Add testing for LDAP with memcache

.gitlab-ci.yml

@@ -2,6 +2,7 @@ stages:
   - build
   - test
   - testall
+  - testldap
 
 build:
   stage: build
@@ -260,7 +261,7 @@ test_memcache:
     - echo "en_NZ.UTF-8 UTF-8" >> /etc/locale.gen
     - locale-gen
     - echo "LANG=en_NZ.UTF-8" > /etc/default/locale
-    - apt-get -y install libdbd-pg-perl libyaml-perl php php-cli php-pgsql php-xml php-memcached postgresql-client postgresql libapache2-mod-php curl xmlstarlet memcached
+    - apt-get -y install libdbd-pg-perl libyaml-perl php php-cli php-pgsql php-xml php-memcached postgresql-client postgresql libapache2-mod-php curl xmlstarlet memcached netcat-openbsd
     - phpenmod memcached
     - curl 'https://gitlab.com/davical-project/awl/-/archive/master/awl-master.tar.gz' | tar zxf -
     - mv awl-master /usr/share/awl/
@@ -299,3 +300,63 @@ test_memcache:
     - xz apache2_log/test_memcache/*
     - mkdir -p davical_log
     - cp -r /var/log/davical davical_log/test_memcache
+
+# Only test if the memcache test passes
+test_memcache_and_ldap:
+  stage: testldap
+  image: debian:unstable
+  artifacts:
+    paths:
+      - testing/report.xml
+      - apache2_log/*
+      - davical_log/*
+    reports:
+      junit: testing/report.xml
+    when:
+      always
+  script:
+    - apt-get -y update
+    - bash -c 'mkdir -p /usr/share/man/man{0..10}'
+    - apt-get -y install locales
+    - echo "en_NZ.UTF-8 UTF-8" >> /etc/locale.gen
+    - locale-gen
+    - echo "LANG=en_NZ.UTF-8" > /etc/default/locale
+    - apt-get -y install libdbd-pg-perl libyaml-perl php php-cli php-pgsql php-xml php-memcached php-ldap postgresql-client postgresql libapache2-mod-php curl xmlstarlet memcached libnet-ldap-server-test-perl netcat-openbsd
+    - phpenmod memcached
+    - phpenmod ldap
+    - curl 'https://gitlab.com/davical-project/awl/-/archive/master/awl-master.tar.gz' | tar zxf -
+    - mv awl-master /usr/share/awl/
+    - chown -R www-data /usr/share/awl/
+    - dpkg --ignore-depends=libawl-php -i *.deb
+    - echo '127.0.1.1  regression mycaldav mycaldav_ldap myempty' >> /etc/hosts
+    - rm /etc/apache2/ports.conf /etc/apache2/sites-enabled/000-default.conf && touch /etc/apache2/ports.conf
+    - cp testing/apache-site.conf.example /etc/apache2/sites-enabled/davical-regression.conf
+    - sed -i 's/\/path\/to/\/usr\/share/g' /etc/apache2/sites-enabled/davical-regression.conf
+    - mkdir /usr/share/davical/testing/
+    - cp testing/*.php /usr/share/davical/testing/
+    - rm /etc/davical/config.php
+    - cat testing/regression-conf.php.example | sed 's.//$c->dbg.$c->dbg.' | sed -E 's.//(memcache|ldap) ..g' > /etc/davical/regression-conf.php
+    - ln -s /etc/davical/regression-conf.php /etc/davical/mycaldav_ldap-conf.php
+    - mkdir -p /var/log/davical
+    - chown www-data /var/log/davical
+    - sed -i '/peer/d' /etc/postgresql/16/main/pg_hba.conf
+    - echo 'local  all  all  trust' >> /etc/postgresql/16/main/pg_hba.conf
+    - pg_ctlcluster 16 main start
+    - su postgres -c 'createuser davical_dba --createdb --createrole --superuser'
+    - su postgres -c 'createuser davical_app --superuser'
+    - su postgres -c 'createuser testrunner --superuser'
+    - pg_ctlcluster 16 main restart
+    - a2enmod rewrite
+    - a2enmod headers
+    - apache2ctl start
+    - /etc/init.d/memcached start
+    - useradd testrunner
+    # testrunner needs to be able to read /var/log/apache2/regression-error.log for the ldap tests.
+    - adduser testrunner adm
+    - cd testing && su testrunner -c 'IS_CI=yes ALLSUITES="ldap" ./run_regressions.sh all x'
+  after_script:
+    - mkdir -p apache2_log
+    - cp -r /var/log/apache2 apache2_log/test_memcache_and_ldap
+    - xz apache2_log/test_memcache_and_ldap/*
+    - mkdir -p davical_log
+    - cp -r /var/log/davical davical_log/test_memcache_and_ldap

testing/apache-site.conf.example

@@ -1,7 +1,7 @@
 Listen 127.0.1.1:80
 <VirtualHost 127.0.1.1:80>
   ServerName regression
-  ServerAlias myempty mycaldav
+  ServerAlias myempty mycaldav mycaldav_ldap
   DocumentRoot /path/to/davical/htdocs
   CustomLog ${APACHE_LOG_DIR}/regression-access.log combined
   ErrorLog  ${APACHE_LOG_DIR}/regression-error.log

testing/regression-conf.php.example

@@ -23,4 +23,26 @@
   // if testing memcache
   //memcache $c->memcache_servers[] = '127.0.0.1,11211';
   //memcache $c->auth_cache = true;
+
+  // if testing LDAP
+  //ldap $c->authenticate_hook['call'] = 'LDAP_check';
+  //ldap $c->authenticate_hook['config'] = array(
+  //ldap   'host' => 'localhost',
+  //ldap   'port' => '21394',
+  //ldap   'baseDNUsers'   => 'dc=example,dc=com',
+  //ldap   'mapping_field' => array("username" => "uid",
+  //ldap                            "modified" => "modifyTimestamp",
+  //ldap                            "fullname" => "cn" ,
+  //ldap                            "email" =>"mail"
+  //ldap   ),
+  //ldap   'group_mapping_field' => array("username" => "cn",
+  //ldap                                  "modified" => "modifyTimestamp",
+  //ldap                                  "fullname" => "cn" ,
+  //ldap                                  "members" =>"memberUid"
+  //ldap   ),
+  //ldap   'format_updated' => array('Y' => array(0,4), 'm' => array(4,2), 'd' => array(6,2), 'H' => array(8,2), 'M' => array(10,2), 'S' => array(12,2))
+  //ldap );
+
+  //ldap include('drivers_ldap.php');
+
 ?>

testing/tests/ldap/0000-clear-memcached.result

@@ -0,0 +1 @@
+OK

testing/tests/ldap/0000-clear-memcached.test

@@ -0,0 +1,3 @@
+# Ensure that memcached has nothing cached.
+
+SCRIPT=echo flush_all | nc -N 127.0.0.1 11211

testing/tests/ldap/0000-confirm-no-ldap1-user.result

@@ -0,0 +1 @@
+

testing/tests/ldap/0000-confirm-no-ldap1-user.test

@@ -0,0 +1,6 @@
+# Check that no usr record exists
+QUERY
+SELECT active ,email, fullname, last_used, password, username, user_no
+FROM usr 
+WHERE username = 'ldap1';
+ENDQUERY

testing/tests/ldap/0001-test-ldap.result

@@ -0,0 +1,67 @@
+HTTP/1.1 207 Multi-Status
+Date: Dow, 01 Jan 2000 00:00:00 GMT
+DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule
+DAV: extended-mkcol, bind, addressbook, calendar-auto-schedule, calendar-proxy
+ETag: "ed58709591152964fd4a584af5b55d79"
+Content-Length: 942
+Content-Type: text/xml; charset="utf-8"
+
+<?xml version="1.0" encoding="utf-8" ?>
+<multistatus xmlns="DAV:">
+ <response>
+  <href>/caldav.php/</href>
+  <propstat>
+   <prop>
+    <resourcetype>
+     <collection/>
+    </resourcetype>
+   </prop>
+   <status>HTTP/1.1 200 OK</status>
+  </propstat>
+ </response>
+ <response>
+  <href>/caldav.php/resource1/</href>
+  <propstat>
+   <prop>
+    <resourcetype>
+     <collection/>
+     <principal/>
+    </resourcetype>
+   </prop>
+   <status>HTTP/1.1 200 OK</status>
+  </propstat>
+ </response>
+ <response>
+  <href>/caldav.php/resource2/</href>
+  <propstat>
+   <prop>
+    <resourcetype>
+     <collection/>
+     <principal/>
+    </resourcetype>
+   </prop>
+   <status>HTTP/1.1 200 OK</status>
+  </propstat>
+ </response>
+ <response>
+  <href>/caldav.php/ldap1/</href>
+  <propstat>
+   <prop>
+    <resourcetype>
+     <collection/>
+     <principal/>
+    </resourcetype>
+   </prop>
+   <status>HTTP/1.1 200 OK</status>
+  </propstat>
+ </response>
+</multistatus>
+
+           active: >1<
+            email: >ldap1@example.com<
+         fullname: >ldap1<
+        last_used: >NULL<
+         password: >NULL<
+          user_no: >1001<
+         username: >ldap1<
+

testing/tests/ldap/0001-test-ldap.test

@@ -0,0 +1,64 @@
+BEGINPERL
+if ($debug) { $ENV{'LDAP_DEBUG'} = 1 };
+
+use Net::LDAP::Server::Test;
+use Net::LDAP;
+use IO::Socket::INET;
+
+#my $port = find_idle_port();
+
+#my $ldap_port = RT::Test->find_idle_port;
+my $ldap_port = 21394;
+my $ldap_socket = IO::Socket::INET->new(
+    Listen    => 5,
+    Proto     => 'tcp',
+    Reuse     => 1,
+    LocalPort => $ldap_port,
+);
+
+# Keep it around after this block exits.
+$evaled{'ldap_server'} = Net::LDAP::Server::Test->new( $ldap_socket, auto_schema => 1 );
+
+my $ldap = Net::LDAP->new("localhost:$ldap_port") || die "Failed to instantiate Net::LDAP: $!";
+$ldap->bind();
+my $username = "ldap1";
+my $base     = "dc=example,dc=com";
+my $dn       = "uid=$username,$base";
+my $entry    = {
+    cn           => $username,
+    mail         => "$username\@example.com",
+    uid          => $username,
+    objectClass  => 'User',
+    userPassword => 'ldap1',
+};
+$ldap->add( $base );
+$ldap->add( $dn, attr => [%$entry] );
+
+# We need to keep the client around, otherwise the test server will exit.
+$evaled{'ldap_client'} = $ldap;
+#sleep 100;
+ENDPERL
+
+TYPE=PROPFIND
+URL=http://regression_ldap.host/caldav.php/
+HEADER=Content-Type: text/xml
+HEADER=Depth: 1
+AUTH=ldap1:ldap1
+HEAD
+
+BEGINDATA
+<?xml version="1.0" encoding="utf-8" ?>
+<D:propfind xmlns:D="DAV:">
+  <D:prop>
+    <D:resourcetype/>
+  </D:prop>
+</D:propfind>
+ENDDATA
+
+# Check that a usr record has been created.
+QUERY
+SELECT active, email, fullname, last_used, password, username, user_no
+FROM usr 
+WHERE username = 'ldap1';
+ENDQUERY
+

testing/tests/ldap/0002-NoCachedCredentials-ldap1.result

@@ -0,0 +1,2 @@
+No cached credentials found - no salt
+No cached credentials found

testing/tests/ldap/0002-NoCachedCredentials-ldap1.test

@@ -0,0 +1,4 @@
+# Make sure there are no cached credentials present.
+SCRIPT=if [ $(grep "HTTPAuthLogin:CheckCache: No salt stored for ldap1" /var/log/apache2/regression-error.log | wc -l) -eq 1 ] ; then echo "No cached credentials found" - no salt; else echo "Cached credentials, salt present, failed"; fi
+SCRIPT=if [ $(grep "HTTPAuthLogin:CheckCache: Cached credentials for ldap1 are good" /var/log/apache2/regression-error.log | wc -l) -eq 0 ] ; then echo "No cached credentials found"; else echo "Cached credentials, failed"; fi
+

testing/tests/ldap/0003-test-ldap.result

@@ -0,0 +1,67 @@
+HTTP/1.1 207 Multi-Status
+Date: Dow, 01 Jan 2000 00:00:00 GMT
+DAV: 1, 2, 3, access-control, calendar-access, calendar-schedule
+DAV: extended-mkcol, bind, addressbook, calendar-auto-schedule, calendar-proxy
+ETag: "ed58709591152964fd4a584af5b55d79"
+Content-Length: 942
+Content-Type: text/xml; charset="utf-8"
+
+<?xml version="1.0" encoding="utf-8" ?>
+<multistatus xmlns="DAV:">
+ <response>
+  <href>/caldav.php/</href>
+  <propstat>
+   <prop>
+    <resourcetype>
+     <collection/>
+    </resourcetype>
+   </prop>
+   <status>HTTP/1.1 200 OK</status>
+  </propstat>
+ </response>
+ <response>
+  <href>/caldav.php/resource1/</href>
+  <propstat>
+   <prop>
+    <resourcetype>
+     <collection/>
+     <principal/>
+    </resourcetype>
+   </prop>
+   <status>HTTP/1.1 200 OK</status>
+  </propstat>
+ </response>
+ <response>
+  <href>/caldav.php/resource2/</href>
+  <propstat>
+   <prop>
+    <resourcetype>
+     <collection/>
+     <principal/>
+    </resourcetype>
+   </prop>
+   <status>HTTP/1.1 200 OK</status>
+  </propstat>
+ </response>
+ <response>
+  <href>/caldav.php/ldap1/</href>
+  <propstat>
+   <prop>
+    <resourcetype>
+     <collection/>
+     <principal/>
+    </resourcetype>
+   </prop>
+   <status>HTTP/1.1 200 OK</status>
+  </propstat>
+ </response>
+</multistatus>
+
+           active: >1<
+            email: >ldap1@example.com<
+         fullname: >ldap1<
+        last_used: >NULL<
+         password: >NULL<
+          user_no: >1001<
+         username: >ldap1<
+

testing/tests/ldap/0003-test-ldap.test

@@ -0,0 +1 @@
+0001-test-ldap.test

testing/tests/ldap/0004-CachedCredentials-ldap1.result

@@ -0,0 +1 @@
+Cached credentials found

testing/tests/ldap/0004-CachedCredentials-ldap1.test

@@ -0,0 +1,5 @@
+# Check to see if the log line for cached credentials being valid is
+# present. That is only issued if we're successfully fetch valid credentials
+# from our cache.
+SCRIPT=if [ $(grep "HTTPAuthLogin:CheckCache: Cached credentials for ldap1 are good" /var/log/apache2/regression-error.log | wc -l) -eq 1 ] ; then echo "Cached credentials found"; else echo "Cached credentials failed"; fi
+

testing/tests/ldap/0005-test-invalid-user.result

@@ -0,0 +1,7 @@
+HTTP/1.1 401 Unauthorized
+Date: Dow, 01 Jan 2000 00:00:00 GMT
+WWW-Authenticate: Basic realm="DAViCal CalDAV Server"
+Content-Length: 40
+Content-Type: text/plain; ; charset="utf-8"
+
+Please log in for access to this system.

testing/tests/ldap/0005-test-invalid-user.test

@@ -0,0 +1,64 @@
+BEGINPERL
+if ($debug) { $ENV{'LDAP_DEBUG'} = 1 };
+
+use Net::LDAP::Server::Test;
+use Net::LDAP;
+use IO::Socket::INET;
+
+#my $port = find_idle_port();
+
+#my $ldap_port = RT::Test->find_idle_port;
+my $ldap_port = 21394;
+my $ldap_socket = IO::Socket::INET->new(
+    Listen    => 5,
+    Proto     => 'tcp',
+    Reuse     => 1,
+    LocalPort => $ldap_port,
+);
+
+# Keep it around after this block exits.
+$evaled{'ldap_server'} = Net::LDAP::Server::Test->new( $ldap_socket, auto_schema => 1 );
+
+my $ldap = Net::LDAP->new("localhost:$ldap_port") || die "Failed to instantiate Net::LDAP: $!";
+$ldap->bind();
+my $username = "ldap1";
+my $base     = "dc=example,dc=com";
+my $dn       = "uid=$username,$base";
+my $entry    = {
+    cn           => $username,
+    mail         => "$username\@example.com",
+    uid          => $username,
+    objectClass  => 'User',
+    userPassword => 'ldap1',
+};
+$ldap->add( $base );
+$ldap->add( $dn, attr => [%$entry] );
+
+# We need to keep the client around, otherwise the test server will exit.
+$evaled{'ldap_client'} = $ldap;
+#sleep 100;
+ENDPERL
+
+TYPE=PROPFIND
+URL=http://regression_ldap.host/caldav.php/
+HEADER=Content-Type: text/xml
+HEADER=Depth: 1
+AUTH=ldap2:ldap2
+HEAD
+
+BEGINDATA
+<?xml version="1.0" encoding="utf-8" ?>
+<D:propfind xmlns:D="DAV:">
+  <D:prop>
+    <D:resourcetype/>
+  </D:prop>
+</D:propfind>
+ENDDATA
+
+# Check that no usr record has been created.
+QUERY
+SELECT active, email, fullname, last_used, password, username, user_no
+FROM usr 
+WHERE username = 'ldap2';
+ENDQUERY
+

testing/tests/ldap/0006-NoCachedCredentials-ldap2.result

@@ -0,0 +1,2 @@
+No cached credentials found - no salt
+No cached credentials found

testing/tests/ldap/0006-NoCachedCredentials-ldap2.test

@@ -0,0 +1,4 @@
+# Make sure there are no cached credentials present.
+SCRIPT=if [ $(grep "HTTPAuthLogin:CheckCache: No salt stored for ldap2" /var/log/apache2/regression-error.log | wc -l) -eq 1 ] ; then echo "No cached credentials found - no salt"; else echo "Cached credentials, present, failed"; fi
+SCRIPT=if [ $(grep "HTTPAuthLogin:CheckCache: Cached credentials for ldap2" /var/log/apache2/regression-error.log | wc -l) -eq 0 ] ; then echo "No cached credentials found"; else echo "Cached credentials, failed"; fi
+

testing/tests/ldap/0007-test-invalid-user.result

@@ -0,0 +1,7 @@
+HTTP/1.1 401 Unauthorized
+Date: Dow, 01 Jan 2000 00:00:00 GMT
+WWW-Authenticate: Basic realm="DAViCal CalDAV Server"
+Content-Length: 40
+Content-Type: text/plain; ; charset="utf-8"
+
+Please log in for access to this system.

testing/tests/ldap/0007-test-invalid-user.test

@@ -0,0 +1,66 @@
+# Test again for an invalid user to check that the failed credentials are
+# cached.
+BEGINPERL
+if ($debug) { $ENV{'LDAP_DEBUG'} = 1 };
+
+use Net::LDAP::Server::Test;
+use Net::LDAP;
+use IO::Socket::INET;
+
+#my $port = find_idle_port();
+
+#my $ldap_port = RT::Test->find_idle_port;
+my $ldap_port = 21394;
+my $ldap_socket = IO::Socket::INET->new(
+    Listen    => 5,
+    Proto     => 'tcp',
+    Reuse     => 1,
+    LocalPort => $ldap_port,
+);
+
+# Keep it around after this block exits.
+$evaled{'ldap_server'} = Net::LDAP::Server::Test->new( $ldap_socket, auto_schema => 1 );
+
+my $ldap = Net::LDAP->new("localhost:$ldap_port") || die "Failed to instantiate Net::LDAP: $!";
+$ldap->bind();
+my $username = "ldap1";
+my $base     = "dc=example,dc=com";
+my $dn       = "uid=$username,$base";
+my $entry    = {
+    cn           => $username,
+    mail         => "$username\@example.com",
+    uid          => $username,
+    objectClass  => 'User',
+    userPassword => 'ldap1',
+};
+$ldap->add( $base );
+$ldap->add( $dn, attr => [%$entry] );
+
+# We need to keep the client around, otherwise the test server will exit.
+$evaled{'ldap_client'} = $ldap;
+#sleep 100;
+ENDPERL
+
+TYPE=PROPFIND
+URL=http://regression_ldap.host/caldav.php/
+HEADER=Content-Type: text/xml
+HEADER=Depth: 1
+AUTH=ldap2:ldap2
+HEAD
+
+BEGINDATA
+<?xml version="1.0" encoding="utf-8" ?>
+<D:propfind xmlns:D="DAV:">
+  <D:prop>
+    <D:resourcetype/>
+  </D:prop>
+</D:propfind>
+ENDDATA
+
+# Check that no usr record has been created.
+QUERY
+SELECT active, email, fullname, last_used, password, username, user_no
+FROM usr 
+WHERE username = 'ldap2';
+ENDQUERY
+

testing/tests/ldap/0008-CachedCredentialsFailed-ldap2.result

@@ -0,0 +1 @@
+Cached credentials found, password incorrect

testing/tests/ldap/0008-CachedCredentialsFailed-ldap2.test

@@ -0,0 +1,5 @@
+# Check to see if the log line for cached credentials being invalid is
+# present. That is only issued if we've fetch a fail for the credentials
+# from our cache.
+SCRIPT=if [ $(grep "HTTPAuthLogin:CheckCache: Cached credentials for ldap2 are good and invalid" /var/log/apache2/regression-error.log | wc -l) -eq 1 ] ; then echo "Cached credentials found, password incorrect"; else echo "Cached credentials failed"; fi
+

testing/tests/ldap/Create-Database.result

@@ -0,0 +1,14 @@
+
+
+Supported locales updated.
+Updated view: dav_principal.sql applied.
+CalDAV functions updated.
+RRULE functions updated.
+Database permissions updated.
+NOTE
+====
+*  The password for the 'admin' user has been set to 'nimda'
+
+Thanks for trying DAViCal! Check the configuration in /etc/davical/config.php.
+For help, look at our website and wiki, or visit #davical on irc.oftc.net.
+

testing/tests/ldap/Load-Sample-Data.result

@@ -0,0 +1,15 @@
+ setval 
+--------
+   1000
+(1 row)
+
+ setval 
+--------
+   1000
+(1 row)
+
+ setval 
+--------
+     10
+(1 row)
+

testing/tests/ldap/Really-Upgrade-Database.result

@@ -0,0 +1,7 @@
+The database is version XX currently at revision 1.3.5.
+No patches were applied.
+Supported locales updated.
+Updated view: dav_principal.sql applied.
+CalDAV functions updated.
+RRULE functions updated.
+Database permissions updated.

testing/tests/ldap/Restore-Database.result

@@ -0,0 +1,140 @@
+ set_config 
+------------
+ public
+(1 row)
+
+ setval 
+--------
+   1013
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+     10
+(1 row)
+
+ setval 
+--------
+     10
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+      1
+(1 row)
+
+ setval 
+--------
+   1000
+(1 row)
+

testing/tests/ldap/Upgrade-Database.result

@@ -0,0 +1,5 @@
+Supported locales updated.
+Updated view: dav_principal.sql applied.
+CalDAV functions updated.
+RRULE functions updated.
+Database permissions updated.

testing/tests/ldap/sample-data.sql

@@ -0,0 +1,126 @@
+-- Some sample data to prime the database...
+-- base-data.sql should be processed before this
+
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 2, TRUE, current_date, current_date, 'andrew', '**x', 'Andrew McMillan', 'andrew@catalyst.net.nz' );
+INSERT INTO role_member (user_no, role_no) VALUES( 2, 1);
+
+
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 10, TRUE, current_date, current_date, 'user1', '**user1', 'User 1', 'user1@example.net' );
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 11, TRUE, current_date, current_date, 'user2', '**user2', 'User 2', 'user2@example.net' );
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 12, TRUE, current_date, current_date, 'user3', '**user3', 'User 3', 'user3@example.net' );
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 13, TRUE, current_date, current_date, 'user4', '**user4', 'User 4', 'user4@example.net' );
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 14, TRUE, current_date, current_date, 'user5', '**user5', 'User 5', 'user5@example.net' );
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 15, TRUE, current_date, current_date, 'User Six', '**user6', 'User 6', 'user6@example.net' );
+
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 20, TRUE, current_date, current_date, 'manager1', '**manager1', 'Manager 1', 'manager1@example.net' );
+
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 30, TRUE, current_date, current_date, 'assistant1', '**assistant1', 'Assistant 1', 'assistant1@example.net' );
+
+
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 100, TRUE, current_date, current_date, 'resource1', '*salt*unpossible', 'Resource 1', 'resource1@example.net' );
+INSERT INTO role_member (user_no, role_no) VALUES( 100, 4);
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 101, TRUE, current_date, current_date, 'resource2', '*salt*unpossible', 'Resource 2', 'resource2@example.net' );
+INSERT INTO role_member (user_no, role_no) VALUES( 101, 4);
+
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 200, TRUE, current_date, current_date, 'resmgr1', '*salt*unpossible', 'Resource Managers', 'resource-managers@example.net' );
+INSERT INTO role_member (user_no, role_no) VALUES( 200, 2);
+
+INSERT INTO usr ( user_no, active, email_ok, updated, username, password, fullname, email )
+    VALUES( 300, TRUE, current_date, current_date, 'teamclient1', '*salt*unpossible', 'Team for Client1', 'team-client1@example.net' );
+INSERT INTO role_member (user_no, role_no) VALUES( 300, 2);
+
+SELECT setval('usr_user_no_seq', 1000);
+SELECT setval('dav_id_seq', 1000);
+
+UPDATE usr SET joined = '2009-06-01', updated = '2009-06-02';
+
+INSERT INTO collection (user_no, parent_container, dav_name, dav_etag,
+                 dav_displayname, is_calendar, created, modified,
+                 public_events_only, publicly_readable, collection_id, resourcetypes )
+    SELECT user_no, '/' || username || '/',  '/' || username || '/home/', md5(username),
+           username || ' home', TRUE, '2009-06-03', '2009-06-04',
+           FALSE, FALSE, user_no + 150, '<DAV::collection/><urn:ietf:params:xml:ns:caldav:calendar/>'
+      FROM usr ORDER BY user_no;
+
+INSERT INTO collection (user_no, parent_container, dav_name, dav_etag,
+                 dav_displayname, is_calendar, is_addressbook, created, modified,
+                 public_events_only, publicly_readable, collection_id, resourcetypes )
+    SELECT user_no, '/' || username || '/',  '/' || username || '/addresses/', md5(username),
+           username || ' addresses', FALSE, TRUE, '1957-07-26', '1998-03-16',
+           FALSE, FALSE, user_no + 450, '<DAV::collection/><urn:ietf:params:xml:ns:carddav:addressbook/>'
+      FROM usr ORDER BY user_no;
+
+
+INSERT INTO principal (type_id, user_no, displayname, default_privileges)
+         SELECT 1, user_no, fullname, privilege_to_bits(ARRAY['read-free-busy','schedule-send','schedule-deliver']) FROM usr
+                 WHERE NOT EXISTS(SELECT 1 FROM role_member JOIN roles USING(role_no) WHERE role_name = 'Group' AND role_member.user_no = usr.user_no)
+                   AND NOT EXISTS(SELECT 1 FROM role_member JOIN roles USING(role_no) WHERE role_name = 'Resource' AND role_member.user_no = usr.user_no)
+                   AND NOT EXISTS(SELECT 1 FROM principal WHERE principal.user_no = usr.user_no) ORDER BY user_no;
+
+INSERT INTO principal (type_id, user_no, displayname, default_privileges)
+         SELECT 2, user_no, fullname, privilege_to_bits(ARRAY['read','schedule-send','schedule-deliver']) FROM usr
+                 WHERE EXISTS(SELECT 1 FROM role_member JOIN roles USING(role_no) WHERE role_name = 'Resource' AND role_member.user_no = usr.user_no)
+                   AND NOT EXISTS(SELECT 1 FROM principal WHERE principal.user_no = usr.user_no) ORDER BY user_no;
+
+INSERT INTO principal (type_id, user_no, displayname, default_privileges)
+         SELECT 3, user_no, fullname, privilege_to_bits(ARRAY['read-free-busy','schedule-send','schedule-deliver']) FROM usr
+                 WHERE EXISTS(SELECT 1 FROM role_member JOIN roles USING(role_no) WHERE role_name = 'Group' AND role_member.user_no = usr.user_no)
+                   AND NOT EXISTS(SELECT 1 FROM principal WHERE principal.user_no = usr.user_no) ORDER BY user_no;
+
+-- Set the insert sequence to the next number, with a minimum of 1000
+SELECT setval('relationship_type_rt_id_seq', (SELECT 10 UNION SELECT rt_id FROM relationship_type ORDER BY 1 DESC LIMIT 1) );
+
+-- The resources for meetings
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 200, 100, 1 );
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 200, 101, 1 );
+
+-- The people who administer meetings
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 10, 200, 1 );
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 11, 200, 1 );
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 30, 200, 1 );
+
+-- Between a PA and their Manager
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 30,  20, 2 );
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 30,  10, 2 );
+
+
+-- Between a team
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 20, 300, 3 );
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 10, 300, 3 );
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 30, 300, 3 );
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 300, 20, 3 );
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 300, 10, 3 );
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 300, 30, 3 );
+
+-- Granting explicit free/busy permission
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 11,  10, 4 );
+INSERT INTO relationship ( from_user, to_user, rt_id ) VALUES( 10,  11, 4 );
+
+
+UPDATE relationship r SET confers = (SELECT bit_confers FROM relationship_type rt WHERE rt.rt_id=r.rt_id);
+
+INSERT INTO group_member ( group_id, member_id)
+              SELECT g.principal_id, m.principal_id
+                FROM relationship JOIN principal g ON(to_user=g.user_no AND g.type_id = 3)    -- Group
+                                  JOIN principal m ON(from_user=m.user_no AND m.type_id IN (1,2)) ORDER BY 1, 2; -- Person | Resource
+
+INSERT INTO grants ( by_principal, to_principal, privileges, is_group )
+   SELECT pby.principal_id AS by_principal, pto.principal_id AS to_principal,
+                                  confers AS privileges, pto.type_id > 2 AS is_group
+     FROM relationship r JOIN usr f ON(f.user_no=r.from_user)
+                         JOIN usr t ON(t.user_no=r.to_user)
+                         JOIN principal pby ON(t.user_no=pby.user_no)
+                         JOIN principal pto ON(pto.user_no=f.user_no)
+     WHERE rt_id < 4 AND pby.type_id < 3 ORDER BY 1, 2;