Projet

Général

Profil

Paste
Télécharger (25,2 ko) Statistiques
| Branche: | Révision:

root / htmltest / sites / all / modules / ldap / ldap_authorization / tests / Og2Tests.test @ dd54aff9

1
<?php
2

    
3
/**
4
 * @file simpletest for Ldap Authorization OG Module, for og 7.x-2.x
5
 *
6
 * Manual testing to accompany simpletests:
7
 *  - logon with og authorization disabled and make sure nothing happens
8
 *  - logon with og authorization enabled and make sure admin and member group memberships granted
9
 *  - change mappings so no roles granted
10
 *  - logon and make sure memberships revoked
11
 */
12

    
13
module_load_include('php', 'ldap_test', 'LdapTestCase.class');
14
require_once(drupal_get_path('module', 'ldap_authorization_og') . '/LdapAuthorizationConsumerOG.class.php');
15

    
16
class LdapAuthorizationOg2Tests extends LdapTestCase {
17

    
18
  public $groupEntityType = 'node';
19
  public $groupBundle = 'group';
20
  public $groupType = 'node';
21
  public $group_content_type = NULL;
22
  public $group_nodes = array();
23
  public $user1;
24
  public $consumerType = 'og_group';
25
  public $module_name = 'ldap_authorization_og';
26
  protected $ldap_test_data;
27
  public $customOgRoles = array(
28
    'dungeon-master' => array('entity_type' => 'node', 'bundle_type' => 'group'),
29
    'time-keeper' => array('entity_type' => 'node', 'bundle_type' => 'group'),
30
    );
31

    
32
  public static function getInfo() {
33
    return array(
34
      'group' => 'LDAP Authorization',
35
      'name' => 'OG 7.x-2.x Tests.',
36
      'description' => 'Test ldap authorization og 2.',
37
    );
38
  }
39

    
40
  function __construct($test_id = NULL) {
41
    parent::__construct($test_id);
42
  }
43

    
44
  function setUp($addl_modules = array()) {
45
    parent::setUp(array('ldap_authentication', 'ldap_authorization', 'ldap_authorization_og'));
46
    variable_set('ldap_simpletest', 2);
47

    
48
    if (ldap_authorization_og_og_version() != 2) {
49
      debug('LdapAuthorizationOg2Tests must be run with OG 7.x-2.x');
50
      return;
51
    }
52

    
53
    $this->user1 = $this->drupalCreateUser();
54
    $this->groups = array();
55
    $this->prepTestData(LDAP_TEST_LDAP_NAME, array('activedirectory1'));
56

    
57

    
58

    
59
    // Create group and group content node types.
60
    $this->groupBundle = $this->drupalCreateContentType(array(
61
      'type' => 'group',
62
      'name' => 'OG Group',
63
      ))->type;
64

    
65
    og_create_field(OG_GROUP_FIELD, $this->groupEntityType, $this->groupBundle);
66
    og_create_field(OG_AUDIENCE_FIELD, $this->groupEntityType,  $this->groupBundle);
67

    
68
    // create og group for each group in group csv
69

    
70
    $this->testFunctions->populateFakeLdapServerData(LDAP_TEST_LDAP_NAME, 'activedirectory1');
71
    $this->testFunctions->getCsvLdapData(LDAP_TEST_LDAP_NAME);
72
    foreach ($this->testFunctions->csvTables['groups'] as $guid => $group) {
73
      $label = $group['cn'];
74
      $settings = array();
75
      $settings['type'] = $this->groupBundle;
76
      $settings[OG_GROUP_FIELD][LANGUAGE_NONE][0]['value'] = 1;
77
      $settings['uid'] = $this->user1->uid;
78
      $settings['title'] = $label;
79
      $settings['type'] = 'group';
80
      $this->group_nodes[$label] = $this->drupalCreateNode($settings);
81
    }
82

    
83
  }
84

    
85
  public function createCustomRoles() {
86

    
87
    foreach ($this->customOgRoles as $og_role_name => $og_role) {
88
      $role = new stdClass;
89
      $role->gid = 0;
90
      $role->group_type = $og_role['entity_type'];
91
      $role->group_bundle = $og_role['bundle_type'];
92
      $role->name = $og_role_name;
93
      $status = og_role_save($role);
94
    }
95

    
96
  }
97

    
98
  /**
99
   * get test data in convenient format, so tests are easier to read and write
100
   */
101
  public function getTestData($debug = FALSE) {
102
    $group_nodes = array();
103
    $group_nids = array();
104
    $group_entity_ids = array();
105
    $roles = array();
106
    $roles_by_name = array();
107
    $consumer_ids = array();
108
    foreach (array('gryffindor', 'students', 'faculty', 'users', 'hufflepuff', 'slytherin') as $i => $group_name) {
109
      list($group_nodes[$group_name], $group_entity_ids[$group_name]) =  ldap_authorization_og2_get_group_from_name($this->groupEntityType, $group_name);
110
      $nid = $group_nodes[$group_name]->nid;
111
      $group_nids[$group_name] = $nid;
112
      $roles[$group_name] = og_roles($this->groupEntityType, $this->groupBundle, $nid, FALSE, TRUE);
113
      $roles_by_name[$group_name] = array_flip( $roles[$group_name] );
114
      foreach ($roles[$group_name] as $rid => $role_name) {
115
        $consumer_ids[$group_name][$role_name] = ldap_authorization_og_authorization_id($nid, $rid, 'node');
116
        $consumer_ids[$group_name][$rid] = ldap_authorization_og_authorization_id($nid, $rid, 'node');
117
      }
118
    }
119
    if ($debug) {
120
      debug("group_nids"); debug($group_nids); debug("group_entity_ids"); debug($group_entity_ids); debug("roles"); debug($roles); debug("roles_by_name"); debug($roles_by_name);
121
    }
122
    return array($group_nodes, $group_nids, $group_entity_ids, $roles_by_name, $consumer_ids);
123
  }
124

    
125
  /**
126
   * just make sure install succeeds and
127
   */
128
  function testBasicFunctionsAndApi() {
129

    
130
    if (ldap_authorization_og_og_version() != 2) {
131
      debug('LdapAuthorizationOg2Tests must be run with OG 7.x-2.x');
132
      return;
133
    }
134

    
135
    $this->createCustomRoles();
136
    $all_roles = og_roles($this->groupEntityType, $this->groupBundle, 0, FALSE, TRUE);
137

    
138
    $this->ldapTestId = $this->module_name . ': setup success';
139
    // just to give warning if setup doesn't succeed.  may want to take these out at some point.
140
    $setup_success = (
141
        module_exists('ldap_authentication') &&
142
        module_exists('ldap_servers') &&
143
        module_exists('ldap_user') &&
144
        module_exists('ldap_authorization') &&
145
        module_exists('ldap_authorization_og') &&
146
        (variable_get('ldap_simpletest', 0) == 2)
147
      );
148
    $this->assertTrue($setup_success, ' ldap_authorizations og setup successful', $this->ldapTestId);
149

    
150
    $this->ldapTestId = $this->module_name . ': cron test';
151
    $this->assertTrue(drupal_cron_run(), t('Cron can run with ldap authorization og enabled.'), $this->ldapTestId);
152

    
153
    /***
154
     * I. some basic tests to make sure og module's apis are working before testing ldap_authorization_og
155
     * if these aren't working as expected, no ldap authorization og functionality will work.
156
     */
157

    
158
    $web_user = $this->drupalCreateUser();
159
    $this->ldapTestId = $this->module_name . ': og2 functions';
160
    list($group_nodes, $group_nids, $group_entity_ids, $roles_by_name, $consumer_ids) = $this->getTestData(TRUE);
161

    
162

    
163
    /**
164
     * II.0 basic granting tests to make sure og_role_grant, ldap_authorization_og_rid_from_role_name,
165
     *   and ldap_authorization_og2_get_group functions work
166
     *   og_is_member($group_type, $gid, $entity_type = 'user', $entity = NULL, $states = array(OG_STATE_ACTIVE))
167
     */
168

    
169
    $values = array(
170
      'entity_type' => 'user',
171
      'entity' => $web_user->uid,
172
      'field_name' => FALSE,
173
      'state' => OG_STATE_ACTIVE,
174
    );
175
    $og_gryffindor_membership = og_group($this->groupType, $group_nids['gryffindor'], $values);
176
    $og_faculty_membership = og_group($this->groupType, $group_nids['faculty'], $values);
177

    
178
    og_role_grant($this->groupType, $group_nids['gryffindor'], $web_user->uid, $roles_by_name['gryffindor'][OG_AUTHENTICATED_ROLE]);
179
    og_role_grant($this->groupType, $group_nids['faculty'],    $web_user->uid, $roles_by_name['faculty'][OG_ADMINISTRATOR_ROLE]);
180
    og_role_grant($this->groupType, $group_nids['faculty'],    $web_user->uid, $roles_by_name['faculty']['dungeon-master']);
181
    og_role_grant($this->groupType, $group_nids['faculty'],    $web_user->uid, $roles_by_name['faculty'][OG_AUTHENTICATED_ROLE]);
182

    
183
    $web_user = user_load($web_user->uid, TRUE); // need to reload because of issue with og_group and og_role_grant
184
    $ids = array($web_user->uid);
185
    $user_entity = entity_load('user', $ids);
186

    
187
    $this->assertTrue(og_is_member($this->groupType, $group_nids['gryffindor'], 'user', $web_user),
188
       'User is member of Group gryffindor without LDAP (based on og_is_member() function)', $this->ldapTestId);
189

    
190
    $this->assertTrue(og_is_member($this->groupType, $group_nids['faculty'], 'user', $web_user),
191
       'User is member of Group faculty without LDAP (based on og_is_member() function)', $this->ldapTestId);
192

    
193
    $this->assertTrue(ldap_authorization_og2_has_role($this->groupType, $group_nids['gryffindor'], $web_user->uid, OG_AUTHENTICATED_ROLE),
194
      'User is member of Group gryffindor without LDAP (based on dap_authorization_og_has_role() function)', $this->ldapTestId);
195

    
196
    $this->assertTrue(ldap_authorization_og2_has_role($this->groupType, $group_nids['faculty'], $web_user->uid, OG_AUTHENTICATED_ROLE),
197
      'User is member of Group faculty without LDAP (based on ldap_authorization_og2_has_role() function)', $this->ldapTestId);
198

    
199
    $this->assertTrue(ldap_authorization_og2_has_role($this->groupType, $group_nids['faculty'], $web_user->uid, OG_ADMINISTRATOR_ROLE),
200
      'User is administrator member of Group faculty without LDAP (based on dap_authorization_og_has_role() function)', $this->ldapTestId);
201

    
202
    /***
203
     * II.A. construct ldapauthorization og object and test methods.
204
     * (unit tests for methods and class without any ldap user context).
205
     */
206
    //
207
    $this->ldapTestId = $this->module_name . ': LdapAuthorizationConsumerOG class';
208
    $og_auth = new LdapAuthorizationConsumerOG('og_group');
209
    $this->assertTrue(is_object($og_auth), 'Successfully instantiated LdapAuthorizationConsumerOG', $this->ldapTestId);
210
    $this->assertTrue($og_auth->consumerType == 'og_group',
211
      'LdapAuthorizationConsumerOG ConsumerType set properly', $this->ldapTestId);
212

    
213
    $this->assertTrue($og_auth->hasAuthorization($web_user, ldap_authorization_og_authorization_id($group_nids['faculty'], $roles_by_name['faculty'][OG_ADMINISTRATOR_ROLE], 'node')),
214
      'hasAuthorization() method works for non LDAP provisioned og authorization, faculty admin role', $this->ldapTestId);
215

    
216

    
217
    $should_haves = array(
218
      $consumer_ids['gryffindor'][OG_AUTHENTICATED_ROLE] => 'gryffindor member',
219
      $consumer_ids['faculty'][OG_AUTHENTICATED_ROLE] =>  'faculty member',
220
      $consumer_ids['faculty'][OG_ADMINISTRATOR_ROLE] => 'faculty admin',
221
      $consumer_ids['faculty']['dungeon-master'] => 'faculty dungeon master',
222
    );
223

    
224
    foreach ($should_haves as $consumer_id => $descriptor) {
225
      $this->assertTrue(ldap_authorization_og2_has_consumer_id($consumer_id, $web_user->uid),
226
         "LdapAuthorizationConsumerOG usersAuthorizations() for $descriptor - $consumer_id", $this->ldapTestId);
227
    }
228

    
229
    $ldap_entry = NULL;
230
    $user_data = array();
231
    $web_user = user_load($web_user->uid, TRUE);
232

    
233
    $this->assertTrue(ldap_authorization_og2_has_consumer_id($consumer_ids['faculty']['dungeon-master'], $web_user->uid),
234
      "LdapAuthorizationConsumerOG has faculty member role BEFORE authorizationRevoke() test revoke on member role " . $consumer_ids['faculty']['dungeon-master'], $this->ldapTestId);
235

    
236
    $web_user = user_load($web_user->uid, TRUE);
237
    $consumers = array($consumer_ids['faculty']['dungeon-master'] => $og_auth->emptyConsumer);
238
    $og_auth->authorizationRevoke($web_user, $user_data, $consumers, $ldap_entry, TRUE);
239
    $result = ldap_authorization_og2_has_consumer_id($consumer_ids['faculty']['dungeon-master'], $web_user->uid);
240
    $this->assertFalse($result,
241
      "LdapAuthorizationConsumerOG authorizationRevoke() test revoke on member role " . $consumer_ids['faculty']['dungeon-master'], $this->ldapTestId);
242

    
243
    $web_user = user_load($web_user->uid, TRUE);
244
    $consumers =  array($consumer_ids['faculty']['dungeon-master'] => $og_auth->emptyConsumer);
245
    $og_auth->authorizationRevoke($web_user, $user_data, $consumers, $ldap_entry, TRUE);
246
    $this->assertFalse(ldap_authorization_og2_has_consumer_id($consumer_ids['faculty']['dungeon-master'], $web_user->uid),
247
      "LdapAuthorizationConsumerOG authorizationRevoke() test revoke on custom member role role " . $consumer_ids['faculty']['dungeon-master'], $this->ldapTestId);
248

    
249
    $web_user = user_load($web_user->uid, TRUE);
250
    $initial_user_authorizations = $og_auth->usersAuthorizations($web_user, TRUE, TRUE);
251
    debug("initial_user_authorizations authorizations:"); debug($initial_user_authorizations);
252
    debug("initial_user data:"); debug($web_user->data);
253
    $og_auth->authorizationGrant($web_user, $user_data, array($consumer_ids['students'][OG_AUTHENTICATED_ROLE] =>  $og_auth->emptyConsumer), $ldap_entry, TRUE);
254
    $success = ldap_authorization_og2_has_consumer_id($consumer_ids['students'][OG_AUTHENTICATED_ROLE], $web_user->uid);
255
    $this->assertTrue($success, "LdapAuthorizationConsumerOG authorizationGrant() test grant on member role " . $consumer_ids['students'][OG_AUTHENTICATED_ROLE], $this->ldapTestId);
256
    if (!$success) {
257
      debug(array($user_data, array($consumer_ids['students'][OG_AUTHENTICATED_ROLE] => $og_auth->emptyConsumer)));
258
      debug("user authorizations:"); debug($og_auth->usersAuthorizations($web_user, TRUE));
259
    }
260
    $web_user = user_load($web_user->uid, TRUE);
261
    $result = $og_auth->authorizationRevoke($web_user, $user_data, array('node:454:44334'  => $og_auth->emptyConsumer), $ldap_entry, TRUE);
262
    $this->assertFalse($result,
263
      'LdapAuthorizationConsumerOG authorizationRevoke() test revoke of bogus authorization', $this->ldapTestId);
264

    
265
    $web_user = user_load($web_user->uid, TRUE);
266
    $result = $og_auth->authorizationGrant($web_user, $user_data, array('node:454:44334' => $og_auth->emptyConsumer), $ldap_entry, TRUE);
267
    $this->assertFalse($result,
268
      'LdapAuthorizationConsumerOG authorizationGrant() test grant of bogus authorization', $this->ldapTestId);
269

    
270
    $web_user = user_load($web_user->uid, TRUE);
271
    $result = $og_auth->authorizationRevoke($web_user, $user_data, array('bogusformat'), $ldap_entry, TRUE);
272
    $this->assertFalse($result,
273
      'LdapAuthorizationConsumerOG authorizationRevoke()  test revoke malformed params', $this->ldapTestId);
274

    
275
    $web_user = user_load($web_user->uid, TRUE);
276
    $result = $og_auth->authorizationGrant($web_user, $user_data, array('bogusformat'), $ldap_entry, TRUE);
277
    $this->assertFalse($result,
278
      'LdapAuthorizationConsumerOG authorizationGrant() test grant malformed params', $this->ldapTestId);
279

    
280
    /***
281
     * II.B. Also test function in ldap_authorization_og.module
282
     */
283

    
284
    list($students_group, $group_entity_id) = ldap_authorization_og2_get_group_from_name('node', 'students');
285
    //debug("ldap_authorization_og2_get_group_from_name: students_group"); debug($students_group);
286
    $this->assertTrue($students_group->title == 'students', 'ldap_authorization_og2_get_group_from_name() function works', $this->ldapTestId);
287

    
288
    $test = ldap_authorization_og2_has_role($this->groupType, $group_nids['gryffindor'], $web_user->uid, OG_ADMINISTRATOR_ROLE);
289
    $this->assertTrue($test, 'ldap_authorization_og2_has_role() function works', $this->ldapTestId);
290

    
291
    $test = ldap_authorization_og2_has_role($this->groupType,  $group_nids['students'], $web_user->uid, OG_ADMINISTRATOR_ROLE);
292
    $this->assertTrue($test === FALSE, 'ldap_authorization_og2_has_role() function fails with FALSE', $this->ldapTestId);
293

    
294
  }
295

    
296

    
297
  /**
298
 * authorization configuration flags tests clumped together
299
 */
300

    
301
function testFlags() {
302

    
303
  $sid = 'activedirectory1';
304
  $this->prepTestData(
305
    LDAP_TEST_LDAP_NAME,
306
    array($sid),
307
    'provisionToDrupal',
308
    'default',
309
    'og_group2'
310
    );
311

    
312
  $og_group_consumer = ldap_authorization_get_consumers('og_group', TRUE, TRUE);
313
  /**
314
   * LDAP_authorz.Flags.status=0: Disable ldap_authorization_drupal_role configuration and make sure no authorizations performed
315
   */
316

    
317
  list($props_set_display, $props_set_correctly) = $this->checkConsumerConfSetup('og_group2');
318
  $this->assertTrue(
319
    $props_set_correctly,
320
    'Authorization Configuration set correctly in test setup',
321
    'LDAP_authorz.Flags.setup.0'
322
  );
323
  if (!$props_set_correctly) {
324
    debug('LDAP_authorz.Flags.setup.0 properties not set correctly'); debug($props_set_display);
325
  }
326

    
327
  $this->consumerAdminConf['og_group']->useFirstAttrAsGroupId = 0;
328
  $this->consumerAdminConf['og_group']->status = 0;
329
  $this->consumerAdminConf['og_group']->save();
330

    
331
  $user = $this->drupalCreateUser(array());
332
  $hpotter = $this->testFunctions->drupalLdapUpdateUser(array('name' => 'hpotter', 'mail' =>  'hpotter@hogwarts.edu'), TRUE, $user);
333

    
334
  list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query');  // just see if the correct ones are derived.
335
  $groups1 = $new_authorizations['og_group'];
336
 // debug('ldap_authorizations_user_authorizations disabled:'); debug($new_authorizations);  debug($notifications);
337
  $this->assertTrue(
338
    count($new_authorizations['og_group']) == 0,
339
    'disabled consumer configuration disallows authorizations.',
340
    'LDAP_authorz.Flags.status.0'
341
  );
342

    
343
  list($group_nodes, $group_nids, $group_entity_ids, $roles_by_name, $consumer_ids) = $this->getTestData(TRUE);
344

    
345
  $this->consumerAdminConf['og_group']->status = 1;
346
  $this->consumerAdminConf['og_group']->save();
347
  list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query', 'og_group');  // just see if the correct ones are derived.
348
  //debug('ldap_authorizations_user_authorizations enabled: '); debug($new_authorizations);  debug($notifications);
349

    
350
  $correct_groups = !empty($new_authorizations['og_group'][$consumer_ids['students'][OG_AUTHENTICATED_ROLE]]) &&
351
    !empty($new_authorizations['og_group'][$consumer_ids['gryffindor'][OG_AUTHENTICATED_ROLE]]);
352
  $this->assertTrue($correct_groups, 'enabled consumer configuration allows authorizations.', 'LDAP_authorz.Flags.status.1');
353
  if (!$correct_groups) {
354
    debug('LDAP_authorz.Flags.enable.1 roles with enabled'); debug($new_authorizations);
355
  }
356

    
357

    
358
  /**
359
   * LDAP_authorz.onlyLdapAuthenticated=1: create normal user and
360
   * apply authorization query.  should return no roles
361
   */
362
  $this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 1;
363
  $this->consumerAdminConf['og_group']->status = 1;
364
  $this->consumerAdminConf['og_group']->save();
365

    
366
  $user = $this->drupalCreateUser(array());
367
  $hgrainger = $this->testFunctions->drupalLdapUpdateUser(array('name' => 'hgrainger', 'mail' =>  'hgrainger@hogwarts.edu'), TRUE, $user);
368

    
369
  // remove old authmap in case it exists so test will work
370
  db_delete('authmap')
371
    ->condition('uid', $user->uid)
372
    ->condition('module', 'ldap_user')
373
    ->execute();
374

    
375
  list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hgrainger, 'query');  // just see if the correct ones are derived.
376
  $success = (isset($new_authorizations['og_group']) && count($new_authorizations['og_group'] ) == 0);
377
  $this->assertTrue($success, ' only apply to ldap authenticated grants no roles for non ldap user.', 'LDAP_authorz.onlyLdapAuthenticated.1');
378
  if (!$success) {
379
    debug('LDAP_authorz.onlyLdapAuthenticated.1');
380
    debug($new_authorizations);
381
    debug($this->testFunctions->ldapUserIsAuthmapped('hgrainger'));
382
    debug($notifications);
383
  }
384

    
385

    
386
  /**
387
   * LDAP_authorz.Flags.synchOnLogon - execute logon and check that no roles are applied if disabled
388
   */
389

    
390
  $this->consumerAdminConf['og_group']->synchOnLogon = 0;
391
  $this->consumerAdminConf['og_group']->save();
392
  $edit = array(
393
    'name' => 'hgrainger',
394
    'pass' => 'goodpwd',
395
  );
396
  $this->drupalPost('user', $edit, t('Log in'));
397
  $this->assertText(
398
    t('Member for'),
399
    'New Ldap user with good password authenticated.',
400
    'LDAP_authorz.Flags.synchOnLogon.0'
401
  );
402
  $this->assertTrue(
403
    $this->testFunctions->ldapUserIsAuthmapped('hgrainger'),
404
    'Ldap user properly authmapped.',
405
    'LDAP_authorz.Flags.synchOnLogon.0'
406
  );
407

    
408
  $hgrainger = user_load_by_name('hgrainger');
409
  $this->drupalGet('user/logout');
410

    
411
  $this->consumerAdminConf['og_group']->synchOnLogon = 1;
412
  $this->consumerAdminConf['og_group']->save();
413
  $edit = array(
414
    'name' => 'hgrainger',
415
    'pass' => 'goodpwd',
416
  );
417
  $this->drupalPost('user', $edit, t('Log in'));
418
  $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.',
419
    'LDAP_authorz.Flags.synchOnLogon=1');
420
  $hgrainger = user_load_by_name('hgrainger');
421
  $this->drupalGet('user/logout');
422

    
423
  // create a couple roles for next 2 tests
424
  $troublemaker = new stdClass();
425
  $troublemaker->name = 'troublemaker';
426
  user_role_save($troublemaker);
427
  $troublemaker = user_role_load_by_name('troublemaker');
428

    
429
  $superadmin = new stdClass();
430
  $superadmin->name = 'superadmin';
431
  user_role_save($superadmin);
432
  $superadmin = user_role_load_by_name('superadmin');
433

    
434
   /**
435
   * LDAP_authorz.Flags.revokeLdapProvisioned: test flag for
436
   *   removing manually granted roles
437
   *
438
   *   $this->revokeLdapProvisioned == 1 : Revoke !consumer_namePlural previously granted by LDAP Authorization but no longer valid.
439
   *
440
   *   grant roles via ldap and some not vai ldap manually,
441
   *   then alter ldap so they are no longer valid,
442
   *   then logon again and make sure the ldap provided roles are revoked and the drupal ones are not revoked
443
   *
444
   */
445

    
446
  $this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 0;
447
  $this->consumerAdminConf['og_group']->revokeLdapProvisioned = 1;
448
  $this->consumerAdminConf['og_group']->createConsumers = 1;
449
  $this->consumerAdminConf['og_group']->save();
450
  // set correct roles manually
451
  $hpotter = user_load_by_name('hpotter');
452
  user_delete($hpotter->uid);
453
  $user = $this->drupalCreateUser(array());
454
  $hpotter = $this->testFunctions->drupalLdapUpdateUser(array('name' => 'hpotter', 'mail' =>  'hpotter@hogwarts.edu'), TRUE, $user);
455
  $edit = array(
456
    'name' => 'hpotter',
457
    'pass' => 'goodpwd',
458
  );
459
  $this->drupalPost('user', $edit, t('Log in'));
460
  $this->assertText(
461
    t('Member for'),
462
    'New Ldap user with good password authenticated.',
463
    'LDAP_authorz.Flags.revokeLdapProvisioned=1'
464
  );
465
  $hpotter = user_load_by_name('hpotter');
466

    
467
  // add an underserved, ldap granted drupal role superadmin
468
  // and an undeserved, non ldap granted role troublemaker
469
  $hpotter = user_load($hpotter->uid, TRUE);
470
  $roles = $hpotter->roles;
471
  $roles[$troublemaker->rid] = $troublemaker->name;
472
  $roles[$superadmin->rid] = $superadmin->name;
473

    
474
  $data = array(
475
    'roles' =>  $roles,
476
    'data' => array('ldap_authorizations' =>
477
      array(
478
        'og_group' =>
479
        array(
480
          $superadmin->name =>
481
          array('date_granted' => 1304216778),
482
        ),
483
      ),
484
    ),
485
  );
486
  $hpotter = user_save($hpotter, $data);
487

    
488
  // apply correct authorizations.  should remove the administrator role but not the manually created 'troublemaker' role
489
  list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'og_group', 'logon');
490

    
491
  $hpotter = user_load($hpotter->uid, TRUE);
492
  $this->assertTrue(
493
    (!isset($new_authorizations['og_group'][$superadmin->rid])),
494
    ' revoke superadmin ldap granted roles when no longer deserved.',
495
    'LDAP_authorz.Flags.revokeLdapProvisioned=1'
496
  );
497

    
498

    
499
   /**
500
   * LDAP_authorz.Flags.regrantLdapProvisioned
501
   * $this->regrantLdapProvisioned == 1 :
502
   *   Re grant !consumer_namePlural previously granted
503
   *   by LDAP Authorization but removed manually.
504
   *
505
   * - manually remove ldap granted role
506
   * - logon
507
   * - check if regranted
508
   */
509
  $this->drupalGet('user/logout');
510
  $this->consumerAdminConf['og_group']->regrantLdapProvisioned = 1;
511
  $this->consumerAdminConf['og_group']->save();
512
  $hpotter = user_load($hpotter->uid, TRUE);
513
  $roles = $hpotter->roles;
514
  unset($roles[$superadmin->rid]);
515
  user_save($hpotter, array('roles' => $roles));
516
  $hpotter = user_load($hpotter->uid, TRUE);
517
  list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'og_group', 'logon');
518
  $hpotter = user_load($hpotter->uid, TRUE);
519
  $success = !in_array('administrator', array_values($hpotter->roles));
520

    
521
  $this->assertTrue(
522
    $success,
523
    'regrant Ldap Provisioned roles that were manually revoked',
524
    'LDAP_authorz.Flags.regrantLdapProvisioned=1'
525
  );
526
  if (!$success) {
527
    debug('LDAP_authorz.Flags.regrantLdapProvisioned=1');
528
    debug('hpotter roles'); debug($hpotter->roles);
529
    debug('new_authorizations'); debug($new_authorizations);
530
  }
531

    
532
  /**
533
  * LDAP_authorz.Flags.createConsumers=1
534
  */
535

    
536
  if (!empty($og_group_consumer['allowConsumerObjectCreation']) && $og_group_consumer['allowConsumerObjectCreation']) {
537
    //@todo.  this needs to be finished when creation of og groups is added to ldap authorization og functionality
538

    
539
    //add new mapping to and enable create consumers
540
    $this->prepTestData('hogwarts', array($sid), 'provisionToDrupal', 'default', 'drupal_role_default');
541
    $this->drupalGet('user/logout');
542
    $new_role = 'oompa-loompas';
543
    $this->consumerAdminConf['og_group']->createConsumers = 1;
544
    $this->consumerAdminConf['og_group']->mappings[] = array(
545
      'from' => 'cn=students,ou=groups,dc=hogwarts,dc=edu',
546
      'user_entered' => $new_role,
547
      'normalized' => 'node:' . $new_role . ':' . OG_AUTHENTICATED_ROLE,
548
      'simplified' => $new_role,
549
      'valid' => TRUE,
550
      'error_message' => '',
551
      );
552

    
553
    $this->consumerAdminConf['og_group']->save();
554

    
555
    $edit = array(
556
      'name' => 'hpotter',
557
      'pass' => 'goodpwd',
558
    );
559
    $this->drupalPost('user', $edit, t('Log in'));
560

    
561
    $new_role_created = in_array($new_role, array_values(user_roles()));
562
    $roles_by_name = array_flip(user_roles());
563
    $hpotter = user_load_by_name('hpotter');
564
    $hpotter = user_load($hpotter->uid, TRUE);
565
    $role_granted = isset($hpotter->roles[$roles_by_name[$new_role]]);
566
    debug('roles'); debug(user_roles());
567
    debug('roles by name'); debug($roles_by_name);
568
    debug('hpotter->roles'); debug($hpotter->roles);
569
    debug("$new_role_created AND $role_granted");
570

    
571
    $this->assertTrue(
572
      ($new_role_created && $role_granted),
573
      'create consumers (e.g. roles)',
574
      'LDAP_authorz.Flags.createConsumers=1'
575
    );
576
  }
577

    
578
}
579

    
580
}