cacert-testmgr/external/ZendFramework-1.9.5/tests/Zend/Ldap/CanonTest.php

403 lines
17 KiB
PHP
Raw Permalink Normal View History

<?php
/**
* Zend Framework
*
* LICENSE
*
* This source file is subject to the new BSD license that is bundled
* with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://framework.zend.com/license/new-bsd
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@zend.com so we can send you a copy immediately.
*
* @category Zend
* @package Zend_Ldap
* @subpackage UnitTests
* @copyright Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
* @version $Id: CanonTest.php 17363 2009-08-03 07:40:18Z bkarwin $
*/
/**
* Test helper
*/
require_once dirname(__FILE__) . '/../../TestHelper.php';
/**
* Zend_Ldap
*/
require_once 'Zend/Ldap.php';
/* Note: The ldap_connect function does not actually try to connect. This
* is why many tests attempt to bind with invalid credentials. If the
* bind returns 'Invalid credentials' we know the transport related work
* was successful.
*/
/**
* @category Zend
* @package Zend_Ldap
* @subpackage UnitTests
* @copyright Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
* @group Zend_Ldap
*/
class Zend_Ldap_CanonTest extends PHPUnit_Framework_TestCase
{
protected $_options = null;
public function setUp()
{
$this->_options = array(
'host' => TESTS_ZEND_LDAP_HOST,
'username' => TESTS_ZEND_LDAP_USERNAME,
'password' => TESTS_ZEND_LDAP_PASSWORD,
'baseDn' => TESTS_ZEND_LDAP_BASE_DN,
);
if (defined('TESTS_ZEND_LDAP_PORT'))
$this->_options['port'] = TESTS_ZEND_LDAP_PORT;
if (defined('TESTS_ZEND_LDAP_USE_START_TLS'))
$this->_options['useStartTls'] = TESTS_ZEND_LDAP_USE_START_TLS;
if (defined('TESTS_ZEND_LDAP_USE_SSL'))
$this->_options['useSsl'] = TESTS_ZEND_LDAP_USE_SSL;
if (defined('TESTS_ZEND_LDAP_BIND_REQUIRES_DN'))
$this->_options['bindRequiresDn'] = TESTS_ZEND_LDAP_BIND_REQUIRES_DN;
if (defined('TESTS_ZEND_LDAP_ACCOUNT_FILTER_FORMAT'))
$this->_options['accountFilterFormat'] = TESTS_ZEND_LDAP_ACCOUNT_FILTER_FORMAT;
if (defined('TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME'))
$this->_options['accountDomainName'] = TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME;
if (defined('TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT'))
$this->_options['accountDomainNameShort'] = TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT;
}
public function testPlainCanon()
{
$ldap = new Zend_Ldap($this->_options);
/* This test tries to canonicalize each name (uname, uname@example.com,
* EXAMPLE\uname) to each of the 3 forms (username, principal and backslash)
* for a total of canonicalizations.
*/
if (defined('TESTS_ZEND_LDAP_ALT_USERNAME')) {
$names[Zend_Ldap::ACCTNAME_FORM_USERNAME] = TESTS_ZEND_LDAP_ALT_USERNAME;
if (defined('TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME')) {
$names[Zend_Ldap::ACCTNAME_FORM_PRINCIPAL] =
TESTS_ZEND_LDAP_ALT_USERNAME . '@' . TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME;
}
if (defined('TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT')) {
$names[Zend_Ldap::ACCTNAME_FORM_BACKSLASH] =
TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT . '\\' . TESTS_ZEND_LDAP_ALT_USERNAME;
}
}
foreach ($names as $_form => $name) {
foreach ($names as $form => $_name) {
$ret = $ldap->getCanonicalAccountName($name, $form);
$this->assertEquals($names[$form], $ret);
}
}
}
public function testInvalidAccountCanon()
{
$ldap = new Zend_Ldap($this->_options);
try {
$ldap->bind('invalid', 'invalid');
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$msg = $zle->getMessage();
$this->assertTrue(strstr($msg, 'Invalid credentials') ||
strstr($msg, 'No such object') ||
strstr($msg, 'No object found'));
}
}
public function testDnCanon()
{
$ldap = new Zend_Ldap($this->_options);
$name = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME, Zend_Ldap::ACCTNAME_FORM_DN);
$this->assertEquals(TESTS_ZEND_LDAP_ALT_DN, $name);
}
public function testMismatchDomainBind()
{
$ldap = new Zend_Ldap($this->_options);
try {
$ldap->bind('BOGUS\\doesntmatter', 'doesntmatter');
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertTrue($zle->getCode() == Zend_Ldap_Exception::LDAP_X_DOMAIN_MISMATCH);
}
}
public function testAccountCanonization()
{
$options = $this->_options;
$ldap = new Zend_Ldap($options);
$canonDn = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME,
Zend_Ldap::ACCTNAME_FORM_DN);
$this->assertEquals(TESTS_ZEND_LDAP_ALT_DN, $canonDn);
$canonUsername = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME,
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->assertEquals(TESTS_ZEND_LDAP_ALT_USERNAME, $canonUsername);
$canonBackslash = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME,
Zend_Ldap::ACCTNAME_FORM_BACKSLASH);
$this->assertEquals(
TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT . '\\' . TESTS_ZEND_LDAP_ALT_USERNAME,
$canonBackslash);
$canonPrincipal = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME,
Zend_Ldap::ACCTNAME_FORM_PRINCIPAL);
$this->assertEquals(
TESTS_ZEND_LDAP_ALT_USERNAME . '@' . TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME,
$canonPrincipal);
$options['accountCanonicalForm'] = Zend_Ldap::ACCTNAME_FORM_USERNAME;
$ldap->setOptions($options);
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME);
$this->assertEquals(TESTS_ZEND_LDAP_ALT_USERNAME, $canon);
$options['accountCanonicalForm'] = Zend_Ldap::ACCTNAME_FORM_BACKSLASH;
$ldap->setOptions($options);
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME);
$this->assertEquals(
TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT . '\\' . TESTS_ZEND_LDAP_ALT_USERNAME, $canon);
$options['accountCanonicalForm'] = Zend_Ldap::ACCTNAME_FORM_PRINCIPAL;
$ldap->setOptions($options);
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME);
$this->assertEquals(
TESTS_ZEND_LDAP_ALT_USERNAME . '@' . TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME, $canon);
unset($options['accountCanonicalForm']);
unset($options['accountDomainName']);
$ldap->setOptions($options);
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME);
$this->assertEquals(
TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT . '\\' . TESTS_ZEND_LDAP_ALT_USERNAME, $canon);
unset($options['accountDomainNameShort']);
$ldap->setOptions($options);
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME);
$this->assertEquals(TESTS_ZEND_LDAP_ALT_USERNAME, $canon);
$options['accountDomainName'] = TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME;
$ldap->setOptions($options);
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME);
$this->assertEquals(
TESTS_ZEND_LDAP_ALT_USERNAME . '@' . TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME, $canon);
}
public function testDefaultAccountFilterFormat()
{
$options = $this->_options;
unset($options['accountFilterFormat']);
$options['bindRequiresDn'] = true;
$ldap = new Zend_Ldap($options);
try {
$canon = $ldap->getCanonicalAccountName('invalid', Zend_Ldap::ACCTNAME_FORM_DN);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('(&(objectClass=posixAccount)(uid=invalid))', $zle->getMessage());
}
$options['bindRequiresDn'] = false;
$ldap = new Zend_Ldap($options);
try {
$canon = $ldap->getCanonicalAccountName('invalid', Zend_Ldap::ACCTNAME_FORM_DN);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('(&(objectClass=user)(sAMAccountName=invalid))', $zle->getMessage());
}
}
public function testPossibleAuthority()
{
$options = $this->_options;
$ldap = new Zend_Ldap($options);
try {
$canon = $ldap->getCanonicalAccountName('invalid\invalid',
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('Binding domain is not an authority for user: invalid\invalid',
$zle->getMessage());
}
try {
$canon = $ldap->getCanonicalAccountName('invalid@invalid.tld',
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('Binding domain is not an authority for user: invalid@invalid.tld',
$zle->getMessage());
}
unset($options['accountDomainName']);
$ldap = new Zend_Ldap($options);
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT . '\invalid',
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->assertEquals('invalid', $canon);
try {
$canon = $ldap->getCanonicalAccountName('invalid@' . TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME,
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('Binding domain is not an authority for user: invalid@' .
TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME,
$zle->getMessage());
}
unset($options['accountDomainNameShort']);
$options['accountDomainName'] = TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME;
$ldap = new Zend_Ldap($options);
try {
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT . '\invalid',
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('Binding domain is not an authority for user: ' .
TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT . '\invalid',
$zle->getMessage());
}
$canon = $ldap->getCanonicalAccountName('invalid@' . TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME,
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->assertEquals('invalid', $canon);
unset($options['accountDomainName']);
$ldap = new Zend_Ldap($options);
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT . '\invalid',
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->assertEquals('invalid', $canon);
$canon = $ldap->getCanonicalAccountName('invalid@' . TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME,
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->assertEquals('invalid', $canon);
}
public function testInvalidAccountName()
{
$options = $this->_options;
$ldap = new Zend_Ldap($options);
try {
$canon = $ldap->getCanonicalAccountName('0@' . TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME,
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('Invalid account name syntax: 0@' .
TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME,
$zle->getMessage());
}
try {
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT . '\\0',
Zend_Ldap::ACCTNAME_FORM_USERNAME);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('Invalid account name syntax: ' .
TESTS_ZEND_LDAP_ACCOUNT_DOMAIN_NAME_SHORT . '\\0',
$zle->getMessage());
}
}
public function testGetUnknownCanonicalForm()
{
$options = $this->_options;
$ldap = new Zend_Ldap($options);
try {
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME, 99);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('Unknown canonical name form: 99',
$zle->getMessage());
}
}
public function testGetUnavailableCanoncialForm()
{
$options = $this->_options;
unset($options['accountDomainName']);
$ldap = new Zend_Ldap($options);
try {
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME,
Zend_Ldap::ACCTNAME_FORM_PRINCIPAL);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('Option required: accountDomainName',
$zle->getMessage());
}
unset($options['accountDomainNameShort']);
$ldap = new Zend_Ldap($options);
try {
$canon = $ldap->getCanonicalAccountName(TESTS_ZEND_LDAP_ALT_USERNAME,
Zend_Ldap::ACCTNAME_FORM_BACKSLASH);
$this->fail('Expected exception not thrown');
} catch (Zend_Ldap_Exception $zle) {
$this->assertContains('Option required: accountDomainNameShort',
$zle->getMessage());
}
}
public function testSplittingOption()
{
$options = $this->_options;
unset($options['accountDomainName']);
unset($options['accountDomainNameShort']);
$options['tryUsernameSplit'] = true;
$ldap = new Zend_Ldap($options);
$this->assertEquals('username', $ldap->getCanonicalAccountName('username@example.com',
Zend_Ldap::ACCTNAME_FORM_USERNAME));
$this->assertEquals('username', $ldap->getCanonicalAccountName('EXAMPLE\username',
Zend_Ldap::ACCTNAME_FORM_USERNAME));
$this->assertEquals('username', $ldap->getCanonicalAccountName('username',
Zend_Ldap::ACCTNAME_FORM_USERNAME));
$options['tryUsernameSplit'] = false;
$ldap = new Zend_Ldap($options);
$this->assertEquals('username@example.com',
$ldap->getCanonicalAccountName('username@example.com', Zend_Ldap::ACCTNAME_FORM_USERNAME));
$this->assertEquals('example\username', $ldap->getCanonicalAccountName('EXAMPLE\username',
Zend_Ldap::ACCTNAME_FORM_USERNAME));
$this->assertEquals('username', $ldap->getCanonicalAccountName('username',
Zend_Ldap::ACCTNAME_FORM_USERNAME));
}
/**
* ZF-4495
*/
public function testSpecialCharacterInUsername()
{
$options = $this->_options;
$options['accountDomainName'] = 'example.com';
$options['accountDomainNameShort'] = 'EXAMPLE';
$ldap = new Zend_Ldap($options);
$this->assertEquals('schäfer', $ldap->getCanonicalAccountName('SCHÄFER@example.com',
Zend_Ldap::ACCTNAME_FORM_USERNAME));
$this->assertEquals('schäfer', $ldap->getCanonicalAccountName('EXAMPLE\SCHÄFER',
Zend_Ldap::ACCTNAME_FORM_USERNAME));
$this->assertEquals('schäfer', $ldap->getCanonicalAccountName('SCHÄFER',
Zend_Ldap::ACCTNAME_FORM_USERNAME));
$this->assertEquals('schäfer@example.com', $ldap->getCanonicalAccountName('SCHÄFER@example.com',
Zend_Ldap::ACCTNAME_FORM_PRINCIPAL));
$this->assertEquals('schäfer@example.com', $ldap->getCanonicalAccountName('EXAMPLE\SCHÄFER',
Zend_Ldap::ACCTNAME_FORM_PRINCIPAL));
$this->assertEquals('schäfer@example.com', $ldap->getCanonicalAccountName('SCHÄFER',
Zend_Ldap::ACCTNAME_FORM_PRINCIPAL));
$this->assertEquals('EXAMPLE\schäfer', $ldap->getCanonicalAccountName('SCHÄFER@example.com',
Zend_Ldap::ACCTNAME_FORM_BACKSLASH));
$this->assertEquals('EXAMPLE\schäfer', $ldap->getCanonicalAccountName('EXAMPLE\SCHÄFER',
Zend_Ldap::ACCTNAME_FORM_BACKSLASH));
$this->assertEquals('EXAMPLE\schäfer', $ldap->getCanonicalAccountName('SCHÄFER',
Zend_Ldap::ACCTNAME_FORM_BACKSLASH));
}
}