From 3cfcbcfdf4dda55ec3a96e2d31477d5348a411c0 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 16 Aug 2016 14:23:16 -0400 Subject: ignore noisy 401 errors from soledad log. Change-Id: Ia1764cb28e263353856523c11f351a39774bf3b4 --- puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg index 3af5045b..11ad3a54 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/soledad.cfg @@ -1,4 +1,7 @@ /var/log/soledad.log +# Ignore 401 errors because they are quite noisy due to scanners giving us many false +# positives, and we do not need to see those + I \".*401 [0-9]+ C WSGI application error C Error C error -- cgit v1.2.3 From c02ff0e5c834ff0ba0923dc55c7a8be760e3cfd7 Mon Sep 17 00:00:00 2001 From: Victor Shyba Date: Wed, 17 Aug 2016 18:59:24 -0300 Subject: [test] soledad doesnt have design docs anymore This code was testing for it and should be removed. --- tests/white-box/webapp.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb index 68f3dcd2..424465da 100644 --- a/tests/white-box/webapp.rb +++ b/tests/white-box/webapp.rb @@ -104,9 +104,6 @@ class Webapp < LeapTest repeatedly_try("/#{db_name}") do |body, response, error| assert false, "Could not find user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" end - repeatedly_try("/#{db_name}/_design/docs") do |body, response, error| - assert false, "Could not find design docs for user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" - end end # -- cgit v1.2.3 From 9d46cdf76480cd7b0fb3b8d526476ea055fc5439 Mon Sep 17 00:00:00 2001 
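Review bot: The new ignore rule `I \".*401 [0-9]+` in soledad.cfg is not tied to the HTTP status field: the greedy `.*` lets it match any line that has a double quote anywhere before `401 ` and a digit. It also sits ahead of the `C` rules, and check_mk logwatch classifies a line by the first pattern that matches, so such a line is dropped even when it also contains `Error`. If the status code directly follows the quoted request line (the log format is not shown here), a tighter rule such as `I \" 401 [0-9]+` would limit the exclusion to real 401 responses. Ignoring every 401 also removes this check's view of repeated authentication failures, so the comment should say where those are still counted, for example `# 401s are not alerted on here; auth-failure volume is watched by <name of other check>`.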
From: Victor Shyba Date: Wed, 17 Aug 2016 19:00:24 -0300 Subject: [bug] check privileges and db access separately This commit introduces a way to check if db exists and then check if it is properly set in two asserts, so we can have two distinct phrases to avoid confusion. - Resolves: #8388 --- tests/white-box/webapp.rb | 41 ++++++++++++----------------------------- 1 file changed, 12 insertions(+), 29 deletions(-) diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb index 424465da..40c234d6 100644 --- a/tests/white-box/webapp.rb +++ b/tests/white-box/webapp.rb @@ -61,7 +61,7 @@ class Webapp < LeapTest soledad_url = "https://#{soledad_server}/user-#{user.id}" soledad_cert = "/usr/local/share/ca-certificates/leap_ca.crt" assert_run "#{command} #{user.id} #{user.session_token} #{soledad_url} #{soledad_cert} #{user.password}" - assert_user_db_exists(user) + assert_user_db_privileges(user) pass end end 
@@ -96,36 +96,19 @@ class Webapp < LeapTest end # - # returns true if the per-user db created by soledad-server exists. - # we try three times, and give up after that. + # checks if user db exists and is properly protected # - def assert_user_db_exists(user) - db_name = "user-#{user.id}" - repeatedly_try("/#{db_name}") do |body, response, error| - assert false, "Could not find user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" + def assert_user_db_privileges(user) + db_name = "/user-#{user.id}" + get(couchdb_url(db_name)) do |body, response, error| + code = response.code.to_i + assert code != 404, "Could not find user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" + # After moving to couchdb, webapp user is not allowed to Read user dbs, + # but the return code for non-existent databases is 404. See #7674 + # 401 should come as we aren't supposed to have read privileges on it. + assert code != 200, "Incorrect security settings (design doc) on user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" + assert code == 401, "Unknown error on user db on user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" end end - # - # tries the URL repeatedly, giving up and yield the last response if - # no try returned a 200 http status code. - # - def repeatedly_try(url, &block) - last_body, last_response, last_error = nil - 3.times do - sleep 0.2 - get(couchdb_url(url)) do |body, response, error| - last_body, last_response, last_error = body, response, error - # After moving to couchdb, webapp user is not allowed to Read user dbs, - # but the return code for non-existent databases is 404. See #7674 - if response.code.to_i == 401 - return - end - end - sleep 1 - end - yield last_body, last_response, last_error - return - end - end -- cgit v1.2.3
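Review bot: The single `get` in `assert_user_db_privileges` drops the three-attempt retry that the removed `repeatedly_try` provided, so a 404 returned while the per-user db is still being created fails the test on the first request (whether creation lags behind the client run is not visible in this hunk). `code = response.code.to_i` also runs before any assertion, so if `get` can yield a nil response on a connection error, the test would end in a NoMethodError instead of one of the descriptive messages. A bounded retry on 404 only, with a guard for a missing response, keeps the strict 401 check while avoiding both problems. Separately, the last message repeats "on user db on user db", and the 200 message still refers to "(design doc)" although the previous commit in this series says soledad no longer has design docs.

```ruby
def assert_user_db_privileges(user)
  db_name = "/user-#{user.id}"
  body = response = error = nil
  3.times do
    get(couchdb_url(db_name)) do |b, r, e|
      body, response, error = b, r, e
    end
    # retry only while the db may not exist yet; any other status is final
    break unless response.nil? || response.code.to_i == 404
    sleep 1
  end
  assert !response.nil?, "No response for user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\n#{error}"
  code = response.code.to_i
  # … unchanged: the three asserts on code (404, 200, 401) …
end
```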