From 2ffcc64d86204e40ead0bdca7c48dff6286805c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= <lauri.vosandi@gmail.com>
Date: Thu, 4 May 2017 07:38:49 +0000
Subject: [PATCH] tests: Test CRL checks on client side

---
 .travis.yml           |  3 +--
 certidude/__init__.py |  6 -----
 tests/test_cli.py     | 61 +++++++++++++++++++++++++++++--------------
 3 files changed, 42 insertions(+), 28 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 71f04be..e90f744 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -19,9 +19,8 @@ install:
 script:
   - sudo find /home/ -type d -exec chmod 755 {} \; # Allow certidude serve to read templates
   - sudo useradd adminbot -G sudo -p '$1$PBkf5waA$n9EV6WJ7PS6lyGWkgeTPf1'
-  - sudo useradd userbot -G users -p '$1$PBkf5waA$n9EV6WJ7PS6lyGWkgeTPf1'
+  - sudo useradd userbot -G users -p '$1$PBkf5waA$n9EV6WJ7PS6lyGWkgeTPf1' -c "User Bot,,,"
   - sudo chmod 777 . # Allow forked processes to write .coverage files
-  - sudo mkdir -p /etc/NetworkManager/system-connections/ # Allow config file creation without having NM installed
   - sudo coverage run --parallel-mode --source certidude -m py.test tests
   - sudo coverage combine
   - sudo coverage report
diff --git a/certidude/__init__.py b/certidude/__init__.py
index 3c6d6f7..e69de29 100644
--- a/certidude/__init__.py
+++ b/certidude/__init__.py
@@ -1,6 +0,0 @@
-
-try:
-    from future.standard_library import install_aliases
-    install_aliases()
-except ImportError:
-    pass
diff --git a/tests/test_cli.py b/tests/test_cli.py
index 09eeac5..69ff252 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -168,6 +168,10 @@ def test_cli_setup_authority():
     assert r.headers.get('content-type') == "application/x-x509-ca-cert"
     assert r.text == buf
 
+    r = client().simulate_get("/api/certificate")
+    assert r.status_code == 200
+    assert r.headers.get('content-type') == "application/x-x509-ca-cert"
+    assert r.text == buf
 
     # Password is bot, users created by Travis
     usertoken = "Basic dXNlcmJvdDpib3Q="
@@ -191,6 +195,15 @@ def test_cli_setup_authority():
     assert r.status_code == 200, r.text # if this breaks certidude serve has no read access to static folder
     r = requests.get("http://ca.example.lan/nonexistant.html")
     assert r.status_code == 404, r.text
+    r = requests.get("http://ca.example.lan/../nonexistant.html")
+    assert r.status_code == 403, r.text
+
+    r = client().simulate_get("/index.html")
+    assert r.status_code == 200, r.text
+    r = client().simulate_get("/nonexistant.html")
+    assert r.status_code == 404, r.text
+    r = client().simulate_get("/../nonexistant.html")
+    assert r.status_code == 403, r.text
 
     # Test request submission
     buf = generate_csr(cn=u"test")
@@ -301,20 +314,6 @@ def test_cli_setup_authority():
     assert "Stored request " in inbox.pop(), inbox
     assert not inbox
 
-    # Test session API call
-    r = client().simulate_get("/api/", headers={"Authorization":usertoken})
-    assert r.status_code == 200
-
-    r = client().simulate_get("/api/", headers={"Authorization":admintoken})
-    assert r.status_code == 200
-
-    r = client().simulate_get("/api/", headers={"Accept":"text/plain", "Authorization":admintoken})
-    assert r.status_code == 415 # invalid media type
-
-    r = client().simulate_get("/api/")
-    assert r.status_code == 401
-
-
     # Test signed certificate API call
     r = client().simulate_get("/api/signed/nonexistant/")
     assert r.status_code == 404, r.text
@@ -357,9 +356,9 @@ def test_cli_setup_authority():
 
     # Insert lease as if VPN gateway had submitted it
     path, _, _ = authority.get_signed("test")
-    from xattr import setxattr
+    from xattr import setxattr, getxattr, listxattr
     setxattr(path, "user.lease.address", b"127.0.0.1")
-    setxattr(path, "user.lease.last_seen", b"random")
+    setxattr(path, "user.lease.last_seen", datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z")
     r = client().simulate_get("/api/signed/test/attr/")
     assert r.status_code == 200, r.text
 
@@ -393,12 +392,12 @@ def test_cli_setup_authority():
     assert r.status_code == 200, r.text
 
     # Tags can be overwritten only by admin
-    r = client().simulate_put("/api/signed/test/tag/other/")
+    r = client().simulate_put("/api/signed/test/tag/something/")
     assert r.status_code == 401, r.text
-    r = client().simulate_put("/api/signed/test/tag/other/",
+    r = client().simulate_put("/api/signed/test/tag/something/",
         headers={"Authorization":usertoken})
     assert r.status_code == 403, r.text
-    r = client().simulate_put("/api/signed/test/tag/other/",
+    r = client().simulate_put("/api/signed/test/tag/something/",
         body="value=else",
         headers={"content-type": "application/x-www-form-urlencoded", "Authorization":admintoken})
     assert r.status_code == 200, r.text
@@ -412,6 +411,7 @@ def test_cli_setup_authority():
     r = client().simulate_delete("/api/signed/test/tag/else/",
         headers={"content-type": "application/x-www-form-urlencoded", "Authorization":admintoken})
     assert r.status_code == 200, r.text
+    assert "user.xdg.tags" not in listxattr(path, "user.xdg.tags")
 
 
     # Test revocation
@@ -437,6 +437,21 @@ def test_cli_setup_authority():
     assert r.status_code == 200, r.text
     assert r.headers.get('content-type') == "application/json; charset=UTF-8"
 
+
+    # Test session API call
+    r = client().simulate_get("/api/", headers={"Authorization":usertoken})
+    assert r.status_code == 200
+
+    r = client().simulate_get("/api/", headers={"Authorization":admintoken})
+    assert r.status_code == 200
+
+    r = client().simulate_get("/api/", headers={"Accept":"text/plain", "Authorization":admintoken})
+    assert r.status_code == 415 # invalid media type
+
+    r = client().simulate_get("/api/")
+    assert r.status_code == 401
+
+
     # Test token mech
     r = client().simulate_post("/api/token/")
     assert r.status_code == 404, r.text
@@ -663,12 +678,18 @@ def test_cli_setup_authority():
     # Test revocation on command-line
     child_pid = os.fork()
     if not child_pid:
-        result = runner.invoke(cli, ['revoke', 'www.example.lan'])
+        result = runner.invoke(cli, ['revoke', 'roadwarrior4'])
         assert not result.exception, result.output
         return
     else:
         os.waitpid(child_pid, 0)
 
+    # Test revocation check on client side
+    result = runner.invoke(cli, ["request", "--no-wait"])
+    assert not result.exception, result.output
+    assert "Certificate has been revoked, wiping keys and certificates" in result.output, result.output
+    assert "Writing certificate to:" in result.output, result.output
+
     result = runner.invoke(cli, ['list', '-srv'])
     assert not result.exception, result.output
     result = runner.invoke(cli, ['cron'])