From 1575d5c34a2c6235bbf6a5010f8a8c142fe47079 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 11 Jul 2014 21:39:23 -0700 Subject: Switch to Module::Build for the Perl module The wallet server now requires Perl 5.8 or later (instead of 5.006 in previous versions) and is now built with Module::Build instead of ExtUtils::MakeMaker. This should be transparent to anyone not working with the source code, since Perl 5.8 was released in 2002, but Module::Build is now required to build the wallet server. It is included in some versions of Perl, or can be installed separately from CPAN, distribution packages, or other sources. Also reorganize the test suite to use subdirectories. Change-Id: Id06120ba2bad1ebbfee3d8a48ca2f25869463165 Reviewed-on: https://gerrit.stanford.edu/1530 Reviewed-by: Russ Allbery Tested-by: Russ Allbery --- perl/t/general/server.t | 1040 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1040 insertions(+) create mode 100755 perl/t/general/server.t (limited to 'perl/t/general/server.t') diff --git a/perl/t/general/server.t b/perl/t/general/server.t new file mode 100755 index 0000000..9026439 --- /dev/null +++ b/perl/t/general/server.t @@ -0,0 +1,1040 @@ +#!/usr/bin/perl -w +# +# Tests for the wallet server API. +# +# Written by Russ Allbery +# Copyright 2007, 2008, 2010, 2011, 2012, 2013, 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +use Test::More tests => 382; + +use POSIX qw(strftime); +use Wallet::Admin; +use Wallet::Config; +use Wallet::Schema; +use Wallet::Server; + +use lib 't/lib'; +use Util; + +# Some global defaults to use. +my $admin = 'admin@EXAMPLE.COM'; +my $user1 = 'alice@EXAMPLE.COM'; +my $user2 = 'bob@EXAMPLE.COM'; +my $host = 'localhost'; +my @trace = ($admin, $host); + +# Use Wallet::Admin to set up the database. +db_setup; +my $setup = eval { Wallet::Admin->new }; +is ($@, '', 'Database initialization did not die'); +is ($setup->reinitialize ($admin), 1, 'Database initialization succeeded'); + +# Now test the new method. +$server = eval { Wallet::Server->new (@trace) }; +is ($@, '', 'Reopening with new did not die'); +ok ($server->isa ('Wallet::Server'), ' and returned the right class'); +my $schema = $server->schema; +ok (defined ($schema), ' and returns a defined schema object'); + +# Allow creation of base objects for testing purposes. +$setup->register_object ('base', 'Wallet::Object::Base'); + +# We're currently running as the administrator, so everything should succeed. +# Set up a bunch of data for us to test with, starting with some ACLs. Test +# the error handling while we're at it. +is ($server->acl_show ('ADMIN'), + "Members of ACL ADMIN (id: 1) are:\n krb5 $admin\n", + 'Showing the ADMIN ACL works'); +is ($server->acl_show (1), + "Members of ACL ADMIN (id: 1) are:\n krb5 $admin\n", + ' including by number'); +my $history = <<"EOO"; +DATE create + by $admin from $host +DATE add krb5 $admin + by $admin from $host +EOO +my $result = $server->acl_history ('ADMIN'); +$result =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; +is ($result, $history, ' and displaying history works'); +$result = $server->acl_history (1); +$result =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; +is ($result, $history, ' including by number'); +is ($server->acl_create (3), undef, 'Cannot create ACL with a numeric name'); +is ($server->error, 'ACL name may not be all numbers', + ' and returns the right error'); +is ($server->acl_check ('user1'), 0, 'user1 ACL does not exist'); +is ($server->acl_create ('user1'), 1, 'Can create regular ACL'); +is ($server->acl_check ('user1'), 1, 'user1 now exists'); +is ($server->acl_show ('user1'), "Members of ACL user1 (id: 2) are:\n", + ' and show works'); +is ($server->acl_create ('user1'), undef, ' but not twice'); +like ($server->error, qr/^cannot create ACL user1: /, + ' and returns a good error'); +is ($server->acl_create ('ADMIN'), undef, ' and cannot create ADMIN'); +like ($server->error, qr/^cannot create ACL ADMIN: /, + ' and returns a good error'); +is ($server->acl_create ('user2'), 1, 'Create another ACL'); +is ($server->acl_create ('both'), 1, ' and one for both users'); +is ($server->acl_create ('test2'), 1, ' and an empty one'); +is ($server->acl_create ('test'), 1, ' and another test one'); +is ($server->acl_rename ('empty', 'test'), undef, + 'Cannot rename nonexistent ACL'); +is ($server->error, 'ACL empty not found', ' and returns the right error'); +is ($server->acl_rename ('test', 'test2'), undef, + ' and cannot rename to an existing name'); +like ($server->error, qr/^cannot rename ACL 6 to test2: /, + ' and returns the right error'); +is ($server->acl_rename ('test', 'empty'), 1, 'Renaming does work'); +is ($server->acl_rename ('test', 'empty'), undef, ' but not twice'); +is ($server->error, 'ACL test not found', ' and returns the right error'); +is ($server->acl_show ('test'), undef, ' and show fails'); +is ($server->error, 'ACL test not found', ' and returns the right error'); +is ($server->acl_history ('test'), undef, ' and history fails'); +is ($server->error, 'ACL test not found', ' and returns the right error'); +is ($server->acl_destroy ('test'), undef, 'Destroying the old name fails'); +is ($server->error, 'ACL test not found', ' and returns the right error'); +is ($server->acl_check ('test2'), 1, ' but the other ACL exists'); +is ($server->acl_destroy ('test2'), 1, ' and destroying it works'); +is ($server->acl_destroy ('test2'), undef, ' but not twice'); +is ($server->acl_check ('test2'), 0, ' and now it does not exist'); +is ($server->error, 'ACL test2 not found', ' and returns the right error'); +is ($server->acl_add ('user1', 'krb4', $user1), undef, + 'Adding with a bad scheme fails'); +is ($server->error, 'unknown ACL scheme krb4', ' with the right error'); +is ($server->acl_add ('user1', 'krb5', $user1), 1, + ' but works with the right scheme'); +is ($server->acl_add ('user2', 'krb5', $user2), 1, 'Add another entry'); +is ($server->acl_add ('both', 'krb5', $user1), 1, ' and another'); +is ($server->acl_add ('both', 'krb5', $user2), 1, + ' and another to the same ACL'); +is ($server->acl_show ('both'), + "Members of ACL both (id: 4) are:\n krb5 $user1\n krb5 $user2\n", + ' and show returns the correct result'); +$history = <<"EOO"; +DATE create + by $admin from $host +DATE add krb5 $user1 + by $admin from $host +DATE add krb5 $user2 + by $admin from $host +EOO +$result = $server->acl_history ('both'); +$result =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; +is ($result, $history, ' as does history'); +is ($server->acl_add ('empty', 'krb5', $user1), 1, ' and another to empty'); +is ($server->acl_add ('test', 'krb5', $user1), undef, + ' but adding to an unknown ACL fails'); +is ($server->error, 'ACL test not found', ' and returns the right error'); +is ($server->acl_remove ('test', 'krb5', $user1), undef, + 'Removing from a nonexistent ACL fails'); +is ($server->error, 'ACL test not found', ' and returns the right error'); +is ($server->acl_remove ('empty', 'krb5', $user2), undef, + ' and removing an entry not there fails'); +is ($server->error, + "cannot remove krb5:$user2 from 6: entry not found in ACL", + ' and returns the right error'); +is ($server->acl_show ('empty'), + "Members of ACL empty (id: 6) are:\n krb5 $user1\n", + ' and show returns the correct status'); +is ($server->acl_remove ('empty', 'krb5', $user1), 1, + ' but removing a good one works'); +is ($server->acl_remove ('empty', 'krb5', $user1), undef, + ' but does not work twice'); +is ($server->error, + "cannot remove krb5:$user1 from 6: entry not found in ACL", + ' and returns the right error'); +is ($server->acl_show ('empty'), "Members of ACL empty (id: 6) are:\n", + ' and show returns the correct status'); + +# Make sure we can't cripple the ADMIN ACL. +is ($server->acl_destroy ('ADMIN'), undef, 'Cannot destroy the ADMIN ACL'); +is ($server->error, 'cannot destroy the ADMIN ACL', ' with the right error'); +is ($server->acl_rename ('ADMIN', 'foo'), undef, ' or rename it'); +is ($server->error, 'cannot rename the ADMIN ACL', ' with the right error'); +is ($server->acl_remove ('ADMIN', 'krb5', $admin), undef, + ' or remove its last entry'); +is ($server->error, 'cannot remove last ADMIN ACL entry', + ' with the right error'); +is ($server->acl_add ('ADMIN', 'krb5', $user1), 1, + ' but we can add another entry'); +is ($server->acl_remove ('ADMIN', 'krb5', $user1), 1, ' and then remove it'); +is ($server->acl_remove ('ADMIN', 'krb5', $user1), undef, + ' and remove a user not on it'); +is ($server->error, + "cannot remove krb5:$user1 from 1: entry not found in ACL", + ' and get the right error'); + +# Now, create a few objects to use for testing and test the object API while +# we're at it. +is ($server->create ('base', 'service/admin'), 1, + 'Creating an object works'); +is ($server->create ('base', 'service/admin'), undef, ' but not twice'); +like ($server->error, qr{^cannot create object base:service/admin: }, + ' and returns the right error'); +is ($server->check ('base', 'service/admin'), 1, ' and check works'); +is ($server->create ('srvtab', 'service.admin'), undef, + 'Creating an unknown object fails'); +is ($server->error, 'unknown object type srvtab', ' with the right error'); +is ($server->check ('srvtab', 'service.admin'), undef, ' and check fails'); +is ($server->error, 'unknown object type srvtab', ' with the right error'); +is ($server->create ('', 'service.admin'), undef, + ' and likewise with an empty type'); +is ($server->error, 'unknown object type ', ' with the right error'); +is ($server->create ('base', 'service/user1'), 1, + ' but we can create a base object'); +is ($server->create ('base', 'service/user2'), 1, ' and another'); +is ($server->create ('base', 'service/both'), 1, ' and another'); +is ($server->create ('base', 'service/test'), 1, ' and another'); +is ($server->create ('base', ''), undef, ' but not with an empty name'); +is ($server->error, 'invalid object name', ' with the right error'); +is ($server->destroy ('base', 'service/none'), undef, + 'Destroying an unknown object fails'); +is ($server->error, 'cannot find base:service/none', ' with the right error'); +is ($server->destroy ('srvtab', 'service/test'), undef, + ' and destroying an unknown type fails'); +is ($server->error, 'unknown object type srvtab', ' with a different error'); +is ($server->destroy ('base', 'service/test'), 1, + ' but destroying a good object works'); +is ($server->check ('base', 'service/test'), 0, + ' and now check says it is not there'); +is ($server->destroy ('base', 'service/test'), undef, ' but not twice'); +is ($server->error, 'cannot find base:service/test', ' with the right error'); + +# Test manipulating comments. +is ($server->comment ('base', 'service/test'), undef, + 'Retrieving comment on an unknown object fails'); +is ($server->error, 'cannot find base:service/test', ' with the right error'); +is ($server->comment ('base', 'service/test', 'this is a comment'), undef, + ' and setting it also fails'); +is ($server->error, 'cannot find base:service/test', ' with the right error'); +is ($server->comment ('base', 'service/admin'), undef, + 'Retrieving comment for the right object returns undef'); +is ($server->error, undef, ' but there is no error'); +is ($server->comment ('base', 'service/admin', 'this is a comment'), 1, + ' and we can set it'); +is ($server->comment ('base', 'service/admin'), 'this is a comment', + ' and get the value back'); +is ($server->comment ('base', 'service/admin', ''), 1, ' and clear it'); +is ($server->comment ('base', 'service/admin'), undef, ' and now it is gone'); +is ($server->error, undef, ' and still no error'); + +# Test manipulating expires. +my $now = strftime ('%Y-%m-%d %T', localtime time); +is ($server->expires ('base', 'service/test'), undef, + 'Retrieving expires on an unknown object fails'); +is ($server->error, 'cannot find base:service/test', ' with the right error'); +is ($server->expires ('base', 'service/test', $now), undef, + ' and setting it also fails'); +is ($server->error, 'cannot find base:service/test', ' with the right error'); +is ($server->expires ('base', 'service/admin'), undef, + 'Retrieving expires for the right object returns undef'); +is ($server->error, undef, ' but there is no error'); +is ($server->expires ('base', 'service/admin', $now), 1, + ' and we can set it'); +is ($server->expires ('base', 'service/admin'), $now, + ' and get the value back'); +is ($server->expires ('base', 'service/admin', ''), 1, ' and clear it'); +is ($server->expires ('base', 'service/admin'), undef, ' and now it is gone'); +is ($server->error, undef, ' and still no error'); + +# Test attributes. +is ($server->attr ('base', 'service/admin', 'foo'), undef, + 'Getting an attribute fails'); +is ($server->error, 'unknown attribute foo', ' but called the method'); +is ($server->attr ('base', 'service/admin', 'foo', 'foo'), undef, + ' and setting an attribute fails'); +is ($server->error, 'unknown attribute foo', ' and called the method'); + +# Because we're admin, we should be able to show one of these objects, but we +# still shouldn't be able to get or store since there are no ACLs. +is ($server->show ('base', 'service/test'), undef, + 'Cannot show nonexistent object'); +is ($server->error, 'cannot find base:service/test', ' with the right error'); +my $show = $server->show ('base', 'service/admin'); +$show =~ s/(Created on:) [\d-]+ [\d:]+$/$1 0/; +my $expected = <<"EOO"; + Type: base + Name: service/admin + Created by: $admin + Created from: $host + Created on: 0 +EOO +is ($show, $expected, ' but showing an existing object works'); +is ($server->get ('base', 'service/admin'), undef, 'Getting an object fails'); +is ($server->error, "$admin not authorized to get base:service/admin", + ' with the right error'); +is ($server->store ('base', 'service/admin', 'stuff'), undef, + ' and storing the object also fails'); +is ($server->error, "$admin not authorized to store base:service/admin", + ' with the right error'); + +# Grant only the get ACL, which should give us partial permissions. +is ($server->acl ('base', 'service/test', 'get', 'ADMIN'), undef, + 'Setting ACL on unknown object fails'); +is ($server->error, 'cannot find base:service/test', ' with the right error'); +is ($server->acl ('base', 'service/admin', 'foo', 'ADMIN'), undef, + ' as does setting an unknown ACL'); +is ($server->error, 'invalid ACL type foo', ' with the right error'); +is ($server->acl ('base', 'service/admin', 'get', 'test2'), undef, + ' as does setting it to an unknown ACL'); +is ($server->error, 'ACL test2 not found', ' with the right error'); +is ($server->acl ('base', 'service/admin', 'get', 'ADMIN'), 1, + ' but setting the right ACL works'); +$result = eval { $server->get ('base', 'service/admin') }; +is ($result, undef, 'Get still fails'); +is ($@, "Do not instantiate Wallet::Object::Base directly\n", + ' but the method is called'); +is ($server->store ('base', 'service/admin', 'stuff'), undef, + ' and storing the object still fails'); +is ($server->error, "$admin not authorized to store base:service/admin", + ' with the right error'); +is ($server->acl ('base', 'service/admin', 'get', ''), 1, + 'Clearing the ACL works'); +is ($server->get ('base', 'service/admin'), undef, ' and now get fails'); +is ($server->error, "$admin not authorized to get base:service/admin", + ' with the right error'); +is ($server->acl ('base', 'service/admin', 'store', 'ADMIN'), 1, + 'Setting the store ACL works'); +is ($server->store ('base', 'service/admin', 'stuff'), undef, + ' and now store fails'); +is ($server->error, + "cannot store base:service/admin: object type is immutable", + ' with a different error message'); +is ($server->get ('base', 'service/admin'), undef, ' and get still fails'); +is ($server->error, "$admin not authorized to get base:service/admin", + ' with the right error'); +is ($server->acl ('base', 'service/admin', 'store', ''), 1, + 'Clearing the ACL works'); +is ($server->store ('base', 'service/admin', 'stuff'), undef, + ' and storing the object now fails'); +is ($server->error, "$admin not authorized to store base:service/admin", + ' with the right error'); + +# Test manipulating the owner. +is ($server->owner ('base', 'service/test'), undef, + 'Owner of nonexistent object fails'); +is ($server->error, 'cannot find base:service/test', ' with the right error'); +is ($server->owner ('base', 'service/test', 'ADMIN'), undef, + ' as does setting it'); +is ($server->error, 'cannot find base:service/test', ' with the right error'); +is ($server->owner ('base', 'service/admin'), undef, + 'Owner of existing object is also undef'); +is ($server->error, undef, ' but there is no error'); +is ($server->owner ('base', 'service/admin', 'test2'), undef, + 'Setting it to an unknown ACL fails'); +is ($server->error, 'ACL test2 not found', ' with the right error'); +is ($server->owner ('base', 'service/admin', 'ADMIN'), 1, + 'Setting it to ADMIN works'); +$result = eval { $server->get ('base', 'service/admin') }; +is ($result, undef, ' and get still fails'); +is ($@, "Do not instantiate Wallet::Object::Base directly\n", + ' but the method is called'); +is ($server->store ('base', 'service/admin', 'stuff'), undef, + ' and now store fails'); +is ($server->error, + "cannot store base:service/admin: object type is immutable", + ' with a different error message'); +is ($server->acl ('base', 'service/admin', 'get', 'empty'), 1, + 'Setting the get ACL succeeds'); +is ($server->get ('base', 'service/admin'), undef, ' and get now fails'); +is ($server->error, "$admin not authorized to get base:service/admin", + ' with the right error'); +is ($server->store ('base', 'service/admin', 'stuff'), undef, + ' but store fails'); +is ($server->error, + "cannot store base:service/admin: object type is immutable", + ' with the same error message'); +is ($server->acl ('base', 'service/admin', 'store', 'empty'), 1, + ' until we do the same thing with store'); +is ($server->store ('base', 'service/admin', 'stuff'), undef, + ' and now store fails'); +is ($server->error, "$admin not authorized to store base:service/admin", + ' due to permissions'); +is ($server->acl ('base', 'service/admin', 'store', ''), 1, + 'Clearing the store ACL works'); +is ($server->store ('base', 'service/admin', 'stuff'), undef, + ' and fixes that'); +is ($server->error, + "cannot store base:service/admin: object type is immutable", + ' since we are back to immutable'); +is ($server->owner ('base', 'service/admin', ''), 1, + ' but clearing the owner works'); +is ($server->store ('base', 'service/admin', 'stuff'), undef, + ' and now store fails'); +is ($server->error, "$admin not authorized to store base:service/admin", + ' due to permissions again'); +is ($server->owner ('base', 'service/admin', 'ADMIN'), 1, + ' and setting the owner again works'); + +# Test manipulating flags. +is ($server->flag_clear ('base', 'service/admin', 'locked'), undef, + 'Clearing an unset flag fails'); +is ($server->error, + "cannot clear flag locked on base:service/admin: flag not set", + ' with the right error'); +if ($server->flag_set ('base', 'service/admin', 'locked')) { + ok (1, ' but setting it works'); +} else { + is ($server->error, '', ' but setting it works'); +} +is ($server->store ('base', 'service/admin', 'stuff'), undef, + ' now store fails'); +is ($server->error, 'cannot store base:service/admin: object is locked', + ' because the object is locked'); +is ($server->expires ('base', 'service/admin', ''), undef, + ' and expires fails'); +is ($server->error, 'cannot modify base:service/admin: object is locked', + ' because the object is locked'); +is ($server->owner ('base', 'service/admin', ''), undef, ' and owner fails'); +is ($server->error, 'cannot modify base:service/admin: object is locked', + ' because the object is locked'); +for my $acl (qw/get store show destroy flags/) { + is ($server->acl ('base', 'service/admin', $acl, ''), undef, + " and setting $acl ACL fails"); + is ($server->error, 'cannot modify base:service/admin: object is locked', + ' for the same reason'); +} +is ($server->flag_clear ('base', 'service/admin', 'locked'), 1, + ' and then clearing it works'); +is ($server->owner ('base', 'service/admin', ''), 1, + ' and then clearing owner works'); +is ($server->flag_set ('base', 'service/admin', 'unchanging'), 1, + ' and setting unchanging works'); +is ($server->flag_clear ('base', 'service/admin', 'locked'), undef, + ' and clearing locked still does not'); +is ($server->error, + "cannot clear flag locked on base:service/admin: flag not set", + ' with the right error'); +is ($server->flag_clear ('base', 'service/admin', 'unchanging'), 1, + ' and clearing unchanging works'); + +# Test history. +$history = <<"EOO"; +DATE create + by $admin from $host +DATE set comment to this is a comment + by $admin from $host +DATE unset comment (was this is a comment) + by $admin from $host +DATE set expires to $now + by $admin from $host +DATE unset expires (was $now) + by $admin from $host +DATE set acl_get to ADMIN (1) + by $admin from $host +DATE unset acl_get (was ADMIN (1)) + by $admin from $host +DATE set acl_store to ADMIN (1) + by $admin from $host +DATE unset acl_store (was ADMIN (1)) + by $admin from $host +DATE set owner to ADMIN (1) + by $admin from $host +DATE set acl_get to empty (6) + by $admin from $host +DATE set acl_store to empty (6) + by $admin from $host +DATE unset acl_store (was empty (6)) + by $admin from $host +DATE unset owner (was ADMIN (1)) + by $admin from $host +DATE set owner to ADMIN (1) + by $admin from $host +DATE set flag locked + by $admin from $host +DATE clear flag locked + by $admin from $host +DATE unset owner (was ADMIN (1)) + by $admin from $host +DATE set flag unchanging + by $admin from $host +DATE clear flag unchanging + by $admin from $host +EOO +my $seen = $server->history ('base', 'service/admin'); +$seen =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; +is ($seen, $history, 'History for service/admin is correct'); + +# Now let's set up some additional ACLs for future tests. +is ($server->owner ('base', 'service/user1', 'user1'), 1, 'Set user1 owner'); +is ($server->owner ('base', 'service/user2', 'user2'), 1, 'Set user2 owner'); +is ($server->owner ('base', 'service/both', 'both'), 1, 'Set both owner'); +is ($server->acl ('base', 'service/both', 'show', 'user1'), 1, ' and show'); +is ($server->acl ('base', 'service/both', 'destroy', 'user2'), 1, + ' and destroy'); +is ($server->acl ('base', 'service/both', 'flags', 'user1'), 1, ' and flags'); +is ($server->acl ('base', 'service/admin', 'store', 'user1'), 1, + 'Set admin store'); + +# Okay, now we can switch users and be sure we don't have admin rights. +$server = eval { Wallet::Server->new ($user1, $host) }; +is ($@, '', 'Switching users works'); +is ($server->acl_create ('new'), undef, ' and now we cannot create ACLs'); +is ($server->error, "$user1 not authorized to create ACL", ' with error'); +is ($server->acl_rename ('user1', 'alice'), undef, ' or rename ACLs'); +is ($server->error, "$user1 not authorized to rename ACL user1", + ' with error'); +is ($server->acl_show ('user1'), undef, ' or show ACLs'); +is ($server->error, "$user1 not authorized to show ACL user1", ' with error'); +is ($server->acl_history ('user1'), undef, ' or see history for ACLs'); +is ($server->error, "$user1 not authorized to see history of ACL user1", + ' with error'); +is ($server->acl_destroy ('user2'), undef, ' or destroy ACLs'); +is ($server->error, "$user1 not authorized to destroy ACL user2", + ' with error'); +is ($server->acl_add ('user1', 'krb5', $user2), undef, ' or add to ACLs'); +is ($server->error, "$user1 not authorized to add to ACL user1", + ' with error'); +is ($server->acl_remove ('user1', 'krb5', $user1), undef, + ' or remove from ACLs'); +is ($server->error, "$user1 not authorized to remove from ACL user1", + ' with error'); +is ($server->create ('base', 'service/test'), undef, + ' nor can we create objects'); +is ($server->error, "$user1 not authorized to create base:service/test", + ' with error'); +is ($server->owner ('base', 'service/user1', 'user2'), undef, + ' or set the owner'); +is ($server->error, + "$user1 not authorized to set owner for base:service/user1", + ' with error'); +is ($server->expires ('base', 'service/user1', $now), undef, + ' or set expires'); +is ($server->error, + "$user1 not authorized to set expires for base:service/user1", + ' with error'); +is ($server->acl ('base', 'service/user1', 'get', 'user1'), undef, + ' or set an ACL'); +is ($server->error, + "$user1 not authorized to set ACL for base:service/user1", + ' with error'); +is ($server->flag_set ('base', 'service/user1', 'unchanging'), undef, + ' or set flags'); +is ($server->error, + "$user1 not authorized to set flags for base:service/user1", + ' with error'); +is ($server->flag_clear ('base', 'service/user1', 'unchanging'), undef, + ' or clear flags'); +is ($server->error, + "$user1 not authorized to set flags for base:service/user1", + ' with error'); + +# However, we can perform object actions on things we own. +$result = eval { $server->get ('base', 'service/user1') }; +is ($result, undef, 'We can get an object we own'); +is ($@, "Do not instantiate Wallet::Object::Base directly\n", + ' and the method is called'); +is ($server->store ('base', 'service/user1', 'stuff'), undef, + ' or store an object we own'); +is ($server->error, + "cannot store base:service/user1: object type is immutable", + ' and the method is called'); +is ($server->comment ('base', 'service/user1', 'this is a comment'), 1, + ' and set a comment'); +$show = $server->show ('base', 'service/user1'); +$show =~ s/(Created on:) [\d-]+ [\d:]+$/$1 0/m; +$expected = <<"EOO"; + Type: base + Name: service/user1 + Owner: user1 + Comment: this is a comment + Created by: $admin + Created from: $host + Created on: 0 + +Members of ACL user1 (id: 2) are: + krb5 $user1 +EOO +is ($show, $expected, ' and show an object we own'); +$history = <<"EOO"; +DATE create + by $admin from $host +DATE set owner to user1 (2) + by $admin from $host +DATE set comment to this is a comment + by $user1 from $host +EOO +$seen = $server->history ('base', 'service/user1'); +$seen =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; +is ($seen, $history, ' and see history for an object we own'); +is ($server->attr ('base', 'service/user1', 'foo'), undef, + ' and getting an attribute fails'); +is ($server->error, 'unknown attribute foo', ' but calls the method'); +is ($server->attr ('base', 'service/user1', 'foo', 'foo'), undef, + ' and setting an attribute fails'); +is ($server->error, 'unknown attribute foo', ' but calls the method'); + +# But not on things we don't own. +is ($server->get ('base', 'service/user2'), undef, + 'But we cannot get an object we do not own'); +is ($server->error, "$user1 not authorized to get base:service/user2", + ' with the right error'); +is ($server->store ('base', 'service/user2', 'stuff'), undef, + ' or store it'); +is ($server->error, "$user1 not authorized to store base:service/user2", + ' with the right error'); +is ($server->show ('base', 'service/user2'), undef, ' or show it'); +is ($server->error, "$user1 not authorized to show base:service/user2", + ' with the right error'); +is ($server->history ('base', 'service/user2'), undef, + ' or see history for it'); +is ($server->error, "$user1 not authorized to show base:service/user2", + ' with the right error'); +is ($server->attr ('base', 'service/user2', 'foo'), undef, + ' or get attributes'); +is ($server->error, + "$user1 not authorized to get attributes for base:service/user2", + ' with the right error'); +is ($server->attr ('base', 'service/user2', 'foo', ''), undef, + ' and set attributes'); +is ($server->error, + "$user1 not authorized to set attributes for base:service/user2", + ' with the right error'); +is ($server->comment ('base', 'service/user2', 'this is a comment'), undef, + ' and set comment'); +is ($server->error, + "$user1 not authorized to set comment for base:service/user2", + ' with the right error'); + +# And only some things on an object we own with some ACLs. +$result = eval { $server->get ('base', 'service/both') }; +is ($result, undef, 'We can get an object we jointly own'); +is ($@, "Do not instantiate Wallet::Object::Base directly\n", + ' and the method is called'); +is ($server->store ('base', 'service/both', 'stuff'), undef, + ' or store an object we jointly own'); +is ($server->error, + "cannot store base:service/both: object type is immutable", + ' and the method is called'); +is ($server->flag_set ('base', 'service/both', 'unchanging'), 1, + ' and set flags on an object we have an ACL'); +is ($server->flag_set ('base', 'service/both', 'locked'), 1, ' both flags'); +$show = $server->show ('base', 'service/both'); +$show =~ s/(Created on:) [\d-]+ [\d:]+$/$1 0/m; +$expected = <<"EOO"; + Type: base + Name: service/both + Owner: both + Show ACL: user1 + Destroy ACL: user2 + Flags ACL: user1 + Flags: locked unchanging + Created by: $admin + Created from: $host + Created on: 0 + +Members of ACL both (id: 4) are: + krb5 $user1 + krb5 $user2 + +Members of ACL user1 (id: 2) are: + krb5 $user1 + +Members of ACL user2 (id: 3) are: + krb5 $user2 +EOO +is ($show, $expected, ' and show an object we jointly own'); +$history = <<"EOO"; +DATE create + by $admin from $host +DATE set owner to both (4) + by $admin from $host +DATE set acl_show to user1 (2) + by $admin from $host +DATE set acl_destroy to user2 (3) + by $admin from $host +DATE set acl_flags to user1 (2) + by $admin from $host +DATE set flag unchanging + by $user1 from $host +DATE set flag locked + by $user1 from $host +EOO +$seen = $server->history ('base', 'service/both'); +$seen =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; +is ($seen, $history, ' and see history for an object we jointly own'); +is ($server->store ('base', 'service/both', 'stuff'), undef, + ' but not store data'); +is ($server->error, 'cannot store base:service/both: object is locked', + ' when the object is locked'); +is ($server->flag_clear ('base', 'service/both', 'locked'), 1, + ' and clear flags'); +is ($server->destroy ('base', 'service/both'), undef, + ' but not destroy it'); +is ($server->error, "$user1 not authorized to destroy base:service/both", + ' due to permissions'); +is ($server->attr ('base', 'service/both', 'foo'), undef, + 'Getting an attribute fails'); +is ($server->error, 'unknown attribute foo', ' but calls the method'); +is ($server->attr ('base', 'service/both', 'foo', ''), undef, + ' and setting an attribute fails'); +is ($server->error, 'unknown attribute foo', ' but calls the method'); +is ($server->attr ('base', 'service/admin', 'foo', ''), undef, + ' but setting an attribute on service/admin fails'); +is ($server->error, 'unknown attribute foo', ' and calls the method'); +is ($server->attr ('base', 'service/admin', 'foo'), undef, + ' while getting an attribute on service/admin fails'); +is ($server->error, + "$user1 not authorized to get attributes for base:service/admin", + ' with a permission error'); + +# Now switch to the other user and make sure we can do things on objects we +# own. +$server = eval { Wallet::Server->new ($user2, $host) }; +is ($@, '', 'Switching users works'); +$result = eval { $server->get ('base', 'service/user2') }; +is ($result, undef, 'We can get an object we own'); +is ($@, "Do not instantiate Wallet::Object::Base directly\n", + ' and the method is called'); +is ($server->store ('base', 'service/user2', 'stuff'), undef, + ' or store an object we own'); +is ($server->error, + "cannot store base:service/user2: object type is immutable", + ' and the method is called'); +$show = $server->show ('base', 'service/user2'); +$show =~ s/(Created on:) [\d-]+ [\d:]+$/$1 0/m; +$expected = <<"EOO"; + Type: base + Name: service/user2 + Owner: user2 + Created by: $admin + Created from: $host + Created on: 0 + +Members of ACL user2 (id: 3) are: + krb5 $user2 +EOO +is ($show, $expected, ' and show an object we own'); +$history = <<"EOO"; +DATE create + by $admin from $host +DATE set owner to user2 (3) + by $admin from $host +EOO +$seen = $server->history ('base', 'service/user2'); +$seen =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; +is ($seen, $history, ' and see history for an object we own'); + +# But not on things we don't own. +is ($server->get ('base', 'service/user1'), undef, + 'But we cannot get an object we do not own'); +is ($server->error, "$user2 not authorized to get base:service/user1", + ' with the right error'); +is ($server->store ('base', 'service/user1', 'stuff'), undef, + ' or store it'); +is ($server->error, "$user2 not authorized to store base:service/user1", + ' with the right error'); +is ($server->show ('base', 'service/user1'), undef, ' or show it'); +is ($server->error, "$user2 not authorized to show base:service/user1", + ' with the right error'); +is ($server->history ('base', 'service/user1'), undef, + ' or see history for it'); +is ($server->error, "$user2 not authorized to show base:service/user1", + ' with the right error'); +is ($server->comment ('base', 'service/user1', 'this is a comment'), undef, + ' or set a comment for it'); +is ($server->error, + "$user2 not authorized to set comment for base:service/user1", + ' with the right error'); + +# Test that setting a comment is controlled by the owner but retrieving it is +# controlled by the show ACL. +$result = eval { $server->get ('base', 'service/both') }; +is ($result, undef, 'We can get an object we jointly own'); +is ($@, "Do not instantiate Wallet::Object::Base directly\n", + ' and the method is called'); +is ($server->comment ('base', 'service/both', 'this is a comment'), 1, + ' and can set a comment on it'); +is ($server->error, undef, ' with no error'); +is ($server->comment ('base', 'service/both'), undef, + ' but cannot see the comment on it'); +is ($server->error, "$user2 not authorized to show base:service/both", + ' with the right error'); + +# And can only do some things on an object we own with some ACLs. +$result = eval { $server->get ('base', 'service/both') }; +is ($result, undef, 'We can get an object we jointly own'); +is ($@, "Do not instantiate Wallet::Object::Base directly\n", + ' and the method is called'); +is ($server->store ('base', 'service/both', 'stuff'), undef, + ' or store an object we jointly own'); +is ($server->error, + "cannot store base:service/both: object type is immutable", + ' and the method is called'); +is ($server->show ('base', 'service/both'), undef, ' but we cannot show it'); +is ($server->error, "$user2 not authorized to show base:service/both", + ' with the right error'); +is ($server->history ('base', 'service/both'), undef, + ' or see history for it'); +is ($server->error, "$user2 not authorized to show base:service/both", + ' with the right error'); +is ($server->flag_set ('base', 'service/both', 'locked'), undef, + ' or set flags on it'); +is ($server->error, + "$user2 not authorized to set flags for base:service/both", + ' with the right error'); +is ($server->flag_clear ('base', 'service/both', 'unchanging'), undef, + ' or clear flags on it'); +is ($server->error, + "$user2 not authorized to set flags for base:service/both", + ' with the right error'); +is ($server->attr ('base', 'service/both', 'foo'), undef, + ' or getting an attribute'); +is ($server->error, + "$user2 not authorized to get attributes for base:service/both", + ' with the right error'); +is ($server->attr ('base', 'service/both', 'foo', 'foo'), undef, + ' but setting an attribute fails'); +is ($server->error, 'unknown attribute foo', ' but calls the method'); +is ($server->destroy ('base', 'service/both'), 1, ' and we can destroy it'); +is ($server->get ('base', 'service/both'), undef, ' and now cannot get it'); +is ($server->error, 'cannot find base:service/both', ' because it is gone'); +is ($server->store ('base', 'service/both', 'stuff'), undef, + ' or store it'); +is ($server->error, 'cannot find base:service/both', ' because it is gone'); + +# Switch back to user1 and test destroy. +$server = eval { Wallet::Server->new ($user1, $host) }; +is ($@, '', 'Switching users works'); +is ($server->destroy ('base', 'service/user1'), 1, + 'Destroy of an object we own with no destroy ACLs works'); + +# Test default ACLs on object creation. +# +# Create a default_acl sub that permits $user2 to create service/default with +# a default owner of default (the same as the both ACL), $user1 to create +# service/default-both with a default owner of both (but a different +# definition than the existing ACL), and $user2 to create service/default-2 +# with a default owner of user2 (with the same definition as the existing +# ACL). +# +# Also add service/default-get and service/default-store to test auto-creation +# on get and store, and service/default-admin to test auto-creation when one +# is an admin. +package Wallet::Config; +sub default_owner { + my ($type, $name) = @_; + if ($type eq 'base' and $name eq 'service/default') { + return ('default', [ 'krb5', $user1 ], [ 'krb5', $user2 ]); + } elsif ($type eq 'base' and $name eq 'service/default-both') { + return ('both', [ 'krb5', $user1 ]); + } elsif ($type eq 'base' and $name eq 'service/default-2') { + return ('user2', [ 'krb5', $user2 ]); + } elsif ($type eq 'base' and $name eq 'service/default-get') { + return ('user2', [ 'krb5', $user2 ]); + } elsif ($type eq 'base' and $name eq 'service/default-store') { + return ('user2', [ 'krb5', $user2 ]); + } elsif ($type eq 'base' and $name eq 'service/default-admin') { + return ('auto-admin', [ 'krb5', $admin ]); + } elsif ($type eq 'base' and $name eq 'host/default') { + return ('auto-host', [ 'krb5', $admin ]); + } else { + return; + } +} +package main; + +# Switch back to user2, so we should now be able to create service/default. +# Make sure we can and that the ACLs all look good. +$server = eval { Wallet::Server->new ($user2, $host) }; +is ($@, '', 'Switching users works'); +is ($server->create ('base', 'service/default'), undef, + 'Creating an object with the default ACL fails'); +is ($server->error, "$user2 not authorized to create base:service/default", + ' due to lack of authorization'); +is ($server->autocreate ('base', 'service/default'), 1, + ' but autocreation succeeds'); +is ($server->autocreate ('base', 'service/foo'), undef, + ' but not any object'); +is ($server->error, "$user2 not authorized to create base:service/foo", + ' with the right error'); +$show = $server->show ('base', 'service/default'); +if (defined $show) { + $show =~ s/(Created on:) [\d-]+ [\d:]+$/$1 0/m; + $expected = <<"EOO"; + Type: base + Name: service/default + Owner: default + Created by: $user2 + Created from: $host + Created on: 0 + +Members of ACL default (id: 7) are: + krb5 $user1 + krb5 $user2 +EOO + is ($show, $expected, ' and the created object and ACL are correct'); +} else { + is ($server->error, undef, ' and the created object and ACL are correct'); +} + +# Try the other basic cases in default_owner. +is ($server->autocreate ('base', 'service/default-both'), undef, + 'Creating an object with an ACL mismatch fails'); +is ($server->error, "ACL both exists and doesn't match default", + ' with the right error'); +is ($server->autocreate ('base', 'service/default-2'), 1, + 'Creating an object with an existing ACL works'); +$show = $server->show ('base', 'service/default-2'); +$show =~ s/(Created on:) [\d-]+ [\d:]+$/$1 0/m; +$expected = <<"EOO"; + Type: base + Name: service/default-2 + Owner: user2 + Created by: $user2 + Created from: $host + Created on: 0 + +Members of ACL user2 (id: 3) are: + krb5 $user2 +EOO +is ($show, $expected, ' and the created object and ACL are correct'); + +# Auto-creation does not work on get or store; this is done by the client. +$result = eval { $server->get ('base', 'service/default-get') }; +is ($result, undef, 'Auto-creation on get fails'); +is ($@, '', ' does not die'); +is ($server->error, 'cannot find base:service/default-get', + ' and fails with the right error'); +is ($server->store ('base', 'service/default-store', 'stuff'), undef, + 'Auto-creation on store fails'); +is ($server->error, 'cannot find base:service/default-store', + ' with the right error'); + +# Switch back to admin to test auto-creation. +$server = eval { Wallet::Server->new ($admin, $host) }; +is ($@, '', 'Switching users back to admin works'); +is ($server->autocreate ('base', 'service/default-admin'), 1, + 'Autocreation works for admin'); +$show = $server->show ('base', 'service/default-admin'); +$show =~ s/(Created on:) [\d-]+ [\d:]+$/$1 0/m; +$expected = <<"EOO"; + Type: base + Name: service/default-admin + Owner: auto-admin + Created by: $admin + Created from: $host + Created on: 0 + +Members of ACL auto-admin (id: 8) are: + krb5 $admin +EOO +is ($show, $expected, ' and the created object and ACL are correct'); +is ($server->destroy ('base', 'service/default-admin'), 1, + ' and we can destroy it'); + +# Test naming enforcement. Permit any base service/* name, but only permit +# base host/* if the host is fully qualified and ends in .example.edu. +package Wallet::Config; +sub verify_name { + my ($type, $name) = @_; + if ($type eq 'base' and $name =~ m,^service/,) { + return; + } elsif ($type eq 'base' and $name =~ m,^host/(.*),) { + my $host = $1; + return "host $host must be fully qualified (add .example.edu)" + unless $host =~ /\./; + return "host $host not in .example.edu domain" + unless $host =~ /\.example\.edu$/; + return; + } else { + return; + } +} +package main; + +# Recreate service/default-admin, which should succeed, and then try the +# various host/* principals. +is ($server->create ('base', 'service/default-admin'), 1, + 'Creating default/admin succeeds'); +if ($server->create ('base', 'host/default.example.edu')) { + ok (1, ' as does creating host/default.example.edu'); +} else { + is ($server->error, '', ' as does creating host/default.example.edu'); +} +is ($server->destroy ('base', 'service/default-admin'), 1, + ' and destroying default-admin works'); +is ($server->destroy ('base', 'host/default.example.edu'), 1, + ' and destroying host/default.example.edu works'); +is ($server->create ('base', 'host/default'), undef, + ' but an unqualified host fails'); +is ($server->error, 'base:host/default rejected: host default must be fully' + . ' qualified (add .example.edu)', ' with the right error'); +is ($server->create ('base', 'host/default.stanford.edu'), undef, + ' and a host in the wrong domain fails'); +is ($server->error, 'base:host/default.stanford.edu rejected: host' + . ' default.stanford.edu not in .example.edu domain', + ' with the right error'); +is ($server->autocreate ('base', 'service/default-admin'), 1, + 'Creating default/admin succeeds'); +is ($server->autocreate ('base', 'host/default'), undef, + ' but an unqualified host fails'); +is ($server->error, 'base:host/default rejected: host default must be fully' + . ' qualified (add .example.edu)', ' with the right error'); +is ($server->acl_show ('auto-host'), undef, ' and the ACL is not present'); +is ($server->error, 'ACL auto-host not found', ' with the right error'); +is ($server->autocreate ('base', 'host/default.stanford.edu'), undef, + ' and a host in the wrong domain fails'); +is ($server->error, 'base:host/default.stanford.edu rejected: host' + . ' default.stanford.edu not in .example.edu domain', + ' with the right error'); + +# Ensure that we can't destroy an ACL that's in use. +is ($server->acl_create ('test-destroy'), 1, 'Creating an ACL works'); +is ($server->create ('base', 'service/acl-user'), 1, 'Creating object works'); +is ($server->owner ('base', 'service/acl-user', 'test-destroy'), 1, + ' and setting owner'); +is ($server->acl_destroy ('test-destroy'), undef, + ' and now we cannot destroy that ACL'); +is ($server->error, + 'cannot destroy ACL 9: ACL in use by base:service/acl-user', + ' with the right error'); +is ($server->owner ('base', 'service/acl-user', ''), 1, + ' but after we clear the owner'); +is ($server->acl_destroy ('test-destroy'), 1, ' now we can destroy the ACL'); +is ($server->destroy ('base', 'service/acl-user'), 1, ' and the object'); + +# Test ACL naming enforcement. Require that ACL names not contain a slash. +package Wallet::Config; +sub verify_acl_name { + my ($name, $user) = @_; + return 'ACL names may not contain slash' if $name =~ m,/,; + return; +} +package main; +is ($server->acl_create ('test/naming'), undef, + 'Creating an ACL with a disallowed name fails'); +is ($server->error, 'test/naming rejected: ACL names may not contain slash', + ' with the right error message'); +is ($server->acl_create ('test-naming'), 1, + 'Creating test-naming succeeds'); +is ($server->acl_rename ('test-naming', 'test/naming'), undef, + ' but renaming it fails'); +is ($server->error, 'test/naming rejected: ACL names may not contain slash', + ' with the right error message'); +is ($server->acl_destroy ('test-naming'), 1, 'Destroying it succeeds'); + +# Clean up. +$setup->destroy; +END { + unlink 'wallet-db'; +} + +# Now test handling of some configuration errors. +undef $Wallet::Config::DB_DRIVER; +$server = eval { Wallet::Server->new ($user2, $host) }; +is ($@, "database connection information not configured\n", + 'Fail if DB_DRIVER is not set'); +$Wallet::Config::DB_DRIVER = 'SQLite'; +undef $Wallet::Config::DB_INFO; +$server = eval { Wallet::Server->new ($user2, $host) }; +is ($@, "database connection information not configured\n", + ' or if DB_INFO is not set'); +$Wallet::Config::DB_INFO = 't'; +$server = eval { Wallet::Server->new ($user2, $host) }; +like ($@, qr/unable to open database file/, + ' or if the database connection fails'); -- cgit v1.2.3 From 1329e6db944a6fce5578b249de08a8250a920877 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Fri, 11 Jul 2014 22:36:11 -0700 Subject: Test for Perl strict and minimum version Fix strictness issues across the whole code base, and ensure that all Perl scripts enable warnings. (Hopefully enabling warnings won't cause problems for the server.) Change-Id: I4dee49f7a6bcbeeee21d74bf61a1fd26514f832c Reviewed-on: https://gerrit.stanford.edu/1532 Reviewed-by: Russ Allbery Tested-by: Russ Allbery --- Makefile.am | 8 ++-- README | 34 ++++++++++++----- contrib/wallet-summary | 33 +++++++++-------- contrib/wallet-unknown-hosts | 36 ++++++++++-------- perl/lib/Wallet/ACL.pm | 3 +- perl/lib/Wallet/ACL/Base.pm | 3 +- perl/lib/Wallet/ACL/Krb5.pm | 3 +- perl/lib/Wallet/ACL/Krb5/Regex.pm | 3 +- perl/lib/Wallet/ACL/LDAP/Attribute.pm | 3 +- perl/lib/Wallet/ACL/NetDB.pm | 3 +- perl/lib/Wallet/ACL/NetDB/Root.pm | 3 +- perl/lib/Wallet/Admin.pm | 3 +- perl/lib/Wallet/Config.pm | 1 + perl/lib/Wallet/Database.pm | 3 +- perl/lib/Wallet/Kadmin.pm | 3 +- perl/lib/Wallet/Kadmin/Heimdal.pm | 1 + perl/lib/Wallet/Kadmin/MIT.pm | 3 +- perl/lib/Wallet/Object/Base.pm | 3 +- perl/lib/Wallet/Object/Duo.pm | 1 + perl/lib/Wallet/Object/File.pm | 3 +- perl/lib/Wallet/Object/Keytab.pm | 3 +- perl/lib/Wallet/Object/WAKeyring.pm | 3 +- perl/lib/Wallet/Report.pm | 3 +- perl/lib/Wallet/Server.pm | 3 +- perl/t/data/perl.conf | 7 ++++ perl/t/general/acl.t | 5 ++- perl/t/general/admin.t | 7 +++- perl/t/general/config.t | 7 +++- perl/t/general/init.t | 5 ++- perl/t/general/report.t | 7 +++- perl/t/general/server.t | 7 +++- perl/t/lib/Util.pm | 3 +- perl/t/object/base.t | 5 ++- perl/t/object/file.t | 7 +++- perl/t/object/keytab.t | 11 ++++-- perl/t/style/minimum-version.t | 47 ++++++++++++++++++++++++ perl/t/style/strict.t | 56 ++++++++++++++++++++++++++++ perl/t/util/kadmin.t | 7 +++- perl/t/verifier/basic.t | 5 ++- perl/t/verifier/ldap-attr.t | 5 ++- perl/t/verifier/netdb.t | 7 +++- server/keytab-backend | 1 + server/wallet-backend | 1 + tests/TESTS | 2 + tests/client/full-t.in | 12 +++--- tests/client/prompt-t.in | 14 ++++--- tests/data/fake-kadmin | 7 +++- tests/perl/minimum-version-t | 69 +++++++++++++++++++++++++++++++++++ tests/perl/strict-t | 66 +++++++++++++++++++++++++++++++++ 49 files changed, 437 insertions(+), 98 deletions(-) create mode 100644 perl/t/data/perl.conf create mode 100755 perl/t/style/minimum-version.t create mode 100755 perl/t/style/strict.t create mode 100755 tests/perl/minimum-version-t create mode 100755 tests/perl/strict-t (limited to 'perl/t/general/server.t') diff --git a/Makefile.am b/Makefile.am index 19dbe11..8e65151 100644 --- a/Makefile.am +++ b/Makefile.am @@ -66,6 +66,7 @@ PERL_FILES = perl/Build.PL perl/MANIFEST perl/MANIFEST.SKIP \ perl/t/general/server.t perl/t/lib/Util.pm perl/t/object/base.t \ perl/t/object/duo.t perl/t/object/file.t perl/t/object/keytab.t \ perl/t/object/wa-keyring.t perl/t/policy/stanford.t \ + perl/t/style/minimum-version.t perl/t/style/strict.t \ perl/t/util/kadmin.t perl/t/verifier/basic.t \ perl/t/verifier/ldap-attr.t perl/t/verifier/netdb.t @@ -99,9 +100,10 @@ EXTRA_DIST = .gitignore LICENSE autogen client/wallet.pod \ tests/data/fake-keytab-partial-result tests/data/fake-keytab-rekey \ tests/data/fake-keytab-unknown tests/data/fake-srvtab \ tests/data/full.conf tests/data/perl.conf tests/data/wallet.conf \ - tests/docs/pod-spelling-t tests/docs/pod-t tests/server/admin-t \ - tests/server/backend-t tests/server/keytab-t tests/server/report-t \ - tests/tap/kerberos.sh tests/tap/libtap.sh \ + tests/docs/pod-spelling-t tests/docs/pod-t \ + tests/perl/minimum-version-t tests/perl/strict-t \ + tests/server/admin-t tests/server/backend-t tests/server/keytab-t \ + tests/server/report-t tests/tap/kerberos.sh tests/tap/libtap.sh \ tests/tap/perl/Test/RRA.pm tests/tap/perl/Test/RRA/Automake.pm \ tests/tap/perl/Test/RRA/Config.pm tests/tap/remctl.sh \ tests/util/xmalloc-t $(PERL_FILES) diff --git a/README b/README index e72bc80..ef910bd 100644 --- a/README +++ b/README @@ -118,16 +118,30 @@ REQUIREMENTS server. To run the full test suite, all of the above software requirements must - be met. Tests requiring some bit of software that's not installed - should be skipped, but not all the permutations have been checked. The - full test suite also requires the Test::Pod Perl module (available from - CPAN), that remctld be installed and available on the user's path or in - /usr/local/sbin or /usr/sbin, that sqlite3 be installed and available on - the user's path, that test cases can run services on and connect to port - 14373 on 127.0.0.1, and that kinit and either kvno or kgetcred (which - come with Kerberos) be installed and available on the user's path. The - full test suite also requires a local keytab and some additional - configuration. + be met. The full test suite also requires that remctld be installed and + available on the user's path or in /usr/local/sbin or /usr/sbin, that + sqlite3 be installed and available on the user's path, that test cases + can run services on and connect to port 14373 on 127.0.0.1, and that + kinit and either kvno or kgetcred (which come with Kerberos) be + installed and available on the user's path. The full test suite also + requires a local keytab and some additional configuration. + + The following additional Perl modules will be used if present: + + Test::MinimumVersion + Test::Pod + Test::Spelling + Test::Strict + + All are available on CPAN. Those tests will be skipped if the modules + are not available. + + To enable tests that don't detect functionality problems but are used to + sanity-check the release, set the environment variable RELEASE_TESTING + to a true value. To enable tests that may be sensitive to the local + environment or that produce a lot of false positives without uncovering + many problems, set the environment variable AUTHOR_TESTING to a true + value. To bootstrap from a Git checkout, or if you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.11 or diff --git a/contrib/wallet-summary b/contrib/wallet-summary index 55501ad..5cbf6e0 100755 --- a/contrib/wallet-summary +++ b/contrib/wallet-summary @@ -1,7 +1,22 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Summarize keytabs in the wallet database. +############################################################################## +# Modules and declarations +############################################################################## + +require 5.005; + +use strict; +use vars qw($ADDRESS $DUMPFILE @PATTERNS $REPORTS); +use warnings; + +use Getopt::Long qw(GetOptions); +use File::Path qw(mkpath); +use POSIX qw(strftime); +use Wallet::Report (); + ############################################################################## # Site configuration ############################################################################## @@ -29,20 +44,6 @@ $ADDRESS = 'nobody@example.com'; [qr(^webauth/), 'webauth/*', 'WebAuth v3'], [qr(^service/), 'service/*', 'Service principals']); -############################################################################## -# Modules and declarations -############################################################################## - -require 5.005; - -use strict; -use vars qw($ADDRESS $DUMPFILE @PATTERNS $REPORTS); - -use Getopt::Long qw(GetOptions); -use File::Path qw(mkpath); -use POSIX qw(strftime); -use Wallet::Report (); - ############################################################################## # Database queries ############################################################################## @@ -145,7 +146,7 @@ if ($mail) { } # Run the report. -my @principals = read_dump; +my @principals = read_dump (); report_principals (@principals); # If -m was given, take the saved report and mail it as well. diff --git a/contrib/wallet-unknown-hosts b/contrib/wallet-unknown-hosts index 339983d..50b5a04 100755 --- a/contrib/wallet-unknown-hosts +++ b/contrib/wallet-unknown-hosts @@ -1,7 +1,20 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Report host keytabs in wallet for unknown hosts. +############################################################################## +# Modules and declarations +############################################################################## + +require 5.006; + +use strict; +use warnings; + +use DB_File (); +use Wallet::Report (); +use Wallet::Server (); + ############################################################################## # Site configuration ############################################################################## @@ -22,9 +35,10 @@ our $MIN = 3; our $THRESHOLD = time - 30 * 24 * 60 * 60; # Set up a Net::DNS resolver that will be used by local_check_keytab. +my $DNS; BEGIN { use Net::DNS; - our $DNS = Net::DNS::Resolver->new; + $DNS = Net::DNS::Resolver->new; } # Pre-filter. This is called for all host-based keytabs and is the place to @@ -54,18 +68,6 @@ sub local_check_keytab { return; } -############################################################################## -# Modules and declarations -############################################################################## - -require 5.006; - -use strict; - -use DB_File (); -use Wallet::Report (); -use Wallet::Server (); - ############################################################################## # Utility functions ############################################################################## @@ -97,6 +99,7 @@ sub check_host { # Do a scan of all host-based keytabs in wallet and record those that are not # found in DNS or which should not be used according to site configuration. sub check { + my %history; tie %history, 'DB_File', $HISTORY; my @keytabs = list_keytabs; for my $keytab (@keytabs) { @@ -124,6 +127,7 @@ sub check { # list (given as a threshold time in seconds since epoch). sub report { my ($min, $threshold) = @_; + my %history; tie %history, 'DB_File', $HISTORY; for my $keytab (sort keys %history) { my ($count, $time) = split (',', $history{$keytab}); @@ -142,6 +146,7 @@ sub report { sub purge { my ($user, $min, $threshold) = @_; my $wallet = Wallet::Server->new ($user, 'localhost'); + my %history; tie %history, 'DB_File', $HISTORY; for my $keytab (sort keys %history) { my ($count, $time) = split (',', $history{$keytab}); @@ -161,7 +166,7 @@ sub purge { my $command = shift or die "Usage: $0 (check | report | purge)\n"; if ($command eq 'check') { - check; + check (); } elsif ($command eq 'report') { my ($min, $threshold) = @_; $min = $MIN unless defined ($min); @@ -170,6 +175,7 @@ if ($command eq 'check') { report ($min, $threshold); } elsif ($command eq 'purge') { my $user = $ENV{REMOTE_USER} or die "$0: REMOTE_USER must be set\n"; + my ($min, $threshold) = @_; $min = $MIN unless defined ($min); die "$0: minimum count must be at least 1\n" if $min < 1; $threshold = $THRESHOLD unless defined ($threshold); diff --git a/perl/lib/Wallet/ACL.pm b/perl/lib/Wallet/ACL.pm index 808be3c..9507c64 100644 --- a/perl/lib/Wallet/ACL.pm +++ b/perl/lib/Wallet/ACL.pm @@ -1,7 +1,7 @@ # Wallet::ACL -- Implementation of ACLs in the wallet system. # # Written by Russ Allbery -# Copyright 2007, 2008, 2010, 2013 +# Copyright 2007, 2008, 2010, 2013, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::ACL; require 5.006; use strict; +use warnings; use vars qw($VERSION); use DBI; diff --git a/perl/lib/Wallet/ACL/Base.pm b/perl/lib/Wallet/ACL/Base.pm index b6e4ce3..a2b07cc 100644 --- a/perl/lib/Wallet/ACL/Base.pm +++ b/perl/lib/Wallet/ACL/Base.pm @@ -1,7 +1,7 @@ # Wallet::ACL::Base -- Parent class for wallet ACL verifiers. # # Written by Russ Allbery -# Copyright 2007, 2010 +# Copyright 2007, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::ACL::Base; require 5.006; use strict; +use warnings; use vars qw($VERSION); # This version should be increased on any code change to this module. Always diff --git a/perl/lib/Wallet/ACL/Krb5.pm b/perl/lib/Wallet/ACL/Krb5.pm index ed0b7df..80d32bd 100644 --- a/perl/lib/Wallet/ACL/Krb5.pm +++ b/perl/lib/Wallet/ACL/Krb5.pm @@ -1,7 +1,7 @@ # Wallet::ACL::Krb5 -- Wallet Kerberos v5 principal ACL verifier. # # Written by Russ Allbery -# Copyright 2007, 2010 +# Copyright 2007, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::ACL::Krb5; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Wallet::ACL::Base; diff --git a/perl/lib/Wallet/ACL/Krb5/Regex.pm b/perl/lib/Wallet/ACL/Krb5/Regex.pm index 30f5527..4934cfc 100644 --- a/perl/lib/Wallet/ACL/Krb5/Regex.pm +++ b/perl/lib/Wallet/ACL/Krb5/Regex.pm @@ -1,7 +1,7 @@ # Wallet::ACL::Krb5::Regex -- Wallet Kerberos v5 principal regex ACL verifier # # Written by Russ Allbery -# Copyright 2007, 2010 +# Copyright 2007, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::ACL::Krb5::Regex; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Wallet::ACL::Krb5; diff --git a/perl/lib/Wallet/ACL/LDAP/Attribute.pm b/perl/lib/Wallet/ACL/LDAP/Attribute.pm index aea8a72..c27729e 100644 --- a/perl/lib/Wallet/ACL/LDAP/Attribute.pm +++ b/perl/lib/Wallet/ACL/LDAP/Attribute.pm @@ -1,7 +1,7 @@ # Wallet::ACL::LDAP::Attribute -- Wallet LDAP attribute ACL verifier. # # Written by Russ Allbery -# Copyright 2012, 2013 +# Copyright 2012, 2013, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::ACL::LDAP::Attribute; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Authen::SASL (); diff --git a/perl/lib/Wallet/ACL/NetDB.pm b/perl/lib/Wallet/ACL/NetDB.pm index b76d4ed..ad2164b 100644 --- a/perl/lib/Wallet/ACL/NetDB.pm +++ b/perl/lib/Wallet/ACL/NetDB.pm @@ -1,7 +1,7 @@ # Wallet::ACL::NetDB -- Wallet NetDB role ACL verifier. # # Written by Russ Allbery -# Copyright 2007, 2010 +# Copyright 2007, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::ACL::NetDB; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Wallet::ACL::Base; diff --git a/perl/lib/Wallet/ACL/NetDB/Root.pm b/perl/lib/Wallet/ACL/NetDB/Root.pm index 6c95c6e..34163e7 100644 --- a/perl/lib/Wallet/ACL/NetDB/Root.pm +++ b/perl/lib/Wallet/ACL/NetDB/Root.pm @@ -1,7 +1,7 @@ # Wallet::ACL::NetDB::Root -- Wallet NetDB role ACL verifier (root instances). # # Written by Russ Allbery -# Copyright 2007, 2010 +# Copyright 2007, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::ACL::NetDB::Root; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Wallet::ACL::NetDB; diff --git a/perl/lib/Wallet/Admin.pm b/perl/lib/Wallet/Admin.pm index 3a05284..d39c272 100644 --- a/perl/lib/Wallet/Admin.pm +++ b/perl/lib/Wallet/Admin.pm @@ -1,7 +1,7 @@ # Wallet::Admin -- Wallet system administrative interface. # # Written by Russ Allbery -# Copyright 2008, 2009, 2010, 2011, 2012, 2013 +# Copyright 2008, 2009, 2010, 2011, 2012, 2013, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::Admin; require 5.006; use strict; +use warnings; use vars qw($VERSION); use Wallet::ACL; diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm index 5b0ab1c..527658c 100644 --- a/perl/lib/Wallet/Config.pm +++ b/perl/lib/Wallet/Config.pm @@ -10,6 +10,7 @@ package Wallet::Config; require 5.006; use strict; +use warnings; use vars qw($PATH $VERSION); # This version should be increased on any code change to this module. Always diff --git a/perl/lib/Wallet/Database.pm b/perl/lib/Wallet/Database.pm index 031be9e..3a4e130 100644 --- a/perl/lib/Wallet/Database.pm +++ b/perl/lib/Wallet/Database.pm @@ -6,7 +6,7 @@ # like DBIx::Class objects in the rest of the code. # # Written by Russ Allbery -# Copyright 2008, 2009, 2010, 2012, 2013 +# Copyright 2008, 2009, 2010, 2012, 2013, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -19,6 +19,7 @@ package Wallet::Database; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Wallet::Schema; diff --git a/perl/lib/Wallet/Kadmin.pm b/perl/lib/Wallet/Kadmin.pm index 4ea7920..65a5700 100644 --- a/perl/lib/Wallet/Kadmin.pm +++ b/perl/lib/Wallet/Kadmin.pm @@ -1,7 +1,7 @@ # Wallet::Kadmin -- Kerberos administration API for wallet keytab backend. # # Written by Jon Robertson -# Copyright 2009, 2010 +# Copyright 2009, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::Kadmin; require 5.006; use strict; +use warnings; use vars qw($VERSION); use Wallet::Config (); diff --git a/perl/lib/Wallet/Kadmin/Heimdal.pm b/perl/lib/Wallet/Kadmin/Heimdal.pm index 42de8e0..1208801 100644 --- a/perl/lib/Wallet/Kadmin/Heimdal.pm +++ b/perl/lib/Wallet/Kadmin/Heimdal.pm @@ -14,6 +14,7 @@ package Wallet::Kadmin::Heimdal; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Heimdal::Kadm5 qw(KRB5_KDB_DISALLOW_ALL_TIX); diff --git a/perl/lib/Wallet/Kadmin/MIT.pm b/perl/lib/Wallet/Kadmin/MIT.pm index 1ae01bf..ac45265 100644 --- a/perl/lib/Wallet/Kadmin/MIT.pm +++ b/perl/lib/Wallet/Kadmin/MIT.pm @@ -2,7 +2,7 @@ # # Written by Russ Allbery # Pulled into a module by Jon Robertson -# Copyright 2007, 2008, 2009, 2010 +# Copyright 2007, 2008, 2009, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -15,6 +15,7 @@ package Wallet::Kadmin::MIT; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Wallet::Config (); diff --git a/perl/lib/Wallet/Object/Base.pm b/perl/lib/Wallet/Object/Base.pm index 8debac9..a009d76 100644 --- a/perl/lib/Wallet/Object/Base.pm +++ b/perl/lib/Wallet/Object/Base.pm @@ -1,7 +1,7 @@ # Wallet::Object::Base -- Parent class for any object stored in the wallet. # # Written by Russ Allbery -# Copyright 2007, 2008, 2010, 2011 +# Copyright 2007, 2008, 2010, 2011, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::Object::Base; require 5.006; use strict; +use warnings; use vars qw($VERSION); use DBI; diff --git a/perl/lib/Wallet/Object/Duo.pm b/perl/lib/Wallet/Object/Duo.pm index e5773c8..e3fe2da 100644 --- a/perl/lib/Wallet/Object/Duo.pm +++ b/perl/lib/Wallet/Object/Duo.pm @@ -14,6 +14,7 @@ package Wallet::Object::Duo; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use JSON; diff --git a/perl/lib/Wallet/Object/File.pm b/perl/lib/Wallet/Object/File.pm index 4afef04..1ff1288 100644 --- a/perl/lib/Wallet/Object/File.pm +++ b/perl/lib/Wallet/Object/File.pm @@ -1,7 +1,7 @@ # Wallet::Object::File -- File object implementation for the wallet. # # Written by Russ Allbery -# Copyright 2008, 2010 +# Copyright 2008, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::Object::File; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Digest::MD5 qw(md5_hex); diff --git a/perl/lib/Wallet/Object/Keytab.pm b/perl/lib/Wallet/Object/Keytab.pm index 24c3302..975179b 100644 --- a/perl/lib/Wallet/Object/Keytab.pm +++ b/perl/lib/Wallet/Object/Keytab.pm @@ -1,7 +1,7 @@ # Wallet::Object::Keytab -- Keytab object implementation for the wallet. # # Written by Russ Allbery -# Copyright 2007, 2008, 2009, 2010, 2013 +# Copyright 2007, 2008, 2009, 2010, 2013, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::Object::Keytab; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Wallet::Config (); diff --git a/perl/lib/Wallet/Object/WAKeyring.pm b/perl/lib/Wallet/Object/WAKeyring.pm index f8bd0f7..3e80300 100644 --- a/perl/lib/Wallet/Object/WAKeyring.pm +++ b/perl/lib/Wallet/Object/WAKeyring.pm @@ -1,7 +1,7 @@ # Wallet::Object::WAKeyring -- WebAuth keyring object implementation. # # Written by Russ Allbery -# Copyright 2012, 2013 +# Copyright 2012, 2013, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::Object::WAKeyring; require 5.006; use strict; +use warnings; use vars qw(@ISA $VERSION); use Digest::MD5 qw(md5_hex); diff --git a/perl/lib/Wallet/Report.pm b/perl/lib/Wallet/Report.pm index 1085546..bf48308 100644 --- a/perl/lib/Wallet/Report.pm +++ b/perl/lib/Wallet/Report.pm @@ -1,7 +1,7 @@ # Wallet::Report -- Wallet system reporting interface. # # Written by Russ Allbery -# Copyright 2008, 2009, 2010, 2013 +# Copyright 2008, 2009, 2010, 2013, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::Report; require 5.006; use strict; +use warnings; use vars qw($VERSION); use Wallet::ACL; diff --git a/perl/lib/Wallet/Server.pm b/perl/lib/Wallet/Server.pm index 3266928..2765d34 100644 --- a/perl/lib/Wallet/Server.pm +++ b/perl/lib/Wallet/Server.pm @@ -1,7 +1,7 @@ # Wallet::Server -- Wallet system server implementation. # # Written by Russ Allbery -# Copyright 2007, 2008, 2010, 2011, 2013 +# Copyright 2007, 2008, 2010, 2011, 2013, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -14,6 +14,7 @@ package Wallet::Server; require 5.006; use strict; +use warnings; use vars qw(%MAPPING $VERSION); use Wallet::ACL; diff --git a/perl/t/data/perl.conf b/perl/t/data/perl.conf new file mode 100644 index 0000000..ca05568 --- /dev/null +++ b/perl/t/data/perl.conf @@ -0,0 +1,7 @@ +# Configuration for Perl tests. -*- perl -*- + +# Default minimum version requirement. +$MINIMUM_VERSION = '5.008'; + +# File must end with this line. +1; diff --git a/perl/t/general/acl.t b/perl/t/general/acl.t index e633f46..01b4801 100755 --- a/perl/t/general/acl.t +++ b/perl/t/general/acl.t @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the wallet ACL API. # @@ -8,6 +8,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use POSIX qw(strftime); use Test::More tests => 101; diff --git a/perl/t/general/admin.t b/perl/t/general/admin.t index 41bc33a..7c62932 100755 --- a/perl/t/general/admin.t +++ b/perl/t/general/admin.t @@ -8,6 +8,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use Test::More tests => 26; use Wallet::Admin; @@ -44,7 +47,7 @@ is ($admin->register_object ('base', 'Wallet::Object::Base'), 1, 'Registering Wallet::Object::Base works'); is ($admin->register_object ('base', 'Wallet::Object::Base'), undef, ' and cannot be registered twice'); -$server = eval { Wallet::Server->new ('admin@EXAMPLE.COM', 'localhost') }; +my $server = eval { Wallet::Server->new ('admin@EXAMPLE.COM', 'localhost') }; is ($@, '', 'Creating a server instance did not die'); is ($server->create ('base', 'service/admin'), 1, ' and creating base:service/admin succeeds'); @@ -83,7 +86,7 @@ SKIP: { is ($retval, 1, ' and performing an upgrade to 0.08 succeeds'); my $sql = "select version from dbix_class_schema_versions order by" . " version DESC"; - $version = $admin->dbh->selectall_arrayref ($sql); + my $version = $admin->dbh->selectall_arrayref ($sql); is (@$version, 2, ' and versions table has correct number of rows'); is (@{ $version->[0] }, 1, ' and correct number of columns'); is ($version->[0][0], '0.08', ' and the schema version is correct'); diff --git a/perl/t/general/config.t b/perl/t/general/config.t index 881f2bd..bc200de 100755 --- a/perl/t/general/config.t +++ b/perl/t/general/config.t @@ -1,13 +1,16 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the wallet server configuration. # # Written by Russ Allbery -# Copyright 2008, 2010 +# Copyright 2008, 2010, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. +use strict; +use warnings; + use Test::More tests => 6; # Silence warnings since we're not using use. diff --git a/perl/t/general/init.t b/perl/t/general/init.t index b8ec3c9..58b9a4c 100755 --- a/perl/t/general/init.t +++ b/perl/t/general/init.t @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for database initialization. # @@ -8,6 +8,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use Test::More tests => 18; use Wallet::ACL; diff --git a/perl/t/general/report.t b/perl/t/general/report.t index 9563362..8d348ed 100755 --- a/perl/t/general/report.t +++ b/perl/t/general/report.t @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the wallet reporting interface. # @@ -8,6 +8,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use Test::More tests => 197; use Wallet::Admin; @@ -39,7 +42,7 @@ is ($acls[0][0], 1, ' and that is ACL ID 1'); is ($acls[0][1], 'ADMIN', ' with the right name'); # Create an object. -$server = eval { Wallet::Server->new ('admin@EXAMPLE.COM', 'localhost') }; +my $server = eval { Wallet::Server->new ('admin@EXAMPLE.COM', 'localhost') }; is ($@, '', 'Creating a server instance did not die'); is ($server->create ('base', 'service/admin'), 1, ' and creating base:service/admin succeeds'); diff --git a/perl/t/general/server.t b/perl/t/general/server.t index 9026439..0a527a5 100755 --- a/perl/t/general/server.t +++ b/perl/t/general/server.t @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the wallet server API. # @@ -8,6 +8,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use Test::More tests => 382; use POSIX qw(strftime); @@ -33,7 +36,7 @@ is ($@, '', 'Database initialization did not die'); is ($setup->reinitialize ($admin), 1, 'Database initialization succeeded'); # Now test the new method. -$server = eval { Wallet::Server->new (@trace) }; +my $server = eval { Wallet::Server->new (@trace) }; is ($@, '', 'Reopening with new did not die'); ok ($server->isa ('Wallet::Server'), ' and returned the right class'); my $schema = $server->schema; diff --git a/perl/t/lib/Util.pm b/perl/t/lib/Util.pm index 9e5b95e..187e483 100644 --- a/perl/t/lib/Util.pm +++ b/perl/t/lib/Util.pm @@ -1,7 +1,7 @@ # Utility class for wallet tests. # # Written by Russ Allbery -# Copyright 2007, 2008 +# Copyright 2007, 2008, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. @@ -10,6 +10,7 @@ package Util; require 5.006; use strict; +use warnings; use vars qw(@ISA @EXPORT $VERSION); use Wallet::Config; diff --git a/perl/t/object/base.t b/perl/t/object/base.t index 0432a23..11f18b7 100755 --- a/perl/t/object/base.t +++ b/perl/t/object/base.t @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the basic object implementation. # @@ -8,6 +8,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use POSIX qw(strftime); use Test::More tests => 137; diff --git a/perl/t/object/file.t b/perl/t/object/file.t index 0aecd9d..201f46d 100755 --- a/perl/t/object/file.t +++ b/perl/t/object/file.t @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the file object implementation. # @@ -8,6 +8,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use POSIX qw(strftime); use Test::More tests => 56; @@ -39,7 +42,7 @@ my $history = ''; my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]); # Test error handling in the absence of configuration. -$object = eval { +my $object = eval { Wallet::Object::File->create ('file', 'test', $schema, @trace) }; ok (defined ($object), 'Creating a basic file object succeeds'); diff --git a/perl/t/object/keytab.t b/perl/t/object/keytab.t index 127762a..0f4a8b8 100755 --- a/perl/t/object/keytab.t +++ b/perl/t/object/keytab.t @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the keytab object implementation. # @@ -8,6 +8,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use POSIX qw(strftime); use Test::More tests => 141; @@ -117,7 +120,7 @@ sub enctypes { next unless /^ *\d+ /; my ($string) = /\((.*)\)\s*$/; next unless $string; - $enctype = $enctype{lc $string} || 'UNKNOWN'; + my $enctype = $enctype{lc $string} || 'UNKNOWN'; push (@enctypes, $enctype); } close KLIST; @@ -174,7 +177,7 @@ SKIP: { # Test that object creation without KEYTAB_TMP fails. undef $Wallet::Config::KEYTAB_TMP; - $object = eval { + my $object = eval { Wallet::Object::Keytab->create ('keytab', 'wallet/one', $schema, @trace) }; @@ -634,7 +637,7 @@ EOO is ("@values", "@enctypes", ' and we get back the right enctype list'); my $eshow = join ("\n" . (' ' x 17), @enctypes); $eshow =~ s/\s+\z/\n/; - $expected = <<"EOO"; + my $expected = <<"EOO"; Type: keytab Name: wallet/one Enctypes: $eshow diff --git a/perl/t/style/minimum-version.t b/perl/t/style/minimum-version.t new file mode 100755 index 0000000..e4eeafd --- /dev/null +++ b/perl/t/style/minimum-version.t @@ -0,0 +1,47 @@ +#!/usr/bin/perl +# +# Check that too-new features of Perl are not being used. +# +# The canonical version of this file is maintained in the rra-c-util package, +# which can be found at . +# +# Written by Russ Allbery +# Copyright 2013, 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# Permission is hereby granted, free of charge, to any person obtaining a +# copy of this software and associated documentation files (the "Software"), +# to deal in the Software without restriction, including without limitation +# the rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +# DEALINGS IN THE SOFTWARE. + +use 5.006; +use strict; +use warnings; + +use lib 't/lib'; + +use Test::More; +use Test::RRA qw(skip_unless_automated use_prereq); +use Test::RRA::Config qw($MINIMUM_VERSION); + +# Skip for normal user installs since this doesn't affect functionality. +skip_unless_automated('Minimum version tests'); + +# Load prerequisite modules. +use_prereq('Test::MinimumVersion'); + +# Check all files in the Perl distribution. +all_minimum_version_ok($MINIMUM_VERSION); diff --git a/perl/t/style/strict.t b/perl/t/style/strict.t new file mode 100755 index 0000000..7137b15 --- /dev/null +++ b/perl/t/style/strict.t @@ -0,0 +1,56 @@ +#!/usr/bin/perl +# +# Test Perl code for strict, warnings, and syntax. +# +# The canonical version of this file is maintained in the rra-c-util package, +# which can be found at . +# +# Written by Russ Allbery +# Copyright 2013, 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# Permission is hereby granted, free of charge, to any person obtaining a +# copy of this software and associated documentation files (the "Software"), +# to deal in the Software without restriction, including without limitation +# the rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +# DEALINGS IN THE SOFTWARE. + +use 5.006; +use strict; +use warnings; + +use lib 't/lib'; + +use File::Spec; +use Test::RRA qw(skip_unless_automated use_prereq); + +# Skip for normal user installs since this doesn't affect functionality. +skip_unless_automated('Strictness tests'); + +# Load prerequisite modules. +use_prereq('Test::Strict'); + +# Test everything in the distribution directory except the Build and +# Makefile.PL scripts generated by Module::Build. We also want to check use +# warnings. +$Test::Strict::TEST_SKIP = ['Build', 'Makefile.PL']; +$Test::Strict::TEST_WARNINGS = 1; +all_perl_files_ok(File::Spec->curdir); + +# Hack to suppress "used only once" warnings. +END { + $Test::Strict::TEST_SKIP = []; + $Test::Strict::TEST_WARNINGS = 0; +} diff --git a/perl/t/util/kadmin.t b/perl/t/util/kadmin.t index 8eabc6b..2a3d984 100755 --- a/perl/t/util/kadmin.t +++ b/perl/t/util/kadmin.t @@ -1,13 +1,16 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the kadmin object implementation. # # Written by Jon Robertson -# Copyright 2009, 2010, 2012, 2013 +# Copyright 2009, 2010, 2012, 2013, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. +use strict; +use warnings; + use POSIX qw(strftime); use Test::More tests => 34; diff --git a/perl/t/verifier/basic.t b/perl/t/verifier/basic.t index 5697ae6..ce44d44 100755 --- a/perl/t/verifier/basic.t +++ b/perl/t/verifier/basic.t @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the basic wallet ACL verifiers. # @@ -8,6 +8,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use Test::More tests => 57; use Wallet::ACL::Base; diff --git a/perl/t/verifier/ldap-attr.t b/perl/t/verifier/ldap-attr.t index d8e416b..3c132e2 100755 --- a/perl/t/verifier/ldap-attr.t +++ b/perl/t/verifier/ldap-attr.t @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the LDAP attribute ACL verifier. # @@ -11,6 +11,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use Test::More; use lib 't/lib'; diff --git a/perl/t/verifier/netdb.t b/perl/t/verifier/netdb.t index d8fe561..7048ef9 100755 --- a/perl/t/verifier/netdb.t +++ b/perl/t/verifier/netdb.t @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Tests for the NetDB wallet ACL verifiers. # @@ -12,6 +12,9 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + use Test::More tests => 5; use Wallet::ACL::NetDB; @@ -35,7 +38,7 @@ SKIP: { $Wallet::Config::NETDB_REMCTL_HOST = $netdb; # Finally, we can test. - $verifier = eval { Wallet::ACL::NetDB->new }; + my $verifier = eval { Wallet::ACL::NetDB->new }; ok (defined $verifier, ' and now creation succeeds'); is ($@, q{}, ' with no errors'); ok ($verifier->isa ('Wallet::ACL::NetDB'), ' and returns the right class'); diff --git a/server/keytab-backend b/server/keytab-backend index cf283bb..bd5a3f9 100755 --- a/server/keytab-backend +++ b/server/keytab-backend @@ -21,6 +21,7 @@ ############################################################################## use strict; +use warnings; use Sys::Syslog qw(openlog syslog); diff --git a/server/wallet-backend b/server/wallet-backend index 0b6a3fa..a97c8ce 100755 --- a/server/wallet-backend +++ b/server/wallet-backend @@ -7,6 +7,7 @@ ############################################################################## use strict; +use warnings; use Getopt::Long qw(GetOptions); use Sys::Syslog qw(openlog syslog); diff --git a/tests/TESTS b/tests/TESTS index 807d944..d947e97 100644 --- a/tests/TESTS +++ b/tests/TESTS @@ -4,6 +4,8 @@ client/prompt client/rekey docs/pod docs/pod-spelling +perl/minimum-version +perl/strict portable/asprintf portable/mkstemp portable/setenv diff --git a/tests/client/full-t.in b/tests/client/full-t.in index 9822b37..4861723 100644 --- a/tests/client/full-t.in +++ b/tests/client/full-t.in @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # End-to-end tests for the wallet client. # @@ -8,12 +8,14 @@ # # See LICENSE for licensing terms. +use strict; +use warnings; + # Point to our server configuration. This must be done before Wallet::Config # is loaded, and it's pulled in as a prerequisite for Wallet::Admin. BEGIN { $ENV{WALLET_CONFIG} = "$ENV{SOURCE}/data/wallet.conf" } -BEGIN { our $total = 59 } -use Test::More tests => $total; +use Test::More tests => 59; use lib "$ENV{SOURCE}/../perl/lib"; use Wallet::Admin; @@ -56,10 +58,10 @@ sub wallet { chdir "$ENV{SOURCE}" or die "Cannot chdir to $ENV{SOURCE}: $!\n"; SKIP: { - skip 'no keytab configuration', $total + skip 'no keytab configuration', 59 unless -f "$ENV{BUILD}/config/keytab"; my $remctld = '@REMCTLD@'; - skip 'remctld not found', $total unless $remctld; + skip 'remctld not found', 59 unless $remctld; # Spawn remctld and get local tickets. Don't destroy the user's Kerberos # ticket cache. diff --git a/tests/client/prompt-t.in b/tests/client/prompt-t.in index 8467411..686cc88 100644 --- a/tests/client/prompt-t.in +++ b/tests/client/prompt-t.in @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Password prompting tests for the wallet client. # @@ -8,8 +8,10 @@ # # See LICENSE for licensing terms. -BEGIN { our $total = 5 } -use Test::More tests => $total; +use strict; +use warnings; + +use Test::More tests => 5; use lib "$ENV{SOURCE}/../perl/lib"; use Wallet::Admin; @@ -21,12 +23,12 @@ use Util; chdir "$ENV{SOURCE}" or die "Cannot chdir to $ENV{SOURCE}: $!\n"; SKIP: { - skip 'no password configuration', $total + skip 'no password configuration', 5 unless -f "$ENV{BUILD}/config/password"; my $remctld = '@REMCTLD@'; - skip 'remctld not found', $total unless $remctld; + skip 'remctld not found', 5 unless $remctld; eval { require Expect }; - skip 'Expect module not found', $total if $@; + skip 'Expect module not found', 5 if $@; # Disable sending of wallet's output to our standard output. Do this # twice to avoid Perl warnings. diff --git a/tests/data/fake-kadmin b/tests/data/fake-kadmin index 57f9c97..ff90f88 100755 --- a/tests/data/fake-kadmin +++ b/tests/data/fake-kadmin @@ -1,13 +1,16 @@ -#!/usr/bin/perl -w +#!/usr/bin/perl # # Fake kadmin.local used to test the keytab backend. # # Written by Russ Allbery -# Copyright 2007 +# Copyright 2007, 2014 # The Board of Trustees of the Leland Stanford Junior University # # See LICENSE for licensing terms. +use strict; +use warnings; + unless ($ARGV[0] eq '-q' && @ARGV == 2) { die "invalid arguments\n"; } diff --git a/tests/perl/minimum-version-t b/tests/perl/minimum-version-t new file mode 100755 index 0000000..8c49327 --- /dev/null +++ b/tests/perl/minimum-version-t @@ -0,0 +1,69 @@ +#!/usr/bin/perl +# +# Check that too-new features of Perl are not being used. +# +# This version of the check script supports mapping various directories to +# different version numbers. This allows a newer version of Perl to be +# required for internal tools than for public code. +# +# The canonical version of this file is maintained in the rra-c-util package, +# which can be found at . +# +# Written by Russ Allbery +# Copyright 2012, 2013, 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# Permission is hereby granted, free of charge, to any person obtaining a +# copy of this software and associated documentation files (the "Software"), +# to deal in the Software without restriction, including without limitation +# the rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +# DEALINGS IN THE SOFTWARE. + +use 5.006; +use strict; +use warnings; + +use lib "$ENV{SOURCE}/tap/perl"; + +use Test::More; +use Test::RRA qw(skip_unless_automated use_prereq); +use Test::RRA::Automake qw(automake_setup perl_dirs); +use Test::RRA::Config qw($MINIMUM_VERSION %MINIMUM_VERSION); + +# Skip for normal user installs since this doesn't affect functionality. +skip_unless_automated('Minimum version tests'); + +# Load prerequisite modules. +use_prereq('Test::MinimumVersion'); + +# Set up Automake testing. +automake_setup(); + +# For each exception case in %MINIMUM_VERSION, check the files that should +# have that minium version. Sort for reproducible test order. Also +# accumulate the list of directories we've already tested. +my @tested; +for my $version (sort keys %MINIMUM_VERSION) { + my $paths_ref = $MINIMUM_VERSION{$version}; + all_minimum_version_ok($version, { paths => $paths_ref, no_plan => 1 }); + push(@tested, @{$paths_ref}); +} + +# Now, check anything that's left against the default minimum version. +my @paths = perl_dirs({ skip => [@tested] }); +all_minimum_version_ok($MINIMUM_VERSION, { paths => \@paths, no_plan => 1 }); + +# Tell the TAP harness that we're done. +done_testing(); diff --git a/tests/perl/strict-t b/tests/perl/strict-t new file mode 100755 index 0000000..2df6d58 --- /dev/null +++ b/tests/perl/strict-t @@ -0,0 +1,66 @@ +#!/usr/bin/perl +# +# Check Perl scripts for strict, warnings, and syntax. +# +# Checks all Perl scripts in the tree for problems uncovered by Test::Strict. +# This includes using strict and warnings for every script and ensuring they +# all pass a syntax check. Currently, test suite coverage is not checked. +# +# The canonical version of this file is maintained in the rra-c-util package, +# which can be found at . +# +# Written by Russ Allbery +# Copyright 2012, 2013, 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# Permission is hereby granted, free of charge, to any person obtaining a +# copy of this software and associated documentation files (the "Software"), +# to deal in the Software without restriction, including without limitation +# the rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +# DEALINGS IN THE SOFTWARE. + +use 5.006; +use strict; +use warnings; + +use lib "$ENV{SOURCE}/tap/perl"; + +use Test::More; +use Test::RRA qw(skip_unless_automated use_prereq); +use Test::RRA::Automake qw(automake_setup perl_dirs); +use Test::RRA::Config qw(@STRICT_IGNORE @STRICT_PREREQ); + +# Skip for normal user installs since this doesn't affect functionality. +skip_unless_automated('Strictness tests'); + +# Load prerequisite modules. +use_prereq('Test::Strict'); + +# Check whether all prerequisites are available, and skip the test if any of +# them are not. +for my $module (@STRICT_PREREQ) { + use_prereq($module); +} + +# Set up Automake testing. This must be done after loading Test::Strict, +# since it wants to use FindBin to locate this script. +automake_setup(); + +# Run the actual tests. We also want to check warnings. +$Test::Strict::TEST_WARNINGS = 1; +all_perl_files_ok(perl_dirs({ skip => [@STRICT_IGNORE] })); + +# Suppress "used only once" warnings. +END { $Test::Strict::TEST_WARNINGS = 0 } -- cgit v1.2.3 From b1bd88daea1dde6de9e6a8688c6190cdc0b5c617 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Tue, 15 Jul 2014 20:29:19 -0700 Subject: Record the ACL name in the acl_history table Store the current name of the ACL with each history row, and index the name. This will eventually allow retrieval of history by name for ACLs that have been deleted, although the rest of the code is not yet in place. The initial creation and membership of the ADMIN ACL during database initialization or reinitialization is no longer recorded in the acl_history table, since otherwise it produces errors due to the missing ah_name field when building the database with schema 0.07. There should be some better solution to this, but this will be okay for the time being. Change-Id: I015a00c972e0c2730c3d449952fcfe9b79c6e54f Reviewed-on: https://gerrit.stanford.edu/1553 Reviewed-by: Russ Allbery Tested-by: Russ Allbery --- NEWS | 5 +++++ perl/lib/Wallet/ACL.pm | 5 ++++- perl/lib/Wallet/Admin.pm | 19 ++++++++++++++----- perl/lib/Wallet/Schema/Result/AclHistory.pm | 10 ++++++++++ perl/sql/Wallet-Schema-0.08-0.09-MySQL.sql | 4 +++- perl/sql/Wallet-Schema-0.08-0.09-PostgreSQL.sql | 4 ++++ perl/sql/Wallet-Schema-0.08-0.09-SQLite.sql | 4 ++++ perl/sql/Wallet-Schema-0.09-MySQL.sql | 4 +++- perl/sql/Wallet-Schema-0.09-PostgreSQL.sql | 4 +++- perl/sql/Wallet-Schema-0.09-SQLite.sql | 5 ++++- perl/t/general/server.t | 18 ++++-------------- 11 files changed, 58 insertions(+), 24 deletions(-) (limited to 'perl/t/general/server.t') diff --git a/NEWS b/NEWS index beddf7f..f6e3fdd 100644 --- a/NEWS +++ b/NEWS @@ -46,6 +46,11 @@ wallet 1.1 (unreleased) the DateTime::Format::* module corresponding to the DBD::* module used for the server database. + The initial creation and membership of the ADMIN ACL during database + initialization or reinitialization is no longer recorded in the + acl_history table. (This is fallout from making a specific type of + upgrade testable, and may be fixed in the future.) + The wallet server now requires Perl 5.8 or later (instead of 5.006 in previous versions) and is now built with Module::Build instead of ExtUtils::MakeMaker. This should be transparent to anyone not working diff --git a/perl/lib/Wallet/ACL.pm b/perl/lib/Wallet/ACL.pm index 57097c0..6f5172a 100644 --- a/perl/lib/Wallet/ACL.pm +++ b/perl/lib/Wallet/ACL.pm @@ -80,6 +80,7 @@ sub create { # Add to the history table. my $date = DateTime->from_epoch (epoch => $time); %record = (ah_acl => $id, + ah_name => $name, ah_action => 'create', ah_by => $user, ah_from => $host, @@ -165,6 +166,7 @@ sub log_acl { } my $date = DateTime->from_epoch (epoch => $time); my %record = (ah_acl => $self->{id}, + ah_name => $self->{name}, ah_action => $action, ah_scheme => $scheme, ah_identifier => $identifier, @@ -243,7 +245,8 @@ sub destroy { # Create new history line for the deletion. my $date = DateTime->from_epoch (epoch => $time); - my %record = (ah_acl => $self->{id}, + my %record = (ah_acl => $self->{id}, + ah_name => $self->{name}, ah_action => 'destroy', ah_by => $user, ah_from => $host, diff --git a/perl/lib/Wallet/Admin.pm b/perl/lib/Wallet/Admin.pm index 29b2f21..b07c7d1 100644 --- a/perl/lib/Wallet/Admin.pm +++ b/perl/lib/Wallet/Admin.pm @@ -98,13 +98,22 @@ sub initialize { $self->default_data; # Create a default admin ACL. - my $acl = Wallet::ACL->create ('ADMIN', $self->{schema}, $user, - 'localhost'); - unless ($acl->add ('krb5', $user, $user, 'localhost')) { - $self->error ($acl->error); + eval { + my $guard = $self->{schema}->txn_scope_guard; + $self->{schema}->resultset ('Acl')->populate ([ + [ qw/ac_id ac_name/ ], + [ 1, 'ADMIN' ], + ]); + $self->{schema}->resultset ('AclEntry')->populate ([ + [ qw/ae_id ae_scheme ae_identifier/ ], + [ 1, 'krb5', $user ], + ]); + $guard->commit; + }; + if ($@) { + $self->error ("cannot add ADMIN ACL: $@"); return; } - return 1; } diff --git a/perl/lib/Wallet/Schema/Result/AclHistory.pm b/perl/lib/Wallet/Schema/Result/AclHistory.pm index 11593b7..82e18a9 100644 --- a/perl/lib/Wallet/Schema/Result/AclHistory.pm +++ b/perl/lib/Wallet/Schema/Result/AclHistory.pm @@ -41,6 +41,12 @@ __PACKAGE__->table("acl_history"); data_type: 'integer' is_nullable: 0 +=head2 ah_name + + data_type: 'varchar' + is_nullable: 1 + size: 255 + =head2 ah_action data_type: 'varchar' @@ -84,6 +90,8 @@ __PACKAGE__->add_columns( { data_type => "integer", is_auto_increment => 1, is_nullable => 0 }, "ah_acl", { data_type => "integer", is_nullable => 0 }, + "ah_name", + { data_type => "varchar", is_nullable => 1, size => 255 }, "ah_action", { data_type => "varchar", is_nullable => 0, size => 16 }, "ah_scheme", @@ -108,6 +116,8 @@ sub sqlt_deploy_hook { my ($self, $sqlt_table) = @_; my $name = 'acl_history_idx_ah_acl'; $sqlt_table->add_index (name => $name, fields => [qw(ah_acl)]); + $name = 'acl_history_idx_ah_name'; + $sqlt_table->add_index (name => $name, fields => [qw(ah_name)]); } 1; diff --git a/perl/sql/Wallet-Schema-0.08-0.09-MySQL.sql b/perl/sql/Wallet-Schema-0.08-0.09-MySQL.sql index 8127613..f6b1abe 100644 --- a/perl/sql/Wallet-Schema-0.08-0.09-MySQL.sql +++ b/perl/sql/Wallet-Schema-0.08-0.09-MySQL.sql @@ -12,7 +12,9 @@ CREATE TABLE duo ( SET foreign_key_checks=1; -ALTER TABLE acl_history ADD INDEX acl_history_idx_ah_acl (ah_acl); +ALTER TABLE acl_history ADD COLUMN ah_name varchar(255) NULL, + ADD INDEX acl_history_idx_ah_acl (ah_acl), + ADD INDEX acl_history_idx_ah_name (ah_name); ALTER TABLE object_history DROP FOREIGN KEY object_history_fk_oh_type_oh_name, ALTER TABLE object_history; diff --git a/perl/sql/Wallet-Schema-0.08-0.09-PostgreSQL.sql b/perl/sql/Wallet-Schema-0.08-0.09-PostgreSQL.sql index 66603f7..a1d3fa3 100644 --- a/perl/sql/Wallet-Schema-0.08-0.09-PostgreSQL.sql +++ b/perl/sql/Wallet-Schema-0.08-0.09-PostgreSQL.sql @@ -8,8 +8,12 @@ CREATE TABLE "duo" ( PRIMARY KEY ("du_name") ); +ALTER TABLE acl_history ADD COLUMN ah_name character varying(255); + CREATE INDEX acl_history_idx_ah_acl on acl_history (ah_acl); +CREATE INDEX acl_history_idx_ah_name on acl_history (ah_name); + COMMIT; diff --git a/perl/sql/Wallet-Schema-0.08-0.09-SQLite.sql b/perl/sql/Wallet-Schema-0.08-0.09-SQLite.sql index 42f4ea5..df0fa09 100644 --- a/perl/sql/Wallet-Schema-0.08-0.09-SQLite.sql +++ b/perl/sql/Wallet-Schema-0.08-0.09-SQLite.sql @@ -8,6 +8,10 @@ CREATE TABLE duo ( PRIMARY KEY (du_name) ); +ALTER TABLE acl_history ADD ah_name varchar(255) default null; + CREATE INDEX acl_history_idx_ah_acl ON acl_history (ah_acl); +CREATE INDEX acl_history_idx_ah_name ON acl_history (ah_name); + COMMIT; diff --git a/perl/sql/Wallet-Schema-0.09-MySQL.sql b/perl/sql/Wallet-Schema-0.09-MySQL.sql index 86eeec4..200b941 100644 --- a/perl/sql/Wallet-Schema-0.09-MySQL.sql +++ b/perl/sql/Wallet-Schema-0.09-MySQL.sql @@ -1,6 +1,6 @@ -- -- Created by SQL::Translator::Producer::MySQL --- Created on Fri Jul 11 19:17:16 2014 +-- Created on Tue Jul 15 17:41:01 2014 -- SET foreign_key_checks=0; @@ -12,6 +12,7 @@ DROP TABLE IF EXISTS `acl_history`; CREATE TABLE `acl_history` ( `ah_id` integer NOT NULL auto_increment, `ah_acl` integer NOT NULL, + `ah_name` varchar(255) NULL, `ah_action` varchar(16) NOT NULL, `ah_scheme` varchar(32) NULL, `ah_identifier` varchar(255) NULL, @@ -19,6 +20,7 @@ CREATE TABLE `acl_history` ( `ah_from` varchar(255) NOT NULL, `ah_on` datetime NOT NULL, INDEX `acl_history_idx_ah_acl` (`ah_acl`), + INDEX `acl_history_idx_ah_name` (`ah_name`), PRIMARY KEY (`ah_id`) ); diff --git a/perl/sql/Wallet-Schema-0.09-PostgreSQL.sql b/perl/sql/Wallet-Schema-0.09-PostgreSQL.sql index 38fc6ca..a66f0b1 100644 --- a/perl/sql/Wallet-Schema-0.09-PostgreSQL.sql +++ b/perl/sql/Wallet-Schema-0.09-PostgreSQL.sql @@ -1,6 +1,6 @@ -- -- Created by SQL::Translator::Producer::PostgreSQL --- Created on Fri Jul 11 19:17:17 2014 +-- Created on Tue Jul 15 17:41:03 2014 -- -- -- Table: duo. @@ -19,6 +19,7 @@ DROP TABLE "acl_history" CASCADE; CREATE TABLE "acl_history" ( "ah_id" serial NOT NULL, "ah_acl" integer NOT NULL, + "ah_name" character varying(255), "ah_action" character varying(16) NOT NULL, "ah_scheme" character varying(32), "ah_identifier" character varying(255), @@ -28,6 +29,7 @@ CREATE TABLE "acl_history" ( PRIMARY KEY ("ah_id") ); CREATE INDEX "acl_history_idx_ah_acl" on "acl_history" ("ah_acl"); +CREATE INDEX "acl_history_idx_ah_name" on "acl_history" ("ah_name"); -- -- Table: acl_schemes. diff --git a/perl/sql/Wallet-Schema-0.09-SQLite.sql b/perl/sql/Wallet-Schema-0.09-SQLite.sql index 97db821..19a77c2 100644 --- a/perl/sql/Wallet-Schema-0.09-SQLite.sql +++ b/perl/sql/Wallet-Schema-0.09-SQLite.sql @@ -1,6 +1,6 @@ -- -- Created by SQL::Translator::Producer::SQLite --- Created on Fri Jul 11 19:17:16 2014 +-- Created on Tue Jul 15 17:41:02 2014 -- BEGIN TRANSACTION; @@ -24,6 +24,7 @@ DROP TABLE IF EXISTS acl_history; CREATE TABLE acl_history ( ah_id INTEGER PRIMARY KEY NOT NULL, ah_acl integer NOT NULL, + ah_name varchar(255), ah_action varchar(16) NOT NULL, ah_scheme varchar(32), ah_identifier varchar(255), @@ -34,6 +35,8 @@ CREATE TABLE acl_history ( CREATE INDEX acl_history_idx_ah_acl ON acl_history (ah_acl); +CREATE INDEX acl_history_idx_ah_name ON acl_history (ah_name); + -- -- Table: acl_schemes -- diff --git a/perl/t/general/server.t b/perl/t/general/server.t index 0a527a5..b270733 100755 --- a/perl/t/general/server.t +++ b/perl/t/general/server.t @@ -54,18 +54,8 @@ is ($server->acl_show ('ADMIN'), is ($server->acl_show (1), "Members of ACL ADMIN (id: 1) are:\n krb5 $admin\n", ' including by number'); -my $history = <<"EOO"; -DATE create - by $admin from $host -DATE add krb5 $admin - by $admin from $host -EOO -my $result = $server->acl_history ('ADMIN'); -$result =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; -is ($result, $history, ' and displaying history works'); -$result = $server->acl_history (1); -$result =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; -is ($result, $history, ' including by number'); +is ($server->acl_history ('ADMIN'), '', ' and initial history is empty'); +is ($server->acl_history (1), '', ' including by number'); is ($server->acl_create (3), undef, 'Cannot create ACL with a numeric name'); is ($server->error, 'ACL name may not be all numbers', ' and returns the right error'); @@ -117,7 +107,7 @@ is ($server->acl_add ('both', 'krb5', $user2), 1, is ($server->acl_show ('both'), "Members of ACL both (id: 4) are:\n krb5 $user1\n krb5 $user2\n", ' and show returns the correct result'); -$history = <<"EOO"; +my $history = <<"EOO"; DATE create by $admin from $host DATE add krb5 $user1 @@ -125,7 +115,7 @@ DATE add krb5 $user1 DATE add krb5 $user2 by $admin from $host EOO -$result = $server->acl_history ('both'); +my $result = $server->acl_history ('both'); $result =~ s/^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d/DATE/gm; is ($result, $history, ' as does history'); is ($server->acl_add ('empty', 'krb5', $user1), 1, ' and another to empty'); -- cgit v1.2.3