From 1241cb8f13e6d0752b67521e8385b62d7fbcc882 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 15 May 2014 10:40:21 +0200 Subject: basic integration test for cert API --- test/integration/api/cert_test.rb | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 test/integration/api/cert_test.rb (limited to 'test/integration') diff --git a/test/integration/api/cert_test.rb b/test/integration/api/cert_test.rb new file mode 100644 index 0000000..74d439a --- /dev/null +++ b/test/integration/api/cert_test.rb @@ -0,0 +1,30 @@ +require 'test_helper' + +class CertTest < ApiIntegrationTest + + test "retrieve eip cert" do + login + get '/1/cert', {}, RACK_ENV + assert_text_response + assert_response_includes "BEGIN RSA PRIVATE KEY" + assert_response_includes "END RSA PRIVATE KEY" + assert_response_includes "BEGIN CERTIFICATE" + assert_response_includes "END CERTIFICATE" + end + + test "fetching certs requires login by default" do + get '/1/cert', {}, RACK_ENV + assert_json_response error: I18n.t(:not_authorized) + end + + test "retrieve anonymous eip cert" do + with_config allow_anonymous_certs: true do + get '/1/cert', {}, RACK_ENV + assert_text_response + assert_response_includes "BEGIN RSA PRIVATE KEY" + assert_response_includes "END RSA PRIVATE KEY" + assert_response_includes "BEGIN CERTIFICATE" + assert_response_includes "END CERTIFICATE" + end + end +end -- cgit v1.2.3 From 71dcf3f4e5d423b78b47f675297fc98b28ef3442 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 15 May 2014 11:17:47 +0200 Subject: SmtpCertsController, routes and tests --- test/integration/api/smtp_cert_test.rb | 51 ++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 test/integration/api/smtp_cert_test.rb (limited to 'test/integration') diff --git a/test/integration/api/smtp_cert_test.rb b/test/integration/api/smtp_cert_test.rb new file mode 100644 index 0000000..a579d93 --- /dev/null +++ b/test/integration/api/smtp_cert_test.rb 
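Review bot: The `fetching certs requires login by default` test checks only the JSON error body, so a controller that rendered the error text with a 200 would still pass; add the status assertion next to it, e.g. `assert_response :unauthorized` (the exact status the controller uses is not visible in this hunk). The two success cases only grep for PEM markers: the body carries a private key plus a certificate, and nothing verifies they belong together, which `cert = OpenSSL::X509::Certificate.new(get_response.body)` / `key = OpenSSL::PKey::RSA.new(get_response.body)` / `assert cert.check_private_key(key)` would pin, as the smtp test elsewhere on this page does. Since `allow_anonymous_certs` hands a private key to unauthenticated callers by design, it is also worth asserting in that test that two consecutive requests do not return the same key, assuming the server mints a fresh key per request — I cannot tell that from the hunk.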
@@ -0,0 +1,51 @@ +require 'test_helper' +require 'openssl' + +class SmtpCertTest < ApiIntegrationTest + + test "retrieve smtp cert" do + @user = FactoryGirl.create :user, effective_service_level_code: 2 + login + get '/1/smtp_cert', {}, RACK_ENV + assert_text_response + assert_response_includes "BEGIN RSA PRIVATE KEY" + assert_response_includes "END RSA PRIVATE KEY" + assert_response_includes "BEGIN CERTIFICATE" + assert_response_includes "END CERTIFICATE" + end + + test "key matches the cert" do + @user = FactoryGirl.create :user, effective_service_level_code: 2 + login + get '/1/smtp_cert', {}, RACK_ENV + assert_text_response + cert = OpenSSL::X509::Certificate.new(get_response.body) + key = OpenSSL::PKey::RSA.new(get_response.body) + assert cert.check_private_key(key) + end + + # we'll store the fingerprint later. + test "fingerprint matches" do + @user = FactoryGirl.create :user, effective_service_level_code: 2 + login + get '/1/smtp_cert', {}, RACK_ENV + assert_text_response + cert = OpenSSL::X509::Certificate.new(get_response.body) + fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':') + skip "we're not storing the fingerprints yet" + assert_equal fingerprint, @user.identity.cert_fingerprints.last + end + + test "fetching smtp certs requires email account" do + login + get '/1/smtp_cert', {}, RACK_ENV + assert_json_response error: I18n.t(:not_authorized) + end + + test "no anonymous smtp certs" do + with_config allow_anonymous_certs: true do + get '/1/smtp_cert', {}, RACK_ENV + assert_json_response error: I18n.t(:not_authorized) + end + end +end -- cgit v1.2.3 From 17b67aeda81dee2273ce1161ac7292a328c3efaa Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 15 May 2014 16:29:49 +0200 Subject: store cert fingerprint with main user identity --- test/integration/api/smtp_cert_test.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'test/integration') 
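Review bot: The two `not_authorized` cases (`fetching smtp certs requires email account`, `no anonymous smtp certs`) assert only the JSON body and never that the request had no side effect; since this endpoint mints a certificate and, per the skipped test, is meant to record a fingerprint on the identity, a controller that authorized after issuing would still pass. Add `assert_response :unauthorized` (exact status not visible here) and, once fingerprints are stored, an assertion that the identity's fingerprint list is still empty. The `requires email account` case relies on the `login` helper's default user lacking `effective_service_level_code: 2`, which is an implicit factory assumption; creating that user explicitly with a non-email service level would make the negative case self-describing. The SHA-1 colon-hex `fingerprint` mirrors whatever the server stores, so a comment such as `# must match the fingerprint format stored server-side` would tell the next person why the test pins the algorithm.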
diff --git a/test/integration/api/smtp_cert_test.rb b/test/integration/api/smtp_cert_test.rb index a579d93..4f0f4a6 100644 --- a/test/integration/api/smtp_cert_test.rb +++ b/test/integration/api/smtp_cert_test.rb @@ -14,7 +14,7 @@ class SmtpCertTest < ApiIntegrationTest assert_response_includes "END CERTIFICATE" end - test "key matches the cert" do + test "cert and key" do @user = FactoryGirl.create :user, effective_service_level_code: 2 login get '/1/smtp_cert', {}, RACK_ENV @@ -22,17 +22,17 @@ class SmtpCertTest < ApiIntegrationTest cert = OpenSSL::X509::Certificate.new(get_response.body) key = OpenSSL::PKey::RSA.new(get_response.body) assert cert.check_private_key(key) + prefix = "/CN=#{@user.email_address}" + assert_equal prefix, cert.subject.to_s.slice(0,prefix.size) end - # we'll store the fingerprint later. - test "fingerprint matches" do + test "fingerprint is stored with identity" do @user = FactoryGirl.create :user, effective_service_level_code: 2 login get '/1/smtp_cert', {}, RACK_ENV assert_text_response cert = OpenSSL::X509::Certificate.new(get_response.body) fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':') - skip "we're not storing the fingerprints yet" assert_equal fingerprint, @user.identity.cert_fingerprints.last end -- cgit v1.2.3 From 3a84578cf33685800c9216cfb4da12ea1fb0032f Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 19 May 2014 15:07:02 +0200 Subject: store fingerprints with timestamp Only storing the date as that should suffice for normal expiry and is less useful for identifying users by timestamps --- test/integration/api/smtp_cert_test.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/api/smtp_cert_test.rb b/test/integration/api/smtp_cert_test.rb index 4f0f4a6..992249b 100644 --- a/test/integration/api/smtp_cert_test.rb +++ b/test/integration/api/smtp_cert_test.rb 
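Review bot: The subject check added to `cert and key` only compares a prefix of `cert.subject.to_s`, so a subject like `/CN=alice@example.orgX`, or the address followed by extra characters, would still pass; compare the CN attribute exactly instead: `cn = cert.subject.to_a.assoc('CN')` then `assert_equal @user.email_address, cn[1]` (`to_a` yields `[name, value, type]` triples). The CN is presumably what the mail service uses to tie the client certificate to the account, so an exact match is the security-relevant property here. The `fingerprint` line pins SHA-1 as the identifier stored with the identity; that is fine for matching an issued cert, but it means a later move to SHA-256 has to change test and server together.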
@@ -33,7 +33,8 @@ class SmtpCertTest < ApiIntegrationTest assert_text_response cert = OpenSSL::X509::Certificate.new(get_response.body) fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':') - assert_equal fingerprint, @user.identity.cert_fingerprints.last + today = DateTime.now.to_date.to_s + assert_equal({fingerprint => today}, @user.identity.cert_fingerprints) end test "fetching smtp certs requires email account" do -- cgit v1.2.3 From 00d5adc90ccadc7f4a2a0d54a5a31a1ad02f05be Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 26 May 2014 09:31:36 +0200 Subject: change from GET to POST for certs We create them. let's reflect that in the verb. --- test/integration/api/smtp_cert_test.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'test/integration') diff --git a/test/integration/api/smtp_cert_test.rb b/test/integration/api/smtp_cert_test.rb index 992249b..04e6f31 100644 --- a/test/integration/api/smtp_cert_test.rb +++ b/test/integration/api/smtp_cert_test.rb @@ -6,7 +6,7 @@ class SmtpCertTest < ApiIntegrationTest test "retrieve smtp cert" do @user = FactoryGirl.create :user, effective_service_level_code: 2 login - get '/1/smtp_cert', {}, RACK_ENV + post '/1/smtp_cert', {}, RACK_ENV assert_text_response assert_response_includes "BEGIN RSA PRIVATE KEY" assert_response_includes "END RSA PRIVATE KEY" @@ -17,7 +17,7 @@ class SmtpCertTest < ApiIntegrationTest test "cert and key" do @user = FactoryGirl.create :user, effective_service_level_code: 2 login - get '/1/smtp_cert', {}, RACK_ENV + post '/1/smtp_cert', {}, RACK_ENV assert_text_response cert = OpenSSL::X509::Certificate.new(get_response.body) key = OpenSSL::PKey::RSA.new(get_response.body) 
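Review bot: Whole-hash equality shows the first issuance stores exactly one entry, but says nothing about a second issuance; if the server overwrote the hash instead of appending, a still-valid earlier cert would drop out of the list that the commit message says is used for expiry. A second `post '/1/smtp_cert', {}, RACK_ENV` followed by `assert_equal 2, @user.reload.identity.cert_fingerprints.size` would pin that, assuming the list is meant to grow — not visible here. Separately, `today` is computed after the request with the legacy `DateTime` API, so a run straddling midnight fails; capture `today = Date.today.to_s` before the `post`.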
@@ -29,7 +29,7 @@ class SmtpCertTest < ApiIntegrationTest test "fingerprint is stored with identity" do @user = FactoryGirl.create :user, effective_service_level_code: 2 login - get '/1/smtp_cert', {}, RACK_ENV + post '/1/smtp_cert', {}, RACK_ENV assert_text_response cert = OpenSSL::X509::Certificate.new(get_response.body) fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':') @@ -39,13 +39,13 @@ class SmtpCertTest < ApiIntegrationTest test "fetching smtp certs requires email account" do login - get '/1/smtp_cert', {}, RACK_ENV + post '/1/smtp_cert', {}, RACK_ENV assert_json_response error: I18n.t(:not_authorized) end test "no anonymous smtp certs" do with_config allow_anonymous_certs: true do - get '/1/smtp_cert', {}, RACK_ENV + post '/1/smtp_cert', {}, RACK_ENV assert_json_response error: I18n.t(:not_authorized) end end -- cgit v1.2.3 From 5764daae090227bf4c5967900b708392c967be47 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 1 May 2014 10:45:57 +0200 Subject: hash token with sha512 against timing attacs #3398 --- test/integration/api/token_test.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 test/integration/api/token_test.rb (limited to 'test/integration') diff --git a/test/integration/api/token_test.rb b/test/integration/api/token_test.rb new file mode 100644 index 0000000..ad3ac22 --- /dev/null +++ b/test/integration/api/token_test.rb @@ -0,0 +1,15 @@ +require 'test_helper' +require_relative 'srp_test' + +class TokenTest < SrpTest + + setup do + register_user + end + + test "stores token SHA512 encoded" do + authenticate + token = server_auth['token'] + assert Token.find(Digest::SHA512.hexdigest(token)) + end +end -- cgit v1.2.3 From bbeb4b629dc38d82b3b3200706dd25b8def8892e Mon Sep 17 00:00:00 2001 
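Review bot: Switching the cert endpoint to POST is not accompanied by a test that GET is now refused; if the old route survives, an issuance that records a fingerprint stays reachable through the verb the tests no longer exercise. A negative case such as `get '/1/smtp_cert', {}, RACK_ENV` followed by an assertion on the error status (404 or 405 depending on how the route is removed — not visible here) would pin the change. The diffstat lists only smtp_cert_test.rb although the subject says "certs", so `/1/cert` either still accepts GET or its test was not updated; worth checking.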
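Review bot: The `stores token SHA512 encoded` test proves the digest is a valid lookup key but not that the plaintext token has stopped being one, which is the property the commit is for; add the negative side, `assert_nil Token.find(token)` (or the raising form, depending on what `Token.find` does for a missing id — not visible here). `Digest::SHA512` is used without a `require 'digest'`, which presumably works only because the app environment loads it; add it next to `require 'test_helper'` so the test does not depend on load order. Hashing the stored token only closes a comparison timing leak if the server always looks tokens up by the digest and never compares the raw value; that is server-side code outside this hunk.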
From: Azul Date: Sat, 24 May 2014 13:39:10 +0200 Subject: sorting translation keys some --- test/integration/browser/account_test.rb | 6 +++--- test/integration/browser/session_test.rb | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'test/integration') diff --git a/test/integration/browser/account_test.rb b/test/integration/browser/account_test.rb index 491a9e1..8dc3043 100644 --- a/test/integration/browser/account_test.rb +++ b/test/integration/browser/account_test.rb @@ -9,7 +9,7 @@ class AccountTest < BrowserIntegrationTest test "signup successfully" do username, password = submit_signup assert page.has_content?("Welcome #{username}") - click_on 'Logout' + click_on 'Log Out' assert page.has_content?("Log In") assert_equal '/', current_path assert user = User.find_by_login(username) @@ -24,7 +24,7 @@ class AccountTest < BrowserIntegrationTest test "successful login" do username, password = submit_signup - click_on 'Logout' + click_on 'Log Out' attempt_login(username, password) assert page.has_content?("Welcome #{username}") within('.sidenav li.active') do @@ -83,7 +83,7 @@ class AccountTest < BrowserIntegrationTest fill_in 'Password confirmation', with: "other password" click_on 'Save' end - click_on 'Logout' + click_on 'Log Out' attempt_login(@user.login, "other password") assert page.has_content?("Welcome #{@user.login}") end diff --git a/test/integration/browser/session_test.rb b/test/integration/browser/session_test.rb index fb20847..d52508a 100644 --- a/test/integration/browser/session_test.rb +++ b/test/integration/browser/session_test.rb @@ -4,7 +4,7 @@ class SessionTest < BrowserIntegrationTest test "valid session" do login - assert page.has_content?("Logout") + assert page.has_content?("Log Out") end test "expired session" do -- cgit v1.2.3 From 154d32bbc7cfe21d83141ff2c9a3d805165231b8 Mon Sep 17 00:00:00 2001 
From: Azul Date: Wed, 28 May 2014 10:45:14 +0200 Subject: use Identity for testing login availability We create an identity alongside each user. Make sure the identity is valid when creating the user. This also ensures that the login picked is available because otherwise the identities address would not be available anymore. --- test/integration/browser/account_test.rb | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'test/integration') diff --git a/test/integration/browser/account_test.rb b/test/integration/browser/account_test.rb index 491a9e1..82bb043 100644 --- a/test/integration/browser/account_test.rb +++ b/test/integration/browser/account_test.rb @@ -22,6 +22,12 @@ class AccountTest < BrowserIntegrationTest assert page.has_content?("Welcome #{username}") end + test "signup with reserved username" do + username = 'certmaster' + submit_signup username + assert page.has_content?("is reserved.") + end + test "successful login" do username, password = submit_signup click_on 'Logout' @@ -44,6 +50,7 @@ class AccountTest < BrowserIntegrationTest click_on I18n.t('account_settings') click_on I18n.t('destroy_my_account') assert page.has_content?(I18n.t('account_destroyed')) + assert_equal 1, Identity.by_address.key("#{username}@test.me").count attempt_login(username, password) assert_invalid_login(page) end -- cgit v1.2.3 From 682b4060cb86c52ffda638f4f9a837f107540610 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 28 May 2014 11:44:12 +0200 Subject: ensure identity is cleared on user.reload - fixes test --- test/integration/browser/account_test.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/browser/account_test.rb b/test/integration/browser/account_test.rb index 82bb043..8e6d433 100644 --- a/test/integration/browser/account_test.rb +++ b/test/integration/browser/account_test.rb 
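Review bot: `signup with reserved username` asserts only the flash text, not that the reserved name stayed unregistered; a form that showed the message and still created the account would pass. Add `assert_nil User.find_by_login(username)` after the page check, matching the lookup the `signup successfully` test already uses. In the destroy-account hunk the new assertion hardcodes the `test.me` domain; if the identity address is derived from configuration, reading it from the same source here avoids a test that flips on an unrelated config change — I cannot see where the domain comes from.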
@@ -109,7 +109,8 @@ class AccountTest < BrowserIntegrationTest # at some point we're done: page.assert_no_selector 'input[value="Saving..."]' assert page.has_field? 'Public key', with: pgp_key.to_s - assert_equal pgp_key, @user.reload.public_key + @user.reload + assert_equal pgp_key, @user.public_key end end -- cgit v1.2.3 From bbe7b3b7deb2b44d34f7c39dda2c3db284e2bf10 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 29 May 2014 11:19:21 +0200 Subject: clearify identity validations Identity.new.valid? should not crash. So validate presence where needed and skip the other validations if the value is absent. --- test/integration/api/smtp_cert_test.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/api/smtp_cert_test.rb b/test/integration/api/smtp_cert_test.rb index 04e6f31..f72362d 100644 --- a/test/integration/api/smtp_cert_test.rb +++ b/test/integration/api/smtp_cert_test.rb @@ -34,7 +34,7 @@ class SmtpCertTest < ApiIntegrationTest cert = OpenSSL::X509::Certificate.new(get_response.body) fingerprint = OpenSSL::Digest::SHA1.hexdigest(cert.to_der).scan(/../).join(':') today = DateTime.now.to_date.to_s - assert_equal({fingerprint => today}, @user.identity.cert_fingerprints) + assert_equal({fingerprint => today}, @user.reload.identity.cert_fingerprints) end test "fetching smtp certs requires email account" do -- cgit v1.2.3