['entity_type' => 'node', 'bundle_type' => 'group'], 'time-keeper' => ['entity_type' => 'node', 'bundle_type' => 'group'], ]; /** * */ public static function getInfo() { return [ 'group' => 'LDAP Authorization', 'name' => 'OG 7.x-2.x Tests.', 'description' => 'Test ldap authorization og 2.', ]; } /** * */ public function __construct($test_id = NULL) { parent::__construct($test_id); } /** * */ public function setUp($addl_modules = []) { parent::setUp(['ldap_authentication', 'ldap_authorization', 'ldap_authorization_og']); variable_set('ldap_simpletest', 2); $this->user1 = $this->drupalCreateUser(); $this->groups = []; $this->prepTestData(LDAP_TEST_LDAP_NAME, ['activedirectory1']); // Create group and group content node types. $this->groupBundle = $this->drupalCreateContentType([ 'type' => 'group', 'name' => 'OG Group', ])->type; og_create_field(OG_GROUP_FIELD, $this->groupEntityType, $this->groupBundle); og_create_field(OG_AUDIENCE_FIELD, $this->groupEntityType, $this->groupBundle); // Create og group for each group in group csv. $this->testFunctions->populateFakeLdapServerData(LDAP_TEST_LDAP_NAME, 'activedirectory1'); $this->testFunctions->getCsvLdapData(LDAP_TEST_LDAP_NAME); foreach ($this->testFunctions->csvTables['groups'] as $guid => $group) { $label = $group['cn']; $settings = []; $settings['type'] = $this->groupBundle; $settings[OG_GROUP_FIELD][LANGUAGE_NONE][0]['value'] = 1; $settings['uid'] = $this->user1->uid; $settings['title'] = $label; $settings['type'] = 'group'; $this->group_nodes[$label] = $this->drupalCreateNode($settings); } } /** * */ public function createCustomRoles() { foreach ($this->customOgRoles as $og_role_name => $og_role) { $role = new stdClass(); $role->gid = 0; $role->group_type = $og_role['entity_type']; $role->group_bundle = $og_role['bundle_type']; $role->name = $og_role_name; $status = og_role_save($role); } } /** * Get test data in convenient format, so tests are easier to read and write. */ public function getTestData($debug = FALSE) { $group_nodes = []; $group_nids = []; $group_entity_ids = []; $roles = []; $roles_by_name = []; $consumer_ids = []; foreach (['gryffindor', 'students', 'faculty', 'users', 'hufflepuff', 'slytherin'] as $i => $group_name) { list($group_nodes[$group_name], $group_entity_ids[$group_name]) = ldap_authorization_og2_get_group_from_name($this->groupEntityType, $group_name); $nid = $group_nodes[$group_name]->nid; $group_nids[$group_name] = $nid; $roles[$group_name] = og_roles($this->groupEntityType, $this->groupBundle, $nid, FALSE, TRUE); $roles_by_name[$group_name] = array_flip($roles[$group_name]); foreach ($roles[$group_name] as $rid => $role_name) { $consumer_ids[$group_name][$role_name] = ldap_authorization_og_authorization_id($nid, $rid, 'node'); $consumer_ids[$group_name][$rid] = ldap_authorization_og_authorization_id($nid, $rid, 'node'); } } if ($debug) { debug("group_nids"); debug($group_nids); debug("group_entity_ids"); debug($group_entity_ids); debug("roles"); debug($roles); debug("roles_by_name"); debug($roles_by_name); } return [$group_nodes, $group_nids, $group_entity_ids, $roles_by_name, $consumer_ids]; } /** * Just make sure install succeeds and. */ public function testBasicFunctionsAndApi() { // TODO: Fix failing tests, excluding to make branch pass. return; $this->createCustomRoles(); $all_roles = og_roles($this->groupEntityType, $this->groupBundle, 0, FALSE, TRUE); $this->ldapTestId = $this->module_name . ': setup success'; // Just to give warning if setup doesn't succeed. may want to take these out at some point. $setup_success = ( module_exists('ldap_authentication') && module_exists('ldap_servers') && module_exists('ldap_user') && module_exists('ldap_authorization') && module_exists('ldap_authorization_og') && (variable_get('ldap_simpletest', 0) == 2) ); $this->assertTrue($setup_success, ' ldap_authorizations og setup successful', $this->ldapTestId); $this->ldapTestId = $this->module_name . ': cron test'; $this->assertTrue(drupal_cron_run(), t('Cron can run with ldap authorization og enabled.'), $this->ldapTestId); /*** * I. some basic tests to make sure og module's apis are working before testing ldap_authorization_og * if these aren't working as expected, no ldap authorization og functionality will work. */ $web_user = $this->drupalCreateUser(); $this->ldapTestId = $this->module_name . ': og2 functions'; list($group_nodes, $group_nids, $group_entity_ids, $roles_by_name, $consumer_ids) = $this->getTestData(TRUE); /** * II.0 basic granting tests to make sure og_role_grant, ldap_authorization_og_rid_from_role_name, * and ldap_authorization_og2_get_group functions work * og_is_member($group_type, $gid, $entity_type = 'user', $entity = NULL, $states = array(OG_STATE_ACTIVE)) */ $values = [ 'entity_type' => 'user', 'entity' => $web_user->uid, 'field_name' => FALSE, 'state' => OG_STATE_ACTIVE, ]; $og_gryffindor_membership = og_group($this->groupType, $group_nids['gryffindor'], $values); $og_faculty_membership = og_group($this->groupType, $group_nids['faculty'], $values); og_role_grant($this->groupType, $group_nids['gryffindor'], $web_user->uid, $roles_by_name['gryffindor'][OG_AUTHENTICATED_ROLE]); og_role_grant($this->groupType, $group_nids['faculty'], $web_user->uid, $roles_by_name['faculty'][OG_ADMINISTRATOR_ROLE]); og_role_grant($this->groupType, $group_nids['faculty'], $web_user->uid, $roles_by_name['faculty']['dungeon-master']); og_role_grant($this->groupType, $group_nids['faculty'], $web_user->uid, $roles_by_name['faculty'][OG_AUTHENTICATED_ROLE]); // Need to reload because of issue with og_group and og_role_grant. $web_user = user_load($web_user->uid, TRUE); $ids = [$web_user->uid]; $user_entity = entity_load('user', $ids); $this->assertTrue(og_is_member($this->groupType, $group_nids['gryffindor'], 'user', $web_user), 'User is member of Group gryffindor without LDAP (based on og_is_member() function)', $this->ldapTestId); $this->assertTrue(og_is_member($this->groupType, $group_nids['faculty'], 'user', $web_user), 'User is member of Group faculty without LDAP (based on og_is_member() function)', $this->ldapTestId); $this->assertTrue(ldap_authorization_og2_has_role($this->groupType, $group_nids['gryffindor'], $web_user->uid, OG_AUTHENTICATED_ROLE), 'User is member of Group gryffindor without LDAP (based on dap_authorization_og_has_role() function)', $this->ldapTestId); $this->assertTrue(ldap_authorization_og2_has_role($this->groupType, $group_nids['faculty'], $web_user->uid, OG_AUTHENTICATED_ROLE), 'User is member of Group faculty without LDAP (based on ldap_authorization_og2_has_role() function)', $this->ldapTestId); $this->assertTrue(ldap_authorization_og2_has_role($this->groupType, $group_nids['faculty'], $web_user->uid, OG_ADMINISTRATOR_ROLE), 'User is administrator member of Group faculty without LDAP (based on dap_authorization_og_has_role() function)', $this->ldapTestId); /*** * II.A. construct ldapauthorization og object and test methods. * (unit tests for methods and class without any ldap user context). */ // . $this->ldapTestId = $this->module_name . ': LdapAuthorizationConsumerOG class'; $og_auth = new LdapAuthorizationConsumerOG('og_group'); $this->assertTrue(is_object($og_auth), 'Successfully instantiated LdapAuthorizationConsumerOG', $this->ldapTestId); $this->assertTrue($og_auth->consumerType == 'og_group', 'LdapAuthorizationConsumerOG ConsumerType set properly', $this->ldapTestId); $this->assertTrue($og_auth->hasAuthorization($web_user, ldap_authorization_og_authorization_id($group_nids['faculty'], $roles_by_name['faculty'][OG_ADMINISTRATOR_ROLE], 'node')), 'hasAuthorization() method works for non LDAP provisioned og authorization, faculty admin role', $this->ldapTestId); $should_haves = [ $consumer_ids['gryffindor'][OG_AUTHENTICATED_ROLE] => 'gryffindor member', $consumer_ids['faculty'][OG_AUTHENTICATED_ROLE] => 'faculty member', $consumer_ids['faculty'][OG_ADMINISTRATOR_ROLE] => 'faculty admin', $consumer_ids['faculty']['dungeon-master'] => 'faculty dungeon master', ]; foreach ($should_haves as $consumer_id => $descriptor) { $this->assertTrue(ldap_authorization_og2_has_consumer_id($consumer_id, $web_user->uid), "LdapAuthorizationConsumerOG usersAuthorizations() for $descriptor - $consumer_id", $this->ldapTestId); } $ldap_entry = NULL; $user_data = []; $web_user = user_load($web_user->uid, TRUE); $this->assertTrue(ldap_authorization_og2_has_consumer_id($consumer_ids['faculty']['dungeon-master'], $web_user->uid), "LdapAuthorizationConsumerOG has faculty member role BEFORE authorizationRevoke() test revoke on member role " . $consumer_ids['faculty']['dungeon-master'], $this->ldapTestId); $web_user = user_load($web_user->uid, TRUE); $consumers = [$consumer_ids['faculty']['dungeon-master'] => $og_auth->emptyConsumer]; $og_auth->authorizationRevoke($web_user, $user_data, $consumers, $ldap_entry, TRUE); $result = ldap_authorization_og2_has_consumer_id($consumer_ids['faculty']['dungeon-master'], $web_user->uid); $this->assertFalse($result, "LdapAuthorizationConsumerOG authorizationRevoke() test revoke on member role " . $consumer_ids['faculty']['dungeon-master'], $this->ldapTestId); $web_user = user_load($web_user->uid, TRUE); $consumers = [$consumer_ids['faculty']['dungeon-master'] => $og_auth->emptyConsumer]; $og_auth->authorizationRevoke($web_user, $user_data, $consumers, $ldap_entry, TRUE); $this->assertFalse(ldap_authorization_og2_has_consumer_id($consumer_ids['faculty']['dungeon-master'], $web_user->uid), "LdapAuthorizationConsumerOG authorizationRevoke() test revoke on custom member role role " . $consumer_ids['faculty']['dungeon-master'], $this->ldapTestId); $web_user = user_load($web_user->uid, TRUE); $initial_user_authorizations = $og_auth->usersAuthorizations($web_user, TRUE, TRUE); debug("initial_user_authorizations authorizations:"); debug($initial_user_authorizations); debug("initial_user data:"); debug($web_user->data); $og_auth->authorizationGrant($web_user, $user_data, [$consumer_ids['students'][OG_AUTHENTICATED_ROLE] => $og_auth->emptyConsumer], $ldap_entry, TRUE); $success = ldap_authorization_og2_has_consumer_id($consumer_ids['students'][OG_AUTHENTICATED_ROLE], $web_user->uid); $this->assertTrue($success, "LdapAuthorizationConsumerOG authorizationGrant() test grant on member role " . $consumer_ids['students'][OG_AUTHENTICATED_ROLE], $this->ldapTestId); if (!$success) { debug([$user_data, [$consumer_ids['students'][OG_AUTHENTICATED_ROLE] => $og_auth->emptyConsumer]]); debug("user authorizations:"); debug($og_auth->usersAuthorizations($web_user, TRUE)); } $web_user = user_load($web_user->uid, TRUE); $result = $og_auth->authorizationRevoke($web_user, $user_data, ['node:454:44334' => $og_auth->emptyConsumer], $ldap_entry, TRUE); $this->assertFalse($result, 'LdapAuthorizationConsumerOG authorizationRevoke() test revoke of bogus authorization', $this->ldapTestId); $web_user = user_load($web_user->uid, TRUE); $result = $og_auth->authorizationGrant($web_user, $user_data, ['node:454:44334' => $og_auth->emptyConsumer], $ldap_entry, TRUE); $this->assertFalse($result, 'LdapAuthorizationConsumerOG authorizationGrant() test grant of bogus authorization', $this->ldapTestId); $web_user = user_load($web_user->uid, TRUE); $result = $og_auth->authorizationRevoke($web_user, $user_data, ['bogusformat'], $ldap_entry, TRUE); $this->assertFalse($result, 'LdapAuthorizationConsumerOG authorizationRevoke() test revoke malformed params', $this->ldapTestId); $web_user = user_load($web_user->uid, TRUE); $result = $og_auth->authorizationGrant($web_user, $user_data, ['bogusformat'], $ldap_entry, TRUE); $this->assertFalse($result, 'LdapAuthorizationConsumerOG authorizationGrant() test grant malformed params', $this->ldapTestId); /*** * II.B. Also test function in ldap_authorization_og.module */ list($students_group, $group_entity_id) = ldap_authorization_og2_get_group_from_name('node', 'students'); $this->assertTrue($students_group->title == 'students', 'ldap_authorization_og2_get_group_from_name() function works', $this->ldapTestId); $test = ldap_authorization_og2_has_role($this->groupType, $group_nids['gryffindor'], $web_user->uid, OG_ADMINISTRATOR_ROLE); $this->assertTrue($test, 'ldap_authorization_og2_has_role() function works', $this->ldapTestId); $test = ldap_authorization_og2_has_role($this->groupType, $group_nids['students'], $web_user->uid, OG_ADMINISTRATOR_ROLE); $this->assertTrue($test === FALSE, 'ldap_authorization_og2_has_role() function fails with FALSE', $this->ldapTestId); } /** * Authorization configuration flags tests clumped together. */ public function testFlags() { // TODO: Fix failing tests, excluding to make branch pass. return; $sid = 'activedirectory1'; $this->prepTestData( LDAP_TEST_LDAP_NAME, [$sid], 'provisionToDrupal', 'default', 'og_group2' ); $og_group_consumer = ldap_authorization_get_consumers('og_group', TRUE, TRUE); /** * LDAP_authorz.Flags.status=0: Disable ldap_authorization_drupal_role configuration and make sure no authorizations performed */ list($props_set_display, $props_set_correctly) = $this->checkConsumerConfSetup('og_group2'); $this->assertTrue( $props_set_correctly, 'Authorization Configuration set correctly in test setup', 'LDAP_authorz.Flags.setup.0' ); if (!$props_set_correctly) { debug('LDAP_authorz.Flags.setup.0 properties not set correctly'); debug($props_set_display); } $this->consumerAdminConf['og_group']->useFirstAttrAsGroupId = 0; $this->consumerAdminConf['og_group']->status = 0; $this->consumerAdminConf['og_group']->save(); $user = $this->drupalCreateUser([]); $hpotter = $this->testFunctions->drupalLdapUpdateUser(['name' => 'hpotter', 'mail' => 'hpotter@hogwarts.edu'], TRUE, $user); // Just see if the correct ones are derived. list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query'); $groups1 = $new_authorizations['og_group']; $this->assertTrue( count($new_authorizations['og_group']) == 0, 'disabled consumer configuration disallows authorizations.', 'LDAP_authorz.Flags.status.0' ); list($group_nodes, $group_nids, $group_entity_ids, $roles_by_name, $consumer_ids) = $this->getTestData(TRUE); $this->consumerAdminConf['og_group']->status = 1; $this->consumerAdminConf['og_group']->save(); // Just see if the correct ones are derived. list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'query', 'og_group'); $correct_groups = !empty($new_authorizations['og_group'][$consumer_ids['students'][OG_AUTHENTICATED_ROLE]]) && !empty($new_authorizations['og_group'][$consumer_ids['gryffindor'][OG_AUTHENTICATED_ROLE]]); $this->assertTrue($correct_groups, 'enabled consumer configuration allows authorizations.', 'LDAP_authorz.Flags.status.1'); if (!$correct_groups) { debug('LDAP_authorz.Flags.enable.1 roles with enabled'); debug($new_authorizations); } /** * LDAP_authorz.onlyLdapAuthenticated=1: create normal user and * apply authorization query. should return no roles */ $this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 1; $this->consumerAdminConf['og_group']->status = 1; $this->consumerAdminConf['og_group']->save(); $user = $this->drupalCreateUser([]); $hgrainger = $this->testFunctions->drupalLdapUpdateUser(['name' => 'hgrainger', 'mail' => 'hgrainger@hogwarts.edu'], TRUE, $user); // Remove old authmap in case it exists so test will work. db_delete('authmap') ->condition('uid', $user->uid) ->condition('module', 'ldap_user') ->execute(); // Just see if the correct ones are derived. list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hgrainger, 'query'); $success = (isset($new_authorizations['og_group']) && count($new_authorizations['og_group']) == 0); $this->assertTrue($success, ' only apply to ldap authenticated grants no roles for non ldap user.', 'LDAP_authorz.onlyLdapAuthenticated.1'); if (!$success) { debug('LDAP_authorz.onlyLdapAuthenticated.1'); debug($new_authorizations); debug($this->testFunctions->ldapUserIsAuthmapped('hgrainger')); debug($notifications); } /** * LDAP_authorz.Flags.synchOnLogon - execute logon and check that no roles are applied if disabled */ $this->consumerAdminConf['og_group']->synchOnLogon = 0; $this->consumerAdminConf['og_group']->save(); $edit = [ 'name' => 'hgrainger', 'pass' => 'goodpwd', ]; $this->drupalPost('user', $edit, t('Log in')); $this->assertText( t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.synchOnLogon.0' ); $this->assertTrue( $this->testFunctions->ldapUserIsAuthmapped('hgrainger'), 'Ldap user properly authmapped.', 'LDAP_authorz.Flags.synchOnLogon.0' ); $hgrainger = user_load_by_name('hgrainger'); $this->drupalGet('user/logout'); $this->consumerAdminConf['og_group']->synchOnLogon = 1; $this->consumerAdminConf['og_group']->save(); $edit = [ 'name' => 'hgrainger', 'pass' => 'goodpwd', ]; $this->drupalPost('user', $edit, t('Log in')); $this->assertText(t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.synchOnLogon=1'); $hgrainger = user_load_by_name('hgrainger'); $this->drupalGet('user/logout'); // Create a couple roles for next 2 tests. $troublemaker = new stdClass(); $troublemaker->name = 'troublemaker'; user_role_save($troublemaker); $troublemaker = user_role_load_by_name('troublemaker'); $superadmin = new stdClass(); $superadmin->name = 'superadmin'; user_role_save($superadmin); $superadmin = user_role_load_by_name('superadmin'); /** * LDAP_authorz.Flags.revokeLdapProvisioned: test flag for * removing manually granted roles * * $this->revokeLdapProvisioned == 1 : Revoke !consumer_namePlural previously granted by LDAP Authorization but no longer valid. * * grant roles via ldap and some not vai ldap manually, * then alter ldap so they are no longer valid, * then logon again and make sure the ldap provided roles are revoked and the drupal ones are not revoked * */ $this->consumerAdminConf['og_group']->onlyApplyToLdapAuthenticated = 0; $this->consumerAdminConf['og_group']->revokeLdapProvisioned = 1; $this->consumerAdminConf['og_group']->createConsumers = 1; $this->consumerAdminConf['og_group']->save(); // Set correct roles manually. $hpotter = user_load_by_name('hpotter'); user_delete($hpotter->uid); $user = $this->drupalCreateUser([]); $hpotter = $this->testFunctions->drupalLdapUpdateUser(['name' => 'hpotter', 'mail' => 'hpotter@hogwarts.edu'], TRUE, $user); $edit = [ 'name' => 'hpotter', 'pass' => 'goodpwd', ]; $this->drupalPost('user', $edit, t('Log in')); $this->assertText( t('Member for'), 'New Ldap user with good password authenticated.', 'LDAP_authorz.Flags.revokeLdapProvisioned=1' ); $hpotter = user_load_by_name('hpotter'); // Add an underserved, ldap granted drupal role superadmin // and an undeserved, non ldap granted role troublemaker. $hpotter = user_load($hpotter->uid, TRUE); $roles = $hpotter->roles; $roles[$troublemaker->rid] = $troublemaker->name; $roles[$superadmin->rid] = $superadmin->name; $data = [ 'roles' => $roles, 'data' => [ 'ldap_authorizations' => [ 'og_group' => [ $superadmin->name => ['date_granted' => 1304216778], ], ], ], ]; $hpotter = user_save($hpotter, $data); // Apply correct authorizations. should remove the administrator role but not the manually created 'troublemaker' role. list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'og_group', 'logon'); $hpotter = user_load($hpotter->uid, TRUE); $this->assertTrue( (!isset($new_authorizations['og_group'][$superadmin->rid])), ' revoke superadmin ldap granted roles when no longer deserved.', 'LDAP_authorz.Flags.revokeLdapProvisioned=1' ); /** * LDAP_authorz.Flags.regrantLdapProvisioned * $this->regrantLdapProvisioned == 1 : * Re grant !consumer_namePlural previously granted * by LDAP Authorization but removed manually. * * - manually remove ldap granted role * - logon * - check if regranted */ $this->drupalGet('user/logout'); $this->consumerAdminConf['og_group']->regrantLdapProvisioned = 1; $this->consumerAdminConf['og_group']->save(); $hpotter = user_load($hpotter->uid, TRUE); $roles = $hpotter->roles; unset($roles[$superadmin->rid]); user_save($hpotter, ['roles' => $roles]); $hpotter = user_load($hpotter->uid, TRUE); list($new_authorizations, $notifications) = ldap_authorizations_user_authorizations($hpotter, 'set', 'og_group', 'logon'); $hpotter = user_load($hpotter->uid, TRUE); $success = !in_array('administrator', array_values($hpotter->roles)); $this->assertTrue( $success, 'regrant Ldap Provisioned roles that were manually revoked', 'LDAP_authorz.Flags.regrantLdapProvisioned=1' ); if (!$success) { debug('LDAP_authorz.Flags.regrantLdapProvisioned=1'); debug('hpotter roles'); debug($hpotter->roles); debug('new_authorizations'); debug($new_authorizations); } /** * LDAP_authorz.Flags.createConsumers=1 */ if (!empty($og_group_consumer['allowConsumerObjectCreation']) && $og_group_consumer['allowConsumerObjectCreation']) { // @todo. this needs to be finished when creation of og groups is added to ldap authorization og functionality // Add new mapping to and enable create consumers. $this->prepTestData('hogwarts', [$sid], 'provisionToDrupal', 'default', 'drupal_role_default'); $this->drupalGet('user/logout'); $new_role = 'oompa-loompas'; $this->consumerAdminConf['og_group']->createConsumers = 1; $this->consumerAdminConf['og_group']->mappings[] = [ 'from' => 'cn=students,ou=groups,dc=hogwarts,dc=edu', 'user_entered' => $new_role, 'normalized' => 'node:' . $new_role . ':' . OG_AUTHENTICATED_ROLE, 'simplified' => $new_role, 'valid' => TRUE, 'error_message' => '', ]; $this->consumerAdminConf['og_group']->save(); $edit = [ 'name' => 'hpotter', 'pass' => 'goodpwd', ]; $this->drupalPost('user', $edit, t('Log in')); $new_role_created = in_array($new_role, array_values(user_roles())); $roles_by_name = array_flip(user_roles()); $hpotter = user_load_by_name('hpotter'); $hpotter = user_load($hpotter->uid, TRUE); $role_granted = isset($hpotter->roles[$roles_by_name[$new_role]]); debug('roles'); debug(user_roles()); debug('roles by name'); debug($roles_by_name); debug('hpotter->roles'); debug($hpotter->roles); debug("$new_role_created AND $role_granted"); $this->assertTrue( ($new_role_created && $role_granted), 'create consumers (e.g. roles)', 'LDAP_authorz.Flags.createConsumers=1' ); } } }