SmtpCertsController, routes and tests

author: Azul <azul@leap.se> 2014-05-15 11:17:47 +0200
committer: Azul <azul@leap.se> 2014-05-19 14:24:47 +0200
commit: 71dcf3f4e5d423b78b47f675297fc98b28ef3442 (patch)
tree: 7415f1f5825abf2d21b2232ccd1ff820f1f513d2
parent: 5dd6c1529f8f4fc5089c71b0a44e360acaea900d (diff)
5 files changed, 110 insertions, 0 deletions
diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
new file mode 100644
index 0000000..001425d
--- /dev/null
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -0,0 +1,21 @@
+class V1::SmtpCertsController < ApplicationController
+
+  before_filter :require_login
+  before_filter :require_email_account
+
+  # GET /cert
+  def show
+    @cert = ClientCertificate.new prefix: current_user.email_address
+    render text: @cert.to_s, content_type: 'text/plain'
+  end
+
+  protected
+
+  def require_email_account
+    access_denied unless service_level.provides? 'email'
+  end
+
+  def service_level
+    current_user.effective_service_level
+  end
+end
diff --git a/config/routes.rb b/config/routes.rb
index 745b97d..ff2d2cc 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -26,6 +26,7 @@ LeapWeb::Application.routes.draw do
     resources :users, :only => [:create, :update, :destroy, :index]
     resources :messages, :only => [:index, :update]
     resource :cert, :only => [:show]
+    resource :smtp_cert, :only => [:show]
     resource :service, :only => [:show]
   end
 
diff --git a/test/functional/v1/smtp_certs_controller_test.rb b/test/functional/v1/smtp_certs_controller_test.rb
new file mode 100644
index 0000000..f9ba26f
--- /dev/null
+++ b/test/functional/v1/smtp_certs_controller_test.rb
@@ -0,0 +1,35 @@
+require 'test_helper'
+
+class V1::SmtpCertsControllerTest < ActionController::TestCase
+
+  test "no smtp cert without login" do
+    with_config allow_anonymous_certs: true do
+      get :show, format: 'json'
+      assert_access_denied
+    end
+  end
+
+  test "require service level with email" do
+    login
+    get :show
+    assert_access_denied
+  end
+
+  test "send cert with username" do
+    login effective_service_level: ServiceLevel.new(id: 2)
+    cert = expect_cert(@current_user.email_address)
+    get :show
+    assert_response :success
+    assert_equal cert.to_s, @response.body
+  end
+
+  protected
+
+  def expect_cert(prefix)
+    cert = stub :to_s => "#{prefix.downcase} cert"
+    ClientCertificate.expects(:new).
+      with(:prefix => prefix).
+      returns(cert)
+    return cert
+  end
+end
diff --git a/test/integration/api/smtp_cert_test.rb b/test/integration/api/smtp_cert_test.rb
new file mode 100644
index 0000000..a579d93
--- /dev/null
+++ b/test/integration/api/smtp_cert_test.rb
@@ -0,0 +1,51 @@
+require 'test_helper'
+require 'openssl'
+
+class SmtpCertTest < ApiIntegrationTest
+
+  test "retrieve smtp cert" do
+    @user = FactoryGirl.create :user, effective_service_level_code: 2
+    login
+    get '/1/smtp_cert', {}, RACK_ENV
+    assert_text_response
+    assert_response_includes "BEGIN RSA PRIVATE KEY"
+    assert_response_includes "END RSA PRIVATE KEY"
+    assert_response_includes "BEGIN CERTIFICATE"
+    assert_response_includes "END CERTIFICATE"
+  end
+
+  test "key matches the cert" do
+    @user = FactoryGirl.create :user, effective_service_level_code: 2
+    login
+    get '/1/smtp_cert', {}, RACK_ENV
+    assert_text_response
+    cert = OpenSSL::X509::Certificate.new(get_response.body)
+    key = OpenSSL::PKey::RSA.new(get_response.body)
+    assert cert.check_private_key(key)
+  end
+
+  # we'll store the fingerprint later.
+  test "fingerprint matches" do
+    @user = FactoryGirl.create :user, effective_service_level_code: 2
+    login
+    get '/1/smtp_cert', {}, RACK_ENV
+    assert_text_response
+    cert = OpenSSL::X509::Certificate.new(get_response.body)
+    fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':')
+    skip "we're not storing the fingerprints yet"
+    assert_equal fingerprint, @user.identity.cert_fingerprints.last
+  end
+
+  test "fetching smtp certs requires email account" do
+    login
+    get '/1/smtp_cert', {}, RACK_ENV
+    assert_json_response error: I18n.t(:not_authorized)
+  end
+
+  test "no anonymous smtp certs" do
+    with_config allow_anonymous_certs: true do
+      get '/1/smtp_cert', {}, RACK_ENV
+      assert_json_response error: I18n.t(:not_authorized)
+    end
+  end
+end
diff --git a/test/support/api_integration_test.rb b/test/support/api_integration_test.rb
index 50c528b..aa9c00d 100644
--- a/test/support/api_integration_test.rb
+++ b/test/support/api_integration_test.rb
@@ -6,6 +6,8 @@ class ApiIntegrationTest < ActionDispatch::IntegrationTest
   def login(user = nil)
     @user ||= user ||= FactoryGirl.create(:user)
     @token ||= DUMMY_TOKEN
+    # make sure @token is up to date if it already exists
+    @token.reload if @token.persisted
     @token.user_id = @user.id
     @token.last_seen_at = Time.now
     @token.save
author	Azul <azul@leap.se>	2014-05-15 11:17:47 +0200
committer	Azul <azul@leap.se>	2014-05-19 14:24:47 +0200
commit	71dcf3f4e5d423b78b47f675297fc98b28ef3442 (patch)
tree	7415f1f5825abf2d21b2232ccd1ff820f1f513d2
parent	5dd6c1529f8f4fc5089c71b0a44e360acaea900d (diff)