=====================
ShibbolethPermissions
=====================

I want to describe setting up a Shibboleth Permissions instance. Begin by using
the utility method for adding ShibbolethPermissions to an existing acl_users.

    >>> from Products.ShibbolethPermissions.tests import utils

Make sure trying to do this on an object without any acl_users fails.

    >>> utils.addShibbolethPermissions(object())
    Traceback (most recent call last):
    ...
    LookupError: No acl_users can be acquired or otherwise found.

Now, let's actually get a PAS to use.

    >>> pas = self.portal.acl_users
    >>> pas
    <PluggableAuthService at /plone/acl_users>

And make sure we can set up our plugin in the PAS instance.

    >>> shibperms = utils.addShibbolethPermissions(self.portal)
    >>> shibperms
    <ShibbolethPermissionsHandler at /plone/acl_users/ShibbolethPermissions>


Set up AutoUserMakerPASPlugin
-----------------------------

Because AutoUserMakerPASPlugin is where Shibboleth attributes are made available
to ShibbolethPermissions and that AutoUserMakerPASPlugin actually assigns the
role's granted by ShibbolethPermissions.

    >>> def inOrder(config):
    ...     keys = config.keys()
    ...     keys.sort()
    ...     for ii in keys: print "'%s':%s" % (ii, str(config[ii]))

    >>> class MockResponse:
    ...     def __init__(self):
    ...         self.url = ''
    ...     def redirect(self, url):
    ...         self.url = url
    >>> class MockForm:
    ...     def __init__(self, form={}):
    ...         self.form = form
    ...         self.RESPONSE = MockResponse()
    >>> apache = utils.addAutoUserMakerPASPlugin(self.portal)
    >>> apache
    <ApacheAuthPluginHandler at /plone/acl_users/AutoUserMakerPASPlugin>

    >>> request = MockForm({"strip_domain_names": 0,
    ...                     "strip_domain_name_list": 'test.org',
    ...                     "http_remote_user": 'HTTP_TEST_USER',
    ...                     "http_commonname": 'HTTP_TEST_COMMONNAME',
    ...                     "http_description": 'HTTP_TEST_TITLE',
    ...                     "http_email": 'HTTP_TEST_EMAIL',
    ...                     "http_locality": 'HTTP_TEST_TOWN',
    ...                     "http_state": 'HTTP_TEST_STATE',
    ...                     "http_country": 'HTTP_TEST_COUNTRY',
    ...                     "http_authz_tokens": 'HTTP_TEST_USER',
    ...                     "http_sharing_tokens": 'HTTP_TEST_USER',
    ...                     "http_sharing_labels": 'TEST_TITLE'})
    >>> apache.manage_changeConfig(request)
    >>> config = apache.getConfig()
    >>> config['http_sharing_tokens']
    ('HTTP_TEST_USER',)


Plone Configuration Testing
---------------------------

Here, we're really only testing the methods on ShibbolethPermissionsHandler and
ShibbolethPermissions. Properly speaking the forms in folder_localrole_form
call python functions installed in portal_skins/custom. Here we're calling the
methods those functions call, directly.

Let's start with just making sure AutoUserMakerPASPlugin returns the token/label
list as expected.

    >>> shibperms.getShibAttrs()
    [('TEST_TITLE', 'HTTP_TEST_USER')]

First, we have to add a rule. Mimic the call from folder_localrole_shib_add.py.

    >>> shibperms.addLocalRoles('/', {'HTTP_TEST_USER': 'test'}, ['Manager',])
    >>> inOrder(shibperms.getLocalRoles())
    '/':[{'_roles': ['Manager'], 'HTTP_TEST_USER': 'test'}]

Now let's change the role being assigned, but first make sure not providing
a path doesn't do anything, nor does providing an invalid path.

    >>> shibperms.updLocalRoles()
    >>> inOrder(shibperms.getLocalRoles())
    '/':[{'_roles': ['Manager'], 'HTTP_TEST_USER': 'test'}]

    >>> shibperms.updLocalRoles('/doesnotexist')
    >>> inOrder(shibperms.getLocalRoles())
    '/':[{'_roles': ['Manager'], 'HTTP_TEST_USER': 'test'}]

    >>> shibperms.updLocalRoles('/', 0, ['Owner',])
    >>> inOrder(shibperms.getLocalRoles())
    '/':[{'_roles': ['Owner'], 'HTTP_TEST_USER': 'test'}]

<input type="hidden" name="change_type" value="delete" />
<input type="hidden" name="physicalPath" value="/"
name="shib_toggle" value="#" id="shib_toggle"
name="row_number:list" id="row_number"
<select name="member_role:list" id="user_member_role"
name="folder_localrole_shib_upd:method"
name="folder_localrole_shib_del:method"
name="shibattrs"

Now let's delete the entry., but first make sure not providing an invalid path
doesn't do anything.

    >>> shibperms.delLocalRoles('/doesnotexist')
    >>> inOrder(shibperms.getLocalRoles())
    '/':[{'_roles': ['Owner'], 'HTTP_TEST_USER': 'test'}]

    >>> shibperms.delLocalRoles('/', 0)
    >>> inOrder(shibperms.getLocalRoles())

Now let's try the functions that folder_localrole_form calls. That function
(folder_localrole_shib_add) takes the middle two lists and turns that into a
dictionary, which is what addLocalRoles() wants.

*TODO* Figure out how to call python scripts in custom.

    > custom = self.portal.portal_skins.custom
    > custom.folder_localrole_shib_add('/', ('HTTP_TEST_USER',), ('junk',), ('Owner',))
    > inOrder(shiblogin.getLocalRoles())

ZMI Configuration Testing
-------------------------

We need to have an entry or two to test what an administrator can do from the
ZMI.

    >>> shibperms.addLocalRoles('/Members', {'HTTP_TEST_USER': 'test'}, ['Manager',])
    >>> shibperms.addLocalRoles('/', {'HTTP_TEST_USER': 'junk'}, ['Owner',])

Now make sure they're there.

    >>> inOrder(shibperms.getLocalRoles())
    '/':[{'_roles': ['Owner'], 'HTTP_TEST_USER': 'junk'}]
    '/Members':[{'_roles': ['Manager'], 'HTTP_TEST_USER': 'test'}]

Now delete one.

    >>> request = MockForm({'plonepath': '/'})
    >>> shibperms.manage_changeConfig(request)
    >>> inOrder(shibperms.getLocalRoles())
    '/Members':[{'_roles': ['Manager'], 'HTTP_TEST_USER': 'test'}]

Delete all.
    >>> shibperms.delLocalRoles()
    >>> inOrder(shibperms.getLocalRoles())
