add tests for approving, denying PI membership requests (#198)

simonLeary42 · web-flow · commit e614cdcd3837 · 2025-04-30T15:42:45.000-04:00
* add tests for approving, denying PI membership requests

* use uids instead of objects for assertions

* add tests for removing group members

* unityLDAP use its own getEntry method

* write test for PI group disband (requires changes in phpopenldaper)

* remove print debugging

* add comment

* remove checks on write success

* add phpopenldaper as a submodule

* make sure github actions does recursive checkout

* remove junk submodule

* update submodule

* phpcs:disable not needed in test/

* new exception type

* no more delete return success

* update submodule

* ignore phpunit result cache

* PI disbanding has been removed

* revert redirect changes

* remove old submodule

* revert gitignore change

* revert autoload change
diff --git a/resources/lib/UnityGroup.php b/resources/lib/UnityGroup.php
@@ -218,8 +218,7 @@ public function denyGroup($operator = null, $send_mail = true)
     //     // now we delete the ldap entry
     //     $ldapPiGroupEntry = $this->getLDAPPiGroup();
     //     if ($ldapPiGroupEntry->exists()) {
-    //         ldapPiGroupEntry->delete();
-
+    //         $ldapPiGroupEntry->delete();
     //         $this->REDIS->removeCacheArray("sorted_groups", "", $this->getPIUID());
     //         foreach ($users as $user) {
     //             $this->REDIS->removeCacheArray($user->getUID(), "groups", $this->getPIUID());
diff --git a/resources/lib/UnityLDAP.php b/resources/lib/UnityLDAP.php
@@ -312,28 +312,24 @@ public function getAllOrgGroups($UnitySQL, $UnityMailer, $UnityRedis, $UnityWebh
     public function getUserEntry($uid)
     {
         $uid = ldap_escape($uid, LDAP_ESCAPE_DN);
-        $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$uid," . $this->STR_USEROU);
-        return $ldap_entry;
+        return $this->getEntry(unityLDAP::RDN . "=$uid," . $this->STR_USEROU);
     }
 
     public function getGroupEntry($gid)
     {
         $uid = ldap_escape($gid, LDAP_ESCAPE_DN);
-        $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$gid," . $this->STR_GROUPOU);
-        return $ldap_entry;
+        return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_GROUPOU);
     }
 
     public function getPIGroupEntry($gid)
     {
         $uid = ldap_escape($gid, LDAP_ESCAPE_DN);
-        $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$gid," . $this->STR_PIGROUPOU);
-        return $ldap_entry;
+        return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_PIGROUPOU);
     }
 
     public function getOrgGroupEntry($gid)
     {
         $uid = ldap_escape($gid, LDAP_ESCAPE_DN);
-        $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$gid," . $this->STR_ORGGROUPOU);
-        return $ldap_entry;
+        return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_ORGGROUPOU);
     }
 }
diff --git a/test/functional/LoginShellSetTest.php b/test/functional/LoginShellSetTest.php
@@ -23,9 +23,7 @@ public function tearDown(): void
     public static function getShells()
     {
         global $HTTP_HEADER_TEST_INPUTS;
-        // phpcs:disable
         return [["/bin/bash"]] + array_map(function($x){return [$x];}, $HTTP_HEADER_TEST_INPUTS);
-        // phpcs:enable
     }
 
     private function isShellValid(string $shell)
diff --git a/test/functional/PiMemberApproveTest.php b/test/functional/PiMemberApproveTest.php
@@ -0,0 +1,74 @@
+<?php
+
+use PHPUnit\Framework\TestCase;
+use PHPUnit\Framework\Attributes\DataProvider;
+use UnityWebPortal\lib\UnityUser;
+
+class PiMemberApproveTest extends TestCase {
+    static $requestUid;
+    static $noRequestUid;
+
+    public static function setUpBeforeClass(): void{
+        global $USER;
+        switchUser(...getNormalUser());
+        self::$requestUid = $USER->getUID();
+        switchUser(...getNormalUser2());
+        self::$noRequestUid = $USER->getUID();
+    }
+
+    private function approveUser(string $uid)
+    {
+        post(
+            __DIR__ . "/../../webroot/panel/pi.php",
+            ["form_type" => "userReq", "action" => "approve", "uid" => $uid]
+        );
+    }
+
+    public function testApproveRequest()
+    {
+        global $USER, $LDAP, $SQL, $MAILER, $REDIS, $WEBHOOK;
+        switchUser(...getUserIsPIHasNoMembersNoMemberRequests());
+        $pi = $USER;
+        $piGroup = $USER->getPIGroup();
+        $this->assertTrue($piGroup->exists());
+        $this->assertEquals([$pi->getUID()], $piGroup->getGroupMemberUIDs());
+        $this->assertEmpty($piGroup->getRequests());
+        $requestedUser = new UnityUser(self::$requestUid, $LDAP, $SQL, $MAILER, $REDIS, $WEBHOOK);
+        try {
+            $piGroup->newUserRequest($requestedUser);
+            $this->assertFalse($piGroup->userExists($requestedUser));
+
+            $piGroup->approveUser($requestedUser);
+            $this->assertEmpty($piGroup->getRequests());
+
+            $this->assertEquals([$pi->getUID(), self::$requestUid], $piGroup->getGroupMemberUIDs());
+            $this->assertTrue($piGroup->userExists($requestedUser));
+        } finally {
+            $piGroup->removeUser($requestedUser);
+            $SQL->removeRequest(self::$requestUid, $piGroup->getPIUID());
+        }
+    }
+
+    public function testApproveNonexistentRequest()
+    {
+        global $USER, $LDAP, $SQL, $MAILER, $REDIS, $WEBHOOK;
+        switchUser(...getUserIsPIHasNoMembersNoMemberRequests());
+        $pi = $USER;
+        $piGroup = $USER->getPIGroup();
+        $this->assertTrue($piGroup->exists());
+        $this->assertEquals([$pi->getUID()], $piGroup->getGroupMemberUIDs());
+        $this->assertEmpty($piGroup->getRequests());
+
+        $notRequestedUser = new UnityUser(self::$noRequestUid, $LDAP, $SQL, $MAILER, $REDIS, $WEBHOOK);
+        $this->assertFalse($piGroup->userExists($notRequestedUser));
+        $this->assertEmpty($piGroup->getRequests());
+
+        try {
+            $piGroup->approveUser($notRequestedUser);
+            $this->assertEquals([$pi->getUID()], $piGroup->getGroupMemberUIDs());
+            $this->assertFalse($piGroup->userExists($notRequestedUser));
+        } finally {
+            $piGroup->removeUser($notRequestedUser);
+        }
+    }
+}
diff --git a/test/functional/PiMemberDenyTest.php b/test/functional/PiMemberDenyTest.php
@@ -0,0 +1,46 @@
+<?php
+
+use PHPUnit\Framework\TestCase;
+use PHPUnit\Framework\Attributes\DataProvider;
+use UnityWebPortal\lib\UnityUser;
+
+class PiMemberDenyTest extends TestCase {
+    static $requestUid;
+
+    public static function setUpBeforeClass(): void{
+        global $USER;
+        switchUser(...getNormalUser());
+        self::$requestUid = $USER->getUID();
+    }
+
+    private function denyUser(string $uid)
+    {
+        post(
+            __DIR__ . "/../../webroot/panel/pi.php",
+            ["form_type" => "userReq", "action" => "approve", "uid" => $uid]
+        );
+    }
+
+    public function testDenyRequest()
+    {
+        global $USER, $LDAP, $SQL, $MAILER, $REDIS, $WEBHOOK;
+        switchUser(...getUserIsPIHasNoMembersNoMemberRequests());
+        $pi = $USER;
+        $piGroup = $USER->getPIGroup();
+        $this->assertTrue($piGroup->exists());
+        $this->assertEquals([$pi->getUID()], $piGroup->getGroupMemberUIDs());
+        $this->assertEmpty($piGroup->getRequests());
+        $requestedUser = new UnityUser(self::$requestUid, $LDAP, $SQL, $MAILER, $REDIS, $WEBHOOK);
+        try {
+            $piGroup->newUserRequest($requestedUser);
+            $this->assertFalse($piGroup->userExists($requestedUser));
+
+            $piGroup->denyUser($requestedUser);
+            $this->assertEmpty($piGroup->getRequests());
+            $this->assertEquals([$pi->getUID()], $piGroup->getGroupMemberUIDs());
+            $this->assertFalse($piGroup->userExists($requestedUser));
+        } finally {
+            $SQL->removeRequest(self::$requestUid, $piGroup->getPIUID());
+        }
+    }
+}
diff --git a/test/functional/PiRemoveUserTest.php b/test/functional/PiRemoveUserTest.php
@@ -0,0 +1,68 @@
+<?php
+
+use PHPUnit\Framework\TestCase;
+use PHPUnit\Framework\Attributes\DataProvider;
+use UnityWebPortal\lib\UnityUser;
+
+class PiRemoveUserTest extends TestCase {
+    private function removeUser(string $uid)
+    {
+        post(
+            __DIR__ . "/../../webroot/panel/pi.php",
+            ["form_name" => "remUser", "uid" => $uid]
+        );
+    }
+
+    public function testRemoveUser()
+    {
+        global $USER, $LDAP, $SQL, $MAILER, $REDIS, $WEBHOOK;
+        switchUser(...getUserIsPIHasAtLeastOneMember());
+        $pi = $USER;
+        $piUid = $USER->getUID();
+        $piGroup = $USER->getPIGroup();
+        $this->assertTrue($piGroup->exists());
+        $memberUIDs = $piGroup->getGroupMemberUIDs();
+        // the 0th member of the PI group is the PI
+        $this->assertGreaterThan(1, count($memberUIDs));
+        // the ordering of the uids in getGroupMemberUIDs is different each time
+        // use a linear search to find a user who is not the PI
+        $memberToDelete = null;
+        foreach ($memberUIDs as $uid) {
+            if ($uid != $piUid) {
+                $memberToDelete = new UnityUser($uid, $LDAP, $SQL, $MAILER, $REDIS, $WEBHOOK);
+                break;
+            }
+        }
+        $this->assertNotEquals($pi->getUID(), $memberToDelete->getUID());
+        $this->assertTrue($piGroup->userExists($memberToDelete));
+        try {
+            $this->removeUser($memberToDelete->getUID());
+            $this->assertFalse($piGroup->userExists($memberToDelete));
+        } finally {
+            if (!$piGroup->userExists($memberToDelete)) {
+                $piGroup->newUserRequest($memberToDelete);
+                $piGroup->approveUser($memberToDelete);
+            }
+        }
+    }
+
+    public function testRemovePIFromTheirOwnGroup()
+    {
+        global $USER, $LDAP, $SQL, $MAILER, $REDIS, $WEBHOOK;
+        switchUser(...getUserIsPIHasAtLeastOneMember());
+        $pi = $USER;
+        $piGroup = $USER->getPIGroup();
+        $this->assertTrue($piGroup->exists());
+        $this->assertTrue($piGroup->userExists($pi));
+        $this->expectException(Exception::class);
+        try {
+            $this->removeUser($pi->getUID());
+            $this->assertTrue($piGroup->userExists($pi));
+        } finally {
+            if (!$piGroup->userExists($pi)) {
+                $piGroup->newUserRequest($pi);
+                $piGroup->approveUser($pi);
+            }
+       }
+    }
+}
diff --git a/test/phpunit-bootstrap.php b/test/phpunit-bootstrap.php
@@ -106,6 +106,11 @@ function getNormalUser()
     return ["user2@org1.test", "foo", "bar", "user2@org1.test"];
 }
 
+function getNormalUser2()
+{
+    return ["user2@org1.test", "foo", "bar", "user2@org1.test"];
+}
+
 function getUserHasNotRequestedAccountDeletionHasGroup()
 {
     return ["user1@org1.test", "foo", "bar", "user1@org1.test"];
@@ -136,6 +141,16 @@ function getUserWithOneKey()
     return ["user5@org2.test", "foo", "bar", "user5@org2.test"];
 }
 
+function getUserIsPIHasNoMembersNoMemberRequests()
+{
+    return ["user5@org2.test", "foo", "bar", "user5@org2.test"];
+}
+
+function getUserIsPIHasAtLeastOneMember()
+{
+    return ["user1@org1.test", "foo", "bar", "user1@org1.test"];
+}
+
 function getNonExistentUser()
 {
     return ["user1@nonexistent.test", "foo", "bar", "user1@nonexistent.test"];
diff --git a/test/unit/AjaxSshValidateTest.php b/test/unit/AjaxSshValidateTest.php
@@ -12,9 +12,7 @@ public static function providerTestSshValidate()
         // sanity check only, see UnitySiteTest for more comprehensive test cases
         return [
             [false, "foobar"],
-            // phpcs:disable
             [true, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a"],
-            // phpcs:enable
         ];
     }
 
diff --git a/test/unit/UnityGithubTest.php b/test/unit/UnityGithubTest.php
@@ -17,9 +17,7 @@ public static function providerTestGetGithubKeys()
             # user with no keys
             ["sheldor1510", []],
             # user with 1 key
-            //phpcs:disable
             ["simonLeary42", ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGRl6JWPj+Gq2Lz9GjYdUl4/unLoFOyfgeiII1CxutpabPByRJbeuonR0zTpn51tZeYuAUOJBOeKt+Lj4i4UDGl6igpdXXSwkBXl7jxfRPwJ6WuTkDx7Z8ynwnqlDV2q089q4OX/b/uuHgsIhIBwrouKsRQaZIqTbwNMfiqQ2zl14V0KMrTPzOiwR6Q+hqSaR5Z29WKE7ff/OWzSC3/0T6avCmcCbQaRPJdVM+QC17B0vl8FzPwRjorMngwZ0cImdQ/0Ww1d12YAL7UWp1c2egfnthKP3MuQZnNF8ixsAk1eIIwTRdiI87BOoorW8NXhxXmhyheRCsFwyP4LJBqyUVoZJ0UYyk0AO4G9EStnfpiz8YXGK+M1G4tUrWgzs1cdjlHtgCWUmITtgabnYCC4141m7n4GZTk2H/lSrJcvAs3JEiwLTj1lzeGgzeSsz/XKsnOJyzjEVr2Jp3iT+J9PbQpfS0SxTCIGgxMqllovv79pfsF/zc+vaxqSShyHW7oyn7hLMHM60LO/IIX1RWGL3rD9ecXx2pXXQ1RhIkVteIi13XkFt+KW00cstFlAd3EHCoY/XorShd2jeID7tpnYlmNfotYUs6IKefvpNC0PWkh5UXFEv3SUfw4Wd8O0DiHfhkrhxn1W/GajqSIlZ5DKgPzFg8EHexv8lSa7WJg0H3YQ=="]]
-            //phpcs:enable
         ];
     }
 
diff --git a/tools/docker-dev/sql/bootstrap-users.sql b/tools/docker-dev/sql/bootstrap-users.sql
@@ -1 +1,6 @@
-INSERT INTO `account_deletion_requests` (`id`, `timestamp`, `uid`) VALUES (1, '1970-01-01 00:00:01', 'user4_org1_test');
+INSERT INTO `account_deletion_requests` (`id`, `timestamp`, `uid`) VALUES
+    (1, '1970-01-01 00:00:01', 'user4_org1_test');
+
+-- INSERT INTO `requests` (`id`, `request_for`, `uid`, `timestamp`) VALUES
+--     (1, 'pi_user1_org1_test', 'user6_org1_test', '1970-01-01 00:00:01'),
+--     (2, 'pi_user1_org1_test', 'user7_org1_test', '1970-01-01 00:00:01');

Original file line number	Diff line number	Diff line change
`@@ -312,28 +312,24 @@ public function getAllOrgGroups($UnitySQL, $UnityMailer, $UnityRedis, $UnityWebh`
`312`	`312`	`public function getUserEntry($uid)`
`313`	`313`	`{`
`314`	`314`	`$uid = ldap_escape($uid, LDAP_ESCAPE_DN);`
`315`		`- $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$uid," . $this->STR_USEROU);`
`316`		`- return $ldap_entry;`
	`315`	`+ return $this->getEntry(unityLDAP::RDN . "=$uid," . $this->STR_USEROU);`
`317`	`316`	`}`
`318`	`317`
`319`	`318`	`public function getGroupEntry($gid)`
`320`	`319`	`{`
`321`	`320`	`$uid = ldap_escape($gid, LDAP_ESCAPE_DN);`
`322`		`- $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$gid," . $this->STR_GROUPOU);`
`323`		`- return $ldap_entry;`
	`321`	`+ return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_GROUPOU);`
`324`	`322`	`}`
`325`	`323`
`326`	`324`	`public function getPIGroupEntry($gid)`
`327`	`325`	`{`
`328`	`326`	`$uid = ldap_escape($gid, LDAP_ESCAPE_DN);`
`329`		`- $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$gid," . $this->STR_PIGROUPOU);`
`330`		`- return $ldap_entry;`
	`327`	`+ return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_PIGROUPOU);`
`331`	`328`	`}`
`332`	`329`
`333`	`330`	`public function getOrgGroupEntry($gid)`
`334`	`331`	`{`
`335`	`332`	`$uid = ldap_escape($gid, LDAP_ESCAPE_DN);`
`336`		`- $ldap_entry = new LDAPEntry($this->getConn(), unityLDAP::RDN . "=$gid," . $this->STR_ORGGROUPOU);`
`337`		`- return $ldap_entry;`
	`333`	`+ return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_ORGGROUPOU);`
`338`	`334`	`}`
`339`	`335`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,9 +23,7 @@ public function tearDown(): void`
`23`	`23`	`public static function getShells()`
`24`	`24`	`{`
`25`	`25`	`global $HTTP_HEADER_TEST_INPUTS;`
`26`		`- // phpcs:disable`
`27`	`26`	`return [["/bin/bash"]] + array_map(function($x){return [$x];}, $HTTP_HEADER_TEST_INPUTS);`
`28`		`- // phpcs:enable`
`29`	`27`	`}`
`30`	`28`
`31`	`29`	`private function isShellValid(string $shell)`
-Original file line number
+Diff line change
     return ["[email protected]", "foo", "bar", "[email protected]"];
+}
 +function getNormalUser2()
 +{
 +    return ["[email protected]", "foo", "bar", "[email protected]"];
 +}
++
 function getUserHasNotRequestedAccountDeletionHasGroup()
+{
     return ["[email protected]", "foo", "bar", "[email protected]"];
     return ["[email protected]", "foo", "bar", "[email protected]"];
+}
 +function getUserIsPIHasNoMembersNoMemberRequests()
 +{
 +    return ["[email protected]", "foo", "bar", "[email protected]"];
 +}
++
 +function getUserIsPIHasAtLeastOneMember()
 +{
 +    return ["[email protected]", "foo", "bar", "[email protected]"];
 +}
++
 function getNonExistentUser()
+{
     return ["[email protected]", "foo", "bar", "[email protected]"];
Original file line number	Diff line number	Diff line change
`@@ -12,9 +12,7 @@ public static function providerTestSshValidate()`
`12`	`12`	`// sanity check only, see UnitySiteTest for more comprehensive test cases`
`13`	`13`	`return [`
`14`	`14`	`[false, "foobar"],`
`15`		`- // phpcs:disable`
`16`	`15`	`[true, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+XqO25MUB9x/pS04I3JQ7rMGboWyGXh0GUzkOrTi7a"],`
`17`		`- // phpcs:enable`
`18`	`16`	`];`
`19`	`17`	`}`
`20`	`18`
Original file line number	Diff line number	Diff line change
`@@ -17,9 +17,7 @@ public static function providerTestGetGithubKeys()`
`17`	`17`	`# user with no keys`
`18`	`18`	`["sheldor1510", []],`
`19`	`19`	`# user with 1 key`
`20`		`- //phpcs:disable`
`21`	`20`	["simonLeary42", ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGRl6JWPj+Gq2Lz9GjYdUl4/unLoFOyfgeiII1CxutpabPByRJbeuonR0zTpn51tZeYuAUOJBOeKt+Lj4i4UDGl6igpdXXSwkBXl7jxfRPwJ6WuTkDx7Z8ynwnqlDV2q089q4OX/b/uuHgsIhIBwrouKsRQaZIqTbwNMfiqQ2zl14V0KMrTPzOiwR6Q+hqSaR5Z29WKE7ff/OWzSC3/0T6avCmcCbQaRPJdVM+QC17B0vl8FzPwRjorMngwZ0cImdQ/0Ww1d12YAL7UWp1c2egfnthKP3MuQZnNF8ixsAk1eIIwTRdiI87BOoorW8NXhxXmhyheRCsFwyP4LJBqyUVoZJ0UYyk0AO4G9EStnfpiz8YXGK+M1G4tUrWgzs1cdjlHtgCWUmITtgabnYCC4141m7n4GZTk2H/lSrJcvAs3JEiwLTj1lzeGgzeSsz/XKsnOJyzjEVr2Jp3iT+J9PbQpfS0SxTCIGgxMqllovv79pfsF/zc+vaxqSShyHW7oyn7hLMHM60LO/IIX1RWGL3rD9ecXx2pXXQ1RhIkVteIi13XkFt+KW00cstFlAd3EHCoY/XorShd2jeID7tpnYlmNfotYUs6IKefvpNC0PWkh5UXFEv3SUfw4Wd8O0DiHfhkrhxn1W/GajqSIlZ5DKgPzFg8EHexv8lSa7WJg0H3YQ=="]]
`22`		`- //phpcs:enable`
`23`	`21`	`];`
`24`	`22`	`}`
`25`	`23`