fix #3668: realm-sync: replace 'full' & 'purge' with 'remove-vanished'
dcdf5789
DC
1#!/usr/bin/perl
2
3use strict;
4use warnings;
5
6use Test::MockModule;
7use Test::More;
8use Storable qw(dclone);
9
10use PVE::AccessControl;
11use PVE::API2::Domains;
12
# Realm configuration served by the mocked cfs_read_file('domains.cfg'):
# the pam and pve realms plus the single LDAP realm that the sync calls
# below are run against.
my $domainscfg = {
    ids => {
        pam         => { type => 'pam' },
        pve         => { type => 'pve' },
        syncedrealm => { type => 'ldap' },
    },
};
20
# user.cfg content as it exists before every sync run (the cfs_read_file mock
# hands out a deep copy of it each time).
#
# Relative to $sync_response this state deliberately contains entries the
# directory no longer reports: user3@syncedrealm (which also holds an ACL
# entry on '/') and group2-syncedrealm. user1 carries an extra local 'keys'
# property that the directory does not supply.
my $initialusercfg = {
    users => {
        'root@pam'          => { username => 'root' },
        'user1@syncedrealm' => {
            username => 'user1',
            enable   => 1,
            'keys'   => 'some',
        },
        'user2@syncedrealm' => {
            username => 'user2',
            enable   => 1,
        },
        'user3@syncedrealm' => {
            username => 'user3',
            enable   => 1,
        },
    },
    groups => {
        'group1-syncedrealm' => { users => {} },
        'group2-syncedrealm' => { users => {} },
    },
    acl => {
        '/' => {
            users => {
                'user3@syncedrealm' => {},
            },
            groups => {},
        },
    },
};
51
# Canned directory answer returned by the mocked PVE::LDAP query functions.
# Note the asymmetric key names: 'user' (singular) and 'groups' (plural).
#
# It reports user1, user2 and a new user4 (no user3), plus group1 and a new
# group3 whose only member DN does not correspond to any reported user.
my $sync_response = {
    user => [
        {
            attributes => { uid => ['user1'] },
            dn         => 'uid=user1,dc=syncedrealm',
        },
        {
            attributes => { uid => ['user2'] },
            dn         => 'uid=user2,dc=syncedrealm',
        },
        {
            attributes => { uid => ['user4'] },
            dn         => 'uid=user4,dc=syncedrealm',
        },
    ],
    groups => [
        {
            dn      => 'dc=group1,dc=syncedrealm',
            members => ['uid=user1,dc=syncedrealm'],
        },
        {
            dn      => 'dc=group3,dc=syncedrealm',
            members => ['uid=nonexisting,dc=syncedrealm'],
        },
    ],
};
82
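# Receives whatever the code under test passes to cfs_write_file('user.cfg'),
# so each test case can compare it against its expected structure.
my $returned_user_cfg = {};

# mocking all cluster and ldap operations
my $pve_cluster_module = Test::MockModule->new('PVE::Cluster');
$pve_cluster_module->mock(
    cfs_update => sub { },

    # Serve deep copies so a sync run cannot modify the fixtures that the
    # following test cases start from.
    cfs_read_file => sub {
        my ($filename) = @_;
        return dclone($domainscfg)     if $filename eq 'domains.cfg';
        return dclone($initialusercfg) if $filename eq 'user.cfg';
        die "unexpected cfs_read_file '$filename'";
    },

    # Only user.cfg may be written; a write to any other file aborts the test.
    cfs_write_file => sub {
        my ($filename, $data) = @_;
        if ($filename eq 'user.cfg') {
            $returned_user_cfg = $data;
            return;
        }
        # The message used to say cfs_read_file here (copy-paste slip), which
        # pointed at the wrong mock when an unexpected write happened.
        die "unexpected cfs_write_file '$filename'";
    },

    # No locking takes place: the callback is run directly and the file name
    # and timeout are ignored.
    cfs_lock_file => sub {
        my ($filename, $timeout, $code) = @_;
        return $code->();
    },
);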
108
# Route the cfs_* functions as seen from inside PVE::API2::Domains and
# PVE::AccessControl to the PVE::Cluster mocks.
# NOTE(review): presumably needed because these modules import the functions
# into their own namespace, so mocking PVE::Cluster alone would not reach
# them - confirm against the modules' import lists.
my $pve_api_domains = Test::MockModule->new('PVE::API2::Domains');
$pve_api_domains->mock(
    cfs_read_file  => sub { return PVE::Cluster::cfs_read_file(@_); },
    cfs_write_file => sub { return PVE::Cluster::cfs_write_file(@_); },
);

my $pve_accesscontrol = Test::MockModule->new('PVE::AccessControl');
$pve_accesscontrol->mock(
    cfs_lock_file => sub { return PVE::Cluster::cfs_lock_file(@_); },
);
119
# Stand-in RPC environment: every call runs as root@pam, and fork_worker
# executes the worker callback directly in this process instead of forking,
# so the result is available as soon as the API call returns.
# Because the caller is always root@pam, these tests do not exercise any
# permission checks in the sync path.
my $pve_rpcenvironment = Test::MockModule->new('PVE::RPCEnvironment');
$pve_rpcenvironment->mock(
    get      => sub { return bless {}, 'PVE::RPCEnvironment'; },
    get_user => sub { return 'root@pam'; },
    fork_worker => sub {
        # positional arguments: class, worker type, id, user, code ref
        my $worker = $_[4];
        return $worker->();
    },
);
130
# No directory server is contacted: connect and bind succeed unconditionally
# and the queries return the canned $sync_response lists. Connection setup,
# bind credentials and transport security are therefore outside the scope of
# this test file.
# NOTE(review): the query mocks return the fixture arrays themselves, not
# copies; if the sync code modifies them, later test cases would see the
# change - verify against PVE::API2::Domains.
my $pve_ldap_module = Test::MockModule->new('PVE::LDAP');
$pve_ldap_module->mock(
    ldap_connect => sub { return {}; },
    ldap_bind    => sub { },
    query_users  => sub { return $sync_response->{user}; },
    query_groups => sub { return $sync_response->{groups}; },
);

my $pve_auth_ldap = Test::MockModule->new('PVE::Auth::LDAP');
$pve_auth_ldap->mock(
    connect_and_bind => sub { return {}; },
);
147
# Test matrix. Every entry is [ name, sync parameters, expected user.cfg ].
# All four cases start from $initialusercfg and receive $sync_response; they
# differ only in the 'full' and 'purge' flags.
#
# What the expectations encode:
#   full  = 0  existing users keep their local properties (user1 keeps 'keys'),
#              vanished user3 and group2 stay
#   full  = 1  synced users are rewritten from the directory data (user1 loses
#              'keys'), vanished user3 and group2 are dropped
#   purge = 1  the ACL entry of user3, which the directory no longer reports,
#              is removed - even when full = 0 and the user itself is kept
my $tests = [
    [
        "non-full without purge",
        {
            realm => 'syncedrealm',
            full  => 0,
            purge => 0,
            scope => 'both',
        },
        {
            users => {
                'root@pam'          => { username => 'root' },
                'user1@syncedrealm' => {
                    username => 'user1',
                    enable   => 1,
                    'keys'   => 'some',
                },
                'user2@syncedrealm' => {
                    username => 'user2',
                    enable   => 1,
                },
                'user3@syncedrealm' => {
                    username => 'user3',
                    enable   => 1,
                },
                'user4@syncedrealm' => {
                    username => 'user4',
                    enable   => 1,
                },
            },
            groups => {
                'group1-syncedrealm' => {
                    users => {
                        'user1@syncedrealm' => 1,
                    },
                },
                'group2-syncedrealm' => { users => {} },
                'group3-syncedrealm' => { users => {} },
            },
            acl => {
                '/' => {
                    users => {
                        'user3@syncedrealm' => {},
                    },
                    groups => {},
                },
            },
        },
    ],
    [
        "full without purge",
        {
            realm => 'syncedrealm',
            full  => 1,
            purge => 0,
            scope => 'both',
        },
        {
            # user3 is gone and user1 no longer has its 'keys' property.
            # NOTE(review): 'keys' presumably holds the user's second-factor
            # key IDs; if so, a full sync silently drops that setting -
            # confirm against the user.cfg schema.
            users => {
                'root@pam'          => { username => 'root' },
                'user1@syncedrealm' => {
                    username => 'user1',
                    enable   => 1,
                },
                'user2@syncedrealm' => {
                    username => 'user2',
                    enable   => 1,
                },
                'user4@syncedrealm' => {
                    username => 'user4',
                    enable   => 1,
                },
            },
            groups => {
                'group1-syncedrealm' => {
                    users => {
                        'user1@syncedrealm' => 1,
                    },
                },
                'group3-syncedrealm' => { users => {} },
            },
            # The ACL entry of the removed user3 is expected to survive.
            # NOTE(review): this leaves a permission entry without a user; an
            # account synced later under the same ID would presumably match
            # it again - worth confirming that this is intended.
            acl => {
                '/' => {
                    users => {
                        'user3@syncedrealm' => {},
                    },
                    groups => {},
                },
            },
        },
    ],
    [
        "non-full with purge",
        {
            realm => 'syncedrealm',
            full  => 0,
            purge => 1,
            scope => 'both',
        },
        {
            users => {
                'root@pam'          => { username => 'root' },
                'user1@syncedrealm' => {
                    username => 'user1',
                    enable   => 1,
                    'keys'   => 'some',
                },
                'user2@syncedrealm' => {
                    username => 'user2',
                    enable   => 1,
                },
                'user3@syncedrealm' => {
                    username => 'user3',
                    enable   => 1,
                },
                'user4@syncedrealm' => {
                    username => 'user4',
                    enable   => 1,
                },
            },
            groups => {
                'group1-syncedrealm' => {
                    users => {
                        'user1@syncedrealm' => 1,
                    },
                },
                'group2-syncedrealm' => { users => {} },
                'group3-syncedrealm' => { users => {} },
            },
            # user3 stays in the user list but its ACL entry is purged.
            # The blame column of the page this listing came from attributes
            # the 'users => {}' line below to commit 98df2ebc, the rest of
            # the file to dcdf5789.
            acl => {
                '/' => {
                    users  => {},
                    groups => {},
                },
            },
        },
    ],
    [
        "full with purge",
        {
            realm => 'syncedrealm',
            full  => 1,
            purge => 1,
            scope => 'both',
        },
        {
            users => {
                'root@pam'          => { username => 'root' },
                'user1@syncedrealm' => {
                    username => 'user1',
                    enable   => 1,
                },
                'user2@syncedrealm' => {
                    username => 'user2',
                    enable   => 1,
                },
                'user4@syncedrealm' => {
                    username => 'user4',
                    enable   => 1,
                },
            },
            groups => {
                'group1-syncedrealm' => {
                    users => {
                        'user1@syncedrealm' => 1,
                    },
                },
                'group3-syncedrealm' => { users => {} },
            },
            # Vanished user3 and its ACL entry are both removed.
            acl => {
                '/' => {
                    users  => {},
                    groups => {},
                },
            },
        },
    ],
];
326
# Run each case: call the sync API with the case's parameters and compare the
# user.cfg captured by the cfs_write_file mock with the expected structure.
for my $case (@$tests) {
    my ($name, $parameters, $expected) = @$case;

    # Reset the capture first, so a run that never writes user.cfg is compared
    # against an empty hash instead of the previous case's result.
    $returned_user_cfg = {};

    PVE::API2::Domains->sync($parameters);
    is_deeply($returned_user_cfg, $expected, $name);
}

done_testing();