
function LdapAuthorizationOg2Tests::testFlags in Lightweight Directory Access Protocol (LDAP) 8.2

Same name and namespace in other branches
  1. 7.2 ldap_authorization/tests/Og2Tests.test \LdapAuthorizationOg2Tests::testFlags()

Authorization configuration flag tests, grouped together in one test method.

File

ldap_authorization/tests/Og2Tests.test, line 301

Class

LdapAuthorizationOg2Tests

Code

/**
 * Exercises the og_group consumer configuration flags in a single run.
 *
 * Sections, in order: status, onlyApplyToLdapAuthenticated, synchOnLogon,
 * revokeLdapProvisioned, regrantLdapProvisioned and createConsumers. Each
 * section flips a flag on $this->consumerAdminConf['og_group'], saves it,
 * and then queries or applies authorizations for a test user.
 *
 * Later sections reuse users, roles and configuration left behind by
 * earlier ones, so the statement order is significant. The LDAP fixture
 * (server 'activedirectory1', users hpotter/hgrainger, groups students and
 * gryffindor) is presumably provided by prepTestData() — see that helper.
 */
function testFlags() {
  // Server id of the LDAP fixture used for every prepTestData() call below.
  $sid = 'activedirectory1';
  $this
    ->prepTestData(LDAP_TEST_LDAP_NAME, array(
    $sid,
  ), 'provisionToDrupal', 'default', 'og_group2');
  // Consumer descriptor; only read again in the createConsumers section at
  // the end ('allowConsumerObjectCreation').
  $og_group_consumer = ldap_authorization_get_consumers('og_group', TRUE, TRUE);

  /**
   * LDAP_authorz.Flags.status=0: disable the og_group consumer configuration
   * and make sure no authorizations are derived. (The flag is set on
   * 'og_group' below, not on the drupal_role consumer.)
   */
  list($props_set_display, $props_set_correctly) = $this
    ->checkConsumerConfSetup('og_group2');
  $this
    ->assertTrue($props_set_correctly, 'Authorization Configuration set correctly in test setup', 'LDAP_authorz.Flags.setup.0');
  if (!$props_set_correctly) {
    debug('LDAP_authorz.Flags.setup.0 properties not set correctly');
    debug($props_set_display);
  }
  $this->consumerAdminConf['og_group']->useFirstAttrAsGroupId = 0;
  $this->consumerAdminConf['og_group']->status = 0;
  $this->consumerAdminConf['og_group']
    ->save();
  // Create a plain Drupal account, then attach the LDAP identity to it.
  $user = $this
    ->drupalCreateUser(array());
  $hpotter = $this->testFunctions
    ->drupalLdapUpdateUser(array(
    'name' => 'hpotter',
    'mail' => 'hpotter@hogwarts.edu',
  ), TRUE, $user);
  // 'query' appears to only derive authorizations without applying them
  // (contrast the 'set' calls further down) — confirm in
  // ldap_authorizations_user_authorizations().
  list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query');

  // just see if the correct ones are derived.
  // NOTE(review): $groups1 is assigned but never read again in this method.
  $groups1 = $new_authorizations['og_group'];

  // debug('ldap_authorizations_user_authorizations disabled:'); debug($new_authorizations);  debug($notifications);
  // With status=0 the consumer must yield an empty og_group set.
  $this
    ->assertTrue(count($new_authorizations['og_group']) == 0, 'disabled consumer configuration disallows authorizations.', 'LDAP_authorz.Flags.status.0');
  // Only $consumer_ids is used below (for the students/gryffindor lookup);
  // $roles_by_name is overwritten in the createConsumers section.
  list($group_nodes, $group_nids, $group_entity_ids, $roles_by_name, $consumer_ids) = $this
    ->getTestData(TRUE);
  // LDAP_authorz.Flags.status=1: re-enable and expect the fixture groups.
  $this->consumerAdminConf['og_group']->status = 1;
  $this->consumerAdminConf['og_group']
    ->save();
  list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query', 'og_group');

  // just see if the correct ones are derived.

  //debug('ldap_authorizations_user_authorizations enabled: '); debug($new_authorizations);  debug($notifications);
  // hpotter is expected to receive the students and gryffindor groups, keyed
  // by the consumer id for OG_AUTHENTICATED_ROLE.
  $correct_groups = !empty($new_authorizations['og_group'][$consumer_ids['students'][OG_AUTHENTICATED_ROLE]]) && !empty($new_authorizations['og_group'][$consumer_ids['gryffindor'][OG_AUTHENTICATED_ROLE]]);
  $this
    ->assertTrue($correct_groups, 'enabled consumer configuration allows authorizations.', 'LDAP_authorz.Flags.status.1');
  if (!$correct_groups) {
    debug('LDAP_authorz.Flags.enable.1 roles with enabled');
    debug($new_authorizations);
  }

  /**
   * LDAP_authorz.onlyLdapAuthenticated=1: create a normal (non-LDAP
   * authenticated) user and apply an authorization query. It should return
   * no groups, because the account has no ldap_user authmap entry.
   */
  $this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 1;
  $this->consumerAdminConf['og_group']->status = 1;
  $this->consumerAdminConf['og_group']
    ->save();
  $user = $this
    ->drupalCreateUser(array());
  $hgrainger = $this->testFunctions
    ->drupalLdapUpdateUser(array(
    'name' => 'hgrainger',
    'mail' => 'hgrainger@hogwarts.edu',
  ), TRUE, $user);

  // remove old authmap in case it exists so test will work
  // (without an ldap_user authmap row the user does not count as LDAP
  // authenticated, which is the condition this flag gates on).
  db_delete('authmap')
    ->condition('uid', $user->uid)
    ->condition('module', 'ldap_user')
    ->execute();
  list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hgrainger, 'query');

  // just see if the correct ones are derived.
  // Note the isset(): a missing 'og_group' key also fails this assertion, so
  // the consumer must still report an (empty) result, not be skipped.
  $success = isset($new_authorizations['og_group']) && count($new_authorizations['og_group']) == 0;
  $this
    ->assertTrue($success, ' only apply to ldap authenticated grants no roles for non ldap user.', 'LDAP_authorz.onlyLdapAuthenticated.1');
  if (!$success) {
    debug('LDAP_authorz.onlyLdapAuthenticated.1');
    debug($new_authorizations);
    debug($this->testFunctions
      ->ldapUserIsAuthmapped('hgrainger'));
    debug($notifications);
  }

  /**
   * LDAP_authorz.Flags.synchOnLogon - execute logon and check that no roles
   * are applied if disabled.
   *
   * NOTE(review): the assertions in this section only check that the login
   * succeeded ('Member for') and that the user is authmapped; nothing here
   * asserts on the roles/groups actually applied at logon for either
   * synchOnLogon value.
   */
  $this->consumerAdminConf['og_group']->synchOnLogon = 0;
  $this->consumerAdminConf['og_group']
    ->save();
  // Fixture credentials for the test LDAP user.
  $edit = array(
    'name' => 'hgrainger',
    'pass' => 'goodpwd',
  );
  $this
    ->drupalPost('user', $edit, t('Log in'));
  $this
    ->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.synchOnLogon.0');
  $this
    ->assertTrue($this->testFunctions
    ->ldapUserIsAuthmapped('hgrainger'), 'Ldap user properly authmapped.', 'LDAP_authorz.Flags.synchOnLogon.0');
  // Reloaded but not asserted on; $hgrainger is not read again below.
  $hgrainger = user_load_by_name('hgrainger');
  $this
    ->drupalGet('user/logout');
  $this->consumerAdminConf['og_group']->synchOnLogon = 1;
  $this->consumerAdminConf['og_group']
    ->save();
  $edit = array(
    'name' => 'hgrainger',
    'pass' => 'goodpwd',
  );
  $this
    ->drupalPost('user', $edit, t('Log in'));
  $this
    ->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.synchOnLogon=1');
  $hgrainger = user_load_by_name('hgrainger');
  $this
    ->drupalGet('user/logout');

  // create a couple roles for next 2 tests
  // (saved, then reloaded by name so that ->rid is populated).
  $troublemaker = new stdClass();
  $troublemaker->name = 'troublemaker';
  user_role_save($troublemaker);
  $troublemaker = user_role_load_by_name('troublemaker');
  $superadmin = new stdClass();
  $superadmin->name = 'superadmin';
  user_role_save($superadmin);
  $superadmin = user_role_load_by_name('superadmin');

  /**
   * LDAP_authorz.Flags.revokeLdapProvisioned: test flag for
   *   removing manually granted roles
   *
   *   $this->revokeLdapProvisioned == 1 : Revoke !consumer_namePlural previously granted by LDAP Authorization but no longer valid.
   *
   *   grant roles via ldap and some not via ldap manually,
   *   then alter ldap so they are no longer valid,
   *   then logon again and make sure the ldap provided roles are revoked and the drupal ones are not revoked
   *
   */
  $this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 0;
  $this->consumerAdminConf['og_group']->revokeLdapProvisioned = 1;
  $this->consumerAdminConf['og_group']->createConsumers = 1;
  $this->consumerAdminConf['og_group']
    ->save();

  // set correct roles manually
  // Start from a fresh hpotter account so no state from the status section
  // leaks into this one.
  $hpotter = user_load_by_name('hpotter');
  user_delete($hpotter->uid);
  $user = $this
    ->drupalCreateUser(array());
  $hpotter = $this->testFunctions
    ->drupalLdapUpdateUser(array(
    'name' => 'hpotter',
    'mail' => 'hpotter@hogwarts.edu',
  ), TRUE, $user);
  $edit = array(
    'name' => 'hpotter',
    'pass' => 'goodpwd',
  );
  $this
    ->drupalPost('user', $edit, t('Log in'));
  $this
    ->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.revokeLdapProvisioned=1');
  $hpotter = user_load_by_name('hpotter');

  // add an undeserved, ldap granted drupal role superadmin
  // and an undeserved, non ldap granted role troublemaker
  // Reset the entity cache (second arg TRUE) so the roles saved on login are
  // what we extend here.
  $hpotter = user_load($hpotter->uid, TRUE);
  $roles = $hpotter->roles;
  $roles[$troublemaker->rid] = $troublemaker->name;
  $roles[$superadmin->rid] = $superadmin->name;
  // Mark superadmin as LDAP-granted by seeding the per-user
  // ldap_authorizations record. Note the record is keyed by role *name*.
  $data = array(
    'roles' => $roles,
    'data' => array(
      'ldap_authorizations' => array(
        'og_group' => array(
          $superadmin->name => array(
            'date_granted' => 1304216778,
          ),
        ),
      ),
    ),
  );
  $hpotter = user_save($hpotter, $data);

  // apply correct authorizations.  should remove the superadmin role (seeded
  // above as ldap granted) but not the manually created 'troublemaker' role
  list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'og_group', 'logon');
  $hpotter = user_load($hpotter->uid, TRUE);
  // NOTE(review): the lookup here is by $superadmin->rid while the seeded
  // record above is keyed by $superadmin->name; confirm which key shape the
  // og_group consumer returns, otherwise this assertion passes vacuously.
  // Only $new_authorizations is checked; $hpotter->roles after reload is not.
  $this
    ->assertTrue(!isset($new_authorizations['og_group'][$superadmin->rid]), ' revoke superadmin ldap granted roles when no longer deserved.', 'LDAP_authorz.Flags.revokeLdapProvisioned=1');

  /**
   * LDAP_authorz.Flags.regrantLdapProvisioned
   * $this->regrantLdapProvisioned == 1 :
   *   Re grant !consumer_namePlural previously granted
   *   by LDAP Authorization but removed manually.
   *
   * - manually remove ldap granted role
   * - logon
   * - check if regranted
   */
  $this
    ->drupalGet('user/logout');
  $this->consumerAdminConf['og_group']->regrantLdapProvisioned = 1;
  $this->consumerAdminConf['og_group']
    ->save();
  // Manually strip the superadmin role, then run a 'set' on logon.
  $hpotter = user_load($hpotter->uid, TRUE);
  $roles = $hpotter->roles;
  unset($roles[$superadmin->rid]);
  user_save($hpotter, array(
    'roles' => $roles,
  ));
  $hpotter = user_load($hpotter->uid, TRUE);
  list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'og_group', 'logon');
  $hpotter = user_load($hpotter->uid, TRUE);
  // NOTE(review): this asserts that a role named 'administrator' is absent,
  // but no such role is created in this method (only troublemaker and
  // superadmin are); it does not assert that anything was re-granted, so it
  // cannot fail for the reason the message describes. Non-strict in_array.
  $success = !in_array('administrator', array_values($hpotter->roles));
  $this
    ->assertTrue($success, 'regrant Ldap Provisioned roles that were manually revoked', 'LDAP_authorz.Flags.regrantLdapProvisioned=1');
  if (!$success) {
    debug('LDAP_authorz.Flags.regrantLdapProvisioned=1');
    debug('hpotter roles');
    debug($hpotter->roles);
    debug('new_authorizations');
    debug($new_authorizations);
  }

  /**
   * LDAP_authorz.Flags.createConsumers=1
   *
   * Only runs when the consumer advertises 'allowConsumerObjectCreation';
   * the trailing "&& $og_group_consumer[...]" is redundant after !empty().
   */
  if (!empty($og_group_consumer['allowConsumerObjectCreation']) && $og_group_consumer['allowConsumerObjectCreation']) {

    //@todo.  this needs to be finished when creation of og groups is added to ldap authorization og functionality

    //add new mapping to and enable create consumers
    // Note this re-preps with the 'drupal_role_default' template, unlike the
    // 'og_group2' template used at the top of the method.
    $this
      ->prepTestData('hogwarts', array(
      $sid,
    ), 'provisionToDrupal', 'default', 'drupal_role_default');
    $this
      ->drupalGet('user/logout');
    $new_role = 'oompa-loompas';
    $this->consumerAdminConf['og_group']->createConsumers = 1;
    // Map the students group DN to a role that does not exist yet, so that
    // createConsumers has something to create at logon.
    $this->consumerAdminConf['og_group']->mappings[] = array(
      'from' => 'cn=students,ou=groups,dc=hogwarts,dc=edu',
      'user_entered' => $new_role,
      'normalized' => 'node:' . $new_role . ':' . OG_AUTHENTICATED_ROLE,
      'simplified' => $new_role,
      'valid' => TRUE,
      'error_message' => '',
    );
    $this->consumerAdminConf['og_group']
      ->save();
    $edit = array(
      'name' => 'hpotter',
      'pass' => 'goodpwd',
    );
    $this
      ->drupalPost('user', $edit, t('Log in'));
    // user_roles() is rid => name; flipping it gives name => rid.
    $new_role_created = in_array($new_role, array_values(user_roles()));
    $roles_by_name = array_flip(user_roles());
    $hpotter = user_load_by_name('hpotter');
    $hpotter = user_load($hpotter->uid, TRUE);
    // If the role was not created, $roles_by_name[$new_role] is an undefined
    // index (PHP notice) before the assertion below reports the failure.
    $role_granted = isset($hpotter->roles[$roles_by_name[$new_role]]);
    debug('roles');
    debug(user_roles());
    debug('roles by name');
    debug($roles_by_name);
    debug('hpotter->roles');
    debug($hpotter->roles);
    // Booleans interpolate as "1" or "" here, so a false prints as empty.
    debug("{$new_role_created} AND {$role_granted}");
    $this
      ->assertTrue($new_role_created && $role_granted, 'create consumers (e.g. roles)', 'LDAP_authorz.Flags.createConsumers=1');
  }
}