Chapril
/
xmpp.chapril.org-ejabberd
mirror of https://github.com/processone/ejabberd.git
24
1
Fork 0
Code Releases Activity

IP based ACL / Access rules and sequential evaluation of rules

This commit is contained in:
Mickael Remond 2016-04-07 11:50:35 +02:00
parent 48a1d818d6
commit a938af4180
No known key found for this signature in database
GPG Key ID: E6F6045D79965AA3
1 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
test/acl_test.exs
View File

@ -34,9 +34,11 @@ defmodule ACLTest do
:acl.clear
end
test "simple user access rule matches" do
test "access rule match with user part ACL" do
:acl.add(:global, :basic_acl_1, {:user, "test1"})
:acl.add_access(:global, :basic_rule_1, [{:basic_acl_1, :allow}])
# JID can only be passes as jid record.
# => TODO: Support passing JID as binary.
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain1")) == :allow
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain2")) == :allow
# We match on user part only for local domain. As an implicit rule remote domain are not matched
@ -48,6 +50,26 @@ defmodule ACLTest do
assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@domain1")) == :allow
assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@domain2")) == :deny
assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@otherdomain")) == :deny
assert :acl.match_rule(:global, :basic_rule_2, {127,0,0,1}) == :deny
end
test "IP based ACL" do
:acl.add(:global, :ip_acl_1, {:ip, "127.0.0.0/24"})
:acl.add_access(:global, :ip_rule_1, [{:ip_acl_1, :allow}])
# IP must be expressed as a tuple when calling match rule
assert :acl.match_rule(:global, :ip_rule_1, {127,0,0,1}) == :allow
assert :acl.match_rule(:global, :ip_rule_1, {127,0,1,1}) == :deny
assert :acl.match_rule(:global, :ip_rule_1, :jid.from_string("test1@domain1")) == :deny
end
test "Access rule are evaluated sequentially" do
:acl.add(:global, :user_acl_1, {:user, {"test1", "domain2"}})
:acl.add(:global, :user_acl_2, {:user, "test1"})
:acl.add_access(:global, :user_rule_1, [{:user_acl_1, :deny}, {:user_acl_2, :allow}])
assert :acl.match_rule(:global, :user_rule_1, :jid.from_string("test1@domain1")) == :allow
assert :acl.match_rule(:global, :user_rule_1, :jid.from_string("test1@domain2")) == :deny
end
# At the moment IP and user rules to no go well together: TODO
end