add: defense-in-depth mechanism to prevent unauthorized adding of groups
index 4d668b74caba6b6740d0086613876ec6355078dc..0beaef87998a8b24e1e4a7387bd9534329390094 100644 (file)
@@ -11,22 +11,24 @@ import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.pages.account.certs.CertificateRequest;
 import org.cacert.gigi.testUtils.ClientTest;
+import org.cacert.gigi.util.AuthorizationContext;
 import org.junit.Test;
 
 public class TestCertificateRequest extends ClientTest {
 
     KeyPair kp = generateKeypair();
 
-    public TestCertificateRequest() throws GeneralSecurityException, IOException {
-        makeAssurer(u.getId());
-        grant(email, Group.CODESIGNING);
+    AuthorizationContext ac;
 
+    public TestCertificateRequest() throws GeneralSecurityException, IOException, GigiApiException {
+        ac = new AuthorizationContext(u, u);
+        makeAssurer(u.getId());
     }
 
     @Test
     public void testIssuingOtherName() throws Exception {
         try {
-            new CertificateRequest(u, generatePEMCSR(kp, "CN=hansi")).draft();
+            new CertificateRequest(ac, generatePEMCSR(kp, "CN=hansi")).draft();
             fail();
         } catch (GigiApiException e) {
             assertThat(e.getMessage(), containsString("name you entered was invalid"));
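Review bot: The new field initialisation `ac = new AuthorizationContext(u, u);` is the security-relevant change in this hunk, yet the meaning of passing the same user twice is left to the reader; a comment on that line would save the next maintainer from guessing, e.g. `// self-service context: u is both the acting and the target user, no supporter/admin involved -- TODO confirm parameter roles against AuthorizationContext`. The constructor now also declares GigiApiException, presumably because the AuthorizationContext constructor throws it; if so, a one-line note would make the extra checked exception look intentional rather than accidental. The body of testIssuingOtherName continues past the end of this hunk, so its remaining assertions were not reviewed here.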
@@ -35,18 +37,18 @@ public class TestCertificateRequest extends ClientTest {
 
     @Test
     public void testIssuingDefault() throws Exception {
-        new CertificateRequest(u, generatePEMCSR(kp, "CN=" + CertificateRequest.DEFAULT_CN + ",EMAIL=" + email)).draft();
+        new CertificateRequest(ac, generatePEMCSR(kp, "CN=" + CertificateRequest.DEFAULT_CN + ",EMAIL=" + email)).draft();
     }
 
     @Test
     public void testIssuingRealName() throws Exception {
-        new CertificateRequest(u, generatePEMCSR(kp, "CN=a b,EMAIL=" + email)).draft();
+        new CertificateRequest(ac, generatePEMCSR(kp, "CN=a b,EMAIL=" + email)).draft();
     }
 
     @Test
     public void testIssuingModifiedName() throws Exception {
         try {
-            new CertificateRequest(u, generatePEMCSR(kp, "CN=a ab")).draft();
+            new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab")).draft();
             fail();
         } catch (GigiApiException e) {
             assertThat(e.getMessage(), containsString("name you entered was invalid"));
@@ -58,11 +60,28 @@ public class TestCertificateRequest extends ClientTest {
     @Test
     public void testCodesignModifiedName() throws Exception {
         try {
-            CertificateRequest cr = new CertificateRequest(u, generatePEMCSR(kp, "CN=a ab"));
-            cr.update("name", "SHA512", "code-a", null, null, "email:" + email, null, null);
+            u.grantGroup(getSupporter(), Group.CODESIGNING);
+            CertificateRequest cr = new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab"));
+            cr.update("name", "SHA512", "code-a", null, null, "email:" + email);
+            cr.draft();
+            fail();
         } catch (GigiApiException e) {
             assertThat(e.getMessage(), containsString("does not match the details"));
         }
 
     }
+
+    // TODO annotate that this depends on default config
+    @Test
+    public void testCodesignNoPermModifiedName() throws Exception {
+        try {
+            CertificateRequest cr = new CertificateRequest(ac, generatePEMCSR(kp, "CN=a ab"));
+            cr.update("name", "SHA512", "code-a", null, null, "email:" + email);
+            cr.draft();
+            fail();
+        } catch (GigiApiException e) {
+            assertThat(e.getMessage(), containsString("Certificate Profile is invalid."));
+        }
+
+    }
 }
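Review bot: `u.grantGroup(getSupporter(), Group.CODESIGNING);` at the top of testCodesignModifiedName is inside the `try`, so if the grant itself throws GigiApiException the test fails on a mismatched message instead of reporting the real cause; move that line above the `try`. The grant also persists on `u` after the method returns, and testCodesignNoPermModifiedName asserts that the same user lacks CODESIGNING, so if `u` is reused between test methods (this file does not show how ClientTest creates it) the two tests become order-dependent and the negative check can pass vacuously or fail depending on which runs first; revoking the group in a `finally`, or creating a separate user for the no-permission case, would make the defense-in-depth test independent of ordering. The TODO on testCodesignNoPermModifiedName could be resolved now with a comment such as `// Expects the default profile config, where code-a presumably requires Group.CODESIGNING; a custom config changes the rejection message.`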