source: web/old/remctl-2.14/tests/server/acl-t.c @ f6f3e91

Last change on this file since f6f3e91 was f6f3e91, checked in by Jessica B. Hamrick <jhamrick@…>, 15 years ago

Preserve directory hierarchy (not sure what happened to it)

  • Property mode set to 100644
File size: 8.5 KB
1/*
2 * Test suite for the server ACL checking.
3 *
4 * Written by Russ Allbery <rra@stanford.edu>
5 * Copyright 2007, 2008, 2009
6 *     Board of Trustees, Leland Stanford Jr. University
7 * Copyright 2008 Carnegie Mellon University
8 *
9 * See LICENSE for licensing terms.
10 */
11
12#include <config.h>
13#include <portable/system.h>
14
15#include <server/internal.h>
16#include <tests/tap/basic.h>
17#include <tests/tap/messages.h>
18#include <util/util.h>
19
20
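/*
 * Run the ACL test plan against server_config_acl_permit.
 *
 * A single struct confline is reused for every check.  Its acls member
 * points at the local NULL-terminated acls array, which is rewritten in place
 * before each group of checks, so the statement order below is significant:
 * slots that a group does not assign keep whatever the previous group left in
 * them.  The test data is addressed relative to the directory named by the
 * SOURCE environment variable.
 *
 * The groups pin down the access-control behavior a reviewer cares about:
 * principal matching is case-sensitive, an error while reading an ACL entry
 * denies access rather than skipping the entry, a deny entry only ever
 * removes access, and an unknown or unsupported scheme is rejected with a
 * diagnostic.
 *
 * Returns 0; individual results are reported through the TAP helpers.
 */
int
main(void)
{
    struct confline confline = {
        NULL, 0, NULL, NULL, NULL, NULL, NULL, 0, NULL
    };
    const char *acls[5];
    const char *source;

    plan(56);

    /*
     * getenv returns NULL when SOURCE is unset.  Check for that explicitly
     * instead of handing a null pointer to chdir, so that a misconfigured
     * test run stops with an accurate message.
     */
    source = getenv("SOURCE");
    if (source == NULL)
        bail("SOURCE not set in the environment");
    if (chdir(source) < 0)
        sysbail("can't chdir to SOURCE");

    confline.file = (char *) "TEST";
    confline.acls = (char **) acls;
    acls[0] = "data/acl-simple";
    acls[1] = NULL;
    acls[2] = NULL;
    acls[3] = NULL;
    acls[4] = NULL;

    /* Principals expected to be granted access by data/acl-simple. */
    ok(server_config_acl_permit(&confline, "rra@example.org"), "simple 1");
    ok(server_config_acl_permit(&confline, "rra@EXAMPLE.COM"), "simple 2");
    ok(server_config_acl_permit(&confline, "cindy@EXAMPLE.COM"), "simple 3");
    ok(server_config_acl_permit(&confline, "test@EXAMPLE.COM"), "simple 4");
    ok(server_config_acl_permit(&confline, "test2@EXAMPLE.COM"), "simple 5");

    /*
     * Principals that must be refused.  The first two differ from permitted
     * principals only in the case of the realm, so matching has to be
     * case-sensitive.
     */
    ok(!server_config_acl_permit(&confline, "rra@EXAMPLE.ORG"), "no 1");
    ok(!server_config_acl_permit(&confline, "rra@example.com"), "no 2");
    ok(!server_config_acl_permit(&confline, "paul@EXAMPLE.COM"), "no 3");
    ok(!server_config_acl_permit(&confline, "peter@EXAMPLE.COM"), "no 4");

    /*
     * Okay, now capture and check the errors.  In each case below an error
     * in one ACL entry must result in denial, and the diagnostic must name
     * the file and line at fault.
     */
    acls[0] = "data/acl-bad-include";
    acls[1] = "data/acls/valid";
    errors_capture();
    ok(!server_config_acl_permit(&confline, "test@EXAMPLE.COM"),
       "included file not found");
    is_string("data/acl-bad-include:1: included file data/acl-nosuchfile"
              " not found\n", errors, "...and correct error message");
    acls[0] = "data/acl-recursive";
    errors_capture();
    ok(!server_config_acl_permit(&confline, "test@EXAMPLE.COM"),
       "recursive ACL inclusion");
    is_string("data/acl-recursive:3: data/acl-recursive recursively"
              " included\n", errors, "...and correct error message");

    /*
     * A match in the first entry is honored without reporting an error from
     * the second, but a principal that is not matched by the first entry is
     * denied once the over-long line in the second is reached.
     */
    acls[0] = "data/acls/valid-2";
    acls[1] = "data/acl-too-long";
    errors_capture();
    ok(server_config_acl_permit(&confline, "test2@EXAMPLE.COM"),
       "granted access based on first ACL file");
    ok(errors == NULL, "...with no errors");
    ok(!server_config_acl_permit(&confline, "test@EXAMPLE.COM"),
       "...but failed when we hit second file with long line");
    is_string("data/acl-too-long:1: ACL file line too long\n", errors,
              "...with correct error message");

    /*
     * A missing first ACL file denies access even though the second entry is
     * a readable file; the second check uses a principal that the test name
     * says is listed in an ACL file.  The error is attributed to the
     * configuration line itself (TEST:0).
     */
    acls[0] = "data/acl-no-such-file";
    acls[1] = "data/acls/valid";
    errors_capture();
    ok(!server_config_acl_permit(&confline, "test@EXAMPLE.COM"),
       "no such ACL file");
    is_string("TEST:0: included file data/acl-no-such-file not found\n",
              errors, "...with correct error message");
    errors_capture();
    ok(!server_config_acl_permit(&confline, "test2@EXAMPLE.COM"),
       "...even with a principal in an ACL file");
    is_string("TEST:0: included file data/acl-no-such-file not found\n",
              errors, "...still with right error message");
    acls[0] = "data/acl-bad-syntax";
    errors_capture();
    ok(!server_config_acl_permit(&confline, "test@EXAMPLE.COM"),
       "incorrect syntax");
    is_string("data/acl-bad-syntax:2: parse error\n", errors,
              "...with correct error message");
    errors_uncapture();

    /* Check that file: works at the top level. */
    acls[0] = "file:data/acl-simple";
    acls[1] = NULL;
    ok(server_config_acl_permit(&confline, "rra@example.org"),
       "file: success");
    ok(!server_config_acl_permit(&confline, "rra@EXAMPLE.ORG"),
       "file: failure");

    /*
     * Check that include syntax works.  These still use the
     * file:data/acl-simple entry set above.
     */
    ok(server_config_acl_permit(&confline, "incfile@EXAMPLE.ORG"),
       "include 1");
    ok(server_config_acl_permit(&confline, "incfdir@EXAMPLE.ORG"),
       "include 2");
    ok(server_config_acl_permit(&confline, "explicit@EXAMPLE.COM"),
       "include 3");
    ok(server_config_acl_permit(&confline, "direct@EXAMPLE.COM"),
       "include 4");
    ok(server_config_acl_permit(&confline, "good@EXAMPLE.ORG"),
       "include 5");
    ok(!server_config_acl_permit(&confline, "evil@EXAMPLE.ORG"),
       "include failure");

    /* Check that princ: works at the top level. */
    acls[0] = "princ:direct@EXAMPLE.NET";
    ok(server_config_acl_permit(&confline, "direct@EXAMPLE.NET"),
       "princ: success");
    ok(!server_config_acl_permit(&confline, "wrong@EXAMPLE.NET"),
       "princ: failure");

    /*
     * Check that deny: works at the top level.  The denied principal is also
     * listed in a later princ: entry and must still be refused.
     */
    acls[0] = "deny:princ:evil@EXAMPLE.NET";
    acls[1] = "princ:good@EXAMPLE.NET";
    acls[2] = "princ:evil@EXAMPLE.NET";
    acls[3] = NULL;
    ok(server_config_acl_permit(&confline, "good@EXAMPLE.NET"),
       "deny: success");
    ok(!server_config_acl_permit(&confline, "evil@EXAMPLE.NET"),
       "deny: failure");

    /*
     * And make sure deny interacts correctly with files.  The first check
     * relies on data/acl-simple carrying a deny for evil@EXAMPLE.NET
     * (presumably; the data file is not shown here).
     */
    acls[0] = "data/acl-simple";
    acls[1] = "princ:evil@EXAMPLE.NET";
    acls[2] = NULL;
    ok(!server_config_acl_permit(&confline, "evil@EXAMPLE.NET"),
       "deny in file beats later princ");
    acls[0] = "deny:princ:rra@example.org";
    acls[1] = "data/acl-simple";
    ok(!server_config_acl_permit(&confline, "rra@example.org"),
       "deny overrides later file");

    /*
     * Ensure deny never affirmatively grants access, so deny:deny: matches
     * nothing.
     */
    acls[0] = "deny:deny:princ:rra@example.org";
    acls[1] = "data/acl-simple";
    ok(server_config_acl_permit(&confline, "rra@example.org"),
       "deny:deny does nothing");
    ok(server_config_acl_permit(&confline, "rra@EXAMPLE.COM"),
       "deny:deny doesn't break anything");

    /*
     * Denying a file denies anything that would match the file, and nothing
     * that wouldn't, including due to an embedded deny.
     */
    acls[0] = "deny:file:data/acl-simple";
    acls[1] = "princ:explicit@EXAMPLE.COM";
    acls[2] = "princ:evil@EXAMPLE.ORG";
    acls[3] = "princ:evil@EXAMPLE.NET";
    acls[4] = NULL;
    ok(!server_config_acl_permit(&confline, "explicit@EXAMPLE.COM"),
       "deny of a file works");
    ok(server_config_acl_permit(&confline, "evil@EXAMPLE.ORG"),
       "...and doesn't break anything");
    ok(server_config_acl_permit(&confline, "evil@EXAMPLE.NET"),
       "...and deny inside a denied file is ignored");

    /*
     * Check for an invalid ACL scheme.  The unknown scheme must cause a
     * denial with a diagnostic even though a file entry follows it.
     */
    acls[0] = "ihateyou:verymuch";
    acls[1] = "data/acls/valid";
    errors_capture();
    ok(!server_config_acl_permit(&confline, "test@EXAMPLE.COM"),
       "invalid ACL scheme");
    is_string("TEST:0: invalid ACL scheme 'ihateyou'\n", errors,
              "...with correct error");
    errors_uncapture();

    /*
     * Check for GPUT ACLs and also make sure they behave sanely when GPUT
     * support is not compiled.  Without support, a gput: entry must deny and
     * report that the scheme is unsupported; the remaining four checks are
     * skipped so that the plan count stays at 56 either way.
     */
    server_config_set_gput_file((char *) "data/gput");
    acls[0] = "gput:test";
    acls[1] = NULL;
#ifdef HAVE_GPUT
    ok(server_config_acl_permit(&confline, "priv@EXAMPLE.ORG"), "GPUT 1");
    ok(!server_config_acl_permit(&confline, "nonpriv@EXAMPLE.ORG"), "GPUT 2");
    ok(!server_config_acl_permit(&confline, "priv@EXAMPLE.NET"), "GPUT 3");
    acls[0] = "gput:test[%@EXAMPLE.NET]";
    ok(server_config_acl_permit(&confline, "priv@EXAMPLE.NET"),
       "GPUT with transform 1");
    ok(!server_config_acl_permit(&confline, "nonpriv@EXAMPLE.NET"),
       "GPUT with transform 2");
    ok(!server_config_acl_permit(&confline, "priv@EXAMPLE.ORG"),
       "GPUT with transform 3");
#else
    errors_capture();
    ok(!server_config_acl_permit(&confline, "priv@EXAMPLE.ORG"), "GPUT");
    is_string("TEST:0: ACL scheme 'gput' is not supported\n", errors,
              "...with not supported error");
    errors_uncapture();
    skip_block(4, "GPUT support not configured");
#endif

    /*
     * Test for valid characters in ACL files.  The entry names a directory,
     * and the "invalid chars" principals must not be granted access.
     * NOTE(review): going by the principal names, these presumably live in
     * files whose names contain a hash, a period, or a tilde and are
     * therefore not read -- confirm against the test data.
     */
    acls[0] = "file:data/acls";
    acls[1] = NULL;
    ok(server_config_acl_permit(&confline, "upcase@EXAMPLE.ORG"),
       "valid chars 1");
    ok(server_config_acl_permit(&confline, "test@EXAMPLE.COM"),
       "valid chars 2");
    ok(server_config_acl_permit(&confline, "test2@EXAMPLE.COM"),
       "valid chars 3");
    ok(!server_config_acl_permit(&confline, "hash@EXAMPLE.ORG"),
       "invalid chars 1");
    ok(!server_config_acl_permit(&confline, "period@EXAMPLE.ORG"),
       "invalid chars 2");
    ok(!server_config_acl_permit(&confline, "tilde@EXAMPLE.ORG"),
       "invalid chars 3");

    return 0;
}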