summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--app/controllers/v1/smtp_certs_controller.rb21
-rw-r--r--config/routes.rb1
-rw-r--r--test/functional/v1/smtp_certs_controller_test.rb35
-rw-r--r--test/integration/api/smtp_cert_test.rb51
-rw-r--r--test/support/api_integration_test.rb2
5 files changed, 110 insertions, 0 deletions
diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
new file mode 100644
index 0000000..001425d
--- /dev/null
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -0,0 +1,21 @@
+class V1::SmtpCertsController < ApplicationController
+
+ before_filter :require_login
+ before_filter :require_email_account
+
+ # GET /cert
+ def show
+ @cert = ClientCertificate.new prefix: current_user.email_address
+ render text: @cert.to_s, content_type: 'text/plain'
+ end
+
+ protected
+
+ def require_email_account
+ access_denied unless service_level.provides? 'email'
+ end
+
+ def service_level
+ current_user.effective_service_level
+ end
+end
diff --git a/config/routes.rb b/config/routes.rb
index 745b97d..ff2d2cc 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -26,6 +26,7 @@ LeapWeb::Application.routes.draw do
resources :users, :only => [:create, :update, :destroy, :index]
resources :messages, :only => [:index, :update]
resource :cert, :only => [:show]
+ resource :smtp_cert, :only => [:show]
resource :service, :only => [:show]
end
diff --git a/test/functional/v1/smtp_certs_controller_test.rb b/test/functional/v1/smtp_certs_controller_test.rb
new file mode 100644
index 0000000..f9ba26f
--- /dev/null
+++ b/test/functional/v1/smtp_certs_controller_test.rb
@@ -0,0 +1,35 @@
+require 'test_helper'
+
+class V1::SmtpCertsControllerTest < ActionController::TestCase
+
+ test "no smtp cert without login" do
+ with_config allow_anonymous_certs: true do
+ get :show, format: 'json'
+ assert_access_denied
+ end
+ end
+
+ test "require service level with email" do
+ login
+ get :show
+ assert_access_denied
+ end
+
+ test "send cert with username" do
+ login effective_service_level: ServiceLevel.new(id: 2)
+ cert = expect_cert(@current_user.email_address)
+ get :show
+ assert_response :success
+ assert_equal cert.to_s, @response.body
+ end
+
+ protected
+
+ def expect_cert(prefix)
+ cert = stub :to_s => "#{prefix.downcase} cert"
+ ClientCertificate.expects(:new).
+ with(:prefix => prefix).
+ returns(cert)
+ return cert
+ end
+end
diff --git a/test/integration/api/smtp_cert_test.rb b/test/integration/api/smtp_cert_test.rb
new file mode 100644
index 0000000..a579d93
--- /dev/null
+++ b/test/integration/api/smtp_cert_test.rb
@@ -0,0 +1,51 @@
+require 'test_helper'
+require 'openssl'
+
+class SmtpCertTest < ApiIntegrationTest
+
+ test "retrieve smtp cert" do
+ @user = FactoryGirl.create :user, effective_service_level_code: 2
+ login
+ get '/1/smtp_cert', {}, RACK_ENV
+ assert_text_response
+ assert_response_includes "BEGIN RSA PRIVATE KEY"
+ assert_response_includes "END RSA PRIVATE KEY"
+ assert_response_includes "BEGIN CERTIFICATE"
+ assert_response_includes "END CERTIFICATE"
+ end
+
+ test "key matches the cert" do
+ @user = FactoryGirl.create :user, effective_service_level_code: 2
+ login
+ get '/1/smtp_cert', {}, RACK_ENV
+ assert_text_response
+ cert = OpenSSL::X509::Certificate.new(get_response.body)
+ key = OpenSSL::PKey::RSA.new(get_response.body)
+ assert cert.check_private_key(key)
+ end
+
+ # we'll store the fingerprint later.
+ test "fingerprint matches" do
+ @user = FactoryGirl.create :user, effective_service_level_code: 2
+ login
+ get '/1/smtp_cert', {}, RACK_ENV
+ assert_text_response
+ cert = OpenSSL::X509::Certificate.new(get_response.body)
+ fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':')
+ skip "we're not storing the fingerprints yet"
+ assert_equal fingerprint, @user.identity.cert_fingerprints.last
+ end
+
+ test "fetching smtp certs requires email account" do
+ login
+ get '/1/smtp_cert', {}, RACK_ENV
+ assert_json_response error: I18n.t(:not_authorized)
+ end
+
+ test "no anonymous smtp certs" do
+ with_config allow_anonymous_certs: true do
+ get '/1/smtp_cert', {}, RACK_ENV
+ assert_json_response error: I18n.t(:not_authorized)
+ end
+ end
+end
diff --git a/test/support/api_integration_test.rb b/test/support/api_integration_test.rb
index 50c528b..aa9c00d 100644
--- a/test/support/api_integration_test.rb
+++ b/test/support/api_integration_test.rb
@@ -6,6 +6,8 @@ class ApiIntegrationTest < ActionDispatch::IntegrationTest
def login(user = nil)
@user ||= user ||= FactoryGirl.create(:user)
@token ||= DUMMY_TOKEN
+ # make sure @token is up to date if it already exists
+ @token.reload if @token.persisted
@token.user_id = @user.id
@token.last_seen_at = Time.now
@token.save