1
|
<?php
|
2
|
|
3
|
/**
|
4
|
* @file
|
5
|
* Simpletest for Ldap Authorization OG Module, for og 7.x-2.x.
|
6
|
*/
|
7
|
|
8
|
drupal_load('module', 'ldap_test');
|
9
|
module_load_include('php', 'ldap_test', 'LdapTestCase.class');
|
10
|
require_once drupal_get_path('module', 'ldap_authorization_og') . '/LdapAuthorizationConsumerOG.class.php';
|
11
|
|
12
|
/**
|
13
|
* Simpletest for Ldap Authorization OG Module, for og 7.x-2.x.
|
14
|
*
|
15
|
* Manual testing to accompany simpletests:
|
16
|
* - logon with og authorization disabled and make sure nothing happens
|
17
|
* - logon with og authorization enabled and make sure admin and member group memberships granted
|
18
|
* - change mappings so no roles granted
|
19
|
* - logon and make sure memberships revoked.
|
20
|
*/
|
21
|
class LdapAuthorizationOg2Tests extends LdapTestCase {
|
22
|
|
23
|
public $groupEntityType = 'node';
|
24
|
public $groupBundle = 'group';
|
25
|
public $groupType = 'node';
|
26
|
public $group_content_type = NULL;
|
27
|
public $group_nodes = [];
|
28
|
public $user1;
|
29
|
public $consumerType = 'og_group';
|
30
|
public $module_name = 'ldap_authorization_og';
|
31
|
protected $ldap_test_data;
|
32
|
public $customOgRoles = [
|
33
|
'dungeon-master' => ['entity_type' => 'node', 'bundle_type' => 'group'],
|
34
|
'time-keeper' => ['entity_type' => 'node', 'bundle_type' => 'group'],
|
35
|
];
|
36
|
|
37
|
/**
|
38
|
*
|
39
|
*/
|
40
|
public static function getInfo() {
|
41
|
return [
|
42
|
'group' => 'LDAP Authorization',
|
43
|
'name' => 'OG 7.x-2.x Tests.',
|
44
|
'description' => 'Test ldap authorization og 2.',
|
45
|
];
|
46
|
}
|
47
|
|
48
|
/**
|
49
|
*
|
50
|
*/
|
51
|
public function __construct($test_id = NULL) {
|
52
|
parent::__construct($test_id);
|
53
|
}
|
54
|
|
55
|
/**
|
56
|
*
|
57
|
*/
|
58
|
public function setUp($addl_modules = []) {
|
59
|
parent::setUp(['ldap_authentication', 'ldap_authorization', 'ldap_authorization_og']);
|
60
|
variable_set('ldap_simpletest', 2);
|
61
|
|
62
|
$this->user1 = $this->drupalCreateUser();
|
63
|
$this->groups = [];
|
64
|
$this->prepTestData(LDAP_TEST_LDAP_NAME, ['activedirectory1']);
|
65
|
|
66
|
// Create group and group content node types.
|
67
|
$this->groupBundle = $this->drupalCreateContentType([
|
68
|
'type' => 'group',
|
69
|
'name' => 'OG Group',
|
70
|
])->type;
|
71
|
|
72
|
og_create_field(OG_GROUP_FIELD, $this->groupEntityType, $this->groupBundle);
|
73
|
og_create_field(OG_AUDIENCE_FIELD, $this->groupEntityType, $this->groupBundle);
|
74
|
|
75
|
// Create og group for each group in group csv.
|
76
|
$this->testFunctions->populateFakeLdapServerData(LDAP_TEST_LDAP_NAME, 'activedirectory1');
|
77
|
$this->testFunctions->getCsvLdapData(LDAP_TEST_LDAP_NAME);
|
78
|
foreach ($this->testFunctions->csvTables['groups'] as $guid => $group) {
|
79
|
$label = $group['cn'];
|
80
|
$settings = [];
|
81
|
$settings['type'] = $this->groupBundle;
|
82
|
$settings[OG_GROUP_FIELD][LANGUAGE_NONE][0]['value'] = 1;
|
83
|
$settings['uid'] = $this->user1->uid;
|
84
|
$settings['title'] = $label;
|
85
|
$settings['type'] = 'group';
|
86
|
$this->group_nodes[$label] = $this->drupalCreateNode($settings);
|
87
|
}
|
88
|
|
89
|
}
|
90
|
|
91
|
/**
|
92
|
*
|
93
|
*/
|
94
|
public function createCustomRoles() {
|
95
|
|
96
|
foreach ($this->customOgRoles as $og_role_name => $og_role) {
|
97
|
$role = new stdClass();
|
98
|
$role->gid = 0;
|
99
|
$role->group_type = $og_role['entity_type'];
|
100
|
$role->group_bundle = $og_role['bundle_type'];
|
101
|
$role->name = $og_role_name;
|
102
|
$status = og_role_save($role);
|
103
|
}
|
104
|
|
105
|
}
|
106
|
|
107
|
/**
|
108
|
* Get test data in convenient format, so tests are easier to read and write.
|
109
|
*/
|
110
|
public function getTestData($debug = FALSE) {
|
111
|
$group_nodes = [];
|
112
|
$group_nids = [];
|
113
|
$group_entity_ids = [];
|
114
|
$roles = [];
|
115
|
$roles_by_name = [];
|
116
|
$consumer_ids = [];
|
117
|
foreach (['gryffindor', 'students', 'faculty', 'users', 'hufflepuff', 'slytherin'] as $i => $group_name) {
|
118
|
list($group_nodes[$group_name], $group_entity_ids[$group_name]) = ldap_authorization_og2_get_group_from_name($this->groupEntityType, $group_name);
|
119
|
$nid = $group_nodes[$group_name]->nid;
|
120
|
$group_nids[$group_name] = $nid;
|
121
|
$roles[$group_name] = og_roles($this->groupEntityType, $this->groupBundle, $nid, FALSE, TRUE);
|
122
|
$roles_by_name[$group_name] = array_flip($roles[$group_name]);
|
123
|
foreach ($roles[$group_name] as $rid => $role_name) {
|
124
|
$consumer_ids[$group_name][$role_name] = ldap_authorization_og_authorization_id($nid, $rid, 'node');
|
125
|
$consumer_ids[$group_name][$rid] = ldap_authorization_og_authorization_id($nid, $rid, 'node');
|
126
|
}
|
127
|
}
|
128
|
if ($debug) {
|
129
|
debug("group_nids"); debug($group_nids); debug("group_entity_ids"); debug($group_entity_ids); debug("roles"); debug($roles); debug("roles_by_name"); debug($roles_by_name);
|
130
|
}
|
131
|
return [$group_nodes, $group_nids, $group_entity_ids, $roles_by_name, $consumer_ids];
|
132
|
}
|
133
|
|
134
|
/**
|
135
|
* Just make sure install succeeds and.
|
136
|
*/
|
137
|
public function testBasicFunctionsAndApi() {
|
138
|
// TODO: Fix failing tests, excluding to make branch pass.
|
139
|
return;
|
140
|
|
141
|
$this->createCustomRoles();
|
142
|
$all_roles = og_roles($this->groupEntityType, $this->groupBundle, 0, FALSE, TRUE);
|
143
|
|
144
|
$this->ldapTestId = $this->module_name . ': setup success';
|
145
|
// Just to give warning if setup doesn't succeed. may want to take these out at some point.
|
146
|
$setup_success = (
|
147
|
module_exists('ldap_authentication') &&
|
148
|
module_exists('ldap_servers') &&
|
149
|
module_exists('ldap_user') &&
|
150
|
module_exists('ldap_authorization') &&
|
151
|
module_exists('ldap_authorization_og') &&
|
152
|
(variable_get('ldap_simpletest', 0) == 2)
|
153
|
);
|
154
|
$this->assertTrue($setup_success, ' ldap_authorizations og setup successful', $this->ldapTestId);
|
155
|
|
156
|
$this->ldapTestId = $this->module_name . ': cron test';
|
157
|
$this->assertTrue(drupal_cron_run(), t('Cron can run with ldap authorization og enabled.'), $this->ldapTestId);
|
158
|
|
159
|
/***
|
160
|
* I. some basic tests to make sure og module's apis are working before testing ldap_authorization_og
|
161
|
* if these aren't working as expected, no ldap authorization og functionality will work.
|
162
|
*/
|
163
|
|
164
|
$web_user = $this->drupalCreateUser();
|
165
|
$this->ldapTestId = $this->module_name . ': og2 functions';
|
166
|
list($group_nodes, $group_nids, $group_entity_ids, $roles_by_name, $consumer_ids) = $this->getTestData(TRUE);
|
167
|
|
168
|
/**
|
169
|
* II.0 basic granting tests to make sure og_role_grant, ldap_authorization_og_rid_from_role_name,
|
170
|
* and ldap_authorization_og2_get_group functions work
|
171
|
* og_is_member($group_type, $gid, $entity_type = 'user', $entity = NULL, $states = array(OG_STATE_ACTIVE))
|
172
|
*/
|
173
|
|
174
|
$values = [
|
175
|
'entity_type' => 'user',
|
176
|
'entity' => $web_user->uid,
|
177
|
'field_name' => FALSE,
|
178
|
'state' => OG_STATE_ACTIVE,
|
179
|
];
|
180
|
$og_gryffindor_membership = og_group($this->groupType, $group_nids['gryffindor'], $values);
|
181
|
$og_faculty_membership = og_group($this->groupType, $group_nids['faculty'], $values);
|
182
|
|
183
|
og_role_grant($this->groupType, $group_nids['gryffindor'], $web_user->uid, $roles_by_name['gryffindor'][OG_AUTHENTICATED_ROLE]);
|
184
|
og_role_grant($this->groupType, $group_nids['faculty'], $web_user->uid, $roles_by_name['faculty'][OG_ADMINISTRATOR_ROLE]);
|
185
|
og_role_grant($this->groupType, $group_nids['faculty'], $web_user->uid, $roles_by_name['faculty']['dungeon-master']);
|
186
|
og_role_grant($this->groupType, $group_nids['faculty'], $web_user->uid, $roles_by_name['faculty'][OG_AUTHENTICATED_ROLE]);
|
187
|
|
188
|
// Need to reload because of issue with og_group and og_role_grant.
|
189
|
$web_user = user_load($web_user->uid, TRUE);
|
190
|
$ids = [$web_user->uid];
|
191
|
$user_entity = entity_load('user', $ids);
|
192
|
|
193
|
$this->assertTrue(og_is_member($this->groupType, $group_nids['gryffindor'], 'user', $web_user),
|
194
|
'User is member of Group gryffindor without LDAP (based on og_is_member() function)', $this->ldapTestId);
|
195
|
|
196
|
$this->assertTrue(og_is_member($this->groupType, $group_nids['faculty'], 'user', $web_user),
|
197
|
'User is member of Group faculty without LDAP (based on og_is_member() function)', $this->ldapTestId);
|
198
|
|
199
|
$this->assertTrue(ldap_authorization_og2_has_role($this->groupType, $group_nids['gryffindor'], $web_user->uid, OG_AUTHENTICATED_ROLE),
|
200
|
'User is member of Group gryffindor without LDAP (based on dap_authorization_og_has_role() function)', $this->ldapTestId);
|
201
|
|
202
|
$this->assertTrue(ldap_authorization_og2_has_role($this->groupType, $group_nids['faculty'], $web_user->uid, OG_AUTHENTICATED_ROLE),
|
203
|
'User is member of Group faculty without LDAP (based on ldap_authorization_og2_has_role() function)', $this->ldapTestId);
|
204
|
|
205
|
$this->assertTrue(ldap_authorization_og2_has_role($this->groupType, $group_nids['faculty'], $web_user->uid, OG_ADMINISTRATOR_ROLE),
|
206
|
'User is administrator member of Group faculty without LDAP (based on dap_authorization_og_has_role() function)', $this->ldapTestId);
|
207
|
|
208
|
/***
|
209
|
* II.A. construct ldapauthorization og object and test methods.
|
210
|
* (unit tests for methods and class without any ldap user context).
|
211
|
*/
|
212
|
// .
|
213
|
$this->ldapTestId = $this->module_name . ': LdapAuthorizationConsumerOG class';
|
214
|
$og_auth = new LdapAuthorizationConsumerOG('og_group');
|
215
|
$this->assertTrue(is_object($og_auth), 'Successfully instantiated LdapAuthorizationConsumerOG', $this->ldapTestId);
|
216
|
$this->assertTrue($og_auth->consumerType == 'og_group',
|
217
|
'LdapAuthorizationConsumerOG ConsumerType set properly', $this->ldapTestId);
|
218
|
|
219
|
$this->assertTrue($og_auth->hasAuthorization($web_user, ldap_authorization_og_authorization_id($group_nids['faculty'], $roles_by_name['faculty'][OG_ADMINISTRATOR_ROLE], 'node')),
|
220
|
'hasAuthorization() method works for non LDAP provisioned og authorization, faculty admin role', $this->ldapTestId);
|
221
|
|
222
|
$should_haves = [
|
223
|
$consumer_ids['gryffindor'][OG_AUTHENTICATED_ROLE] => 'gryffindor member',
|
224
|
$consumer_ids['faculty'][OG_AUTHENTICATED_ROLE] => 'faculty member',
|
225
|
$consumer_ids['faculty'][OG_ADMINISTRATOR_ROLE] => 'faculty admin',
|
226
|
$consumer_ids['faculty']['dungeon-master'] => 'faculty dungeon master',
|
227
|
];
|
228
|
|
229
|
foreach ($should_haves as $consumer_id => $descriptor) {
|
230
|
$this->assertTrue(ldap_authorization_og2_has_consumer_id($consumer_id, $web_user->uid),
|
231
|
"LdapAuthorizationConsumerOG usersAuthorizations() for $descriptor - $consumer_id", $this->ldapTestId);
|
232
|
}
|
233
|
|
234
|
$ldap_entry = NULL;
|
235
|
$user_data = [];
|
236
|
$web_user = user_load($web_user->uid, TRUE);
|
237
|
|
238
|
$this->assertTrue(ldap_authorization_og2_has_consumer_id($consumer_ids['faculty']['dungeon-master'], $web_user->uid),
|
239
|
"LdapAuthorizationConsumerOG has faculty member role BEFORE authorizationRevoke() test revoke on member role " . $consumer_ids['faculty']['dungeon-master'], $this->ldapTestId);
|
240
|
|
241
|
$web_user = user_load($web_user->uid, TRUE);
|
242
|
$consumers = [$consumer_ids['faculty']['dungeon-master'] => $og_auth->emptyConsumer];
|
243
|
$og_auth->authorizationRevoke($web_user, $user_data, $consumers, $ldap_entry, TRUE);
|
244
|
$result = ldap_authorization_og2_has_consumer_id($consumer_ids['faculty']['dungeon-master'], $web_user->uid);
|
245
|
$this->assertFalse($result,
|
246
|
"LdapAuthorizationConsumerOG authorizationRevoke() test revoke on member role " . $consumer_ids['faculty']['dungeon-master'], $this->ldapTestId);
|
247
|
|
248
|
$web_user = user_load($web_user->uid, TRUE);
|
249
|
$consumers = [$consumer_ids['faculty']['dungeon-master'] => $og_auth->emptyConsumer];
|
250
|
$og_auth->authorizationRevoke($web_user, $user_data, $consumers, $ldap_entry, TRUE);
|
251
|
$this->assertFalse(ldap_authorization_og2_has_consumer_id($consumer_ids['faculty']['dungeon-master'], $web_user->uid),
|
252
|
"LdapAuthorizationConsumerOG authorizationRevoke() test revoke on custom member role role " . $consumer_ids['faculty']['dungeon-master'], $this->ldapTestId);
|
253
|
|
254
|
$web_user = user_load($web_user->uid, TRUE);
|
255
|
$initial_user_authorizations = $og_auth->usersAuthorizations($web_user, TRUE, TRUE);
|
256
|
debug("initial_user_authorizations authorizations:"); debug($initial_user_authorizations);
|
257
|
debug("initial_user data:"); debug($web_user->data);
|
258
|
$og_auth->authorizationGrant($web_user, $user_data, [$consumer_ids['students'][OG_AUTHENTICATED_ROLE] => $og_auth->emptyConsumer], $ldap_entry, TRUE);
|
259
|
$success = ldap_authorization_og2_has_consumer_id($consumer_ids['students'][OG_AUTHENTICATED_ROLE], $web_user->uid);
|
260
|
$this->assertTrue($success, "LdapAuthorizationConsumerOG authorizationGrant() test grant on member role " . $consumer_ids['students'][OG_AUTHENTICATED_ROLE], $this->ldapTestId);
|
261
|
if (!$success) {
|
262
|
debug([$user_data, [$consumer_ids['students'][OG_AUTHENTICATED_ROLE] => $og_auth->emptyConsumer]]);
|
263
|
debug("user authorizations:"); debug($og_auth->usersAuthorizations($web_user, TRUE));
|
264
|
}
|
265
|
$web_user = user_load($web_user->uid, TRUE);
|
266
|
$result = $og_auth->authorizationRevoke($web_user, $user_data, ['node:454:44334' => $og_auth->emptyConsumer], $ldap_entry, TRUE);
|
267
|
$this->assertFalse($result,
|
268
|
'LdapAuthorizationConsumerOG authorizationRevoke() test revoke of bogus authorization', $this->ldapTestId);
|
269
|
|
270
|
$web_user = user_load($web_user->uid, TRUE);
|
271
|
$result = $og_auth->authorizationGrant($web_user, $user_data, ['node:454:44334' => $og_auth->emptyConsumer], $ldap_entry, TRUE);
|
272
|
$this->assertFalse($result,
|
273
|
'LdapAuthorizationConsumerOG authorizationGrant() test grant of bogus authorization', $this->ldapTestId);
|
274
|
|
275
|
$web_user = user_load($web_user->uid, TRUE);
|
276
|
$result = $og_auth->authorizationRevoke($web_user, $user_data, ['bogusformat'], $ldap_entry, TRUE);
|
277
|
$this->assertFalse($result,
|
278
|
'LdapAuthorizationConsumerOG authorizationRevoke() test revoke malformed params', $this->ldapTestId);
|
279
|
|
280
|
$web_user = user_load($web_user->uid, TRUE);
|
281
|
$result = $og_auth->authorizationGrant($web_user, $user_data, ['bogusformat'], $ldap_entry, TRUE);
|
282
|
$this->assertFalse($result,
|
283
|
'LdapAuthorizationConsumerOG authorizationGrant() test grant malformed params', $this->ldapTestId);
|
284
|
|
285
|
/***
|
286
|
* II.B. Also test function in ldap_authorization_og.module
|
287
|
*/
|
288
|
|
289
|
list($students_group, $group_entity_id) = ldap_authorization_og2_get_group_from_name('node', 'students');
|
290
|
$this->assertTrue($students_group->title == 'students', 'ldap_authorization_og2_get_group_from_name() function works', $this->ldapTestId);
|
291
|
|
292
|
$test = ldap_authorization_og2_has_role($this->groupType, $group_nids['gryffindor'], $web_user->uid, OG_ADMINISTRATOR_ROLE);
|
293
|
$this->assertTrue($test, 'ldap_authorization_og2_has_role() function works', $this->ldapTestId);
|
294
|
|
295
|
$test = ldap_authorization_og2_has_role($this->groupType, $group_nids['students'], $web_user->uid, OG_ADMINISTRATOR_ROLE);
|
296
|
$this->assertTrue($test === FALSE, 'ldap_authorization_og2_has_role() function fails with FALSE', $this->ldapTestId);
|
297
|
|
298
|
}
|
299
|
|
300
|
/**
|
301
|
* Authorization configuration flags tests clumped together.
|
302
|
*/
|
303
|
public function testFlags() {
|
304
|
// TODO: Fix failing tests, excluding to make branch pass.
|
305
|
return;
|
306
|
|
307
|
$sid = 'activedirectory1';
|
308
|
$this->prepTestData(
|
309
|
LDAP_TEST_LDAP_NAME,
|
310
|
[$sid],
|
311
|
'provisionToDrupal',
|
312
|
'default',
|
313
|
'og_group2'
|
314
|
);
|
315
|
|
316
|
$og_group_consumer = ldap_authorization_get_consumers('og_group', TRUE, TRUE);
|
317
|
/**
|
318
|
* LDAP_authorz.Flags.status=0: Disable ldap_authorization_drupal_role configuration and make sure no authorizations performed
|
319
|
*/
|
320
|
|
321
|
list($props_set_display, $props_set_correctly) = $this->checkConsumerConfSetup('og_group2');
|
322
|
$this->assertTrue(
|
323
|
$props_set_correctly,
|
324
|
'Authorization Configuration set correctly in test setup',
|
325
|
'LDAP_authorz.Flags.setup.0'
|
326
|
);
|
327
|
if (!$props_set_correctly) {
|
328
|
debug('LDAP_authorz.Flags.setup.0 properties not set correctly'); debug($props_set_display);
|
329
|
}
|
330
|
|
331
|
$this->consumerAdminConf['og_group']->useFirstAttrAsGroupId = 0;
|
332
|
$this->consumerAdminConf['og_group']->status = 0;
|
333
|
$this->consumerAdminConf['og_group']->save();
|
334
|
|
335
|
$user = $this->drupalCreateUser([]);
|
336
|
$hpotter = $this->testFunctions->drupalLdapUpdateUser(['name' => 'hpotter', 'mail' => 'hpotter@hogwarts.edu'], TRUE, $user);
|
337
|
|
338
|
// Just see if the correct ones are derived.
|
339
|
list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query');
|
340
|
$groups1 = $new_authorizations['og_group'];
|
341
|
$this->assertTrue(
|
342
|
count($new_authorizations['og_group']) == 0,
|
343
|
'disabled consumer configuration disallows authorizations.',
|
344
|
'LDAP_authorz.Flags.status.0'
|
345
|
);
|
346
|
|
347
|
list($group_nodes, $group_nids, $group_entity_ids, $roles_by_name, $consumer_ids) = $this->getTestData(TRUE);
|
348
|
|
349
|
$this->consumerAdminConf['og_group']->status = 1;
|
350
|
$this->consumerAdminConf['og_group']->save();
|
351
|
// Just see if the correct ones are derived.
|
352
|
list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query', 'og_group');
|
353
|
|
354
|
$correct_groups = !empty($new_authorizations['og_group'][$consumer_ids['students'][OG_AUTHENTICATED_ROLE]]) &&
|
355
|
!empty($new_authorizations['og_group'][$consumer_ids['gryffindor'][OG_AUTHENTICATED_ROLE]]);
|
356
|
$this->assertTrue($correct_groups, 'enabled consumer configuration allows authorizations.', 'LDAP_authorz.Flags.status.1');
|
357
|
if (!$correct_groups) {
|
358
|
debug('LDAP_authorz.Flags.enable.1 roles with enabled'); debug($new_authorizations);
|
359
|
}
|
360
|
|
361
|
/**
|
362
|
* LDAP_authorz.onlyLdapAuthenticated=1: create normal user and
|
363
|
* apply authorization query. should return no roles
|
364
|
*/
|
365
|
$this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 1;
|
366
|
$this->consumerAdminConf['og_group']->status = 1;
|
367
|
$this->consumerAdminConf['og_group']->save();
|
368
|
|
369
|
$user = $this->drupalCreateUser([]);
|
370
|
$hgrainger = $this->testFunctions->drupalLdapUpdateUser(['name' => 'hgrainger', 'mail' => 'hgrainger@hogwarts.edu'], TRUE, $user);
|
371
|
|
372
|
// Remove old authmap in case it exists so test will work.
|
373
|
db_delete('authmap')
|
374
|
->condition('uid', $user->uid)
|
375
|
->condition('module', 'ldap_user')
|
376
|
->execute();
|
377
|
|
378
|
// Just see if the correct ones are derived.
|
379
|
list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hgrainger, 'query');
|
380
|
$success = (isset($new_authorizations['og_group']) && count($new_authorizations['og_group']) == 0);
|
381
|
$this->assertTrue($success, ' only apply to ldap authenticated grants no roles for non ldap user.', 'LDAP_authorz.onlyLdapAuthenticated.1');
|
382
|
if (!$success) {
|
383
|
debug('LDAP_authorz.onlyLdapAuthenticated.1');
|
384
|
debug($new_authorizations);
|
385
|
debug($this->testFunctions->ldapUserIsAuthmapped('hgrainger'));
|
386
|
debug($notifications);
|
387
|
}
|
388
|
|
389
|
/**
|
390
|
* LDAP_authorz.Flags.synchOnLogon - execute logon and check that no roles are applied if disabled
|
391
|
*/
|
392
|
|
393
|
$this->consumerAdminConf['og_group']->synchOnLogon = 0;
|
394
|
$this->consumerAdminConf['og_group']->save();
|
395
|
$edit = [
|
396
|
'name' => 'hgrainger',
|
397
|
'pass' => 'goodpwd',
|
398
|
];
|
399
|
$this->drupalPost('user', $edit, t('Log in'));
|
400
|
$this->assertText(
|
401
|
t('Member for'),
|
402
|
'New Ldap user with good password authenticated.',
|
403
|
'LDAP_authorz.Flags.synchOnLogon.0'
|
404
|
);
|
405
|
$this->assertTrue(
|
406
|
$this->testFunctions->ldapUserIsAuthmapped('hgrainger'),
|
407
|
'Ldap user properly authmapped.',
|
408
|
'LDAP_authorz.Flags.synchOnLogon.0'
|
409
|
);
|
410
|
|
411
|
$hgrainger = user_load_by_name('hgrainger');
|
412
|
$this->drupalGet('user/logout');
|
413
|
|
414
|
$this->consumerAdminConf['og_group']->synchOnLogon = 1;
|
415
|
$this->consumerAdminConf['og_group']->save();
|
416
|
$edit = [
|
417
|
'name' => 'hgrainger',
|
418
|
'pass' => 'goodpwd',
|
419
|
];
|
420
|
$this->drupalPost('user', $edit, t('Log in'));
|
421
|
$this->assertText(t('Member for'), 'New Ldap user with good password authenticated.',
|
422
|
'LDAP_authorz.Flags.synchOnLogon=1');
|
423
|
$hgrainger = user_load_by_name('hgrainger');
|
424
|
$this->drupalGet('user/logout');
|
425
|
|
426
|
// Create a couple roles for next 2 tests.
|
427
|
$troublemaker = new stdClass();
|
428
|
$troublemaker->name = 'troublemaker';
|
429
|
user_role_save($troublemaker);
|
430
|
$troublemaker = user_role_load_by_name('troublemaker');
|
431
|
|
432
|
$superadmin = new stdClass();
|
433
|
$superadmin->name = 'superadmin';
|
434
|
user_role_save($superadmin);
|
435
|
$superadmin = user_role_load_by_name('superadmin');
|
436
|
|
437
|
/**
|
438
|
* LDAP_authorz.Flags.revokeLdapProvisioned: test flag for
|
439
|
* removing manually granted roles
|
440
|
*
|
441
|
* $this->revokeLdapProvisioned == 1 : Revoke !consumer_namePlural previously granted by LDAP Authorization but no longer valid.
|
442
|
*
|
443
|
* grant roles via ldap and some not vai ldap manually,
|
444
|
* then alter ldap so they are no longer valid,
|
445
|
* then logon again and make sure the ldap provided roles are revoked and the drupal ones are not revoked
|
446
|
*
|
447
|
*/
|
448
|
|
449
|
$this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 0;
|
450
|
$this->consumerAdminConf['og_group']->revokeLdapProvisioned = 1;
|
451
|
$this->consumerAdminConf['og_group']->createConsumers = 1;
|
452
|
$this->consumerAdminConf['og_group']->save();
|
453
|
// Set correct roles manually.
|
454
|
$hpotter = user_load_by_name('hpotter');
|
455
|
user_delete($hpotter->uid);
|
456
|
$user = $this->drupalCreateUser([]);
|
457
|
$hpotter = $this->testFunctions->drupalLdapUpdateUser(['name' => 'hpotter', 'mail' => 'hpotter@hogwarts.edu'], TRUE, $user);
|
458
|
$edit = [
|
459
|
'name' => 'hpotter',
|
460
|
'pass' => 'goodpwd',
|
461
|
];
|
462
|
$this->drupalPost('user', $edit, t('Log in'));
|
463
|
$this->assertText(
|
464
|
t('Member for'),
|
465
|
'New Ldap user with good password authenticated.',
|
466
|
'LDAP_authorz.Flags.revokeLdapProvisioned=1'
|
467
|
);
|
468
|
$hpotter = user_load_by_name('hpotter');
|
469
|
|
470
|
// Add an underserved, ldap granted drupal role superadmin
|
471
|
// and an undeserved, non ldap granted role troublemaker.
|
472
|
$hpotter = user_load($hpotter->uid, TRUE);
|
473
|
$roles = $hpotter->roles;
|
474
|
$roles[$troublemaker->rid] = $troublemaker->name;
|
475
|
$roles[$superadmin->rid] = $superadmin->name;
|
476
|
|
477
|
$data = [
|
478
|
'roles' => $roles,
|
479
|
'data' => [
|
480
|
'ldap_authorizations' =>
|
481
|
[
|
482
|
'og_group' =>
|
483
|
[
|
484
|
$superadmin->name =>
|
485
|
['date_granted' => 1304216778],
|
486
|
],
|
487
|
],
|
488
|
],
|
489
|
];
|
490
|
$hpotter = user_save($hpotter, $data);
|
491
|
|
492
|
// Apply correct authorizations. should remove the administrator role but not the manually created 'troublemaker' role.
|
493
|
list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'og_group', 'logon');
|
494
|
|
495
|
$hpotter = user_load($hpotter->uid, TRUE);
|
496
|
$this->assertTrue(
|
497
|
(!isset($new_authorizations['og_group'][$superadmin->rid])),
|
498
|
' revoke superadmin ldap granted roles when no longer deserved.',
|
499
|
'LDAP_authorz.Flags.revokeLdapProvisioned=1'
|
500
|
);
|
501
|
|
502
|
/**
|
503
|
* LDAP_authorz.Flags.regrantLdapProvisioned
|
504
|
* $this->regrantLdapProvisioned == 1 :
|
505
|
* Re grant !consumer_namePlural previously granted
|
506
|
* by LDAP Authorization but removed manually.
|
507
|
*
|
508
|
* - manually remove ldap granted role
|
509
|
* - logon
|
510
|
* - check if regranted
|
511
|
*/
|
512
|
$this->drupalGet('user/logout');
|
513
|
$this->consumerAdminConf['og_group']->regrantLdapProvisioned = 1;
|
514
|
$this->consumerAdminConf['og_group']->save();
|
515
|
$hpotter = user_load($hpotter->uid, TRUE);
|
516
|
$roles = $hpotter->roles;
|
517
|
unset($roles[$superadmin->rid]);
|
518
|
user_save($hpotter, ['roles' => $roles]);
|
519
|
$hpotter = user_load($hpotter->uid, TRUE);
|
520
|
list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'og_group', 'logon');
|
521
|
$hpotter = user_load($hpotter->uid, TRUE);
|
522
|
$success = !in_array('administrator', array_values($hpotter->roles));
|
523
|
|
524
|
$this->assertTrue(
|
525
|
$success,
|
526
|
'regrant Ldap Provisioned roles that were manually revoked',
|
527
|
'LDAP_authorz.Flags.regrantLdapProvisioned=1'
|
528
|
);
|
529
|
if (!$success) {
|
530
|
debug('LDAP_authorz.Flags.regrantLdapProvisioned=1');
|
531
|
debug('hpotter roles'); debug($hpotter->roles);
|
532
|
debug('new_authorizations'); debug($new_authorizations);
|
533
|
}
|
534
|
|
535
|
/**
|
536
|
* LDAP_authorz.Flags.createConsumers=1
|
537
|
*/
|
538
|
|
539
|
if (!empty($og_group_consumer['allowConsumerObjectCreation']) && $og_group_consumer['allowConsumerObjectCreation']) {
|
540
|
// @todo. this needs to be finished when creation of og groups is added to ldap authorization og functionality
|
541
|
|
542
|
// Add new mapping to and enable create consumers.
|
543
|
$this->prepTestData('hogwarts', [$sid], 'provisionToDrupal', 'default', 'drupal_role_default');
|
544
|
$this->drupalGet('user/logout');
|
545
|
$new_role = 'oompa-loompas';
|
546
|
$this->consumerAdminConf['og_group']->createConsumers = 1;
|
547
|
$this->consumerAdminConf['og_group']->mappings[] = [
|
548
|
'from' => 'cn=students,ou=groups,dc=hogwarts,dc=edu',
|
549
|
'user_entered' => $new_role,
|
550
|
'normalized' => 'node:' . $new_role . ':' . OG_AUTHENTICATED_ROLE,
|
551
|
'simplified' => $new_role,
|
552
|
'valid' => TRUE,
|
553
|
'error_message' => '',
|
554
|
];
|
555
|
|
556
|
$this->consumerAdminConf['og_group']->save();
|
557
|
|
558
|
$edit = [
|
559
|
'name' => 'hpotter',
|
560
|
'pass' => 'goodpwd',
|
561
|
];
|
562
|
$this->drupalPost('user', $edit, t('Log in'));
|
563
|
|
564
|
$new_role_created = in_array($new_role, array_values(user_roles()));
|
565
|
$roles_by_name = array_flip(user_roles());
|
566
|
$hpotter = user_load_by_name('hpotter');
|
567
|
$hpotter = user_load($hpotter->uid, TRUE);
|
568
|
$role_granted = isset($hpotter->roles[$roles_by_name[$new_role]]);
|
569
|
debug('roles'); debug(user_roles());
|
570
|
debug('roles by name'); debug($roles_by_name);
|
571
|
debug('hpotter->roles'); debug($hpotter->roles);
|
572
|
debug("$new_role_created AND $role_granted");
|
573
|
|
574
|
$this->assertTrue(
|
575
|
($new_role_created && $role_granted),
|
576
|
'create consumers (e.g. roles)',
|
577
|
'LDAP_authorz.Flags.createConsumers=1'
|
578
|
);
|
579
|
}
|
580
|
|
581
|
}
|
582
|
|
583
|
}
|