; +    *) +        echo 'unknown fourth argument' >&2 +        exit 1 +        ;; +esac diff --git a/perl/t/general/acl.t b/perl/t/general/acl.t index 1dd5c53..4de7493 100755 --- a/perl/t/general/acl.t +++ b/perl/t/general/acl.t @@ -12,11 +12,11 @@ use strict;  use warnings;  use POSIX qw(strftime); -use Test::More tests => 101; +use Test::More tests => 115;  use Wallet::ACL;  use Wallet::Admin; -use Wallet::Server; +use Wallet::Object::Base;  use lib 't/lib';  use Util; @@ -46,7 +46,7 @@ $acl = eval { Wallet::ACL->create (3, $schema, @trace) };  ok (!defined ($acl), 'Creating with a numeric name');  is ($@, "ACL name may not be all numbers\n", ' with the right error message');  $acl = eval { Wallet::ACL->create ('test', $schema, @trace) }; -ok (!defined ($acl), 'Creating a duplicate object'); +ok (!defined ($acl), 'Creating a duplicate acl');  like ($@, qr/^cannot create ACL test: /, ' with the right error message');  $acl = eval { Wallet::ACL->new ('test2', $schema) };  ok (!defined ($acl), 'Searching for a non-existent ACL'); @@ -62,32 +62,6 @@ is ($@, '', ' with no exceptions');  ok ($acl->isa ('Wallet::ACL'), ' and the right class');  is ($acl->name, 'test', ' and the right name'); -# Test rename. -if ($acl->rename ('example', @trace)) { -    ok (1, 'Renaming the ACL'); -} else { -    is ($acl->error, '', 'Renaming the ACL'); -} -is ($acl->name, 'example', ' and the new name is right'); -is ($acl->id, 2, ' and the ID did not change'); -$acl = eval { Wallet::ACL->new ('test', $schema) }; -ok (!defined ($acl), ' and it cannot be found under the old name'); -is ($@, "ACL test not found\n", ' with the right error message'); -$acl = eval { Wallet::ACL->new ('example', $schema) }; -ok (defined ($acl), ' and it can be found with the new name'); -is ($@, '', ' with no exceptions'); -is ($acl->name, 'example', ' and the right name'); -is ($acl->id, 2, ' and the right ID'); -$acl = eval { Wallet::ACL->new (2, $schema) }; -ok (defined ($acl), ' and it can still found by ID'); -is ($@, '', ' with no exceptions'); -is ($acl->name, 'example', ' and the right name'); -is ($acl->id, 2, ' and the right ID'); -ok (! $acl->rename ('ADMIN', @trace), -    ' but renaming to an existing name fails'); -like ($acl->error, qr/^cannot rename ACL 2 to ADMIN: /, -      ' with the right error'); -  # Test add, check, remove, list, and show.  my @entries = $acl->list;  is (scalar (@entries), 0, 'ACL starts empty'); @@ -124,14 +98,14 @@ is ($entries[0][1], $user1, ' and the right identifier for 1');  is ($entries[1][0], 'krb5', ' and the right scheme for 2');  is ($entries[1][1], $user2, ' and the right identifier for 2');  my $expected = <<"EOE"; -Members of ACL example (id: 2) are: +Members of ACL test (id: 2) are:    krb5 $user1    krb5 $user2  EOE  is ($acl->show, $expected, ' and show returns correctly');  ok (! $acl->remove ('krb5', $admin, @trace),      'Removing a nonexistent entry fails'); -is ($acl->error, "cannot remove krb5:$admin from 2: entry not found in ACL", +is ($acl->error, "cannot remove krb5:$admin from test: entry not found in ACL",      ' with the right error');  if ($acl->remove ('krb5', $user1, @trace)) {      ok (1, ' but removing the first user works'); @@ -145,7 +119,7 @@ is (scalar (@entries), 1, ' and now there is one entry');  is ($entries[0][0], 'krb5', ' with the right scheme');  is ($entries[0][1], $user2, ' and the right identifier');  ok (! $acl->add ('krb5', $user2), 'Adding the same entry again fails'); -like ($acl->error, qr/^cannot add \Qkrb5:$user2\E to 2: /, +like ($acl->error, qr/^cannot add \Qkrb5:$user2\E to test: /,        ' with the right error');  if ($acl->add ('krb5', '', @trace)) {      ok (1, 'Adding a bad entry works'); @@ -159,7 +133,7 @@ is ($entries[0][1], '', ' and the right identifier for 1');  is ($entries[1][0], 'krb5', ' and the right scheme for 2');  is ($entries[1][1], $user2, ' and the right identifier for 2');  $expected = <<"EOE"; -Members of ACL example (id: 2) are: +Members of ACL test (id: 2) are:    krb5     krb5 $user2  EOE @@ -187,17 +161,50 @@ if ($acl->remove ('krb5', '', @trace)) {  }  @entries = $acl->list;  is (scalar (@entries), 0, ' and now there are no entries'); -is ($acl->show, "Members of ACL example (id: 2) are:\n", ' and show concurs'); +is ($acl->show, "Members of ACL test (id: 2) are:\n", ' and show concurs');  is ($acl->check ($user2), 0, ' and the second user check fails');  is (scalar ($acl->check_errors), '', ' with no error message'); +# Test rename. +my $acl_nest = eval { Wallet::ACL->create ('test-nesting', $schema, @trace) }; +ok (defined ($acl_nest), 'ACL creation for setting up nested'); +if ($acl_nest->add ('nested', 'test', @trace)) { +    ok (1, ' and adding the nesting'); +} else { +    is ($acl_nest->error, '', ' and adding the nesting'); +} +if ($acl->rename ('example', @trace)) { +    ok (1, 'Renaming the ACL'); +} else { +    is ($acl->error, '', 'Renaming the ACL'); +} +is ($acl->name, 'example', ' and the new name is right'); +is ($acl->id, 2, ' and the ID did not change'); +$acl = eval { Wallet::ACL->new ('test', $schema) }; +ok (!defined ($acl), ' and it cannot be found under the old name'); +is ($@, "ACL test not found\n", ' with the right error message'); +$acl = eval { Wallet::ACL->new ('example', $schema) }; +ok (defined ($acl), ' and it can be found with the new name'); +is ($@, '', ' with no exceptions'); +is ($acl->name, 'example', ' and the right name'); +is ($acl->id, 2, ' and the right ID'); +$acl = eval { Wallet::ACL->new (2, $schema) }; +ok (defined ($acl), ' and it can still found by ID'); +is ($@, '', ' with no exceptions'); +is ($acl->name, 'example', ' and the right name'); +is ($acl->id, 2, ' and the right ID'); +ok (! $acl->rename ('ADMIN', @trace), +    ' but renaming to an existing name fails'); +like ($acl->error, qr/^cannot rename ACL example to ADMIN: /, +      ' with the right error'); +@entries = $acl_nest->list; +is ($entries[0][1], 'example', ' and the name in a nested ACL updated'); +  # Test history.  my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]);  my $history = <<"EOO";  $date  create      by $admin from $host -$date  rename from test -    by $admin from $host  $date  add krb5 $user1      by $admin from $host  $date  add krb5 $user2 @@ -210,14 +217,24 @@ $date  remove krb5 $user2      by $admin from $host  $date  remove krb5       by $admin from $host +$date  rename from test +    by $admin from $host  EOO  is ($acl->history, $history, 'History is correct');  # Test destroy. +$acl->destroy (@trace); +is ($acl->error, 'cannot destroy ACL example: ACL is nested in ACL test-nesting', +    'Destroying a nested ACL fails'); +if ($acl_nest->remove ('nested', 'example', @trace)) { +    ok (1, ' and removing the nesting succeeds'); +} else { +    is ($acl_nest->error, '', 'and removing the nesting succeeds'); +}  if ($acl->destroy (@trace)) { -    ok (1, 'Destroying the ACL works'); +    ok (1, ' and now destroying the ACL works');  } else { -    is ($acl->error, '', 'Destroying the ACL works'); +    is ($acl->error, '', ' and now destroying the ACL works');  }  $acl = eval { Wallet::ACL->new ('example', $schema) };  ok (!defined ($acl), ' and now cannot be found'); @@ -225,11 +242,71 @@ is ($@, "ACL example not found\n", ' with the right error message');  $acl = eval { Wallet::ACL->new (2, $schema) };  ok (!defined ($acl), ' or by ID');  is ($@, "ACL 2 not found\n", ' with the right error message'); +@entries = $acl_nest->list; +is (scalar (@entries), 0, ' and it is no longer a nested entry');  $acl = eval { Wallet::ACL->create ('example', $schema, @trace) };  ok (defined ($acl), ' and creating another with the same name works');  is ($@, '', ' with no exceptions');  is ($acl->name, 'example', ' and the right name'); -like ($acl->id, qr{\A[23]\z}, ' and an ID of 2 or 3'); +like ($acl->id, qr{\A[34]\z}, ' and an ID of 3 or 4'); + +# Test replace. by creating three acls, then assigning two objects to the +# first, one to the second, and another to the third.  Then replace the first +# acl with the second, so that we can verify that multiple objects are moved, +# that an object already belonging to the new acl is okay, and that the +# objects with unrelated ACL are unaffected. +my ($acl_old, $acl_new, $acl_other, $obj_old_one, $obj_old_two, $obj_new, +    $obj_unrelated); +eval { +    $acl_old   = Wallet::ACL->create ('example-old', $schema, @trace); +    $acl_new   = Wallet::ACL->create ('example-new', $schema, @trace); +    $acl_other = Wallet::ACL->create ('example-other', $schema, @trace); +}; +is ($@, '', 'ACLs needed for testing replace are created'); +eval { +    $obj_old_one   = Wallet::Object::Base->create ('keytab', +                                                   'service/test1@EXAMPLE.COM', +                                                   $schema, @trace); +    $obj_old_two   = Wallet::Object::Base->create ('keytab', +                                                   'service/test2@EXAMPLE.COM', +                                                   $schema, @trace); +    $obj_new       = Wallet::Object::Base->create ('keytab', +                                                   'service/test3@EXAMPLE.COM', +                                                   $schema, @trace); +    $obj_unrelated = Wallet::Object::Base->create ('keytab', +                                                   'service/test4@EXAMPLE.COM', +                                                   $schema, @trace); +}; +is ($@, '', ' and so were needed objects'); +if ($obj_old_one->owner ('example-old', @trace) +    && $obj_old_two->owner ('example-old', @trace) +    && $obj_new->owner ('example-new', @trace) +    && $obj_unrelated->owner ('example-other', @trace)) { + +    ok (1, ' and setting initial ownership on the objects succeeds'); +} +is ($acl_old->replace('example-new', @trace), 1, +    ' and replace ran successfully'); +eval { +    $obj_old_one   = Wallet::Object::Base->new ('keytab', +                                                'service/test1@EXAMPLE.COM', +                                                $schema); +    $obj_old_two   = Wallet::Object::Base->new ('keytab', +                                                'service/test2@EXAMPLE.COM', +                                                $schema); +    $obj_new       = Wallet::Object::Base->new ('keytab', +                                                'service/test3@EXAMPLE.COM', +                                                $schema); +    $obj_unrelated = Wallet::Object::Base->new ('keytab', +                                                'service/test4@EXAMPLE.COM', +                                                $schema); +}; +is ($obj_old_one->owner, 'example-new', ' and first replace is correct'); +is ($obj_old_two->owner, 'example-new', ' and second replace is correct'); +is ($obj_new->owner, 'example-new', +    ' and object already with new acl is correct'); +is ($obj_unrelated->owner, 'example-other', +    ' and unrelated object ownership is correct');  # Clean up.  $setup->destroy; diff --git a/perl/t/general/report.t b/perl/t/general/report.t index 8d348ed..e47cdc6 100755 --- a/perl/t/general/report.t +++ b/perl/t/general/report.t @@ -11,7 +11,7 @@  use strict;  use warnings; -use Test::More tests => 197; +use Test::More tests => 223;  use Wallet::Admin;  use Wallet::Report; @@ -41,6 +41,32 @@ is (scalar (@acls), 1, 'One ACL in the database');  is ($acls[0][0], 1, ' and that is ACL ID 1');  is ($acls[0][1], 'ADMIN', ' with the right name'); +# Check to see that we have all types that we expect. +my @types = $report->types; +is (scalar (@types), 10, 'There are ten types created'); +is ($types[0][0], 'base', ' and the first member is correct'); +is ($types[1][0], 'duo', ' and the second member is correct'); +is ($types[2][0], 'duo-ldap', ' and the third member is correct'); +is ($types[3][0], 'duo-pam', ' and the fourth member is correct'); +is ($types[4][0], 'duo-radius', ' and the fifth member is correct'); +is ($types[5][0], 'duo-rdp', ' and the sixth member is correct'); +is ($types[6][0], 'file', ' and the seventh member is correct'); +is ($types[7][0], 'keytab', ' and the eighth member is correct'); +is ($types[8][0], 'password', ' and the nineth member is correct'); +is ($types[9][0], 'wa-keyring', ' and the tenth member is correct'); + +# And that we have all schemes that we expect. +my @schemes = $report->acl_schemes; +is (scalar (@schemes), 8, 'There are seven acl schemes created'); +is ($schemes[0][0], 'base', ' and the first member is correct'); +is ($schemes[1][0], 'krb5', ' and the second member is correct'); +is ($schemes[2][0], 'krb5-regex', ' and the third member is correct'); +is ($schemes[3][0], 'ldap-attr', ' and the fourth member is correct'); +is ($schemes[4][0], 'ldap-attr-root', ' and the fifth member is correct'); +is ($schemes[5][0], 'nested', ' and the sixth member is correct'); +is ($schemes[6][0], 'netdb', ' and the seventh member is correct'); +is ($schemes[7][0], 'netdb-root', ' and the eighth member is correct'); +  # Create an object.  my $server = eval { Wallet::Server->new ('admin@EXAMPLE.COM', 'localhost') };  is ($@, '', 'Creating a server instance did not die'); @@ -257,6 +283,22 @@ is (scalar (@lines), 1, 'Searching for ACL naming violations finds one');  is ($lines[0][0], 3, ' and the first has the right ID');  is ($lines[0][1], 'second', ' and the right name'); +# Set a host-based object matching script so that we can test the host report. +# The deactivation trick isn't needed here. +package Wallet::Config; +sub is_for_host { +    my ($type, $name, $host) = @_; +    my ($service, $principal) = split ('/', $name, 2); +    return 0 unless $service && $principal; +    return 1 if $host eq $principal; +    return 0; +} +package main; +@lines = $report->objects_hostname ('host', 'admin'); +is (scalar (@lines), 1, 'Searching for host-based objects finds one'); +is ($lines[0][0], 'base', ' and the first has the right type'); +is ($lines[0][1], 'service/admin', ' and the right name'); +  # Set up a file bucket so that we can create an object we can retrieve.  system ('rm -rf test-files') == 0 or die "cannot remove test-files\n";  mkdir 'test-files' or die "cannot create test-files: $!\n"; @@ -325,6 +367,13 @@ is ($server->acl_add ('third', 'base', 'baz'), 1,  is (scalar (@acls), 0, 'There are no duplicate ACLs');  is ($report->error, undef, ' and no error'); +# See if the acl nesting report works correctly. +is ($server->acl_add ('fourth', 'nested', 'second'), 1, +    'Adding an ACL as a nested entry for another works'); +@acls = $report->acls ('nesting', 'second'); +is (scalar (@acls), 1, ' and the nested report shows one nesting'); +is ($acls[0][1], 'fourth', ' with the correct ACL nesting it'); +  # Clean up.  $admin->destroy;  system ('rm -r test-files') == 0 or die "cannot remove test-files\n"; diff --git a/perl/t/general/server.t b/perl/t/general/server.t index 0a527a5..8f4c16c 100755 --- a/perl/t/general/server.t +++ b/perl/t/general/server.t @@ -89,7 +89,7 @@ is ($server->acl_rename ('empty', 'test'), undef,  is ($server->error, 'ACL empty not found', ' and returns the right error');  is ($server->acl_rename ('test', 'test2'), undef,      ' and cannot rename to an existing name'); -like ($server->error, qr/^cannot rename ACL 6 to test2: /, +like ($server->error, qr/^cannot rename ACL test to test2: /,        ' and returns the right error');  is ($server->acl_rename ('test', 'empty'), 1, 'Renaming does work');  is ($server->acl_rename ('test', 'empty'), undef, ' but not twice'); @@ -138,7 +138,7 @@ is ($server->error, 'ACL test not found', ' and returns the right error');  is ($server->acl_remove ('empty', 'krb5', $user2), undef,      ' and removing an entry not there fails');  is ($server->error, -    "cannot remove krb5:$user2 from 6: entry not found in ACL", +    "cannot remove krb5:$user2 from empty: entry not found in ACL",      ' and returns the right error');  is ($server->acl_show ('empty'),      "Members of ACL empty (id: 6) are:\n  krb5 $user1\n", @@ -148,7 +148,7 @@ is ($server->acl_remove ('empty', 'krb5', $user1), 1,  is ($server->acl_remove ('empty', 'krb5', $user1), undef,      ' but does not work twice');  is ($server->error, -    "cannot remove krb5:$user1 from 6: entry not found in ACL", +    "cannot remove krb5:$user1 from empty: entry not found in ACL",      ' and returns the right error');  is ($server->acl_show ('empty'), "Members of ACL empty (id: 6) are:\n",      ' and show returns the correct status'); @@ -168,7 +168,7 @@ is ($server->acl_remove ('ADMIN', 'krb5', $user1), 1, ' and then remove it');  is ($server->acl_remove ('ADMIN', 'krb5', $user1), undef,      ' and remove a user not on it');  is ($server->error, -    "cannot remove krb5:$user1 from 1: entry not found in ACL", +    "cannot remove krb5:$user1 from ADMIN: entry not found in ACL",      ' and get the right error');  # Now, create a few objects to use for testing and test the object API while @@ -994,7 +994,7 @@ is ($server->owner ('base', 'service/acl-user', 'test-destroy'), 1,  is ($server->acl_destroy ('test-destroy'), undef,      ' and now we cannot destroy that ACL');  is ($server->error, -    'cannot destroy ACL 9: ACL in use by base:service/acl-user', +    'cannot destroy ACL test-destroy: ACL in use by base:service/acl-user',      ' with the right error');  is ($server->owner ('base', 'service/acl-user', ''), 1,      ' but after we clear the owner'); diff --git a/perl/t/object/base.t b/perl/t/object/base.t index ee9ff4b..8fedd64 100755 --- a/perl/t/object/base.t +++ b/perl/t/object/base.t @@ -12,7 +12,7 @@ use strict;  use warnings;  use POSIX qw(strftime); -use Test::More tests => 137; +use Test::More tests => 139;  use Wallet::ACL;  use Wallet::Admin; @@ -208,6 +208,9 @@ is ($object->flag_clear ('locked', @trace), 1, 'Clearing locked succeeds');  eval { $object->get (@trace) };  is ($@, "Do not instantiate Wallet::Object::Base directly\n",      'Get fails with the right error'); +ok (!$object->update (@trace), 'Update fails'); +is ($object->error, 'update is not supported for this type, use get instead', +    ' with the right error');  ok (! $object->store ("Some data", @trace), 'Store fails');  is ($object->error, "cannot store keytab:$princ: object type is immutable",      ' with the right error'); diff --git a/perl/t/object/duo-ldap.t b/perl/t/object/duo-ldap.t index 3648eba..8a00dbb 100644 --- a/perl/t/object/duo-ldap.t +++ b/perl/t/object/duo-ldap.t @@ -26,7 +26,7 @@ BEGIN {  BEGIN {      use_ok('Wallet::Admin');      use_ok('Wallet::Config'); -    use_ok('Wallet::Object::Duo::LDAPProxy'); +    use_ok('Wallet::Object::Duo');  }  use lib 't/lib'; @@ -53,15 +53,14 @@ my $mock = Net::Duo::Mock::Agent->new ({ key_file => 't/data/duo/keys.json' });  # Test error handling in the absence of configuration.  my $object = eval { -    Wallet::Object::Duo::LDAPProxy->new ('duo-ldap', 'test', $schema); +    Wallet::Object::Duo->new ('duo-ldap', 'test', $schema);  }; -is ($object, undef, 'Wallet::Object::Duo::LDAPProxy new with no config failed'); +is ($object, undef, 'Wallet::Object::Duo new with no config failed');  is ($@, "duo object implementation not configured\n", '...with correct error');  $object = eval { -    Wallet::Object::Duo::LDAPProxy->create ('duo-ldap', 'test', $schema, -                                            @trace); +    Wallet::Object::Duo->create ('duo-ldap', 'test', $schema, @trace);  }; -is ($object, undef, 'Wallet::Object::Duo::LDAPProxy creation with no config failed'); +is ($object, undef, 'Wallet::Object::Duo creation with no config failed');  is ($@, "duo object implementation not configured\n", '...with correct error');  # Set up the Duo configuration. @@ -83,9 +82,8 @@ $mock->expect (          response_file => 't/data/duo/integration.json',      }  ); -$object = Wallet::Object::Duo::LDAPProxy->create ('duo-ldap', 'test', $schema, -                                            @trace); -isa_ok ($object, 'Wallet::Object::Duo::LDAPProxy'); +$object = Wallet::Object::Duo->create ('duo-ldap', 'test', $schema, @trace); +isa_ok ($object, 'Wallet::Object::Duo');  # Check the metadata about the new wallet object.  $expected = <<"EOO"; @@ -127,7 +125,7 @@ is ($object->flag_clear ('locked', @trace), 1,      '...and clearing locked flag works');  # Create a new object by wallet type and name. -$object = Wallet::Object::Duo::LDAPProxy->new ('duo-ldap', 'test', $schema); +$object = Wallet::Object::Duo->new ('duo-ldap', 'test', $schema);  # Test deleting an integration.  We can't test this entirely properly because  # currently Net::Duo::Mock::Agent doesn't support stacking multiple expected @@ -144,8 +142,7 @@ TODO: {      local $TODO = 'Net::Duo::Mock::Agent not yet capable';      is ($object->destroy (@trace), 1, 'Duo object deletion succeeded'); -    $object = eval { Wallet::Object::Duo::LDAPProxy->new ('duo-ldap', 'test', -                                                          $schema) }; +    $object = eval { Wallet::Object::Duo->new ('duo-ldap', 'test', $schema) };      is ($object, undef, '...and now object cannot be retrieved');      is ($@, "cannot find duo:test\n", '...with correct error');  } diff --git a/perl/t/object/duo-pam.t b/perl/t/object/duo-pam.t index 7b88787..047343e 100644 --- a/perl/t/object/duo-pam.t +++ b/perl/t/object/duo-pam.t @@ -26,7 +26,7 @@ BEGIN {  BEGIN {      use_ok('Wallet::Admin');      use_ok('Wallet::Config'); -    use_ok('Wallet::Object::Duo::PAM'); +    use_ok('Wallet::Object::Duo');  }  use lib 't/lib'; @@ -53,14 +53,14 @@ my $mock = Net::Duo::Mock::Agent->new ({ key_file => 't/data/duo/keys.json' });  # Test error handling in the absence of configuration.  my $object = eval { -    Wallet::Object::Duo::PAM->new ('duo-pam', 'test', $schema); +    Wallet::Object::Duo->new ('duo-pam', 'test', $schema);  }; -is ($object, undef, 'Wallet::Object::Duo::PAM new with no config failed'); +is ($object, undef, 'Wallet::Object::Duo new with no config failed');  is ($@, "duo object implementation not configured\n", '...with correct error');  $object = eval { -    Wallet::Object::Duo::PAM->create ('duo-pam', 'test', $schema, @trace); +    Wallet::Object::Duo->create ('duo-pam', 'test', $schema, @trace);  }; -is ($object, undef, 'Wallet::Object::Duo::PAM creation with no config failed'); +is ($object, undef, 'Wallet::Object::Duo creation with no config failed');  is ($@, "duo object implementation not configured\n", '...with correct error');  # Set up the Duo configuration. @@ -82,9 +82,8 @@ $mock->expect (          response_file => 't/data/duo/integration.json',      }  ); -$object = Wallet::Object::Duo::PAM->create ('duo-pam', 'test', $schema, -                                            @trace); -isa_ok ($object, 'Wallet::Object::Duo::PAM'); +$object = Wallet::Object::Duo->create ('duo-pam', 'test', $schema, @trace); +isa_ok ($object, 'Wallet::Object::Duo');  # Check the metadata about the new wallet object.  $expected = <<"EOO"; @@ -126,7 +125,7 @@ is ($object->flag_clear ('locked', @trace), 1,      '...and clearing locked flag works');  # Create a new object by wallet type and name. -$object = Wallet::Object::Duo::PAM->new ('duo-pam', 'test', $schema); +$object = Wallet::Object::Duo->new ('duo-pam', 'test', $schema);  # Test deleting an integration.  We can't test this entirely properly because  # currently Net::Duo::Mock::Agent doesn't support stacking multiple expected @@ -143,8 +142,7 @@ TODO: {      local $TODO = 'Net::Duo::Mock::Agent not yet capable';      is ($object->destroy (@trace), 1, 'Duo object deletion succeeded'); -    $object = eval { Wallet::Object::Duo::PAM->new ('duo-pam', 'test', -                                                    $schema) }; +    $object = eval { Wallet::Object::Duo->new ('duo-pam', 'test', $schema) };      is ($object, undef, '...and now object cannot be retrieved');      is ($@, "cannot find duo:test\n", '...with correct error');  } diff --git a/perl/t/object/duo-radius.t b/perl/t/object/duo-radius.t index f258518..55cbb9d 100644 --- a/perl/t/object/duo-radius.t +++ b/perl/t/object/duo-radius.t @@ -26,7 +26,7 @@ BEGIN {  BEGIN {      use_ok('Wallet::Admin');      use_ok('Wallet::Config'); -    use_ok('Wallet::Object::Duo::RadiusProxy'); +    use_ok('Wallet::Object::Duo');  }  use lib 't/lib'; @@ -53,17 +53,16 @@ my $mock = Net::Duo::Mock::Agent->new ({ key_file => 't/data/duo/keys.json' });  # Test error handling in the absence of configuration.  my $object = eval { -    Wallet::Object::Duo::RadiusProxy->new ('duo-raduys', 'test', $schema); +    Wallet::Object::Duo->new ('duo-radius', 'test', $schema);  };  is ($object, undef, -    'Wallet::Object::Duo::RadiusProxy new with no config failed'); +    'Wallet::Object::Duo new with no config failed');  is ($@, "duo object implementation not configured\n", '...with correct error');  $object = eval { -    Wallet::Object::Duo::RadiusProxy->create ('duo-radius', 'test', $schema, -                                              @trace); +    Wallet::Object::Duo->create ('duo-radius', 'test', $schema, @trace);  };  is ($object, undef, -    'Wallet::Object::Duo::RadiusProxy creation with no config failed'); +    'Wallet::Object::Duo creation with no config failed');  is ($@, "duo object implementation not configured\n", '...with correct error');  # Set up the Duo configuration. @@ -85,9 +84,8 @@ $mock->expect (          response_file => 't/data/duo/integration-radius.json',      }  ); -$object = Wallet::Object::Duo::RadiusProxy->create ('duo-radius', 'test', -                                                    $schema, @trace); -isa_ok ($object, 'Wallet::Object::Duo::RadiusProxy'); +$object = Wallet::Object::Duo->create ('duo-radius', 'test', $schema, @trace); +isa_ok ($object, 'Wallet::Object::Duo');  # Check the metadata about the new wallet object.  $expected = <<"EOO"; @@ -130,8 +128,7 @@ is ($object->flag_clear ('locked', @trace), 1,      '...and clearing locked flag works');  # Create a new object by wallet type and name. -$object = Wallet::Object::Duo::RadiusProxy->new ('duo-radius', 'test', -                                                 $schema); +$object = Wallet::Object::Duo->new ('duo-radius', 'test', $schema);  # Test deleting an integration.  We can't test this entirely properly because  # currently Net::Duo::Mock::Agent doesn't support stacking multiple expected @@ -149,7 +146,7 @@ TODO: {      is ($object->destroy (@trace), 1, 'Duo object deletion succeeded');      $object = eval { -        Wallet::Object::Duo::RadiusProxy->new ('duo-radius', 'test', $schema); +        Wallet::Object::Duo->new ('duo-radius', 'test', $schema);      };      is ($object, undef, '...and now object cannot be retrieved');      is ($@, "cannot find duo:test\n", '...with correct error'); diff --git a/perl/t/object/duo-rdp.t b/perl/t/object/duo-rdp.t index 9b2d566..25060ac 100644 --- a/perl/t/object/duo-rdp.t +++ b/perl/t/object/duo-rdp.t @@ -26,7 +26,7 @@ BEGIN {  BEGIN {      use_ok('Wallet::Admin');      use_ok('Wallet::Config'); -    use_ok('Wallet::Object::Duo::RDP'); +    use_ok('Wallet::Object::Duo');  }  use lib 't/lib'; @@ -53,14 +53,14 @@ my $mock = Net::Duo::Mock::Agent->new ({ key_file => 't/data/duo/keys.json' });  # Test error handling in the absence of configuration.  my $object = eval { -    Wallet::Object::Duo::RDP->new ('duo-rdp', 'test', $schema); +    Wallet::Object::Duo->new ('duo-rdp', 'test', $schema);  }; -is ($object, undef, 'Wallet::Object::Duo::RDP new with no config failed'); +is ($object, undef, 'Wallet::Object::Duo new with no config failed');  is ($@, "duo object implementation not configured\n", '...with correct error');  $object = eval { -    Wallet::Object::Duo::RDP->create ('duo-rdp', 'test', $schema, @trace); +    Wallet::Object::Duo->create ('duo-rdp', 'test', $schema, @trace);  }; -is ($object, undef, 'Wallet::Object::Duo::RDP creation with no config failed'); +is ($object, undef, 'Wallet::Object::Duo creation with no config failed');  is ($@, "duo object implementation not configured\n", '...with correct error');  # Set up the Duo configuration. @@ -82,9 +82,8 @@ $mock->expect (          response_file => 't/data/duo/integration-rdp.json',      }  ); -$object = Wallet::Object::Duo::RDP->create ('duo-rdp', 'test', $schema, -                                            @trace); -isa_ok ($object, 'Wallet::Object::Duo::RDP'); +$object = Wallet::Object::Duo->create ('duo-rdp', 'test', $schema, @trace); +isa_ok ($object, 'Wallet::Object::Duo');  # Check the metadata about the new wallet object.  $expected = <<"EOO"; @@ -125,7 +124,7 @@ is ($object->flag_clear ('locked', @trace), 1,      '...and clearing locked flag works');  # Create a new object by wallet type and name. -$object = Wallet::Object::Duo::RDP->new ('duo-rdp', 'test', $schema); +$object = Wallet::Object::Duo->new ('duo-rdp', 'test', $schema);  # Test deleting an integration.  We can't test this entirely properly because  # currently Net::Duo::Mock::Agent doesn't support stacking multiple expected @@ -142,8 +141,7 @@ TODO: {      local $TODO = 'Net::Duo::Mock::Agent not yet capable';      is ($object->destroy (@trace), 1, 'Duo object deletion succeeded'); -    $object = eval { Wallet::Object::Duo::RDP->new ('duo-rdp', 'test', -                                                    $schema) }; +    $object = eval { Wallet::Object::Duo->new ('duo-rdp', 'test', $schema) };      is ($object, undef, '...and now object cannot be retrieved');      is ($@, "cannot find duo:test\n", '...with correct error');  } diff --git a/perl/t/object/keytab.t b/perl/t/object/keytab.t index 69db438..111b7d0 100755 --- a/perl/t/object/keytab.t +++ b/perl/t/object/keytab.t @@ -12,7 +12,7 @@ use strict;  use warnings;  use POSIX qw(strftime); -use Test::More tests => 141; +use Test::More tests => 142;  BEGIN { $Wallet::Config::KEYTAB_TMP = '.' } @@ -25,15 +25,28 @@ use Wallet::Object::Keytab;  use lib 't/lib';  use Util; -# Mapping of klist -ke encryption type names to the strings that Kerberos uses -# internally.  It's very annoying to have to maintain this, and it probably -# breaks with Heimdal. +# Mapping of klist -ke output from old MIT Kerberos implementations to to the +# strings that Kerberos uses internally.  It's very annoying to have to +# maintain this, and it probably breaks with Heimdal. +# +# Newer versions of MIT Kerberos just print out the canonical enctype names +# and don't need this logic, but the current test requires that they still +# have entries.  That's why the second set where the key and value are the +# same.  my %enctype =      ('triple des cbc mode with hmac/sha1'      => 'des3-cbc-sha1',       'des cbc mode with crc-32'                => 'des-cbc-crc',       'des cbc mode with rsa-md5'               => 'des-cbc-md5', +     'aes-128 cts mode with 96-bit sha-1 hmac' => 'aes128-cts-hmac-sha1-96',       'aes-256 cts mode with 96-bit sha-1 hmac' => 'aes256-cts-hmac-sha1-96', -     'arcfour with hmac/md5'                   => 'rc4-hmac'); +     'arcfour with hmac/md5'                   => 'rc4-hmac', + +     'des3-cbc-sha1'                           => 'des3-cbc-sha1', +     'des-cbc-crc'                             => 'des-cbc-crc', +     'des-cbc-md5'                             => 'des-cbc-md5', +     'aes128-cts-hmac-sha1-96'                 => 'aes128-cts-hmac-sha1-96', +     'aes256-cts-hmac-sha1-96'                 => 'aes256-cts-hmac-sha1-96', +     'rc4-hmac'                                => 'rc4-hmac');  # Some global defaults to use.  my $user = 'admin@EXAMPLE.COM'; @@ -159,7 +172,7 @@ my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]);  # Basic keytab creation and manipulation tests.  SKIP: { -    skip 'no keytab configuration', 52 unless -f 't/data/test.keytab'; +    skip 'no keytab configuration', 53 unless -f 't/data/test.keytab';      # Set up our configuration.      $Wallet::Config::KEYTAB_FILE      = 't/data/test.keytab'; @@ -296,6 +309,7 @@ EOO                                          @trace)        };      ok (defined ($object), 'Creating good principal succeeds'); +    is ($@, '', ' with no error');      ok (created ('wallet/one'), ' and the principal was created');    SKIP: {          skip 'no kadmin program test for Heimdal', 2 diff --git a/perl/t/object/password.t b/perl/t/object/password.t new file mode 100644 index 0000000..306d82b --- /dev/null +++ b/perl/t/object/password.t @@ -0,0 +1,125 @@ +#!/usr/bin/perl +# +# Tests for the password object implementation.  Only includes tests that are +# basic or different from the file object implementation. +# +# Written by Jon Robertson <jonrober@stanford.edu> +# Copyright 2015 +#     The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +use strict; +use warnings; + +use POSIX qw(strftime); +use Test::More tests => 33; + +use Wallet::Admin; +use Wallet::Config; +use Wallet::Object::Password; + +use lib 't/lib'; +use Util; + +# Some global defaults to use. +my $user = 'admin@EXAMPLE.COM'; +my $host = 'localhost'; +my @trace = ($user, $host, time); + +# Flush all output immediately. +$| = 1; + +# Use Wallet::Admin to set up the database. +system ('rm -rf test-files') == 0 or die "cannot remove test-files\n"; +db_setup; +my $admin = eval { Wallet::Admin->new }; +is ($@, '', 'Database connection succeeded'); +is ($admin->reinitialize ($user), 1, 'Database initialization succeeded'); +my $schema = $admin->schema; + +# Use this to accumulate the history traces so that we can check history. +my $history = ''; +my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]); + +$Wallet::Config::PWD_FILE_BUCKET = undef; + +# Test error handling in the absence of configuration. +my $object = eval { +    Wallet::Object::Password->create ('password', 'test', $schema, @trace) +  }; +ok (defined ($object), 'Creating a basic password object succeeds'); +ok ($object->isa ('Wallet::Object::Password'), ' and is the right class'); +is ($object->get (@trace), undef, ' and get fails'); +is ($object->error, 'password support not configured', +    ' with the right error'); +is ($object->store (@trace), undef, ' and store fails'); +is ($object->error, 'password support not configured', +    ' with the right error'); +is ($object->destroy (@trace), 1, ' but destroy succeeds'); + +# Set up our configuration. +mkdir 'test-files' or die "cannot create test-files: $!\n"; +$Wallet::Config::PWD_FILE_BUCKET = 'test-files'; +$Wallet::Config::PWD_LENGTH_MIN = 10; +$Wallet::Config::PWD_LENGTH_MAX = 10; + +# Okay, now we can test.  First, the basic object without store. +$object = eval { +    Wallet::Object::Password->create ('password', 'test', $schema, @trace) +  }; +ok (defined ($object), 'Creating a basic password object succeeds'); +ok ($object->isa ('Wallet::Object::Password'), ' and is the right class'); +my $pwd = $object->get (@trace); +like ($pwd, qr{^.{$Wallet::Config::PWD_LENGTH_MIN}$}, +      ' and get creates a random password string of the right length'); +ok (-d 'test-files/09', ' and the hash bucket was created'); +ok (-f 'test-files/09/test', ' and the file exists'); +is (contents ('test-files/09/test'), $pwd, ' with the right contents'); +my $pwd2 = $object->get (@trace); +is ($pwd, $pwd2, ' and getting again gives the same string'); +is ($object->destroy (@trace), 1, ' and destroying the object succeeds'); + +# Now check to see if the password length is adjusted. +$Wallet::Config::PWD_LENGTH_MIN = 20; +$Wallet::Config::PWD_LENGTH_MAX = 20; +$object = eval { +    Wallet::Object::Password->create ('password', 'test', $schema, @trace) +  }; +ok (defined ($object), 'Recreating the object succeeds'); +$pwd = $object->get (@trace); +like ($pwd, qr{^.{$Wallet::Config::PWD_LENGTH_MIN}$}, +      ' and get creates a random password string of a longer length'); +is ($object->destroy (@trace), 1, ' and destroying the object succeeds'); + +# Now store something and be sure that we get something reasonable. +$object = eval { +    Wallet::Object::Password->create ('password', 'test', $schema, @trace) +  }; +ok (defined ($object), 'Recreating the object succeeds'); +is ($object->store ("foo\n", @trace), 1, ' and storing data in it succeeds'); +ok (-f 'test-files/09/test', ' and the file exists'); +is (contents ('test-files/09/test'), 'foo', ' with the right contents'); +is ($object->get (@trace), "foo\n", ' and get returns correctly'); +unlink 'test-files/09/test'; +is ($object->get (@trace), undef, +    ' and get will not autocreate a password if there used to be data'); +is ($object->error, 'cannot get password:test: object has not been stored', +    ' as if it had not been stored'); +is ($object->store ("bar\n\0baz\n", @trace), 1, ' but storing again works'); +ok (-f 'test-files/09/test', ' and the file exists'); +is (contents ('test-files/09/test'), 'bar', ' with the right contents'); +is ($object->get (@trace), "bar\n\0baz\n", ' and get returns correctly'); + +# And check to make sure update changes the contents. +$pwd = $object->update (@trace); +isnt ($pwd, "bar\n\0baz\n", 'Update changes the contents'); +like ($pwd, qr{^.{$Wallet::Config::PWD_LENGTH_MIN}$}, +      ' to a random password string of the right length'); + +# Clean up. +$admin->destroy; +END { +    system ('rm -r test-files') == 0 or die "cannot remove test-files\n"; +    unlink ('wallet-db'); +} diff --git a/perl/t/policy/stanford.t b/perl/t/policy/stanford.t index 555086c..d2727c8 100755 --- a/perl/t/policy/stanford.t +++ b/perl/t/policy/stanford.t @@ -16,7 +16,7 @@ use 5.008;  use strict;  use warnings; -use Test::More tests => 101; +use Test::More tests => 130;  use lib 't/lib';  use Util; @@ -24,10 +24,16 @@ use Util;  # Load the naming policy module.  BEGIN {      use_ok('Wallet::Admin'); -    use_ok('Wallet::Policy::Stanford', qw(default_owner verify_name)); +    use_ok('Wallet::Policy::Stanford', +           qw(default_owner verify_name is_for_host));      use_ok('Wallet::Server');  } +# Set up our configuration for netdb, needed for the netdb verifier. +$Wallet::Config::NETDB_REALM        = 'stanford.edu'; +$Wallet::Config::NETDB_REMCTL_CACHE = $ENV{KRB5CCNAME}; +$Wallet::Config::NETDB_REMCTL_HOST  = 'netdb-node-roles-rc.stanford.edu'; +  # Various valid keytab names.  my @VALID_KEYTABS = qw(host/example.stanford.edu HTTP/example.stanford.edu      service/example example/cgi class-example01/cgi dept-01example/cgi @@ -101,160 +107,209 @@ for my $name (@INVALID_FILES) {      isnt(verify_name('file', $name), undef, "Invalid file $name");  } -# Now we need an actual database.  Use Wallet::Admin to set it up. -db_setup; -my $setup = eval { Wallet::Admin->new }; -is($@, q{}, 'Database initialization did not die'); -is($setup->reinitialize($ADMIN), 1, 'Database initialization succeeded'); -my $server = eval { Wallet::Server->new(@TRACE) }; -is($@, q{}, 'Server creation did not die'); +# Now test a few cases for checking to see if a file is host-based.  We don't +# test the legacy examples because they're more complicated and less obvious. +for my $name (@VALID_KEYTABS) { +    my $hostname = 'example.stanford.edu'; +    if ($name =~ m{\b$hostname\b}) { +        is(is_for_host('keytab', $name, $hostname), 1, +           "Keytab $name belongs to $hostname"); +    } else { +        is(is_for_host('keytab', $name, $hostname), 0, +           "Keytab $name doesn't belong to $hostname"); +    } +} +for my $name (@VALID_FILES) { +    my $hostname = 'example.stanford.edu'; +    if ($name =~ m{\b$hostname\b}) { +        is(is_for_host('file', $name, $hostname), 1, +           "File $name belongs to $hostname"); +    } else { +        is(is_for_host('file', $name, $hostname), 0, +           "File $name doesn't belong to $hostname"); +    } +} -# Create a host/example.stanford.edu ACL that uses the netdb ACL type. -is($server->acl_create('host/example.stanford.edu'), 1, 'Created netdb ACL'); -is( -    $server->acl_add('host/example.stanford.edu', 'netdb', -      'example.stanford.edu'), -    1, -    '...with netdb ACL line' -); -is( -    $server->acl_add('host/example.stanford.edu', 'krb5', -      'host/example.stanford.edu@stanford.edu'), -    1, -    '...and krb5 ACL line' -); +# Now we need an actual database.  Use Wallet::Admin to set it up.  These +# remaining tests require creating NetDB ACLs, so need a Stanford Kerberos +# principal currently. +my $klist = `klist 2>&1` || ''; +SKIP: { +    skip "tests useful only with Stanford Kerberos tickets", 27 +        unless ($klist =~ /^(Default p|\s+P)rincipal: \S+\@stanford\.edu$/m); -# Likewise for host/foo.example.edu with the netdb-root ACL type. -is($server->acl_create('host/foo.stanford.edu'), 1, 'Created netdb-root ACL'); -is( -    $server->acl_add('host/foo.stanford.edu', 'netdb-root', -      'foo.stanford.edu'), -    1, -    '...with netdb-root ACL line' -); -is( -    $server->acl_add('host/foo.stanford.edu', 'krb5', -      'host/foo.stanford.edu@stanford.edu'), -    1, -    '...and krb5 ACL line' -); +    db_setup; +    my $setup = eval { Wallet::Admin->new }; +    is($@, q{}, 'Database initialization did not die'); +    is($setup->reinitialize($ADMIN), 1, 'Database initialization succeeded'); +    my $server = eval { Wallet::Server->new(@TRACE) }; +    is($@, q{}, 'Server creation did not die'); -# Create a group/its-idg ACL, which will be used for autocreation of file -# objects. -is($server->acl_create('group/its-idg'), 1, 'Created group/its-idg ACL'); -is($server->acl_add('group/its-idg', 'krb5', $ADMIN), 1, '...with member'); +    # Create a host/example.stanford.edu ACL that uses the netdb ACL type. +    is( +        $server->acl_create('host/example.stanford.edu'), +        1, +        'Created netdb ACL' +    ); +    is($server->error, undef, ' with no error'); +    is( +        $server->acl_add('host/example.stanford.edu', 'netdb', +                         'example.stanford.edu'), +        1, +        '...with netdb ACL line' +    ); +    is($server->error, undef, ' with no error'); +    is( +        $server->acl_add('host/example.stanford.edu', 'krb5', +                         'host/example.stanford.edu@stanford.edu'), +        1, +        '...and krb5 ACL line' +    ); +    is($server->error, undef, ' with no error'); -# Now we can test default ACLs.  First, without a root instance. -local $ENV{REMOTE_USER} = $ADMIN; -is_deeply( -    [default_owner('keytab', 'host/bar.stanford.edu')], -    [ -        'host/bar.stanford.edu', -        ['netdb', 'bar.stanford.edu'], -        ['krb5', 'host/bar.stanford.edu@stanford.edu'] -    ], -    'Correct default owner for host-based keytab' -); -is_deeply( -    [default_owner('keytab', 'HTTP/example.stanford.edu')], -    [ -        'host/example.stanford.edu', -        ['netdb', 'example.stanford.edu'], -        ['krb5', 'host/example.stanford.edu@stanford.edu'] -    ], -    '...and when netdb ACL already exists' -); -is_deeply( -    [default_owner('keytab', 'webauth/foo.stanford.edu')], -    [ -        'host/foo.stanford.edu', -        ['netdb-root', 'foo.stanford.edu'], -        ['krb5', 'host/foo.stanford.edu@stanford.edu'] -    ], -    '...and when netdb-root ACL already exists' -); +    # Likewise for host/foo.example.edu with the netdb-root ACL type. +    is( +        $server->acl_create('host/foo.stanford.edu'), +        1, +        'Created netdb-root ACL' +    ); +    is( +        $server->acl_add('host/foo.stanford.edu', 'netdb-root', +                         'foo.stanford.edu'), +        1, +        '...with netdb-root ACL line' +    ); +    is( +        $server->acl_add('host/foo.stanford.edu', 'krb5', +                         'host/foo.stanford.edu@stanford.edu'), +        1, +        '...and krb5 ACL line' +    ); -# Now with a root instance. -local $ENV{REMOTE_USER} = 'admin/root@stanford.edu'; -is_deeply( -    [default_owner('keytab', 'host/bar.stanford.edu')], -    [ -        'host/bar.stanford.edu', -        ['netdb-root', 'bar.stanford.edu'], -        ['krb5', 'host/bar.stanford.edu@stanford.edu'] -    ], -    'Correct default owner for host-based keytab for /root' -); -is_deeply( -    [default_owner('keytab', 'HTTP/example.stanford.edu')], -    [ -        'host/example.stanford.edu', -        ['netdb-root', 'example.stanford.edu'], -        ['krb5', 'host/example.stanford.edu@stanford.edu'] -    ], -    '...and when netdb ACL already exists' -); -is_deeply( -    [default_owner('keytab', 'webauth/foo.stanford.edu')], -    [ -        'host/foo.stanford.edu', -        ['netdb-root', 'foo.stanford.edu'], -        ['krb5', 'host/foo.stanford.edu@stanford.edu'] -    ], -    '...and when netdb-root ACL already exists' -); +    # Create a group/its-idg ACL, which will be used for autocreation of file +    # objects. +    is($server->acl_create('group/its-idg'), 1, 'Created group/its-idg ACL'); +    is($server->acl_add('group/its-idg', 'krb5', $ADMIN), 1, '...with member'); -# Check for a type that isn't host-based. -is(default_owner('keytab', 'service/foo'), undef, -    'No default owner for service/foo'); +    # Now we can test default ACLs.  First, without a root instance. +    local $ENV{REMOTE_USER} = $ADMIN; +    is_deeply( +        [default_owner('keytab', 'host/bar.stanford.edu')], +        [ +            'host/bar.stanford.edu', +            ['netdb', 'bar.stanford.edu'], +            ['krb5', 'host/bar.stanford.edu@stanford.edu'] +        ], +        'Correct default owner for host-based keytab' +    ); +    is_deeply( +        [default_owner('keytab', 'HTTP/example.stanford.edu')], +        [ +            'host/example.stanford.edu', +            ['netdb', 'example.stanford.edu'], +            ['krb5', 'host/example.stanford.edu@stanford.edu'] +        ], +        '...and when netdb ACL already exists' +    ); +    is_deeply( +        [default_owner('keytab', 'webauth/foo.stanford.edu')], +        [ +            'host/foo.stanford.edu', +            ['netdb-root', 'foo.stanford.edu'], +            ['krb5', 'host/foo.stanford.edu@stanford.edu'] +        ], +        '...and when netdb-root ACL already exists' +    ); -# Check for an unknown object type. -is(default_owner('unknown', 'foo'), undef, -    'No default owner for unknown type'); +    # Now with a root instance. +    local $ENV{REMOTE_USER} = 'admin/root@stanford.edu'; +    is_deeply( +        [default_owner('keytab', 'host/bar.stanford.edu')], +        [ +            'host/bar.stanford.edu', +            ['netdb-root', 'bar.stanford.edu'], +            ['krb5', 'host/bar.stanford.edu@stanford.edu'] +        ], +        'Correct default owner for host-based keytab for /root' +    ); +    is_deeply( +        [default_owner('keytab', 'HTTP/example.stanford.edu')], +        [ +            'host/example.stanford.edu', +            ['netdb-root', 'example.stanford.edu'], +            ['krb5', 'host/example.stanford.edu@stanford.edu'] +        ], +        '...and when netdb ACL already exists' +    ); +    is_deeply( +        [default_owner('keytab', 'webauth/foo.stanford.edu')], +        [ +            'host/foo.stanford.edu', +            ['netdb-root', 'foo.stanford.edu'], +            ['krb5', 'host/foo.stanford.edu@stanford.edu'] +        ], +        '...and when netdb-root ACL already exists' +    ); -# Check for autocreation mappings for host-based file objects. -is_deeply( -    [default_owner('file', 'ssl-key/example.stanford.edu')], -    [ -        'host/example.stanford.edu', -        ['netdb-root', 'example.stanford.edu'], -        ['krb5', 'host/example.stanford.edu@stanford.edu'] -    ], -    'Default owner for file ssl-key/example.stanford.edu', -); -is_deeply( -    [default_owner('file', 'ssl-key/example.stanford.edu/mysql')], -    [ -        'host/example.stanford.edu', -        ['netdb-root', 'example.stanford.edu'], -        ['krb5', 'host/example.stanford.edu@stanford.edu'] -    ], -    'Default owner for file ssl-key/example.stanford.edu/mysql', -); +    # Check for a type that isn't host-based. +    is( +        default_owner('keytab', 'service/foo'), +        undef, +        'No default owner for service/foo' +    ); -# Check for a file object that isn't host-based. -is_deeply( -    [default_owner('file', 'config/its-idg/example/foo')], -    ['group/its-idg', ['krb5', $ADMIN]], -    'Default owner for file config/its-idg/example/foo', -); +    # Check for an unknown object type. +    is( +        default_owner('unknown', 'foo'), +        undef, +        'No default owner for unknown type' +    ); -# Check for legacy autocreation mappings for file objects. -for my $type (qw(htpasswd ssh-rsa ssh-dsa ssl-key tivoli-key)) { -    my $name = "idg-example-$type"; +    # Check for autocreation mappings for host-based file objects.      is_deeply( -        [default_owner('file', $name)], +        [default_owner('file', 'ssl-key/example.stanford.edu')],          [              'host/example.stanford.edu',              ['netdb-root', 'example.stanford.edu'],              ['krb5', 'host/example.stanford.edu@stanford.edu']          ], -        "Default owner for file $name", +        'Default owner for file ssl-key/example.stanford.edu',      ); +    is_deeply( +        [default_owner('file', 'ssl-key/example.stanford.edu/mysql')], +        [ +            'host/example.stanford.edu', +            ['netdb-root', 'example.stanford.edu'], +            ['krb5', 'host/example.stanford.edu@stanford.edu'] +        ], +        'Default owner for file ssl-key/example.stanford.edu/mysql', +    ); + +    # Check for a file object that isn't host-based. +    is_deeply( +        [default_owner('file', 'config/its-idg/example/foo')], +        ['group/its-idg', ['krb5', $ADMIN]], +        'Default owner for file config/its-idg/example/foo', +    ); + +    # Check for legacy autocreation mappings for file objects. +    for my $type (qw(htpasswd ssh-rsa ssh-dsa ssl-key tivoli-key)) { +        my $name = "idg-example-$type"; +        is_deeply( +            [default_owner('file', $name)], +            [ +                'host/example.stanford.edu', +                ['netdb-root', 'example.stanford.edu'], +                ['krb5', 'host/example.stanford.edu@stanford.edu'] +            ], +            "Default owner for file $name", +        ); +    } + +    # Clean up. +    $setup->destroy;  } -# Clean up. -$setup->destroy;  END {      unlink 'wallet-db';  } diff --git a/perl/t/verifier/external.t b/perl/t/verifier/external.t new file mode 100755 index 0000000..d1438de --- /dev/null +++ b/perl/t/verifier/external.t @@ -0,0 +1,35 @@ +#!/usr/bin/perl +# +# Tests for the external wallet ACL verifier. +# +# Written by Russ Allbery <eagle@eyrie.org> +# Copyright 2016 Russ Allbery <eagle@eyrie.org> +# +# See LICENSE for licensing terms. + +use strict; +use warnings; + +use Test::More tests => 9; + +use Wallet::ACL::External; +use Wallet::Config; + +# Configure the external ACL verifier. +$Wallet::Config::EXTERNAL_COMMAND = 't/data/acl-command'; + +# Check a few verifications. +my $verifier = Wallet::ACL::External->new; +ok (defined $verifier, 'Wallet::ACL::External creation'); +ok ($verifier->isa ('Wallet::ACL::External'), ' and class verification'); +is ($verifier->check ('eagle@eyrie.org', 'test success', 'file', 'test'), +    1, 'Success'); +is ($verifier->check ('eagle@eyrie.org', 'test failure', 'file', 'test'), +    0, 'Failure'); +is ($verifier->error, undef, 'No error set'); +is ($verifier->check ('eagle@eyrie.org', 'test error', 'file', 'test'), +    undef, 'Error'); +is ($verifier->error, 'some error', ' and right error'); +is ($verifier->check (undef, 'eagle@eyrie.org', 'file', 'test'), undef, +    'Undefined principal'); +is ($verifier->error, 'no principal specified', ' and right error'); diff --git a/perl/t/verifier/ldap-attr.t b/perl/t/verifier/ldap-attr.t index 3c132e2..cff3b63 100755 --- a/perl/t/verifier/ldap-attr.t +++ b/perl/t/verifier/ldap-attr.t @@ -24,16 +24,18 @@ plan skip_all => 'LDAP verifier tests only run for maintainer'      unless $ENV{RRA_MAINTAINER_TESTS};  # Declare a plan. -plan tests => 10; +plan tests => 22;  require_ok ('Wallet::ACL::LDAP::Attribute'); +require_ok ('Wallet::ACL::LDAP::Attribute::Root'); -my $host   = 'ldap.stanford.edu'; -my $base   = 'cn=people,dc=stanford,dc=edu'; -my $filter = 'uid'; -my $user   = 'rra@stanford.edu'; -my $attr   = 'suPrivilegeGroup'; -my $value  = 'stanford:stanford'; +my $host     = 'ldap.stanford.edu'; +my $base     = 'cn=people,dc=stanford,dc=edu'; +my $filter   = 'uid'; +my $user     = 'jonrober@stanford.edu'; +my $rootuser = 'jonrober/root@stanford.edu'; +my $attr     = 'suPrivilegeGroup'; +my $value    = 'stanford:stanford';  # Remove the realm from principal names.  package Wallet::Config; @@ -68,7 +70,28 @@ SKIP: {      is ($verifier->check ($user, "BOGUS=$value"), undef,          "Checking BOGUS=$value fails with error");      is ($verifier->error, -        'cannot check LDAP attribute BOGUS for rra: Undefined attribute type', +        'cannot check LDAP attribute BOGUS for jonrober: Undefined attribute type', +        '...with correct error'); +    is ($verifier->check ('user-does-not-exist', "$attr=$value"), 0, +        "Checking for nonexistent user fails"); +    is ($verifier->error, undef, '...with no error'); + +    # Then also test the root version. +    $verifier = eval { Wallet::ACL::LDAP::Attribute::Root->new }; +    isa_ok ($verifier, 'Wallet::ACL::LDAP::Attribute::Root'); +    is ($verifier->check ($user, "$attr=$value"), 0, +        "Checking as a non /root user fails"); +    is ($verifier->error, undef, '...with no error'); +    is ($verifier->check ($rootuser, "$attr=$value"), 1, +        "Checking $attr=$value succeeds"); +    is ($verifier->error, undef, '...with no error'); +    is ($verifier->check ($rootuser, "$attr=BOGUS"), 0, +        "Checking $attr=BOGUS fails"); +    is ($verifier->error, undef, '...with no error'); +    is ($verifier->check ($rootuser, "BOGUS=$value"), undef, +        "Checking BOGUS=$value fails with error"); +    is ($verifier->error, +        'cannot check LDAP attribute BOGUS for jonrober: Undefined attribute type',          '...with correct error');      is ($verifier->check ('user-does-not-exist', "$attr=$value"), 0,          "Checking for nonexistent user fails"); diff --git a/perl/t/verifier/nested.t b/perl/t/verifier/nested.t new file mode 100755 index 0000000..ec7ce40 --- /dev/null +++ b/perl/t/verifier/nested.t @@ -0,0 +1,84 @@ +#!/usr/bin/perl +# +# Tests for the wallet ACL nested verifier. +# +# Written by Jon Robertson <jonrober@stanford.edu> +# Copyright 2015 +#     The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +use strict; +use warnings; + +use Test::More tests => 22; + +use Wallet::ACL::Base; +use Wallet::ACL::Nested; +use Wallet::Admin; +use Wallet::Config; + +use lib 't/lib'; +use Util; + +# Some global defaults to use. +my $admin = 'admin@EXAMPLE.COM'; +my $user1 = 'alice@EXAMPLE.COM'; +my $user2 = 'bob@EXAMPLE.COM'; +my $user3 = 'jack@EXAMPLE.COM'; +my $host = 'localhost'; +my @trace = ($admin, $host, time); + +# Use Wallet::Admin to set up the database. +db_setup; +my $setup = eval { Wallet::Admin->new }; +is ($@, '', 'Database connection succeeded'); +is ($setup->reinitialize ($setup), 1, 'Database initialization succeeded'); +my $schema = $setup->schema; + +# Create a few ACLs for later testing. +my $acl = eval { Wallet::ACL->create ('test', $schema, @trace) }; +ok (defined ($acl), 'ACL creation'); +my $acl_nesting = eval { Wallet::ACL->create ('nesting', $schema, @trace) }; +ok (defined ($acl), ' and another'); +my $acl_deep = eval { Wallet::ACL->create ('deepnesting', $schema, @trace) }; +ok (defined ($acl), ' and another'); + +# Create an verifier to make sure that works +my $verifier = Wallet::ACL::Nested->new ('test', $schema); +ok (defined $verifier, 'Wallet::ACL::Nested creation'); +ok ($verifier->isa ('Wallet::ACL::Nested'), ' and class verification'); +is ($verifier->syntax_check ('notcreated'), 0, +    ' and it rejects a nested name that is not already an ACL'); +is ($verifier->syntax_check ('test'), 1, +    ' and accepts one that already exists'); + +# Add a few entries to one ACL and then see if they validate. +ok ($acl->add ('krb5', $user1, @trace), 'Added test scheme'); +ok ($acl->add ('krb5', $user2, @trace), ' and another'); +ok ($acl_nesting->add ('nested', 'test', @trace), ' and then nested it'); +ok ($acl_nesting->add ('krb5', $user3, @trace), +    ' and added a non-nesting user'); +is ($acl_nesting->check ($user1), 1, ' so check of nested succeeds'); +is ($acl_nesting->check ($user3), 1, ' so check of non-nested succeeds'); +is (scalar ($acl_nesting->list), 2, +    ' and the acl has the right number of items'); + +# Add a recursive nesting to make sure it doesn't send us into loop. +ok ($acl_deep->add ('nested', 'test', @trace), +    'Adding deep nesting for one nest succeeds'); +ok ($acl_deep->add ('nested', 'nesting', @trace), ' and another'); +ok ($acl_deep->add ('krb5', $user3, @trace), +    ' and added a non-nesting user'); +is ($acl_deep->check ($user1), 1, ' so check of nested succeeds'); +is ($acl_deep->check ($user3), 1, ' so check of non-nested succeeds'); + +# Test getting an error in adding an invalid group to an ACL object itself. +isnt ($acl->add ('nested', 'doesnotexist', @trace), 1, +      'Adding bad nested acl fails'); + +# Clean up. +$setup->destroy; +END { +    unlink 'wallet-db'; +} | 
