From 5a6a85ab077dad588c55ad37b920ae0171514a70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?= <josue@tille.ch>
Date: Wed, 9 Jan 2019 12:04:05 +0100
Subject: [PATCH] Add check LDAP integrity

---
 src/yunohost/tests/test_backuprestore.py |  7 ++
 src/yunohost/tests/test_permission.py    | 94 +++++++++++++++++++++++-
 src/yunohost/tests/test_user-group.py    |  8 ++
 3 files changed, 106 insertions(+), 3 deletions(-)

diff --git a/src/yunohost/tests/test_backuprestore.py b/src/yunohost/tests/test_backuprestore.py
index 3560181bc..508ea890b 100644
--- a/src/yunohost/tests/test_backuprestore.py
+++ b/src/yunohost/tests/test_backuprestore.py
@@ -14,6 +14,7 @@ from yunohost.backup import backup_create, backup_restore, backup_list, backup_i
 from yunohost.domain import _get_maindomain
 from yunohost.utils.error import YunohostError
 from yunohost.user import user_permission_list
+from yunohost.tests.test_permission import check_LDAP_db_integrity
 
 # Get main domain
 maindomain = ""
@@ -91,6 +92,12 @@ def teardown_function(function):
         shutil.rmtree("/opt/test_backup_output_directory")
 
 
+@pytest.fixture(autouse=True)
+def check_LDAP_db_integrity_call():
+    check_LDAP_db_integrity()
+    yield
+    check_LDAP_db_integrity()
+
 #
 # Helpers                                                                    #
 #
diff --git a/src/yunohost/tests/test_permission.py b/src/yunohost/tests/test_permission.py
index c6b7c4129..2ed84f937 100644
--- a/src/yunohost/tests/test_permission.py
+++ b/src/yunohost/tests/test_permission.py
@@ -48,6 +48,94 @@ def teardown_function(function):
     except:
         pass
 
+@pytest.fixture(autouse=True)
+def check_LDAP_db_integrity_call():
+    check_LDAP_db_integrity()
+    yield
+    check_LDAP_db_integrity()
+
+def check_LDAP_db_integrity():
+    # Here we check that all attributes in all object are sychronized.
+    # Here is the list of attributes per object:
+    # user : memberOf, permission
+    # group : member, permission
+    # permission : groupPermission, inheritPermission
+    #
+    # The idea is to check that all attributes on all sides of object are sychronized.
+    # One part should be done automatically by the "memberOf" overlay of LDAP.
+    # The other part is done by the the "permission_sync_to_user" function of the permission module
+
+    user_search = auth.search('ou=users,dc=yunohost,dc=org',
+                              '(&(objectclass=person)(!(uid=root))(!(uid=nobody)))',
+                              ['uid', 'memberOf', 'permission'])
+    group_search = auth.search('ou=groups,dc=yunohost,dc=org',
+                               '(objectclass=groupOfNamesYnh)',
+                               ['cn', 'member', 'memberUid', 'permission'])
+    permission_search = auth.search('ou=permission,dc=yunohost,dc=org',
+                                    '(objectclass=permissionYnh)',
+                                    ['cn', 'groupPermission', 'inheritPermission', 'memberUid'])
+
+    user_map = {u['uid'][0]: u for u in user_search}
+    group_map = {g['cn'][0]: g for g in group_search}
+    permission_map = {p['cn'][0]: p for p in permission_search}
+
+    for user in user_search:
+        user_dn = 'uid=' + user['uid'][0] + ',ou=users,dc=yunohost,dc=org'
+        group_list = [m.split("=")[1].split(",")[0] for m in user['memberOf']]
+        permission_list = []
+        if 'permission' in user:
+            permission_list = [m.split("=")[1].split(",")[0] for m in user['permission']]
+
+        for group in group_list:
+            assert user_dn in group_map[group]['member']
+        for permission in permission_list:
+            assert user_dn in permission_map[permission]['inheritPermission']
+
+    for permission in permission_search:
+        permission_dn = 'cn=' + permission['cn'][0] + ',ou=permission,dc=yunohost,dc=org'
+        user_list = []
+        group_list = []
+        if 'inheritPermission' in permission:
+            user_list = [m.split("=")[1].split(",")[0] for m in permission['inheritPermission']]
+            assert set(user_list) == set(permission['memberUid'])
+        if 'groupPermission' in permission:
+            group_list = [m.split("=")[1].split(",")[0] for m in permission['groupPermission']]
+
+        for user in user_list:
+            assert permission_dn in user_map[user]['permission']
+        for group in group_list:
+            assert permission_dn in group_map[group]['permission']
+            if 'member' in group_map[group]:
+                user_list_in_group = [m.split("=")[1].split(",")[0] for m in group_map[group]['member']]
+                assert set(user_list_in_group) <= set(user_list)
+
+    for group in group_search:
+        group_dn = 'cn=' + group['cn'][0] + ',ou=groups,dc=yunohost,dc=org'
+        user_list = []
+        permission_list = []
+        if 'member' in group:
+            user_list = [m.split("=")[1].split(",")[0] for m in group['member']]
+            if group['cn'][0] in user_list:
+                # If it's the main group of the user it's normal that it is not in the memberUid
+                g_list = list(user_list)
+                g_list.remove(group['cn'][0])
+                if 'memberUid' in group:
+                    assert set(g_list) == set(group['memberUid'])
+                else:
+                    assert g_list == []
+            else:
+                assert set(user_list) == set(group['memberUid'])
+        if 'permission' in group:
+            permission_list = [m.split("=")[1].split(",")[0] for m in group['permission']]
+
+        for user in user_list:
+            assert group_dn in user_map[user]['memberOf']
+        for permission in permission_list:
+            assert group_dn in permission_map[permission]['groupPermission']
+            if 'inheritPermission' in permission_map:
+                allowed_user_list = [m.split("=")[1].split(",")[0] for m in permission_map[permission]['inheritPermission']]
+                assert set(user_list) <= set(allowed_user_list)
+
 #
 # List functions
 #
@@ -177,11 +265,11 @@ def test_disallow_group_1():
 
 def test_reset_permission():
     # Reset permission
-    user_permission_remove(auth, ["blog"], "main", group="bob")
+    user_permission_clear(auth, ["blog"], "main")
 
     res = user_permission_list(auth)['permissions']
-    assert ["alice"] == res['blog']['main']['allowed_users']
-    assert ["alice"] == res['blog']['main']['allowed_groups']
+    assert set(["alice", "bob"]) == set(res['blog']['main']['allowed_users'])
+    assert ["all_users"] == res['blog']['main']['allowed_groups']
 
 # internal functions
 
diff --git a/src/yunohost/tests/test_user-group.py b/src/yunohost/tests/test_user-group.py
index 351a3b432..48b56884e 100644
--- a/src/yunohost/tests/test_user-group.py
+++ b/src/yunohost/tests/test_user-group.py
@@ -4,6 +4,7 @@ from moulinette.core import init_authenticator, MoulinetteError
 from yunohost.user import user_list, user_info, user_group_list, user_create, user_delete, user_update, user_group_add, user_group_delete, user_group_update, user_group_info
 from yunohost.domain import _get_maindomain
 from yunohost.utils.error import YunohostError
+from yunohost.tests.test_permission import check_LDAP_db_integrity
 
 # Get main domain
 maindomain = _get_maindomain()
@@ -39,6 +40,12 @@ def setup_function(function):
 def teardown_function(function):
     clean_user_groups()
 
+@pytest.fixture(autouse=True)
+def check_LDAP_db_integrity_call():
+    check_LDAP_db_integrity()
+    yield
+    check_LDAP_db_integrity()
+
 #
 # List functions
 #
@@ -187,6 +194,7 @@ def test_bad_update_user_1():
     with pytest.raises(YunohostError):
         user_update(auth, "not_exit", firstname="NewName", lastname="NewLast")
 
+
 def bad_update_group_1():
     # Check groups not found
     with pytest.raises(YunohostError):