authorMickael Remond <mremond@process-one.net>2016-04-07 11:50:35 +0200
committerMickael Remond <mremond@process-one.net>2016-04-07 12:06:30 +0200
commita938af41803b30df4c7c8c5b2b1511e9842ebf7a (patch)
tree6f1a151c00455da7f9e9a42cf19ba51e5dc0103f /test
parentRebase master (diff)
IP based ACL / Access rules and sequential evaluation of rules
Diffstat (limited to 'test')
-rw-r--r--test/acl_test.exs24
1 files changed, 23 insertions, 1 deletions
diff --git a/test/acl_test.exs b/test/acl_test.exs
index 663d3bb6..00c04ed6 100644
--- a/test/acl_test.exs
+++ b/test/acl_test.exs
@@ -34,9 +34,11 @@ defmodule ACLTest do
:acl.clear
end
- test "simple user access rule matches" do
+ test "access rule match with user part ACL" do
:acl.add(:global, :basic_acl_1, {:user, "test1"})
:acl.add_access(:global, :basic_rule_1, [{:basic_acl_1, :allow}])
+ # JID can only be passes as jid record.
+ # => TODO: Support passing JID as binary.
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain1")) == :allow
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain2")) == :allow
# We match on user part only for local domain. As an implicit rule remote domain are not matched
@@ -48,6 +50,26 @@ defmodule ACLTest do
assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@domain1")) == :allow
assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@domain2")) == :deny
assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@otherdomain")) == :deny
+ assert :acl.match_rule(:global, :basic_rule_2, {127,0,0,1}) == :deny
end
+ test "IP based ACL" do
+ :acl.add(:global, :ip_acl_1, {:ip, "127.0.0.0/24"})
+ :acl.add_access(:global, :ip_rule_1, [{:ip_acl_1, :allow}])
+ # IP must be expressed as a tuple when calling match rule
+ assert :acl.match_rule(:global, :ip_rule_1, {127,0,0,1}) == :allow
+ assert :acl.match_rule(:global, :ip_rule_1, {127,0,1,1}) == :deny
+ assert :acl.match_rule(:global, :ip_rule_1, :jid.from_string("test1@domain1")) == :deny
+ end
+
+ test "Access rule are evaluated sequentially" do
+ :acl.add(:global, :user_acl_1, {:user, {"test1", "domain2"}})
+ :acl.add(:global, :user_acl_2, {:user, "test1"})
+ :acl.add_access(:global, :user_rule_1, [{:user_acl_1, :deny}, {:user_acl_2, :allow}])
+ assert :acl.match_rule(:global, :user_rule_1, :jid.from_string("test1@domain1")) == :allow
+ assert :acl.match_rule(:global, :user_rule_1, :jid.from_string("test1@domain2")) == :deny
+ end
+
+ # At the moment IP and user rules to no go well together: TODO
+
end
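Review bot: The "Access rule are evaluated sequentially" test does not pin evaluation order, because both of its assertions would also pass if a matching deny entry simply took precedence over allow entries regardless of position. Adding the reversed rule would separate the two behaviours: `:acl.add_access(:global, :user_rule_2, [{:user_acl_2, :allow}, {:user_acl_1, :deny}])` followed by `assert :acl.match_rule(:global, :user_rule_2, :jid.from_string("test1@domain2")) == :allow`, assuming first match wins as the test name implies. In "IP based ACL" the /24 is probed only at 127.0.0.1 and 127.0.1.1; asserting the edges `{127,0,0,0}`, `{127,0,0,255}` and `{127,0,1,0}` would catch an off-by-one in the mask handling. The closing TODO about IP and user rules not combining is left without a test, so a rule mixing both kinds has no asserted outcome; a case pinning that it resolves to `:deny` (if fail-closed is the intended behaviour) would keep that gap visible.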