-rw-r--r-- | certs/app/controllers/certs_controller.rb | 43 | ||||
-rw-r--r-- | certs/app/models/client_certificate.rb | 6 | ||||
-rw-r--r-- | certs/test/functional/certs_controller_test.rb | 40 | ||||
-rw-r--r-- | certs/test/unit/client_certificate_test.rb | 12 | ||||
-rw-r--r-- | config/defaults.yml | 7 | ||||
-rw-r--r-- | users/config/locales/en.yml | 3 | ||||
-rw-r--r-- | users/lib/warden/strategies/secure_remote_password.rb | 4 | ||||
-rw-r--r-- | users/test/integration/api/Readme.md | 2 | ||||
-rw-r--r-- | users/test/integration/api/account_flow_test.rb | 4 |
9 files changed, 78 insertions, 43 deletions
diff --git a/certs/app/controllers/certs_controller.rb b/certs/app/controllers/certs_controller.rb
index 977e03e..62ef3fd 100644
--- a/certs/app/controllers/certs_controller.rb
+++ b/certs/app/controllers/certs_controller.rb
@@ -1,16 +1,51 @@
 class CertsController < ApplicationController
-  before_filter :logged_in_or_free_certs
+  before_filter :login_if_required
 
   # GET /cert
   def show
-    @cert = ClientCertificate.new(free: !logged_in?)
+    @cert = ClientCertificate.new(:prefix => certificate_prefix)
     render text: @cert.to_s, content_type: 'text/plain'
   end
 
   protected
 
-  def logged_in_or_free_certs
-    authorize unless APP_CONFIG[:free_certs_enabled]
+  def login_if_required
+    authorize unless APP_CONFIG[:allow_anonymous_certs]
+  end
+
+  #
+  # this is some temporary logic until we store the service level in the user db.
+  #
+  # better logic might look like this:
+  #
+  # if logged_in?
+  #   service_level = user.service_level
+  # elsif allow_anonymous?
+  #   service_level = service_levels[:anonymous]
+  # else
+  #   service_level = nil
+  # end
+  #
+  # if service_level.bandwidth == 'limited' && allow_limited?
+  #   prefix = limited
+  # elsif allow_unlimited?
+  #   prefix = unlimited
+  # else
+  #   prefix = nil
+  # end
+  #
+  def certificate_prefix
+    if logged_in?
+      if APP_CONFIG[:allow_unlimited_certs]
+        APP_CONFIG[:unlimited_cert_prefix]
+      elsif APP_CONFIG[:allow_limited_certs]
+        APP_CONFIG[:limited_cert_prefix]
+      end
+    elsif !APP_CONFIG[:allow_limited_certs]
+      APP_CONFIG[:unlimited_cert_prefix]
+    else
+      APP_CONFIG[:limited_cert_prefix]
+    end
   end
 end
diff --git a/certs/app/models/client_certificate.rb b/certs/app/models/client_certificate.rb
index 13e0318..76b07a2 100644
--- a/certs/app/models/client_certificate.rb
+++ b/certs/app/models/client_certificate.rb
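Review bot: In `certificate_prefix` the anonymous branch (`elsif !APP_CONFIG[:allow_limited_certs]`) hands out `APP_CONFIG[:unlimited_cert_prefix]` without ever consulting `allow_unlimited_certs`, so a deployment that enables `allow_anonymous_certs` but disables both cert kinds would still issue unlimited-prefixed certificates to unauthenticated clients, which is the opposite of what the author's own sketch in the comment above the method describes. The anonymous path should mirror the logged-in one and fall through to nil when neither kind is enabled, as below. A nil prefix still reaches `ClientCertificate.new` and, judging by the model change in this same commit, yields an unprefixed certificate instead of a refusal, so `show` should presumably reject the request when the prefix is nil rather than issue a certificate with no service-level marker. The method also deserves a one-line contract above the sketch, e.g. `# Returns the CN prefix for the requesting client, or nil when no certificate kind is enabled for it.`
```ruby
  def certificate_prefix
    if logged_in?
      # … unchanged: logged-in prefix selection …
    elsif APP_CONFIG[:allow_limited_certs]
      APP_CONFIG[:limited_cert_prefix]
    elsif APP_CONFIG[:allow_unlimited_certs]
      APP_CONFIG[:unlimited_cert_prefix]
    end
  end
```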
@@ -21,7 +21,7 @@ class ClientCertificate
     cert = CertificateAuthority::Certificate.new
 
     # set subject
-    cert.subject.common_name = common_name(options[:free])
+    cert.subject.common_name = common_name(options[:prefix])
 
     # set expiration
     cert.not_before = yesterday
@@ -65,8 +65,8 @@ class ClientCertificate
     Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16)
   end
 
-  def common_name(for_free_cert = false)
-    (for_free_cert ? APP_CONFIG[:free_cert_prefix] : '') + random_common_name
+  def common_name(prefix = nil)
+    [prefix, random_common_name].join
   end
 
   #
diff --git a/certs/test/functional/certs_controller_test.rb b/certs/test/functional/certs_controller_test.rb
index 7826dd6..503e74b 100644
--- a/certs/test/functional/certs_controller_test.rb
+++ b/certs/test/functional/certs_controller_test.rb
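Review bot: `common_name(prefix = nil)` now joins whatever arrives in `options[:prefix]` onto the CN with no documentation of the contract, in particular that nil produces an unprefixed name; add a header such as `# CN for a new client certificate: the configured service-level prefix, if any, followed by a random name. A nil prefix yields an unprefixed CN.` Since the prefix is apparently what the rest of the system reads back to tell service levels apart, it would also be worth rejecting values other than the configured limited/unlimited prefixes (or nil) rather than accepting an arbitrary string, though the only caller visible in this commit is the controller. Separately, the context line `Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16)` shows the random part of the CN coming from `Kernel#rand` and the wall clock; that predates this change, but `SecureRandom.hex` would make the names unpredictable. The `random_common_name` definition and the method containing the first hunk both start outside their hunks.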
@@ -2,35 +2,39 @@ require 'test_helper'
 
 class CertsControllerTest < ActionController::TestCase
 
-  test "send free cert without login" do
-    cert = stub :to_s => "free cert"
-    ClientCertificate.expects(:new).with(free: true).returns(cert)
-    get :show
-    assert_response :success
-    assert_equal cert.to_s, @response.body
+  test "send limited cert without login" do
+    with_config allow_limited_certs: true, allow_anonymous_certs: true do
+      cert = stub :to_s => "limited cert"
+      ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:limited_cert_prefix]).returns(cert)
+      get :show
+      assert_response :success
+      assert_equal cert.to_s, @response.body
+    end
   end
 
-  test "send cert" do
-    login
-    cert = stub :to_s => "real cert"
-    ClientCertificate.expects(:new).with(free: false).returns(cert)
-    get :show
-    assert_response :success
-    assert_equal cert.to_s, @response.body
+  test "send unlimited cert" do
+    with_config allow_unlimited_certs: true do
+      login
+      cert = stub :to_s => "unlimited cert"
+      ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:unlimited_cert_prefix]).returns(cert)
+      get :show
+      assert_response :success
+      assert_equal cert.to_s, @response.body
+    end
   end
 
-  test "login required if free certs disabled" do
-    with_config free_certs_enabled: false do
+  test "login required if anonymous certs disabled" do
+    with_config allow_anonymous_certs: false do
       get :show
       assert_response :redirect
     end
   end
 
-  test "get paid cert if free certs disabled" do
-    with_config free_certs_enabled: false do
+  test "send limited cert" do
+    with_config allow_limited_certs: true, allow_unlimited_certs: false do
       login
       cert = stub :to_s => "real cert"
-      ClientCertificate.expects(:new).with(free: false).returns(cert)
+      ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:limited_cert_prefix]).returns(cert)
       get :show
       assert_response :success
       assert_equal cert.to_s, @response.body
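Review bot: The new tests cover anonymous+limited and logged-in+unlimited/limited, but not the remaining branches of `certificate_prefix` that this commit introduces: an anonymous client with `allow_limited_certs: false` (which the controller resolves to the unlimited prefix regardless of `allow_unlimited_certs`), and a logged-in client with both kinds disabled (prefix nil). Both are the cases where a misconfiguration would hand out the wrong certificate, so they are the ones most worth pinning; the first can follow the existing pattern as below, and the second would expect `ClientCertificate.expects(:new).with(:prefix => nil)` (or a non-success response, if the controller is changed to refuse). `with_config` is presumably a helper from `test_helper` that restores `APP_CONFIG` afterwards; if it does not, the flags set here leak into later tests. The final "send limited cert" test's closing `end`s lie outside the hunk.
```ruby
  test "send unlimited cert without login if limited certs disabled" do
    with_config allow_limited_certs: false, allow_anonymous_certs: true do
      cert = stub :to_s => "unlimited cert"
      ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:unlimited_cert_prefix]).returns(cert)
      get :show
      assert_response :success
      assert_equal cert.to_s, @response.body
    end
  end
```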
diff --git a/certs/test/unit/client_certificate_test.rb b/certs/test/unit/client_certificate_test.rb
index abb5560..036e724 100644
--- a/certs/test/unit/client_certificate_test.rb
+++ b/certs/test/unit/client_certificate_test.rb
@@ -9,18 +9,12 @@ class ClientCertificateTest < ActiveSupport::TestCase
     assert sample.to_s
   end
 
-  test "free cert has configured prefix" do
-    sample = ClientCertificate.new(free: true)
-    prefix = APP_CONFIG[:free_cert_prefix]
+  test "cert has configured prefix" do
+    prefix = "PREFIX"
+    sample = ClientCertificate.new(:prefix => prefix)
     assert sample.cert.subject.common_name.starts_with?(prefix)
   end
 
-  test "real cert has no free cert prefix" do
-    sample = ClientCertificate.new
-    prefix = APP_CONFIG[:free_cert_prefix]
-    assert !sample.cert.subject.common_name.starts_with?(prefix)
-  end
-
   test "cert issuer matches ca subject" do
     sample = ClientCertificate.new
     cert = OpenSSL::X509::Certificate.new(sample.cert.to_pem)
diff --git a/config/defaults.yml b/config/defaults.yml
index d0fb52f..cca827a 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -7,8 +7,11 @@ cert_options: &cert_options
   client_cert_lifespan: 2
   client_cert_bit_size: 2024
   client_cert_hash: "SHA256"
-  free_certs_enabled: true
-  free_cert_prefix: "FREE"
+  allow_limited_certs: false
+  allow_unlimited_certs: true
+  allow_anonymous_certs: false
+  limited_cert_prefix: "LIMITED"
+  unlimited_cert_prefix: "UNLIMITED"
 
 development:
   <<: *dev_ca
diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml
index 1b2789e..9e7d4b2 100644
--- a/users/config/locales/en.yml
+++ b/users/config/locales/en.yml
@@ -5,8 +5,7 @@ en:
     cancel: "Cancel"
     login: "Login"
     login_message: "Please login with your account."
-    wrong_password: "wrong password"
-    user_not_found: "could not be found"
+    invalid_user_pass: "Not a valid username/password combination"
     update_login_and_password: "Update Login and Password"
     cancel_account: "Cancel your account"
     remove_account: "Remove Account"
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb
index 363e6a0..f1b1a57 100644
--- a/users/lib/warden/strategies/secure_remote_password.rb
+++ b/users/lib/warden/strategies/secure_remote_password.rb
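Review bot: Dropping "real cert has no free cert prefix" leaves no assertion that a `ClientCertificate.new` with no prefix option produces a CN that carries neither service-level marker, and the replacement test with `prefix = "PREFIX"` passes for any string because `common_name` simply joins its argument, so a regression that always prepended a prefix would go unnoticed. A negative test is three lines and fits the existing style: `sample = ClientCertificate.new`, `assert !sample.cert.subject.common_name.starts_with?(APP_CONFIG[:limited_cert_prefix])`, `assert !sample.cert.subject.common_name.starts_with?(APP_CONFIG[:unlimited_cert_prefix])`. It would also be worth a test that `ClientCertificate.new(:prefix => nil)` behaves the same as passing no option, since that is what the controller sends when no certificate kind is enabled. The test whose `assert sample.to_s` opens the hunk starts outside it.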
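Review bot: The three new `allow_*` flags interact in a way that is not obvious from their names — with `allow_anonymous_certs: true`, the controller in this commit gives unauthenticated clients the limited prefix when `allow_limited_certs` is true and the unlimited prefix otherwise, and a logged-in user gets no prefix at all when both kinds are disabled — and the defaults file is where an operator will read about them, so each flag should carry a comment. Something like `# allow_anonymous_certs: issue certificates without a login. Such clients receive limited_cert_prefix when allow_limited_certs is true, otherwise unlimited_cert_prefix (see CertsController#certificate_prefix).` above `allow_anonymous_certs`, with a one-liner on each of the other two. The shipped default of `allow_anonymous_certs: false` is the safe one; a comment saying so will discourage flipping it casually. Unrelated to this change, the context line `client_cert_bit_size: 2024` looks like a typo for 2048 and is worth a separate fix.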
diff --git a/users/lib/warden/strategies/secure_remote_password.rb b/users/lib/warden/strategies/secure_remote_password.rb index 363e6a0..f1b1a57 100644 --- a/users/lib/warden/strategies/secure_remote_password.rb +++ b/users/lib/warden/strategies/secure_remote_password.rb @@ -28,7 +28,7 @@ module Warden if client = validate success!(User.find_by_login(client.username)) else - fail!(:password => "wrong_password") + fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"}) end end @@ -44,7 +44,7 @@ module Warden session[:handshake] = SRP::Session.new(client, params['A'].hex) custom! json_response(session[:handshake]) else - fail! :login => "user_not_found" + fail!({:login => "invalid_user_pass", :password => "invalid_user_pass"}) end end diff --git a/users/test/integration/api/Readme.md b/users/test/integration/api/Readme.md index 3a91f3d..04363bd 100644 --- a/users/test/integration/api/Readme.md +++ b/users/test/integration/api/Readme.md @@ -19,5 +19,5 @@ POST: http://localhost:9292/sessions -> {"B":"1778367531e93a4c7713c76f67649f35a4211ebc520926ae8c3848cd66171651"} PUT: http://localhost:9292/sessions/SWQ055 {"M": "123ABC"} - -> {"field":"password","error":"wrong password"} + -> {"errors":[{"login":"Not a valid username/password combination"},{"password":"Not a valid username/password combination"}]} ``` diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index 314d71a..e618541 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb 
@@ -75,7 +75,7 @@ class AccountFlowTest < ActiveSupport::TestCase
   test "signup and wrong password login attempt" do
     srp = SRP::Client.new @login, :password => "wrong password"
     server_auth = srp.authenticate(self)
-    assert_json_error :password => "wrong password"
+    assert_json_error({:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"})
     assert !last_response.successful?
     assert_nil server_auth["M2"]
   end
@@ -86,7 +86,7 @@ class AccountFlowTest < ActiveSupport::TestCase
     assert_raises RECORD_NOT_FOUND do
       server_auth = srp.authenticate(self)
     end
-    assert_json_error :login => "could not be found"
+    assert_json_error({:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"})
     assert !last_response.successful?
     assert_nil server_auth
   end
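Review bot: The expected error hash is spelled out as four copies of the same long literal across this hunk and the one at line 86, duplicating a string that also lives in `en.yml`; one wording tweak in the locale file will then break both tests for no behavioural reason. A class-level constant at the top of the test, e.g. `INVALID_CREDENTIALS = {:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"}.freeze`, followed by `assert_json_error INVALID_CREDENTIALS` in both places, keeps the intent visible and the literal in one spot; resolving it through the locale (`I18n.t`) would be better still if that lookup is available in this test and the key's scope under `en:` is known, which the diff does not show. The test that contains the line-86 hunk begins outside it.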