Merge branch 'main' of https://github.com/mail-in-a-box/mailinabox

# Conflicts: # management/auth.py # management/daemon.py # management/templates/index.html # setup/management.sh
2026-03-04 15:54:48 +01:00 · 2021-09-14 08:16:08 -04:00
parent 4bf71e68be e5909a6287
commit 402207714b
12 changed files with 247 additions and 162 deletions
--- a/tests/suites/_mgmt-functions.sh
+++ b/tests/suites/_mgmt-functions.sh
@@ -358,17 +358,17 @@ mgmt_assert_mfa_disable() {
 	return 0
 }

-mgmt_assert_admin_me() {
+mgmt_assert_admin_login() {
 	local user="$1"
 	local pw="$2"
 	local expected_status="${3:-ok}"
 	shift; shift; shift;  # remaining arguments are data

-	# note: GET /admin/me always returns http status 200, but errors are in
+	# note: POST /admin/login always returns http status 200, but errors are in
 	# the json payload
-	record "[Get /admin/me as $user]"
-	if ! mgmt_rest_as_user "GET" "/admin/me" "$user" "$pw" "$@"; then
-		test_failure "GET /admin/me as $user failed: $REST_ERROR"
+	record "[POST /admin/login as $user]"
+	if ! mgmt_rest_as_user "POST" "/admin/login" "$user" "$pw" "$@"; then
+		test_failure "POST /admin/login as $user failed: $REST_ERROR"
 		return 1

 	else
@@ -376,11 +376,11 @@ mgmt_assert_admin_me() {
 		status="$(/usr/bin/jq -r '.status' <<<"$REST_OUTPUT")"
 		code=$?
 		if [ $code -ne 0 ]; then
-			test_failure "Unable to run jq ($code) on /admin/me json"
+			test_failure "Unable to run jq ($code) on /admin/login json"
 			return 1
 				
 		elif [ "$status" == "null" ]; then
-			test_failure "No 'status' in /admin/me json"
+			test_failure "No 'status' in /admin/login json"
 			return 1

 		elif [ "$status" != "$expected_status" ]; then
--- a/tests/suites/management-users.sh
+++ b/tests/suites/management-users.sh
@@ -231,7 +231,7 @@ test_totp() {
 	# logging in with just the password should now fail
 	if ! have_test_failures; then
 		record "Expect a login failure..."
-		mgmt_assert_admin_me "$alice" "$alice_pw" "missing-totp-token"
+		mgmt_assert_admin_login "$alice" "$alice_pw" "missing-totp-token"
 	fi
 	

@@ -248,7 +248,7 @@ test_totp() {
 		else
 			# we have a new token, try logging in ...
 			# the token must be placed in the header "x-auth-token"
-			if mgmt_assert_admin_me "$alice" "$alice_pw" "ok" "--header=x-auth-token: $TOTP_TOKEN"
+			if mgmt_assert_admin_login "$alice" "$alice_pw" "ok" "--header=x-auth-token: $TOTP_TOKEN"
 			then
 				api_key="$(/usr/bin/jq -r '.api_key' <<<"$REST_OUTPUT")"
 				record "Success: login with TOTP token successful. api_key=$api_key"
@@ -265,15 +265,19 @@ test_totp() {

 	# we should be able to login using the user's api key
 	if ! have_test_failures; then		
-		record "Login using the user's api key"
-		mgmt_assert_admin_me "$alice" "$api_key" "ok"
+		record "[Use the session key to enum users]"
+		if ! mgmt_rest_as_user "GET" "/admin/mail/users?format=json" "$alice" "$api_key"; then
+			test_failure "Unable to use the session key to issue a rest call: $REST_ERROR"
+		else
+			record "Success: $REST_OUTPUT"
+		fi
 	fi

 	# disable totp on the account - login should work with just the password
 	# and the ldap entry should not have the 'totpUser' objectClass
 	if ! have_test_failures; then		
 		if mgmt_assert_mfa_disable "$alice" "$api_key"; then
-			mgmt_assert_admin_me "$alice" "$alice_pw" "ok"
+			mgmt_assert_admin_login "$alice" "$alice_pw" "ok"
 		fi
 	fi