[pve-access-control.git] / src / test / realm_sync_test.pl

#!/usr/bin/perl

use strict;
use warnings;

use Test::MockModule;
use Test::More;
use Storable qw(dclone);

use PVE::AccessControl;
use PVE::API2::Domains;

my $domainscfg = {
    ids => {
	"pam" => { type => 'pam' },
	"pve" => { type => 'pve' },
	"syncedrealm" => { type => 'ldap' }
    },
};

my $initialusercfg = {
    users => {
	'root@pam' => { username => 'root', },
	'user1@syncedrealm' => {
	    username => 'user1',
	    enable => 1,
	    'keys' => 'some',
	},
	'user2@syncedrealm' => {
	    username => 'user2',
	    enable => 1,
	},
	'user3@syncedrealm' => {
	    username => 'user3',
	    enable => 1,
	},
    },
    groups => {
	'group1-syncedrealm' => { users => {}, },
	'group2-syncedrealm' => { users => {}, },
    },
    acl => {
	'/' => {
	    users => {
		'user3@syncedrealm' => {},
	    },
	    groups => {},
	},
    },
};

my $sync_response = {
    user => [
	{
	    attributes => { 'uid' => ['user1'], },
	    dn => 'uid=user1,dc=syncedrealm',
	},
	{
	    attributes => { 'uid' => ['user2'], },
	    dn => 'uid=user2,dc=syncedrealm',
	},
	{
	    attributes => { 'uid' => ['user4'], },
	    dn => 'uid=user4,dc=syncedrealm',
	},
    ],
    groups => [
	{
	    dn => 'dc=group1,dc=syncedrealm',
	    members => [
		'uid=user1,dc=syncedrealm',
	    ],
	},
	{
	    dn => 'dc=group3,dc=syncedrealm',
	    members => [
		'uid=nonexisting,dc=syncedrealm',
	    ],
	}
    ],
};

my $returned_user_cfg = {};

# mocking all cluster and ldap operations
my $pve_cluster_module = Test::MockModule->new('PVE::Cluster');
$pve_cluster_module->mock(
    cfs_update => sub {},
    cfs_read_file => sub {
	my ($filename) = @_;
	if ($filename eq 'domains.cfg') { return dclone($domainscfg); }
	if ($filename eq 'user.cfg') { return dclone($initialusercfg); }
	die "unexpected cfs_read_file";
    },
    cfs_write_file => sub {
	my ($filename, $data) = @_;
	if ($filename eq 'user.cfg') {
	    $returned_user_cfg = $data;
	    return;
	}
	die "unexpected cfs_read_file";
    },
    cfs_lock_file => sub {
	my ($filename, $timeout, $code) = @_;
	return $code->();
    },
);

my $pve_api_domains = Test::MockModule->new('PVE::API2::Domains');
$pve_api_domains->mock(
    cfs_read_file => sub { PVE::Cluster::cfs_read_file(@_); },
    cfs_write_file => sub { PVE::Cluster::cfs_write_file(@_); },
);

my $pve_accesscontrol = Test::MockModule->new('PVE::AccessControl');
$pve_accesscontrol->mock(
    cfs_lock_file => sub { PVE::Cluster::cfs_lock_file(@_); },
);

my $pve_rpcenvironment = Test::MockModule->new('PVE::RPCEnvironment');
$pve_rpcenvironment->mock(
    get => sub { return bless {}, 'PVE::RPCEnvironment'; },
    get_user => sub { return 'root@pam'; },
    fork_worker => sub {
	my ($class, $workertype, $id, $user, $code) = @_;

	return $code->();
    },
);

my $pve_ldap_module = Test::MockModule->new('PVE::LDAP');
$pve_ldap_module->mock(
    ldap_connect => sub { return {}; },
    ldap_bind => sub {},
    query_users => sub {
	return $sync_response->{user};
    },
    query_groups => sub {
	return $sync_response->{groups};
    },
);

my $pve_auth_ldap = Test::MockModule->new('PVE::Auth::LDAP');
$pve_auth_ldap->mock(
    connect_and_bind => sub { return {}; },
);

my $tests = [
    [
	"non-full without purge",
	{
	    realm => 'syncedrealm',
	    scope => 'both',
	},
	{
	    users => {
		'root@pam' => { username => 'root', },
		'user1@syncedrealm' => {
		    username => 'user1',
		    enable => 1,
		    'keys' => 'some',
		},
		'user2@syncedrealm' => {
		    username => 'user2',
		    enable => 1,
		},
		'user3@syncedrealm' => {
		    username => 'user3',
		    enable => 1,
		},
		'user4@syncedrealm' => {
		    username => 'user4',
		    enable => 1,
		},
	    },
	    groups => {
		'group1-syncedrealm' => {
		    users => {
			'user1@syncedrealm' => 1,
		    },
		},
		'group2-syncedrealm' => { users => {}, },
		'group3-syncedrealm' => { users => {}, },
	    },
	    acl => {
		'/' => {
		    users => {
			'user3@syncedrealm' => {},
		    },
		    groups => {},
		},
	    },
	},
    ],
    [
	"full without purge",
	{
	    realm => 'syncedrealm',
	    'remove-vanished' => 'entry;properties',
	    scope => 'both',
	},
	{
	    users => {
		'root@pam' => { username => 'root', },
		'user1@syncedrealm' => {
		    username => 'user1',
		    enable => 1,
		},
		'user2@syncedrealm' => {
		    username => 'user2',
		    enable => 1,
		},
		'user4@syncedrealm' => {
		    username => 'user4',
		    enable => 1,
		},
	    },
	    groups => {
		'group1-syncedrealm' => {
		    users => {
			'user1@syncedrealm' => 1,
		    },
		},
		'group3-syncedrealm' => { users => {}, }
	    },
	    acl => {
		'/' => {
		    users => {
			'user3@syncedrealm' => {},
		    },
		    groups => {},
		},
	    },
	},
    ],
    [
	"non-full with purge",
	{
	    realm => 'syncedrealm',
	    'remove-vanished' => 'acl',
	    scope => 'both',
	},
	{
	    users => {
		'root@pam' => { username => 'root', },
		'user1@syncedrealm' => {
		    username => 'user1',
		    enable => 1,
		    'keys' => 'some',
		},
		'user2@syncedrealm' => {
		    username => 'user2',
		    enable => 1,
		},
		'user3@syncedrealm' => {
		    username => 'user3',
		    enable => 1,
		},
		'user4@syncedrealm' => {
		    username => 'user4',
		    enable => 1,
		},
	    },
	    groups => {
		'group1-syncedrealm' => {
		    users => {
			'user1@syncedrealm' => 1,
		    },
		},
		'group2-syncedrealm' => { users => {}, },
		'group3-syncedrealm' => { users => {}, },
	    },
	    acl => {
		'/' => {
		    users => {},
		    groups => {},
		},
	    },
	},
    ],
    [
	"full with purge",
	{
	    realm => 'syncedrealm',
	    'remove-vanished' => 'acl;entry;properties',
	    scope => 'both',
	},
	{
	    users => {
		'root@pam' => { username => 'root', },
		'user1@syncedrealm' => {
		    username => 'user1',
		    enable => 1,
		},
		'user2@syncedrealm' => {
		    username => 'user2',
		    enable => 1,
		},
		'user4@syncedrealm' => {
		    username => 'user4',
		    enable => 1,
		},
	    },
	    groups => {
		'group1-syncedrealm' => {
		    users => {
			'user1@syncedrealm' => 1,
		    },
		},
		'group3-syncedrealm' => { users => {}, },
	    },
	    acl => {
		'/' => {
		    users => {},
		    groups => {},
		},
	    },
	},
    ],
    [
	"don't delete properties, but users and acls",
	{
	    realm => 'syncedrealm',
	    'remove-vanished' => 'acl;entry',
	    scope => 'both',
	},
	{
	    users => {
		'root@pam' => { username => 'root', },
		'user1@syncedrealm' => {
		    username => 'user1',
		    enable => 1,
		    'keys' => 'some',
		},
		'user2@syncedrealm' => {
		    username => 'user2',
		    enable => 1,
		},
		'user4@syncedrealm' => {
		    username => 'user4',
		    enable => 1,
		},
	    },
	    groups => {
		'group1-syncedrealm' => {
		    users => {
			'user1@syncedrealm' => 1,
		    },
		},
		'group3-syncedrealm' => { users => {}, },
	    },
	    acl => {
		'/' => {
		    users => {},
		    groups => {},
		},
	    },
	},
    ],
];

for my $test (@$tests) {
    my $name = $test->[0];
    my $parameters = $test->[1];
    my $expected = $test->[2];
    $returned_user_cfg = {};
    PVE::API2::Domains->sync($parameters);
    is_deeply($returned_user_cfg, $expected, $name);
}

done_testing();
Commit	Line	Data
dcdf5789 DC	1	#!/usr/bin/perl
	2
	3	use strict;
	4	use warnings;
	5
	6	use Test::MockModule;
	7	use Test::More;
	8	use Storable qw(dclone);
	9
	10	use PVE::AccessControl;
	11	use PVE::API2::Domains;
	12
	13	my $domainscfg = {
	14	ids => {
	15	"pam" => { type => 'pam' },
	16	"pve" => { type => 'pve' },
	17	"syncedrealm" => { type => 'ldap' }
	18	},
	19	};
	20
	21	my $initialusercfg = {
	22	users => {
	23	'root@pam' => { username => 'root', },
	24	'user1@syncedrealm' => {
	25	username => 'user1',
	26	enable => 1,
	27	'keys' => 'some',
	28	},
	29	'user2@syncedrealm' => {
	30	username => 'user2',
	31	enable => 1,
	32	},
	33	'user3@syncedrealm' => {
	34	username => 'user3',
	35	enable => 1,
	36	},
	37	},
	38	groups => {
	39	'group1-syncedrealm' => { users => {}, },
	40	'group2-syncedrealm' => { users => {}, },
	41	},
	42	acl => {
	43	'/' => {
	44	users => {
	45	'user3@syncedrealm' => {},
	46	},
	47	groups => {},
	48	},
	49	},
	50	};
	51
	52	my $sync_response = {
	53	user => [
	54	{
	55	attributes => { 'uid' => ['user1'], },
	56	dn => 'uid=user1,dc=syncedrealm',
	57	},
	58	{
	59	attributes => { 'uid' => ['user2'], },
	60	dn => 'uid=user2,dc=syncedrealm',
	61	},
	62	{
	63	attributes => { 'uid' => ['user4'], },
	64	dn => 'uid=user4,dc=syncedrealm',
65	},
66	],
67	groups => [
68	{
69	dn => 'dc=group1,dc=syncedrealm',
70	members => [
71	'uid=user1,dc=syncedrealm',
72	],
73	},
74	{
75	dn => 'dc=group3,dc=syncedrealm',
76	members => [
77	'uid=nonexisting,dc=syncedrealm',
78	],
79	}
80	],
81	};
82
83	my $returned_user_cfg = {};
84
85	# mocking all cluster and ldap operations
86	my $pve_cluster_module = Test::MockModule->new('PVE::Cluster');
87	$pve_cluster_module->mock(
88	cfs_update => sub {},
89	cfs_read_file => sub {
90	my ($filename) = @_;
91	if ($filename eq 'domains.cfg') { return dclone($domainscfg); }
92	if ($filename eq 'user.cfg') { return dclone($initialusercfg); }
93	die "unexpected cfs_read_file";
94	},
95	cfs_write_file => sub {
96	my ($filename, $data) = @_;
97	if ($filename eq 'user.cfg') {
98	$returned_user_cfg = $data;
99	return;
100	}
101	die "unexpected cfs_read_file";
102	},
103	cfs_lock_file => sub {
104	my ($filename, $timeout, $code) = @_;
105	return $code->();
106	},
107	);
108
109	my $pve_api_domains = Test::MockModule->new('PVE::API2::Domains');
110	$pve_api_domains->mock(
111	cfs_read_file => sub { PVE::Cluster::cfs_read_file(@_); },
112	cfs_write_file => sub { PVE::Cluster::cfs_write_file(@_); },
113	);
114
115	my $pve_accesscontrol = Test::MockModule->new('PVE::AccessControl');
116	$pve_accesscontrol->mock(
117	cfs_lock_file => sub { PVE::Cluster::cfs_lock_file(@_); },
118	);
119
120	my $pve_rpcenvironment = Test::MockModule->new('PVE::RPCEnvironment');
121	$pve_rpcenvironment->mock(
122	get => sub { return bless {}, 'PVE::RPCEnvironment'; },
123	get_user => sub { return 'root@pam'; },
124	fork_worker => sub {
125	my ($class, $workertype, $id, $user, $code) = @_;
126
127	return $code->();
128	},
129	);
130
131	my $pve_ldap_module = Test::MockModule->new('PVE::LDAP');
132	$pve_ldap_module->mock(
133	ldap_connect => sub { return {}; },
134	ldap_bind => sub {},
135	query_users => sub {
136	return $sync_response->{user};
137	},
138	query_groups => sub {
139	return $sync_response->{groups};
140	},
141	);
142
143	my $pve_auth_ldap = Test::MockModule->new('PVE::Auth::LDAP');
144	$pve_auth_ldap->mock(
145	connect_and_bind => sub { return {}; },
146	);
147
148	my $tests = [
149	[
150	"non-full without purge",
151	{
152	realm => 'syncedrealm',
dcdf5789 DC	153	scope => 'both',
	154	},
	155	{
	156	users => {
	157	'root@pam' => { username => 'root', },
	158	'user1@syncedrealm' => {
	159	username => 'user1',
	160	enable => 1,
	161	'keys' => 'some',
	162	},
	163	'user2@syncedrealm' => {
	164	username => 'user2',
	165	enable => 1,
	166	},
	167	'user3@syncedrealm' => {
	168	username => 'user3',
	169	enable => 1,
	170	},
	171	'user4@syncedrealm' => {
	172	username => 'user4',
	173	enable => 1,
	174	},
	175	},
	176	groups => {
	177	'group1-syncedrealm' => {
	178	users => {
	179	'user1@syncedrealm' => 1,
	180	},
	181	},
	182	'group2-syncedrealm' => { users => {}, },
	183	'group3-syncedrealm' => { users => {}, },
	184	},
	185	acl => {
	186	'/' => {
	187	users => {
	188	'user3@syncedrealm' => {},
	189	},
	190	groups => {},
	191	},
	192	},
	193	},
	194	],
	195	[
	196	"full without purge",
	197	{
	198	realm => 'syncedrealm',
2f58f671	199	'remove-vanished' => 'entry;properties',
dcdf5789 DC	200	scope => 'both',
	201	},
	202	{
	203	users => {
	204	'root@pam' => { username => 'root', },
	205	'user1@syncedrealm' => {
	206	username => 'user1',
	207	enable => 1,
	208	},
	209	'user2@syncedrealm' => {
	210	username => 'user2',
	211	enable => 1,
	212	},
	213	'user4@syncedrealm' => {
	214	username => 'user4',
	215	enable => 1,
	216	},
	217	},
	218	groups => {
	219	'group1-syncedrealm' => {
	220	users => {
	221	'user1@syncedrealm' => 1,
	222	},
	223	},
	224	'group3-syncedrealm' => { users => {}, }
	225	},
	226	acl => {
	227	'/' => {
	228	users => {
	229	'user3@syncedrealm' => {},
	230	},
	231	groups => {},
	232	},
	233	},
	234	},
	235	],
	236	[
	237	"non-full with purge",
	238	{
	239	realm => 'syncedrealm',
2f58f671	240	'remove-vanished' => 'acl',
dcdf5789 DC	241	scope => 'both',
	242	},
	243	{
	244	users => {
	245	'root@pam' => { username => 'root', },
	246	'user1@syncedrealm' => {
	247	username => 'user1',
	248	enable => 1,
	249	'keys' => 'some',
	250	},
	251	'user2@syncedrealm' => {
	252	username => 'user2',
	253	enable => 1,
	254	},
	255	'user3@syncedrealm' => {
	256	username => 'user3',
	257	enable => 1,
	258	},
	259	'user4@syncedrealm' => {
	260	username => 'user4',
	261	enable => 1,
	262	},
	263	},
	264	groups => {
	265	'group1-syncedrealm' => {
	266	users => {
	267	'user1@syncedrealm' => 1,
	268	},
	269	},
	270	'group2-syncedrealm' => { users => {}, },
	271	'group3-syncedrealm' => { users => {}, },
	272	},
	273	acl => {
	274	'/' => {
98df2ebc	275	users => {},
dcdf5789 DC	276	groups => {},
	277	},
	278	},
	279	},
	280	],
	281	[
	282	"full with purge",
	283	{
	284	realm => 'syncedrealm',
2f58f671	285	'remove-vanished' => 'acl;entry;properties',
dcdf5789 DC	286	scope => 'both',
	287	},
	288	{
	289	users => {
	290	'root@pam' => { username => 'root', },
	291	'user1@syncedrealm' => {
	292	username => 'user1',
	293	enable => 1,
	294	},
	295	'user2@syncedrealm' => {
	296	username => 'user2',
	297	enable => 1,
	298	},
	299	'user4@syncedrealm' => {
	300	username => 'user4',
	301	enable => 1,
	302	},
	303	},
	304	groups => {
	305	'group1-syncedrealm' => {
	306	users => {
	307	'user1@syncedrealm' => 1,
	308	},
	309	},
	310	'group3-syncedrealm' => { users => {}, },
	311	},
	312	acl => {
	313	'/' => {
	314	users => {},
	315	groups => {},
	316	},
	317	},
	318	},
	319	],
fa2afa15 DC	320	[
	321	"don't delete properties, but users and acls",
	322	{
	323	realm => 'syncedrealm',
	324	'remove-vanished' => 'acl;entry',
	325	scope => 'both',
	326	},
	327	{
	328	users => {
	329	'root@pam' => { username => 'root', },
	330	'user1@syncedrealm' => {
	331	username => 'user1',
	332	enable => 1,
	333	'keys' => 'some',
	334	},
	335	'user2@syncedrealm' => {
	336	username => 'user2',
	337	enable => 1,
	338	},
	339	'user4@syncedrealm' => {
	340	username => 'user4',
	341	enable => 1,
	342	},
	343	},
	344	groups => {
	345	'group1-syncedrealm' => {
	346	users => {
	347	'user1@syncedrealm' => 1,
	348	},
	349	},
	350	'group3-syncedrealm' => { users => {}, },
	351	},
	352	acl => {
	353	'/' => {
	354	users => {},
	355	groups => {},
	356	},
	357	},
	358	},
	359	],
dcdf5789 DC	360	];
	361
	362	for my $test (@$tests) {
	363	my $name = $test->[0];
	364	my $parameters = $test->[1];
	365	my $expected = $test->[2];
	366	$returned_user_cfg = {};
	367	PVE::API2::Domains->sync($parameters);
	368	is_deeply($returned_user_cfg, $expected, $name);
	369	}
	370
	371	done_testing();