From a75fb58cb596b280b5f1d6d5b6dc44a933b3faa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Thu, 4 May 2017 10:02:14 +0000
Subject: [PATCH] tests: Lease and attribute API call fixes

---
 certidude/api/attrib.py | 1 +
 tests/test_cli.py | 20 ++++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/certidude/api/attrib.py b/certidude/api/attrib.py
index 0d0c50e..53465a8 100644
--- a/certidude/api/attrib.py
+++ b/certidude/api/attrib.py
@@ -15,6 +15,7 @@ class AttributeResource(object):
 Return extended attributes stored on the server. This not only contains tags and lease information, but might also contain some other sensitive information.
+ Results made available only to lease IP address.
 """
 try:
 path, buf, cert = authority.get_signed(cn)
diff --git a/tests/test_cli.py b/tests/test_cli.py
index c843866..9cc8502 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -245,6 +245,9 @@ def test_cli_setup_authority():
 r = client().simulate_delete("/api/request/test/",
 headers={"Authorization":admintoken})
 assert r.status_code == 200, r.text
+ r = client().simulate_delete("/api/request/nonexistant/",
+ headers={"Authorization":admintoken})
+ assert r.status_code == 404, r.text

 # Test request submission corner cases
 r = client().simulate_post("/api/request/",
@@ -376,6 +379,8 @@ def test_cli_setup_authority():
 # Test attribute fetching API call
 r = client().simulate_get("/api/signed/test/attr/")
 assert r.status_code == 403, r.text
+ r = client().simulate_get("/api/signed/nonexistant/attr/")
+ assert r.status_code == 404, r.text
 r = client().simulate_get("/api/signed/test/lease/",
 headers={"Authorization":admintoken})
 assert r.status_code == 404, r.text
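Review bot: The docstring line added in the certidude/api/attrib.py hunk says access is limited to the lease IP address, but not which address of the request is compared or what other callers receive. Because the same docstring warns that the response may carry sensitive information, I would state the rule in full, e.g. `Results are returned only to requests coming from the IP address recorded in the client's lease; other callers get 403.` The comparison itself is not visible in this hunk; if the service can run behind a reverse proxy, the docstring should also say whether the peer address or a forwarded header is used, since the peer would then be the proxy. The handler body continues outside the hunk.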
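Review bot: In the `@@ -376,6 +379,8 @@` hunk of tests/test_cli.py, the unauthenticated GET on `/api/signed/nonexistant/attr/` is asserted to return 404 directly after the same request for an existing CN is asserted to return 403, so the test pins a status difference that lets any caller learn which common names have a signed certificate. If that is intended, a comment such as `# 404 vs 403 is deliberate: CN existence is not treated as secret` would record the decision; if it is not, both cases should answer with the same status and the assertion should follow. The spelling `nonexistant` here and in the `@@ -245,6 +245,9 @@` hunk should be `nonexistent`. test_cli_setup_authority starts and ends outside the hunk.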
@@ -383,9 +388,20 @@ def test_cli_setup_authority():
 r = client().simulate_post("/api/lease/",
 query_string = "client=test&address=127.0.0.1",
 headers={"Authorization":admintoken})
- assert r.status_code == 200, r.text
+ assert r.status_code == 200, r.text # lease update ok
+ r = client().simulate_post("/api/lease/",
+ query_string = "client=test&address=127.0.0.1&serial=0",
+ headers={"Authorization":admintoken})
+ assert r.status_code == 403, r.text # invalid serial number supplied
 r = client().simulate_get("/api/signed/test/attr/")
- assert r.status_code == 200, r.text
+ assert r.status_code == 200, r.text # read okay from own address
+ r = client().simulate_post("/api/lease/",
+ query_string = "client=test&address=1.2.3.4",
+ headers={"Authorization":admintoken})
+ assert r.status_code == 200, r.text # lease update ok
+ r = client().simulate_get("/api/signed/test/attr/")
+ assert r.status_code == 403, r.text # read failed from other address
+

 # Test lease retrieval
 r = client().simulate_get("/api/signed/test/lease/")
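Review bot: The rejected `serial=0` request posts the address the lease already holds (127.0.0.1), so the attr read that follows returning 200 cannot show that the 403 response left the lease unchanged. Sending a different address in the rejected request, `query_string = "client=test&address=1.2.3.4&serial=0",`, would make the existing `read okay from own address` assertion prove that a request with an invalid serial does not overwrite the lease, assuming the serial check does not depend on the address. The lease is also left at 1.2.3.4 when the hunk ends, which later assertions in test_cli_setup_authority (outside this hunk) may need to account for.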