From 9f4b1bcf315f09fd6d302ad187281ec4ed443f04 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Thu, 17 Oct 2013 12:05:26 +0200
Subject: blacklist system logins for aliases and logins

We blacklist based on three things:
* blacklist in APP_CONFIG[:handle_blacklist]
* emails in RFC 2142
* usernames in /etc/passwd

The latter two can be allowed by explicitly whitelisting them in APP_CONFIG[:handle_whitelist].

We stick to blocking names that have been configured as both blacklisted and whitelisted - better be save than sorry.
---
 users/test/unit/local_email_test.rb | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

(limited to 'users/test/unit')

diff --git a/users/test/unit/local_email_test.rb b/users/test/unit/local_email_test.rb
index b25f46f..20ee7f1 100644
--- a/users/test/unit/local_email_test.rb
+++ b/users/test/unit/local_email_test.rb
@@ -24,6 +24,37 @@ class LocalEmailTest < ActiveSupport::TestCase
     assert_equal ["needs to end in @#{LocalEmail.domain}"], local.errors[:email]
   end
 
+  test "blacklists rfc2142" do
+    black_listed = LocalEmail.new('hostmaster')
+    assert !black_listed.valid?
+  end
+
+  test "blacklists etc passwd" do
+    black_listed = LocalEmail.new('nobody')
+    assert !black_listed.valid?
+  end
+
+  test "whitelist overwrites automatic blacklists" do
+    with_config handle_whitelist: ['nobody', 'hostmaster'] do
+      white_listed = LocalEmail.new('nobody')
+      assert white_listed.valid?
+      white_listed = LocalEmail.new('hostmaster')
+      assert white_listed.valid?
+    end
+  end
+
+  test "blacklists from config" do
+    black_listed = LocalEmail.new('www-data')
+    assert !black_listed.valid?
+  end
+
+  test "blacklist from config overwrites whitelist" do
+    with_config handle_whitelist: ['www-data'] do
+      black_listed = LocalEmail.new('www-data')
+      assert !black_listed.valid?
+    end
+  end
+
   def handle
     @handle ||= Faker::Internet.user_name
   end
-- 
cgit v1.2.3