# -*-perl-*-

# $Id: 80_security.t,v 1.3 2004/02/26 02:02:29 lachoy Exp $

use strict;
use lib qw( t/ );
use Test::More tests => 39;

do "t/config.pl";

BEGIN { use_ok( 'SPOPS::Secure', qw( :level :scope ) ) }

{
    my %config = (
      test => {
         class      => 'DummyTest',
         isa        => [ 'SecurityCommon', 'SPOPS::Secure', 'SPOPS::Loopback' ],
         field      => [ qw( myid name ) ],
         id_field   => 'myid',
         creation_security => {
            u => 'WRITE',
            g   => { 2 => 'WRITE' },
            w   => 'READ',
         },
      },
      security => {
         class      => 'SecurityTest',
         isa        => [ 'SPOPS::Key::Random', 'SPOPS::Secure::Loopback', 'SPOPS::Loopback' ],
         field      => [ qw/ sid object_id class scope scope_id security_level / ],
         id_field   => 'sid',
      },
      user => {
         class      => 'UserTest',
         isa        => [ 'SPOPS::Loopback' ],
         field      => [ qw/ user_id login_name group_id / ],
         id_field   => 'user_id',
      },
      group => {
         class      => 'GroupTest',
         isa        => [ 'SPOPS::Loopback' ],
         field      => [ qw/ group_id name / ],
         id_field   => 'group_id',
      },
    );

    # Create our test class using the loopback

    require_ok( 'SPOPS::Initialize' );

    my $class_init_list = eval { SPOPS::Initialize->process({ config => \%config }) };
    diag( "Error initializing: $@" ) if ( $@ );
    ok( ! $@, "Initialize process run" );
    my %class_init_map = map { $_ => 1 } @{ $class_init_list };
    ok( $class_init_map{DummyTest}, 'Object class initialized' );
    ok( $class_init_map{SecurityTest}, 'Security object class initialized' );
    ok( $class_init_map{UserTest}, 'User object class initialized' );
    ok( $class_init_map{GroupTest}, 'Group object class initialized' );

    my $creation_security = DummyTest->creation_security;
    is( $creation_security->{u}, 'WRITE', 'User creation security specified' );
    is( $creation_security->{g}{2}, 'WRITE', 'Group creation security specified' );
    is( $creation_security->{w}, 'READ', 'Group creation security specified' );

    DummyTest->set_security_class( 'SecurityTest' );

    # First create a few groups
    eval {
        GroupTest->new({ group_id => 1, name => 'admin' })->save();   # supergroup
        GroupTest->new({ group_id => 2, name => 'manager' })->save();
        GroupTest->new({ group_id => 3, name => 'public' })->save();
    };
    ok( ! $@, "Groups created ok" );

    # Now a few users
    eval {
        UserTest->new({ user_id => 1, login_name => 'admin',          # superuser
                        group_id => 1 })->save();
        UserTest->new({ user_id => 2, login_name => 'snoopy',
                        group_id => 2 })->save();
        UserTest->new({ user_id => 3, login_name => 'charlie',
                        group_id => 3 })->save();
    };
    ok( ! $@, "Users created ok" );

    my $user_admin  = UserTest->fetch(1);
    my $grp_admin   = GroupTest->fetch(1);
    my $user_snoopy = UserTest->fetch(2);
    my $grp_manager = GroupTest->fetch(2);
    my $user_chuck  = UserTest->fetch(3);
    my $grp_public  = GroupTest->fetch(3);

    # Now create a few dummy objects as various users
    eval {
        DummyTest->set_user( $user_admin );
        DummyTest->set_group( $grp_admin );
        DummyTest->new({ myid => 1, name => 'Primo' })->save();
        DummyTest->set_user( $user_snoopy );
        DummyTest->set_group( $grp_manager );
        DummyTest->new({ myid => 2, name => 'Secondo' })->save();
        DummyTest->set_user( $user_chuck );
        DummyTest->set_group( $grp_public );
        DummyTest->new({ myid => 3, name => 'Trio' })->save();
    };
    diag( "Dummy create failed: $@" ) if ( $@ );
    ok( ! $@, "Dummy objects created ok" );

    # Retrieve the dummy objects and ensure the security level is set
    # properly when we set the user for each

    DummyTest->set_group( undef );

    DummyTest->set_user( $user_admin );
    my $du_one   = eval { DummyTest->fetch(1) };
    ok( ! $@, "No security violation user 1" );
    is( $du_one->{tmp_security_level}, SEC_LEVEL_WRITE, "Fetched security user level 1" );

    DummyTest->set_user( $user_chuck );
    my $du_two   = eval { DummyTest->fetch(2) };
    ok( ! $@, "No security violation user 2" );
    is( $du_two->{tmp_security_level}, SEC_LEVEL_READ, "Fetched security user level 2" );

    DummyTest->set_user( $user_snoopy );
    my $du_three = eval { DummyTest->fetch(3) };
    ok( ! $@, "No security violation user 3" );
    is( $du_three->{tmp_security_level}, SEC_LEVEL_READ, "Fetched security user level 3" );

    # Retrieve the dummy objects and ensure the security level is set
    # properly when we set the group to admin

    DummyTest->set_group( $grp_manager );
    DummyTest->set_user( undef );

    my $dg_one   = eval { DummyTest->fetch(1) };
    ok( ! $@, "No security violation group 1" );
    is( $dg_one->{tmp_security_level}, SEC_LEVEL_WRITE, "Fetched security group level 1" );

    my $dg_two   = eval { DummyTest->fetch(2) };
    ok( ! $@, "No security violation group 2" );
    is( $dg_two->{tmp_security_level}, SEC_LEVEL_WRITE, "Fetched security group level 2" );

    my $dg_three = eval { DummyTest->fetch(3) };
    ok( ! $@, "No security violation group 3" );
    is( $dg_three->{tmp_security_level}, SEC_LEVEL_WRITE, "Fetched security group level 3" );


    # Now fetch some security objects and check them out

    my $security_one   = SecurityTest->fetch_group({ where => 'object_id = 1' });
    my $security_two   = SecurityTest->fetch_group({ where => 'object_id = 2' });
    my $security_three = SecurityTest->fetch_group({ where => 'object_id = 3' });

    is( scalar @{ $security_one }, 3, 'Number of security objects 1' );
    is( check_user( $security_one, 1 ), SEC_LEVEL_WRITE, 'User settings 1' );
    is( check_group( $security_one, 2 ), SEC_LEVEL_WRITE, 'Group settings 1' );
    is( check_world( $security_one ), SEC_LEVEL_READ, 'World settings 1' );

    is( scalar @{ $security_two }, 3, 'Number of security objects 2' );
    is( check_user( $security_two, 2 ), SEC_LEVEL_WRITE, 'User settings 2' );
    is( check_group( $security_two, 2 ), SEC_LEVEL_WRITE, 'Group settings 2' );
    is( check_world( $security_two ), SEC_LEVEL_READ, 'World settings 2' );

    is( scalar @{ $security_three }, 3, 'Number of security objects 3' );
    is( check_user( $security_three, 3 ), SEC_LEVEL_WRITE, 'User settings 3' );
    is( check_group( $security_three, 2 ), SEC_LEVEL_WRITE, 'Group settings 3' );
    is( check_world( $security_three ), SEC_LEVEL_READ, 'World settings 3' );

    my $s_world_one = SecurityTest->fetch_match( $du_one, { scope => SEC_SCOPE_WORLD } );
    is( $s_world_one->{security_level}, SEC_LEVEL_READ, 'Fetch match world 1' );
    my $s_one_user = SecurityTest->fetch_match( $du_one, { scope => SEC_SCOPE_USER,
                                                           scope_id => 1 } );
    is( $s_one_user->{security_level}, SEC_LEVEL_WRITE, 'Fetch match user 1' );

}

sub check_user {
    my ( $security, $user_id ) = @_;
    for ( @{ $security } ) {
        if ( $_->{scope} eq SEC_SCOPE_USER and $_->{scope_id} eq $user_id ) {
            return $_->{security_level};
        }
    }
    return undef;
}

sub check_group {
    my ( $security, $group_id ) = @_;
    for ( @{ $security } ) {
        if ( $_->{scope} eq SEC_SCOPE_GROUP and $_->{scope_id} eq $group_id ) {
            return $_->{security_level};
        }
    }
    return undef;
}

sub check_world {
    my ( $security ) = @_;
    for ( @{ $security } ) {
        if ( $_->{scope} eq SEC_SCOPE_WORLD ) {
            return $_->{security_level};
        }
    }
    return undef;
}