From 9df0def5c5d518f5415ea5fbae737c16670a8249 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Sat, 1 Sep 2007 00:34:23 +0000
Subject: Add some additional safeguards to ensure that users cannot destroy, rename, or remove the last entry from the ADMIN ACL. Add full documentation for Wallet::Server.
---
 perl/t/server.t | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
 (limited to 'perl/t')
diff --git a/perl/t/server.t b/perl/t/server.t
index bca035e..5265c2d 100755
--- a/perl/t/server.t
+++ b/perl/t/server.t
@@ -3,7 +3,7 @@
 #
 # t/server.t -- Tests for the wallet server API.
-use Test::More tests => 201;
+use Test::More tests => 207;
 use Wallet::Config;
 use Wallet::Server;
@@ -96,6 +96,16 @@ is ($server->error,
 "cannot remove krb5:$user1 from 5: entry not found in ACL",
 ' and returns the right error');
+# Make sure we can't cripple the ADMIN ACL.
+is ($server->acl_destroy ('ADMIN'), undef, 'Cannot destroy the ADMIN ACL');
+is ($server->error, 'cannot destroy the ADMIN ACL', ' with the right error');
+is ($server->acl_rename ('ADMIN', 'foo'), undef, ' or rename it');
+is ($server->error, 'cannot rename the ADMIN ACL', ' with the right error');
+is ($server->acl_remove ('ADMIN', 'krb5', $admin), undef,
+ ' or remove its last entry');
+is ($server->error, 'cannot remove last ADMIN ACL entry',
+ ' with the right error');
 # Now, create a few objects to use for testing and test the object API while
 # we're at it.
 is ($server->create ('base', 'service/admin'), 1,
-- cgit v1.2.3
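Review bot: The new ADMIN checks in the second hunk refer to the ACL only by the name 'ADMIN', so they do not show that the same guards hold when the ACL is referenced another way. The error string on the context line above them (`from 5`) suggests ACLs are also identified by numeric id; if the API accepts an id, add a parallel assertion such as `is ($server->acl_destroy ($admin_acl_id), undef, ' or destroy it by id');` (`$admin_acl_id` is a placeholder for however the test looks the id up) and raise the plan count in the first hunk to match. It would also help to assert after the three refusals that `$admin` is still a member of ADMIN, so a guard that reports the error only after it has already changed the ACL would be caught. The `is ($server->create ...` statement at the end of the hunk continues outside it.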