'LDAP Authorization Basic Tests', 'description' => 'Test ldap authorization.', 'group' => 'LDAP Authorization' ); } function __construct($test_id = NULL) { parent::__construct($test_id); } public $module_name = 'ldap_authorization'; protected $ldap_test_data; function setUp() { parent::setUp(array( 'ldap_authentication', 'ldap_authorization', 'ldap_authorization_drupal_role', 'ldap_test')); // don't need any real servers, configured, just ldap_servers code base variable_set('ldap_simpletest', 2); } function tearDown() { parent::tearDown(); variable_del('ldap_help_watchdog_detail'); variable_del('ldap_simpletest'); } /** * test install, api functions, and simple authorizations granted on logon */ function testSimpleStuff() { // just to give warning if setup doesn't succeed. may want to take these out at some point. $setup_success = ( module_exists('ldap_authentication') && module_exists('ldap_servers') && module_exists('ldap_authorization') && module_exists('ldap_authorization_drupal_role') && (variable_get('ldap_simpletest', 2) > 0) ); $this->assertTrue($setup_success, ' ldap_authorizations setup successful', 'LDAP Authorization: Test Setup Success'); $api_functions = array( 'ldap_authorization_get_consumer_object' => array(1, 1), 'ldap_authorization_get_consumers' => array(3, 0), 'ldap_authorizations_user_authorizations' => array(4, 1), ); foreach ($api_functions as $api_function_name => $param_count) { $reflector = new ReflectionFunction($api_function_name); $this->assertTrue( function_exists($api_function_name) && $param_count[1] == $reflector->getNumberOfRequiredParameters() && $param_count[0] == $reflector->getNumberOfParameters() , ' api function ' . $api_function_name . ' parameters and required parameters count unchanged.', 'LDAP Server: API Functions'); } // make sure ldap authorization doesn't break cron. $this->assertTrue( drupal_cron_run(), t('Cron can run with ldap authorization enabled.'), 'LDAP Authorization: Cron Test' ); /** * this is geared toward testing logon functionality */ $sid = 'activedirectory1'; $testid = 'ExclusiveModeUserLogon3'; $sids = array($sid); $this->prepTestData(LDAP_TEST_LDAP_NAME, $sids, 'provisionToDrupal', 'default', 'drupal_role_default'); $hpotter_logon_edit = array( 'name' => 'hpotter', 'pass' => 'goodpwd', ); $this->drupalPost('user', $hpotter_logon_edit, t('Log in')); $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP Authorization: Test Logon'); $this->assertTrue( $this->testFunctions->ldapUserIsAuthmapped('hpotter'), 'Ldap user properly authmapped.', 'LDAP Authorization: Test Logon' ); $hpotter = $this->testFunctions->userByNameFlushingCache('hpotter'); $roles = array_values($hpotter->roles); $desired_roles = array('students', 'authenticated user', 'cn=gryffindor,ou=groups,dc=hogwarts,dc=edu', 'cn=honors students,ou=groups,dc=hogwarts,dc=edu'); $diff1 = array_diff($roles, $desired_roles); $diff2 = array_diff($desired_roles, $roles); $correct_roles = (count($diff1) == 0 && count($diff2) == 0); $roles_display = join(', ', $roles); if (!$correct_roles) { debug('hpotter roles'); debug($roles); debug('desired roles'); debug($desired_roles); } $this->assertTrue( $correct_roles, t('hpotter granted correct roles on actual logon: %roles', array('%roles' => $roles_display)), 'LDAP Authorization: Test Logon for roles' ); $this->drupalGet('user/logout'); /** * test revoking of no longer deserved roles when revokeLdapProvisioned=1 */ $this->consumerAdminConf['drupal_role']->revokeLdapProvisioned = 1; $this->consumerAdminConf['drupal_role']->save(); // setup: remove hpotter from honors members $test_data_pre_test = variable_get('ldap_test_server__' . $sid, NULL); $test_data = variable_get('ldap_test_server__' . $sid, NULL); $this->removeUserFromGroup($test_data, 'cn=hpotter,ou=people,dc=hogwarts,dc=edu', 'cn=honors students,ou=groups,dc=hogwarts,dc=edu', "dc=hogwarts,dc=edu"); variable_set('ldap_test_server__' . $sid, $test_data); $hpotter_dn = 'cn=hpotter,ou=people,dc=hogwarts,dc=edu'; $this->drupalPost('user', $hpotter_logon_edit, t('Log in')); $hpotter = $this->testFunctions->userByNameFlushingCache('hpotter'); $roles = array_values($hpotter->roles); $this->assertFalse( in_array('cn=honors students,ou=groups,dc=hogwarts,dc=edu', $roles), 'when revokeLdapProvisioned=1, removed role from user', 'LDAP Authorization: Test Logon' ); $this->assertTrue( empty($hpotter->data['ldap_authorizations']['drupal_role']['cn=honors students,ou=groups,dc=hogwarts,dc=edu']), 'when revokeLdapProvisioned=1, removed user->data[ldap_authorizations][drupal_role][]', 'LDAP Authorization: Test Logon' ); // return test data to original state variable_set('ldap_test_server__' . $sid, $test_data_pre_test); $this->drupalGet('user/logout'); /** * test regranting of removed roles (regrantLdapProvisioned = 0) */ $hpotter = $this->testFunctions->userByNameFlushingCache('hpotter'); $roles = array_values($hpotter->roles); $this->consumerAdminConf['drupal_role']->regrantLdapProvisioned = 0; $this->consumerAdminConf['drupal_role']->save(); $this->testFunctions->removeRoleFromUser($hpotter, "cn=gryffindor,ou=groups,dc=hogwarts,dc=edu"); $this->drupalPost('user', $hpotter_logon_edit, t('Log in')); $hpotter = $this->testFunctions->userByNameFlushingCache('hpotter'); $roles = array_values($hpotter->roles); $this->assertFalse( in_array("cn=gryffindor,ou=groups,dc=hogwarts,dc=edu", $roles), 'when regrantLdapProvisioned=0, did not regrant role on logon', 'LDAP Authorization: Test Logon' ); $this->assertTrue( !empty($hpotter->data['ldap_authorizations']['drupal_role']['cn=gryffindor,ou=groups,dc=hogwarts,dc=edu']), 'when regrantLdapProvisioned=0, role is not regranted, but initial grant still remains in user->data[ldap_authorizations][drupal_role][]', 'LDAP Authorization: Test Logon' ); $this->drupalGet('user/logout'); /** * test regranting of removed roles (regrantLdapProvisioned = 1) */ $this->consumerAdminConf['drupal_role']->regrantLdapProvisioned = 1; $this->consumerAdminConf['drupal_role']->save(); $this->drupalPost('user', $hpotter_logon_edit, t('Log in')); $hpotter = $this->testFunctions->userByNameFlushingCache('hpotter'); $roles = array_values($hpotter->roles); $this->assertTrue( in_array("cn=gryffindor,ou=groups,dc=hogwarts,dc=edu", $roles), 'when regrantLdapProvisioned=0, did not regrant role on logon', 'LDAP Authorization: Test Logon' ); $this->drupalGet('user/logout'); } /** * authorization configuration flags tests clumped together */ function testFlags() { $sid = 'activedirectory1'; $this->prepTestData( LDAP_TEST_LDAP_NAME, array($sid), 'provisionToDrupal', 'default', 'drupal_role_default' ); /** * LDAP_authorz.Flags.status=0: Disable ldap_authorization_drupal_role configuration and make sure no authorizations performed */ $user = $this->drupalCreateUser(array()); $hpotter = $this->testFunctions->drupalLdapUpdateUser(array('name' => 'hpotter', 'mail' => 'hpotter@hogwarts.edu'), TRUE, $user); list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query'); // just see if the correct ones are derived. $roles1 = $new_authorizations['drupal_role']; // $consumer_conf_admin = ldap_authorization_get_consumer_admin_object('drupal_role', FALSE); $this->consumerAdminConf['drupal_role']->status = 0; $this->consumerAdminConf['drupal_role']->save(); list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query', 'drupal_role'); // just see if the correct ones are derived. $roles2 = isset($new_authorizations['drupal_role']) ? $new_authorizations['drupal_role'] : array(); $correct_roles = (count($roles1) > 0 && count($roles2) == 0); // not worried about which roles here, just that some are granted $this->assertTrue( $correct_roles, 'disable consumer configuration disallows authorizations.', 'LDAP_authorz.Flags.status.0' ); if (!$correct_roles) { debug('LDAP_authorz.Flags.enable.0 roles with enabled'); debug($roles1); debug('LDAP_authorz.Flags.enable.0 roles with disabled'); debug($roles2); } /** * LDAP_authorz.onlyLdapAuthenticated=1: create normal user and * apply authorization query. should return no roles */ $this->consumerAdminConf['drupal_role']->onlyApplyToLdapAuthenticated = 1; $this->consumerAdminConf['drupal_role']->status = 1; $this->consumerAdminConf['drupal_role']->save(); $user = $this->drupalCreateUser(array()); $hgrainger = $this->testFunctions->drupalLdapUpdateUser(array('name' => 'hgrainger', 'mail' => 'hgrainger@hogwarts.edu'), TRUE, $user); // remove authmap in case it exists so test will work db_delete('authmap') ->condition('uid', $user->uid) ->condition('module', 'ldap_user') ->execute(); list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hgrainger, 'query'); // just see if the correct ones are derived. $roles = isset($new_authorizations['drupal_role']) ? $new_authorizations['drupal_role'] : array(); $success = (count($roles) == 0); $this->assertTrue( $success, ' only apply to ldap authenticated grants no roles for non ldap user.', 'LDAP_authorz.onlyLdapAuthenticated.1' ); if (!$success) { debug('LDAP_authorz.onlyLdapAuthenticated.1'); debug($roles); debug($this->testFunctions->ldapUserIsAuthmapped('hgrainger')); debug($new_authorizations); debug($notifications); } /** * LDAP_authorz.Flags.synchOnLogon - execute logon and check that no roles are applied if disabled */ $this->consumerAdminConf['drupal_role']->synchOnLogon = 0; $this->consumerAdminConf['drupal_role']->save(); $edit = array( 'name' => 'hgrainger', 'pass' => 'goodpwd', ); $this->drupalPost('user', $edit, t('Log in')); $this->assertText( t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.synchOnLogon.0' ); $this->assertTrue( $this->testFunctions->ldapUserIsAuthmapped('hgrainger'), 'Ldap user properly authmapped.', 'LDAP_authorz.Flags.synchOnLogon.0' ); $hgrainger = user_load_by_name('hgrainger'); $this->drupalGet('user/logout'); $this->consumerAdminConf['drupal_role']->synchOnLogon = 1; $this->consumerAdminConf['drupal_role']->save(); $edit = array( 'name' => 'hgrainger', 'pass' => 'goodpwd', ); $this->drupalPost('user', $edit, t('Log in')); $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.synchOnLogon=1'); $hgrainger = user_load_by_name('hgrainger'); $this->drupalGet('user/logout'); // create a couple roles for next 2 tests $troublemaker = new stdClass(); $troublemaker->name = 'troublemaker'; user_role_save($troublemaker); $troublemaker = user_role_load_by_name('troublemaker'); $superadmin = new stdClass(); $superadmin->name = 'superadmin'; user_role_save($superadmin); $superadmin = user_role_load_by_name('superadmin'); /** * LDAP_authorz.Flags.revokeLdapProvisioned: test flag for * removing manually granted roles * * $this->revokeLdapProvisioned == 1 : Revoke !consumer_namePlural previously granted by LDAP Authorization but no longer valid. * * grant roles via ldap and some not vai ldap manually, * then alter ldap so they are no longer valid, * then logon again and make sure the ldap provided roles are revoked and the drupal ones are not revoked * */ $this->consumerAdminConf['drupal_role']->onlyApplyToLdapAuthenticated = 0; $this->consumerAdminConf['drupal_role']->revokeLdapProvisioned = 1; $this->consumerAdminConf['drupal_role']->createConsumers = 1; $this->consumerAdminConf['drupal_role']->save(); // set correct roles manually $hpotter = user_load_by_name('hpotter'); user_delete($hpotter->uid); $user = $this->drupalCreateUser(array()); $hpotter = $this->testFunctions->drupalLdapUpdateUser(array('name' => 'hpotter', 'mail' => 'hpotter@hogwarts.edu'), TRUE, $user); $edit = array( 'name' => 'hpotter', 'pass' => 'goodpwd', ); $this->drupalPost('user', $edit, t('Log in')); $this->assertText( t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.revokeLdapProvisioned=1' ); $hpotter = user_load_by_name('hpotter'); // add an underserved, ldap granted drupal role superadmin // and an undeserved, non ldap granted role troublemaker $hpotter = user_load($hpotter->uid, TRUE); $roles = $hpotter->roles; $roles[$troublemaker->rid] = $troublemaker->name; $roles[$superadmin->rid] = $superadmin->name; $data = array( 'roles' => $roles, 'data' => array('ldap_authorizations' => array( 'drupal_role' => array( $superadmin->name => array('date_granted' => 1304216778), ), ), ), ); $hpotter = user_save($hpotter, $data); // apply correct authorizations. should remove the administrator role but not the manually created 'troublemaker' role list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'drupal_role', 'logon'); $hpotter = user_load($hpotter->uid, TRUE); $this->assertTrue( (!isset($new_authorizations['drupal_role'][$superadmin->rid])), ' revoke superadmin ldap granted roles when no longer deserved.', 'LDAP_authorz.Flags.revokeLdapProvisioned=1' ); /** * LDAP_authorz.Flags.regrantLdapProvisioned * $this->regrantLdapProvisioned == 1 : * Re grant !consumer_namePlural previously granted * by LDAP Authorization but removed manually. * * - manually remove ldap granted role * - logon * - check if regranted */ $this->drupalGet('user/logout'); $this->consumerAdminConf['drupal_role']->regrantLdapProvisioned = 1; $this->consumerAdminConf['drupal_role']->save(); $hpotter = user_load($hpotter->uid, TRUE); $roles = $hpotter->roles; unset($roles[$superadmin->rid]); user_save($hpotter, array('roles' => $roles)); $hpotter = user_load($hpotter->uid, TRUE); list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'drupal_role', 'logon'); $hpotter = user_load($hpotter->uid, TRUE); $success = !in_array('administrator', array_values($hpotter->roles)); $this->assertTrue( $success, 'regrant Ldap Provisioned roles that were manually revoked', 'LDAP_authorz.Flags.regrantLdapProvisioned=1' ); if (!$success) { debug('LDAP_authorz.Flags.regrantLdapProvisioned=1'); debug('hpotter roles'); debug($hpotter->roles); debug('new_authorizations'); debug($new_authorizations); } /** * LDAP_authorz.Flags.createConsumers=1 */ //add new mapping to and enable create consumers $this->prepTestData(LDAP_TEST_LDAP_NAME, array($sid), 'provisionToDrupal', 'default', 'drupal_role_default'); $this->drupalGet('user/logout'); $new_role = 'oompa-loompas'; $this->consumerAdminConf['drupal_role']->createConsumers = 1; $this->consumerAdminConf['drupal_role']->mappings[] = array( 'from' => 'cn=students,ou=groups,dc=hogwarts,dc=edu', 'user_entered' => $new_role, 'normalized' => $new_role, 'simplified' => $new_role, 'valid' => TRUE, 'error_message' => '', ); $this->consumerAdminConf['drupal_role']->save(); // debug('mappings'); debug($this->consumerAdminConf['drupal_role']->mappings); $edit = array( 'name' => 'hpotter', 'pass' => 'goodpwd', ); $this->drupalPost('user', $edit, t('Log in')); $new_role_created = in_array($new_role, array_values(user_roles())); // debug("roles"); debug(user_roles()); $roles_by_name = array_flip(user_roles()); $hpotter = user_load_by_name('hpotter'); $hpotter = user_load($hpotter->uid, TRUE); $role_granted = isset($hpotter->roles[$roles_by_name[$new_role]]); $this->assertTrue( ($new_role_created && $role_granted), 'create consumers (e.g. roles)', 'LDAP_authorz.Flags.createConsumers=1' ); if (!($new_role_created && $role_granted)) { debug('roles'); debug(user_roles()); debug('roles by name'); debug($roles_by_name); debug('hpotter->roles'); debug($hpotter->roles); debug("new role desired: $new_role"); debug("$new_role_created AND $role_granted"); } } public function testUIForms() { $ldap_simpletest_initial = variable_get('ldap_simpletest', 2); variable_del('ldap_simpletest'); // need to be out of fake server mode to test ui. $sid = 'activedirectory1'; $this->prepTestData(LDAP_TEST_LDAP_NAME, array($sid), 'provisionToDrupal', 'default'); ldap_servers_module_load_include('php', 'ldap_servers', 'LdapServerAdmin.class'); $ldap_server = new LdapServerAdmin($sid); $server_properties = $this->testFunctions->data['ldap_servers'][$sid]['properties']; foreach ($server_properties as $property => $value) { $ldap_server->{$property} = $value; } $ldap_server->save('add'); $consumer_form_data = array( 'sid' => array('activedirectory1', 'activedirectory1'), 'status' => array(TRUE, TRUE), 'only_ldap_authenticated' => array(FALSE, TRUE), 'use_first_attr_as_groupid' => array(FALSE, TRUE), 'mappings' => array("a|b", "a|b"), 'use_filter' => array(FALSE, TRUE), 'synchronization_modes[user_logon]' => array(TRUE, FALSE), 'synchronization_actions[revoke_ldap_provisioned]' => array(TRUE, FALSE), 'synchronization_actions[regrant_ldap_provisioned]' => array(FALSE, TRUE), 'synchronization_actions[create_consumers]' => array(TRUE, FALSE), ); $this->privileged_user = $this->drupalCreateUser(array('administer site configuration')); $this->drupalLogin($this->privileged_user); $ldap_server = ldap_servers_get_servers('activedirectory1', NULL, TRUE, TRUE); $this->drupalGet('admin/config/people/ldap/servers/edit/activedirectory1'); // this is just for debugging to show the server. $ldap_server_admin = new LdapServerAdmin($sid); if (!is_array($ldap_server_admin->basedn)) { $ldap_server_admin->basedn = @unserialize($ldap_server_admin->basedn); $ldap_server_admin->save('update'); $ldap_server_admin = new LdapServerAdmin($sid); } $this->drupalGet('admin/config/people/ldap/servers/edit/activedirectory1'); foreach (array(0) as $i) { foreach (array('drupal_role') as $consumer_type) { foreach (array(1) as $ctools_enabled) { // may want to put this back in after ctools requirement is fixed $this->ldapTestId = "testUIForms.$i.$consumer_type.ctools.$ctools_enabled"; if ($ctools_enabled) { module_enable(array('ctools')); } else { module_disable(array('ctools')); } $lcase_transformed = array(); /** add server conf test **/ $this->drupalGet('admin/config/people/ldap/authorization/add/' . $consumer_type); $edit = array(); foreach ($consumer_form_data as $input_name => $input_values) { $edit[$input_name] = $input_values[$i]; } $this->drupalPost('admin/config/people/ldap/authorization/add/' . $consumer_type, $edit, t('Add')); $field_to_prop_map = LdapAuthorizationConsumerConf::field_to_properties_map(); $ldap_consumer = ldap_authorization_get_consumer_object($consumer_type); $this->assertTrue(is_object($ldap_consumer), 'ldap consumer conf loaded after add-save', $this->ldapTestId . ' Add consumer configuration'); // assert one ldap server exists in db table // assert load of server has correct properties for each input $mismatches = $this->compareFormToProperties($ldap_consumer, $consumer_form_data, $i, $field_to_prop_map, $lcase_transformed); if (count($mismatches)) { debug('mismatches between ldap server properties and form submitted values'); debug($mismatches); // debug($ldap_consumer); // throw recursion debug($consumer_form_data); } $this->assertTrue(count($mismatches) == 0, 'Add form for ldap consumer properties match values submitted.', $this->ldapTestId . ' Add consumer conf'); /** update server conf test **/ $this->drupalGet('admin/config/people/ldap/authorization/edit/' . $consumer_type); $edit = array(); foreach ($consumer_form_data as $input_name => $input_values) { if ($input_values[$i] !== NULL) { $edit[$input_name] = $input_values[$i]; } } unset($edit['sid']); $this->drupalPost('admin/config/people/ldap/authorization/edit/' . $consumer_type, $edit, t('Save')); $ldap_consumer = ldap_authorization_get_consumer_object($consumer_type); $this->assertTrue(is_object($ldap_consumer), 'ldap consumer conf loaded after edit-save', $this->ldapTestId . ' update consumer configuration'); $mismatches = $this->compareFormToProperties($ldap_consumer, $consumer_form_data, $i, $field_to_prop_map, $lcase_transformed); if (count($mismatches)) { debug('mismatches between ldap server properties and form submitted values'); debug($mismatches); // debug($ldap_consumer); // throw recursion debug($consumer_form_data); } $this->assertTrue(count($mismatches) == 0, 'Update form for ldap server properties match values submitted.', $this->ldapTestId . '.Update consumer conf'); /** delete server conf test **/ $this->drupalGet('admin/config/people/ldap/authorization/delete/' . $consumer_type); $this->drupalPost('admin/config/people/ldap/authorization/delete/' . $consumer_type, array(), t('Delete')); ctools_include('export'); ctools_export_load_object_reset('ldap_authorization'); $consumer_conf = ldap_authorization_get_consumer_conf($consumer_type);// $pass = (is_object($consumer_conf) && $consumer_conf->inDatabase === FALSE); $this->assertTrue($pass, 'Delete form for consumer conf deleted conf.', $this->ldapTestId . '.Delete consumer conf'); if (!$pass) { debug('ldap consumer after delete. is_object=' . is_object($consumer_conf)); debug('inDatabase?' . is_object($ldap_consumer) ? $consumer_conf->inDatabase : '?'); debug("numericConsumerConfId" . $consumer_conf->numericConsumerConfId); debug("status" . $consumer_conf->status); debug("sid" . $consumer_conf->sid); } } } } variable_set('ldap_simpletest', $ldap_simpletest_initial); // return to fake server mode } }