* @author Christoph Wurst * @author Joas Schilling * @author Morris Jobke * @author Roeland Jago Douma * @author Thomas Müller * @author Victor Dubiniuk * @author Vincent Petry * @author Vinicius Cubas Brand * @author Xuanwo * * @license AGPL-3.0 * * This code is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, version 3, * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License, version 3, * along with this program. If not, see * */ namespace OCA\User_LDAP\Tests; use OCA\User_LDAP\Access; use OCA\User_LDAP\Connection; use OCA\User_LDAP\Group_LDAP as GroupLDAP; use OCA\User_LDAP\GroupPluginManager; use OCA\User_LDAP\ILDAPWrapper; use OCA\User_LDAP\Mapping\GroupMapping; use OCA\User_LDAP\User\Manager; use OCP\GroupInterface; use PHPUnit\Framework\MockObject\MockObject; use Test\TestCase; /** * Class GroupLDAPTest * * @group DB * * @package OCA\User_LDAP\Tests */ class Group_LDAPTest extends TestCase { public function testCountEmptySearchString() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $groupDN = 'cn=group,dc=foo,dc=bar'; $this->enableGroups($access); $access->expects($this->any()) ->method('groupname2dn') ->willReturn($groupDN); $access->expects($this->any()) ->method('readAttribute') ->willReturnCallback(function ($dn) use ($groupDN) { if ($dn === $groupDN) { return [ 'uid=u11,ou=users,dc=foo,dc=bar', 'uid=u22,ou=users,dc=foo,dc=bar', 'uid=u33,ou=users,dc=foo,dc=bar', 'uid=u34,ou=users,dc=foo,dc=bar' ]; } return []; }); $access->expects($this->any()) ->method('isDNPartOfBase') ->willReturn(true); // for primary groups $access->expects($this->once()) ->method('countUsers') ->willReturn(2); $access->userManager->expects($this->any()) ->method('getAttributes') ->willReturn(['displayName', 'mail']); $groupBackend = new GroupLDAP($access, $pluginManager); $users = $groupBackend->countUsersInGroup('group'); $this->assertSame(6, $users); } /** * @return MockObject|Access */ private function getAccessMock() { static $conMethods; static $accMethods; if (is_null($conMethods) || is_null($accMethods)) { $conMethods = get_class_methods(Connection::class); $accMethods = get_class_methods(Access::class); } $lw = $this->createMock(ILDAPWrapper::class); $connector = $this->getMockBuilder(Connection::class) ->setMethods($conMethods) ->setConstructorArgs([$lw, '', null]) ->getMock(); $access = $this->createMock(Access::class); $access->connection = $connector; $access->userManager = $this->createMock(Manager::class); return $access; } /** * @return MockObject|GroupPluginManager */ private function getPluginManagerMock() { return $this->createMock(GroupPluginManager::class); } private function enableGroups(Access $access) { $access->connection = $this->createMock(Connection::class); $access->connection->expects($this->any()) ->method('__get') ->willReturnCallback(function ($name) { if ($name === 'ldapDynamicGroupMemberURL') { return ''; } elseif ($name === 'ldapBaseGroups') { return []; } return 1; }); } public function testCountWithSearchString() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $access->expects($this->any()) ->method('groupname2dn') ->willReturn('cn=group,dc=foo,dc=bar'); $access->expects($this->any()) ->method('fetchListOfUsers') ->willReturn([]); $access->expects($this->any()) ->method('readAttribute') ->willReturnCallback(function ($name) { //the search operation will call readAttribute, thus we need //to analyze the "dn". All other times we just need to return //something that is neither null or false, but once an array //with the users in the group – so we do so all other times for //simplicity. if (str_starts_with($name, 'u')) { return strpos($name, '3'); } return ['u11', 'u22', 'u33', 'u34']; }); $access->expects($this->any()) ->method('dn2username') ->willReturnCallback(function () { return 'foobar' . \OC::$server->getSecureRandom()->generate(7); }); $access->expects($this->any()) ->method('isDNPartOfBase') ->willReturn(true); $access->expects($this->any()) ->method('escapeFilterPart') ->willReturnArgument(0); $access->userManager->expects($this->any()) ->method('getAttributes') ->willReturn(['displayName', 'mail']); $groupBackend = new GroupLDAP($access, $pluginManager); $users = $groupBackend->countUsersInGroup('group', '3'); $this->assertSame(2, $users); } public function testCountUsersWithPlugin() { /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'countUsersInGroup']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::COUNT_USERS) ->willReturn(true); $pluginManager->expects($this->once()) ->method('countUsersInGroup') ->with('gid', 'search') ->willReturn(42); $access = $this->getAccessMock(); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $this->assertEquals($ldap->countUsersInGroup('gid', 'search'), 42); } public function testGidNumber2NameSuccess() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; $access->expects($this->once()) ->method('searchGroups') ->willReturn([['dn' => ['cn=foo,dc=barfoo,dc=bar']]]); $access->expects($this->once()) ->method('dn2groupname') ->with('cn=foo,dc=barfoo,dc=bar') ->willReturn('MyGroup'); $groupBackend = new GroupLDAP($access, $pluginManager); $group = $groupBackend->gidNumber2Name('3117', $userDN); $this->assertSame('MyGroup', $group); } public function testGidNumberID2NameNoGroup() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; $access->expects($this->once()) ->method('searchGroups') ->willReturn([]); $access->expects($this->never()) ->method('dn2groupname'); $groupBackend = new GroupLDAP($access, $pluginManager); $group = $groupBackend->gidNumber2Name('3117', $userDN); $this->assertSame(false, $group); } public function testGidNumberID2NameNoName() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; $access->expects($this->once()) ->method('searchGroups') ->willReturn([['dn' => ['cn=foo,dc=barfoo,dc=bar']]]); $access->expects($this->once()) ->method('dn2groupname') ->willReturn(false); $groupBackend = new GroupLDAP($access, $pluginManager); $group = $groupBackend->gidNumber2Name('3117', $userDN); $this->assertSame(false, $group); } public function testGetEntryGidNumberValue() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $dn = 'cn=foobar,cn=foo,dc=barfoo,dc=bar'; $attr = 'gidNumber'; $access->expects($this->once()) ->method('readAttribute') ->with($dn, $attr) ->willReturn(['3117']); $groupBackend = new GroupLDAP($access, $pluginManager); $gid = $groupBackend->getGroupGidNumber($dn); $this->assertSame('3117', $gid); } public function testGetEntryGidNumberNoValue() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $dn = 'cn=foobar,cn=foo,dc=barfoo,dc=bar'; $attr = 'gidNumber'; $access->expects($this->once()) ->method('readAttribute') ->with($dn, $attr) ->willReturn(false); $groupBackend = new GroupLDAP($access, $pluginManager); $gid = $groupBackend->getGroupGidNumber($dn); $this->assertSame(false, $gid); } public function testPrimaryGroupID2NameSuccessCache() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; $gid = '3117'; $groupDN = 'cn=foo,dc=barfoo,dc=bar'; /** @var MockObject $connection */ $connection = $access->connection; $connection->expects($this->once()) ->method('getFromCache') ->with('primaryGroupIDtoName_' . $gid) ->willReturn('MyGroup'); $access->expects($this->never()) ->method('getSID'); $access->expects($this->never()) ->method('searchGroups'); $access->expects($this->never()) ->method('dn2groupname'); $groupBackend = new GroupLDAP($access, $pluginManager); $group = $groupBackend->primaryGroupID2Name($gid, $userDN); $this->assertSame('MyGroup', $group); } public function testPrimaryGroupID2NameSuccess() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; $access->expects($this->once()) ->method('getSID') ->with($userDN) ->willReturn('S-1-5-21-249921958-728525901-1594176202'); $access->expects($this->once()) ->method('searchGroups') ->willReturn([['dn' => ['cn=foo,dc=barfoo,dc=bar']]]); $access->expects($this->once()) ->method('dn2groupname') ->with('cn=foo,dc=barfoo,dc=bar') ->willReturn('MyGroup'); $groupBackend = new GroupLDAP($access, $pluginManager); $group = $groupBackend->primaryGroupID2Name('3117', $userDN); $this->assertSame('MyGroup', $group); } public function testPrimaryGroupID2NameNoSID() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; $access->expects($this->once()) ->method('getSID') ->with($userDN) ->willReturn(false); $access->expects($this->never()) ->method('searchGroups'); $access->expects($this->never()) ->method('dn2groupname'); $groupBackend = new GroupLDAP($access, $pluginManager); $group = $groupBackend->primaryGroupID2Name('3117', $userDN); $this->assertSame(false, $group); } public function testPrimaryGroupID2NameNoGroup() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; $access->expects($this->once()) ->method('getSID') ->with($userDN) ->willReturn('S-1-5-21-249921958-728525901-1594176202'); $access->expects($this->once()) ->method('searchGroups') ->willReturn([]); $access->expects($this->never()) ->method('dn2groupname'); $groupBackend = new GroupLDAP($access, $pluginManager); $group = $groupBackend->primaryGroupID2Name('3117', $userDN); $this->assertSame(false, $group); } public function testPrimaryGroupID2NameNoName() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $userDN = 'cn=alice,cn=foo,dc=barfoo,dc=bar'; $access->expects($this->once()) ->method('getSID') ->with($userDN) ->willReturn('S-1-5-21-249921958-728525901-1594176202'); $access->expects($this->once()) ->method('searchGroups') ->willReturn([['dn' => ['cn=foo,dc=barfoo,dc=bar']]]); $access->expects($this->once()) ->method('dn2groupname') ->willReturn(false); $groupBackend = new GroupLDAP($access, $pluginManager); $group = $groupBackend->primaryGroupID2Name('3117', $userDN); $this->assertSame(false, $group); } public function testGetEntryGroupIDValue() { //tests getEntryGroupID via getGroupPrimaryGroupID //which is basically identical to getUserPrimaryGroupIDs $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $dn = 'cn=foobar,cn=foo,dc=barfoo,dc=bar'; $attr = 'primaryGroupToken'; $access->expects($this->once()) ->method('readAttribute') ->with($dn, $attr) ->willReturn(['3117']); $groupBackend = new GroupLDAP($access, $pluginManager); $gid = $groupBackend->getGroupPrimaryGroupID($dn); $this->assertSame('3117', $gid); } public function testGetEntryGroupIDNoValue() { //tests getEntryGroupID via getGroupPrimaryGroupID //which is basically identical to getUserPrimaryGroupIDs $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $dn = 'cn=foobar,cn=foo,dc=barfoo,dc=bar'; $attr = 'primaryGroupToken'; $access->expects($this->once()) ->method('readAttribute') ->with($dn, $attr) ->willReturn(false); $groupBackend = new GroupLDAP($access, $pluginManager); $gid = $groupBackend->getGroupPrimaryGroupID($dn); $this->assertSame(false, $gid); } /** * tests whether Group Backend behaves correctly when cache with uid and gid * is hit */ public function testInGroupHitsUidGidCache() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $uid = 'someUser'; $gid = 'someGroup'; $cacheKey = 'inGroup' . $uid . ':' . $gid; $access->connection->expects($this->once()) ->method('getFromCache') ->with($cacheKey) ->willReturn(true); $access->expects($this->never()) ->method('username2dn'); $groupBackend = new GroupLDAP($access, $pluginManager); $groupBackend->inGroup($uid, $gid); } public function groupWithMembersProvider() { return [ [ 'someGroup', 'cn=someGroup,ou=allTheGroups,ou=someDepartment,dc=someDomain,dc=someTld', [ 'uid=oneUser,ou=someTeam,ou=someDepartment,dc=someDomain,dc=someTld', 'uid=someUser,ou=someTeam,ou=someDepartment,dc=someDomain,dc=someTld', 'uid=anotherUser,ou=someTeam,ou=someDepartment,dc=someDomain,dc=someTld', 'uid=differentUser,ou=someTeam,ou=someDepartment,dc=someDomain,dc=someTld', ], ], ]; } /** * @dataProvider groupWithMembersProvider */ public function testInGroupMember(string $gid, string $groupDn, array $memberDNs) { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $access->connection = $this->createMock(Connection::class); $uid = 'someUser'; $userDn = $memberDNs[0]; $access->connection->expects($this->any()) ->method('__get') ->willReturnCallback(function ($name) { switch ($name) { case 'ldapGroupMemberAssocAttr': return 'member'; case 'ldapDynamicGroupMemberURL': return ''; case 'hasPrimaryGroups': case 'ldapNestedGroups': return 0; default: return 1; } }); $access->connection->expects($this->any()) ->method('getFromCache') ->willReturn(null); $access->expects($this->once()) ->method('username2dn') ->with($uid) ->willReturn($userDn); $access->expects($this->once()) ->method('groupname2dn') ->willReturn($groupDn); $access->expects($this->any()) ->method('readAttribute') ->willReturn($memberDNs); $groupBackend = new GroupLDAP($access, $pluginManager); $this->assertTrue($groupBackend->inGroup($uid, $gid)); } /** * @dataProvider groupWithMembersProvider */ public function testInGroupMemberNot(string $gid, string $groupDn, array $memberDNs) { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $access->connection = $this->createMock(Connection::class); $uid = 'unelatedUser'; $userDn = 'uid=unrelatedUser,ou=unrelatedTeam,ou=unrelatedDepartment,dc=someDomain,dc=someTld'; $access->connection->expects($this->any()) ->method('__get') ->willReturnCallback(function ($name) { switch ($name) { case 'ldapGroupMemberAssocAttr': return 'member'; case 'ldapDynamicGroupMemberURL': return ''; case 'hasPrimaryGroups': case 'ldapNestedGroups': return 0; default: return 1; } }); $access->connection->expects($this->any()) ->method('getFromCache') ->willReturn(null); $access->expects($this->once()) ->method('username2dn') ->with($uid) ->willReturn($userDn); $access->expects($this->once()) ->method('groupname2dn') ->willReturn($groupDn); $access->expects($this->any()) ->method('readAttribute') ->willReturn($memberDNs); $groupBackend = new GroupLDAP($access, $pluginManager); $this->assertFalse($groupBackend->inGroup($uid, $gid)); } /** * @dataProvider groupWithMembersProvider */ public function testInGroupMemberUid(string $gid, string $groupDn, array $memberDNs) { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $memberUids = []; $userRecords = []; foreach ($memberDNs as $dn) { $memberUids[] = ldap_explode_dn($dn, false)[0]; $userRecords[] = ['dn' => [$dn]]; } $access->connection = $this->createMock(Connection::class); $uid = 'someUser'; $userDn = $memberDNs[0]; $access->connection->expects($this->any()) ->method('__get') ->willReturnCallback(function ($name) { switch ($name) { case 'ldapGroupMemberAssocAttr': return 'memberUid'; case 'ldapDynamicGroupMemberURL': return ''; case 'ldapLoginFilter': return 'uid=%uid'; case 'hasPrimaryGroups': case 'ldapNestedGroups': return 0; default: return 1; } }); $access->connection->expects($this->any()) ->method('getFromCache') ->willReturn(null); $access->userManager->expects($this->any()) ->method('getAttributes') ->willReturn(['uid', 'mail', 'displayname']); $access->expects($this->once()) ->method('username2dn') ->with($uid) ->willReturn($userDn); $access->expects($this->once()) ->method('groupname2dn') ->willReturn($groupDn); $access->expects($this->any()) ->method('readAttribute') ->willReturn($memberUids); $access->expects($this->any()) ->method('fetchListOfUsers') ->willReturn($userRecords); $access->expects($this->any()) ->method('combineFilterWithOr') ->willReturn('(|(pseudo=filter)(filter=pseudo))'); $groupBackend = new GroupLDAP($access, $pluginManager); $this->assertTrue($groupBackend->inGroup($uid, $gid)); } public function testGetGroupsWithOffset() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $access->expects($this->once()) ->method('nextcloudGroupNames') ->willReturn(['group1', 'group2']); $groupBackend = new GroupLDAP($access, $pluginManager); $groups = $groupBackend->getGroups('', 2, 2); $this->assertSame(2, count($groups)); } /** * tests that a user listing is complete, if all its members have the group * as their primary. */ public function testUsersInGroupPrimaryMembersOnly() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $access->connection->expects($this->any()) ->method('getFromCache') ->willReturn(null); $access->expects($this->any()) ->method('readAttribute') ->willReturnCallback(function ($dn, $attr) { if ($attr === 'primaryGroupToken') { return [1337]; } elseif ($attr === 'gidNumber') { return [4211]; } return []; }); $access->expects($this->any()) ->method('groupname2dn') ->willReturn('cn=foobar,dc=foo,dc=bar'); $access->expects($this->exactly(2)) ->method('nextcloudUserNames') ->willReturnOnConsecutiveCalls(['lisa', 'bart', 'kira', 'brad'], ['walle', 'dino', 'xenia']); $access->expects($this->any()) ->method('isDNPartOfBase') ->willReturn(true); $access->expects($this->any()) ->method('combineFilterWithAnd') ->willReturn('pseudo=filter'); $access->userManager->expects($this->any()) ->method('getAttributes') ->willReturn(['displayName', 'mail']); $groupBackend = new GroupLDAP($access, $pluginManager); $users = $groupBackend->usersInGroup('foobar'); $this->assertSame(7, count($users)); } /** * tests that a user listing is complete, if all its members have the group * as their primary. */ public function testUsersInGroupPrimaryAndUnixMembers() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $access->connection->expects($this->any()) ->method('getFromCache') ->willReturn(null); $access->expects($this->any()) ->method('readAttribute') ->willReturnCallback(function ($dn, $attr) { if ($attr === 'primaryGroupToken') { return [1337]; } return []; }); $access->expects($this->any()) ->method('groupname2dn') ->willReturn('cn=foobar,dc=foo,dc=bar'); $access->expects($this->once()) ->method('nextcloudUserNames') ->willReturn(['lisa', 'bart', 'kira', 'brad']); $access->expects($this->any()) ->method('isDNPartOfBase') ->willReturn(true); $access->expects($this->any()) ->method('combineFilterWithAnd') ->willReturn('pseudo=filter'); $access->userManager->expects($this->any()) ->method('getAttributes') ->willReturn(['displayName', 'mail']); $groupBackend = new GroupLDAP($access, $pluginManager); $users = $groupBackend->usersInGroup('foobar'); $this->assertSame(4, count($users)); } /** * tests that a user counting is complete, if all its members have the group * as their primary. */ public function testCountUsersInGroupPrimaryMembersOnly() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $access->connection->expects($this->any()) ->method('getFromCache') ->willReturn(null); $access->expects($this->any()) ->method('readAttribute') ->willReturnCallback(function ($dn, $attr) { if ($attr === 'primaryGroupToken') { return [1337]; } return []; }); $access->expects($this->any()) ->method('groupname2dn') ->willReturn('cn=foobar,dc=foo,dc=bar'); $access->expects($this->once()) ->method('countUsers') ->willReturn(4); $access->expects($this->any()) ->method('isDNPartOfBase') ->willReturn(true); $access->userManager->expects($this->any()) ->method('getAttributes') ->willReturn(['displayName', 'mail']); $groupBackend = new GroupLDAP($access, $pluginManager); $users = $groupBackend->countUsersInGroup('foobar'); $this->assertSame(4, $users); } public function testGetUserGroupsMemberOf() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $this->enableGroups($access); $dn = 'cn=userX,dc=foobar'; $access->connection->hasPrimaryGroups = false; $access->connection->hasGidNumber = false; $access->expects($this->any()) ->method('username2dn') ->willReturn($dn); $access->expects($this->exactly(5)) ->method('readAttribute') ->will($this->onConsecutiveCalls(['cn=groupA,dc=foobar', 'cn=groupB,dc=foobar'], [], [], [], [])); $access->expects($this->any()) ->method('dn2groupname') ->willReturnArgument(0); $access->expects($this->any()) ->method('groupname2dn') ->willReturnArgument(0); $access->expects($this->any()) ->method('isDNPartOfBase') ->willReturn(true); $groupBackend = new GroupLDAP($access, $pluginManager); $groups = $groupBackend->getUserGroups('userX'); $this->assertSame(2, count($groups)); } public function testGetUserGroupsMemberOfDisabled() { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $access->connection = $this->createMock(Connection::class); $access->connection->expects($this->any()) ->method('__get') ->willReturnCallback(function ($name) { if ($name === 'useMemberOfToDetectMembership') { return 0; } elseif ($name === 'ldapDynamicGroupMemberURL') { return ''; } return 1; }); $dn = 'cn=userX,dc=foobar'; $access->connection->hasPrimaryGroups = false; $access->connection->hasGidNumber = false; $access->expects($this->once()) ->method('username2dn') ->willReturn($dn); $access->expects($this->never()) ->method('readAttribute') ->with($dn, 'memberOf'); $access->expects($this->once()) ->method('nextcloudGroupNames') ->willReturn([]); $groupBackend = new GroupLDAP($access, $pluginManager); $groupBackend->getUserGroups('userX'); } public function nestedGroupsProvider(): array { return [ [true], [false], ]; } /** * @dataProvider nestedGroupsProvider */ public function testGetGroupsByMember(bool $nestedGroups) { $access = $this->getAccessMock(); $pluginManager = $this->getPluginManagerMock(); $groupFilter = '(&(objectclass=nextcloudGroup)(nextcloudEnabled=TRUE))'; $access->connection = $this->createMock(Connection::class); $access->connection->expects($this->any()) ->method('__get') ->willReturnCallback(function (string $name) use ($nestedGroups, $groupFilter) { switch ($name) { case 'useMemberOfToDetectMembership': return 0; case 'ldapDynamicGroupMemberURL': return ''; case 'ldapNestedGroups': return (int)$nestedGroups; case 'ldapGroupMemberAssocAttr': return 'member'; case 'ldapGroupFilter': return $groupFilter; case 'ldapBaseGroups': return []; case 'ldapGroupDisplayName': return 'cn'; } return 1; }); $dn = 'cn=userX,dc=foobar'; $access->connection->hasPrimaryGroups = false; $access->connection->hasGidNumber = false; $access->expects($this->exactly(2)) ->method('username2dn') ->willReturn($dn); $access->expects($this->any()) ->method('readAttribute') ->willReturn([]); $access->expects($this->any()) ->method('combineFilterWithAnd') ->willReturnCallback(function (array $filterParts) { // ⚠ returns a pseudo-filter only, not real LDAP Filter syntax return implode('&', $filterParts); }); $group1 = [ 'cn' => 'group1', 'dn' => ['cn=group1,ou=groups,dc=domain,dc=com'], 'member' => [$dn], ]; $group2 = [ 'cn' => 'group2', 'dn' => ['cn=group2,ou=groups,dc=domain,dc=com'], 'member' => [$dn], ]; $group3 = [ 'cn' => 'group3', 'dn' => ['cn=group3,ou=groups,dc=domain,dc=com'], 'member' => [$group2['dn'][0]], ]; $expectedGroups = ($nestedGroups ? [$group1, $group2, $group3] : [$group1, $group2]); $expectedGroupsNames = ($nestedGroups ? ['group1', 'group2', 'group3'] : ['group1', 'group2']); $access->expects($this->any()) ->method('nextcloudGroupNames') ->with($expectedGroups) ->willReturn($expectedGroupsNames); $access->expects($nestedGroups ? $this->atLeastOnce() : $this->once()) ->method('fetchListOfGroups') ->willReturnCallback(function ($filter, $attr, $limit, $offset) use ($nestedGroups, $groupFilter, $group1, $group2, $group3, $dn) { static $firstRun = true; if (!$nestedGroups) { // When nested groups are enabled, groups cannot be filtered early as it would // exclude intermediate groups. But we can, and should, when working with flat groups. $this->assertTrue(str_contains($filter, $groupFilter)); } [$memberFilter] = explode('&', $filter); if ($memberFilter === 'member='.$dn) { return [$group1, $group2]; return []; } elseif ($memberFilter === 'member='.$group2['dn'][0]) { return [$group3]; } else { return []; } }); $access->expects($this->any()) ->method('dn2groupname') ->willReturnCallback(function (string $dn) { return ldap_explode_dn($dn, 1)[0]; }); $access->expects($this->any()) ->method('groupname2dn') ->willReturnCallback(function (string $gid) use ($group1, $group2, $group3) { if ($gid === $group1['cn']) { return $group1['dn'][0]; } if ($gid === $group2['cn']) { return $group2['dn'][0]; } if ($gid === $group3['cn']) { return $group3['dn'][0]; } }); $access->expects($this->any()) ->method('isDNPartOfBase') ->willReturn(true); $groupBackend = new GroupLDAP($access, $pluginManager); $groups = $groupBackend->getUserGroups('userX'); $this->assertEquals($expectedGroupsNames, $groups); $groupsAgain = $groupBackend->getUserGroups('userX'); $this->assertEquals($expectedGroupsNames, $groupsAgain); } public function testCreateGroupWithPlugin() { /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'createGroup']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::CREATE_GROUP) ->willReturn(true); $pluginManager->expects($this->once()) ->method('createGroup') ->with('gid') ->willReturn('result'); $access = $this->getAccessMock(); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $this->assertEquals($ldap->createGroup('gid'), true); } public function testCreateGroupFailing() { $this->expectException(\Exception::class); /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'createGroup']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::CREATE_GROUP) ->willReturn(false); $access = $this->getAccessMock(); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $ldap->createGroup('gid'); } public function testDeleteGroupWithPlugin() { /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'deleteGroup']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::DELETE_GROUP) ->willReturn(true); $pluginManager->expects($this->once()) ->method('deleteGroup') ->with('gid') ->willReturn(true); $mapper = $this->getMockBuilder(GroupMapping::class) ->setMethods(['unmap']) ->disableOriginalConstructor() ->getMock(); $access = $this->getAccessMock(); $access->expects($this->any()) ->method('getGroupMapper') ->willReturn($mapper); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $this->assertTrue($ldap->deleteGroup('gid')); } public function testDeleteGroupFailing() { $this->expectException(\Exception::class); /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'deleteGroup']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::DELETE_GROUP) ->willReturn(false); $access = $this->getAccessMock(); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $ldap->deleteGroup('gid'); } public function testAddToGroupWithPlugin() { /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'addToGroup']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::ADD_TO_GROUP) ->willReturn(true); $pluginManager->expects($this->once()) ->method('addToGroup') ->with('uid', 'gid') ->willReturn('result'); $access = $this->getAccessMock(); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $this->assertEquals($ldap->addToGroup('uid', 'gid'), 'result'); } public function testAddToGroupFailing() { $this->expectException(\Exception::class); /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'addToGroup']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::ADD_TO_GROUP) ->willReturn(false); $access = $this->getAccessMock(); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $ldap->addToGroup('uid', 'gid'); } public function testRemoveFromGroupWithPlugin() { /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'removeFromGroup']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::REMOVE_FROM_GROUP) ->willReturn(true); $pluginManager->expects($this->once()) ->method('removeFromGroup') ->with('uid', 'gid') ->willReturn('result'); $access = $this->getAccessMock(); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $this->assertEquals($ldap->removeFromGroup('uid', 'gid'), 'result'); } public function testRemoveFromGroupFailing() { $this->expectException(\Exception::class); /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'removeFromGroup']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::REMOVE_FROM_GROUP) ->willReturn(false); $access = $this->getAccessMock(); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $ldap->removeFromGroup('uid', 'gid'); } public function testGetGroupDetailsWithPlugin() { /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'getGroupDetails']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::GROUP_DETAILS) ->willReturn(true); $pluginManager->expects($this->once()) ->method('getGroupDetails') ->with('gid') ->willReturn('result'); $access = $this->getAccessMock(); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $this->assertEquals($ldap->getGroupDetails('gid'), 'result'); } public function testGetGroupDetailsFailing() { $this->expectException(\Exception::class); /** @var GroupPluginManager|MockObject $pluginManager */ $pluginManager = $this->getMockBuilder(GroupPluginManager::class) ->setMethods(['implementsActions', 'getGroupDetails']) ->getMock(); $pluginManager->expects($this->once()) ->method('implementsActions') ->with(GroupInterface::GROUP_DETAILS) ->willReturn(false); $access = $this->getAccessMock(); $access->connection = $this->createMock(Connection::class); $ldap = new GroupLDAP($access, $pluginManager); $ldap->getGroupDetails('gid'); } public function groupMemberProvider() { $base = 'dc=species,dc=earth'; $birdsDn = [ 'uid=3723,' . $base, 'uid=8372,' . $base, 'uid=8427,' . $base, 'uid=2333,' . $base, 'uid=4754,' . $base, ]; $birdsUid = [ '3723', '8372', '8427', '2333', '4754', ]; $animalsDn = [ 'uid=lion,' . $base, 'uid=tiger,' . $base, ]; $plantsDn = [ 'uid=flower,' . $base, 'uid=tree,' . $base, ]; $thingsDn = [ 'uid=thing1,' . $base, 'uid=thing2,' . $base, ]; return [ [ #0 – test DNs ['cn=Birds,' . $base => $birdsDn], ['cn=Birds,' . $base => $birdsDn] ], [ #1 – test uids ['cn=Birds,' . $base => $birdsUid], ['cn=Birds,' . $base => $birdsUid] ], [ #2 – test simple nested group ['cn=Animals,' . $base => array_merge($birdsDn, $animalsDn)], [ 'cn=Animals,' . $base => array_merge(['cn=Birds,' . $base], $animalsDn), 'cn=Birds,' . $base => $birdsDn, ] ], [ #3 – test recursive nested group [ 'cn=Animals,' . $base => array_merge($birdsDn, $animalsDn), 'cn=Birds,' . $base => array_merge($birdsDn, $animalsDn), ], [ 'cn=Animals,' . $base => array_merge(['cn=Birds,' . $base,'cn=Birds,' . $base,'cn=Animals,' . $base], $animalsDn), 'cn=Birds,' . $base => array_merge(['cn=Animals,' . $base,'cn=Birds,' . $base], $birdsDn), ] ], [ #4 – Complicated nested group ['cn=Things,' . $base => array_merge($birdsDn, $animalsDn, $thingsDn, $plantsDn)], [ 'cn=Animals,' . $base => array_merge(['cn=Birds,' . $base], $animalsDn), 'cn=Birds,' . $base => $birdsDn, 'cn=Plants,' . $base => $plantsDn, 'cn=Things,' . $base => array_merge(['cn=Animals,' . $base,'cn=Plants,' . $base], $thingsDn), ] ], ]; } /** * @param string[] $expectedMembers * @dataProvider groupMemberProvider */ public function testGroupMembers(array $expectedResult, array $groupsInfo = null) { $access = $this->getAccessMock(); $access->expects($this->any()) ->method('readAttribute') ->willReturnCallback(function ($group) use ($groupsInfo) { if (isset($groupsInfo[$group])) { return $groupsInfo[$group]; } return []; }); $access->connection = $this->createMock(Connection::class); $access->connection->expects($this->any()) ->method('__get') ->willReturnCallback(function (string $name) { if ($name === 'ldapNestedGroups') { return 1; } elseif ($name === 'ldapGroupMemberAssocAttr') { return 'attr'; } return null; }); /** @var GroupPluginManager $pluginManager */ $pluginManager = $this->createMock(GroupPluginManager::class); $ldap = new GroupLDAP($access, $pluginManager); foreach ($expectedResult as $groupDN => $expectedMembers) { $resultingMembers = $this->invokePrivate($ldap, '_groupMembers', [$groupDN]); $this->assertEqualsCanonicalizing($expectedMembers, $resultingMembers); } } public function displayNameProvider() { return [ ['Graphic Novelists', ['Graphic Novelists']], ['', false], ]; } /** * @dataProvider displayNameProvider */ public function testGetDisplayName(string $expected, $ldapResult) { $gid = 'graphic_novelists'; $access = $this->getAccessMock(); $access->expects($this->atLeastOnce()) ->method('readAttribute') ->willReturn($ldapResult); $access->connection = $this->createMock(Connection::class); $access->connection->expects($this->any()) ->method('__get') ->willReturnCallback(function ($name) { if ($name === 'ldapGroupMemberAssocAttr') { return 'member'; } elseif ($name === 'ldapGroupFilter') { return 'objectclass=nextcloudGroup'; } elseif ($name === 'ldapGroupDisplayName') { return 'cn'; } return null; }); $access->expects($this->any()) ->method('groupname2dn') ->willReturn('fakedn'); /** @var GroupPluginManager $pluginManager */ $pluginManager = $this->createMock(GroupPluginManager::class); $ldap = new GroupLDAP($access, $pluginManager); $this->assertSame($expected, $ldap->getDisplayName($gid)); } }