1 #!/usr/bin/perl
2
3 use strict;
4 use warnings;
5
6 use Test::MockModule;
7 use Test::More;
8 use Storable qw(dclone);
9
10 use PVE::AccessControl;
11 use PVE::API2::Domains;
12
# Realm definitions as sync() will read them from domains.cfg: the two
# built-in realms plus the one LDAP realm every test case synchronises.
my $domainscfg = {
    ids => {
        pam => { type => 'pam' },
        pve => { type => 'pve' },
        syncedrealm => { type => 'ldap' },
    },
};
20
# Content of user.cfg before each sync() run. The three realm users are
# chosen so that the individual 'remove-vanished' options can be told apart:
#  - user1 is still present in the directory and additionally carries a
#    locally set 'keys' property, which only 'properties' removal may drop
#  - user2 is still present and has nothing special attached
#  - user3 is no longer returned by the directory and is the only subject
#    with an ACL entry, so 'entry' removal and 'acl' removal differ for it
# group1/group2 exist locally; the directory only knows group1 and group3.
my $initialusercfg = {
    users => {
        'root@pam' => { username => 'root' },
        'user1@syncedrealm' => { username => 'user1', enable => 1, 'keys' => 'some' },
        'user2@syncedrealm' => { username => 'user2', enable => 1 },
        'user3@syncedrealm' => { username => 'user3', enable => 1 },
    },
    groups => {
        'group1-syncedrealm' => { users => {} },
        'group2-syncedrealm' => { users => {} },
    },
    acl_root => {
        users => { 'user3@syncedrealm' => {} },
        groups => {},
    },
};
49
# What the mocked directory answers: compared with $initialusercfg, user3
# has vanished, user4 is new, and group3 only references a DN that matches
# no returned user (it must end up as an empty group, not crash the sync).
my $sync_response = {
    user => [
        map {
            +{
                attributes => { uid => [$_] },
                dn => "uid=$_,dc=syncedrealm",
            }
        } qw(user1 user2 user4)
    ],
    groups => [
        {
            dn => 'dc=group1,dc=syncedrealm',
            members => ['uid=user1,dc=syncedrealm'],
        },
        {
            dn => 'dc=group3,dc=syncedrealm',
            members => ['uid=nonexisting,dc=syncedrealm'],
        },
    ],
};
80
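# Filled by the cfs_write_file mock below and reset before every test case,
# so each assertion only sees what that particular sync() run wrote.
my $returned_user_cfg = {};

# mocking all cluster and ldap operations
#
# Nothing here touches pmxcfs: reads are served from the in-memory fixtures
# above (as deep copies, so a sync() run cannot leak mutations into the next
# case), the only accepted write is captured, and the cluster lock is a
# plain inline call.
my $pve_cluster_module = Test::MockModule->new('PVE::Cluster');
$pve_cluster_module->mock(
    cfs_update => sub {},
    cfs_read_file => sub {
        my ($filename) = @_;
        if ($filename eq 'domains.cfg') { return dclone($domainscfg); }
        if ($filename eq 'user.cfg') { return dclone($initialusercfg); }
        die "unexpected cfs_read_file of '$filename'";
    },
    cfs_write_file => sub {
        my ($filename, $data) = @_;
        if ($filename eq 'user.cfg') {
            $returned_user_cfg = $data;
            return;
        }
        # Previously a copy of the read-side message, which made an
        # unexpected write look like a read failure in the diagnostics.
        die "unexpected cfs_write_file of '$filename'";
    },
    cfs_lock_file => sub {
        my ($filename, $timeout, $code) = @_;
        # no locking in the test harness, just run the protected section
        return $code->();
    },
);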
106
# The callers under test resolve cfs_read_file/cfs_write_file/cfs_lock_file
# through their own package (presumably imported copies), so those names
# are redirected as well; each one simply forwards to the mocked
# PVE::Cluster implementation.
my $pve_api_domains = Test::MockModule->new('PVE::API2::Domains');
$pve_api_domains->mock(
    cfs_read_file => sub { return PVE::Cluster::cfs_read_file(@_); },
    cfs_write_file => sub { return PVE::Cluster::cfs_write_file(@_); },
);

my $pve_accesscontrol = Test::MockModule->new('PVE::AccessControl');
$pve_accesscontrol->mock(
    cfs_lock_file => sub { return PVE::Cluster::cfs_lock_file(@_); },
);
117
# Stand-in RPC environment: every caller is reported as root@pam and worker
# tasks run synchronously in this process instead of being forked.
my $pve_rpcenvironment = Test::MockModule->new('PVE::RPCEnvironment');
$pve_rpcenvironment->mock(
    get => sub { return bless({}, 'PVE::RPCEnvironment'); },
    get_user => sub { return 'root@pam'; },
    fork_worker => sub {
        # signature: ($class, $workertype, $id, $user, $code) - only the
        # worker body matters here
        my $code = $_[4];
        return $code->();
    },
);
128
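# No directory is ever contacted: connect/bind are no-ops and the queries
# answer with the canned $sync_response. Like cfs_read_file above, the
# queries hand out deep copies so that a sync() run which modifies the
# returned structures cannot change what the next test case sees.
my $pve_ldap_module = Test::MockModule->new('PVE::LDAP');
$pve_ldap_module->mock(
    ldap_connect => sub { return {}; },
    ldap_bind => sub {},
    query_users => sub { return dclone($sync_response->{user}); },
    query_groups => sub { return dclone($sync_response->{groups}); },
);

my $pve_auth_ldap = Test::MockModule->new('PVE::Auth::LDAP');
$pve_auth_ldap->mock(
    connect_and_bind => sub { return {}; },
);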
145
# Test matrix: [ name, parameters passed to sync(), expected user.cfg ].
# Every case syncs 'syncedrealm' with scope 'both' against the same
# $initialusercfg and $sync_response; only 'remove-vanished' varies. The
# expected structures are the oracle, so the differences between them are
# what each case asserts (see the comment above each case).
my $tests = [
    [
        # No 'remove-vanished': nothing is deleted. user4 and group3 are
        # added, user1 is put into group1, user1 keeps its local 'keys'
        # property, and user3, group2 and user3's ACL entry all survive.
        "non-full without purge",
        {
            realm => 'syncedrealm',
            scope => 'both',
        },
        {
            users => {
                'root@pam' => { username => 'root', },
                'user1@syncedrealm' => {
                    username => 'user1',
                    enable => 1,
                    'keys' => 'some',
                },
                'user2@syncedrealm' => {
                    username => 'user2',
                    enable => 1,
                },
                'user3@syncedrealm' => {
                    username => 'user3',
                    enable => 1,
                },
                'user4@syncedrealm' => {
                    username => 'user4',
                    enable => 1,
                },
            },
            groups => {
                'group1-syncedrealm' => {
                    users => {
                        'user1@syncedrealm' => 1,
                    },
                },
                'group2-syncedrealm' => { users => {}, },
                'group3-syncedrealm' => { users => {}, },
            },
            acl_root => {
                users => {
                    'user3@syncedrealm' => {},
                },
                groups => {},
            },
        },
    ],
    [
        # 'entry;properties': the vanished user3 and group2 are removed and
        # user1's local 'keys' property is dropped. Note that acl_root still
        # lists user3@syncedrealm: without 'acl' the ACL entry of a deleted
        # user is left in place, which is exactly what this case pins down.
        "full without purge",
        {
            realm => 'syncedrealm',
            'remove-vanished' => 'entry;properties',
            scope => 'both',
        },
        {
            users => {
                'root@pam' => { username => 'root', },
                'user1@syncedrealm' => {
                    username => 'user1',
                    enable => 1,
                },
                'user2@syncedrealm' => {
                    username => 'user2',
                    enable => 1,
                },
                'user4@syncedrealm' => {
                    username => 'user4',
                    enable => 1,
                },
            },
            groups => {
                'group1-syncedrealm' => {
                    users => {
                        'user1@syncedrealm' => 1,
                    },
                },
                'group3-syncedrealm' => { users => {}, }
            },
            acl_root => {
                users => {
                    'user3@syncedrealm' => {},
                },
                groups => {},
            },
        },
    ],
    [
        # 'acl' only: the ACL entry of the vanished user3 is removed while
        # its user entry, group2 and user1's 'keys' property all stay.
        "non-full with purge",
        {
            realm => 'syncedrealm',
            'remove-vanished' => 'acl',
            scope => 'both',
        },
        {
            users => {
                'root@pam' => { username => 'root', },
                'user1@syncedrealm' => {
                    username => 'user1',
                    enable => 1,
                    'keys' => 'some',
                },
                'user2@syncedrealm' => {
                    username => 'user2',
                    enable => 1,
                },
                'user3@syncedrealm' => {
                    username => 'user3',
                    enable => 1,
                },
                'user4@syncedrealm' => {
                    username => 'user4',
                    enable => 1,
                },
            },
            groups => {
                'group1-syncedrealm' => {
                    users => {
                        'user1@syncedrealm' => 1,
                    },
                },
                'group2-syncedrealm' => { users => {}, },
                'group3-syncedrealm' => { users => {}, },
            },
            acl_root => {
                users => {},
                groups => {},
            },
        },
    ],
    [
        # All three options: vanished entries, their ACLs and local
        # properties are all gone; user.cfg mirrors the directory.
        "full with purge",
        {
            realm => 'syncedrealm',
            'remove-vanished' => 'acl;entry;properties',
            scope => 'both',
        },
        {
            users => {
                'root@pam' => { username => 'root', },
                'user1@syncedrealm' => {
                    username => 'user1',
                    enable => 1,
                },
                'user2@syncedrealm' => {
                    username => 'user2',
                    enable => 1,
                },
                'user4@syncedrealm' => {
                    username => 'user4',
                    enable => 1,
                },
            },
            groups => {
                'group1-syncedrealm' => {
                    users => {
                        'user1@syncedrealm' => 1,
                    },
                },
                'group3-syncedrealm' => { users => {}, },
            },
            acl_root => {
                users => {},
                groups => {},
            },
        },
    ],
    [
        # 'acl;entry' without 'properties': user3, group2 and user3's ACL
        # entry are removed, but user1 keeps its local 'keys' property.
        "don't delete properties, but users and acls",
        {
            realm => 'syncedrealm',
            'remove-vanished' => 'acl;entry',
            scope => 'both',
        },
        {
            users => {
                'root@pam' => { username => 'root', },
                'user1@syncedrealm' => {
                    username => 'user1',
                    enable => 1,
                    'keys' => 'some',
                },
                'user2@syncedrealm' => {
                    username => 'user2',
                    enable => 1,
                },
                'user4@syncedrealm' => {
                    username => 'user4',
                    enable => 1,
                },
            },
            groups => {
                'group1-syncedrealm' => {
                    users => {
                        'user1@syncedrealm' => 1,
                    },
                },
                'group3-syncedrealm' => { users => {}, },
            },
            acl_root => {
                users => {},
                groups => {},
            },
        },
    ],
];
349
# Run every case against a fresh capture buffer and compare the user.cfg
# that sync() wrote with the expected structure.
for my $test (@$tests) {
    my ($name, $parameters, $expected) = @$test;
    # forget what the previous run wrote; the mock only captures user.cfg
    $returned_user_cfg = {};
    PVE::API2::Domains->sync($parameters);
    is_deeply($returned_user_cfg, $expected, $name);
}

done_testing();