From f1eab726c10be66e94f6984418babfa9d68993b0 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Tue, 3 Apr 2012 20:40:01 -0700
Subject: Add initial LDAP attribute ACL verifier
A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now supported. This ACL type grants access if the LDAP entry corresponding to the principal contains the attribute name and value specified in the ACL. The Net::LDAP and Authen::SASL Perl modules are required to use this ACL type. New configuration settings are required as well; see Wallet::Config for more information. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier.
---
 perl/t/verifier-ldap-attr.t | 66 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100755 perl/t/verifier-ldap-attr.t
(limited to 'perl/t/verifier-ldap-attr.t')
diff --git a/perl/t/verifier-ldap-attr.t b/perl/t/verifier-ldap-attr.t
new file mode 100755
index 0000000..1c84fac
--- /dev/null
+++ b/perl/t/verifier-ldap-attr.t
@@ -0,0 +1,66 @@
+#!/usr/bin/perl -w
+#
+# Tests for the LDAP attribute ACL verifier.
+#
+# This test can only be run by someone local to Stanford with appropriate
+# access to the LDAP server and will be skipped in all other environments.
+#
+# Written by Russ Allbery
+# Copyright 2012
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# See LICENSE for licensing terms.
+
+use Test::More tests => 10;
+
+use lib 't/lib';
+use Util;
+
+BEGIN { use_ok ('Wallet::ACL::LDAP::Attribute') };
+
+my $host = 'ldap.stanford.edu';
+my $base = 'cn=people,dc=stanford,dc=edu';
+my $filter = 'uid';
+my $user = 'rra@stanford.edu';
+my $attr = 'suPrivilegeGroup';
+my $value = 'stanford:stanford';
+
+# Remove the realm from principal names.
+package Wallet::Config;
+sub ldap_map_principal {
+ my ($principal) = @_;
+ $principal =~ s/\@.*//;
+ return $principal;
+}
+package main;
+
+# Determine the local principal.
+my $klist = `klist 2>&1` || '';
+SKIP: {
+ skip "tests useful only with Stanford Kerberos tickets", 4
+ unless ($klist =~ /[Pp]rincipal: \S+\@stanford\.edu$/m);
+
+ # Set up our configuration.
+ $Wallet::Config::LDAP_HOST = $host;
+ $Wallet::Config::LDAP_CACHE = $ENV{KRB5CCNAME};
+ $Wallet::Config::LDAP_BASE = $base;
+ $Wallet::Config::LDAP_FILTER_ATTR = $filter;
+
+ # Finally, we can test.
+ my $verifier = eval { Wallet::ACL::LDAP::Attribute->new };
+ isa_ok ($verifier, 'Wallet::ACL::LDAP::Attribute');
+ is ($verifier->check ($user, "$attr=$value"), 1,
+ "Checking $attr=$value succeeds");
+ is ($verifier->error, undef, '...with no error');
+ is ($verifier->check ($user, "$attr=BOGUS"), 0,
+ "Checking $attr=BOGUS fails");
+ is ($verifier->error, undef, '...with no error');
+ is ($verifier->check ($user, "BOGUS=$value"), undef,
+ "Checking BOGUS=$value fails with error");
+ is ($verifier->error,
+ 'cannot check LDAP attribute BOGUS for rra: Undefined attribute type',
+ '...with correct error');
+ is ($verifier->check ('user-does-not-exist', "$attr=$value"), 0,
+ "Checking for nonexistent user fails");
+ is ($verifier->error, undef, '...with no error');
+}
--
cgit v1.2.3
From 9ae4e978acd8d36b39e52087806b00acdf7837ad Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Wed, 27 Feb 2013 15:17:50 -0800
Subject: Mark the LDAP verifier test as maintainer-only
This currently requires global read access to the Stanford LDAP directory, so even other people at Stanford can't run it. Will revisit when we have a chance to write mock LDAP classes.
Change-Id: I0e944b8019744b14a62e60d5dcc662b417108722
Reviewed-on: https://gerrit.stanford.edu/844
Reviewed-by: Russ Allbery
Tested-by: Russ Allbery
---
 perl/t/verifier-ldap-attr.t | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
(limited to 'perl/t/verifier-ldap-attr.t')
diff --git a/perl/t/verifier-ldap-attr.t b/perl/t/verifier-ldap-attr.t
index 1c84fac..41d6737 100755
--- a/perl/t/verifier-ldap-attr.t
+++ b/perl/t/verifier-ldap-attr.t
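Review bot: The skip count in the SKIP block is wrong: `skip "tests useful only with Stanford Kerberos tickets", 4` skips four tests, but the block holds nine (one isa_ok and eight is calls), so with `use Test::More tests => 10` a run without Stanford tickets ends in a plan mismatch instead of a clean skip; the line should read `skip "tests useful only with Stanford Kerberos tickets", 9`. The `eval { Wallet::ACL::LDAP::Attribute->new }` on the first line of this part of the hunk discards the constructor's exception, so when new dies the only diagnostic is the later "Can't call method on an undefined value" from `->check`; a `BAIL_OUT ("cannot create verifier: $@") unless $verifier;` right after the eval would surface the real cause. Setting `$Wallet::Config::LDAP_CACHE = $ENV{KRB5CCNAME}` also leaves the cache undefined when the tickets that satisfied the klist check live in the default credential cache, which presumably matters if the verifier requires an explicit path — worth confirming against Wallet::Config. The SKIP block opens on the previous page line but closes inside this hunk.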
@@ -6,17 +6,24 @@
 # access to the LDAP server and will be skipped in all other environments.
 #
 # Written by Russ Allbery
-# Copyright 2012
+# Copyright 2012, 2013
 # The Board of Trustees of the Leland Stanford Junior University
 #
 # See LICENSE for licensing terms.
 
-use Test::More tests => 10;
+use Test::More;
 
 use lib 't/lib';
 use Util;
 
-BEGIN { use_ok ('Wallet::ACL::LDAP::Attribute') };
+# Skip all spelling tests unless the maintainer environment variable is set.
+plan skip_all => 'LDAP verifier tests only run for maintainer'
+ unless $ENV{RRA_MAINTAINER_TESTS};
+
+# Declare a plan.
+plan tests => 10;
+
+require_ok ('Wallet::ACL::LDAP::Attribute');
 
 my $host = 'ldap.stanford.edu';
 my $base = 'cn=people,dc=stanford,dc=edu';
--
cgit v1.2.3
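Review bot: The new comment above the plan says "Skip all spelling tests", which looks copied from a spelling test and misdescribes this file; it should read `# Skip all tests unless the maintainer environment variable is set.` The file header comment a few lines up still promises the test "will be skipped in all other environments", which remains true, but it now describes the Kerberos-ticket check rather than the new RRA_MAINTAINER_TESTS gate, so extending it with a sentence naming that variable would keep the two in step. The SKIP block with its own skip count sits below this hunk and is unchanged by the commit; if its count still disagrees with the nine tests it contains, `plan tests => 10` will still mismatch whenever that block is skipped, which is worth checking since the maintainer gate no longer guarantees tickets are present.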