[pve-devel] [PATCH access-control v4 1/4] add regression tests for realm-sync

Dominik Csapak d.csapak at proxmox.com
Mon Mar 28 14:38:02 CEST 2022


to fully test the 'end-to-end' sync api call, we have to mock quite
some methods for cluster/rpcenvironment/ldap

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 src/test/Makefile           |   1 +
 src/test/realm_sync_test.pl | 338 ++++++++++++++++++++++++++++++++++++
 2 files changed, 339 insertions(+)
 create mode 100755 src/test/realm_sync_test.pl

diff --git a/src/test/Makefile b/src/test/Makefile
index adaacb9..859a84b 100644
--- a/src/test/Makefile
+++ b/src/test/Makefile
@@ -12,3 +12,4 @@ check:
 	perl -I.. perm-test6.pl
 	perl -I.. perm-test7.pl
 	perl -I.. perm-test8.pl
+	perl -I.. realm_sync_test.pl
diff --git a/src/test/realm_sync_test.pl b/src/test/realm_sync_test.pl
new file mode 100755
index 0000000..2a4a132
--- /dev/null
+++ b/src/test/realm_sync_test.pl
@@ -0,0 +1,338 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Test::MockModule;
+use Test::More;
+use Storable qw(dclone);
+
+use PVE::AccessControl;
+use PVE::API2::Domains;
+
+my $domainscfg = {
+    ids => {
+	"pam" => { type => 'pam' },
+	"pve" => { type => 'pve' },
+	"syncedrealm" => { type => 'ldap' }
+    },
+};
+
+my $initialusercfg = {
+    users => {
+	'root at pam' => { username => 'root', },
+	'user1 at syncedrealm' => {
+	    username => 'user1',
+	    enable => 1,
+	    'keys' => 'some',
+	},
+	'user2 at syncedrealm' => {
+	    username => 'user2',
+	    enable => 1,
+	},
+	'user3 at syncedrealm' => {
+	    username => 'user3',
+	    enable => 1,
+	},
+    },
+    groups => {
+	'group1-syncedrealm' => { users => {}, },
+	'group2-syncedrealm' => { users => {}, },
+    },
+    acl => {
+	'/' => {
+	    users => {
+		'user3 at syncedrealm' => {},
+	    },
+	    groups => {},
+	},
+    },
+};
+
+my $sync_response = {
+    user => [
+	{
+	    attributes => { 'uid' => ['user1'], },
+	    dn => 'uid=user1,dc=syncedrealm',
+	},
+	{
+	    attributes => { 'uid' => ['user2'], },
+	    dn => 'uid=user2,dc=syncedrealm',
+	},
+	{
+	    attributes => { 'uid' => ['user4'], },
+	    dn => 'uid=user4,dc=syncedrealm',
+	},
+    ],
+    groups => [
+	{
+	    dn => 'dc=group1,dc=syncedrealm',
+	    members => [
+		'uid=user1,dc=syncedrealm',
+	    ],
+	},
+	{
+	    dn => 'dc=group3,dc=syncedrealm',
+	    members => [
+		'uid=nonexisting,dc=syncedrealm',
+	    ],
+	}
+    ],
+};
+
+my $returned_user_cfg = {};
+
+# mocking all cluster and ldap operations
+my $pve_cluster_module = Test::MockModule->new('PVE::Cluster');
+$pve_cluster_module->mock(
+    cfs_update => sub {},
+    cfs_read_file => sub {
+	my ($filename) = @_;
+	if ($filename eq 'domains.cfg') { return dclone($domainscfg); }
+	if ($filename eq 'user.cfg') { return dclone($initialusercfg); }
+	die "unexpected cfs_read_file";
+    },
+    cfs_write_file => sub {
+	my ($filename, $data) = @_;
+	if ($filename eq 'user.cfg') {
+	    $returned_user_cfg = $data;
+	    return;
+	}
+	die "unexpected cfs_read_file";
+    },
+    cfs_lock_file => sub {
+	my ($filename, $timeout, $code) = @_;
+	return $code->();
+    },
+);
+
+my $pve_api_domains = Test::MockModule->new('PVE::API2::Domains');
+$pve_api_domains->mock(
+    cfs_read_file => sub { PVE::Cluster::cfs_read_file(@_); },
+    cfs_write_file => sub { PVE::Cluster::cfs_write_file(@_); },
+);
+
+my $pve_accesscontrol = Test::MockModule->new('PVE::AccessControl');
+$pve_accesscontrol->mock(
+    cfs_lock_file => sub { PVE::Cluster::cfs_lock_file(@_); },
+);
+
+my $pve_rpcenvironment = Test::MockModule->new('PVE::RPCEnvironment');
+$pve_rpcenvironment->mock(
+    get => sub { return bless {}, 'PVE::RPCEnvironment'; },
+    get_user => sub { return 'root at pam'; },
+    fork_worker => sub {
+	my ($class, $workertype, $id, $user, $code) = @_;
+
+	return $code->();
+    },
+);
+
+my $pve_ldap_module = Test::MockModule->new('PVE::LDAP');
+$pve_ldap_module->mock(
+    ldap_connect => sub { return {}; },
+    ldap_bind => sub {},
+    query_users => sub {
+	return $sync_response->{user};
+    },
+    query_groups => sub {
+	return $sync_response->{groups};
+    },
+);
+
+my $pve_auth_ldap = Test::MockModule->new('PVE::Auth::LDAP');
+$pve_auth_ldap->mock(
+    connect_and_bind => sub { return {}; },
+);
+
+my $tests = [
+    [
+	"non-full without purge",
+	{
+	    realm => 'syncedrealm',
+	    full => 0,
+	    purge => 0,
+	    scope => 'both',
+	},
+	{
+	    users => {
+		'root at pam' => { username => 'root', },
+		'user1 at syncedrealm' => {
+		    username => 'user1',
+		    enable => 1,
+		    'keys' => 'some',
+		},
+		'user2 at syncedrealm' => {
+		    username => 'user2',
+		    enable => 1,
+		},
+		'user3 at syncedrealm' => {
+		    username => 'user3',
+		    enable => 1,
+		},
+		'user4 at syncedrealm' => {
+		    username => 'user4',
+		    enable => 1,
+		},
+	    },
+	    groups => {
+		'group1-syncedrealm' => {
+		    users => {
+			'user1 at syncedrealm' => 1,
+		    },
+		},
+		'group2-syncedrealm' => { users => {}, },
+		'group3-syncedrealm' => { users => {}, },
+	    },
+	    acl => {
+		'/' => {
+		    users => {
+			'user3 at syncedrealm' => {},
+		    },
+		    groups => {},
+		},
+	    },
+	},
+    ],
+    [
+	"full without purge",
+	{
+	    realm => 'syncedrealm',
+	    full => 1,
+	    purge => 0,
+	    scope => 'both',
+	},
+	{
+	    users => {
+		'root at pam' => { username => 'root', },
+		'user1 at syncedrealm' => {
+		    username => 'user1',
+		    enable => 1,
+		},
+		'user2 at syncedrealm' => {
+		    username => 'user2',
+		    enable => 1,
+		},
+		'user4 at syncedrealm' => {
+		    username => 'user4',
+		    enable => 1,
+		},
+	    },
+	    groups => {
+		'group1-syncedrealm' => {
+		    users => {
+			'user1 at syncedrealm' => 1,
+		    },
+		},
+		'group3-syncedrealm' => { users => {}, }
+	    },
+	    acl => {
+		'/' => {
+		    users => {
+			'user3 at syncedrealm' => {},
+		    },
+		    groups => {},
+		},
+	    },
+	},
+    ],
+    [
+	"non-full with purge",
+	{
+	    realm => 'syncedrealm',
+	    full => 0,
+	    purge => 1,
+	    scope => 'both',
+	},
+	{
+	    users => {
+		'root at pam' => { username => 'root', },
+		'user1 at syncedrealm' => {
+		    username => 'user1',
+		    enable => 1,
+		    'keys' => 'some',
+		},
+		'user2 at syncedrealm' => {
+		    username => 'user2',
+		    enable => 1,
+		},
+		'user3 at syncedrealm' => {
+		    username => 'user3',
+		    enable => 1,
+		},
+		'user4 at syncedrealm' => {
+		    username => 'user4',
+		    enable => 1,
+		},
+	    },
+	    groups => {
+		'group1-syncedrealm' => {
+		    users => {
+			'user1 at syncedrealm' => 1,
+		    },
+		},
+		'group2-syncedrealm' => { users => {}, },
+		'group3-syncedrealm' => { users => {}, },
+	    },
+	    acl => {
+		'/' => {
+		    users => {
+			'user3 at syncedrealm' => {},
+		    },
+		    groups => {},
+		},
+	    },
+	},
+    ],
+    [
+	"full with purge",
+	{
+	    realm => 'syncedrealm',
+	    full => 1,
+	    purge => 1,
+	    scope => 'both',
+	},
+	{
+	    users => {
+		'root at pam' => { username => 'root', },
+		'user1 at syncedrealm' => {
+		    username => 'user1',
+		    enable => 1,
+		},
+		'user2 at syncedrealm' => {
+		    username => 'user2',
+		    enable => 1,
+		},
+		'user4 at syncedrealm' => {
+		    username => 'user4',
+		    enable => 1,
+		},
+	    },
+	    groups => {
+		'group1-syncedrealm' => {
+		    users => {
+			'user1 at syncedrealm' => 1,
+		    },
+		},
+		'group3-syncedrealm' => { users => {}, },
+	    },
+	    acl => {
+		'/' => {
+		    users => {},
+		    groups => {},
+		},
+	    },
+	},
+    ],
+];
+
+for my $test (@$tests) {
+    my $name = $test->[0];
+    my $parameters = $test->[1];
+    my $expected = $test->[2];
+    $returned_user_cfg = {};
+    PVE::API2::Domains->sync($parameters);
+    is_deeply($returned_user_cfg, $expected, $name);
+}
+
+done_testing();
-- 
2.30.2






More information about the pve-devel mailing list