1# -- 2# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/ 3# -- 4# This software comes with ABSOLUTELY NO WARRANTY. For details, see 5# the enclosed file COPYING for license information (GPL). If you 6# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt. 7# -- 8 9use strict; 10use warnings; 11use utf8; 12 13use vars (qw($Self)); 14 15# get helper object 16$Kernel::OM->ObjectParamAdd( 17 'Kernel::System::UnitTest::Helper' => { 18 RestoreDatabase => 1, 19 }, 20); 21my $Helper = $Kernel::OM->Get('Kernel::System::UnitTest::Helper'); 22 23# get needed objects 24my $GroupObject = $Kernel::OM->Get('Kernel::System::Group'); 25my $UserObject = $Kernel::OM->Get('Kernel::System::User'); 26 27# create test users 28my %UserIDByUserLogin; 29for my $UserCount ( 0 .. 2 ) { 30 my ( $UserLogin, $UserID ) = $Helper->TestUserCreate(); 31 32 $UserIDByUserLogin{$UserLogin} = $UserID; 33} 34my @UserIDs = values %UserIDByUserLogin; 35 36# create test groups 37my %GroupIDByGroupName; 38my $GroupNameRandomPartBase = $Helper->GetRandomID(); 39for my $GroupCount ( 1 .. 3 ) { 40 my $GroupName = 'test-permission-group-' . $GroupNameRandomPartBase . '-' . $GroupCount; 41 my $GroupID = $GroupObject->GroupAdd( 42 Name => $GroupName, 43 ValidID => 1, 44 UserID => 1, 45 ); 46 47 $GroupIDByGroupName{$GroupName} = $GroupID; 48} 49my @GroupIDs = values %GroupIDByGroupName; 50 51# create test roles 52my %RoleIDByRoleName; 53my $RoleNameRandomPartBase = $Helper->GetRandomID(); 54for my $RoleCount ( 1 .. 3 ) { 55 my $RoleName = 'test-permission-role-' . $RoleNameRandomPartBase . '-' . $RoleCount; 56 my $RoleID = $GroupObject->RoleAdd( 57 Name => $RoleName, 58 ValidID => 1, 59 UserID => 1, 60 ); 61 62 $RoleIDByRoleName{$RoleName} = $RoleID; 63} 64my @RoleIDs = values %RoleIDByRoleName; 65 66# 67# Permission tests (users and groups) 68# 69my @UserGroupPermissionTests = ( 70 { 71 GroupIDs => [ 72 $GroupIDs[0], $GroupIDs[1], 73 ], 74 UserIDs => [ 75 $UserIDs[1], $UserIDs[2], 76 ], 77 Permissions => { 78 ro => 1, 79 move_into => 1, 80 create => 1, 81 owner => 1, 82 priority => 0, 83 rw => 0, 84 }, 85 }, 86 { 87 GroupIDs => [ 88 $GroupIDs[1], 89 ], 90 UserIDs => [ 91 $UserIDs[2], 92 ], 93 Permissions => { 94 ro => 0, 95 move_into => 1, 96 create => 0, 97 owner => 1, 98 priority => 0, 99 rw => 0, 100 }, 101 }, 102 { 103 GroupIDs => [ 104 $GroupIDs[0], $GroupIDs[2], 105 ], 106 UserIDs => [ 107 $UserIDs[0], $UserIDs[2], 108 ], 109 Permissions => { 110 ro => 1, 111 move_into => 1, 112 create => 1, 113 owner => 1, 114 priority => 1, 115 rw => 1, 116 }, 117 }, 118 { 119 GroupIDs => [ 120 $GroupIDs[0], $GroupIDs[1], $GroupIDs[2], 121 ], 122 UserIDs => [ 123 $UserIDs[0], $UserIDs[1], $UserIDs[2], 124 ], 125 Permissions => { 126 ro => 0, 127 move_into => 1, 128 create => 0, 129 owner => 0, 130 priority => 0, 131 rw => 0, 132 }, 133 }, 134); 135 136for my $PermissionTest (@UserGroupPermissionTests) { 137 138 # add users to groups 139 for my $UserID ( @{ $PermissionTest->{UserIDs} } ) { 140 for my $GroupID ( @{ $PermissionTest->{GroupIDs} } ) { 141 my $Success = $GroupObject->PermissionGroupUserAdd( 142 GID => $GroupID, 143 UID => $UserID, 144 Permission => $PermissionTest->{Permissions}, 145 UserID => 1, 146 ); 147 148 $Self->True( 149 $Success, 150 "PermissionGroupUserAdd() - add permissions for group ID $GroupID and user ID $UserID" 151 ); 152 } 153 } 154 155 # check if users are assigned to the groups (PermissionGroupUserGet) 156 for my $GroupID (@GroupIDs) { 157 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 158 159 my %UserList = $GroupObject->PermissionGroupUserGet( 160 GroupID => $GroupID, 161 Type => $Permission, 162 ); 163 164 for my $UserLogin ( sort keys %UserIDByUserLogin ) { 165 my $UserID = $UserIDByUserLogin{$UserLogin}; 166 167 my $PermissionSet = $PermissionTest->{Permissions}->{$Permission}; 168 169 # If user or group is not part of test, permission is expected to be not set 170 if ( 171 !( grep {m/^$GroupID$/} @{ $PermissionTest->{GroupIDs} } ) 172 || !( grep {m/^$UserID$/} @{ $PermissionTest->{UserIDs} } ) 173 ) 174 { 175 $PermissionSet = 0; 176 } 177 178 my $PermissionMatch 179 = ( $PermissionSet && exists $UserList{$UserID} && $UserList{$UserID} eq $UserLogin ) 180 || ( !$PermissionSet && !exists $UserList{$UserID} ); 181 182 $Self->True( 183 $PermissionMatch, 184 "PermissionGroupUserGet() - permission $Permission must be set to $PermissionSet for user ID $UserID and group ID $GroupID" 185 ); 186 } 187 } 188 } 189 190 # check if groups are assigned to the users (PermissionUserGroupGet) 191 for my $UserID (@UserIDs) { 192 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 193 194 my %GroupList = $GroupObject->PermissionUserGroupGet( 195 UserID => $UserID, 196 Type => $Permission, 197 ); 198 199 for my $GroupName ( sort keys %GroupIDByGroupName ) { 200 my $GroupID = $GroupIDByGroupName{$GroupName}; 201 202 my $PermissionSet = $PermissionTest->{Permissions}->{$Permission}; 203 204 # If user or group is not part of test, permission is expected to be not set 205 if ( 206 !( grep {m/^$GroupID$/} @{ $PermissionTest->{GroupIDs} } ) 207 || !( grep {m/^$UserID$/} @{ $PermissionTest->{UserIDs} } ) 208 ) 209 { 210 $PermissionSet = 0; 211 } 212 213 my $PermissionMatch 214 = ( $PermissionSet && exists $GroupList{$GroupID} && $GroupList{$GroupID} eq $GroupName ) 215 || ( !$PermissionSet && !exists $GroupList{$GroupID} ); 216 217 $Self->True( 218 $PermissionMatch, 219 "PermissionUserGroupGet() - permission $Permission must be set to $PermissionSet for user ID $UserID and group ID $GroupID" 220 ); 221 } 222 } 223 224 } 225 226 # check if users are assigned to the groups (PermissionGroupGet) 227 for my $GroupID (@GroupIDs) { 228 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 229 230 my %UserList = $GroupObject->PermissionGroupGet( 231 GroupID => $GroupID, 232 Type => $Permission, 233 ); 234 235 for my $UserLogin ( sort keys %UserIDByUserLogin ) { 236 my $UserID = $UserIDByUserLogin{$UserLogin}; 237 238 my $PermissionSet = $PermissionTest->{Permissions}->{$Permission}; 239 240 # If user or group is not part of test, permission is expected to be not set 241 if ( 242 !( grep {m/^$GroupID$/} @{ $PermissionTest->{GroupIDs} } ) 243 || !( grep {m/^$UserID$/} @{ $PermissionTest->{UserIDs} } ) 244 ) 245 { 246 $PermissionSet = 0; 247 } 248 249 my $PermissionMatch 250 = ( $PermissionSet && exists $UserList{$UserID} && $UserList{$UserID} eq $UserLogin ) 251 || ( !$PermissionSet && !exists $UserList{$UserID} ); 252 253 $Self->True( 254 $PermissionMatch, 255 "PermissionGroupGet() - permission $Permission must be set to $PermissionSet for user ID $UserID and group ID $GroupID" 256 ); 257 } 258 } 259 } 260 261 # check if groups are assigned to the users (PermissionUserGet) 262 for my $UserID (@UserIDs) { 263 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 264 265 my %GroupList = $GroupObject->PermissionUserGet( 266 UserID => $UserID, 267 Type => $Permission, 268 ); 269 270 for my $GroupName ( sort keys %GroupIDByGroupName ) { 271 my $GroupID = $GroupIDByGroupName{$GroupName}; 272 273 my $PermissionSet = $PermissionTest->{Permissions}->{$Permission}; 274 275 # If user or group is not part of test, permission is expected to be not set 276 if ( 277 !( grep {m/^$GroupID$/} @{ $PermissionTest->{GroupIDs} } ) 278 || !( grep {m/^$UserID$/} @{ $PermissionTest->{UserIDs} } ) 279 ) 280 { 281 $PermissionSet = 0; 282 } 283 284 my $PermissionMatch 285 = ( $PermissionSet && exists $GroupList{$GroupID} && $GroupList{$GroupID} eq $GroupName ) 286 || ( !$PermissionSet && !exists $GroupList{$GroupID} ); 287 288 $Self->True( 289 $PermissionMatch, 290 "PermissionUserGet() - permission $Permission must be set to $PermissionSet for user ID $UserID and group ID $GroupID" 291 ); 292 } 293 } 294 } 295 296 # check involved users (PermissionUserInvolvedGet) 297 for my $UserID (@UserIDs) { 298 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 299 300 my %Users = $GroupObject->PermissionUserInvolvedGet( 301 UserID => $UserID, 302 Type => $Permission, 303 ); 304 305 my $PermissionSet = $PermissionTest->{Permissions}->{$Permission}; 306 307 # If user is not part of test, permission is expected to be not set 308 if ( !( grep {m/^$UserID$/} @{ $PermissionTest->{UserIDs} } ) ) { 309 $PermissionSet = 0; 310 } 311 312 my $NumberOfUsers = keys %Users; 313 my $NumberOfExpectedUsers = $PermissionSet 314 ? @{ $PermissionTest->{UserIDs} } 315 : 0; 316 317 my $UsersCorrect = 1; 318 if ( $NumberOfUsers != $NumberOfExpectedUsers ) { 319 $UsersCorrect = 0; 320 } 321 elsif ($NumberOfUsers) { 322 323 # check if the user IDs match 324 PERMISSIONTESTUSERID: 325 for my $PermissionTestUserID ( @{ $PermissionTest->{UserIDs} } ) { 326 if ( !exists $Users{$PermissionTestUserID} ) { 327 $UsersCorrect = 0; 328 last PERMISSIONTESTUSERID; 329 } 330 } 331 } 332 333 $Self->True( 334 $UsersCorrect, 335 "PermissionUserInvolvedGet() - involved users must be correct for permission $Permission and user ID $UserID" 336 ); 337 } 338 } 339 340 # check if users are assigned to the groups (PermissionCheck) 341 for my $GroupName ( sort keys %GroupIDByGroupName ) { 342 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 343 344 my $GroupID = $GroupIDByGroupName{$GroupName}; 345 346 for my $UserLogin ( sort keys %UserIDByUserLogin ) { 347 348 my $UserID = $UserIDByUserLogin{$UserLogin}; 349 350 my $PermissionResult = $GroupObject->PermissionCheck( 351 UserID => $UserID, 352 GroupName => $GroupName, 353 Type => $Permission, 354 ) // 0; 355 356 my $PermissionSet = $PermissionTest->{Permissions}->{$Permission}; 357 358 # If user or group is not part of test, permission is expected to be not set 359 if ( 360 !( grep {m/^$GroupID$/} @{ $PermissionTest->{GroupIDs} } ) 361 || !( grep {m/^$UserID$/} @{ $PermissionTest->{UserIDs} } ) 362 ) 363 { 364 $PermissionSet = 0; 365 } 366 367 $Self->Is( 368 $PermissionResult, 369 $PermissionSet, 370 "PermissionCheck() - permission $Permission must be set to $PermissionSet for user ID $UserID and group ID $GroupID" 371 ); 372 } 373 } 374 } 375 376 # remove permissions for all test groups and test users 377 my %PermissionsRemoved; 378 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 379 $PermissionsRemoved{$Permission} = 0; 380 } 381 382 for my $UserID ( @{ $PermissionTest->{UserIDs} } ) { 383 for my $GroupID ( @{ $PermissionTest->{GroupIDs} } ) { 384 my $Success = $GroupObject->PermissionGroupUserAdd( 385 GID => $GroupID, 386 UID => $UserID, 387 Permission => \%PermissionsRemoved, 388 UserID => 1, 389 ); 390 391 $Self->True( 392 $Success, 393 "PermissionGroupUserAdd() - remove permissions for group ID $GroupID and user ID $UserID" 394 ); 395 } 396 } 397 398 # check that all test users have been removed from the groups (PermissionGroupUserGet) 399 for my $GroupID (@GroupIDs) { 400 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 401 402 my %UserList = $GroupObject->PermissionGroupUserGet( 403 GroupID => $GroupID, 404 Type => $Permission, 405 ); 406 407 for my $UserLogin ( sort keys %UserIDByUserLogin ) { 408 my $UserID = $UserIDByUserLogin{$UserLogin}; 409 410 my $PermissionMatch = !exists $UserList{$UserID}; 411 412 $Self->True( 413 $PermissionMatch, 414 "PermissionGroupUserGet() - permission $Permission must not be set for user ID $UserID and group ID $GroupID" 415 ); 416 } 417 } 418 } 419 420 # check if groups have been removed from users (PermissionGroupGet) 421 for my $GroupID (@GroupIDs) { 422 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 423 424 my %UserList = $GroupObject->PermissionGroupGet( 425 GroupID => $GroupID, 426 Type => $Permission, 427 ); 428 429 for my $UserLogin ( sort keys %UserIDByUserLogin ) { 430 my $UserID = $UserIDByUserLogin{$UserLogin}; 431 432 $Self->False( 433 exists $UserList{$UserID}, 434 "PermissionGroupGet() - permission $Permission must be set to 0 for user ID $UserID and group ID $GroupID" 435 ); 436 } 437 } 438 } 439 440 # check if groups have been removed from users via roles (PermissionUserGet) 441 for my $UserID (@UserIDs) { 442 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 443 444 my %GroupList = $GroupObject->PermissionUserGet( 445 UserID => $UserID, 446 Type => $Permission, 447 ); 448 449 for my $GroupName ( sort keys %GroupIDByGroupName ) { 450 my $GroupID = $GroupIDByGroupName{$GroupName}; 451 452 $Self->False( 453 exists $GroupList{$GroupID}, 454 "PermissionUserGet() - permission $Permission must be set to 0 for user ID $UserID and group ID $GroupID" 455 ); 456 } 457 } 458 } 459} 460 461# 462# Permission tests (users and roles) 463# 464my @UserRolePermissionTests = ( 465 { 466 RoleIDs => [ 467 $RoleIDs[0], 468 ], 469 UserIDs => [ 470 $UserIDs[1], $UserIDs[2], 471 ], 472 }, 473 { 474 RoleIDs => [ 475 $RoleIDs[0], $RoleIDs[2], 476 ], 477 UserIDs => [ 478 $UserIDs[0], 479 ], 480 }, 481 { 482 RoleIDs => [ 483 $RoleIDs[0], $RoleIDs[2], 484 ], 485 UserIDs => [ 486 $UserIDs[0], 487 ], 488 }, 489 { 490 RoleIDs => [ 491 $RoleIDs[0], $RoleIDs[1], $RoleIDs[2], 492 ], 493 UserIDs => [ 494 $UserIDs[0], $UserIDs[1], $UserIDs[2], 495 ], 496 }, 497); 498 499for my $PermissionTest (@UserRolePermissionTests) { 500 501 # add users to roles 502 for my $UserID ( @{ $PermissionTest->{UserIDs} } ) { 503 for my $RoleID ( @{ $PermissionTest->{RoleIDs} } ) { 504 my $Success = $GroupObject->PermissionRoleUserAdd( 505 RID => $RoleID, 506 UID => $UserID, 507 Active => 1, 508 UserID => 1, 509 ); 510 511 $Self->True( 512 $Success, 513 "PermissionRoleUserAdd() - add permission for role ID $RoleID and user ID $UserID" 514 ); 515 } 516 } 517 518 # check if users are assigned to the roles (PermissionRoleUserGet) 519 for my $RoleID (@RoleIDs) { 520 my %UserList = $GroupObject->PermissionRoleUserGet( 521 RoleID => $RoleID, 522 ); 523 524 for my $UserLogin ( sort keys %UserIDByUserLogin ) { 525 my $UserID = $UserIDByUserLogin{$UserLogin}; 526 527 my $PermissionSet = 1; 528 529 # If user or role is not part of test, permission is expected to be not set 530 if ( 531 !( grep {m/^$RoleID$/} @{ $PermissionTest->{RoleIDs} } ) 532 || !( grep {m/^$UserID$/} @{ $PermissionTest->{UserIDs} } ) 533 ) 534 { 535 $PermissionSet = 0; 536 } 537 538 my $PermissionMatch = ( $PermissionSet && exists $UserList{$UserID} && $UserList{$UserID} eq $UserLogin ) 539 || ( !$PermissionSet && !exists $UserList{$UserID} ); 540 541 $Self->True( 542 $PermissionMatch, 543 "PermissionRoleUserGet() - permission for role must be set to $PermissionSet for user ID $UserID and role ID $RoleID" 544 ); 545 } 546 } 547 548 # check if roles are assigned to the users (PermissionUserRoleGet) 549 for my $UserID (@UserIDs) { 550 my %RoleList = $GroupObject->PermissionUserRoleGet( 551 UserID => $UserID, 552 ); 553 554 for my $RoleName ( sort keys %RoleIDByRoleName ) { 555 my $RoleID = $RoleIDByRoleName{$RoleName}; 556 557 my $PermissionSet = 1; 558 559 # If user or role is not part of test, permission is expected to be not set 560 if ( 561 !( grep {m/^$RoleID$/} @{ $PermissionTest->{RoleIDs} } ) 562 || !( grep {m/^$UserID$/} @{ $PermissionTest->{UserIDs} } ) 563 ) 564 { 565 $PermissionSet = 0; 566 } 567 568 my $PermissionMatch = ( $PermissionSet && exists $RoleList{$RoleID} && $RoleList{$RoleID} eq $RoleName ) 569 || ( !$PermissionSet && !exists $RoleList{$RoleID} ); 570 571 $Self->True( 572 $PermissionMatch, 573 "PermissionUserRoleGet() - permission for role must be set to $PermissionSet for user ID $UserID and role ID $RoleID" 574 ); 575 } 576 } 577 578 # remove permissions for all test roles and test users 579 for my $UserID ( @{ $PermissionTest->{UserIDs} } ) { 580 for my $RoleID ( @{ $PermissionTest->{RoleIDs} } ) { 581 my $Success = $GroupObject->PermissionRoleUserAdd( 582 RID => $RoleID, 583 UID => $UserID, 584 Active => 0, 585 UserID => 1, 586 ); 587 588 $Self->True( 589 $Success, 590 "PermissionRoleUserAdd() - remove permissions for role ID $RoleID and user ID $UserID" 591 ); 592 } 593 } 594 595 # check that all test users have been removed from the roles (PermissionRoleUserGet) 596 for my $RoleID (@RoleIDs) { 597 my %UserList = $GroupObject->PermissionRoleUserGet( 598 RoleID => $RoleID, 599 ); 600 601 for my $UserLogin ( sort keys %UserIDByUserLogin ) { 602 my $UserID = $UserIDByUserLogin{$UserLogin}; 603 604 my $PermissionMatch = !exists $UserList{$UserID}; 605 606 $Self->True( 607 $PermissionMatch, 608 "PermissionRoleUserGet() - permission for role must not be set for user ID $UserID and role ID $RoleID" 609 ); 610 } 611 } 612} 613 614# 615# Permission tests (users and roles via groups) 616# 617my @UserRoleGroupPermissionTests = ( 618 { 619 RoleIDs => [ 620 $RoleIDs[0], $RoleIDs[1], 621 ], 622 UserIDs => [ 623 $UserIDs[0], $UserIDs[1], 624 ], 625 GroupIDs => [ 626 $GroupIDs[1], $GroupIDs[2], 627 ], 628 Permissions => { 629 ro => 1, 630 move_into => 1, 631 create => 1, 632 owner => 1, 633 priority => 0, 634 rw => 0, 635 }, 636 }, 637 { 638 RoleIDs => [ 639 $RoleIDs[1], 640 ], 641 UserIDs => [ 642 $UserIDs[2], 643 ], 644 GroupIDs => [ 645 $GroupIDs[2], 646 ], 647 Permissions => { 648 ro => 0, 649 move_into => 1, 650 create => 0, 651 owner => 1, 652 priority => 0, 653 rw => 0, 654 }, 655 }, 656 { 657 RoleIDs => [ 658 $RoleIDs[0], $RoleIDs[2], 659 ], 660 UserIDs => [ 661 $UserIDs[0], 662 ], 663 GroupIDs => [ 664 $GroupIDs[0], $GroupIDs[2], 665 ], 666 Permissions => { 667 ro => 1, 668 move_into => 1, 669 create => 1, 670 owner => 1, 671 priority => 1, 672 rw => 1, 673 }, 674 }, 675 { 676 RoleIDs => [ 677 $RoleIDs[0], $RoleIDs[1], $RoleIDs[2], 678 ], 679 UserIDs => [ 680 $UserIDs[0], $UserIDs[1], $UserIDs[2], 681 ], 682 GroupIDs => [ 683 $GroupIDs[0], $GroupIDs[1], $GroupIDs[2], 684 ], 685 Permissions => { 686 ro => 0, 687 move_into => 1, 688 create => 0, 689 owner => 0, 690 priority => 0, 691 rw => 0, 692 }, 693 }, 694); 695 696for my $PermissionTest (@UserRoleGroupPermissionTests) { 697 698 # add roles to groups 699 for my $RoleID ( @{ $PermissionTest->{RoleIDs} } ) { 700 for my $GroupID ( @{ $PermissionTest->{GroupIDs} } ) { 701 my $Success = $GroupObject->PermissionGroupRoleAdd( 702 GID => $GroupID, 703 RID => $RoleID, 704 Permission => $PermissionTest->{Permissions}, 705 UserID => 1, 706 ); 707 708 $Self->True( 709 $Success, 710 "PermissionGroupRoleAdd() - add permissions for group ID $GroupID and role ID $RoleID" 711 ); 712 } 713 } 714 715 # check if roles are assigned to the groups (PermissionGroupRoleGet) 716 for my $GroupID (@GroupIDs) { 717 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 718 719 my %RoleList = $GroupObject->PermissionGroupRoleGet( 720 GroupID => $GroupID, 721 Type => $Permission, 722 ); 723 724 for my $RoleName ( sort keys %RoleIDByRoleName ) { 725 my $RoleID = $RoleIDByRoleName{$RoleName}; 726 727 my $PermissionSet = $PermissionTest->{Permissions}->{$Permission}; 728 729 # If role or group is not part of test, permission is expected to be not set 730 if ( 731 !( grep {m/^$GroupID$/} @{ $PermissionTest->{GroupIDs} } ) 732 || !( grep {m/^$RoleID$/} @{ $PermissionTest->{RoleIDs} } ) 733 ) 734 { 735 $PermissionSet = 0; 736 } 737 738 my $PermissionMatch = ( $PermissionSet && exists $RoleList{$RoleID} && $RoleList{$RoleID} eq $RoleName ) 739 || ( !$PermissionSet && !exists $RoleList{$RoleID} ); 740 741 $Self->True( 742 $PermissionMatch, 743 "PermissionGroupRoleGet() - permission $Permission must be set to $PermissionSet for role ID $RoleID and group ID $GroupID" 744 ); 745 } 746 } 747 } 748 749 # check if groups are assigned to the roles (PermissionRoleGroupGet) 750 for my $RoleID (@RoleIDs) { 751 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 752 753 my %GroupList = $GroupObject->PermissionRoleGroupGet( 754 RoleID => $RoleID, 755 Type => $Permission, 756 ); 757 758 for my $GroupName ( sort keys %GroupIDByGroupName ) { 759 my $GroupID = $GroupIDByGroupName{$GroupName}; 760 761 my $PermissionSet = $PermissionTest->{Permissions}->{$Permission}; 762 763 # If role or group is not part of test, permission is expected to be not set 764 if ( 765 !( grep {m/^$GroupID$/} @{ $PermissionTest->{GroupIDs} } ) 766 || !( grep {m/^$RoleID$/} @{ $PermissionTest->{RoleIDs} } ) 767 ) 768 { 769 $PermissionSet = 0; 770 } 771 772 my $PermissionMatch 773 = ( $PermissionSet && exists $GroupList{$GroupID} && $GroupList{$GroupID} eq $GroupName ) 774 || ( !$PermissionSet && !exists $GroupList{$GroupID} ); 775 776 $Self->True( 777 $PermissionMatch, 778 "PermissionRoleGroupGet() - permission $Permission must be set to $PermissionSet for role ID $RoleID and group ID $GroupID" 779 ); 780 } 781 } 782 } 783 784 # add users to roles 785 for my $UserID ( @{ $PermissionTest->{UserIDs} } ) { 786 for my $RoleID ( @{ $PermissionTest->{RoleIDs} } ) { 787 my $Success = $GroupObject->PermissionRoleUserAdd( 788 RID => $RoleID, 789 UID => $UserID, 790 Active => 1, 791 UserID => 1, 792 ); 793 794 $Self->True( 795 $Success, 796 "PermissionRoleUserAdd() - add permission for role ID $RoleID and user ID $UserID" 797 ); 798 } 799 } 800 801 # check if groups are assigned to users via roles (PermissionGroupGet) 802 for my $GroupID (@GroupIDs) { 803 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 804 805 my %UserList = $GroupObject->PermissionGroupGet( 806 GroupID => $GroupID, 807 Type => $Permission, 808 ); 809 810 for my $UserLogin ( sort keys %UserIDByUserLogin ) { 811 my $UserID = $UserIDByUserLogin{$UserLogin}; 812 813 my $PermissionSet = $PermissionTest->{Permissions}->{$Permission}; 814 815 # If user or group is not part of test, permission is expected to be not set 816 if ( 817 !( grep {m/^$GroupID$/} @{ $PermissionTest->{GroupIDs} } ) 818 || !( grep {m/^$UserID$/} @{ $PermissionTest->{UserIDs} } ) 819 ) 820 { 821 $PermissionSet = 0; 822 } 823 824 my $PermissionMatch 825 = ( $PermissionSet && exists $UserList{$UserID} && $UserList{$UserID} eq $UserLogin ) 826 || ( !$PermissionSet && !exists $UserList{$UserID} ); 827 828 $Self->True( 829 $PermissionMatch, 830 "PermissionGroupGet() - permission $Permission must be set to $PermissionSet for user ID $UserID and group ID $GroupID" 831 ); 832 } 833 } 834 } 835 836 # check if groups are assigned to users via roles (PermissionUserGet) 837 for my $UserID (@UserIDs) { 838 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 839 840 my %GroupList = $GroupObject->PermissionUserGet( 841 UserID => $UserID, 842 Type => $Permission, 843 ); 844 845 for my $GroupName ( sort keys %GroupIDByGroupName ) { 846 my $GroupID = $GroupIDByGroupName{$GroupName}; 847 848 my $PermissionSet = $PermissionTest->{Permissions}->{$Permission}; 849 850 # If user or group is not part of test, permission is expected to be not set 851 if ( 852 !( grep {m/^$GroupID$/} @{ $PermissionTest->{GroupIDs} } ) 853 || !( grep {m/^$UserID$/} @{ $PermissionTest->{UserIDs} } ) 854 ) 855 { 856 $PermissionSet = 0; 857 } 858 859 my $PermissionMatch 860 = ( $PermissionSet && exists $GroupList{$GroupID} && $GroupList{$GroupID} eq $GroupName ) 861 || ( !$PermissionSet && !exists $GroupList{$GroupID} ); 862 863 $Self->True( 864 $PermissionMatch, 865 "PermissionUserGet() - permission $Permission must be set to $PermissionSet for user ID $UserID and group ID $GroupID" 866 ); 867 } 868 } 869 } 870 871 # remove roles from users 872 for my $UserID ( @{ $PermissionTest->{UserIDs} } ) { 873 for my $RoleID ( @{ $PermissionTest->{RoleIDs} } ) { 874 my $Success = $GroupObject->PermissionRoleUserAdd( 875 RID => $RoleID, 876 UID => $UserID, 877 Active => 0, 878 UserID => 1, 879 ); 880 881 $Self->True( 882 $Success, 883 "PermissionRoleUserAdd() - remove permissions for role ID $RoleID and user ID $UserID" 884 ); 885 } 886 } 887 888 # check if groups have been removed from users via roles (PermissionGroupGet) 889 for my $GroupID (@GroupIDs) { 890 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 891 892 my %UserList = $GroupObject->PermissionGroupGet( 893 GroupID => $GroupID, 894 Type => $Permission, 895 ); 896 897 for my $UserLogin ( sort keys %UserIDByUserLogin ) { 898 my $UserID = $UserIDByUserLogin{$UserLogin}; 899 900 $Self->False( 901 exists $UserList{$UserID}, 902 "PermissionGroupGet() - permission $Permission must be set to 0 for user ID $UserID and group ID $GroupID" 903 ); 904 } 905 } 906 } 907 908 # check if groups have been removed from users via roles (PermissionUserGet) 909 for my $UserID (@UserIDs) { 910 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 911 912 my %GroupList = $GroupObject->PermissionUserGet( 913 UserID => $UserID, 914 Type => $Permission, 915 ); 916 917 for my $GroupName ( sort keys %GroupIDByGroupName ) { 918 my $GroupID = $GroupIDByGroupName{$GroupName}; 919 920 $Self->False( 921 exists $GroupList{$GroupID}, 922 "PermissionUserGet() - permission $Permission must be set to 0 for user ID $UserID and group ID $GroupID" 923 ); 924 } 925 } 926 } 927 928 # remove permissions for all test groups and test roles 929 my %PermissionsRemoved; 930 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 931 $PermissionsRemoved{$Permission} = 0; 932 } 933 934 for my $RoleID ( @{ $PermissionTest->{RoleIDs} } ) { 935 for my $GroupID ( @{ $PermissionTest->{GroupIDs} } ) { 936 my $Success = $GroupObject->PermissionGroupRoleAdd( 937 GID => $GroupID, 938 RID => $RoleID, 939 Permission => \%PermissionsRemoved, 940 UserID => 1, 941 ); 942 943 $Self->True( 944 $Success, 945 "PermissionGroupRoleAdd() - remove permissions for group ID $GroupID and role ID $RoleID" 946 ); 947 } 948 } 949 950 # check that all test roles have been removed from the groups (PermissionGroupRoleGet) 951 for my $GroupID (@GroupIDs) { 952 for my $Permission ( sort keys %{ $PermissionTest->{Permissions} } ) { 953 954 my %RoleList = $GroupObject->PermissionGroupRoleGet( 955 GroupID => $GroupID, 956 Type => $Permission, 957 ); 958 959 for my $RoleName ( sort keys %RoleIDByRoleName ) { 960 my $RoleID = $RoleIDByRoleName{$RoleName}; 961 962 my $PermissionMatch = !exists $RoleList{$RoleID}; 963 964 $Self->True( 965 $PermissionMatch, 966 "PermissionGroupRoleGet() - permission $Permission must not be set for role ID $RoleID and group ID $GroupID" 967 ); 968 } 969 } 970 } 971} 972 973# cleanup is done by RestoreDatabase 974 9751; 976