function LdapAuthorizationOg1Tests::testLogons in Lightweight Directory Access Protocol (LDAP) 8.2
authorization configuration flags tests clumped together
File
- ldap_authorization/
tests/ Og1Tests.test, line 375
Class
Code
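/**
 * Exercises the logon-time flags of the og_group authorization consumer.
 *
 * The scenarios below run in order for the fixture user 'hpotter', after
 * prepTestData() has been called with the 'og_group15' configuration:
 *  - synchOnLogon = 0: a logon grants no og authorizations.
 *  - synchOnLogon = 1: a logon grants the students and gryffindor memberships
 *    and records them under $user->data['ldap_authorizations']['og_group'].
 *  - three consecutive logons keep producing the same grants and records.
 *  - revokeLdapProvisioned = 1: a membership recorded as LDAP-granted is
 *    revoked at logon, while a membership with no such record is retained.
 *  - regrantLdapProvisioned = 1: a manually removed membership is regranted
 *    at the next logon.
 *
 * The scenarios share the consumer configuration, the user account and the
 * browser session, so the statement order is significant.
 *
 * Coverage gap: the onlyApplyToLdapAuthenticated = 1 scenario at the end is
 * disabled, so nothing here asserts that a user who did not authenticate
 * through LDAP receives no LDAP-derived group memberships.
 */
function testLogons() {
  $sid = 'activedirectory1';
  $this->prepTestData(LDAP_TEST_LDAP_NAME, array($sid), 'provisionToDrupal', 'default', 'og_group15');

  // This first consumer lookup is overwritten before it is read; the call is
  // kept because SOURCE does not show whether it has side effects.
  $og_group_consumer = ldap_authorization_get_consumers('og_group', TRUE, TRUE);

  // The bare numbers are carried over from the original listing; presumably
  // they are the expected group ids - confirm against the test data.
  list($og_gryffindor_group, $og_gryffindor_node) = ldap_authorization_og1_get_group('gryffindor', 'group_name'); // 1
  list($og_students_group, $og_students_node) = ldap_authorization_og1_get_group('students', 'group_name'); // 4
  list($og_faculty_group, $og_faculty_node) = ldap_authorization_og1_get_group('faculty', 'group_name'); // 7
  list($og_users_group, $og_users_node) = ldap_authorization_og1_get_group('users', 'group_name'); // 9
  list($og_hufflepuff_group, $og_hufflepuff_node) = ldap_authorization_og1_get_group('hufflepuff', 'group_name');
  list($og_slytherin_group, $og_slytherin_node) = ldap_authorization_og1_get_group('slytherin', 'group_name');

  // Only $member_rid is used below; the other role ids are looked up but not
  // referenced again in this method.
  $anonymous_rid = ldap_authorization_og_rid_from_role_name(OG_ANONYMOUS_ROLE);
  $member_rid = ldap_authorization_og_rid_from_role_name(OG_AUTHENTICATED_ROLE);
  $admin_rid = ldap_authorization_og_rid_from_role_name(OG_ADMINISTRATOR_ROLE);
  $dungeon_master_rid = ldap_authorization_og_rid_from_role_name('dungeon-master');
  $time_keeper = ldap_authorization_og_rid_from_role_name('time-keeper');

  // A consumer id is built here as "<group gid>-<role id>".
  $students_membership_consumer_id = $og_students_group->gid . '-' . $member_rid;
  $gryffindor_membership_consumer_id = $og_gryffindor_group->gid . '-' . $member_rid;
  $slytherin_membership_consumer_id = $og_slytherin_group->gid . '-' . $member_rid;
  $hufflepuff_membership_consumer_id = $og_hufflepuff_group->gid . '-' . $member_rid;
  //debug(
  // "students_membership_consumer_id = $students_membership_consumer_id
  // gryffindor_membership_consumer_id = $gryffindor_membership_consumer_id
  // slytherin_membership_consumer_id = $slytherin_membership_consumer_id
  // hufflepuff_membership_consumer_id = = $hufflepuff_membership_consumer_id "
  //);

  // Logon form values for the fixture account; every scenario submits the
  // same pair, so it is defined once.
  $edit = array(
    'name' => 'hpotter',
    'pass' => 'goodpwd',
  );

  // Fail early and visibly if the configuration under test was not applied.
  list($props_set_display, $props_set_correctly) = $this->checkConsumerConfSetup('og_group15');
  $this->assertTrue($props_set_correctly, 'Authorization Configuration set correctly in test setup', 'LDAP_authorz.Flags.setup.0');
  if (!$props_set_correctly) {
    debug('LDAP_authorz.Flags.setup.0 properties not set correctly');
    debug($props_set_display);
  }

  $hpotter = $this->deleteAndRecreateUser('hpotter');

  /**
   * LDAP_authorz.Flags.synchOnLogon - execute logon and check that no roles
   * are applied if disabled.
   */
  $test_id = 'LDAP_authorz.og.Flags.synchOnLogon.0';
  $this->consumerAdminConf['og_group']->synchOnLogon = 0;
  $this->consumerAdminConf['og_group']->save();
  $og_group_consumer = ldap_authorization_get_consumer_object('og_group');

  $this->drupalPost('user', $edit, t('Log in'));
  $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.', $test_id);
  $this->assertTrue($this->testFunctions->ldapUserIsAuthmapped('hpotter'), 'Ldap user properly authmapped.', $test_id);

  // Reload the account so the check does not read a stale user object.
  $hpotter = user_load_by_name('hpotter');
  $hpotter = user_load($hpotter->uid, TRUE);
  $authorizations = $og_group_consumer->usersAuthorizations($hpotter, TRUE);
  $this->drupalGet('user/logout');

  $success = count($authorizations) == 0;
  $this->assertTrue($success, 'No authorizations granted when synchOnLogon=0', $test_id);
  if (!$success) {
    debug($test_id . "authorizations:");
    debug($authorizations);
    debug($hpotter->data);
  }

  /**
   * LDAP_authorz.Flags.synchOnLogon = 1: logon grants the LDAP-derived
   * memberships and records them in the user's data.
   */
  $test_id = 'LDAP_authorz.og.Flags.synchOnLogon.1';
  $this->consumerAdminConf['og_group']->synchOnLogon = 1;
  $this->consumerAdminConf['og_group']->save();
  // flushes object static cache
  $og_group_consumer = ldap_authorization_get_consumer_object('og_group');
  $hpotter = $this->deleteAndRecreateUser('hpotter');

  $this->drupalPost('user', $edit, t('Log in'));
  $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.', $test_id);
  $hpotter = user_load_by_name('hpotter');
  $hpotter = user_load($hpotter->uid, TRUE);
  $authorizations = $og_group_consumer->usersAuthorizations($hpotter, TRUE);
  $this->UIGroupMembershipTest($hpotter, $og_students_node, $test_id);

  $success = in_array($students_membership_consumer_id, $authorizations)
    && in_array($gryffindor_membership_consumer_id, $authorizations);
  $this->drupalGet('user/logout');
  $this->assertTrue($success, 'Correct Authorizations on user logon', $test_id);
  if (!$success) {
    debug($test_id . "authorizations {$gryffindor_membership_consumer_id} and {$students_membership_consumer_id} not found in:");
    debug($authorizations);
    debug("hpotter->data");
    debug($hpotter->data);
  }

  // NOTE(review): only 'date_granted' of the students record and
  // 'consumer_id_mixed_case' of the gryffindor record are checked. The
  // original expression repeated these two terms, so it was probably meant
  // to check both keys on both records - confirm and extend.
  $user_data = $hpotter->data['ldap_authorizations']['og_group'];
  $success = isset($user_data[$students_membership_consumer_id])
    && isset($user_data[$gryffindor_membership_consumer_id])
    && isset($user_data[$students_membership_consumer_id]['date_granted'])
    && isset($user_data[$gryffindor_membership_consumer_id]['consumer_id_mixed_case'])
    && $user_data[$gryffindor_membership_consumer_id]['consumer_id_mixed_case'] == $gryffindor_membership_consumer_id;
  $this->assertTrue($success, 'Correct User Data Authorization Records', $test_id);

  /**
   * Test multiple logon scenario. This deals with a variety of concerns such
   * as caching of user and og data.
   */
  $test_id = 'LDAP_authorz.og.mulitplelogons';
  $this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 0;
  $this->consumerAdminConf['og_group']->synchOnLogon = 1;
  $this->consumerAdminConf['og_group']->status = 1;
  $this->consumerAdminConf['og_group']->save();
  $hpotter = $this->deleteAndRecreateUser('hpotter');
  $og_group_consumer = ldap_authorization_get_consumer_object('og_group');
  $this->drupalGet('user/logout');

  // The recreated account must start with no grants, otherwise the loop
  // below proves nothing.
  $pre_authorizations = $og_group_consumer->usersAuthorizations($hpotter, TRUE);
  $this->assertTrue(count($pre_authorizations) == 0, 'Setup correct for test ' . $test_id, $test_id);

  foreach (array(1, 2, 3) as $i) {
    $this->drupalGet('user/logout');
    $this->drupalPost('user', $edit, t('Log in'));
    $this->assertText(t('Member for'), "Repeated logon grant test i={$i}", $test_id);
    $hpotter = user_load_by_name('hpotter');
    $hpotter = user_load($hpotter->uid, TRUE);
    $authorizations = $og_group_consumer->usersAuthorizations($hpotter, TRUE);

    $success = in_array($students_membership_consumer_id, $authorizations)
      && in_array($gryffindor_membership_consumer_id, $authorizations);
    $this->assertTrue($success, 'Correct Authorizations on user logon', $test_id);
    if (!$success) {
      debug("{$test_id} i={$i}");
      debug($hpotter->data);
      // TRUE belongs to usersAuthorizations(), as in every other call in this
      // method; it was previously passed to debug() as the label argument.
      debug($og_group_consumer->usersAuthorizations($hpotter, TRUE));
    }
    $this->UIGroupMembershipTest($hpotter, $og_gryffindor_node, $test_id);
    $this->UIGroupMembershipTest($hpotter, $og_students_node, $test_id);

    // Also assert the user->data['ldap_authorizations']['og_group'] array.
    // NOTE(review): same partial key coverage as in the synchOnLogon.1
    // scenario - confirm whether both keys should be checked on both records.
    $user_data = $hpotter->data['ldap_authorizations']['og_group'];
    $success = isset($user_data[$students_membership_consumer_id])
      && isset($user_data[$gryffindor_membership_consumer_id])
      && isset($user_data[$students_membership_consumer_id]['date_granted'])
      && isset($user_data[$gryffindor_membership_consumer_id]['consumer_id_mixed_case'])
      && $user_data[$gryffindor_membership_consumer_id]['consumer_id_mixed_case'] == $gryffindor_membership_consumer_id;
    $this->assertTrue($success, 'Correct User Data Authorization Records', $test_id);
    $this->drupalGet('user/logout');
  }

  /**
   * LDAP_authorz.Flags.revokeLdapProvisioned: test flag for
   * removing manually granted roles
   *
   * $this->revokeLdapProvisioned == 1 : Revoke !consumer_namePlural previously
   * granted by LDAP Authorization but no longer valid.
   *
   * Grant some groups via ldap and some manually, then logon again and make
   * sure the ldap provided roles are revoked and the drupal ones are not.
   */
  $test_id = 'LDAP_authorz.og.Flags.revokeLdapProvisioned.1';
  $this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 0;
  $this->consumerAdminConf['og_group']->revokeLdapProvisioned = 1;
  $this->consumerAdminConf['og_group']->regrantLdapProvisioned = 1;
  $this->consumerAdminConf['og_group']->save();
  $og_group_consumer = ldap_authorization_get_consumer_object('og_group');
  $hpotter = $this->deleteAndRecreateUser('hpotter');

  // group to 2 "undeserved" groups, but only ldap associate 1
  $hpotter = $this->manualOgGroup($hpotter, $og_slytherin_group->gid);
  $hpotter = $this->manualOgGroup($hpotter, $og_hufflepuff_group->gid);
  $authorizations = $og_group_consumer->usersAuthorizations($hpotter, TRUE);
  $this->assertTrue(in_array($slytherin_membership_consumer_id, $authorizations) && in_array($hufflepuff_membership_consumer_id, $authorizations), "prep for {$test_id}", $test_id);
  // debug(); debug("4.1 hpotter->data"); debug($hpotter->data);
  // $undeserved_consumer_id = $og_slytherin_group->gid . '-' . $member_rid;

  // Mark the slytherin membership as LDAP-granted. The record is one
  // associative array holding both keys, which is the shape this method
  // asserts when it reads such records back after a logon; the listing
  // previously wrapped each key in its own nested array.
  $user_edit = array('data' => $hpotter->data);
  $user_edit['data']['ldap_authorizations']['og_group'][$slytherin_membership_consumer_id] = array(
    'date_granted' => 1304216778,
    'consumer_id_mixed_case' => $slytherin_membership_consumer_id,
  );
  $hpotter = user_save($hpotter, $user_edit);

  $this->drupalPost('user', $edit, t('Log in'));
  $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.', $test_id);
  $hpotter = user_load_by_name('hpotter');
  $hpotter = user_load($hpotter->uid, TRUE);
  $authorizations = $og_group_consumer->usersAuthorizations($hpotter, TRUE);
  $this->UIGroupMembershipTest($hpotter, $og_hufflepuff_node, $test_id);
  $this->UIGroupMembershipTest($hpotter, $og_slytherin_node, $test_id, FALSE);
  // assert that slytherin membership removed, but hufflepuff kept
  $this->assertTrue(!in_array($slytherin_membership_consumer_id, $authorizations) && in_array($hufflepuff_membership_consumer_id, $authorizations), "Ldap granted og revoked when not deserved in ldap, manual og membership retained.", $test_id);
  //debug($authorizations);
  //debug("4. hpotter->data"); debug($hpotter->data);

  /**
   * LDAP_authorz.Flags.regrantLdapProvisioned
   * $this->regrantLdapProvisioned == 1 :
   * Re grant !consumer_namePlural previously granted
   * by LDAP Authorization but removed manually.
   *
   * - manually remove ldap granted og membership
   * - logon
   * - check if regranted
   */
  $test_id = 'LDAP_authorz.Flags.regrantLdapProvisioned=1';
  $this->drupalGet('user/logout');
  $this->consumerAdminConf['og_group']->regrantLdapProvisioned = 1;
  $this->consumerAdminConf['og_group']->revokeLdapProvisioned = 1;
  $this->consumerAdminConf['og_group']->save();
  $og_group_consumer = ldap_authorization_get_consumer_object('og_group');
  // do not recreate hpotter user because using date from last test
  $hpotter = user_load($hpotter->uid, TRUE);
  // ungroup hpotter from students
  $hpotter = og_ungroup($og_students_group->gid, 'user', $hpotter, TRUE);
  // confirm doesn't have authorization
  $authorizations = $og_group_consumer->usersAuthorizations($hpotter, TRUE);
  $this->assertTrue(!in_array($students_membership_consumer_id, $authorizations), 'hpotter student membership removed before testing regrant', $test_id);

  // Logon. NOTE(review): unlike the other scenarios, the result of this logon
  // is not asserted before the regrant check.
  $this->drupalPost('user', $edit, t('Log in'));

  // assert students membership regranted
  $hpotter = user_load($hpotter->uid, TRUE);
  // This first read is discarded; the value asserted below is read again
  // after the og caches have been cleared.
  $authorizations = $og_group_consumer->usersAuthorizations($hpotter, TRUE);
  // NOTE(review): with these arguments module_load_include() looks for
  // 'module.php' in the og module directory - confirm that is intended.
  module_load_include('php', 'og', 'module');
  og_invalidate_cache();
  $caches = array(
    'og_get_entity_groups',
    'og_get_membership',
    'og_get_field_og_membership_properties',
  );
  foreach ($caches as $cache) {
    drupal_static_reset($cache);
  }
  $authorizations = $og_group_consumer->usersAuthorizations($hpotter, TRUE);
  $success = in_array($students_membership_consumer_id, $authorizations);
  $this->UIGroupMembershipTest($hpotter, $og_students_node, $test_id);
  $this->assertTrue($success, "regrant Ldap Provisioned og groups ({$students_membership_consumer_id}) that were manually revoked", $test_id);
  if (!$success) {
    debug($test_id);
    debug("students_membership_consumer_id={$students_membership_consumer_id}");
    debug('hpotter->data');
    debug($hpotter->data);
    debug('current authorizations');
    debug($authorizations);
  }
  //debug("5. hpotter->data"); debug($hpotter->data);

  /**
   * LDAP_authorz.onlyLdapAuthenticated=1: create normal user and
   * apply authorization query. should return no og groups
   *
   * THIS NEEDS TO BE REWORKED. ITS A MEANINGLESS TEST IN CURRENT STATE
   * should
   * A. leave on mixed mode ldap authentication
   * logon with non ldap password and receive no authorizations
   *
   * B. leave on mixed mode authentication and logon with ldap
   * groups should be granted
   *
   * TODO: until this is reworked and re-enabled, the
   * onlyApplyToLdapAuthenticated flag has no assertion in this method.
   */
  //$test_id = 'LDAP_authorz.onlyLdapAuthenticated.1';
  //$this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 1;
  //$this->consumerAdminConf['og_group']->status = 1;
  //$this->consumerAdminConf['og_group']->save();
  //$og_group_consumer = ldap_authorization_get_consumer_object('og_group');
  //
  //$hpotter = $this->deleteAndRecreateUser('hpotter');
  //
  //list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'og_group'); // just see if the correct ones are derived.
  //$success = (isset($new_authorizations['og_group']) && count($new_authorizations['og_group']) == 0);
  //$this->assertTrue($success, ' only apply to ldap authenticated grants no roles for non ldap user.', $test_id);
  //$hpotter = user_load($hpotter->uid, TRUE);
  //if (!$success) {
  // debug($test_id . "new_authorizations:"); debug($new_authorizations);
  // debug($this->testFunctions->ldapUserIsAuthmapped('hpotter'));
  // debug($notifications);
  // debug($hpotter);
  //}
}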