
function LdapAuthenticationTestCase::testAuthenticationWhitelistTests in Lightweight Directory Access Protocol (LDAP) 7

Same name and namespace in other branches
  1. 8.2 ldap_authentication/tests/ldap_authentication.test \LdapAuthenticationTestCase::testAuthenticationWhitelistTests()
  2. 7.2 ldap_authentication/tests/ldap_authentication.test \LdapAuthenticationTestCase::testAuthenticationWhitelistTests()

File

ldap_authentication/tests/ldap_authentication.test, line 332

Class

LdapAuthenticationTestCase

Code

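/**
 * Exercises the ldap_authentication logon restrictions end to end.
 *
 * Covers, in order: user 1 being exempt from the allow/exclude lists, the
 * allowOnlyIfTextInDn allow list, the excludeIfTextInDn exclude list, the
 * allowTestPhp snippet (with the php module both disabled and enabled), and
 * the excludeIfNoAuthorizations setting with its fail-closed behaviour when
 * LDAP Authorization is disabled.
 *
 * NOTE(review): the method currently returns before doing any of this, so
 * none of these access-control paths is covered on this branch.
 */
function testAuthenticationWhitelistTests() {

  // TODO: Fix failing tests, excluding to make branch pass.
  // Everything below this return is unreachable. The method records no
  // assertions at all, so the missing coverage of the allow list, exclude
  // list, PHP test and failsafe checks is easy to overlook in a test report.
  return;
  require_once drupal_get_path('module', 'ldap_authentication') . '/LdapAuthenticationConfAdmin.class.php';
  $sid = 'ldapauthen1';
  $this->sid = $sid;
  $testid = 'WL1';
  $this
    ->prepTestData($sid, $testid);
  $ldap_servers = ldap_servers_get_servers($sid, 'enabled');
  $this
    ->assertTrue(count($ldap_servers) == 1, ' ldap_authentication test server setup successful', $testid);

  // these 2 modules are configured in setup, but disabled for most authentication tests
  module_disable(array(
    'ldap_authorization_drupal_role',
    'ldap_authorization',
  ));

  /**
   * LDAP_authen.WL.user1  test for user 1 being excluded from white and black list tests
   */
  $user1 = user_load(1);
  $password = $this
    ->randomString(20);
  require_once DRUPAL_ROOT . '/includes/password.inc';
  // The hash is written straight into the users table so the test knows the
  // plaintext. It is computed over trim($password) while the form below posts
  // the untrimmed value -- presumably the login handler trims too; confirm.
  $account = array(
    'name' => $user1->name,
    'pass' => user_hash_password(trim($password)),
  );
  db_update('users')
    ->fields($account)
    ->condition('uid', 1)
    ->execute();
  $edit = array(
    'name' => $user1->name,
    'pass' => $password,
  );
  $this
    ->drupalPost('user', $edit, t('Log in'));
  $this
    ->assertText(t('Member for'), 'User 1 successfully authenticated in LDAP_authen.WL.user1', $testid);
  $this
    ->drupalGet('user/logout');
  module_enable(array(
    'ldap_authorization',
  ));
  module_enable(array(
    'ldap_authorization_drupal_role',
  ));

  /**
   * prep LDAP_authen.WL.allow
   */
  // NOTE(review): only one matching and one non-matching DN are tried below.
  // If the setting is a plain text match anywhere in the DN (as its name
  // suggests -- confirm), case differences and text appearing in a different
  // DN component are not covered.
  $authenticationConf = new LdapAuthenticationConfAdmin();
  $authenticationConf->allowOnlyIfTextInDn = array(
    'ou=guest accounts',
  );
  $authenticationConf
    ->save();

  /**
   * LDAP_authen.WL.allow.match -- desired result: authenticate success
   */
  $this
    ->attemptLogon('cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
  $this
    ->assertText(t('Member for'), 'User able to authenticate because in white list (allowOnlyIfTextInDn).', $testid);

  /**
   *  LDAP_authen.WL.allow.miss -- desired result: authenticate fail
   */
  $this
    ->attemptLogon('cn=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu');
  $this
    ->assertText(t('Sorry, unrecognized username or password'), 'User unable to authenticate because not in white list (allowOnlyIfTextInDn).', $testid);

  /**
   * undo LDAP_authen.WL.allow settings
   */
  $authenticationConf = new LdapAuthenticationConfAdmin();
  $authenticationConf->allowOnlyIfTextInDn = array();
  $authenticationConf
    ->save();

  /**
   * prep LDAP_authen.WL.exclude
   */
  $authenticationConf = new LdapAuthenticationConfAdmin();
  $authenticationConf->excludeIfTextInDn = array(
    'cn=unkool',
  );
  $authenticationConf
    ->save();

  /**
   * LDAP_authen.WL.exclude.match -- desired result: authenticate fail
   */
  $this
    ->attemptLogon('cn=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu');
  $this
    ->assertText(t('Sorry, unrecognized username or password'), 'User unable to authenticate in exclude list (excludeIfTextInDn).', $testid);

  /**
   *  LDAP_authen.WL.exclude.miss -- desired result: authenticate success
   */
  // The assertion label names excludeIfTextInDn, the setting configured in
  // this section, so a failure report points at the right option.
  $this
    ->attemptLogon('cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
  $this
    ->assertText(t('Member for'), 'Able to authenticate because not in exclude list (excludeIfTextInDn).', $testid);

  /**
   * undo LDAP_authen.WL.exclude settings
   */
  $authenticationConf = new LdapAuthenticationConfAdmin();
  $authenticationConf->excludeIfTextInDn = array();
  $authenticationConf
    ->save();

  /**
   * prep LDAP_authen.WL.php
   */
  // allowTestPhp holds PHP source as configuration; presumably it is
  // evaluated at logon with the LDAP entry in scope -- confirm. The snippet
  // reads mail[0] without checking that the attribute is present.
  $authenticationConf = new LdapAuthenticationConfAdmin();
  $authenticationConf->allowTestPhp = "\n\n      //exclude users with guests.myuniversity.edu email address \n\n      if (strpos(\$_ldap_user_entry['attr']['mail'][0], '@guests.myuniversity.edu') === FALSE) {\n\n        print 1;\n\n      }\n\n      else {\n        print 0;\n\n      }\n      ";
  $authenticationConf
    ->save();

  /**
   * LDAP_authen.WL.php.php disabled -- desired result: authenticate fail with warning the authentication disabled
   */
  // Fail-closed check: a PHP test is configured but the php module is off,
  // so logon must be refused rather than the check being skipped.
  module_disable(array(
    'php',
  ));
  $this
    ->attemptLogon('cn=verykool,ou=special guests,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
  $this
    ->assertText(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG, 'With php disabled and php code in whitelist, refuse authentication. (allowTestPhp).', $testid);
  module_enable(array(
    'php',
  ));

  /**
   * LDAP_authen.WL.php.true -- desired result: authenticate success
   */
  $this
    ->attemptLogon('cn=verykool,ou=special guests,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
  $this
    ->assertText(t('Member for'), 'Able to authenticate because php returned true (allowTestPhp).', $testid);

  /**
   *  LDAP_authen.WL.php.false -- desired result: authenticate fail
   */
  // This rejection is expected to show 'User disallowed', not the generic
  // 'Sorry, unrecognized username or password' text asserted for the
  // allow-list and exclude-list rejections above.
  $this
    ->attemptLogon('cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
  $this
    ->assertText(t('User disallowed'), 'User unable to authenticate  because php returned false (allowTestPhp).', $testid);

  /**
   * clear LDAP_authen.WL.php
   */
  $authenticationConf = new LdapAuthenticationConfAdmin();
  $authenticationConf->allowTestPhp = '';
  $authenticationConf
    ->save();

  /***  multiple options used in whitelist **/
  // The four combined cases listed below are placeholders: no configuration
  // or assertion follows any of them, so interactions between the allow list,
  // exclude list and PHP test are not exercised by this method.

  /**
   * LDAP_authen.WL.allow[match].exclude[match] -- desired result: authenticate fail
   */

  /**
   *  LDAP_authen.WL.allow[match].exclude[miss] -- desired result: authenticate success
   */

  /**
   * LDAP_authen.WL.exclude[match].* -- desired result: authenticate fail
   */

  /**
   *  LDAP_authen.WL.exclude[match].php[false] -- desired result: authenticate fail
   */

  /**
   * LDAP_authen.WL1.excludeIfNoAuthorizations.hasAuthorizations
   * test for excludeIfNoAuthorizations set to true and consumer granted authorizations
   */

  // these 2 modules are configured in setup, but disabled for most authentication tests
  module_disable(array(
    'ldap_authorization_drupal_role',
    'ldap_authorization',
  ));
  $authenticationConf = new LdapAuthenticationConfAdmin();
  $authenticationConf->excludeIfNoAuthorizations = 1;
  $authenticationConf
    ->save();

  /**
   * LDAP_authen.WL1.excludeIfNoAuthorizations.failsafe
   * test for excludeIfNoAuthorizations set to true and ldap_authorization disabled
   * to make sure authentication fails completely
   */
  $this
    ->attemptLogon('cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
  $this
    ->assertText(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG, t('Authentication prohibited when excludeIfNoAuthorizations = true and LDAP Authorization disabled. LDAP_authen.WL1.excludeIfNoAuthorizations.failsafe'), $testid);
  // Only the drupal_role consumer is named here; the TRUE argument asks
  // module_enable() to enable dependencies as well, which presumably brings
  // ldap_authorization back -- confirm.
  module_enable(array(
    'ldap_authorization_drupal_role',
  ), TRUE);
  $this
    ->attemptLogon('cn=jkool,ou=guest accounts,dc=ad,dc=myuniversity,dc=edu');
  $this
    ->assertText(t('Member for'), 'User able to authenticate because of excludeIfNoAuthorizations setting.', $testid);

  /**
   * LDAP_authen.WL1.excludeIfNoAuthorizations.hasNoAuthorizations
   * test for excludeIfNoAuthorizations set to true and No consumer granted authorizations
   */
  $this
    ->attemptLogon('cn=unkool,ou=lost,dc=ad,dc=myuniversity,dc=edu');
  $this
    ->assertText(t('Sorry, unrecognized username or password'), 'User unable to authenticate because of excludeIfNoAuthorizations setting.', $testid);
  // Restore the defaults used by the other authentication tests.
  $authenticationConf = new LdapAuthenticationConfAdmin();
  $authenticationConf->excludeIfNoAuthorizations = 0;
  $authenticationConf
    ->save();
  module_disable(array(
    'ldap_authorization_drupal_role',
    'ldap_authorization',
  ));
}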