1 files changed, 47 insertions, 3 deletions

diff --git a/cpp/src/tests/cluster_tests.py b/cpp/src/tests/cluster_tests.py
index 3fb184c282..974c00b4dc 100755
--- a/cpp/src/tests/cluster_tests.py
+++ b/cpp/src/tests/cluster_tests.py
@@ -105,14 +105,58 @@ class ShortTests(BrokerTest):
     def test_sasl(self):
         """Test SASL authentication and encryption in a cluster"""
         sasl_config=os.path.join(self.rootdir, "sasl_config")
-        cluster = self.cluster(3, ["--auth", "yes", "--sasl-config", sasl_config])
-        # Try a bad user ID
+        acl=os.path.join(os.getcwd(), "policy.acl")
+        aclf=file(acl,"w")
+        aclf.write("""
+acl deny zag@QPID create queue
+acl allow all all
+""")
+        aclf.close()
+        cluster = self.cluster(2, args=["--auth", "yes",
+                                        "--sasl-config", sasl_config,
+                                        "--load-module", os.getenv("ACL_LIB"),
+                                        "--acl-file", acl])
+
+        # Valid user/password, ensure queue is created.
+        c = cluster[0].connect(username="zig", password="zig")
+        c.session().sender("ziggy;{create:always}")
+        c.close()
+        c = cluster[1].connect(username="zig", password="zig")
+        c.session().receiver("ziggy;{assert:always}")
+        c.close()
+        for b in cluster: b.ready()     # Make sure all brokers still running.
+
+        # Valid user, bad password
+        try:
+            cluster[0].connect(username="zig", password="foo").close()
+            self.fail("Expected exception")
+        except messaging.exceptions.ConnectionError: pass
+        for b in cluster: b.ready()     # Make sure all brokers still running.
+
+        # Bad user ID
         try:
-            c = messaging.Connection.establish("nosuch/user@%s"%(cluster[0].host_port()))
+            cluster[0].connect(username="foo", password="bar").close()
             self.fail("Expected exception")
         except messaging.exceptions.ConnectionError: pass
         for b in cluster: b.ready()     # Make sure all brokers still running.
 
+        # Action disallowed by ACL
+        c = cluster[0].connect(username="zag", password="zag")
+        try:
+            s = c.session()
+            s.sender("zaggy;{create:always}")
+            s.close()
+            self.fail("Expected exception")
+        except messaging.exceptions.UnauthorizedAccess: pass
+        # make sure the queue was not created at the other node.
+        c = cluster[0].connect(username="zag", password="zag")
+        try:
+            s = c.session()
+            s.sender("zaggy;{assert:always}")
+            s.close()
+            self.fail("Expected exception")
+        except messaging.exceptions.NotFound: pass
+
         
 class LongTests(BrokerTest):
     """Tests that can run for a long time if -DDURATION=<minutes> is set"""