<?php
/**
* @file
* Ldap_authentication simpletests.
*/
// Pull in the shared LdapTestCase base class that the test class below extends.
module_load_include('php', 'ldap_test', 'LdapTestCase.class');
/**
*
*/
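class LdapAuthorizationBasicTests extends LdapTestCase {

  /**
   * Simpletest metadata for this test class.
   *
   * @return array
   *   'name', 'description' and 'group' as shown in the simpletest UI.
   */
  public static function getInfo() {
    return [
      'name' => 'LDAP Authorization Basic Tests',
      'description' => 'Test ldap authorization.',
      'group' => 'LDAP Authorization',
    ];
  }

  /**
   * Constructs the test case; only forwards the test id to the base class.
   *
   * @param mixed $test_id
   *   Simpletest run id, passed straight through to LdapTestCase::__construct().
   */
  public function __construct($test_id = NULL) {
    parent::__construct($test_id);
  }

  /**
   * Machine name of the module under test.
   *
   * Presumably read by the LdapTestCase helpers (prepTestData() etc.) - confirm.
   */
  public $module_name = 'ldap_authorization';

  /**
   * Fixture storage. Not read by any method in this class; LdapTestCase may
   * use it - verify before removing.
   */
  protected $ldap_test_data;

  /**
   * Enables the LDAP modules under test and switches the LDAP layer into
   * simpletest (fake server) mode.
   */
  public function setUp() {
    parent::setUp([
      'ldap_authentication',
      'ldap_authorization',
      'ldap_authorization_drupal_role',
      // Don't need any real servers configured, just the ldap_servers code base.
      'ldap_test',
    ]);
    // A value > 0 is what testSimpleStuff() checks for; testUIForms() deletes
    // this variable to get out of fake server mode.
    variable_set('ldap_simpletest', 2);
  }

  /**
   * Tears down the sandbox and removes the variables this test relies on.
   *
   * NOTE(review): the variable_del() calls run after parent::tearDown(). If the
   * base class has already switched back to the host site's database by then,
   * these delete host-site variables rather than sandbox ones - confirm against
   * LdapTestCase::tearDown().
   */
  public function tearDown() {
    parent::tearDown();
    variable_del('ldap_help_watchdog_detail');
    variable_del('ldap_simpletest');
  }

  /**
   * Test install, api functions, and simple authorizations granted on logon.
   *
   * Sections, in order:
   * - module setup sanity check;
   * - public API function signatures (parameter counts) unchanged;
   * - cron still runs with the module enabled;
   * - hpotter logs on and receives the expected roles;
   * - revokeLdapProvisioned=1 removes a role hpotter no longer deserves;
   * - regrantLdapProvisioned=0 does not re-add a manually removed role;
   * - regrantLdapProvisioned=1 does re-add it.
   */
  public function testSimpleStuff() {

    // Just to give a warning if setup doesn't succeed; may want to take these
    // out at some point.
    $setup_success = (
      module_exists('ldap_authentication') &&
      module_exists('ldap_servers') &&
      module_exists('ldap_authorization') &&
      module_exists('ldap_authorization_drupal_role') &&
      (variable_get('ldap_simpletest', 2) > 0)
    );
    $this->assertTrue($setup_success, ' ldap_authorizations setup successful', 'LDAP Authorization: Test Setup Success');

    // Function name => [total parameter count, required parameter count].
    $api_functions = [
      'ldap_authorization_get_consumer_object' => [1, 1],
      'ldap_authorization_get_consumers' => [3, 0],
      'ldap_authorizations_user_authorizations' => [4, 1],
    ];

    foreach ($api_functions as $api_function_name => $param_count) {
      list($expected_total, $expected_required) = $param_count;
      // Reflect only after confirming the function exists: constructing
      // ReflectionFunction on a missing name throws, which would abort the test
      // before the assertion was recorded and made the function_exists() check
      // in the original condition unreachable.
      $signature_unchanged = FALSE;
      if (function_exists($api_function_name)) {
        $reflector = new ReflectionFunction($api_function_name);
        $signature_unchanged = (
          $expected_required == $reflector->getNumberOfRequiredParameters() &&
          $expected_total == $reflector->getNumberOfParameters()
        );
      }
      $this->assertTrue($signature_unchanged, ' api function ' . $api_function_name . ' parameters and required parameters count unchanged.', 'LDAP Server: API Functions');
    }

    // Make sure ldap authorization doesn't break cron.
    $this->assertTrue(
      drupal_cron_run(),
      t('Cron can run with ldap authorization enabled.'),
      'LDAP Authorization: Cron Test'
    );

    // The rest of this method is geared toward testing logon functionality.
    $sid = 'activedirectory1';
    $sids = [$sid];
    $this->prepTestData(LDAP_TEST_LDAP_NAME, $sids, 'provisionToDrupal', 'default', 'drupal_role_default');

    // Logon form values reused for every hpotter logon below.
    $hpotter_logon_edit = [
      'name' => 'hpotter',
      'pass' => 'goodpwd',
    ];
    $this->drupalPost('user', $hpotter_logon_edit, t('Log in'));
    $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP Authorization: Test Logon');
    $this->assertTrue(
      $this->testFunctions->ldapUserIsAuthmapped('hpotter'),
      'Ldap user properly authmapped.',
      'LDAP Authorization: Test Logon'
    );

    // Role set must match exactly: nothing extra, nothing missing.
    $hpotter = $this->testFunctions->userByNameFlushingCache('hpotter');
    $roles = array_values($hpotter->roles);
    $desired_roles = ['students', 'authenticated user', 'cn=gryffindor,ou=groups,dc=hogwarts,dc=edu', 'cn=honors students,ou=groups,dc=hogwarts,dc=edu'];
    $unexpected_roles = array_diff($roles, $desired_roles);
    $missing_roles = array_diff($desired_roles, $roles);
    $correct_roles = (count($unexpected_roles) == 0 && count($missing_roles) == 0);
    $roles_display = implode(', ', $roles);
    if (!$correct_roles) {
      debug('hpotter roles'); debug($roles); debug('desired roles'); debug($desired_roles);
    }
    $this->assertTrue(
      $correct_roles,
      t('hpotter granted correct roles on actual logon: %roles', ['%roles' => $roles_display]),
      'LDAP Authorization: Test Logon for roles'
    );

    $this->drupalGet('user/logout');

    // Test revoking of no longer deserved roles when revokeLdapProvisioned=1.
    $this->consumerAdminConf['drupal_role']->revokeLdapProvisioned = 1;
    $this->consumerAdminConf['drupal_role']->save();

    // Setup: remove hpotter from honors students in the fake server data.
    // A second copy is kept untouched so the fixture can be restored afterwards.
    $test_data_pre_test = variable_get('ldap_test_server__' . $sid, NULL);
    $test_data = variable_get('ldap_test_server__' . $sid, NULL);

    $this->removeUserFromGroup($test_data, 'cn=hpotter,ou=people,dc=hogwarts,dc=edu', 'cn=honors students,ou=groups,dc=hogwarts,dc=edu', "dc=hogwarts,dc=edu");

    variable_set('ldap_test_server__' . $sid, $test_data);

    $this->drupalPost('user', $hpotter_logon_edit, t('Log in'));
    $hpotter = $this->testFunctions->userByNameFlushingCache('hpotter');
    $roles = array_values($hpotter->roles);

    $this->assertFalse(
      in_array('cn=honors students,ou=groups,dc=hogwarts,dc=edu', $roles, TRUE),
      'when revokeLdapProvisioned=1, removed role from user',
      'LDAP Authorization: Test Logon'
    );

    $this->assertTrue(
      empty($hpotter->data['ldap_authorizations']['drupal_role']['cn=honors students,ou=groups,dc=hogwarts,dc=edu']),
      'when revokeLdapProvisioned=1, removed user->data[ldap_authorizations][drupal_role][<role>]',
      'LDAP Authorization: Test Logon'
    );

    // Return test data to original state.
    variable_set('ldap_test_server__' . $sid, $test_data_pre_test);
    $this->drupalGet('user/logout');

    // Test regranting of removed roles (regrantLdapProvisioned = 0).
    $hpotter = $this->testFunctions->userByNameFlushingCache('hpotter');
    $this->consumerAdminConf['drupal_role']->regrantLdapProvisioned = 0;
    $this->consumerAdminConf['drupal_role']->save();
    $this->testFunctions->removeRoleFromUser($hpotter, "cn=gryffindor,ou=groups,dc=hogwarts,dc=edu");
    $this->drupalPost('user', $hpotter_logon_edit, t('Log in'));
    $hpotter = $this->testFunctions->userByNameFlushingCache('hpotter');
    $roles = array_values($hpotter->roles);

    $this->assertFalse(
      in_array("cn=gryffindor,ou=groups,dc=hogwarts,dc=edu", $roles, TRUE),
      'when regrantLdapProvisioned=0, did not regrant role on logon',
      'LDAP Authorization: Test Logon'
    );
    $this->assertTrue(
      !empty($hpotter->data['ldap_authorizations']['drupal_role']['cn=gryffindor,ou=groups,dc=hogwarts,dc=edu']),
      'when regrantLdapProvisioned=0, role is not regranted, but initial grant still remains in user->data[ldap_authorizations][drupal_role][<role>]',
      'LDAP Authorization: Test Logon'
    );
    $this->drupalGet('user/logout');

    // Test regranting of removed roles (regrantLdapProvisioned = 1).
    $this->consumerAdminConf['drupal_role']->regrantLdapProvisioned = 1;
    $this->consumerAdminConf['drupal_role']->save();
    $this->drupalPost('user', $hpotter_logon_edit, t('Log in'));
    $hpotter = $this->testFunctions->userByNameFlushingCache('hpotter');
    $roles = array_values($hpotter->roles);
    // Message corrected: this assertion is the regrantLdapProvisioned=1 case and
    // expects the role to be back.
    $this->assertTrue(
      in_array("cn=gryffindor,ou=groups,dc=hogwarts,dc=edu", $roles, TRUE),
      'when regrantLdapProvisioned=1, regranted role on logon',
      'LDAP Authorization: Test Logon'
    );
    $this->drupalGet('user/logout');

  }

  /**
   * Authorization configuration flags tests clumped together.
   *
   * Sections, in order, each keyed in assertion groups as LDAP_authorz.*:
   * - Flags.status=0: a disabled consumer configuration derives no roles
   *   (assertion currently commented out as broken; only debug output);
   * - onlyLdapAuthenticated=1: a non-LDAP account gets no roles from a query;
   * - Flags.synchOnLogon=0/1: logon still authenticates and authmaps;
   * - Flags.revokeLdapProvisioned=1: an undeserved LDAP-granted role is
   *   revoked while a manually granted one is kept;
   * - Flags.regrantLdapProvisioned=1: a manually removed LDAP role is regranted;
   * - Flags.createConsumers=1: a mapping to a not-yet-existing role creates it.
   */
  public function testFlags() {

    $sid = 'activedirectory1';
    $this->prepTestData(
      LDAP_TEST_LDAP_NAME,
      [$sid],
      'provisionToDrupal',
      'default',
      'drupal_role_default'
    );

    // LDAP_authorz.Flags.status=0: disable the ldap_authorization_drupal_role
    // configuration and make sure no authorizations are performed.
    $user = $this->drupalCreateUser([]);
    $hpotter = $this->testFunctions->drupalLdapUpdateUser(['name' => 'hpotter', 'mail' => 'hpotter@hogwarts.edu'], TRUE, $user);
    // Just see if the correct ones are derived while the consumer is enabled.
    list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query');
    $roles1 = $new_authorizations['drupal_role'];

    $this->consumerAdminConf['drupal_role']->status = 0;
    $this->consumerAdminConf['drupal_role']->save();

    // Same query with the consumer disabled.
    list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query', 'drupal_role');
    $roles2 = isset($new_authorizations['drupal_role']) ? $new_authorizations['drupal_role'] : [];
    // Not worried about which roles here, just that some are granted when
    // enabled and none when disabled.
    $correct_roles = (count($roles1) > 0 && count($roles2) == 0);

    /** @FIXME: Broken test
     * $this->assertTrue(
     *   $correct_roles,
     *   'disable consumer configuration disallows authorizations.',
     *   'LDAP_authorz.Flags.status.0'
     * );
     */
    if (!$correct_roles) {
      // Labels aligned with the (disabled) assertion group name above.
      debug('LDAP_authorz.Flags.status.0 roles with enabled'); debug($roles1);
      debug('LDAP_authorz.Flags.status.0 roles with disabled'); debug($roles2);
    }

    // LDAP_authorz.onlyLdapAuthenticated=1: create a normal (non-LDAP) user and
    // apply an authorization query; it should return no roles.
    $this->consumerAdminConf['drupal_role']->onlyApplyToLdapAuthenticated = 1;
    $this->consumerAdminConf['drupal_role']->status = 1;
    $this->consumerAdminConf['drupal_role']->save();

    $user = $this->drupalCreateUser([]);
    $hgrainger = $this->testFunctions->drupalLdapUpdateUser(['name' => 'hgrainger', 'mail' => 'hgrainger@hogwarts.edu'], TRUE, $user);

    // Remove the authmap in case it exists so the account counts as non-LDAP.
    db_delete('authmap')
      ->condition('uid', $user->uid)
      ->condition('module', 'ldap_user')
      ->execute();

    list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hgrainger, 'query');
    $roles = isset($new_authorizations['drupal_role']) ? $new_authorizations['drupal_role'] : [];
    $success = (count($roles) == 0);
    $this->assertTrue(
      $success,
      ' only apply to ldap authenticated grants no roles for non ldap user.',
      'LDAP_authorz.onlyLdapAuthenticated.1'
    );
    if (!$success) {
      debug('LDAP_authorz.onlyLdapAuthenticated.1');
      debug($roles);
      debug($this->testFunctions->ldapUserIsAuthmapped('hgrainger'));
      debug($new_authorizations);
      debug($notifications);
    }

    // LDAP_authorz.Flags.synchOnLogon: execute a logon with the flag off and
    // then on. NOTE(review): despite the original heading ("check that no roles
    // are applied if disabled") only authentication and authmapping are
    // asserted here; no role assertion exists for either flag value.
    $hgrainger_logon_edit = [
      'name' => 'hgrainger',
      'pass' => 'goodpwd',
    ];

    $this->consumerAdminConf['drupal_role']->synchOnLogon = 0;
    $this->consumerAdminConf['drupal_role']->save();
    $this->drupalPost('user', $hgrainger_logon_edit, t('Log in'));
    $this->assertText(
      t('Member for'),
      'New Ldap user with good password authenticated.',
      'LDAP_authorz.Flags.synchOnLogon.0'
    );
    $this->assertTrue(
      $this->testFunctions->ldapUserIsAuthmapped('hgrainger'),
      'Ldap user properly authmapped.',
      'LDAP_authorz.Flags.synchOnLogon.0'
    );
    $this->drupalGet('user/logout');

    $this->consumerAdminConf['drupal_role']->synchOnLogon = 1;
    $this->consumerAdminConf['drupal_role']->save();
    $this->drupalPost('user', $hgrainger_logon_edit, t('Log in'));
    $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.',
      'LDAP_authorz.Flags.synchOnLogon=1');
    $this->drupalGet('user/logout');

    // Create a couple of roles for the next 2 tests.
    $troublemaker = new stdClass();
    $troublemaker->name = 'troublemaker';
    user_role_save($troublemaker);
    $troublemaker = user_role_load_by_name('troublemaker');

    $superadmin = new stdClass();
    $superadmin->name = 'superadmin';
    user_role_save($superadmin);
    $superadmin = user_role_load_by_name('superadmin');

    // LDAP_authorz.Flags.revokeLdapProvisioned: test the flag for removing
    // roles that LDAP Authorization previously granted but that are no longer
    // valid ($this->revokeLdapProvisioned == 1).
    //
    // Grant a role via ldap and one manually (not via ldap), then alter the
    // account so the ldap one is no longer deserved, then re-apply
    // authorizations and make sure the ldap-provided role is revoked and the
    // manual one is not.
    $this->consumerAdminConf['drupal_role']->onlyApplyToLdapAuthenticated = 0;
    $this->consumerAdminConf['drupal_role']->revokeLdapProvisioned = 1;
    $this->consumerAdminConf['drupal_role']->createConsumers = 1;
    $this->consumerAdminConf['drupal_role']->save();
    // Start from a fresh hpotter account so earlier sections don't leak roles
    // into this one.
    $hpotter = user_load_by_name('hpotter');
    user_delete($hpotter->uid);
    $user = $this->drupalCreateUser([]);
    $hpotter = $this->testFunctions->drupalLdapUpdateUser(['name' => 'hpotter', 'mail' => 'hpotter@hogwarts.edu'], TRUE, $user);
    $hpotter_logon_edit = [
      'name' => 'hpotter',
      'pass' => 'goodpwd',
    ];
    $this->drupalPost('user', $hpotter_logon_edit, t('Log in'));
    $this->assertText(
      t('Member for'),
      'New Ldap user with good password authenticated.',
      'LDAP_authorz.Flags.revokeLdapProvisioned=1'
    );
    $hpotter = user_load_by_name('hpotter');

    // Add an undeserved, ldap granted drupal role superadmin
    // and an undeserved, non ldap granted role troublemaker.
    $hpotter = user_load($hpotter->uid, TRUE);
    $roles = $hpotter->roles;
    $roles[$troublemaker->rid] = $troublemaker->name;
    $roles[$superadmin->rid] = $superadmin->name;

    // Recording superadmin under data[ldap_authorizations][drupal_role] is what
    // marks it as "granted by LDAP" so that revokeLdapProvisioned applies to it.
    $data = [
      'roles' => $roles,
      'data' => [
        'ldap_authorizations' => [
          'drupal_role' => [
            $superadmin->name => ['date_granted' => 1304216778],
          ],
        ],
      ],
    ];
    $hpotter = user_save($hpotter, $data);

    // Apply correct authorizations: should remove the superadmin role but not
    // the manually created 'troublemaker' role.
    list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'drupal_role', 'logon');

    $hpotter = user_load($hpotter->uid, TRUE);
    // The original check looked up $new_authorizations['drupal_role'] by rid,
    // while the grants this file writes and reads are keyed by role name, so it
    // very likely never matched and the assertion passed vacuously. Assert on
    // the reloaded account's roles (keyed by rid) instead.
    $superadmin_revoked = !isset($hpotter->roles[$superadmin->rid]);
    $troublemaker_kept = isset($hpotter->roles[$troublemaker->rid]);
    $this->assertTrue(
      $superadmin_revoked,
      ' revoke superadmin ldap granted roles when no longer deserved.',
      'LDAP_authorz.Flags.revokeLdapProvisioned=1'
    );
    $this->assertTrue(
      $troublemaker_kept,
      ' keep manually granted troublemaker role when revoking ldap roles.',
      'LDAP_authorz.Flags.revokeLdapProvisioned=1'
    );
    if (!($superadmin_revoked && $troublemaker_kept)) {
      debug('LDAP_authorz.Flags.revokeLdapProvisioned=1');
      debug('hpotter roles'); debug($hpotter->roles);
      debug('new_authorizations'); debug($new_authorizations);
    }

    // LDAP_authorz.Flags.regrantLdapProvisioned
    // $this->regrantLdapProvisioned == 1: re-grant roles previously granted by
    // LDAP Authorization but removed manually.
    //
    // - manually remove ldap granted role
    // - logon
    // - check if regranted
    //
    // NOTE(review): as written this section is vacuous - no 'administrator'
    // role is created anywhere in this test, so $success is always TRUE, and
    // the role removed manually (superadmin) is one the previous section expects
    // to have been revoked already. A meaningful check would remove a role
    // hpotter does deserve and assert it is back in $hpotter->roles after the
    // 'set' call. Left unchanged because the deserved role names for this
    // fixture are not established here.
    $this->drupalGet('user/logout');
    $this->consumerAdminConf['drupal_role']->regrantLdapProvisioned = 1;
    $this->consumerAdminConf['drupal_role']->save();
    $hpotter = user_load($hpotter->uid, TRUE);
    $roles = $hpotter->roles;
    unset($roles[$superadmin->rid]);
    user_save($hpotter, ['roles' => $roles]);
    $hpotter = user_load($hpotter->uid, TRUE);
    list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'drupal_role', 'logon');
    $hpotter = user_load($hpotter->uid, TRUE);
    $success = !in_array('administrator', array_values($hpotter->roles), TRUE);

    $this->assertTrue(
      $success,
      'regrant Ldap Provisioned roles that were manually revoked',
      'LDAP_authorz.Flags.regrantLdapProvisioned=1'
    );
    if (!$success) {
      debug('LDAP_authorz.Flags.regrantLdapProvisioned=1');
      debug('hpotter roles'); debug($hpotter->roles);
      debug('new_authorizations'); debug($new_authorizations);
    }

    // LDAP_authorz.Flags.createConsumers=1
    // Add a new mapping to a role that does not exist yet and enable create
    // consumers; logon should create the role and grant it.
    $this->prepTestData(LDAP_TEST_LDAP_NAME, [$sid], 'provisionToDrupal', 'default', 'drupal_role_default');
    $this->drupalGet('user/logout');
    $new_role = 'oompa-loompas';
    $this->consumerAdminConf['drupal_role']->createConsumers = 1;
    $this->consumerAdminConf['drupal_role']->mappings[] = [
      'from' => 'cn=students,ou=groups,dc=hogwarts,dc=edu',
      'user_entered' => $new_role,
      'normalized' => $new_role,
      'simplified' => $new_role,
      'valid' => TRUE,
      'error_message' => '',
    ];
    $this->consumerAdminConf['drupal_role']->save();

    $this->drupalPost('user', $hpotter_logon_edit, t('Log in'));

    $new_role_created = in_array($new_role, array_values(user_roles()), TRUE);
    $roles_by_name = array_flip(user_roles());
    $hpotter = user_load_by_name('hpotter');
    $hpotter = user_load($hpotter->uid, TRUE);
    // Guard the lookup: if the role was never created, $roles_by_name[$new_role]
    // is undefined and would raise a notice instead of a clean test failure.
    $role_granted = $new_role_created && isset($hpotter->roles[$roles_by_name[$new_role]]);

    $this->assertTrue(
      ($new_role_created && $role_granted),
      'create consumers (e.g. roles)',
      'LDAP_authorz.Flags.createConsumers=1'
    );

    if (!($new_role_created && $role_granted)) {
      debug('roles'); debug(user_roles());
      debug('roles by name'); debug($roles_by_name);
      debug('hpotter->roles'); debug($hpotter->roles);
      debug("new role desired: $new_role");
      debug("$new_role_created AND $role_granted");
    }

  }

  /**
   * Exercises the consumer configuration admin forms (add, update, delete).
   *
   * Currently disabled: the early return below skips the whole body, so
   * everything after it is unreachable until the TODO is resolved.
   */
  public function testUIForms() {
    // TODO: Fix failing tests, excluding to make branch pass.
    return;

    $ldap_simpletest_initial = variable_get('ldap_simpletest', 2);
    // Need to be out of fake server mode to test the UI; restored at the end.
    variable_del('ldap_simpletest');

    $sid = 'activedirectory1';
    $this->prepTestData(LDAP_TEST_LDAP_NAME, [$sid], 'provisionToDrupal', 'default');

    // Persist the fixture server so the admin UI has something to edit.
    ldap_servers_module_load_include('php', 'ldap_servers', 'LdapServerAdmin.class');
    $ldap_server = new LdapServerAdmin($sid);

    $server_properties = $this->testFunctions->data['ldap_servers'][$sid]['properties'];
    foreach ($server_properties as $property => $value) {
      $ldap_server->{$property} = $value;
    }
    $ldap_server->save('add');

    // Form input name => [value for dataset 0, value for dataset 1].
    $consumer_form_data = [
      'sid' => ['activedirectory1', 'activedirectory1'],
      'status' => [TRUE, TRUE],
      'only_ldap_authenticated' => [FALSE, TRUE],
      'use_first_attr_as_groupid' => [FALSE, TRUE],
      'mappings' => ["a|b", "a|b"],
      'use_filter' => [FALSE, TRUE],
      'synchronization_modes[user_logon]' => [TRUE, FALSE],
      'synchronization_actions[revoke_ldap_provisioned]' => [TRUE, FALSE],
      'synchronization_actions[regrant_ldap_provisioned]' => [FALSE, TRUE],
      'synchronization_actions[create_consumers]' => [TRUE, FALSE],
    ];

    $this->privileged_user = $this->drupalCreateUser(['administer site configuration']);
    $this->drupalLogin($this->privileged_user);
    $ldap_server = ldap_servers_get_servers('activedirectory1', NULL, TRUE, TRUE);
    // This is just for debugging to show the server.
    $this->drupalGet('admin/config/people/ldap/servers/edit/activedirectory1');
    $ldap_server_admin = new LdapServerAdmin($sid);

    if (!is_array($ldap_server_admin->basedn)) {
      // NOTE(review): unserialize() on a stored value with '@' error
      // suppression. The value was written by the fixture save above, but any
      // decode failure is silently turned into FALSE; an explicit is_string()
      // check and an unsuppressed call would surface a corrupt basedn instead.
      $ldap_server_admin->basedn = @unserialize($ldap_server_admin->basedn);
      $ldap_server_admin->save('update');
      $ldap_server_admin = new LdapServerAdmin($sid);
    }
    $this->drupalGet('admin/config/people/ldap/servers/edit/activedirectory1');

    // Only dataset 0, only the drupal_role consumer and only with ctools enabled
    // are exercised at present; the loops are kept so more cases can be added.
    foreach ([0] as $i) {
      foreach (['drupal_role'] as $consumer_type) {
        // May want to put this back in after ctools requirement is fixed.
        foreach ([1] as $ctools_enabled) {
          $this->ldapTestId = "testUIForms.$i.$consumer_type.ctools.$ctools_enabled";
          if ($ctools_enabled) {
            module_enable(['ctools']);
          }
          else {
            module_disable(['ctools']);
          }

          $lcase_transformed = [];

          // Add consumer conf test.
          $this->drupalGet('admin/config/people/ldap/authorization/add/' . $consumer_type);

          $edit = [];
          foreach ($consumer_form_data as $input_name => $input_values) {
            $edit[$input_name] = $input_values[$i];
          }

          $this->drupalPost('admin/config/people/ldap/authorization/add/' . $consumer_type, $edit, t('Add'));
          $field_to_prop_map = LdapAuthorizationConsumerConf::field_to_properties_map();
          $ldap_consumer = ldap_authorization_get_consumer_object($consumer_type);
          $this->assertTrue(is_object($ldap_consumer), 'ldap consumer conf loaded after add-save', $this->ldapTestId . ' Add consumer configuration');
          // Assert the loaded consumer has the correct property for each input.
          $mismatches = $this->compareFormToProperties($ldap_consumer, $consumer_form_data, $i, $field_to_prop_map, $lcase_transformed);
          if (count($mismatches)) {
            debug('mismatches between ldap server properties and form submitted values');
            debug($mismatches);
            debug($consumer_form_data);
          }
          $this->assertTrue(count($mismatches) == 0, 'Add form for ldap consumer properties match values submitted.', $this->ldapTestId . ' Add consumer conf');

          // Update consumer conf test.
          $this->drupalGet('admin/config/people/ldap/authorization/edit/' . $consumer_type);

          $edit = [];
          foreach ($consumer_form_data as $input_name => $input_values) {
            if ($input_values[$i] !== NULL) {
              $edit[$input_name] = $input_values[$i];
            }
          }

          // 'sid' is not editable on the update form.
          unset($edit['sid']);
          $this->drupalPost('admin/config/people/ldap/authorization/edit/' . $consumer_type, $edit, t('Save'));
          $ldap_consumer = ldap_authorization_get_consumer_object($consumer_type);
          $this->assertTrue(is_object($ldap_consumer), 'ldap consumer conf loaded after edit-save', $this->ldapTestId . ' update consumer configuration');

          $mismatches = $this->compareFormToProperties($ldap_consumer, $consumer_form_data, $i, $field_to_prop_map, $lcase_transformed);
          if (count($mismatches)) {
            debug('mismatches between ldap server properties and form submitted values');
            debug($mismatches);
            debug($consumer_form_data);
          }
          $this->assertTrue(count($mismatches) == 0, 'Update form for ldap server properties match values submitted.', $this->ldapTestId . '.Update consumer conf');

          // Delete consumer conf test.
          $this->drupalGet('admin/config/people/ldap/authorization/delete/' . $consumer_type);
          $this->drupalPost('admin/config/people/ldap/authorization/delete/' . $consumer_type, [], t('Delete'));
          // Reset the ctools export cache so the reload reflects the deletion.
          ctools_include('export');
          ctools_export_load_object_reset('ldap_authorization');
          $consumer_conf = ldap_authorization_get_consumer_conf($consumer_type);
          $pass = (is_object($consumer_conf) && $consumer_conf->inDatabase === FALSE);
          $this->assertTrue($pass, 'Delete form for consumer conf deleted conf.', $this->ldapTestId . '.Delete consumer conf');
          if (!$pass) {
            debug('ldap consumer after delete. is_object=' . is_object($consumer_conf));
            // Parenthesised: '.' binds tighter than '?:', so the original
            // concatenated first and then tested the resulting string. It also
            // tested $ldap_consumer while dereferencing $consumer_conf; the
            // remaining property reads are guarded for the same reason.
            debug('inDatabase?' . (is_object($consumer_conf) ? $consumer_conf->inDatabase : '?'));
            if (is_object($consumer_conf)) {
              debug("numericConsumerConfId" . $consumer_conf->numericConsumerConfId);
              debug("status" . $consumer_conf->status);
              debug("sid" . $consumer_conf->sid);
            }
          }
        }
      }
    }
    // Return to fake server mode.
    variable_set('ldap_simpletest', $ldap_simpletest_initial);
  }

}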