[pve-devel] [PATCH access-control v4 1/4] add regression tests for realm-sync
Dominik Csapak
d.csapak at proxmox.com
Mon Mar 28 14:38:02 CEST 2022
to fully test the 'end-to-end' sync api call, we have to mock quite
some methods for cluster/rpcenvironment/ldap
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
src/test/Makefile | 1 +
src/test/realm_sync_test.pl | 338 ++++++++++++++++++++++++++++++++++++
2 files changed, 339 insertions(+)
create mode 100755 src/test/realm_sync_test.pl
diff --git a/src/test/Makefile b/src/test/Makefile
index adaacb9..859a84b 100644
--- a/src/test/Makefile
+++ b/src/test/Makefile
@@ -12,3 +12,4 @@ check:
perl -I.. perm-test6.pl
perl -I.. perm-test7.pl
perl -I.. perm-test8.pl
+ perl -I.. realm_sync_test.pl
diff --git a/src/test/realm_sync_test.pl b/src/test/realm_sync_test.pl
new file mode 100755
index 0000000..2a4a132
--- /dev/null
+++ b/src/test/realm_sync_test.pl
@@ -0,0 +1,338 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Test::MockModule;
+use Test::More;
+use Storable qw(dclone);
+
+use PVE::AccessControl;
+use PVE::API2::Domains;
+
+my $domainscfg = {
+ ids => {
+ "pam" => { type => 'pam' },
+ "pve" => { type => 'pve' },
+ "syncedrealm" => { type => 'ldap' }
+ },
+};
+
+my $initialusercfg = {
+ users => {
+ 'root at pam' => { username => 'root', },
+ 'user1 at syncedrealm' => {
+ username => 'user1',
+ enable => 1,
+ 'keys' => 'some',
+ },
+ 'user2 at syncedrealm' => {
+ username => 'user2',
+ enable => 1,
+ },
+ 'user3 at syncedrealm' => {
+ username => 'user3',
+ enable => 1,
+ },
+ },
+ groups => {
+ 'group1-syncedrealm' => { users => {}, },
+ 'group2-syncedrealm' => { users => {}, },
+ },
+ acl => {
+ '/' => {
+ users => {
+ 'user3 at syncedrealm' => {},
+ },
+ groups => {},
+ },
+ },
+};
+
+my $sync_response = {
+ user => [
+ {
+ attributes => { 'uid' => ['user1'], },
+ dn => 'uid=user1,dc=syncedrealm',
+ },
+ {
+ attributes => { 'uid' => ['user2'], },
+ dn => 'uid=user2,dc=syncedrealm',
+ },
+ {
+ attributes => { 'uid' => ['user4'], },
+ dn => 'uid=user4,dc=syncedrealm',
+ },
+ ],
+ groups => [
+ {
+ dn => 'dc=group1,dc=syncedrealm',
+ members => [
+ 'uid=user1,dc=syncedrealm',
+ ],
+ },
+ {
+ dn => 'dc=group3,dc=syncedrealm',
+ members => [
+ 'uid=nonexisting,dc=syncedrealm',
+ ],
+ }
+ ],
+};
+
+my $returned_user_cfg = {};
+
+# mocking all cluster and ldap operations
+my $pve_cluster_module = Test::MockModule->new('PVE::Cluster');
+$pve_cluster_module->mock(
+ cfs_update => sub {},
+ cfs_read_file => sub {
+ my ($filename) = @_;
+ if ($filename eq 'domains.cfg') { return dclone($domainscfg); }
+ if ($filename eq 'user.cfg') { return dclone($initialusercfg); }
+ die "unexpected cfs_read_file";
+ },
+ cfs_write_file => sub {
+ my ($filename, $data) = @_;
+ if ($filename eq 'user.cfg') {
+ $returned_user_cfg = $data;
+ return;
+ }
+ die "unexpected cfs_read_file";
+ },
+ cfs_lock_file => sub {
+ my ($filename, $timeout, $code) = @_;
+ return $code->();
+ },
+);
+
+my $pve_api_domains = Test::MockModule->new('PVE::API2::Domains');
+$pve_api_domains->mock(
+ cfs_read_file => sub { PVE::Cluster::cfs_read_file(@_); },
+ cfs_write_file => sub { PVE::Cluster::cfs_write_file(@_); },
+);
+
+my $pve_accesscontrol = Test::MockModule->new('PVE::AccessControl');
+$pve_accesscontrol->mock(
+ cfs_lock_file => sub { PVE::Cluster::cfs_lock_file(@_); },
+);
+
+my $pve_rpcenvironment = Test::MockModule->new('PVE::RPCEnvironment');
+$pve_rpcenvironment->mock(
+ get => sub { return bless {}, 'PVE::RPCEnvironment'; },
+ get_user => sub { return 'root at pam'; },
+ fork_worker => sub {
+ my ($class, $workertype, $id, $user, $code) = @_;
+
+ return $code->();
+ },
+);
+
+my $pve_ldap_module = Test::MockModule->new('PVE::LDAP');
+$pve_ldap_module->mock(
+ ldap_connect => sub { return {}; },
+ ldap_bind => sub {},
+ query_users => sub {
+ return $sync_response->{user};
+ },
+ query_groups => sub {
+ return $sync_response->{groups};
+ },
+);
+
+my $pve_auth_ldap = Test::MockModule->new('PVE::Auth::LDAP');
+$pve_auth_ldap->mock(
+ connect_and_bind => sub { return {}; },
+);
+
+my $tests = [
+ [
+ "non-full without purge",
+ {
+ realm => 'syncedrealm',
+ full => 0,
+ purge => 0,
+ scope => 'both',
+ },
+ {
+ users => {
+ 'root at pam' => { username => 'root', },
+ 'user1 at syncedrealm' => {
+ username => 'user1',
+ enable => 1,
+ 'keys' => 'some',
+ },
+ 'user2 at syncedrealm' => {
+ username => 'user2',
+ enable => 1,
+ },
+ 'user3 at syncedrealm' => {
+ username => 'user3',
+ enable => 1,
+ },
+ 'user4 at syncedrealm' => {
+ username => 'user4',
+ enable => 1,
+ },
+ },
+ groups => {
+ 'group1-syncedrealm' => {
+ users => {
+ 'user1 at syncedrealm' => 1,
+ },
+ },
+ 'group2-syncedrealm' => { users => {}, },
+ 'group3-syncedrealm' => { users => {}, },
+ },
+ acl => {
+ '/' => {
+ users => {
+ 'user3 at syncedrealm' => {},
+ },
+ groups => {},
+ },
+ },
+ },
+ ],
+ [
+ "full without purge",
+ {
+ realm => 'syncedrealm',
+ full => 1,
+ purge => 0,
+ scope => 'both',
+ },
+ {
+ users => {
+ 'root at pam' => { username => 'root', },
+ 'user1 at syncedrealm' => {
+ username => 'user1',
+ enable => 1,
+ },
+ 'user2 at syncedrealm' => {
+ username => 'user2',
+ enable => 1,
+ },
+ 'user4 at syncedrealm' => {
+ username => 'user4',
+ enable => 1,
+ },
+ },
+ groups => {
+ 'group1-syncedrealm' => {
+ users => {
+ 'user1 at syncedrealm' => 1,
+ },
+ },
+ 'group3-syncedrealm' => { users => {}, }
+ },
+ acl => {
+ '/' => {
+ users => {
+ 'user3 at syncedrealm' => {},
+ },
+ groups => {},
+ },
+ },
+ },
+ ],
+ [
+ "non-full with purge",
+ {
+ realm => 'syncedrealm',
+ full => 0,
+ purge => 1,
+ scope => 'both',
+ },
+ {
+ users => {
+ 'root at pam' => { username => 'root', },
+ 'user1 at syncedrealm' => {
+ username => 'user1',
+ enable => 1,
+ 'keys' => 'some',
+ },
+ 'user2 at syncedrealm' => {
+ username => 'user2',
+ enable => 1,
+ },
+ 'user3 at syncedrealm' => {
+ username => 'user3',
+ enable => 1,
+ },
+ 'user4 at syncedrealm' => {
+ username => 'user4',
+ enable => 1,
+ },
+ },
+ groups => {
+ 'group1-syncedrealm' => {
+ users => {
+ 'user1 at syncedrealm' => 1,
+ },
+ },
+ 'group2-syncedrealm' => { users => {}, },
+ 'group3-syncedrealm' => { users => {}, },
+ },
+ acl => {
+ '/' => {
+ users => {
+ 'user3 at syncedrealm' => {},
+ },
+ groups => {},
+ },
+ },
+ },
+ ],
+ [
+ "full with purge",
+ {
+ realm => 'syncedrealm',
+ full => 1,
+ purge => 1,
+ scope => 'both',
+ },
+ {
+ users => {
+ 'root at pam' => { username => 'root', },
+ 'user1 at syncedrealm' => {
+ username => 'user1',
+ enable => 1,
+ },
+ 'user2 at syncedrealm' => {
+ username => 'user2',
+ enable => 1,
+ },
+ 'user4 at syncedrealm' => {
+ username => 'user4',
+ enable => 1,
+ },
+ },
+ groups => {
+ 'group1-syncedrealm' => {
+ users => {
+ 'user1 at syncedrealm' => 1,
+ },
+ },
+ 'group3-syncedrealm' => { users => {}, },
+ },
+ acl => {
+ '/' => {
+ users => {},
+ groups => {},
+ },
+ },
+ },
+ ],
+];
+
+for my $test (@$tests) {
+ my $name = $test->[0];
+ my $parameters = $test->[1];
+ my $expected = $test->[2];
+ $returned_user_cfg = {};
+ PVE::API2::Domains->sync($parameters);
+ is_deeply($returned_user_cfg, $expected, $name);
+}
+
+done_testing();
--
2.30.2
More information about the pve-devel
mailing list