6 files changed, 262 insertions, 90 deletions
diff --git a/tests/white-box/couchdb.rb b/tests/white-box/couchdb.rb
index 9d5da94f..450c4201 100644
--- a/tests/white-box/couchdb.rb
+++ b/tests/white-box/couchdb.rb
@@ -1,4 +1,4 @@
-raise SkipTest unless $node["services"].include?("couchdb")
+raise SkipTest unless service?(:couchdb)
 
 require 'json'
 
@@ -9,9 +9,11 @@ class CouchDB < LeapTest
   end
 
   def test_00_Are_daemons_running?
-    assert_running 'tapicero'
-    assert_running 'bin/beam'
-    assert_running 'bin/epmd'
+    assert_running '^tapicero', :single => true
+    if multimaster?
+      assert_running 'bin/beam'
+      assert_running 'bin/epmd'
+    end
     pass
   end
 
@@ -29,6 +31,7 @@ class CouchDB < LeapTest
   # compare the configured nodes to the nodes that are actually listed in bigcouch
   #
   def test_02_Is_cluster_membership_ok?
+    return unless multimaster?
     url = couchdb_backend_url("/nodes/_all_docs")
     neighbors = assert_property('couch.bigcouch.neighbors')
     neighbors << assert_property('domain.full')
@@ -48,7 +51,8 @@ class CouchDB < LeapTest
   # this seems backward to me, so it might be the other way around.
   #
   def test_03_Are_configured_nodes_online?
-    url = couchdb_url("/_membership")
+    return unless multimaster?
+    url = couchdb_url("/_membership", :username => 'admin')
     assert_get(url) do |body|
       response = JSON.parse(body)
       nodes_configured_but_not_available = response['cluster_nodes'] - response['all_nodes']
@@ -66,11 +70,11 @@ class CouchDB < LeapTest
   end
 
   def test_04_Do_ACL_users_exist?
-    acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'tapicero', 'webapp']
-    url = couchdb_backend_url("/_users/_all_docs")
+    acl_users = ['_design/_auth', 'leap_mx', 'nickserver', 'soledad', 'tapicero', 'webapp', 'replication']
+    url = couchdb_backend_url("/_users/_all_docs", :username => 'admin')
     assert_get(url) do |body|
       response = JSON.parse(body)
-      assert_equal 6, response['total_rows']
+      assert_equal acl_users.count, response['total_rows']
       actual_users = response['rows'].map{|row| row['id'].sub(/^org.couchdb.user:/, '') }
       assert_equal acl_users.sort, actual_users.sort
     end
@@ -80,7 +84,8 @@ class CouchDB < LeapTest
   def test_05_Do_required_databases_exist?
     dbs_that_should_exist = ["customers","identities","keycache","sessions","shared","tickets","tokens","users"]
     dbs_that_should_exist.each do |db_name|
-      assert_get(couchdb_url("/"+db_name)) do |body|
+      url = couchdb_url("/"+db_name, :username => 'admin')
+      assert_get(url) do |body|
         assert response = JSON.parse(body)
         assert_equal db_name, response['db_name']
       end
@@ -88,22 +93,63 @@ class CouchDB < LeapTest
     pass
   end
 
-  private
+  # disable ACL enforcement, because it's a known issue with bigcouch
+  # and will only confuse the user
+  # see https://leap.se/code/issues/6030 for more details
+  #
+  ## for now, this just prints warnings, since we are failing these tests.
+  ##
 
-  def couchdb_url(path="", port=nil)
-    @port ||= begin
-      assert_property 'couch.port'
-      $node['couch']['port']
-    end
-    @password ||= begin
-      assert_property 'couch.users.admin.password'
-      $node['couch']['users']['admin']['password']
+  #def test_06_Is_ACL_enforced?
+  #  ok = assert_auth_fail(
+  #    couchdb_url('/users/_all_docs', :username => 'leap_mx'),
+  #    {:limit => 1}
+  #  )
+  #  ok = assert_auth_fail(
+  #    couchdb_url('/users/_all_docs', :username => 'leap_mx'),
+  #    {:limit => 1}
+  #  ) && ok
+  #  pass if ok
+  #end
+
+  def test_07_Can_records_be_created?
+    token = Token.new
+    url = couchdb_url("/tokens", :username => 'admin')
+    assert_post(url, token, :format => :json) do |body|
+      assert response = JSON.parse(body), "POST response should be JSON"
+      assert response["ok"], "POST response should be OK"
+      assert_delete(File.join(url, response["id"]), :rev => response["rev"]) do |body|
+        assert response = JSON.parse(body), "DELETE response should be JSON"
+        assert response["ok"], "DELETE response should be OK"
+      end
     end
-    "http://admin:#{@password}@localhost:#{port || @port}#{path}"
+    pass
+  end
+
+  private
+
+  def multimaster?
+    mode == "multimaster"
+  end
+
+  def mode
+    assert_property('couch.mode')
+  end
+
+  # TODO: admin port is hardcoded for now but should be configurable.
+  def couchdb_backend_url(path="", options={})
+    options = {port: multimaster? && "5986"}.merge options
+    couchdb_url(path, options)
   end
 
-  def couchdb_backend_url(path="")
-    couchdb_url(path, "5986") # TODO: admin port is hardcoded for now but should be configurable.
+  require 'securerandom'
+  require 'digest/sha2'
+  class Token < Hash
+    def initialize
+      self['token'] = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+      self['_id'] = Digest::SHA512.hexdigest(self['token'])
+      self['last_seen_at'] = Time.now
+    end
   end
 
 end
diff --git a/tests/white-box/mx.rb b/tests/white-box/mx.rb
new file mode 100644
index 00000000..794a9a41
--- /dev/null
+++ b/tests/white-box/mx.rb
@@ -0,0 +1,50 @@
+raise SkipTest unless service?(:mx)
+
+require 'json'
+
+class Mx < LeapTest
+  depends_on "Network"
+
+  def setup
+  end
+
+  def test_01_Can_contact_couchdb?
+    dbs = ["identities"]
+    dbs.each do |db_name|
+      couchdb_urls("/"+db_name, url_options).each do |url|
+        assert_get(url) do |body|
+          assert response = JSON.parse(body)
+          assert_equal db_name, response['db_name']
+        end
+      end
+    end
+    pass
+  end
+
+  def test_02_Can_contact_couchdb_via_haproxy?
+    if property('haproxy.couch')
+      url = couchdb_url_via_haproxy("", url_options)
+      assert_get(url) do |body|
+        assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message."
+      end
+      pass
+    end
+  end
+
+  def test_03_Are_MX_daemons_running?
+    assert_running 'leap_mx'
+    assert_running '/usr/lib/postfix/master'
+    assert_running '/usr/sbin/unbound'
+    pass
+  end
+
+  private
+
+  def url_options
+    {
+      :username => property('couchdb_leap_mx_user.username'),
+      :password => property('couchdb_leap_mx_user.password')
+    }
+  end
+
+end
diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb
index e0b0339d..f2041710 100644
--- a/tests/white-box/network.rb
+++ b/tests/white-box/network.rb
@@ -26,38 +26,35 @@ class Network < LeapTest
   #     connect: "127.0.0.1:5984"
   #
   def test_02_Is_stunnel_running?
-    if $node['stunnel']
-      good_stunnel_pids = []
-      $node['stunnel'].each do |stunnel_type, stunnel_configs|
-        if stunnel_type =~ /_clients?$/
-          stunnel_configs.each do |stunnel_name, stunnel_conf|
-            config_file_name = "/etc/stunnel/#{stunnel_name}.conf"
-            processes = pgrep(config_file_name)
-            assert_equal 6, processes.length, "There should be six stunnel processes running for `#{config_file_name}`"
-            good_stunnel_pids += processes.map{|ps| ps[:pid]}
-            assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.'
-            assert_tcp_socket('localhost', port)
-          end
-        elsif stunnel_type =~ /_server$/
-          config_file_name = "/etc/stunnel/#{stunnel_type}.conf"
-          processes = pgrep(config_file_name)
-          assert_equal 6, processes.length, "There should be six stunnel processes running for `#{config_file_name}`"
-          good_stunnel_pids += processes.map{|ps| ps[:pid]}
-          assert accept = stunnel_configs['accept'], "Field `accept` must be present in property `stunnel.#{stunnel_type}`"
-          assert_tcp_socket('localhost', accept)
-          assert connect = stunnel_configs['connect'], "Field `connect` must be present in property `stunnel.#{stunnel_type}`"
-          assert_tcp_socket(*connect.split(':'))
-        else
-          skip "Unknown stunnel type `#{stunnel_type}`"
-        end
+    ignore unless $node['stunnel']
+    good_stunnel_pids = []
+    $node['stunnel']['clients'].each do |stunnel_type, stunnel_configs|
+      stunnel_configs.each do |stunnel_name, stunnel_conf|
+        config_file_name = "/etc/stunnel/#{stunnel_name}.conf"
+        processes = pgrep(config_file_name)
+        assert_equal 6, processes.length, "There should be six stunnel processes running for `#{config_file_name}`"
+        good_stunnel_pids += processes.map{|ps| ps[:pid]}
+        assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.'
+        assert_tcp_socket('localhost', port)
       end
-      all_stunnel_pids = pgrep('/usr/bin/stunnel').collect{|process| process[:pid]}.uniq
-      assert_equal good_stunnel_pids.sort, all_stunnel_pids.sort, "There should not be any extra stunnel processes that are not configured in /etc/stunnel"
-      pass
     end
+    $node['stunnel']['servers'].each do |stunnel_name, stunnel_conf|
+      config_file_name = "/etc/stunnel/#{stunnel_name}.conf"
+      processes = pgrep(config_file_name)
+      assert_equal 6, processes.length, "There should be six stunnel processes running for `#{config_file_name}`"
+      good_stunnel_pids += processes.map{|ps| ps[:pid]}
+      assert accept_port = stunnel_conf['accept_port'], "Field `accept` must be present in property `stunnel.servers.#{stunnel_name}`"
+      assert_tcp_socket('localhost', accept_port)
+      assert connect_port = stunnel_conf['connect_port'], "Field `connect` must be present in property `stunnel.servers.#{stunnel_name}`"
+      assert_tcp_socket('localhost', connect_port)
+    end
+    all_stunnel_pids = pgrep('/usr/bin/stunnel').collect{|process| process[:pid]}.uniq
+    assert_equal good_stunnel_pids.sort, all_stunnel_pids.sort, "There should not be any extra stunnel processes that are not configured in /etc/stunnel"
+    pass
   end
 
   def test_03_Is_shorewall_running?
+    ignore unless File.exists?('/sbin/shorewall')
     assert_run('/sbin/shorewall status')
     pass
   end
diff --git a/tests/white-box/openvpn.rb b/tests/white-box/openvpn.rb
index 5eb2bdb5..23a40426 100644
--- a/tests/white-box/openvpn.rb
+++ b/tests/white-box/openvpn.rb
@@ -1,6 +1,6 @@
-raise SkipTest unless $node["services"].include?("openvpn")
+raise SkipTest unless service?(:openvpn)
 
-class Openvpn < LeapTest
+class OpenVPN < LeapTest
   depends_on "Network"
 
   def setup
diff --git a/tests/white-box/soledad.rb b/tests/white-box/soledad.rb
new file mode 100644
index 00000000..5a13e4a6
--- /dev/null
+++ b/tests/white-box/soledad.rb
@@ -0,0 +1,17 @@
+raise SkipTest unless service?(:soledad)
+
+require 'json'
+
+class Soledad < LeapTest
+  depends_on "Network"
+  depends_on "CouchDB" if service?(:couchdb)
+
+  def setup
+  end
+
+  def test_00_Is_Soledad_running?
+    assert_running 'soledad'
+    pass
+  end
+
+end
diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb
index 142ac2de..9f104899 100644
--- a/tests/white-box/webapp.rb
+++ b/tests/white-box/webapp.rb
@@ -1,57 +1,29 @@
-raise SkipTest unless $node["services"].include?("webapp")
+raise SkipTest unless service?(:webapp)
 
-require 'socket'
+require 'json'
 
 class Webapp < LeapTest
   depends_on "Network"
 
-  HAPROXY_CONFIG = '/etc/haproxy/haproxy.cfg'
-
   def setup
   end
 
-  #
-  # example properties:
-  #
-  # stunnel:
-  #   couch_client:
-  #     couch1_5984:
-  #       accept_port: 4000
-  #       connect: couch1.bitmask.i
-  #       connect_port: 15984
-  #
   def test_01_Can_contact_couchdb?
-    assert_property('stunnel.couch_client')
-    $node['stunnel']['couch_client'].values.each do |stunnel_conf|
-      assert port = stunnel_conf['accept_port'], 'Field `accept_port` must be present in `stunnel` property.'
-      local_stunnel_url = "http://localhost:#{port}"
-      remote_ip_address = TCPSocket.gethostbyname(stunnel_conf['connect']).last
-      msg = "(stunnel to %s:%s, aka %s)" % [stunnel_conf['connect'], stunnel_conf['connect_port'], remote_ip_address]
-      assert_get(local_stunnel_url, nil, error_msg: msg) do |body|
-        assert_match /"couchdb":"Welcome"/, body, "Request to #{local_stunnel_url} should return couchdb welcome message."
-      end
+    url = couchdb_url("", url_options)
+    assert_get(url) do |body|
+      assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message."
     end
     pass
   end
 
-  #
-  # example properties:
-  #
-  # haproxy:
-  #   servers:
-  #     couch1:
-  #       backup: false
-  #       host: localhost
-  #       port: 4000
-  #       weight: 10
-  #
-  def test_02_Is_haproxy_working?
-    port = file_match(HAPROXY_CONFIG, /^  bind localhost:(\d+)$/)
-    url = "http://localhost:#{port}"
-    assert_get(url) do |body|
-      assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message."
+  def test_02_Can_contact_couchdb_via_haproxy?
+    if property('haproxy.couch')
+      url = couchdb_url_via_haproxy("", url_options)
+      assert_get(url) do |body|
+        assert_match /"couchdb":"Welcome"/, body, "Request to #{url} should return couchdb welcome message."
+      end
+      pass
     end
-    pass
   end
 
   def test_03_Are_daemons_running?
@@ -60,4 +32,94 @@ class Webapp < LeapTest
     pass
   end
 
+  #
+  # this is technically a black-box test. so, move this when we have support
+  # for black box tests.
+  #
+  def test_04_Can_access_webapp?
+    assert_get('https://' + $node['webapp']['domain'] + '/')
+    pass
+  end
+
+  def test_05_Can_create_and_authenticate_and_delete_user_via_API?
+    assert_tmp_user
+    pass
+  end
+
+  def test_06_Can_sync_Soledad?
+    soledad_config = property('definition_files.soledad_service')
+    if soledad_config && !soledad_config.empty?
+      soledad_server = pick_soledad_server(soledad_config)
+      if soledad_server
+        assert_tmp_user do |user|
+          assert_user_db_exists(user)
+          command = File.expand_path "../../helpers/soledad_sync.py", __FILE__
+          soledad_url = "https://#{soledad_server}/user-#{user.id}"
+          assert_run "#{command} #{user.id} #{user.session_token} #{soledad_url}"
+          pass
+        end
+      end
+    else
+      skip 'No soledad service configuration'
+    end
+  end
+
+  private
+
+  def url_options
+    {
+      :username => property('couchdb_webapp_user.username'),
+      :password => property('couchdb_webapp_user.password')
+    }
+  end
+
+  #
+  # pick a random soledad server.
+  # I am not sure why, but using IP address directly does not work.
+  #
+  def pick_soledad_server(soledad_config_json_str)
+    soledad_config = JSON.parse(soledad_config_json_str)
+    host_name = soledad_config['hosts'].keys.shuffle.first
+    if host_name
+      hostname = soledad_config['hosts'][host_name]['hostname']
+      port = soledad_config['hosts'][host_name]['port']
+      return "#{hostname}:#{port}"
+    else
+      return nil
+    end
+  end
+
+  #
+  # returns true if the per-user db created by tapicero exists.
+  # we try three times, and give up after that.
+  #
+  def assert_user_db_exists(user)
+    last_body, last_response, last_error = nil
+    3.times do
+      sleep 0.1
+      get(couchdb_url("/user-#{user.id}/_design/docs")) do |body, response, error|
+        last_body, last_response, last_error = body, response, error
+        if response.code.to_i == 200
+          return
+        end
+      end
+      sleep 0.2
+    end
+    assert false, "Could not find user db for test user #{user.username}\nuuid=#{user.id}\nHTTP #{last_response.code} #{last_error} #{last_body}"
+  end
+
+  #
+  # I tried, but couldn't get this working:
+  # #
+  # # get an CSRF authenticity token
+  # #
+  # url = api_url("/")
+  # csrf_token = nil
+  # assert_get(url) do |body|
+  #   lines = body.split("\n").grep(/csrf-token/)
+  #   assert lines.any?, 'failed to find csrf-token'
+  #   csrf_token = lines.first.split('"')[1]
+  #   assert csrf_token, 'failed to find csrf-token'
+  # end
+
 end