-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add preliminary tests on ACL module and prepare clean-up / refactor
- Loading branch information
Showing
2 changed files
with
162 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,128 @@ | ||
# ---------------------------------------------------------------------- | ||
# | ||
# ejabberd, Copyright (C) 2002-2016 ProcessOne | ||
# | ||
# This program is free software; you can redistribute it and/or | ||
# modify it under the terms of the GNU General Public License as | ||
# published by the Free Software Foundation; either version 2 of the | ||
# License, or (at your option) any later version. | ||
# | ||
# This program is distributed in the hope that it will be useful, | ||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
# General Public License for more details. | ||
# | ||
# You should have received a copy of the GNU General Public License along | ||
# with this program; if not, write to the Free Software Foundation, Inc., | ||
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
# | ||
# ---------------------------------------------------------------------- | ||
|
||
defmodule ACLTest do | ||
@author "mremond@process-one.net" | ||
|
||
use ExUnit.Case, async: false | ||
|
||
setup_all do | ||
:ok = :mnesia.start | ||
:ok = :jid.start | ||
:ok = :ejabberd_config.start(["domain1", "domain2"], []) | ||
:ok = :acl.start | ||
end | ||
|
||
setup do | ||
:acl.clear | ||
end | ||
|
||
test "access rule match with user part ACL" do | ||
:acl.add(:global, :basic_acl_1, {:user, "test1"}) | ||
:acl.add_access(:global, :basic_rule_1, [{:basic_acl_1, :allow}]) | ||
# JID can only be passes as jid record. | ||
# => TODO: Support passing JID as binary. | ||
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain1")) == :allow | ||
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain2")) == :allow | ||
# We match on user part only for local domain. As an implicit rule remote domain are not matched | ||
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@otherdomain")) == :deny | ||
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test11@domain1")) == :deny | ||
|
||
:acl.add(:global, :basic_acl_2, {:user, {"test2", "domain1"}}) | ||
:acl.add_access(:global, :basic_rule_2, [{:basic_acl_2, :allow}]) | ||
assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@domain1")) == :allow | ||
assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@domain2")) == :deny | ||
assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@otherdomain")) == :deny | ||
assert :acl.match_rule(:global, :basic_rule_2, {127,0,0,1}) == :deny | ||
end | ||
|
||
test "IP based ACL" do | ||
:acl.add(:global, :ip_acl_1, {:ip, "127.0.0.0/24"}) | ||
:acl.add_access(:global, :ip_rule_1, [{:ip_acl_1, :allow}]) | ||
# IP must be expressed as a tuple when calling match rule | ||
assert :acl.match_rule(:global, :ip_rule_1, {127,0,0,1}) == :allow | ||
assert :acl.match_rule(:global, :ip_rule_1, {127,0,1,1}) == :deny | ||
assert :acl.match_rule(:global, :ip_rule_1, :jid.from_string("test1@domain1")) == :deny | ||
end | ||
|
||
test "Access rule are evaluated sequentially" do | ||
:acl.add(:global, :user_acl_1, {:user, {"test1", "domain2"}}) | ||
:acl.add(:global, :user_acl_2, {:user, "test1"}) | ||
:acl.add_access(:global, :user_rule_1, [{:user_acl_1, :deny}, {:user_acl_2, :allow}]) | ||
assert :acl.match_rule(:global, :user_rule_1, :jid.from_string("test1@domain1")) == :allow | ||
assert :acl.match_rule(:global, :user_rule_1, :jid.from_string("test1@domain2")) == :deny | ||
end | ||
|
||
# Access rules are sometimes used to provide values (i.e.: max_s2s_connections, max_user_sessions) | ||
test "Access rules providing values" do | ||
:acl.add(:global, :user_acl, {:user_regexp, ""}) | ||
:acl.add(:global, :admin_acl, {:user, "admin"}) | ||
:acl.add_access(:global, :value_rule_1, [{:admin_acl, 10}, {:user_acl, 5}]) | ||
assert :acl.match_rule(:global, :value_rule_1, :jid.from_string("test1@domain1")) == 5 | ||
assert :acl.match_rule(:global, :value_rule_1, :jid.from_string("admin@domain1")) == 10 | ||
|
||
# If we have no match, :deny is still the default value | ||
# => TODO maybe we should have a match rule which allow passing custom default value ? | ||
assert :acl.match_rule(:global, :value_rule_1, :jid.from_string("user@otherdomain")) == :deny | ||
end | ||
|
||
|
||
# At the moment IP and user rules to no go well together: There is | ||
# no way to combine IP and user restrictions. | ||
# => TODO we need to implement access rules that implement both and will deny the access | ||
# if either IP or user returns deny | ||
test "mixing IP and user access rules" do | ||
:acl.add(:global, :user_acl_1, {:user, "test1"}) | ||
:acl.add(:global, :ip_acl_1, {:ip, "127.0.0.0/24"}) | ||
:acl.add_access(:global, :mixed_rule_1, [{:user_acl_1, :allow}, {:ip_acl_1, :allow}]) | ||
assert :acl.match_rule(:global, :mixed_rule_1, :jid.from_string("test1@domain1")) == :allow | ||
assert :acl.match_rule(:global, :mixed_rule_1, {127,0,0,1}) == :allow | ||
|
||
:acl.add_access(:global, :mixed_rule_2, [{:user_acl_1, :deny}, {:ip_acl_1, :allow}]) | ||
assert :acl.match_rule(:global, :mixed_rule_2, :jid.from_string("test1@domain1")) == :deny | ||
assert :acl.match_rule(:global, :mixed_rule_2, {127,0,0,1}) == :allow | ||
end | ||
|
||
test "acl:match_access can match directly on user pattern" do | ||
pattern = {:user, {"test1", "domain1"}} | ||
assert :acl.match_access(:global, pattern, :jid.from_string("test1@domain1"), :allow) == :allow | ||
assert :acl.match_access(:global, pattern, :jid.from_string("test2@domain1"), :allow) == :deny | ||
end | ||
|
||
## Checking ACL on both user pattern and IP | ||
## ======================================== | ||
|
||
# Typical example is mod_register | ||
|
||
# Deprecated approach | ||
test "module can test both IP and user through two independent :acl.match_rule check (deprecated)" do | ||
:acl.add(:global, :user_acl, {:user, {"test1", "domain1"}}) | ||
:acl.add(:global, :ip_acl, {:ip, "127.0.0.0/24"}) | ||
:acl.add_access(:global, :user_rule, [{:user_acl, :allow}]) | ||
:acl.add_access(:global, :ip_rule, [{:ip_acl, :allow}]) | ||
|
||
# acl module in 16.03 is not able to provide a function for compound result: | ||
assert :acl.match_rule(:global, :user_rule, :jid.from_string("test1@domain1")) == :allow | ||
assert :acl.match_rule(:global, :ip_rule, {127,0,0,1}) == :allow | ||
assert :acl.match_rule(:global, :user_rule, :jid.from_string("test2@domain1")) == :deny | ||
assert :acl.match_rule(:global, :ip_rule, {127,0,1,1}) == :deny | ||
end | ||
|
||
end |