1package webaccount
2
3import (
4 "archive/tar"
5 "archive/zip"
6 "bytes"
7 "compress/gzip"
8 "context"
9 "crypto/ed25519"
10 cryptorand "crypto/rand"
11 "crypto/x509"
12 "encoding/json"
13 "encoding/pem"
14 "fmt"
15 "io"
16 "math/big"
17 "mime/multipart"
18 "net/http"
19 "net/http/httptest"
20 "net/url"
21 "os"
22 "path"
23 "path/filepath"
24 "reflect"
25 "runtime/debug"
26 "sort"
27 "strings"
28 "testing"
29 "time"
30
31 "github.com/mjl-/bstore"
32 "github.com/mjl-/sherpa"
33
34 "github.com/mjl-/mox/config"
35 "github.com/mjl-/mox/dns"
36 "github.com/mjl-/mox/junk"
37 "github.com/mjl-/mox/mlog"
38 "github.com/mjl-/mox/mox-"
39 "github.com/mjl-/mox/queue"
40 "github.com/mjl-/mox/store"
41 "github.com/mjl-/mox/webauth"
42 "github.com/mjl-/mox/webhook"
43)
44
45var ctxbg = context.Background()
46
47func init() {
48 mox.LimitersInit()
49 webauth.BadAuthDelay = 0
50}
51
52func tcheck(t *testing.T, err error, msg string) {
53 t.Helper()
54 if err != nil {
55 t.Fatalf("%s: %s", msg, err)
56 }
57}
58
59func readBody(r io.Reader) string {
60 buf, err := io.ReadAll(r)
61 if err != nil {
62 return fmt.Sprintf("read error: %s", err)
63 }
64 return fmt.Sprintf("data: %q", buf)
65}
66
67func tneedErrorCode(t *testing.T, code string, fn func()) {
68 t.Helper()
69 defer func() {
70 t.Helper()
71 x := recover()
72 if x == nil {
73 debug.PrintStack()
74 t.Fatalf("expected sherpa user error, saw success")
75 }
76 if err, ok := x.(*sherpa.Error); !ok {
77 debug.PrintStack()
78 t.Fatalf("expected sherpa error, saw %#v", x)
79 } else if err.Code != code {
80 debug.PrintStack()
81 t.Fatalf("expected sherpa error code %q, saw other sherpa error %#v", code, err)
82 }
83 }()
84
85 fn()
86}
87
88func tcompare(t *testing.T, got, expect any) {
89 t.Helper()
90 if !reflect.DeepEqual(got, expect) {
91 t.Fatalf("got:\n%#v\nexpected:\n%#v", got, expect)
92 }
93}
94
95func TestAccount(t *testing.T) {
96 log := mlog.New("webaccount", nil)
97 os.RemoveAll("../testdata/httpaccount/data")
98 mox.ConfigStaticPath = filepath.FromSlash("../testdata/httpaccount/mox.conf")
99 mox.ConfigDynamicPath = filepath.Join(filepath.Dir(mox.ConfigStaticPath), "domains.conf")
100 mox.MustLoadConfig(true, false)
101 err := store.Init(ctxbg)
102 tcheck(t, err, "store init")
103 defer func() {
104 err := store.Close()
105 tcheck(t, err, "store close")
106 }()
107 defer store.Switchboard()()
108
109 acc, err := store.OpenAccount(log, "mjl☺", false)
110 tcheck(t, err, "open account")
111 err = acc.SetPassword(log, "test1234")
112 tcheck(t, err, "set password")
113 defer func() {
114 err = acc.Close()
115 tcheck(t, err, "closing account")
116 acc.WaitClosed()
117 }()
118
119 api := Account{cookiePath: "/account/"}
120 apiHandler, err := makeSherpaHandler(api.cookiePath, false)
121 tcheck(t, err, "sherpa handler")
122
123 // Record HTTP response to get session cookie for login.
124 respRec := httptest.NewRecorder()
125 reqInfo := requestInfo{"", "", "", respRec, &http.Request{RemoteAddr: "127.0.0.1:1234"}}
126 ctx := context.WithValue(ctxbg, requestInfoCtxKey, reqInfo)
127
128 // Missing login token.
129 tneedErrorCode(t, "user:error", func() { api.Login(ctx, "", "mjl☺@mox.example", "test1234") })
130
131 // Login with loginToken.
132 loginCookie := &http.Cookie{Name: "webaccountlogin"}
133 loginCookie.Value = api.LoginPrep(ctx)
134 reqInfo.Request.Header = http.Header{"Cookie": []string{loginCookie.String()}}
135
136 csrfToken := api.Login(ctx, loginCookie.Value, "mjl☺@mox.example", "test1234")
137 var sessionCookie *http.Cookie
138 for _, c := range respRec.Result().Cookies() {
139 if c.Name == "webaccountsession" {
140 sessionCookie = c
141 break
142 }
143 }
144 if sessionCookie == nil {
145 t.Fatalf("missing session cookie")
146 }
147
148 // Valid loginToken, but bad credentials.
149 loginCookie.Value = api.LoginPrep(ctx)
150 reqInfo.Request.Header = http.Header{"Cookie": []string{loginCookie.String()}}
151 tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "mjl☺@mox.example", "badauth") })
152 tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "baduser@mox.example", "badauth") })
153 tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "baduser@baddomain.example", "badauth") })
154
155 acc2, err := store.OpenAccount(log, "disabled", false)
156 tcheck(t, err, "open account")
157 err = acc2.SetPassword(log, "test1234")
158 tcheck(t, err, "set password")
159 acc2.Close()
160 tcheck(t, err, "close account")
161
162 loginReqInfo2 := requestInfo{"", "", "", httptest.NewRecorder(), &http.Request{RemoteAddr: "1.1.1.1:1234"}}
163 loginctx2 := context.WithValue(ctxbg, requestInfoCtxKey, loginReqInfo2)
164 loginCookie2 := &http.Cookie{Name: "webaccountlogin"}
165 loginCookie2.Value = api.LoginPrep(loginctx2)
166 loginReqInfo2.Request.Header = http.Header{"Cookie": []string{loginCookie2.String()}}
167 tneedErrorCode(t, "user:loginFailed", func() { api.Login(loginctx2, loginCookie2.Value, "disabled@mox.example", "test1234") })
168 tneedErrorCode(t, "user:loginFailed", func() { api.Login(loginctx2, loginCookie2.Value, "disabled@mox.example", "bogus") })
169
170 type httpHeaders [][2]string
171 ctJSON := [2]string{"Content-Type", "application/json; charset=utf-8"}
172
173 cookieOK := &http.Cookie{Name: "webaccountsession", Value: sessionCookie.Value}
174 cookieBad := &http.Cookie{Name: "webaccountsession", Value: "AAAAAAAAAAAAAAAAAAAAAA mjl"}
175 hdrSessionOK := [2]string{"Cookie", cookieOK.String()}
176 hdrSessionBad := [2]string{"Cookie", cookieBad.String()}
177 hdrCSRFOK := [2]string{"x-mox-csrf", string(csrfToken)}
178 hdrCSRFBad := [2]string{"x-mox-csrf", "AAAAAAAAAAAAAAAAAAAAAA"}
179
180 testHTTP := func(method, path string, headers httpHeaders, expStatusCode int, expHeaders httpHeaders, check func(resp *http.Response)) {
181 t.Helper()
182
183 req := httptest.NewRequest(method, path, nil)
184 for _, kv := range headers {
185 req.Header.Add(kv[0], kv[1])
186 }
187 rr := httptest.NewRecorder()
188 rr.Body = &bytes.Buffer{}
189 handle(apiHandler, false, rr, req)
190 if rr.Code != expStatusCode {
191 t.Fatalf("got status %d, expected %d (%s)", rr.Code, expStatusCode, readBody(rr.Body))
192 }
193
194 resp := rr.Result()
195 for _, h := range expHeaders {
196 if resp.Header.Get(h[0]) != h[1] {
197 t.Fatalf("for header %q got value %q, expected %q", h[0], resp.Header.Get(h[0]), h[1])
198 }
199 }
200
201 if check != nil {
202 check(resp)
203 }
204 }
205 testHTTPAuthAPI := func(method, path string, expStatusCode int, expHeaders httpHeaders, check func(resp *http.Response)) {
206 t.Helper()
207 testHTTP(method, path, httpHeaders{hdrCSRFOK, hdrSessionOK}, expStatusCode, expHeaders, check)
208 }
209
210 userAuthError := func(resp *http.Response, expCode string) {
211 t.Helper()
212
213 var response struct {
214 Error *sherpa.Error `json:"error"`
215 }
216 err := json.NewDecoder(resp.Body).Decode(&response)
217 tcheck(t, err, "parsing response as json")
218 if response.Error == nil {
219 t.Fatalf("expected sherpa error with code %s, no error", expCode)
220 }
221 if response.Error.Code != expCode {
222 t.Fatalf("got sherpa error code %q, expected %s", response.Error.Code, expCode)
223 }
224 }
225 badAuth := func(resp *http.Response) {
226 t.Helper()
227 userAuthError(resp, "user:badAuth")
228 }
229 noAuth := func(resp *http.Response) {
230 t.Helper()
231 userAuthError(resp, "user:noAuth")
232 }
233
234 testHTTP("POST", "/api/Bogus", httpHeaders{}, http.StatusOK, nil, noAuth)
235 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFBad}, http.StatusOK, nil, noAuth)
236 testHTTP("POST", "/api/Bogus", httpHeaders{hdrSessionBad}, http.StatusOK, nil, noAuth)
237 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFBad, hdrSessionBad}, http.StatusOK, nil, badAuth)
238 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFOK}, http.StatusOK, nil, noAuth)
239 testHTTP("POST", "/api/Bogus", httpHeaders{hdrSessionOK}, http.StatusOK, nil, noAuth)
240 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFBad, hdrSessionOK}, http.StatusOK, nil, badAuth)
241 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFOK, hdrSessionBad}, http.StatusOK, nil, badAuth)
242 testHTTPAuthAPI("GET", "/api/Types", http.StatusMethodNotAllowed, nil, nil)
243 testHTTPAuthAPI("POST", "/api/Types", http.StatusOK, httpHeaders{ctJSON}, nil)
244
245 testHTTP("POST", "/import", httpHeaders{}, http.StatusForbidden, nil, nil)
246 testHTTP("POST", "/import", httpHeaders{hdrSessionBad}, http.StatusForbidden, nil, nil)
247 testHTTP("GET", "/export", httpHeaders{}, http.StatusForbidden, nil, nil)
248 testHTTP("GET", "/export", httpHeaders{hdrSessionBad}, http.StatusForbidden, nil, nil)
249 testHTTP("GET", "/export", httpHeaders{hdrSessionOK}, http.StatusForbidden, nil, nil)
250
251 // SetPassword needs the token.
252 sessionToken := store.SessionToken(strings.SplitN(sessionCookie.Value, " ", 2)[0])
253 reqInfo = requestInfo{"mjl☺@mox.example", "mjl☺", sessionToken, respRec, &http.Request{RemoteAddr: "127.0.0.1:1234"}}
254 ctx = context.WithValue(ctxbg, requestInfoCtxKey, reqInfo)
255
256 api.SetPassword(ctx, "test1234")
257
258 err = queue.Init() // For DB.
259 tcheck(t, err, "queue init")
260 defer queue.Shutdown()
261
262 account, _, _, _ := api.Account(ctx)
263
264 // Check we don't see the alias member list.
265 tcompare(t, len(account.Aliases), 1)
266 tcompare(t, account.Aliases[0], config.AddressAlias{
267 SubscriptionAddress: "mjl☺@mox.example",
268 Alias: config.Alias{
269 LocalpartStr: "support",
270 Domain: dns.Domain{ASCII: "mox.example"},
271 AllowMsgFrom: true,
272 },
273 })
274
275 api.DestinationSave(ctx, "mjl☺@mox.example", account.Destinations["mjl☺@mox.example"], account.Destinations["mjl☺@mox.example"]) // todo: save modified value and compare it afterwards
276
277 api.AccountSaveFullName(ctx, account.FullName+" changed") // todo: check if value was changed
278 api.AccountSaveFullName(ctx, account.FullName)
279
280 go ImportManage()
281 defer func() {
282 importers.Stop <- struct{}{}
283 }()
284
285 // Import mbox/maildir tgz/zip.
286 testImport := func(filename string, expect int) {
287 t.Helper()
288
289 var reqBody bytes.Buffer
290 mpw := multipart.NewWriter(&reqBody)
291 part, err := mpw.CreateFormFile("file", path.Base(filename))
292 tcheck(t, err, "creating form file")
293 buf, err := os.ReadFile(filename)
294 tcheck(t, err, "reading file")
295 _, err = part.Write(buf)
296 tcheck(t, err, "write part")
297 err = mpw.Close()
298 tcheck(t, err, "close multipart writer")
299
300 r := httptest.NewRequest("POST", "/import", &reqBody)
301 r.Header.Add("Content-Type", mpw.FormDataContentType())
302 r.Header.Add("x-mox-csrf", string(csrfToken))
303 r.Header.Add("Cookie", cookieOK.String())
304 w := httptest.NewRecorder()
305 handle(apiHandler, false, w, r)
306 if w.Code != http.StatusOK {
307 t.Fatalf("import, got status code %d, expected 200: %s", w.Code, w.Body.Bytes())
308 }
309 var m ImportProgress
310 if err := json.Unmarshal(w.Body.Bytes(), &m); err != nil {
311 t.Fatalf("parsing import response: %v", err)
312 }
313
314 l := importListener{m.Token, make(chan importEvent, 100), make(chan bool)}
315 importers.Register <- &l
316 if !<-l.Register {
317 t.Fatalf("register failed")
318 }
319 defer func() {
320 importers.Unregister <- &l
321 }()
322 count := 0
323 loop:
324 for {
325 e := <-l.Events
326 if e.Event == nil {
327 continue
328 }
329 switch x := e.Event.(type) {
330 case importCount:
331 count += x.Count
332 case importProblem:
333 t.Fatalf("unexpected problem: %q", x.Message)
334 case importStep:
335 case importDone:
336 break loop
337 case importAborted:
338 t.Fatalf("unexpected aborted import")
339 default:
340 panic(fmt.Sprintf("missing case for Event %#v", e))
341 }
342 }
343 if count != expect {
344 t.Fatalf("imported %d messages, expected %d", count, expect)
345 }
346 }
347 testImport(filepath.FromSlash("../testdata/importtest.mbox.zip"), 2)
348 testImport(filepath.FromSlash("../testdata/importtest.maildir.tgz"), 2)
349
350 // Check there are messages, with the right flags.
351 acc.DB.Read(ctxbg, func(tx *bstore.Tx) error {
352 _, err = bstore.QueryTx[store.Message](tx).FilterEqual("Expunged", false).FilterIn("Keywords", "other").FilterIn("Keywords", "test").Get()
353 tcheck(t, err, `fetching message with keywords "other" and "test"`)
354
355 mb, err := acc.MailboxFind(tx, "importtest")
356 tcheck(t, err, "looking up mailbox importtest")
357 if mb == nil {
358 t.Fatalf("missing mailbox importtest")
359 }
360 sort.Strings(mb.Keywords)
361 if strings.Join(mb.Keywords, " ") != "other test" {
362 t.Fatalf(`expected mailbox keywords "other" and "test", got %v`, mb.Keywords)
363 }
364
365 n, err := bstore.QueryTx[store.Message](tx).FilterEqual("Expunged", false).FilterIn("Keywords", "custom").Count()
366 tcheck(t, err, `fetching message with keyword "custom"`)
367 if n != 2 {
368 t.Fatalf(`got %d messages with keyword "custom", expected 2`, n)
369 }
370
371 mb, err = acc.MailboxFind(tx, "maildir")
372 tcheck(t, err, "looking up mailbox maildir")
373 if mb == nil {
374 t.Fatalf("missing mailbox maildir")
375 }
376 if strings.Join(mb.Keywords, " ") != "custom" {
377 t.Fatalf(`expected mailbox keywords "custom", got %v`, mb.Keywords)
378 }
379
380 return nil
381 })
382
383 testExport := func(format, archive string, expectFiles int) {
384 t.Helper()
385
386 fields := url.Values{
387 "csrf": []string{string(csrfToken)},
388 "format": []string{format},
389 "archive": []string{archive},
390 "mailbox": []string{""},
391 "recursive": []string{"on"},
392 }
393 r := httptest.NewRequest("POST", "/export", strings.NewReader(fields.Encode()))
394 r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
395 r.Header.Add("Cookie", cookieOK.String())
396 w := httptest.NewRecorder()
397 handle(apiHandler, false, w, r)
398 if w.Code != http.StatusOK {
399 t.Fatalf("export, got status code %d, expected 200: %s", w.Code, w.Body.Bytes())
400 }
401 var count int
402 if archive == "zip" {
403 buf := w.Body.Bytes()
404 zr, err := zip.NewReader(bytes.NewReader(buf), int64(len(buf)))
405 tcheck(t, err, "reading zip")
406 for _, f := range zr.File {
407 if !strings.HasSuffix(f.Name, "/") {
408 count++
409 }
410 }
411 } else {
412 var src io.Reader = w.Body
413 if archive == "tgz" {
414 gzr, err := gzip.NewReader(src)
415 tcheck(t, err, "gzip reader")
416 src = gzr
417 }
418 tr := tar.NewReader(src)
419 for {
420 h, err := tr.Next()
421 if err == io.EOF {
422 break
423 }
424 tcheck(t, err, "next file in tar")
425 if !strings.HasSuffix(h.Name, "/") {
426 count++
427 }
428 _, err = io.Copy(io.Discard, tr)
429 tcheck(t, err, "reading from tar")
430 }
431 }
432 if count != expectFiles {
433 t.Fatalf("export, has %d files, expected %d", count, expectFiles)
434 }
435 }
436
437 testExport("maildir", "tgz", 6) // 2 mailboxes, each with 2 messages and a dovecot-keyword file
438 testExport("maildir", "zip", 6)
439 testExport("mbox", "tar", 2+6) // 2 imported plus 6 default mailboxes (Inbox, Draft, etc)
440 testExport("mbox", "zip", 2+6)
441
442 sl := api.SuppressionList(ctx)
443 tcompare(t, len(sl), 0)
444
445 api.SuppressionAdd(ctx, "mjl@mox.example", true, "testing")
446 tneedErrorCode(t, "user:error", func() { api.SuppressionAdd(ctx, "mjl@mox.example", true, "testing") }) // Duplicate.
447 tneedErrorCode(t, "user:error", func() { api.SuppressionAdd(ctx, "bogus", true, "testing") }) // Bad address.
448
449 sl = api.SuppressionList(ctx)
450 tcompare(t, len(sl), 1)
451
452 api.SuppressionRemove(ctx, "mjl@mox.example")
453 tneedErrorCode(t, "user:error", func() { api.SuppressionRemove(ctx, "mjl@mox.example") }) // Absent.
454 tneedErrorCode(t, "user:error", func() { api.SuppressionRemove(ctx, "bogus") }) // Not an address.
455
456 var hooks int
457 hookServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
458 fmt.Fprintln(w, "ok")
459 hooks++
460 }))
461 defer hookServer.Close()
462
463 api.OutgoingWebhookSave(ctx, "http://localhost:1234", "Basic base64", []string{"delivered"})
464 api.OutgoingWebhookSave(ctx, "http://localhost:1234", "Basic base64", []string{})
465 tneedErrorCode(t, "user:error", func() {
466 api.OutgoingWebhookSave(ctx, "http://localhost:1234/outgoing", "Basic base64", []string{"bogus"})
467 })
468 tneedErrorCode(t, "user:error", func() { api.OutgoingWebhookSave(ctx, "invalid", "Basic base64", nil) })
469 api.OutgoingWebhookSave(ctx, "", "", nil) // Restore.
470
471 code, response, errmsg := api.OutgoingWebhookTest(ctx, hookServer.URL, "", webhook.Outgoing{})
472 tcompare(t, code, 200)
473 tcompare(t, response, "ok\n")
474 tcompare(t, errmsg, "")
475 tneedErrorCode(t, "user:error", func() { api.OutgoingWebhookTest(ctx, "bogus", "", webhook.Outgoing{}) })
476
477 api.IncomingWebhookSave(ctx, "http://localhost:1234", "Basic base64")
478 tneedErrorCode(t, "user:error", func() { api.IncomingWebhookSave(ctx, "invalid", "Basic base64") })
479 api.IncomingWebhookSave(ctx, "", "") // Restore.
480
481 code, response, errmsg = api.IncomingWebhookTest(ctx, hookServer.URL, "", webhook.Incoming{})
482 tcompare(t, code, 200)
483 tcompare(t, response, "ok\n")
484 tcompare(t, errmsg, "")
485 tneedErrorCode(t, "user:error", func() { api.IncomingWebhookTest(ctx, "bogus", "", webhook.Incoming{}) })
486
487 api.FromIDLoginAddressesSave(ctx, []string{"mjl☺@mox.example"})
488 api.FromIDLoginAddressesSave(ctx, []string{"mjl☺@mox.example", "mjl☺+fromid@mox.example"})
489 api.FromIDLoginAddressesSave(ctx, []string{})
490 tneedErrorCode(t, "user:error", func() { api.FromIDLoginAddressesSave(ctx, []string{"bogus@other.example"}) })
491
492 api.KeepRetiredPeriodsSave(ctx, time.Minute, time.Minute)
493 api.KeepRetiredPeriodsSave(ctx, 0, 0) // Restore.
494
495 api.AutomaticJunkFlagsSave(ctx, true, "^(junk|spam)", "^(inbox|neutral|postmaster|dmarc|tlsrpt|rejects)", "")
496 api.AutomaticJunkFlagsSave(ctx, false, "", "", "")
497
498 api.JunkFilterSave(ctx, nil)
499 jf := config.JunkFilter{
500 Threshold: 0.95,
501 Params: junk.Params{
502 Twograms: true,
503 MaxPower: 0.1,
504 TopWords: 10,
505 IgnoreWords: 0.1,
506 },
507 }
508 api.JunkFilterSave(ctx, &jf)
509
510 api.RejectsSave(ctx, "Rejects", true)
511 api.RejectsSave(ctx, "Rejects", false)
512 api.RejectsSave(ctx, "", false) // Restore.
513
514 // Make cert for TLSPublicKey.
515 certBuf := fakeCert(t)
516 var b bytes.Buffer
517 err = pem.Encode(&b, &pem.Block{Type: "CERTIFICATE", Bytes: certBuf})
518 tcheck(t, err, "encoding certificate as pem")
519 certPEM := b.String()
520
521 tpkl, err := api.TLSPublicKeys(ctx)
522 tcheck(t, err, "list tls public keys")
523 tcompare(t, len(tpkl), 0)
524
525 tpk, err := api.TLSPublicKeyAdd(ctx, "mjl☺@mox.example", "", false, certPEM)
526 tcheck(t, err, "add tls public key")
527 // Key already exists.
528 tneedErrorCode(t, "user:error", func() { api.TLSPublicKeyAdd(ctx, "mjl☺@mox.example", "", false, certPEM) })
529
530 tpkl, err = api.TLSPublicKeys(ctx)
531 tcheck(t, err, "list tls public keys")
532 tcompare(t, tpkl, []store.TLSPublicKey{tpk})
533
534 tpk.NoIMAPPreauth = true
535 err = api.TLSPublicKeyUpdate(ctx, tpk)
536 tcheck(t, err, "tls public key update")
537 badtpk := tpk
538 badtpk.Fingerprint = "bogus"
539 tneedErrorCode(t, "user:error", func() { api.TLSPublicKeyUpdate(ctx, badtpk) })
540
541 tpkl, err = api.TLSPublicKeys(ctx)
542 tcheck(t, err, "list tls public keys")
543 tcompare(t, len(tpkl), 1)
544 tcompare(t, tpkl[0].NoIMAPPreauth, true)
545
546 err = api.TLSPublicKeyRemove(ctx, tpk.Fingerprint)
547 tcheck(t, err, "tls public key remove")
548 tneedErrorCode(t, "user:error", func() { api.TLSPublicKeyRemove(ctx, tpk.Fingerprint) })
549
550 tpkl, err = api.TLSPublicKeys(ctx)
551 tcheck(t, err, "list tls public keys")
552 tcompare(t, len(tpkl), 0)
553
554 api.Logout(ctx)
555 tneedErrorCode(t, "server:error", func() { api.Logout(ctx) })
556}
557
558func fakeCert(t *testing.T) []byte {
559 t.Helper()
560 seed := make([]byte, ed25519.SeedSize)
561 privKey := ed25519.NewKeyFromSeed(seed) // Fake key, don't use this for real!
562 template := &x509.Certificate{
563 SerialNumber: big.NewInt(1), // Required field...
564 }
565 localCertBuf, err := x509.CreateCertificate(cryptorand.Reader, template, template, privKey.Public(), privKey)
566 tcheck(t, err, "making certificate")
567 return localCertBuf
568}
569