4 files changed, 96 insertions, 6 deletions

diff --git a/perl/t/data/acl-command b/perl/t/data/acl-command
new file mode 100755
index 0000000..e368118
--- /dev/null
+++ b/perl/t/data/acl-command
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# An external ACL implementation.  Checks that the first argument is
+# eagle@eyrie.org, the second argument is "test", and then returns success,
+# failure, or reports an error based on whether the second argument is
+# success, failure, or error.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2016 Russ Allbery <eagle@eyrie.org>
+#
+# See LICENSE for licensing terms.
+
+set -e
+
+# Check the initial principal argument.
+if [ "$1" != 'eagle@eyrie.org' ]; then
+    echo 'incorrect principal' >&2
+    exit 1
+fi
+
+# Check that the second argument is test.
+if [ "$2" != 'test' ]; then
+    echo 'incorrect second argument' >&2
+    exit 1
+fi
+
+# Process the third argument.
+case $3 in
+    success)
+        exit 0
+        ;;
+    failure)
+        exit 1
+        ;;
+    error)
+        echo 'some error' >&2
+        exit 1
+        ;;
+    *)
+        echo 'unknown third argument' >&2
+        exit 1
+        ;;
+esac
diff --git a/perl/t/object/keytab.t b/perl/t/object/keytab.t
index 69db438..111b7d0 100755
--- a/perl/t/object/keytab.t
+++ b/perl/t/object/keytab.t
@@ -12,7 +12,7 @@ use strict;
 use warnings;
 
 use POSIX qw(strftime);
-use Test::More tests => 141;
+use Test::More tests => 142;
 
 BEGIN { $Wallet::Config::KEYTAB_TMP = '.' }
 
@@ -25,15 +25,28 @@ use Wallet::Object::Keytab;
 use lib 't/lib';
 use Util;
 
-# Mapping of klist -ke encryption type names to the strings that Kerberos uses
-# internally.  It's very annoying to have to maintain this, and it probably
-# breaks with Heimdal.
+# Mapping of klist -ke output from old MIT Kerberos implementations to to the
+# strings that Kerberos uses internally.  It's very annoying to have to
+# maintain this, and it probably breaks with Heimdal.
+#
+# Newer versions of MIT Kerberos just print out the canonical enctype names
+# and don't need this logic, but the current test requires that they still
+# have entries.  That's why the second set where the key and value are the
+# same.
 my %enctype =
     ('triple des cbc mode with hmac/sha1'      => 'des3-cbc-sha1',
      'des cbc mode with crc-32'                => 'des-cbc-crc',
      'des cbc mode with rsa-md5'               => 'des-cbc-md5',
+     'aes-128 cts mode with 96-bit sha-1 hmac' => 'aes128-cts-hmac-sha1-96',
      'aes-256 cts mode with 96-bit sha-1 hmac' => 'aes256-cts-hmac-sha1-96',
-     'arcfour with hmac/md5'                   => 'rc4-hmac');
+     'arcfour with hmac/md5'                   => 'rc4-hmac',
+
+     'des3-cbc-sha1'                           => 'des3-cbc-sha1',
+     'des-cbc-crc'                             => 'des-cbc-crc',
+     'des-cbc-md5'                             => 'des-cbc-md5',
+     'aes128-cts-hmac-sha1-96'                 => 'aes128-cts-hmac-sha1-96',
+     'aes256-cts-hmac-sha1-96'                 => 'aes256-cts-hmac-sha1-96',
+     'rc4-hmac'                                => 'rc4-hmac');
 
 # Some global defaults to use.
 my $user = 'admin@EXAMPLE.COM';
@@ -159,7 +172,7 @@ my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]);
 
 # Basic keytab creation and manipulation tests.
 SKIP: {
-    skip 'no keytab configuration', 52 unless -f 't/data/test.keytab';
+    skip 'no keytab configuration', 53 unless -f 't/data/test.keytab';
 
     # Set up our configuration.
     $Wallet::Config::KEYTAB_FILE      = 't/data/test.keytab';
@@ -296,6 +309,7 @@ EOO
                                         @trace)
       };
     ok (defined ($object), 'Creating good principal succeeds');
+    is ($@, '', ' with no error');
     ok (created ('wallet/one'), ' and the principal was created');
   SKIP: {
         skip 'no kadmin program test for Heimdal', 2
diff --git a/perl/t/object/password.t b/perl/t/object/password.t
index 4fe6b50..306d82b 100644
--- a/perl/t/object/password.t
+++ b/perl/t/object/password.t
@@ -120,5 +120,6 @@ like ($pwd, qr{^.{$Wallet::Config::PWD_LENGTH_MIN}$},
 # Clean up.
 $admin->destroy;
 END {
+    system ('rm -r test-files') == 0 or die "cannot remove test-files\n";
     unlink ('wallet-db');
 }
diff --git a/perl/t/verifier/external.t b/perl/t/verifier/external.t
new file mode 100755
index 0000000..3e7e776
--- /dev/null
+++ b/perl/t/verifier/external.t
@@ -0,0 +1,32 @@
+#!/usr/bin/perl
+#
+# Tests for the external wallet ACL verifier.
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2016 Russ Allbery <eagle@eyrie.org>
+#
+# See LICENSE for licensing terms.
+
+use strict;
+use warnings;
+
+use Test::More tests => 9;
+
+use Wallet::ACL::External;
+use Wallet::Config;
+
+# Configure the external ACL verifier.
+$Wallet::Config::EXTERNAL_COMMAND = 't/data/acl-command';
+
+# Check a few verifications.
+my $verifier = Wallet::ACL::External->new;
+ok (defined $verifier, 'Wallet::ACL::External creation');
+ok ($verifier->isa ('Wallet::ACL::External'), ' and class verification');
+is ($verifier->check ('eagle@eyrie.org', 'test success'), 1, 'Success');
+is ($verifier->check ('eagle@eyrie.org', 'test failure'), 0, 'Failure');
+is ($verifier->error, undef, 'No error set');
+is ($verifier->check ('eagle@eyrie.org', 'test error'), undef, 'Error');
+is ($verifier->error, 'some error', ' and right error');
+is ($verifier->check (undef, 'eagle@eyrie.org'), undef,
+    'Undefined principal');
+is ($verifier->error, 'no principal specified', ' and right error');