Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox

# Conflicts:
#	management/auth.py
#	management/daemon.py
#	management/templates/index.html
#	setup/management.sh

tests/fail2ban.py

@@ -232,7 +232,7 @@ if __name__ == "__main__":
 	run_test(managesieve_test, [], 20, 30, 4)
 
 	# Mail-in-a-Box control panel
-	run_test(http_test, ["/admin/me", 200], 20, 30, 1)
+	run_test(http_test, ["/admin/login", 200], 20, 30, 1)
 
 	# Munin via the Mail-in-a-Box control panel
 	run_test(http_test, ["/admin/munin/", 401], 20, 30, 1)

tests/suites/_mgmt-functions.sh

@@ -358,17 +358,17 @@ mgmt_assert_mfa_disable() {
 	return 0
 }
 
-mgmt_assert_admin_me() {
+mgmt_assert_admin_login() {
 	local user="$1"
 	local pw="$2"
 	local expected_status="${3:-ok}"
 	shift; shift; shift;  # remaining arguments are data
 
-	# note: GET /admin/me always returns http status 200, but errors are in
+	# note: POST /admin/login always returns http status 200, but errors are in
 	# the json payload
-	record "[Get /admin/me as $user]"
-	if ! mgmt_rest_as_user "GET" "/admin/me" "$user" "$pw" "$@"; then
-		test_failure "GET /admin/me as $user failed: $REST_ERROR"
+	record "[POST /admin/login as $user]"
+	if ! mgmt_rest_as_user "POST" "/admin/login" "$user" "$pw" "$@"; then
+		test_failure "POST /admin/login as $user failed: $REST_ERROR"
 		return 1
 
 	else
@@ -376,11 +376,11 @@ mgmt_assert_admin_me() {
 		status="$(/usr/bin/jq -r '.status' <<<"$REST_OUTPUT")"
 		code=$?
 		if [ $code -ne 0 ]; then
-			test_failure "Unable to run jq ($code) on /admin/me json"
+			test_failure "Unable to run jq ($code) on /admin/login json"
 			return 1
 				
 		elif [ "$status" == "null" ]; then
-			test_failure "No 'status' in /admin/me json"
+			test_failure "No 'status' in /admin/login json"
 			return 1
 
 		elif [ "$status" != "$expected_status" ]; then

tests/suites/management-users.sh

@@ -231,7 +231,7 @@ test_totp() {
 	# logging in with just the password should now fail
 	if ! have_test_failures; then
 		record "Expect a login failure..."
-		mgmt_assert_admin_me "$alice" "$alice_pw" "missing-totp-token"
+		mgmt_assert_admin_login "$alice" "$alice_pw" "missing-totp-token"
 	fi
 	
 
@@ -248,7 +248,7 @@ test_totp() {
 		else
 			# we have a new token, try logging in ...
 			# the token must be placed in the header "x-auth-token"
-			if mgmt_assert_admin_me "$alice" "$alice_pw" "ok" "--header=x-auth-token: $TOTP_TOKEN"
+			if mgmt_assert_admin_login "$alice" "$alice_pw" "ok" "--header=x-auth-token: $TOTP_TOKEN"
 			then
 				api_key="$(/usr/bin/jq -r '.api_key' <<<"$REST_OUTPUT")"
 				record "Success: login with TOTP token successful. api_key=$api_key"
@@ -265,15 +265,19 @@ test_totp() {
 
 	# we should be able to login using the user's api key
 	if ! have_test_failures; then		
-		record "Login using the user's api key"
-		mgmt_assert_admin_me "$alice" "$api_key" "ok"
+		record "[Use the session key to enum users]"
+		if ! mgmt_rest_as_user "GET" "/admin/mail/users?format=json" "$alice" "$api_key"; then
+			test_failure "Unable to use the session key to issue a rest call: $REST_ERROR"
+		else
+			record "Success: $REST_OUTPUT"
+		fi
 	fi
 
 	# disable totp on the account - login should work with just the password
 	# and the ldap entry should not have the 'totpUser' objectClass
 	if ! have_test_failures; then		
 		if mgmt_assert_mfa_disable "$alice" "$api_key"; then
-			mgmt_assert_admin_me "$alice" "$alice_pw" "ok"
+			mgmt_assert_admin_login "$alice" "$alice_pw" "ok"
 		fi
 	fi