]> git.proxmox.com Git - pve-access-control.git/blame - src/test/realm_sync_test.pl
1#!/usr/bin/perl
2
3use strict;
4use warnings;
5
6use Test::MockModule;
7use Test::More;
8use Storable qw(dclone);
9
10use PVE::AccessControl;
11use PVE::API2::Domains;
12
# Fixture returned (as a deep copy) by the mocked cfs_read_file() for
# 'domains.cfg': a 'pam' realm, a 'pve' realm and one realm of type 'ldap',
# which is the realm every test case below syncs.
my $domainscfg = {
    ids => {
        pam         => { type => 'pam' },
        pve         => { type => 'pve' },
        syncedrealm => { type => 'ldap' },
    },
};
20
# Fixture returned (as a deep copy) by the mocked cfs_read_file() for
# 'user.cfg', i.e. the local state before each sync:
#   - user1 carries a locally set 'keys' property,
#   - user3 is the only user with an entry under acl_root,
#   - both groups start without members.
# Single quotes are required for the user IDs: '@syncedrealm' would be
# interpolated as an array inside double quotes.
my $initialusercfg = {
    users => {
        'root@pam'          => { username => 'root' },
        'user1@syncedrealm' => { username => 'user1', enable => 1, 'keys' => 'some' },
        'user2@syncedrealm' => { username => 'user2', enable => 1 },
        'user3@syncedrealm' => { username => 'user3', enable => 1 },
    },
    groups => {
        'group1-syncedrealm' => { users => {} },
        'group2-syncedrealm' => { users => {} },
    },
    acl_root => {
        users  => { 'user3@syncedrealm' => {} },
        groups => {},
    },
};
49
# Canned directory content handed out by the mocked PVE::LDAP query
# functions. Compared with the initial user.cfg fixture:
#   - user1 and user2 still exist, user4 is new, user3 is absent,
#   - group1 now lists user1, group3 is new, group2 is absent,
#   - group3's only member DN matches none of the returned users.
my $sync_response = {
    user => [
        { dn => 'uid=user1,dc=syncedrealm', attributes => { uid => ['user1'] } },
        { dn => 'uid=user2,dc=syncedrealm', attributes => { uid => ['user2'] } },
        { dn => 'uid=user4,dc=syncedrealm', attributes => { uid => ['user4'] } },
    ],
    groups => [
        {
            dn      => 'dc=group1,dc=syncedrealm',
            members => ['uid=user1,dc=syncedrealm'],
        },
        {
            dn      => 'dc=group3,dc=syncedrealm',
            members => ['uid=nonexisting,dc=syncedrealm'],
        },
    ],
};
80
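# Receives whatever the code under test writes to 'user.cfg'. The test loop
# resets it to an empty hash before every sync call.
my $returned_user_cfg = {};

# mocking all cluster and ldap operations
my $pve_cluster_module = Test::MockModule->new('PVE::Cluster');
$pve_cluster_module->mock(
    # nothing to refresh: all configuration comes from the fixtures above
    cfs_update => sub {},
    cfs_read_file => sub {
        my ($filename) = @_;
        # Deep copies keep the fixtures pristine, so changes made during one
        # test case cannot leak into the next one.
        if ($filename eq 'domains.cfg') { return dclone($domainscfg); }
        if ($filename eq 'user.cfg') { return dclone($initialusercfg); }
        die "unexpected cfs_read_file";
    },
    cfs_write_file => sub {
        my ($filename, $data) = @_;
        if ($filename eq 'user.cfg') {
            $returned_user_cfg = $data;
            return;
        }
        # Any other file is a write the test does not expect; name the right
        # operation so a failure points at the write path, not the read path.
        die "unexpected cfs_write_file";
    },
    # Runs the callback directly: no lock is taken and $timeout is ignored.
    cfs_lock_file => sub {
        my ($filename, $timeout, $code) = @_;
        return $code->();
    },
);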
106
# Replace the cfs_read_file/cfs_write_file names inside PVE::API2::Domains
# with thin forwarders to the PVE::Cluster functions, which are mocked in
# this file, so the API module never touches real cluster files.
my $pve_api_domains = Test::MockModule->new('PVE::API2::Domains');
$pve_api_domains->mock(cfs_read_file => sub { PVE::Cluster::cfs_read_file(@_); });
$pve_api_domains->mock(cfs_write_file => sub { PVE::Cluster::cfs_write_file(@_); });
112
# Same forwarding for the cfs_lock_file name inside PVE::AccessControl: it
# ends up in the PVE::Cluster mock, which simply runs the callback.
my $pve_accesscontrol = Test::MockModule->new('PVE::AccessControl');
$pve_accesscontrol->mock(cfs_lock_file => sub { PVE::Cluster::cfs_lock_file(@_); });
117
# Stand-in RPC environment:
#   get         - returns an empty object blessed into PVE::RPCEnvironment
#   get_user    - always reports 'root@pam' as the calling user
#   fork_worker - runs the worker code inline and returns its result
# NOTE(review): with the caller fixed to root@pam, this file presumably does
# not exercise how sync behaves for less privileged callers - confirm that is
# covered elsewhere.
my $pve_rpcenvironment = Test::MockModule->new('PVE::RPCEnvironment');
$pve_rpcenvironment->mock(
    get => sub {
        return bless {}, 'PVE::RPCEnvironment';
    },
    get_user => sub {
        return 'root@pam';
    },
    fork_worker => sub {
        my ($class, $workertype, $id, $user, $worker) = @_;
        return $worker->();
    },
);
128
# PVE::LDAP is replaced completely: connect yields an empty hash, bind does
# nothing, and both queries answer from $sync_response.
# Note that the queries return the shared fixture itself, not a copy (the
# cfs_read_file mock, in contrast, hands out dclone()d data).
my $pve_ldap_module = Test::MockModule->new('PVE::LDAP');
$pve_ldap_module->mock(
    ldap_connect => sub {
        return {};
    },
    ldap_bind    => sub {},
    query_users  => sub { return $sync_response->{user}; },
    query_groups => sub { return $sync_response->{groups}; },
);
140
# The realm plugin's connect_and_bind is stubbed to return an empty hash in
# place of a connection handle.
my $pve_auth_ldap = Test::MockModule->new('PVE::Auth::LDAP');
$pve_auth_ldap->mock(connect_and_bind => sub { return {}; });
145
# Test cases, each a triple of
#   [ test name, parameters passed to sync, user.cfg expected to be written ].
#
# All cases sync the same realm with scope 'both' and differ only in
# 'remove-vanished'. As the expectations below show, each flag controls what
# happens to local data that the directory no longer backs:
#   entry      - user3 and group2 (absent from the response) are removed
#   properties - user1 loses its locally set 'keys' property
#   acl        - user3's entry under acl_root is removed
my $tests = [
    # No 'remove-vanished': new entries are added, nothing is taken away.
    # user3 is gone from the directory yet stays enabled and keeps its ACL.
    [
        "non-full without purge",
        {
            realm => 'syncedrealm',
            scope => 'both',
        },
        {
            users => {
                'root@pam'          => { username => 'root' },
                'user1@syncedrealm' => { username => 'user1', enable => 1, 'keys' => 'some' },
                'user2@syncedrealm' => { username => 'user2', enable => 1 },
                'user3@syncedrealm' => { username => 'user3', enable => 1 },
                'user4@syncedrealm' => { username => 'user4', enable => 1 },
            },
            groups => {
                'group1-syncedrealm' => { users => { 'user1@syncedrealm' => 1 } },
                'group2-syncedrealm' => { users => {} },
                'group3-syncedrealm' => { users => {} },
            },
            acl_root => {
                users  => { 'user3@syncedrealm' => {} },
                groups => {},
            },
        },
    ],
    # 'entry;properties' without 'acl'.
    # NOTE(review): the user3 entry is removed here but its acl_root entry is
    # kept. Presumably a user that later reappears under the same ID would
    # match that leftover entry again - confirm; where the ACL must not
    # outlive the user, 'acl' has to be part of 'remove-vanished' (see the
    # "full with purge" case).
    [
        "full without purge",
        {
            realm             => 'syncedrealm',
            'remove-vanished' => 'entry;properties',
            scope             => 'both',
        },
        {
            users => {
                'root@pam'          => { username => 'root' },
                'user1@syncedrealm' => { username => 'user1', enable => 1 },
                'user2@syncedrealm' => { username => 'user2', enable => 1 },
                'user4@syncedrealm' => { username => 'user4', enable => 1 },
            },
            groups => {
                'group1-syncedrealm' => { users => { 'user1@syncedrealm' => 1 } },
                'group3-syncedrealm' => { users => {} },
            },
            acl_root => {
                users  => { 'user3@syncedrealm' => {} },
                groups => {},
            },
        },
    ],
    # 'acl' only: user3 keeps its (still enabled) user entry, but its ACL
    # entry is dropped.
    [
        "non-full with purge",
        {
            realm             => 'syncedrealm',
            'remove-vanished' => 'acl',
            scope             => 'both',
        },
        {
            users => {
                'root@pam'          => { username => 'root' },
                'user1@syncedrealm' => { username => 'user1', enable => 1, 'keys' => 'some' },
                'user2@syncedrealm' => { username => 'user2', enable => 1 },
                'user3@syncedrealm' => { username => 'user3', enable => 1 },
                'user4@syncedrealm' => { username => 'user4', enable => 1 },
            },
            groups => {
                'group1-syncedrealm' => { users => { 'user1@syncedrealm' => 1 } },
                'group2-syncedrealm' => { users => {} },
                'group3-syncedrealm' => { users => {} },
            },
            acl_root => {
                users  => {},
                groups => {},
            },
        },
    ],
    # All three flags: vanished entries, their ACLs and unsynced properties
    # are all removed.
    [
        "full with purge",
        {
            realm             => 'syncedrealm',
            'remove-vanished' => 'acl;entry;properties',
            scope             => 'both',
        },
        {
            users => {
                'root@pam'          => { username => 'root' },
                'user1@syncedrealm' => { username => 'user1', enable => 1 },
                'user2@syncedrealm' => { username => 'user2', enable => 1 },
                'user4@syncedrealm' => { username => 'user4', enable => 1 },
            },
            groups => {
                'group1-syncedrealm' => { users => { 'user1@syncedrealm' => 1 } },
                'group3-syncedrealm' => { users => {} },
            },
            acl_root => {
                users  => {},
                groups => {},
            },
        },
    ],
    # 'acl;entry' without 'properties': user3, group2 and user3's ACL go
    # away, while user1 keeps its 'keys' property.
    [
        "don't delete properties, but users and acls",
        {
            realm             => 'syncedrealm',
            'remove-vanished' => 'acl;entry',
            scope             => 'both',
        },
        {
            users => {
                'root@pam'          => { username => 'root' },
                'user1@syncedrealm' => { username => 'user1', enable => 1, 'keys' => 'some' },
                'user2@syncedrealm' => { username => 'user2', enable => 1 },
                'user4@syncedrealm' => { username => 'user4', enable => 1 },
            },
            groups => {
                'group1-syncedrealm' => { users => { 'user1@syncedrealm' => 1 } },
                'group3-syncedrealm' => { users => {} },
            },
            acl_root => {
                users  => {},
                groups => {},
            },
        },
    ],
];
349
# Run each case through the real PVE::API2::Domains->sync and compare the
# user.cfg it writes (captured by the cfs_write_file mock) with the
# expectation.
for my $case (@$tests) {
    my ($name, $parameters, $expected) = @$case;

    # Start from an empty capture so that a sync which writes nothing
    # cannot pass by matching data left over from the previous case.
    $returned_user_cfg = {};

    PVE::API2::Domains->sync($parameters);
    is_deeply($returned_user_cfg, $expected, $name);
}

done_testing();