From 6c0f4e776332d0eabcc3cbeb779b4dc42abe70cc Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Tue, 3 Jul 2012 17:43:14 +0100
Subject: [PATCH] implement tests that ensure that an unverified email may not
 get a cert

---
 tests/forgotten-pass-test.js | 79 ++++++++++++++++++++++++++++--------
 1 file changed, 62 insertions(+), 17 deletions(-)

diff --git a/tests/forgotten-pass-test.js b/tests/forgotten-pass-test.js
index 42ea5f2c9..f9f97bb31 100755
--- a/tests/forgotten-pass-test.js
+++ b/tests/forgotten-pass-test.js
@@ -10,10 +10,15 @@ const assert = require('assert'),
 vows = require('vows'),
 start_stop = require('./lib/start-stop.js'),
 wsapi = require('./lib/wsapi.js'),
-email = require('../lib/email.js');
+email = require('../lib/email.js'),
+jwcrypto = require('jwcrypto');
 
 var suite = vows.describe('forgotten-email');
 
+// algs
+require("jwcrypto/lib/algs/ds");
+require("jwcrypto/lib/algs/rs");
+
 start_stop.addStartupBatches(suite);
 
 // every time a new token is sent out, let's update the global
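Review bot: The two `require("jwcrypto/lib/algs/...")` lines sit between the `suite` declaration and the startup batches, away from the require chain they belong to, and the `// algs` comment does not say why they exist. I'd move them directly under `jwcrypto = require('jwcrypto')` and comment them, e.g. `// load the signing algorithms jwcrypto dispatches on; the batch below only uses RS` — presumably the require registers the algorithm with jwcrypto, since the return value is discarded. The `ds` module is not referenced by the new batch; if it is only needed by the server process started through start_stop, it can be dropped here, otherwise say so in the comment.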
@@ -169,6 +174,19 @@ suite.addBatch({
   }
 });
 
+suite.addBatch({
+  "given a token, getting an email": {
+    topic: function() {
+      wsapi.get('/wsapi/email_for_token', { token: token }).call(this);
+    },
+    "account created": function(err, r) {
+      assert.equal(r.code, 200);
+      var body = JSON.parse(r.body);
+      assert.strictEqual(body.success, true);
+    }
+  }
+});
+
 // verify that the old email address + password combinations are still
 // valid (this is so *until* someone clicks through)
 suite.addBatch({
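Review bot: The vow name "account created" does not describe what the moved batch checks — the lookup of an email for the reset `token` — and the body is only checked for `success: true`. If the response carries the address the token was issued for, asserting it (`assert.strictEqual(body.email, <address the reset was requested for>);`) ties the token to the right account rather than accepting any successful lookup; I'd also rename the vow to `"returns the email for the token"`. `token` is the module-level variable updated elsewhere in the file, so this batch still depends on the ordering of the earlier batches, which is worth a one-line comment above it.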
@@ -201,20 +219,6 @@ suite.addBatch({
   }
 });
 
-suite.addBatch({
-  "given a token, getting an email": {
-    topic: function() {
-      wsapi.get('/wsapi/email_for_token', { token: token }).call(this);
-    },
-    "account created": function(err, r) {
-      assert.equal(r.code, 200);
-      var body = JSON.parse(r.body);
-      console.log(body);
-      assert.strictEqual(body.success, true);
-    }
-  }
-});
-
 // now let's complete the re-registration of first email address
 suite.addBatch({
   "complete password reset": {
@@ -297,12 +301,53 @@ suite.addBatch({
   }
 });
 
+// test that certification fails for unverified email addresses
 
-// XXX: test that verification of unverified emails fails
+// generate a keypair, we'll use this to sign assertions, as if
+// this keypair is stored in the browser localStorage
+var kp;
 
-// XXX: test that we can verify the remaining email ok
+suite.addBatch({
+  "generate a keypair": {
+    topic: function() {
+      jwcrypto.generateKeypair({algorithm: "RS", keysize: 64}, this.callback);
+    },
+    "works": function(err, keypair) {
+      assert.isNull(err);
+      assert.isObject(keypair);
+      kp = keypair;
+    },
+    "and cert a key for a verified email address": {
+      topic: function() {
+        wsapi.post('/wsapi/cert_key', {
+          email: 'first@fakeemail.com',
+          pubkey: kp.publicKey.serialize(),
+          ephemeral: false
+        }).call(this);
+      },
+      "returns a success response" : function(err, r) {
+        assert.strictEqual(r.code, 200);
+      }
+    },
+    "and cert a key for an unverified email address": {
+      topic: function() {
+        wsapi.post('/wsapi/cert_key', {
+          email: 'second@fakeemail.com',
+          pubkey: kp.publicKey.serialize(),
+          ephemeral: false
+        }).call(this);
+      },
+      "is forbidden" : function(err, r) {
+        assert.strictEqual(r.code, 401);
+        assert.strictEqual(JSON.parse(r.body).success, false);
+      }
+    }
+  }
+});
 
 
+// XXX: test that we can verify the remaining email ok
+
 start_stop.addShutdownBatches(suite);
 
 // run or export the suite.
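Review bot: The two `cert_key` sub-contexts read the module-level `kp` that the sibling vow "works" assigns, so they depend on vows running that vow before the sub-context topics; since vows passes the parent topic to sub-context topics as an argument, `topic: function(keypair) {` with `pubkey: keypair.publicKey.serialize(),` in both sub-contexts removes the ordering dependency and the `var kp;` global. The positive case only checks `r.code === 200` and never inspects the body, so it would pass even if no certificate came back; if the response body carries the certificate, add an assertion that it is present (non-empty, or parses as a cert). `keysize: 64` needs a why-comment, e.g. `// smallest test-grade RS keysize, chosen for speed; never use outside tests`, since it is presumably a deliberately short RSA key. Whether second@fakeemail.com is still unverified at this point depends on batches outside this hunk, so the batch header comment should state that precondition.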
-- 
GitLab