8 files changed, 506 insertions, 0 deletions

diff --git a/test/functional/api/certs_controller_test.rb b/test/functional/api/certs_controller_test.rb
new file mode 100644
index 0000000..25ceb8e
--- /dev/null
+++ b/test/functional/api/certs_controller_test.rb
@@ -0,0 +1,66 @@
+require 'test_helper'
+
+class Api::CertsControllerTest < ApiControllerTest
+
+  test "create unlimited cert without login" do
+    with_config allow_anonymous_certs: true do
+      cert = expect_cert('UNLIMITED')
+      api_post :create
+      assert_response :success
+      assert_equal cert.to_s, @response.body
+    end
+  end
+
+  test "create limited cert" do
+    with_config allow_limited_certs: true do
+      login
+      cert = expect_cert('LIMITED')
+      api_post :create
+      assert_response :success
+      assert_equal cert.to_s, @response.body
+    end
+  end
+
+  test "fail to create cert when disabled" do
+    login :enabled? => false
+    api_post :create
+    assert_access_denied
+  end
+
+  test "create unlimited cert" do
+    login effective_service_level: ServiceLevel.new(id: 2)
+    cert = expect_cert('UNLIMITED')
+    api_post :create
+    assert_response :success
+    assert_equal cert.to_s, @response.body
+  end
+
+  test "GET still works as an alias" do
+    login effective_service_level: ServiceLevel.new(id: 2)
+    cert = expect_cert('UNLIMITED')
+    api_get :show
+    assert_response :success
+    assert_equal cert.to_s, @response.body
+  end
+
+  test "redirect if no eip service offered" do
+    api_post :create
+    assert_response :redirect
+  end
+
+  protected
+
+  def expect_cert(prefix)
+    cert = stub :to_s => "#{prefix.downcase} cert"
+    ClientCertificate.expects(:new).
+      with(:prefix => prefix).
+      returns(cert)
+    return cert
+  end
+
+  # overwrite defaults from ApiController because we don't do json here.
+  def add_api_defaults(args)
+    add_defaults args, version: '2'
+  end
+
+end
diff --git a/test/functional/api/identities_controller_test.rb b/test/functional/api/identities_controller_test.rb
new file mode 100644
index 0000000..57345c8
--- /dev/null
+++ b/test/functional/api/identities_controller_test.rb
@@ -0,0 +1,24 @@
+require_relative '../../test_helper'
+
+class Api::IdentitiesControllerTest < ApiControllerTest
+
+  test "api monitor can fetch identity" do
+    monitor_auth do
+      identity = FactoryGirl.create :identity
+      api_get :show, :id => identity.address, :format => 'json'
+      assert_response :success
+      assert_equal identity, assigns(:identity)
+
+      api_get :show, :id => "blahblahblah", :format => 'json'
+      assert_response :not_found
+    end
+  end
+
+
+  test "anonymous cannot fetch identity" do
+    identity = FactoryGirl.create :identity
+    api_get :show, :id => identity.address, :format => 'json'
+    assert_response :forbidden
+  end
+
+end
diff --git a/test/functional/api/messages_controller_test.rb b/test/functional/api/messages_controller_test.rb
new file mode 100644
index 0000000..e586980
--- /dev/null
+++ b/test/functional/api/messages_controller_test.rb
@@ -0,0 +1,99 @@
+require 'test_helper'
+
+class Api::MessagesControllerTest < ApiControllerTest
+
+  setup do
+    @user = FactoryGirl.build(:user)
+    @user.save
+  end
+
+  # NOTE: the available languages for test are :en and :de
+  # so :es will result in english response.
+
+  test "get the motd" do
+    with_config("customization_directory" => Rails.root+'test/files') do
+      login @user
+      api_get :index, :locale => 'es'
+      body = JSON.parse(response.body)
+      message1 = "<p>\"This\" is a <strong>very</strong> fine message. <a href=\"https://bitmask.net\">https://bitmask.net</a></p>\n"
+      assert_equal 2, body.size, 'there should be two messages'
+      assert_equal message1, body.first["text"], 'first message text should match files/motd/1.en.md'
+    end
+  end
+
+  test "get localized motd" do
+    with_config("customization_directory" => Rails.root+'test/files') do
+      login @user
+      api_get :index, :locale => 'de'
+      body = JSON.parse(response.body)
+      message1 = "<p>Dies ist eine sehr feine Nachricht. <a href=\"https://bitmask.net\">https://bitmask.net</a></p>\n"
+      assert_equal message1, body.first["text"], 'first message text should match files/motd/1.de.md'
+    end
+  end
+
+  test "get empty motd" do
+    login @user
+    api_get :index
+    assert_equal "[]", response.body, "motd response should be empty if no motd directory exists"
+  end
+
+  ##
+  ## For now, only the static file MOTD is supported, not messages in the db.
+  ## so, this is disabled:
+  ##
+=begin
+  setup do
+    InviteCodeValidator.any_instance.stubs(:validate)
+    @user = FactoryGirl.build(:user)
+    @user.save
+    @message = Message.new(:text => 'a test message')
+    @message.user_ids_to_show << @user.id
+    @message.save
+  end
+
+  teardown do
+    @message.destroy
+    @user.destroy
+  end
+
+  test "get messages for user" do
+    login @user
+    api_get :index
+    assert response.body.include? @message.text
+    assert response.body.include? @message.id
+  end
+
+  test "mark message read for user" do
+    login @user
+    assert @message.user_ids_to_show.include?(@user.id)
+    assert !@message.user_ids_have_shown.include?(@user.id)
+    put :update, :id => @message.id
+    @message.reload
+    assert !@message.user_ids_to_show.include?(@user.id)
+    assert @message.user_ids_have_shown.include?(@user.id)
+    assert_success :marked_as_read
+  end
+
+  test "do not get seen messages" do
+    login @user
+    put :update, :id => @message.id
+    @message.reload
+    api_get :index
+    assert !(response.body.include? @message.text)
+    assert !(response.body.include? @message.id)
+  end
+
+
+  test "mark read responds even with bad inputs" do
+    login @user
+    put :update, :id => 'more nonsense'
+    assert_not_found
+ end
+
+  test "fails if not authenticated" do
+    api_get :index, :format => :json
+    assert_login_required
+  end
+=end
+
+end
diff --git a/test/functional/api/services_controller_test.rb b/test/functional/api/services_controller_test.rb
new file mode 100644
index 0000000..cb85edf
--- /dev/null
+++ b/test/functional/api/services_controller_test.rb
@@ -0,0 +1,28 @@
+require 'test_helper'
+
+class Api::ServicesControllerTest < ApiControllerTest
+
+  test "anonymous user gets login required service info" do
+    api_get :show, format: :json
+    assert_json_response error: 'not_authorized_login',
+      message: 'Please log in to perform that action.'
+  end
+
+  test "anonymous user gets vpn service info" do
+    with_config allow_anonymous_certs: true do
+      api_get :show, format: :json
+      assert_json_response name: 'anonymous',
+        eip_rate_limit: false,
+        description: 'anonymous access to the VPN'
+    end
+  end
+
+  test "user can see their service info" do
+    login
+    api_get :show, format: :json
+    default_level = APP_CONFIG[:default_service_level]
+    assert_json_response APP_CONFIG[:service_levels][default_level]
+  end
+
+end
+
diff --git a/test/functional/api/sessions_controller_test.rb b/test/functional/api/sessions_controller_test.rb
new file mode 100644
index 0000000..06a3c22
--- /dev/null
+++ b/test/functional/api/sessions_controller_test.rb
@@ -0,0 +1,63 @@
+require 'test_helper'
+
+# This is a simple controller unit test.
+# We're stubbing out both warden and srp.
+# There's an integration test testing the full rack stack and srp
+class Api::SessionsControllerTest < ApiControllerTest
+
+  setup do
+    @request.env['HTTP_HOST'] = 'api.lvh.me'
+    @user = stub_record :user, {}, true
+    @client_hex = 'a123'
+  end
+
+  test "renders json" do
+    api_get :new, :format => :json
+    assert_response :success
+    assert_json_error nil
+  end
+
+  test "renders warden errors" do
+    request.env['warden.options'] = {attempted_path: 'path/to/controller'}
+    strategy = stub :message => {:field => :translate_me}
+    request.env['warden'].stubs(:winning_strategy).returns(strategy)
+    I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub")
+    api_get :new, :format => :json
+    assert_response 422
+    assert_json_error :field => "translation stub"
+  end
+
+  # Warden takes care of parsing the params and
+  # rendering the response. So not much to test here.
+  test "should perform handshake" do
+    request.env['warden'].expects(:authenticate!)
+    # make sure we don't get a template missing error:
+    @controller.stubs(:render)
+    api_post :create, :login => @user.login, 'A' => @client_hex
+  end
+
+  test "should authenticate" do
+    request.env['warden'].expects(:authenticate!)
+    @controller.stubs(:current_user).returns(@user)
+    handshake = stub(:to_hash => {h: "ash"})
+    session[:handshake] = handshake
+
+    api_post :update, :id => @user.login, :client_auth => @client_hex
+
+    assert_nil session[:handshake],
+      'session should be cleared to prevent session fixation attacks'
+    assert_response :success
+    assert json_response.keys.include?("id")
+    assert json_response.keys.include?("token")
+    assert token = Token.find_by_token(json_response['token'])
+    assert_equal @user.id, token.user_id
+  end
+
+  test "destroy should logout" do
+    login
+    expect_logout
+    api_delete :destroy
+    assert_response 204
+  end
+
+end
diff --git a/test/functional/api/smtp_certs_controller_test.rb b/test/functional/api/smtp_certs_controller_test.rb
new file mode 100644
index 0000000..393f090
--- /dev/null
+++ b/test/functional/api/smtp_certs_controller_test.rb
@@ -0,0 +1,43 @@
+require 'test_helper'
+
+class Api::SmtpCertsControllerTest < ApiControllerTest
+
+  test "no smtp cert without login" do
+    with_config allow_anonymous_certs: true do
+      api_post :create
+      assert_login_required
+    end
+  end
+
+  test "require service level with email" do
+    login
+    api_post :create
+    assert_access_denied
+  end
+
+  test "send cert with username" do
+    login effective_service_level: ServiceLevel.new(id: 2)
+    cert = expect_cert(@current_user.email_address)
+    cert.expects(:fingerprint).returns('fingerprint')
+    api_post :create
+    assert_response :success
+    assert_equal cert.to_s, @response.body
+  end
+
+  test "fail to create cert when disabled" do
+    login :enabled? => false
+    api_post :create
+    assert_access_denied
+  end
+
+  protected
+
+  def expect_cert(email)
+    cert = stub to_s: "#{email.downcase} cert",
+      expiry: 1.month.from_now.utc.at_midnight
+    ClientCertificate.expects(:new).
+      with(:common_name => email).
+      returns(cert)
+    return cert
+  end
+end
diff --git a/test/functional/api/token_auth_test.rb b/test/functional/api/token_auth_test.rb
new file mode 100644
index 0000000..c7f91c7
--- /dev/null
+++ b/test/functional/api/token_auth_test.rb
@@ -0,0 +1,40 @@
+#
+# tests for authenticating an admin or monitor user
+# via static configured tokens.
+#
+
+require 'test_helper'
+
+class Api::TokenAuthTest < ApiControllerTest
+  tests Api::ConfigsController
+
+  def test_login_via_api_token
+    with_config(:allow_anonymous_certs => false) do
+      monitor_auth do
+        api_get :index
+        assert assigns(:token), 'should have authenticated via api token'
+        assert assigns(:token).is_a? ApiToken
+        assert @controller.send(:current_user).is_a? ApiMonitorUser
+      end
+    end
+  end
+
+  def test_fail_api_auth_when_ip_not_allowed
+    with_config(:allow_anonymous_certs => false) do
+      allowed = "99.99.99.99"
+      new_config = {api_tokens: APP_CONFIG["api_tokens"].merge(allowed_ips: [allowed])}
+      with_config(new_config) do
+        monitor_auth do
+          request.env['REMOTE_ADDR'] = "1.1.1.1"
+          api_get :index
+          assert_nil assigns(:token), "should not be able to auth with api token when ip restriction doesn't allow it"
+          request.env['REMOTE_ADDR'] = allowed
+          api_get :index
+          assert assigns(:token), "should have authenticated via api token"
+        end
+      end
+    end
+  end
+
+end
+
diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb
new file mode 100644
index 0000000..b69770d
--- /dev/null
+++ b/test/functional/api/users_controller_test.rb
@@ -0,0 +1,143 @@
+require 'test_helper'
+
+class Api::UsersControllerTest < ApiControllerTest
+
+  test "user can change settings" do
+    user = find_record :user
+    changed_attribs = record_attributes_for :user_with_settings
+    account_settings = stub
+    account_settings.expects(:update).with(changed_attribs)
+    Account.expects(:new).with(user).returns(account_settings)
+
+    login user
+    api_put :update, :user => changed_attribs, :id => user.id, :format => :json
+
+    assert_equal user, assigns[:user]
+    assert_response 204
+    assert @response.body.blank?, "Response should be blank"
+  end
+
+  test "admin can update user" do
+    user = find_record :user
+    changed_attribs = record_attributes_for :user_with_settings
+    account_settings = stub
+    account_settings.expects(:update).with(changed_attribs)
+    Account.expects(:new).with(user).returns(account_settings)
+
+    login :is_admin? => true
+    api_put :update, :user => changed_attribs, :id => user.id, :format => :json
+
+    assert_equal user, assigns[:user]
+    assert_response 204
+  end
+
+  test "user cannot update other user" do
+    user = find_record :user
+    login
+    api_put :update, id: user.id,
+      user: record_attributes_for(:user_with_settings),
+      :format => :json
+    assert_access_denied
+  end
+
+  test "should create new user" do
+    user_attribs = record_attributes_for :user
+    user = User.new(user_attribs)
+    Account.expects(:create).with(user_attribs).returns(user)
+
+    api_post :create, :user => user_attribs, :format => :json
+
+    assert_nil session[:user_id]
+    assert_json_response user
+    assert_response :success
+  end
+
+  test "should redirect to signup form on failed attempt" do
+    user_attribs = record_attributes_for :user
+    user_attribs.slice!('login')
+    user = User.new(user_attribs)
+    assert !user.valid?
+    Account.expects(:create).with(user_attribs).returns(user)
+
+    api_post :create, :user => user_attribs, :format => :json
+
+    assert_json_error user.errors.messages
+    assert_response 422
+  end
+
+  test "admin can autocomplete users" do
+    login :is_admin? => true
+    api_get :index, :query => 'a', :format => :json
+
+    assert_response :success
+    assert assigns(:users)
+  end
+
+  test "create returns forbidden if registration is closed" do
+    user_attribs = record_attributes_for :user
+    with_config(allow_registration: false) do
+      api_post :create, :user => user_attribs, :format => :json
+      assert_response :forbidden
+    end
+  end
+
+  test "admin can show user" do
+    user = FactoryGirl.create :user
+    login :is_admin? => true
+    api_get :show, :id => 0, :login => user.login, :format => :json
+    assert_response :success
+    assert_json_response user.to_hash
+    api_get :show, :id => user.id, :format => :json
+    assert_response :success
+    assert_json_response user.to_hash
+    api_get :show, :id => "0", :format => :json
+    assert_response :not_found
+  end
+
+  test "admin can show is_admin property" do
+    user = FactoryGirl.create :user, login: "admin2"
+    login user
+    api_get :show, :id => user.id, :format => :json
+    assert_response :success
+    assert_json_response user.to_hash.merge(:is_admin => true)
+  end
+
+  test "normal users cannot show user" do
+    user = find_record :user
+    login
+    api_get :show, :id => 0, :login => user.login, :format => :json
+    assert_access_denied
+  end
+
+  test "api monitor auth can create and destroy test users" do
+    # should work even with registration off and/or invites required
+    with_config(allow_registration: false, invite_required: true) do
+      monitor_auth do
+        user_attribs = record_attributes_for :test_user
+        api_post :create, :user => user_attribs, :format => :json
+        assert_response :success
+        api_delete :destroy, :id => assigns(:user).id, :format => :json
+        assert_response :success
+      end
+    end
+  end
+
+  test "api monitor auth cannot create normal users" do
+    monitor_auth do
+      user_attribs = record_attributes_for :user
+      api_post :create, :user => user_attribs, :format => :json
+      assert_response :forbidden
+    end
+  end
+
+  test "api monitor auth cannot api_delete normal users" do
+    api_post :create, :user => record_attributes_for(:user), :format => :json
+    assert_response :success
+    normal_user_id = assigns(:user).id
+    monitor_auth do
+      api_delete :destroy, :id => normal_user_id, :format => :json
+      assert_response :forbidden
+    end
+  end
+
+end