#!/usr/bin/perl
#
# Tests for the Stanford naming policy.
#
# The naming policy code is included primarily an example for non-Stanford
# sites, but it's used at Stanford and this test suite is used to verify
# behavior at Stanford.
#
# Written by Russ Allbery <eagle@eyrie.org>
# Copyright 2013, 2014
#     The Board of Trustees of the Leland Stanford Junior University
#
# See LICENSE for licensing terms.

use 5.008;
use strict;
use warnings;

use Test::More tests => 130;

use lib 't/lib';
use Util;

# Load the naming policy module.
BEGIN {
    use_ok('Wallet::Admin');
    use_ok('Wallet::Policy::Stanford',
           qw(default_owner verify_name is_for_host));
    use_ok('Wallet::Server');
}

# Set up our configuration for netdb, needed for the netdb verifier.
$Wallet::Config::NETDB_REALM        = 'stanford.edu';
$Wallet::Config::NETDB_REMCTL_CACHE = $ENV{KRB5CCNAME};
$Wallet::Config::NETDB_REMCTL_HOST  = 'netdb-node-roles-rc.stanford.edu';

# Various valid keytab names.
my @VALID_KEYTABS = qw(host/example.stanford.edu HTTP/example.stanford.edu
    service/example example/cgi class-example01/cgi dept-01example/cgi
    group-example-01/cgi afs/testcell.stanford.edu);

# Various invalid keytab names.
my @INVALID_KEYTABS = qw(example host/example service/example.stanford.edu
    thisistoolong/cgi not-valid/cgi unknown/example.stanford.edu
    afs/testcell);

# Various valid file names.
my @VALID_FILES = qw(htpasswd/example.stanford.edu/web
    password-ipmi/example.stanford.edu
    password-root/example.stanford.edu
    password-tivoli/example.stanford.edu
    ssh-dsa/example.stanford.edu
    ssh-rsa/example.stanford.edu
    ssl-key/example.stanford.edu
    ssl-key/example.stanford.edu/mysql
    ssl-keypair/example.stanford.edu
    ssl-keypair/example.stanford.edu/mysql
    tivoli-key/example.stanford.edu
    config/its-idg/example/foo
    db/its-idg/example/s_foo
    gpg-key/its-idg/debian
    password/its-idg/example/backup
    properties/its-idg/accounts
    properties/its-idg/accounts/sponsorship
    ssl-keystore/its-idg/accounts
    ssl-keystore/its-idg/accounts/sponsorship
    ssl-pkcs12/its-idg/accounts
    ssl-pkcs12/its-idg/accounts/sponsorship);

# Various valid legacy file names.
my @VALID_LEGACY_FILES = qw(apps-example-config-file crcsg-example-db-s_example
    idg-debian-gpg-key idg-devnull-password-root sulair-accounts-properties
    idg-accounts-ssl-keystore idg-accounts-ssl-pkcs12
    crcsg-example-htpasswd-web sulair-example-password-ipmi
    sulair-example-password-root sulair-example-password-tivoli
    sulair-example-ssh-dsa sulair-example-ssh-rsa idg-mdm-ssl-key
    idg-openafs-tivoli-key);

# Various invalid file names.
my @INVALID_FILES = qw(unknown foo-example-ssh-rsa idg-accounts-foo !!bad
    htpasswd/example.stanford.edu htpasswd/example password-root/example
    password-root/example.stanford.edu/foo ssh-foo/example.stanford.edu
    tivoli-key/example.stanford.edu/foo tivoli-key config config/its-idg
    config/its-idg/example db/its-idg/example password/its-idg/example
    its-idg/password/example properties//accounts properties/its-idg/
    ssl-keystore/idg/accounts);

# Global variables for the wallet server setup.
my $ADMIN = 'admin@EXAMPLE.COM';
my $HOST = 'localhost';
my @TRACE = ($ADMIN, $HOST);

# Start by testing lots of straightforward naming validity.
for my $name (@VALID_KEYTABS) {
    is(verify_name('keytab', $name), undef, "Valid keytab $name");
}
for my $name (@INVALID_KEYTABS) {
    isnt(verify_name('keytab', $name), undef, "Invalid keytab $name");
}
for my $name (@VALID_FILES) {
    is(verify_name('file', $name), undef, "Valid file $name");
}
for my $name (@VALID_LEGACY_FILES) {
    is(verify_name('file', $name), undef, "Valid file $name");
}
for my $name (@INVALID_FILES) {
    isnt(verify_name('file', $name), undef, "Invalid file $name");
}

# Now test a few cases for checking to see if a file is host-based.  We don't
# test the legacy examples because they're more complicated and less obvious.
for my $name (@VALID_KEYTABS) {
    my $hostname = 'example.stanford.edu';
    if ($name =~ m{\b$hostname\b}) {
        is(is_for_host('keytab', $name, $hostname), 1,
           "Keytab $name belongs to $hostname");
    } else {
        is(is_for_host('keytab', $name, $hostname), 0,
           "Keytab $name doesn't belong to $hostname");
    }
}
for my $name (@VALID_FILES) {
    my $hostname = 'example.stanford.edu';
    if ($name =~ m{\b$hostname\b}) {
        is(is_for_host('file', $name, $hostname), 1,
           "File $name belongs to $hostname");
    } else {
        is(is_for_host('file', $name, $hostname), 0,
           "File $name doesn't belong to $hostname");
    }
}

# Now we need an actual database.  Use Wallet::Admin to set it up.  These
# remaining tests require creating NetDB ACLs, so need a Stanford Kerberos
# principal currently.
my $klist = `klist 2>&1` || '';
SKIP: {
    skip "tests useful only with Stanford Kerberos tickets", 27
        unless ($klist =~ /^(Default p|\s+P)rincipal: \S+\@stanford\.edu$/m);

    db_setup;
    my $setup = eval { Wallet::Admin->new };
    is($@, q{}, 'Database initialization did not die');
    is($setup->reinitialize($ADMIN), 1, 'Database initialization succeeded');
    my $server = eval { Wallet::Server->new(@TRACE) };
    is($@, q{}, 'Server creation did not die');

    # Create a host/example.stanford.edu ACL that uses the netdb ACL type.
    is(
        $server->acl_create('host/example.stanford.edu'),
        1,
        'Created netdb ACL'
    );
    is($server->error, undef, ' with no error');
    is(
        $server->acl_add('host/example.stanford.edu', 'netdb',
                         'example.stanford.edu'),
        1,
        '...with netdb ACL line'
    );
    is($server->error, undef, ' with no error');
    is(
        $server->acl_add('host/example.stanford.edu', 'krb5',
                         'host/example.stanford.edu@stanford.edu'),
        1,
        '...and krb5 ACL line'
    );
    is($server->error, undef, ' with no error');

    # Likewise for host/foo.example.edu with the netdb-root ACL type.
    is(
        $server->acl_create('host/foo.stanford.edu'),
        1,
        'Created netdb-root ACL'
    );
    is(
        $server->acl_add('host/foo.stanford.edu', 'netdb-root',
                         'foo.stanford.edu'),
        1,
        '...with netdb-root ACL line'
    );
    is(
        $server->acl_add('host/foo.stanford.edu', 'krb5',
                         'host/foo.stanford.edu@stanford.edu'),
        1,
        '...and krb5 ACL line'
    );

    # Create a group/its-idg ACL, which will be used for autocreation of file
    # objects.
    is($server->acl_create('group/its-idg'), 1, 'Created group/its-idg ACL');
    is($server->acl_add('group/its-idg', 'krb5', $ADMIN), 1, '...with member');

    # Now we can test default ACLs.  First, without a root instance.
    local $ENV{REMOTE_USER} = $ADMIN;
    is_deeply(
        [default_owner('keytab', 'host/bar.stanford.edu')],
        [
            'host/bar.stanford.edu',
            ['netdb', 'bar.stanford.edu'],
            ['krb5', 'host/bar.stanford.edu@stanford.edu']
        ],
        'Correct default owner for host-based keytab'
    );
    is_deeply(
        [default_owner('keytab', 'HTTP/example.stanford.edu')],
        [
            'host/example.stanford.edu',
            ['netdb', 'example.stanford.edu'],
            ['krb5', 'host/example.stanford.edu@stanford.edu']
        ],
        '...and when netdb ACL already exists'
    );
    is_deeply(
        [default_owner('keytab', 'webauth/foo.stanford.edu')],
        [
            'host/foo.stanford.edu',
            ['netdb-root', 'foo.stanford.edu'],
            ['krb5', 'host/foo.stanford.edu@stanford.edu']
        ],
        '...and when netdb-root ACL already exists'
    );

    # Now with a root instance.
    local $ENV{REMOTE_USER} = 'admin/root@stanford.edu';
    is_deeply(
        [default_owner('keytab', 'host/bar.stanford.edu')],
        [
            'host/bar.stanford.edu',
            ['netdb-root', 'bar.stanford.edu'],
            ['krb5', 'host/bar.stanford.edu@stanford.edu']
        ],
        'Correct default owner for host-based keytab for /root'
    );
    is_deeply(
        [default_owner('keytab', 'HTTP/example.stanford.edu')],
        [
            'host/example.stanford.edu',
            ['netdb-root', 'example.stanford.edu'],
            ['krb5', 'host/example.stanford.edu@stanford.edu']
        ],
        '...and when netdb ACL already exists'
    );
    is_deeply(
        [default_owner('keytab', 'webauth/foo.stanford.edu')],
        [
            'host/foo.stanford.edu',
            ['netdb-root', 'foo.stanford.edu'],
            ['krb5', 'host/foo.stanford.edu@stanford.edu']
        ],
        '...and when netdb-root ACL already exists'
    );

    # Check for a type that isn't host-based.
    is(
        default_owner('keytab', 'service/foo'),
        undef,
        'No default owner for service/foo'
    );

    # Check for an unknown object type.
    is(
        default_owner('unknown', 'foo'),
        undef,
        'No default owner for unknown type'
    );

    # Check for autocreation mappings for host-based file objects.
    is_deeply(
        [default_owner('file', 'ssl-key/example.stanford.edu')],
        [
            'host/example.stanford.edu',
            ['netdb-root', 'example.stanford.edu'],
            ['krb5', 'host/example.stanford.edu@stanford.edu']
        ],
        'Default owner for file ssl-key/example.stanford.edu',
    );
    is_deeply(
        [default_owner('file', 'ssl-key/example.stanford.edu/mysql')],
        [
            'host/example.stanford.edu',
            ['netdb-root', 'example.stanford.edu'],
            ['krb5', 'host/example.stanford.edu@stanford.edu']
        ],
        'Default owner for file ssl-key/example.stanford.edu/mysql',
    );

    # Check for a file object that isn't host-based.
    is_deeply(
        [default_owner('file', 'config/its-idg/example/foo')],
        ['group/its-idg', ['krb5', $ADMIN]],
        'Default owner for file config/its-idg/example/foo',
    );

    # Check for legacy autocreation mappings for file objects.
    for my $type (qw(htpasswd ssh-rsa ssh-dsa ssl-key tivoli-key)) {
        my $name = "idg-example-$type";
        is_deeply(
            [default_owner('file', $name)],
            [
                'host/example.stanford.edu',
                ['netdb-root', 'example.stanford.edu'],
                ['krb5', 'host/example.stanford.edu@stanford.edu']
            ],
            "Default owner for file $name",
        );
    }

    # Clean up.
    $setup->destroy;
}

END {
    unlink 'wallet-db';
}