class LdapAuthorizationBasicTests in Lightweight Directory Access Protocol (LDAP) 8.2
Same name and namespace in other branches
- 7.2 ldap_authorization/tests/BasicTests.test \LdapAuthorizationBasicTests
- 7 ldap_authorization/tests/BasicTests/BasicTests.test \LdapAuthorizationBasicTests
Hierarchy
- class \LdapTestCase extends \DrupalWebTestCase
- class \LdapAuthorizationBasicTests
Expanded class hierarchy of LdapAuthorizationBasicTests
File
- ldap_authorization/
tests/ BasicTests.test, line 10
View source
class LdapAuthorizationBasicTests extends LdapTestCase {
public static function getInfo() {
return array(
'name' => 'LDAP Authorization Basic Tests',
'description' => 'Test ldap authorization.',
'group' => 'LDAP Authorization',
);
}
function __construct($test_id = NULL) {
parent::__construct($test_id);
}
public $module_name = 'ldap_authorization';
protected $ldap_test_data;
function setUp() {
parent::setUp(array(
'ldap_authentication',
'ldap_authorization',
'ldap_authorization_drupal_role',
'ldap_test',
));
// don't need any real servers, configured, just ldap_servers code base
variable_set('ldap_simpletest', 2);
}
function tearDown() {
parent::tearDown();
variable_del('ldap_help_watchdog_detail');
variable_del('ldap_simpletest');
}
/**
* test install, api functions, and simple authorizations granted on logon
*/
function testSimpleStuff() {
// just to give warning if setup doesn't succeed. may want to take these out at some point.
$setup_success = module_exists('ldap_authentication') && module_exists('ldap_servers') && module_exists('ldap_authorization') && module_exists('ldap_authorization_drupal_role') && config('ldap_test.settings')
->get('simpletest') > 0;
$this
->assertTrue($setup_success, ' ldap_authorizations setup successful', 'LDAP Authorization: Test Setup Success');
$api_functions = array(
'ldap_authorization_get_consumer_object' => array(
1,
1,
),
'ldap_authorization_get_consumers' => array(
3,
0,
),
'ldap_authorizations_user_authorizations' => array(
4,
1,
),
);
foreach ($api_functions as $api_function_name => $param_count) {
$reflector = new ReflectionFunction($api_function_name);
$this
->assertTrue(function_exists($api_function_name) && $param_count[1] == $reflector
->getNumberOfRequiredParameters() && $param_count[0] == $reflector
->getNumberOfParameters(), ' api function ' . $api_function_name . ' parameters and required parameters count unchanged.', 'LDAP Server: API Functions');
}
// make sure ldap authorization doesn't break cron.
$this
->assertTrue(drupal_cron_run(), t('Cron can run with ldap authorization enabled.'), 'LDAP Authorization: Cron Test');
/**
* this is geared toward testing logon functionality
*/
$sid = 'activedirectory1';
$testid = 'ExclusiveModeUserLogon3';
$sids = array(
$sid,
);
$this
->prepTestData(LDAP_TEST_LDAP_NAME, $sids, 'provisionToDrupal', 'default', 'drupal_role_default');
$hpotter_logon_edit = array(
'name' => 'hpotter',
'pass' => 'goodpwd',
);
$this
->drupalPost('user', $hpotter_logon_edit, t('Log in'));
$this
->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP Authorization: Test Logon');
$this
->assertTrue($this->testFunctions
->ldapUserIsAuthmapped('hpotter'), 'Ldap user properly authmapped.', 'LDAP Authorization: Test Logon');
$hpotter = $this->testFunctions
->userByNameFlushingCache('hpotter');
$roles = array_values($hpotter->roles);
$desired_roles = array(
'students',
'authenticated user',
'cn=gryffindor,ou=groups,dc=hogwarts,dc=edu',
'cn=honors students,ou=groups,dc=hogwarts,dc=edu',
);
$diff1 = array_diff($roles, $desired_roles);
$diff2 = array_diff($desired_roles, $roles);
$correct_roles = count($diff1) == 0 && count($diff2) == 0;
$roles_display = join(', ', $roles);
if (!$correct_roles) {
debug('hpotter roles');
debug($roles);
debug('desired roles');
debug($desired_roles);
}
$this
->assertTrue($correct_roles, t('hpotter granted correct roles on actual logon: %roles', array(
'%roles' => $roles_display,
)), 'LDAP Authorization: Test Logon for roles');
$this
->drupalGet('user/logout');
/**
* test revoking of no longer deserved roles when revokeLdapProvisioned=1
*/
$this->consumerAdminConf['drupal_role']->revokeLdapProvisioned = 1;
$this->consumerAdminConf['drupal_role']
->save();
// setup: remove hpotter from honors members
$test_data_pre_test = variable_get('ldap_test_server__' . $sid, NULL);
$test_data = variable_get('ldap_test_server__' . $sid, NULL);
$this
->removeUserFromGroup($test_data, 'cn=hpotter,ou=people,dc=hogwarts,dc=edu', 'cn=honors students,ou=groups,dc=hogwarts,dc=edu', "dc=hogwarts,dc=edu");
variable_set('ldap_test_server__' . $sid, $test_data);
$hpotter_dn = 'cn=hpotter,ou=people,dc=hogwarts,dc=edu';
$this
->drupalPost('user', $hpotter_logon_edit, t('Log in'));
$hpotter = $this->testFunctions
->userByNameFlushingCache('hpotter');
$roles = array_values($hpotter->roles);
$this
->assertFalse(in_array('cn=honors students,ou=groups,dc=hogwarts,dc=edu', $roles), 'when revokeLdapProvisioned=1, removed role from user', 'LDAP Authorization: Test Logon');
$this
->assertTrue(empty($hpotter->data['ldap_authorizations']['drupal_role']['cn=honors students,ou=groups,dc=hogwarts,dc=edu']), 'when revokeLdapProvisioned=1, removed user->data[ldap_authorizations][drupal_role][<role>]', 'LDAP Authorization: Test Logon');
// return test data to original state
variable_set('ldap_test_server__' . $sid, $test_data_pre_test);
$this
->drupalGet('user/logout');
/**
* test regranting of removed roles (regrantLdapProvisioned = 0)
*/
$hpotter = $this->testFunctions
->userByNameFlushingCache('hpotter');
$roles = array_values($hpotter->roles);
$this->consumerAdminConf['drupal_role']->regrantLdapProvisioned = 0;
$this->consumerAdminConf['drupal_role']
->save();
$this->testFunctions
->removeRoleFromUser($hpotter, "cn=gryffindor,ou=groups,dc=hogwarts,dc=edu");
$this
->drupalPost('user', $hpotter_logon_edit, t('Log in'));
$hpotter = $this->testFunctions
->userByNameFlushingCache('hpotter');
$roles = array_values($hpotter->roles);
$this
->assertFalse(in_array("cn=gryffindor,ou=groups,dc=hogwarts,dc=edu", $roles), 'when regrantLdapProvisioned=0, did not regrant role on logon', 'LDAP Authorization: Test Logon');
$this
->assertTrue(!empty($hpotter->data['ldap_authorizations']['drupal_role']['cn=gryffindor,ou=groups,dc=hogwarts,dc=edu']), 'when regrantLdapProvisioned=0, role is not regranted, but initial grant still remains in user->data[ldap_authorizations][drupal_role][<role>]', 'LDAP Authorization: Test Logon');
$this
->drupalGet('user/logout');
/**
* test regranting of removed roles (regrantLdapProvisioned = 1)
*/
$this->consumerAdminConf['drupal_role']->regrantLdapProvisioned = 1;
$this->consumerAdminConf['drupal_role']
->save();
$this
->drupalPost('user', $hpotter_logon_edit, t('Log in'));
$hpotter = $this->testFunctions
->userByNameFlushingCache('hpotter');
$roles = array_values($hpotter->roles);
$this
->assertTrue(in_array("cn=gryffindor,ou=groups,dc=hogwarts,dc=edu", $roles), 'when regrantLdapProvisioned=0, did not regrant role on logon', 'LDAP Authorization: Test Logon');
$this
->drupalGet('user/logout');
}
/**
* authorization configuration flags tests clumped together
*/
function testFlags() {
$sid = 'activedirectory1';
$this
->prepTestData(LDAP_TEST_LDAP_NAME, array(
$sid,
), 'provisionToDrupal', 'default', 'drupal_role_default');
/**
* LDAP_authorz.Flags.status=0: Disable ldap_authorization_drupal_role configuration and make sure no authorizations performed
*/
$user = $this
->drupalCreateUser(array());
$hpotter = $this->testFunctions
->drupalLdapUpdateUser(array(
'name' => 'hpotter',
'mail' => 'hpotter@hogwarts.edu',
), TRUE, $user);
list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query');
// just see if the correct ones are derived.
$roles1 = $new_authorizations['drupal_role'];
// $consumer_conf_admin = ldap_authorization_get_consumer_admin_object('drupal_role', FALSE);
$this->consumerAdminConf['drupal_role']->status = 0;
$this->consumerAdminConf['drupal_role']
->save();
list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query', 'drupal_role');
// just see if the correct ones are derived.
$roles2 = isset($new_authorizations['drupal_role']) ? $new_authorizations['drupal_role'] : array();
$correct_roles = count($roles1) > 0 && count($roles2) == 0;
// not worried about which roles here, just that some are granted
$this
->assertTrue($correct_roles, 'disable consumer configuration disallows authorizations.', 'LDAP_authorz.Flags.status.0');
if (!$correct_roles) {
debug('LDAP_authorz.Flags.enable.0 roles with enabled');
debug($roles1);
debug('LDAP_authorz.Flags.enable.0 roles with disabled');
debug($roles2);
}
/**
* LDAP_authorz.onlyLdapAuthenticated=1: create normal user and
* apply authorization query. should return no roles
*/
$this->consumerAdminConf['drupal_role']->onlyApplyToLdapAuthenticated = 1;
$this->consumerAdminConf['drupal_role']->status = 1;
$this->consumerAdminConf['drupal_role']
->save();
$user = $this
->drupalCreateUser(array());
$hgrainger = $this->testFunctions
->drupalLdapUpdateUser(array(
'name' => 'hgrainger',
'mail' => 'hgrainger@hogwarts.edu',
), TRUE, $user);
// remove authmap in case it exists so test will work
db_delete('authmap')
->condition('uid', $user->uid)
->condition('module', 'ldap_user')
->execute();
list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hgrainger, 'query');
// just see if the correct ones are derived.
$roles = isset($new_authorizations['drupal_role']) ? $new_authorizations['drupal_role'] : array();
$success = count($roles) == 0;
$this
->assertTrue($success, ' only apply to ldap authenticated grants no roles for non ldap user.', 'LDAP_authorz.onlyLdapAuthenticated.1');
if (!$success) {
debug('LDAP_authorz.onlyLdapAuthenticated.1');
debug($roles);
debug($this->testFunctions
->ldapUserIsAuthmapped('hgrainger'));
debug($new_authorizations);
debug($notifications);
}
/**
* LDAP_authorz.Flags.synchOnLogon - execute logon and check that no roles are applied if disabled
*/
$this->consumerAdminConf['drupal_role']->synchOnLogon = 0;
$this->consumerAdminConf['drupal_role']
->save();
$edit = array(
'name' => 'hgrainger',
'pass' => 'goodpwd',
);
$this
->drupalPost('user', $edit, t('Log in'));
$this
->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.synchOnLogon.0');
$this
->assertTrue($this->testFunctions
->ldapUserIsAuthmapped('hgrainger'), 'Ldap user properly authmapped.', 'LDAP_authorz.Flags.synchOnLogon.0');
$hgrainger = user_load_by_name('hgrainger');
$this
->drupalGet('user/logout');
$this->consumerAdminConf['drupal_role']->synchOnLogon = 1;
$this->consumerAdminConf['drupal_role']
->save();
$edit = array(
'name' => 'hgrainger',
'pass' => 'goodpwd',
);
$this
->drupalPost('user', $edit, t('Log in'));
$this
->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.synchOnLogon=1');
$hgrainger = user_load_by_name('hgrainger');
$this
->drupalGet('user/logout');
// create a couple roles for next 2 tests
$troublemaker = new stdClass();
$troublemaker->name = 'troublemaker';
user_role_save($troublemaker);
$troublemaker = user_role_load_by_name('troublemaker');
$superadmin = new stdClass();
$superadmin->name = 'superadmin';
user_role_save($superadmin);
$superadmin = user_role_load_by_name('superadmin');
/**
* LDAP_authorz.Flags.revokeLdapProvisioned: test flag for
* removing manually granted roles
*
* $this->revokeLdapProvisioned == 1 : Revoke !consumer_namePlural previously granted by LDAP Authorization but no longer valid.
*
* grant roles via ldap and some not vai ldap manually,
* then alter ldap so they are no longer valid,
* then logon again and make sure the ldap provided roles are revoked and the drupal ones are not revoked
*
*/
$this->consumerAdminConf['drupal_role']->onlyApplyToLdapAuthenticated = 0;
$this->consumerAdminConf['drupal_role']->revokeLdapProvisioned = 1;
$this->consumerAdminConf['drupal_role']->createConsumers = 1;
$this->consumerAdminConf['drupal_role']
->save();
// set correct roles manually
$hpotter = user_load_by_name('hpotter');
user_delete($hpotter->uid);
$user = $this
->drupalCreateUser(array());
$hpotter = $this->testFunctions
->drupalLdapUpdateUser(array(
'name' => 'hpotter',
'mail' => 'hpotter@hogwarts.edu',
), TRUE, $user);
$edit = array(
'name' => 'hpotter',
'pass' => 'goodpwd',
);
$this
->drupalPost('user', $edit, t('Log in'));
$this
->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.revokeLdapProvisioned=1');
$hpotter = user_load_by_name('hpotter');
// add an underserved, ldap granted drupal role superadmin
// and an undeserved, non ldap granted role troublemaker
$hpotter = user_load($hpotter->uid, TRUE);
$roles = $hpotter->roles;
$roles[$troublemaker->rid] = $troublemaker->name;
$roles[$superadmin->rid] = $superadmin->name;
$data = array(
'roles' => $roles,
'data' => array(
'ldap_authorizations' => array(
'drupal_role' => array(
$superadmin->name => array(
'date_granted' => 1304216778,
),
),
),
),
);
$hpotter = user_save($hpotter, $data);
// apply correct authorizations. should remove the administrator role but not the manually created 'troublemaker' role
list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'drupal_role', 'logon');
$hpotter = user_load($hpotter->uid, TRUE);
$this
->assertTrue(!isset($new_authorizations['drupal_role'][$superadmin->rid]), ' revoke superadmin ldap granted roles when no longer deserved.', 'LDAP_authorz.Flags.revokeLdapProvisioned=1');
/**
* LDAP_authorz.Flags.regrantLdapProvisioned
* $this->regrantLdapProvisioned == 1 :
* Re grant !consumer_namePlural previously granted
* by LDAP Authorization but removed manually.
*
* - manually remove ldap granted role
* - logon
* - check if regranted
*/
$this
->drupalGet('user/logout');
$this->consumerAdminConf['drupal_role']->regrantLdapProvisioned = 1;
$this->consumerAdminConf['drupal_role']
->save();
$hpotter = user_load($hpotter->uid, TRUE);
$roles = $hpotter->roles;
unset($roles[$superadmin->rid]);
user_save($hpotter, array(
'roles' => $roles,
));
$hpotter = user_load($hpotter->uid, TRUE);
list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'drupal_role', 'logon');
$hpotter = user_load($hpotter->uid, TRUE);
$success = !in_array('administrator', array_values($hpotter->roles));
$this
->assertTrue($success, 'regrant Ldap Provisioned roles that were manually revoked', 'LDAP_authorz.Flags.regrantLdapProvisioned=1');
if (!$success) {
debug('LDAP_authorz.Flags.regrantLdapProvisioned=1');
debug('hpotter roles');
debug($hpotter->roles);
debug('new_authorizations');
debug($new_authorizations);
}
/**
* LDAP_authorz.Flags.createConsumers=1
*/
//add new mapping to and enable create consumers
$this
->prepTestData(LDAP_TEST_LDAP_NAME, array(
$sid,
), 'provisionToDrupal', 'default', 'drupal_role_default');
$this
->drupalGet('user/logout');
$new_role = 'oompa-loompas';
$this->consumerAdminConf['drupal_role']->createConsumers = 1;
$this->consumerAdminConf['drupal_role']->mappings[] = array(
'from' => 'cn=students,ou=groups,dc=hogwarts,dc=edu',
'user_entered' => $new_role,
'normalized' => $new_role,
'simplified' => $new_role,
'valid' => TRUE,
'error_message' => '',
);
$this->consumerAdminConf['drupal_role']
->save();
// debug('mappings'); debug($this->consumerAdminConf['drupal_role']->mappings);
$edit = array(
'name' => 'hpotter',
'pass' => 'goodpwd',
);
$this
->drupalPost('user', $edit, t('Log in'));
$new_role_created = in_array($new_role, array_values(user_roles()));
// debug("roles"); debug(user_roles());
$roles_by_name = array_flip(user_roles());
$hpotter = user_load_by_name('hpotter');
$hpotter = user_load($hpotter->uid, TRUE);
$role_granted = isset($hpotter->roles[$roles_by_name[$new_role]]);
$this
->assertTrue($new_role_created && $role_granted, 'create consumers (e.g. roles)', 'LDAP_authorz.Flags.createConsumers=1');
if (!($new_role_created && $role_granted)) {
debug('roles');
debug(user_roles());
debug('roles by name');
debug($roles_by_name);
debug('hpotter->roles');
debug($hpotter->roles);
debug("new role desired: {$new_role}");
debug("{$new_role_created} AND {$role_granted}");
}
}
public function testUIForms() {
$ldap_simpletest_initial = config('ldap_test.settings')
->get('simpletest');
variable_del('ldap_simpletest');
// need to be out of fake server mode to test ui.
$sid = 'activedirectory1';
$this
->prepTestData(LDAP_TEST_LDAP_NAME, array(
$sid,
), 'provisionToDrupal', 'default');
ldap_servers_module_load_include('php', 'ldap_servers', 'LdapServerAdmin.class');
$ldap_server = new LdapServerAdmin($sid);
$server_properties = $this->testFunctions->data['ldap_servers'][$sid]['properties'];
foreach ($server_properties as $property => $value) {
$ldap_server->{$property} = $value;
}
$ldap_server
->save('add');
$consumer_form_data = array(
'sid' => array(
'activedirectory1',
'activedirectory1',
),
'status' => array(
TRUE,
TRUE,
),
'only_ldap_authenticated' => array(
FALSE,
TRUE,
),
'use_first_attr_as_groupid' => array(
FALSE,
TRUE,
),
'mappings' => array(
"a|b",
"a|b",
),
'use_filter' => array(
FALSE,
TRUE,
),
'synchronization_modes[user_logon]' => array(
TRUE,
FALSE,
),
'synchronization_actions[revoke_ldap_provisioned]' => array(
TRUE,
FALSE,
),
'synchronization_actions[regrant_ldap_provisioned]' => array(
FALSE,
TRUE,
),
'synchronization_actions[create_consumers]' => array(
TRUE,
FALSE,
),
);
$this->privileged_user = $this
->drupalCreateUser(array(
'administer site configuration',
));
$this
->drupalLogin($this->privileged_user);
$ldap_server = ldap_servers_get_servers('activedirectory1', NULL, TRUE, TRUE);
$this
->drupalGet('admin/config/people/ldap/servers/edit/activedirectory1');
// this is just for debugging to show the server.
$ldap_server_admin = new LdapServerAdmin($sid);
if (!is_array($ldap_server_admin->basedn)) {
$ldap_server_admin->basedn = @unserialize($ldap_server_admin->basedn);
$ldap_server_admin
->save('update');
$ldap_server_admin = new LdapServerAdmin($sid);
}
$this
->drupalGet('admin/config/people/ldap/servers/edit/activedirectory1');
foreach (array(
0,
) as $i) {
foreach (array(
'drupal_role',
) as $consumer_type) {
foreach (array(
1,
) as $ctools_enabled) {
// may want to put this back in after ctools requirement is fixed
$this->ldapTestId = "testUIForms.{$i}.{$consumer_type}.ctools.{$ctools_enabled}";
if ($ctools_enabled) {
module_enable(array(
'ctools',
));
}
else {
module_disable(array(
'ctools',
));
}
$lcase_transformed = array();
/** add server conf test **/
$this
->drupalGet('admin/config/people/ldap/authorization/add/' . $consumer_type);
$edit = array();
foreach ($consumer_form_data as $input_name => $input_values) {
$edit[$input_name] = $input_values[$i];
}
$this
->drupalPost('admin/config/people/ldap/authorization/add/' . $consumer_type, $edit, t('Add'));
$field_to_prop_map = LdapAuthorizationConsumerConf::field_to_properties_map();
$ldap_consumer = ldap_authorization_get_consumer_object($consumer_type);
$this
->assertTrue(is_object($ldap_consumer), 'ldap consumer conf loaded after add-save', $this->ldapTestId . ' Add consumer configuration');
// assert one ldap server exists in db table
// assert load of server has correct properties for each input
$mismatches = $this
->compareFormToProperties($ldap_consumer, $consumer_form_data, $i, $field_to_prop_map, $lcase_transformed);
if (count($mismatches)) {
debug('mismatches between ldap server properties and form submitted values');
debug($mismatches);
// debug($ldap_consumer); // throw recursion
debug($consumer_form_data);
}
$this
->assertTrue(count($mismatches) == 0, 'Add form for ldap consumer properties match values submitted.', $this->ldapTestId . ' Add consumer conf');
/** update server conf test **/
$this
->drupalGet('admin/config/people/ldap/authorization/edit/' . $consumer_type);
$edit = array();
foreach ($consumer_form_data as $input_name => $input_values) {
if ($input_values[$i] !== NULL) {
$edit[$input_name] = $input_values[$i];
}
}
unset($edit['sid']);
$this
->drupalPost('admin/config/people/ldap/authorization/edit/' . $consumer_type, $edit, t('Save'));
$ldap_consumer = ldap_authorization_get_consumer_object($consumer_type);
$this
->assertTrue(is_object($ldap_consumer), 'ldap consumer conf loaded after edit-save', $this->ldapTestId . ' update consumer configuration');
$mismatches = $this
->compareFormToProperties($ldap_consumer, $consumer_form_data, $i, $field_to_prop_map, $lcase_transformed);
if (count($mismatches)) {
debug('mismatches between ldap server properties and form submitted values');
debug($mismatches);
// debug($ldap_consumer); // throw recursion
debug($consumer_form_data);
}
$this
->assertTrue(count($mismatches) == 0, 'Update form for ldap server properties match values submitted.', $this->ldapTestId . '.Update consumer conf');
/** delete server conf test **/
$this
->drupalGet('admin/config/people/ldap/authorization/delete/' . $consumer_type);
$this
->drupalPost('admin/config/people/ldap/authorization/delete/' . $consumer_type, array(), t('Delete'));
ctools_include('export');
ctools_export_load_object_reset('ldap_authorization');
$consumer_conf = ldap_authorization_get_consumer_conf($consumer_type);
//
$pass = is_object($consumer_conf) && $consumer_conf->inDatabase === FALSE;
$this
->assertTrue($pass, 'Delete form for consumer conf deleted conf.', $this->ldapTestId . '.Delete consumer conf');
if (!$pass) {
debug('ldap consumer after delete. is_object=' . is_object($consumer_conf));
debug('inDatabase?' . is_object($ldap_consumer) ? $consumer_conf->inDatabase : '?');
debug("numericConsumerConfId" . $consumer_conf->numericConsumerConfId);
debug("status" . $consumer_conf->status);
debug("sid" . $consumer_conf->sid);
}
}
}
}
variable_set('ldap_simpletest', $ldap_simpletest_initial);
// return to fake server mode
}
}