Merge remote-tracking branch 'elijah/newtests' into develop

12 files changed, 811 insertions, 279 deletions

diff --git a/bin/run_tests b/bin/run_tests
index e026b5f7..b3e60fcc 100755
--- a/bin/run_tests
+++ b/bin/run_tests
@@ -14,7 +14,6 @@
 require 'minitest/unit'
 require 'yaml'
 require 'tsort'
-require 'net/http'
 
 ##
 ## EXIT CODES
@@ -114,7 +113,10 @@ class LeapTest < MiniTest::Unit::TestCase
   # the default fail() is part of the kernel and it just throws a runtime exception. for tests,
   # we want the same behavior as assert(false)
   #
-  def fail(msg=nil)
+  def fail(msg=nil, exception=nil)
+    if DEBUG && exception && exception.respond_to?(:backtrace)
+      msg += MiniTest::filter_backtrace(exception.backtrace).join "\n"
+    end
     assert(false, msg)
   end
 
@@ -129,207 +131,6 @@ class LeapTest < MiniTest::Unit::TestCase
     :alpha
   end
 
-  #
-  # attempts a http GET on the url, yields |body, response, error|
-  #
-  def get(url, params=nil)
-    uri = URI(url)
-    if params
-      uri.query = URI.encode_www_form(params)
-    end
-    http = Net::HTTP.new uri.host, uri.port
-    if uri.scheme == 'https'
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-      http.use_ssl = true
-    end
-    http.start do |agent|
-      request = Net::HTTP::Get.new uri.request_uri
-      if uri.user
-        request.basic_auth uri.user, uri.password
-      end
-      response = agent.request(request)
-      if response.is_a?(Net::HTTPSuccess)
-        yield response.body, response, nil
-      else
-        yield nil, response, nil
-      end
-    end
-  rescue => exc
-    yield nil, nil, exc
-  end
-
-  def assert_get(url, params=nil, options=nil)
-    options ||= {}
-    get(url, params) do |body, response, error|
-      if body
-        yield body if block_given?
-      elsif response
-        fail ["Expected a 200 status code from #{url}, but got #{response.code} instead.", options[:error_msg]].compact.join("\n")
-      else
-        fail ["Expected a response from #{url}, but got \"#{error}\" instead.", options[:error_msg]].compact.join("\n")
-      end
-    end
-  end
-
-  #
-  # only a warning for now, should be a failure in the future
-  #
-  def assert_auth_fail(url, params)
-    uri = URI(url)
-    get(url, params) do |body, response, error|
-      unless response.code.to_s == "401"
-        warn "Expected a '401 Unauthorized' response, but got #{response.code} instead (GET #{uri.request_uri} with username '#{uri.user}')."
-        return false
-      end
-    end
-    true
-  end
-
-  #
-  # test if a socket can be connected to
-  #
-
-  #
-  # tcp connection helper with timeout
-  #
-  def try_tcp_connect(host, port, timeout = 5)
-    addr     = Socket.getaddrinfo(host, nil)
-    sockaddr = Socket.pack_sockaddr_in(port, addr[0][3])
-
-    Socket.new(Socket.const_get(addr[0][0]), Socket::SOCK_STREAM, 0).tap do |socket|
-      socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
-      begin
-        socket.connect_nonblock(sockaddr)
-      rescue IO::WaitReadable
-        if IO.select([socket], nil, nil, timeout) == nil
-          raise "Connection timeout"
-        else
-          socket.connect_nonblock(sockaddr)
-        end
-      rescue IO::WaitWritable
-        if IO.select(nil, [socket], nil, timeout) == nil
-          raise "Connection timeout"
-        else
-          socket.connect_nonblock(sockaddr)
-        end
-      end
-      return socket
-    end
-  end
-
-  def try_tcp_write(socket, timeout = 5)
-    begin
-      socket.write_nonblock("\0")
-    rescue IO::WaitReadable
-      if IO.select([socket], nil, nil, timeout) == nil
-        raise "Write timeout"
-      else
-        retry
-      end
-    rescue IO::WaitWritable
-      if IO.select(nil, [socket], nil, timeout) == nil
-        raise "Write timeout"
-      else
-        retry
-      end
-    end
-  end
-
-  def try_tcp_read(socket, timeout = 5)
-    begin
-      socket.read_nonblock(1)
-    rescue IO::WaitReadable
-      if IO.select([socket], nil, nil, timeout) == nil
-        raise "Read timeout"
-      else
-        retry
-      end
-    rescue IO::WaitWritable
-      if IO.select(nil, [socket], nil, timeout) == nil
-        raise "Read timeout"
-      else
-        retry
-      end
-    end
-  end
-
-  def assert_tcp_socket(host, port, msg=nil)
-    begin
-      socket = try_tcp_connect(host, port, 1)
-      #try_tcp_write(socket,1)
-      #try_tcp_read(socket,1)
-    rescue StandardError => exc
-      fail ["Failed to open socket #{host}:#{port}", exc].join("\n")
-    ensure
-      socket.close if socket
-    end
-  end
-
-  #
-  # Matches the regexp in the file, and returns the first matched string (or fails if no match).
-  #
-  def file_match(filename, regexp)
-    if match = File.read(filename).match(regexp)
-      match.captures.first
-    else
-      fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}."
-    end
-  end
-
-  #
-  # Matches the regexp in the file, and returns array of matched strings (or fails if no match).
-  #
-  def file_matches(filename, regexp)
-    if match = File.read(filename).match(regexp)
-      match.captures
-    else
-      fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}."
-    end
-  end
-
-  #
-  # checks to make sure the given property path exists in $node (e.g. hiera.yaml)
-  # and returns the value
-  #
-  def assert_property(property)
-    latest = $node
-    property.split('.').each do |segment|
-      latest = latest[segment]
-      fail "Required node property `#{property}` is missing." if latest.nil?
-    end
-    return latest
-  end
-
-  #
-  # works like pgrep command line
-  # return an array of hashes like so [{:pid => "1234", :process => "ls"}]
-  #
-  def pgrep(match)
-    output = `pgrep --full --list-name '#{match}'`
-    output.each_line.map{|line|
-      pid = line.split(' ')[0]
-      process = line.gsub(/(#{pid} |\n)/, '')
-      if process =~ /pgrep --full --list-name/
-        nil
-      else
-        {:pid => pid, :process => process}
-      end
-    }.compact
-  end
-end
-
-def assert_running(process)
-  assert pgrep(process).any?, "No running process for #{process}"
-end
-
-#
-# runs the specified command, failing on a non-zero exit status.
-#
-def assert_run(command)
-  output = `#{command}`
-  if $?.exitstatus != 0
-    fail "Error running `#{command}`:\n#{output}"
-  end
 end
 
 #
@@ -441,7 +242,7 @@ class LeapRunner < MiniTest::Unit
   def report_line(prefix, klass, meth, e=nil, message=nil)
     msg_txt = nil
     if message
-      message = message.sub(/http:\/\/([a-z_]+):([a-zA-Z0-9_]+)@/, "http://\\1:password@")
+      message = message.sub(/http:\/\/([a-z_]+):([a-zA-Z0-9_]+)@/, "http://\\1:REDACTED@")
       if $output_format == :human
         indent = "\n  "
         msg_txt = indent + message.split("\n").join(indent)
@@ -556,7 +357,8 @@ def print_help
        "  --test TEST      Run only the test with name TEST.",
        "  --list-tests     Prints the names of all available tests and exit.",
        "  --retry COUNT    If the tests don't pass, retry COUNT additional times (default is zero)",
-       "  --wait SECONDS   Wait for SECONDS between retries (default is 5)"].join("\n")
+       "  --wait SECONDS   Wait for SECONDS between retries (default is 5)",
+       "  --debug          Print out full stack trace on errors"].join("\n")
   exit(0)
 end
 
@@ -615,6 +417,9 @@ def main
 
   # load all test classes
   this_file = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__
+  Dir[File.expand_path('../../tests/helpers/*.rb', this_file)].each do |helper|
+    require helper
+  end
   Dir[File.expand_path('../../tests/white-box/*.rb', this_file)].each do |test_file|
     begin
       require test_file
@@ -636,10 +441,19 @@ def main
       when '--list-tests' then list_tests
       when '--retry' then ARGV.shift; $retry = ARGV.shift.to_i
       when '--wait' then ARGV.shift; $wait = ARGV.shift.to_i
+      when '--debug' then ARGV.shift
+      when '-d' then ARGV.shift
       else break
     end
   end
   run_tests
 end
 
+if ARGV.include?('--debug') || ARGV.include?('-d')
+  DEBUG=true
+  require 'debugger'
+else
+  DEBUG=false
+end
+
 main()
diff --git a/tests/README.md b/tests/README.md
index debbf700..814c25b1 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -1,12 +1,25 @@
-This directory contains to kinds of tests:
+Tests
+---------------------------------
 
-White Box Tests
-================================
+tests/white-box/
 
-These tests are run on the server as superuser. They are for troubleshooting any problems with the internal setup of the server.
+    These tests are run on the server as superuser. They are for
+    troubleshooting any problems with the internal setup of the server.
 
-Black Box Tests
-================================
+tests/black-box/
+
+    These test are run the user's local machine. They are for troubleshooting
+    any external problems with the service exposed by the server.
+
+Additional Files
+---------------------------------
+
+tests/helpers/
+
+    Utility functions made available to all tests.
+
+tests/order.rb
+
+    Configuration file to specify which nodes should be tested in which order.
 
-These test are run the user's local machine. They are for troubleshooting any external problems with the service exposed by the server.
 
diff --git a/tests/helpers/couchdb_helper.rb b/tests/helpers/couchdb_helper.rb
new file mode 100644
index 00000000..d4d3c0e0
--- /dev/null
+++ b/tests/helpers/couchdb_helper.rb
@@ -0,0 +1,103 @@
+class LeapTest
+
+  #
+  # generates a couchdb url for when couchdb is running
+  # remotely and is available via stunnel.
+  #
+  # example properties:
+  #
+  # stunnel:
+  #   clients:
+  #     couch_client:
+  #       couch1_5984:
+  #         accept_port: 4000
+  #         connect: couch1.bitmask.i
+  #         connect_port: 15984
+  #
+  def couchdb_urls_via_stunnel(path="", options=nil)
+    if options && options[:username] && options[:password]
+      userpart = "%{username}:%{password}@" % options
+    else
+      userpart = ""
+    end
+    assert_property('stunnel.clients.couch_client').values.collect do |stunnel_conf|
+      assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.'
+      URLString.new("http://#{userpart}localhost:#{port}#{path}").tap {|url|
+        remote_ip_address = TCPSocket.gethostbyname(stunnel_conf['connect']).last
+        url.memo = "(via stunnel to %s:%s, aka %s)" % [stunnel_conf['connect'], stunnel_conf['connect_port'], remote_ip_address]
+      }
+    end
+  end
+
+  #
+  # generates a couchdb url for accessing couchdb via haproxy
+  #
+  # example properties:
+  #
+  # haproxy:
+  #   couch:
+  #     listen_port: 4096
+  #     servers:
+  #       panda:
+  #         backup: false
+  #         host: localhost
+  #         port: 4000
+  #         weight: 100
+  #         writable: true
+  #
+  def couchdb_url_via_haproxy(path="", options=nil)
+    if options && options[:username] && options[:password]
+      userpart = "%{username}:%{password}@" % options
+    else
+      userpart = ""
+    end
+    port = assert_property('haproxy.couch.listen_port')
+    return URLString.new("http://#{userpart}localhost:#{port}#{path}").tap { |url|
+      url.memo = '(via haproxy)'
+    }
+  end
+
+  #
+  # generates a couchdb url for when couchdb is running locally.
+  #
+  # example properties:
+  #
+  # couch:
+  #   port: 5984
+  #
+  def couchdb_url_via_localhost(path="", options=nil)
+    port = (options && options[:port]) || assert_property('couch.port')
+    if options && options[:username]
+      password = property("couch.users.%{username}.password" % options)
+      userpart = "%s:%s@" % [options[:username], password]
+    else
+      userpart = ""
+    end
+    return URLString.new("http://#{userpart}localhost:#{port}#{path}").tap { |url|
+      url.memo = '(via direct localhost connection)'
+    }
+  end
+
+  #
+  # returns a single url for accessing couchdb
+  #
+  def couchdb_url(path="", options=nil)
+    if property('couch.port')
+      couchdb_url_via_localhost(path, options)
+    elsif property('stunnel.clients.couch_client')
+      couchdb_urls_via_stunnel(path, options).first
+    end
+  end
+
+  #
+  # returns an array of urls for accessing couchdb
+  #
+  def couchdb_urls(path="", options=nil)
+    if property('couch.port')
+      [couchdb_url_via_localhost(path, options)]
+    elsif property('stunnel.clients.couch_client')
+      couchdb_urls_via_stunnel(path, options)
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/tests/helpers/files_helper.rb b/tests/helpers/files_helper.rb
new file mode 100644
index 00000000..d6795889
--- /dev/null
+++ b/tests/helpers/files_helper.rb
@@ -0,0 +1,54 @@
+class LeapTest
+
+  #
+  # Matches the regexp in the file, and returns the first matched string (or fails if no match).
+  #
+  def file_match(filename, regexp)
+    if match = File.read(filename).match(regexp)
+      match.captures.first
+    else
+      fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}."
+    end
+  end
+
+  #
+  # Matches the regexp in the file, and returns array of matched strings (or fails if no match).
+  #
+  def file_matches(filename, regexp)
+    if match = File.read(filename).match(regexp)
+      match.captures
+    else
+      fail "Regexp #{regexp.inspect} not found in file #{filename.inspect}."
+    end
+  end
+
+  #
+  # checks to make sure the given property path exists in $node (e.g. hiera.yaml)
+  # and returns the value
+  #
+  def assert_property(property)
+    latest = $node
+    property.split('.').each do |segment|
+      latest = latest[segment]
+      fail "Required node property `#{property}` is missing." if latest.nil?
+    end
+    return latest
+  end
+
+  #
+  # a handy function to get the value of a long property path
+  # without needing to test the existance individually of each part
+  # in the tree.
+  #
+  # e.g. property("stunnel.clients.couch_client")
+  #
+  def property(property)
+    latest = $node
+    property.split('.').each do |segment|
+      latest = latest[segment]
+      return nil if latest.nil?
+    end
+    return latest
+  end
+
+end
\ No newline at end of file
diff --git a/tests/helpers/http_helper.rb b/tests/helpers/http_helper.rb
new file mode 100644
index 00000000..c941ef63
--- /dev/null
+++ b/tests/helpers/http_helper.rb
@@ -0,0 +1,145 @@
+require 'net/http'
+
+class LeapTest
+
+  #
+  # In order to easily provide detailed error messages, it is useful
+  # to append a memo to a url string that details what this url is for
+  # (e.g. stunnel, haproxy, etc).
+  #
+  # So, the url happens to be a UrlString, the memo field is used
+  # if there is an error in assert_get.
+  #
+  class URLString < String
+    attr_accessor :memo
+  end
+
+  #
+  # aliases for http_send()
+  #
+  def get(url, params=nil, options=nil, &block)
+    http_send("GET", url, params, options, &block)
+  end
+  def delete(url, params=nil, options=nil, &block)
+    http_send("DELETE", url, params, options, &block)
+  end
+  def post(url, params=nil, options=nil, &block)
+    http_send("POST", url, params, options, &block)
+  end
+  def put(url, params=nil, options=nil, &block)
+    http_send("PUT", url, params, options, &block)
+  end
+
+  #
+  # send a GET, DELETE, POST, or PUT
+  # yields |body, response, error|
+  #
+  def http_send(method, url, params=nil, options=nil)
+    options ||= {}
+    response = nil
+
+    # build uri
+    uri = URI(url)
+    if params && (method == 'GET' || method == 'DELETE')
+      uri.query = URI.encode_www_form(params)
+    end
+
+    # build http
+    http = Net::HTTP.new uri.host, uri.port
+    if uri.scheme == 'https'
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      http.use_ssl = true
+    end
+
+    # build request
+    request = build_request(method, uri, params, options)
+
+    # make http request
+    http.start do |agent|
+      response = agent.request(request)
+      yield response.body, response, nil
+    end
+  rescue => exc
+    yield nil, response, exc
+  end
+
+  #
+  # Aliases for assert_http_send()
+  #
+  def assert_get(url, params=nil, options=nil, &block)
+    assert_http_send("GET", url, params, options, &block)
+  end
+  def assert_delete(url, params=nil, options=nil, &block)
+    assert_http_send("DELETE", url, params, options, &block)
+  end
+  def assert_post(url, params=nil, options=nil, &block)
+    assert_http_send("POST", url, params, options, &block)
+  end
+  def assert_put(url, params=nil, options=nil, &block)
+    assert_http_send("PUT", url, params, options, &block)
+  end
+
+  #
+  # calls http_send, yielding results if successful or failing with
+  # descriptive infor otherwise.
+  #
+  def assert_http_send(method, url, params=nil, options=nil, &block)
+    options ||= {}
+    error_msg = options[:error_msg] || (url.respond_to?(:memo) ? url.memo : nil)
+    http_send(method, url, params, options) do |body, response, error|
+      if body && response && response.code.to_i >= 200 && response.code.to_i < 300
+        if block
+          yield(body) if block.arity == 1
+          yield(response, body) if block.arity == 2
+        end
+      elsif response
+        fail ["Expected a 200 status code from #{url}, but got #{response.code} instead.", error_msg, body].compact.join("\n")
+      else
+        fail ["Expected a response from #{url}, but got \"#{error}\" instead.", error_msg, body].compact.join("\n"), error
+      end
+    end
+  end
+
+  #
+  # only a warning for now, should be a failure in the future
+  #
+  def assert_auth_fail(url, params)
+    uri = URI(url)
+    get(url, params) do |body, response, error|
+      unless response.code.to_s == "401"
+        warn "Expected a '401 Unauthorized' response, but got #{response.code} instead (GET #{uri.request_uri} with username '#{uri.user}')."
+        return false
+      end
+    end
+    true
+  end
+
+  private
+
+  def build_request(method, uri, params, options)
+    request = case method
+      when "GET"    then Net::HTTP::Get.new(uri.request_uri)
+      when "DELETE" then Net::HTTP::Delete.new(uri.request_uri)
+      when "POST"   then Net::HTTP::Post.new(uri.request_uri)
+      when "PUT"    then Net::HTTP::Put.new(uri.request_uri)
+    end
+    if uri.user
+      request.basic_auth uri.user, uri.password
+    end
+    if params && (method == 'POST' || method == 'PUT')
+      if options[:format] == :json || options[:format] == 'json'
+        request["Content-Type"] = "application/json"
+        request.body = params.to_json
+      else
+        request.set_form_data(params) if params
+      end
+    end
+    if options[:headers]
+      options[:headers].each do |key, value|
+        request[key] = value
+      end
+    end
+    request
+  end
+
+end
\ No newline at end of file
diff --git a/tests/helpers/network_helper.rb b/tests/helpers/network_helper.rb
new file mode 100644
index 00000000..ff92d382
--- /dev/null
+++ b/tests/helpers/network_helper.rb
@@ -0,0 +1,79 @@
+class LeapTest
+
+  #
+  # tcp connection helper with timeout
+  #
+  def try_tcp_connect(host, port, timeout = 5)
+    addr     = Socket.getaddrinfo(host, nil)
+    sockaddr = Socket.pack_sockaddr_in(port, addr[0][3])
+
+    Socket.new(Socket.const_get(addr[0][0]), Socket::SOCK_STREAM, 0).tap do |socket|
+      socket.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+      begin
+        socket.connect_nonblock(sockaddr)
+      rescue IO::WaitReadable
+        if IO.select([socket], nil, nil, timeout) == nil
+          raise "Connection timeout"
+        else
+          socket.connect_nonblock(sockaddr)
+        end
+      rescue IO::WaitWritable
+        if IO.select(nil, [socket], nil, timeout) == nil
+          raise "Connection timeout"
+        else
+          socket.connect_nonblock(sockaddr)
+        end
+      end
+      return socket
+    end
+  end
+
+  def try_tcp_write(socket, timeout = 5)
+    begin
+      socket.write_nonblock("\0")
+    rescue IO::WaitReadable
+      if IO.select([socket], nil, nil, timeout) == nil
+        raise "Write timeout"
+      else
+        retry
+      end
+    rescue IO::WaitWritable
+      if IO.select(nil, [socket], nil, timeout) == nil
+        raise "Write timeout"
+      else
+        retry
+      end
+    end
+  end
+
+  def try_tcp_read(socket, timeout = 5)
+    begin
+      socket.read_nonblock(1)
+    rescue IO::WaitReadable
+      if IO.select([socket], nil, nil, timeout) == nil
+        raise "Read timeout"
+      else
+        retry
+      end
+    rescue IO::WaitWritable
+      if IO.select(nil, [socket], nil, timeout) == nil
+        raise "Read timeout"
+      else
+        retry
+      end
+    end
+  end
+
+  def assert_tcp_socket(host, port, msg=nil)
+    begin
+      socket = try_tcp_connect(host, port, 1)
+      #try_tcp_write(socket,1)
+      #try_tcp_read(socket,1)
+    rescue StandardError => exc
+      fail ["Failed to open socket #{host}:#{port}", exc].join("\n")
+    ensure
+      socket.close if socket
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/tests/helpers/os_helper.rb b/tests/helpers/os_helper.rb
new file mode 100644
index 00000000..529e899f
--- /dev/null
+++ b/tests/helpers/os_helper.rb
@@ -0,0 +1,34 @@
+class LeapTest
+
+  #
+  # works like pgrep command line
+  # return an array of hashes like so [{:pid => "1234", :process => "ls"}]
+  #
+  def pgrep(match)
+    output = `pgrep --full --list-name '#{match}'`
+    output.each_line.map{|line|
+      pid = line.split(' ')[0]
+      process = line.gsub(/(#{pid} |\n)/, '')
+      if process =~ /pgrep --full --list-name/
+        nil
+      else
+        {:pid => pid, :process => process}
+      end
+    }.compact
+  end
+
+  def assert_running(process)
+    assert pgrep(process).any?, "No running process for #{process}"
+  end
+
+  #
+  # runs the specified command, failing on a non-zero exit status.
+  #
+  def assert_run(command)
+    output = `#{command}`
+    if $?.exitstatus != 0
+      fail "Error running `#{command}`:\n#{output}"
+    end
+  end
+
+end
\ No newline at end of file
diff --git a/tests/helpers/srp_helper.rb b/tests/helpers/srp_helper.rb
new file mode 100644
index 00000000..9f4d7f5b
--- /dev/null
+++ b/tests/helpers/srp_helper.rb
@@ -0,0 +1,171 @@
+#
+# Here are some very stripped down helper methods for SRP, useful only for
+# testing the client side.
+#
+
+require 'digest'
+require 'openssl'
+require 'securerandom'
+
+module SRP
+
+  ##
+  ## UTIL
+  ##
+
+  module Util
+    PRIME_N = <<-EOS.split.join.hex
+115b8b692e0e045692cf280b436735c77a5a9e8a9e7ed56c965f87db5b2a2ece3
+    EOS
+    BIG_PRIME_N = <<-EOS.split.join.hex # 1024 bits modulus (N)
+eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c25657
+6d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089da
+d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5
+7ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb
+06e3
+    EOS
+    GENERATOR = 2 # g
+
+    def hn_xor_hg
+      byte_xor_hex(sha256_int(BIG_PRIME_N), sha256_int(GENERATOR))
+    end
+
+    # a^n (mod m)
+    def modpow(a, n, m = BIG_PRIME_N)
+      r = 1
+      while true
+        r = r * a % m if n[0] == 1
+        n >>= 1
+        return r if n == 0
+        a = a * a % m
+      end
+    end
+
+    #  Hashes the (long) int args
+    def sha256_int(*args)
+      sha256_hex(*args.map{|a| "%02x" % a})
+    end
+
+    #  Hashes the hex args
+    def sha256_hex(*args)
+      h = args.map{|a| a.length.odd? ? "0#{a}" : a }.join('')
+      sha256_str([h].pack('H*'))
+    end
+
+    def sha256_str(s)
+      Digest::SHA2.hexdigest(s)
+    end
+
+    def bigrand(bytes)
+      OpenSSL::Random.random_bytes(bytes).unpack("H*")[0]
+    end
+
+    def multiplier
+      @muliplier ||= calculate_multiplier
+    end
+
+    protected
+
+    def calculate_multiplier
+      sha256_int(BIG_PRIME_N, GENERATOR).hex
+    end
+
+    def byte_xor_hex(a, b)
+      a = [a].pack('H*')
+      b = [b].pack('H*')
+      a.bytes.each_with_index.map do |a_byte, i|
+        (a_byte ^ (b[i].ord || 0)).chr
+      end.join
+    end
+  end
+
+  ##
+  ## SESSION
+  ##
+
+  class Session
+    include SRP::Util
+    attr_accessor :user
+    attr_accessor :bb
+
+    def initialize(user, aa=nil)
+      @user = user
+      @a = bigrand(32).hex
+    end
+
+    def m
+      @m ||= sha256_hex(n_xor_g_long, login_hash, @user.salt.to_s(16), aa, bb, k)
+    end
+
+    def aa
+      @aa ||= modpow(GENERATOR, @a).to_s(16) # A = g^a (mod N)
+    end
+
+    protected
+
+    # client: K = H( (B - kg^x) ^ (a + ux) )
+    def client_secret
+      base = bb.hex
+      base -= modpow(GENERATOR, @user.private_key) * multiplier
+      base = base % BIG_PRIME_N
+      modpow(base, @user.private_key * u.hex + @a)
+    end
+
+    def k
+      @k ||= sha256_int(client_secret)
+    end
+
+    def n_xor_g_long
+      @n_xor_g_long ||= hn_xor_hg.bytes.map{|b| "%02x" % b.ord}.join
+    end
+
+    def login_hash
+      @login_hash ||= sha256_str(@user.username)
+    end
+
+    def u
+      @u ||= sha256_hex(aa, bb)
+    end
+  end
+
+  ##
+  ## Dummy USER
+  ##
+
+  class User
+    include SRP::Util
+
+    attr_accessor :username
+    attr_accessor :password
+    attr_accessor :salt
+    attr_accessor :verifier
+
+    def initialize
+      @username = "test_user_" + SecureRandom.urlsafe_base64(10).downcase.gsub(/[_-]/, '')
+      @password = "password_" + SecureRandom.urlsafe_base64(10)
+      @salt     = bigrand(4).hex
+      @verifier = modpow(GENERATOR, private_key)
+    end
+
+    def private_key
+      @private_key ||= calculate_private_key
+    end
+
+    def to_params
+      {
+        'user[login]' => @username,
+        'user[password_verifier]' => @verifier.to_s(16),
+        'user[password_salt]' => @salt.to_s(16)
+      }
+    end
+
+    private
+
+    def calculate_private_key
+      shex = '%x' % [@salt]
+      inner = sha256_str([@username, @password].join(':'))
+      sha256_hex(shex, inner).hex
+    end
+  end
+
+end
diff --git a/tests/order.rb b/tests/order.rb
index ffa6ae4e..4468686f 100644
--- a/tests/order.rb
+++ b/tests/order.rb
@@ -3,6 +3,10 @@ class LeapCli::Config::Node
   # returns a list of node names that should be tested before this node.
   # make sure to not return ourselves (please no dependency loops!).
   #
+  # NOTE: this method determines the order that nodes are tested in. To specify
+  # the order of tests on a particular node, each test can call class method
+  # LeapTest.depends_on().
+  #
   def test_dependencies
     dependents = LeapCli::Config::ObjectList.new
     unless services.include?('couchdb')
diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb
index a5adb2bf..d438b193 100644
--- a/tests/white-box/couchdb.rb
+++ b/tests/white-box/couchdb.rb
@@ -52,7 +52,7 @@ class CouchDB < LeapTest
   #
   def test_03_Are_configured_nodes_online?
     return unless multimaster?
-    url = couchdb_url("/_membership", :user => 'admin')
+    url = couchdb_url("/_membership", :username => 'admin')
     assert_get(url) do |body|
       response = JSON.parse(body)
       nodes_configured_but_not_available = response['cluster_nodes'] - response['all_nodes']
@@ -71,7 +71,7 @@ class CouchDB < LeapTest
 
   def test_04_Do_ACL_users_exist?
     acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'tapicero', 'webapp', 'replication']
-    url = couchdb_backend_url("/_users/_all_docs", :user => 'admin')
+    url = couchdb_backend_url("/_users/_all_docs", :username => 'admin')
     assert_get(url) do |body|
       response = JSON.parse(body)
       assert_equal acl_users.count, response['total_rows']
@@ -84,7 +84,7 @@ class CouchDB < LeapTest
   def test_05_Do_required_databases_exist?
     dbs_that_should_exist = ["customers","identities","keycache","sessions","shared","tickets","tokens","users"]
     dbs_that_should_exist.each do |db_name|
-      url = couchdb_url("/"+db_name, :user => 'admin')
+      url = couchdb_url("/"+db_name, :username => 'admin')
       assert_get(url) do |body|
         assert response = JSON.parse(body)
         assert_equal db_name, response['db_name']
@@ -102,50 +102,54 @@ class CouchDB < LeapTest
 
   #def test_06_Is_ACL_enforced?
   #  ok = assert_auth_fail(
-  #    couchdb_url('/users/_all_docs', :user => 'leap_mx'),
+  #    couchdb_url('/users/_all_docs', :username => 'leap_mx'),
   #    {:limit => 1}
   #  )
   #  ok = assert_auth_fail(
-  #    couchdb_url('/users/_all_docs', :user => 'leap_mx'),
+  #    couchdb_url('/users/_all_docs', :username => 'leap_mx'),
   #    {:limit => 1}
   #  ) && ok
   #  pass if ok
   #end
 
-  def test_07_What?
+  def test_07_Can_records_be_created?
+    token = Token.new
+    url = couchdb_url("/tokens", :username => 'admin')
+    assert_post(url, token, :format => :json) do |body|
+      assert response = JSON.parse(body), "POST response should be JSON"
+      assert response["ok"], "POST response should be OK"
+      assert_delete(File.join(url, response["id"]), :rev => response["rev"]) do |body|
+        assert response = JSON.parse(body), "DELETE response should be JSON"
+        assert response["ok"], "DELETE response should be OK"
+      end
+    end
     pass
   end
 
   private
 
-  def couchdb_url(path="", options=nil)
-    options||={}
-    @port ||= begin
-      assert_property 'couch.port'
-      $node['couch']['port']
-    end
-    url = 'http://'
-    if options[:user]
-      assert_property 'couch.users.' + options[:user]
-      password = $node['couch']['users'][options[:user]]['password']
-      url += "%s:%s@" % [options[:user], password]
-    end
-    url += "localhost:#{options[:port] || @port}#{path}"
-    url
+  def multimaster?
+    mode == "multimaster"
   end
 
+  def mode
+    assert_property('couch.mode')
+  end
+
+  # TODO: admin port is hardcoded for now but should be configurable.
   def couchdb_backend_url(path="", options={})
-    # TODO: admin port is hardcoded for now but should be configurable.
     options = {port: multimaster? && "5986"}.merge options
     couchdb_url(path, options)
   end
 
-  def multimaster?
-    mode == "multimaster"
-  end
-
-  def mode
-    assert_property('couch.mode')
+  require 'securerandom'
+  require 'digest/sha2'
+  class Token < Hash
+    def initialize
+      self['token'] = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+      self['_id'] = Digest::SHA512.hexdigest(self['token'])
+      self['last_seen_at'] = Time.now
+    end
   end
 
 end
diff --git a/tests/white-box/mx.rb b/tests/white-box/mx.rb
new file mode 100644
index 00000000..da780de4
--- /dev/null
+++ b/tests/white-box/mx.rb
@@ -0,0 +1,50 @@
+raise SkipTest unless $node["services"].include?("mx")
+
+require 'json'
+
+class Mx < LeapTest
+  depends_on "Network"
+
+  def setup
+  end
+
+  def test_01_Can_contact_couchdb?
+    dbs = ["identities"]
+    dbs.each do |db_name|
+      couchdb_urls("/"+db_name, url_options).each do |url|
+        assert_get(url) do |body|
+          assert response = JSON.parse(body)
+          assert_equal db_name, response['db_name']
+        end
+      end
+    end
+    pass
+  end
+
+  def test_02_Can_contact_couchdb_via_haproxy?
+    if property('haproxy.couch')
+      url = couchdb_url_via_haproxy("", url_options)
+      assert_get(url) do |body|
+        assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message."
+      end
+      pass
+    end
+  end
+
+  def test_03_Are_MX_daemons_running?
+    assert_running 'leap_mx'
+    assert_running '/usr/lib/postfix/master'
+    assert_running '/usr/sbin/unbound'
+    pass
+  end
+
+  private
+
+  def url_options
+    {
+      :username => property('couchdb_leap_mx_user.username'),
+      :password => property('couchdb_leap_mx_user.password')
+    }
+  end
+
+end
diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb
index 7df57fd7..0fea1c7f 100644
--- a/tests/white-box/webapp.rb
+++ b/tests/white-box/webapp.rb
@@ -1,58 +1,29 @@
 raise SkipTest unless $node["services"].include?("webapp")
 
-require 'socket'
+require 'json'
 
 class Webapp < LeapTest
   depends_on "Network"
 
-  HAPROXY_CONFIG = '/etc/haproxy/haproxy.cfg'
-
   def setup
   end
 
-  #
-  # example properties:
-  #
-  # stunnel:
-  #   clients:
-  #     couch_client:
-  #       couch1_5984:
-  #         accept_port: 4000
-  #         connect: couch1.bitmask.i
-  #         connect_port: 15984
-  #
   def test_01_Can_contact_couchdb?
-    assert_property('stunnel.clients.couch_client')
-    $node['stunnel']['clients']['couch_client'].values.each do |stunnel_conf|
-      assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.'
-      local_stunnel_url = "http://localhost:#{port}"
-      remote_ip_address = TCPSocket.gethostbyname(stunnel_conf['connect']).last
-      msg = "(stunnel to %s:%s, aka %s)" % [stunnel_conf['connect'], stunnel_conf['connect_port'], remote_ip_address]
-      assert_get(local_stunnel_url, nil, error_msg: msg) do |body|
-        assert_match /"couchdb":"Welcome"/, body, "Request to #{local_stunnel_url} should return couchdb welcome message."
-      end
+    url = couchdb_url("", url_options)
+    assert_get(url) do |body|
+      assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message."
     end
     pass
   end
 
-  #
-  # example properties:
-  #
-  # haproxy:
-  #   servers:
-  #     couch1:
-  #       backup: false
-  #       host: localhost
-  #       port: 4000
-  #       weight: 10
-  #
-  def test_02_Is_haproxy_working?
-    port = file_match(HAPROXY_CONFIG, /^  bind localhost:(\d+)$/)
-    url = "http://localhost:#{port}"
-    assert_get(url) do |body|
-      assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message."
+  def test_02_Can_contact_couchdb_via_haproxy?
+    if property('haproxy.couch')
+      url = couchdb_url_via_haproxy("", url_options)
+      assert_get(url) do |body|
+        assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message."
+      end
+      pass
     end
-    pass
   end
 
   def test_03_Are_daemons_running?
@@ -70,4 +41,94 @@ class Webapp < LeapTest
     pass
   end
 
+  def test_05_Can_create_user?
+    @@user = nil
+    user = SRP::User.new
+    url = api_url("/1/users.json")
+    assert_post(url, user.to_params) do |body|
+      assert response = JSON.parse(body), 'response should be JSON'
+      assert response['ok'], 'creating a user should be successful'
+    end
+    @@user = user
+    pass
+  end
+
+  def test_06_Can_authenticate?
+    @@user_id = nil
+    @@session_token = nil
+    if @@user.nil?
+      skip "Depends on user creation"
+    else
+      url = api_url("/1/sessions.json")
+      session = SRP::Session.new(@@user)
+      params = {'login' => @@user.username, 'A' => session.aa}
+      assert_post(url, params) do |response, body|
+        cookie = response['Set-Cookie'].split(';').first
+        assert(response = JSON.parse(body), 'response should be JSON')
+        assert(bb = response["B"])
+        session.bb = bb
+        url = api_url("/1/sessions/login.json")
+        params = {'client_auth' => session.m, 'A' => session.aa}
+        options = {:headers => {'Cookie' => cookie}}
+        assert_put(url, params, options) do |body|
+          assert(response = JSON.parse(body), 'response should be JSON')
+          assert(response['M2'], 'response should include M2')
+          assert(@@session_token = response['token'], 'response should include token')
+          assert(@@user_id = response['id'], 'response should include user id')
+        end
+      end
+      pass
+    end
+  end
+
+  def test_07_Can_delete_user?
+    if @@user_id.nil? || @@session_token.nil?
+      skip "Depends on authentication"
+    else
+      url = api_url("/1/users/#{@@user_id}.json")
+      options = {:headers => {
+        "Authorization" => "Token token=\"#{@@session_token}\""
+      }}
+      delete(url, {}, options) do |body, response, error|
+        if response.code.to_i != 200
+          skip "It appears the web api is too old to support deleting users"
+        else
+          assert(response = JSON.parse(body), 'response should be JSON')
+          assert(response["success"], 'delete should be a success')
+          pass
+        end
+      end
+    end
+  end
+
+  private
+
+  def url_options
+    {
+      :username => property('couchdb_webapp_user.username'),
+      :password => property('couchdb_webapp_user.password')
+    }
+  end
+
+  def api_url(path)
+    "https://%{domain}:%{port}#{path}" % {
+      :domain   => property('api.domain'),
+      :port     => property('api.port')
+    }
+  end
+
+  #
+  # I tried, but couldn't get this working:
+  # #
+  # # get an CSRF authenticity token
+  # #
+  # url = api_url("/")
+  # csrf_token = nil
+  # assert_get(url) do |body|
+  #   lines = body.split("\n").grep(/csrf-token/)
+  #   assert lines.any?, 'failed to find csrf-token'
+  #   csrf_token = lines.first.split('"')[1]
+  #   assert csrf_token, 'failed to find csrf-token'
+  # end
+
 end