Add tests for token mechanism

tests/test_cli.py

@@ -258,11 +258,9 @@ def test_cli_setup_authority():
     # Test static
     r = client().simulate_delete("/nonexistant.html")
     assert r.status_code == 404
-
     r = client().simulate_delete("/index.html")
     assert r.status_code == 200
 
-
     # Log can be read only by admin
     r = client().simulate_get("/api/log/")
     assert r.status_code == 401
@@ -273,3 +271,29 @@ def test_cli_setup_authority():
         headers={"Authorization":admintoken})
     assert r.status_code == 200
     assert r.headers.get('content-type') == "application/json; charset=UTF-8"
+
+    # Test token mech
+    r = client().simulate_post("/api/token/")
+    assert r.status_code == 404
+
+    config.BUNDLE_FORMAT = "ovpn"
+    config.USER_ENROLLMENT_ALLOWED = True
+
+    r = client().simulate_post("/api/token/")
+    assert r.status_code == 401 # needs auth
+    r = client().simulate_post("/api/token/",
+        headers={"Authorization":usertoken})
+    assert r.status_code == 403 # regular user forbidden
+    r = client().simulate_post("/api/token/",
+        body="user=userbot", # TODO: test nonexistant user
+        headers={"content-type": "application/x-www-form-urlencoded", "Authorization":admintoken})
+    assert r.status_code == 200 # token generated by admin
+
+    r2 = client().simulate_get("/api/token/",
+        query_string="u=userbot&t=1493184342&c=ac9b71421d5741800c5a4905b20c1072594a2df863e60ba836464888786bf2a6",
+        headers={"content-type": "application/x-www-form-urlencoded", "Authorization":admintoken})
+    assert r2.status_code == 403 # invalid checksum/timestamp
+    r2 = client().simulate_get("/api/token/", query_string=r.content,
+        headers={"User-Agent":"Mozilla/5.0 (X11; Fedora; Linux x86_64) "
+            "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"})
+    assert r2.status_code == 200 # token consumed by anyone