From a938af41803b30df4c7c8c5b2b1511e9842ebf7a Mon Sep 17 00:00:00 2001
From: Mickael Remond <mremond@process-one.net>
Date: Thu, 7 Apr 2016 11:50:35 +0200
Subject: [PATCH] IP based ACL / Access rules and sequential evaluation of
 rules

---
 test/acl_test.exs | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/test/acl_test.exs b/test/acl_test.exs
index 663d3bb63..00c04ed63 100644
--- a/test/acl_test.exs
+++ b/test/acl_test.exs
@@ -34,9 +34,11 @@ defmodule ACLTest do
     :acl.clear
   end
 
-  test "simple user access rule matches" do
+  test "access rule match with user part ACL" do
     :acl.add(:global, :basic_acl_1, {:user, "test1"})
     :acl.add_access(:global, :basic_rule_1, [{:basic_acl_1, :allow}])
+    # JID can only be passes as jid record.
+    # => TODO: Support passing JID as binary.
     assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain1")) == :allow
     assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain2")) == :allow
     # We match on user part only for local domain. As an implicit rule remote domain are not matched
@@ -48,6 +50,26 @@ defmodule ACLTest do
     assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@domain1")) == :allow
     assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@domain2")) == :deny
     assert :acl.match_rule(:global, :basic_rule_2, :jid.from_string("test2@otherdomain")) == :deny
+    assert :acl.match_rule(:global, :basic_rule_2, {127,0,0,1}) == :deny
   end
 
+  test "IP based ACL" do
+    :acl.add(:global, :ip_acl_1, {:ip, "127.0.0.0/24"})
+    :acl.add_access(:global, :ip_rule_1, [{:ip_acl_1, :allow}])
+    # IP must be expressed as a tuple when calling match rule
+    assert :acl.match_rule(:global, :ip_rule_1, {127,0,0,1}) == :allow
+    assert :acl.match_rule(:global, :ip_rule_1, {127,0,1,1}) == :deny
+    assert :acl.match_rule(:global, :ip_rule_1, :jid.from_string("test1@domain1")) == :deny
+  end
+
+  test "Access rule are evaluated sequentially" do
+    :acl.add(:global, :user_acl_1, {:user, {"test1", "domain2"}})
+    :acl.add(:global, :user_acl_2, {:user, "test1"})
+    :acl.add_access(:global, :user_rule_1, [{:user_acl_1, :deny}, {:user_acl_2, :allow}])
+    assert :acl.match_rule(:global, :user_rule_1, :jid.from_string("test1@domain1")) == :allow
+    assert :acl.match_rule(:global, :user_rule_1, :jid.from_string("test1@domain2")) == :deny
+  end
+
+  # At the moment IP and user rules to no go well together: TODO
+
 end