mirror/Arsse
1
1
Fork 0
mirror of https://code.mensbeam.com/MensBeam/Arsse.git synced 2024-12-23 17:12:41 +00:00
Code Issues Activity
Arsse/tests/User/TestAuthorization.php

317 lines
18 KiB
PHP
Raw Normal View History

Start on tests for authorization
2017-02-28 04:04:13 +00:00
<?php
declare(strict_types=1);
Changed "NewsSync" to "Arsse"
2017-03-28 04:12:12 +00:00
namespace JKingWeb\Arsse;
Removed most calls to userExists() - functions not related to user management now have the existence of the affected user checked in the authorizer, when the affected user differs from the actor - User::authorizationEnabled() now nests: disabling twice and then enabling once leaves the authorizer disabled - Disabling of the authorizer is now tested - User tests now use a partial mock instead of relying on User::authorizationEnabled() - Added authorizer tests against a missing user - Removed folder tests related to missing users - Also added more subscription tests
2017-05-11 22:00:35 +00:00
use Phake;
Start on tests for authorization
2017-02-28 04:04:13 +00:00
class TestAuthorization extends \PHPUnit\Framework\TestCase {
use Test\Tools;
Cover unknown/invalid user levels
2017-02-28 16:19:33 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
const USERS = [
'user@example.com' => User\Driver::RIGHTS_NONE,
'user@example.org' => User\Driver::RIGHTS_NONE,
'dman@example.com' => User\Driver::RIGHTS_DOMAIN_MANAGER,
'dman@example.org' => User\Driver::RIGHTS_DOMAIN_MANAGER,
'dadm@example.com' => User\Driver::RIGHTS_DOMAIN_ADMIN,
'dadm@example.org' => User\Driver::RIGHTS_DOMAIN_ADMIN,
'gman@example.com' => User\Driver::RIGHTS_GLOBAL_MANAGER,
'gman@example.org' => User\Driver::RIGHTS_GLOBAL_MANAGER,
'gadm@example.com' => User\Driver::RIGHTS_GLOBAL_ADMIN,
'gadm@example.org' => User\Driver::RIGHTS_GLOBAL_ADMIN,
// invalid rights levels
'bad1@example.com' => User\Driver::RIGHTS_NONE+1,
'bad1@example.org' => User\Driver::RIGHTS_NONE+1,
'bad2@example.com' => User\Driver::RIGHTS_DOMAIN_MANAGER+1,
'bad2@example.org' => User\Driver::RIGHTS_DOMAIN_MANAGER+1,
'bad3@example.com' => User\Driver::RIGHTS_DOMAIN_ADMIN+1,
'bad3@example.org' => User\Driver::RIGHTS_DOMAIN_ADMIN+1,
'bad4@example.com' => User\Driver::RIGHTS_GLOBAL_MANAGER+1,
'bad4@example.org' => User\Driver::RIGHTS_GLOBAL_MANAGER+1,
'bad5@example.com' => User\Driver::RIGHTS_GLOBAL_ADMIN+1,
'bad5@example.org' => User\Driver::RIGHTS_GLOBAL_ADMIN+1,
Start on tests for authorization
2017-02-28 04:04:13 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
];
const LEVELS = [
User\Driver::RIGHTS_NONE,
User\Driver::RIGHTS_DOMAIN_MANAGER,
User\Driver::RIGHTS_DOMAIN_ADMIN,
User\Driver::RIGHTS_GLOBAL_MANAGER,
User\Driver::RIGHTS_GLOBAL_ADMIN,
];
const DOMAINS = [
'@example.com',
'@example.org',
"",
];
protected $data;
Start on tests for authorization
2017-02-28 04:04:13 +00:00
Cover authorization exceptions Check each of the current User class features and ensure they trigger an exception when they should and do not when they shouldn't. Tests check against both an internal and external mock driver
2017-02-28 17:37:45 +00:00
function setUp(string $drv = Test\User\DriverInternalMock::class, string $db = null) {
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
$this->clearData();
$conf = new Conf();
$conf->userDriver = $drv;
$conf->userComposeNames = true;
Data::$conf = $conf;
if($db !== null) {
Data::$db = new $db();
}
Removed most calls to userExists() - functions not related to user management now have the existence of the affected user checked in the authorizer, when the affected user differs from the actor - User::authorizationEnabled() now nests: disabling twice and then enabling once leaves the authorizer disabled - Disabling of the authorizer is now tested - User tests now use a partial mock instead of relying on User::authorizationEnabled() - Added authorizer tests against a missing user - Removed folder tests related to missing users - Also added more subscription tests
2017-05-11 22:00:35 +00:00
Data::$user = Phake::PartialMock(User::class);
Phake::when(Data::$user)->authorize->thenReturn(true);
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
foreach(self::USERS as $user => $level) {
Data::$user->add($user, "");
Data::$user->rightsSet($user, $level);
}
Removed most calls to userExists() - functions not related to user management now have the existence of the affected user checked in the authorizer, when the affected user differs from the actor - User::authorizationEnabled() now nests: disabling twice and then enabling once leaves the authorizer disabled - Disabling of the authorizer is now tested - User tests now use a partial mock instead of relying on User::authorizationEnabled() - Added authorizer tests against a missing user - Removed folder tests related to missing users - Also added more subscription tests
2017-05-11 22:00:35 +00:00
Phake::reset(Data::$user);
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
}
Eliminated passing of RuntimeData instances - RuntimeData has now been replaced by a single static Data class - The Data class has a load() method which fills the same role as the constructor of RuntimeData - The static Lang class is now an instantiable class and is a member of Data - All tests have been adjusted and pass - The Exception tests no longer require convoluted workarounds: a simple mock for Data::$l suffices; Lang tests also use a mock to prevent loops now instead of using a workaround
2017-03-28 22:50:00 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
function tearDown() {
$this->clearData();
}
Start on tests for authorization
2017-02-28 04:04:13 +00:00
Removed most calls to userExists() - functions not related to user management now have the existence of the affected user checked in the authorizer, when the affected user differs from the actor - User::authorizationEnabled() now nests: disabling twice and then enabling once leaves the authorizer disabled - Disabling of the authorizer is now tested - User tests now use a partial mock instead of relying on User::authorizationEnabled() - Added authorizer tests against a missing user - Removed folder tests related to missing users - Also added more subscription tests
2017-05-11 22:00:35 +00:00
function testToggleLogic() {
$this->assertTrue(Data::$user->authorizationEnabled());
$this->assertTrue(Data::$user->authorizationEnabled(true));
$this->assertFalse(Data::$user->authorizationEnabled(false));
$this->assertFalse(Data::$user->authorizationEnabled(false));
$this->assertFalse(Data::$user->authorizationEnabled(true));
$this->assertTrue(Data::$user->authorizationEnabled(true));
}
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
function testSelfActionLogic() {
foreach(array_keys(self::USERS) as $user) {
Data::$user->auth($user, "");
// users should be able to do basic actions for themselves
$this->assertTrue(Data::$user->authorize($user, "userExists"), "User $user could not act for themselves.");
$this->assertTrue(Data::$user->authorize($user, "userRemove"), "User $user could not act for themselves.");
}
}
Full set of tests for authorization Invalid/unknown rights levels still need better testing.
2017-02-28 15:52:02 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
function testRegularUserLogic() {
foreach(self::USERS as $actor => $rights) {
if($rights != User\Driver::RIGHTS_NONE) continue;
Data::$user->auth($actor, "");
foreach(array_keys(self::USERS) as $affected) {
// regular users should only be able to act for themselves
if($actor==$affected) {
$this->assertTrue(Data::$user->authorize($affected, "userExists"), "User $actor acted properly for $affected, but the action was denied.");
$this->assertTrue(Data::$user->authorize($affected, "userRemove"), "User $actor acted properly for $affected, but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($affected, "userExists"), "User $actor acted improperly for $affected, but the action was allowed.");
$this->assertFalse(Data::$user->authorize($affected, "userRemove"), "User $actor acted improperly for $affected, but the action was allowed.");
}
// they should never be able to set rights
foreach(self::LEVELS as $level) {
$this->assertFalse(Data::$user->authorize($affected, "userRightsSet", $level), "User $actor acted improperly for $affected settings rights level $level, but the action was allowed.");
}
}
// they should not be able to list users
foreach(self::DOMAINS as $domain) {
$this->assertFalse(Data::$user->authorize($domain, "userList"), "User $actor improperly checked user list for domain '$domain', but the action was allowed.");
}
}
}
Full set of tests for authorization Invalid/unknown rights levels still need better testing.
2017-02-28 15:52:02 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
function testDomainManagerLogic() {
foreach(self::USERS as $actor => $actorRights) {
if($actorRights != User\Driver::RIGHTS_DOMAIN_MANAGER) continue;
$actorDomain = substr($actor,strrpos($actor,"@")+1);
Data::$user->auth($actor, "");
foreach(self::USERS as $affected => $affectedRights) {
$affectedDomain = substr($affected,strrpos($affected,"@")+1);
// domain managers should be able to check any user on the same domain
if($actorDomain==$affectedDomain) {
$this->assertTrue(Data::$user->authorize($affected, "userExists"), "User $actor acted properly for $affected, but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($affected, "userExists"), "User $actor acted improperly for $affected, but the action was allowed.");
}
// they should only be able to act for regular users on the same domain
if($actor==$affected || ($actorDomain==$affectedDomain && $affectedRights==User\Driver::RIGHTS_NONE)) {
$this->assertTrue(Data::$user->authorize($affected, "userRemove"), "User $actor acted properly for $affected, but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($affected, "userRemove"), "User $actor acted improperly for $affected, but the action was allowed.");
}
// and they should only be able to set their own rights to regular user
foreach(self::LEVELS as $level) {
if($actor==$affected && in_array($level, [User\Driver::RIGHTS_NONE, User\Driver::RIGHTS_DOMAIN_MANAGER])) {
$this->assertTrue(Data::$user->authorize($affected, "userRightsSet", $level), "User $actor acted properly for $affected settings rights level $level, but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($affected, "userRightsSet", $level), "User $actor acted improperly for $affected settings rights level $level, but the action was allowed.");
}
}
}
// they should also be able to list all users on their own domain
foreach(self::DOMAINS as $domain) {
if($domain=="@".$actorDomain) {
$this->assertTrue(Data::$user->authorize($domain, "userList"), "User $actor properly checked user list for domain '$domain', but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($domain, "userList"), "User $actor improperly checked user list for domain '$domain', but the action was allowed.");
}
}
}
}
Full set of tests for authorization Invalid/unknown rights levels still need better testing.
2017-02-28 15:52:02 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
function testDomainAdministratorLogic() {
foreach(self::USERS as $actor => $actorRights) {
if($actorRights != User\Driver::RIGHTS_DOMAIN_ADMIN) continue;
$actorDomain = substr($actor,strrpos($actor,"@")+1);
Data::$user->auth($actor, "");
$allowed = [User\Driver::RIGHTS_NONE,User\Driver::RIGHTS_DOMAIN_MANAGER,User\Driver::RIGHTS_DOMAIN_ADMIN];
foreach(self::USERS as $affected => $affectedRights) {
$affectedDomain = substr($affected,strrpos($affected,"@")+1);
// domain admins should be able to check any user on the same domain
if($actorDomain==$affectedDomain) {
$this->assertTrue(Data::$user->authorize($affected, "userExists"), "User $actor acted properly for $affected, but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($affected, "userExists"), "User $actor acted improperly for $affected, but the action was allowed.");
}
// they should be able to act for any user on the same domain who is not a global manager or admin
if($actorDomain==$affectedDomain && in_array($affectedRights, $allowed)) {
$this->assertTrue(Data::$user->authorize($affected, "userRemove"), "User $actor acted properly for $affected, but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($affected, "userRemove"), "User $actor acted improperly for $affected, but the action was allowed.");
}
// they should be able to set rights for any user on their domain who is not a global manager or admin, up to domain admin level
foreach(self::LEVELS as $level) {
if($actorDomain==$affectedDomain && in_array($affectedRights, $allowed) && in_array($level, $allowed)) {
$this->assertTrue(Data::$user->authorize($affected, "userRightsSet", $level), "User $actor acted properly for $affected settings rights level $level, but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($affected, "userRightsSet", $level), "User $actor acted improperly for $affected settings rights level $level, but the action was allowed.");
}
}
}
// they should also be able to list all users on their own domain
foreach(self::DOMAINS as $domain) {
if($domain=="@".$actorDomain) {
$this->assertTrue(Data::$user->authorize($domain, "userList"), "User $actor properly checked user list for domain '$domain', but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($domain, "userList"), "User $actor improperly checked user list for domain '$domain', but the action was allowed.");
}
}
}
}
Full set of tests for authorization Invalid/unknown rights levels still need better testing.
2017-02-28 15:52:02 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
function testGlobalManagerLogic() {
foreach(self::USERS as $actor => $actorRights) {
if($actorRights != User\Driver::RIGHTS_GLOBAL_MANAGER) continue;
$actorDomain = substr($actor,strrpos($actor,"@")+1);
Data::$user->auth($actor, "");
foreach(self::USERS as $affected => $affectedRights) {
$affectedDomain = substr($affected,strrpos($affected,"@")+1);
// global managers should be able to check any user
$this->assertTrue(Data::$user->authorize($affected, "userExists"), "User $actor acted properly for $affected, but the action was denied.");
// they should only be able to act for regular users
if($actor==$affected || $affectedRights==User\Driver::RIGHTS_NONE) {
$this->assertTrue(Data::$user->authorize($affected, "userRemove"), "User $actor acted properly for $affected, but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($affected, "userRemove"), "User $actor acted improperly for $affected, but the action was allowed.");
}
// and they should only be able to set their own rights to regular user
foreach(self::LEVELS as $level) {
if($actor==$affected && in_array($level, [User\Driver::RIGHTS_NONE, User\Driver::RIGHTS_GLOBAL_MANAGER])) {
$this->assertTrue(Data::$user->authorize($affected, "userRightsSet", $level), "User $actor acted properly for $affected settings rights level $level, but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($affected, "userRightsSet", $level), "User $actor acted improperly for $affected settings rights level $level, but the action was allowed.");
}
}
}
// they should also be able to list all users
foreach(self::DOMAINS as $domain) {
$this->assertTrue(Data::$user->authorize($domain, "userList"), "User $actor properly checked user list for domain '$domain', but the action was denied.");
}
}
}
Full set of tests for authorization Invalid/unknown rights levels still need better testing.
2017-02-28 15:52:02 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
function testGlobalAdministratorLogic() {
foreach(self::USERS as $actor => $actorRights) {
if($actorRights != User\Driver::RIGHTS_GLOBAL_ADMIN) continue;
Data::$user->auth($actor, "");
// global admins can do anything
foreach(self::USERS as $affected => $affectedRights) {
$this->assertTrue(Data::$user->authorize($affected, "userExists"), "User $actor acted properly for $affected, but the action was denied.");
$this->assertTrue(Data::$user->authorize($affected, "userRemove"), "User $actor acted properly for $affected, but the action was denied.");
foreach(self::LEVELS as $level) {
$this->assertTrue(Data::$user->authorize($affected, "userRightsSet", $level), "User $actor acted properly for $affected settings rights level $level, but the action was denied.");
}
}
foreach(self::DOMAINS as $domain) {
$this->assertTrue(Data::$user->authorize($domain, "userList"), "User $actor properly checked user list for domain '$domain', but the action was denied.");
}
}
}
Cover unknown/invalid user levels
2017-02-28 16:19:33 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
function testInvalidLevelLogic() {
foreach(self::USERS as $actor => $rights) {
if(in_array($rights, self::LEVELS)) continue;
Data::$user->auth($actor, "");
foreach(array_keys(self::USERS) as $affected) {
// users with unknown/invalid rights should be treated just like regular users and only be able to act for themselves
if($actor==$affected) {
$this->assertTrue(Data::$user->authorize($affected, "userExists"), "User $actor acted properly for $affected, but the action was denied.");
$this->assertTrue(Data::$user->authorize($affected, "userRemove"), "User $actor acted properly for $affected, but the action was denied.");
} else {
$this->assertFalse(Data::$user->authorize($affected, "userExists"), "User $actor acted improperly for $affected, but the action was allowed.");
$this->assertFalse(Data::$user->authorize($affected, "userRemove"), "User $actor acted improperly for $affected, but the action was allowed.");
}
// they should never be able to set rights
foreach(self::LEVELS as $level) {
$this->assertFalse(Data::$user->authorize($affected, "userRightsSet", $level), "User $actor acted improperly for $affected settings rights level $level, but the action was allowed.");
}
}
// they should not be able to list users
foreach(self::DOMAINS as $domain) {
$this->assertFalse(Data::$user->authorize($domain, "userList"), "User $actor improperly checked user list for domain '$domain', but the action was allowed.");
}
}
}
Cover authorization exceptions Check each of the current User class features and ensure they trigger an exception when they should and do not when they shouldn't. Tests check against both an internal and external mock driver
2017-02-28 17:37:45 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
function testInternalExceptionLogic() {
$tests = [
// methods of User class to test, with parameters besides affected user
'exists' => [],
'remove' => [],
'add' => [''],
'passwordSet' => [''],
'propertiesGet' => [],
'propertiesSet' => [[]],
'rightsGet' => [],
'rightsSet' => [User\Driver::RIGHTS_GLOBAL_ADMIN],
'list' => [],
];
// try first with a global admin (there should be no exception)
Data::$user->auth("gadm@example.com", "");
$this->assertCount(0, $this->checkExceptions("user@example.org", $tests));
// next try with a regular user acting on another user (everything should fail)
Data::$user->auth("user@example.com", "");
$this->assertCount(sizeof($tests), $this->checkExceptions("user@example.org", $tests));
}
Cover authorization exceptions Check each of the current User class features and ensure they trigger an exception when they should and do not when they shouldn't. Tests check against both an internal and external mock driver
2017-02-28 17:37:45 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
function testExternalExceptionLogic() {
// set up the test for an external driver
$this->setUp(Test\User\DriverExternalMock::class, Test\User\Database::class);
// run the previous test with the external driver set up
$this->testInternalExceptionLogic();
}
Cover authorization exceptions Check each of the current User class features and ensure they trigger an exception when they should and do not when they shouldn't. Tests check against both an internal and external mock driver
2017-02-28 17:37:45 +00:00
Fix whitespace Also fixed my editor so tabs won't happen again!
2017-04-07 01:41:21 +00:00
// meat of testInternalExceptionLogic and testExternalExceptionLogic
// calls each requested function with supplied arguments, catches authorization exceptions, and returns an array of caught failed calls
protected function checkExceptions(string $user, $tests): array {
$err = [];
foreach($tests as $func => $args) {
// list method does not take an affected user, so do not unshift for that one
if($func != "list") array_unshift($args, $user);
try {
call_user_func_array(array(Data::$user, $func), $args);
} catch(User\ExceptionAuthz $e) {
$err[] = $func;
}
}
return $err;
}
Removed most calls to userExists() - functions not related to user management now have the existence of the affected user checked in the authorizer, when the affected user differs from the actor - User::authorizationEnabled() now nests: disabling twice and then enabling once leaves the authorizer disabled - Disabling of the authorizer is now tested - User tests now use a partial mock instead of relying on User::authorizationEnabled() - Added authorizer tests against a missing user - Removed folder tests related to missing users - Also added more subscription tests
2017-05-11 22:00:35 +00:00
function testMissingUserLogic() {
Data::$user->auth("gadm@example.com", "");
$this->assertTrue(Data::$user->authorize("user@example.com", "someFunction"));
$this->assertException("doesNotExist", "User");
Data::$user->authorize("this_user_does_not_exist@example.org", "someFunction");
}
Start on tests for authorization
2017-02-28 04:04:13 +00:00
}
Copy permalink