make ldap tests pass

src/test/ldap-test.js

@@ -61,7 +61,7 @@ async function ldapSearch(dn, opts) {
 }
 
 describe('Ldap', function () {
-    const { setup, cleanup, ADMIN, USER, APP, DOMAIN, MAILBOX, ALIAS, MAILBOX_NAME } = common;
+    const { setup, cleanup, admin, user, app, domain, mailbox, mailAlias, mailboxName } = common;
     let group;
 
     before(function (done) {
@@ -70,11 +70,11 @@ describe('Ldap', function () {
             ldapServer.start.bind(null),
             async () => {
                 group = await groups.add({ name: 'ldap-test' });
-                await groups.setMembers(group.id, [ ADMIN.id, USER.id ]);
+                await groups.setMembers(group.id, [ admin.id, user.id ]);
             }
         ], done);
 
-        ldapServer._MOCK_APP = APP;
+        ldapServer._MOCK_APP = app;
     });
 
     after(function (done) {
@@ -91,53 +91,53 @@ describe('Ldap', function () {
         });
 
         it('cn= fails with wrong password', async function () {
-            const [error] = await safe(ldapBind(`cn=${ADMIN.id},ou=users,dc=cloudron`, 'wrongpassword'));
+            const [error] = await safe(ldapBind(`cn=${admin.id},ou=users,dc=cloudron`, 'wrongpassword'));
             expect(error).to.be.a(ldap.InvalidCredentialsError);
         });
 
         it('cn= succeeds with id', async function () {
-            await ldapBind(`cn=${ADMIN.id},ou=users,dc=cloudron`, ADMIN.password);
+            await ldapBind(`cn=${admin.id},ou=users,dc=cloudron`, admin.password);
         });
 
         it('cn= succeeds with username', async function () {
-            await ldapBind(`cn=${ADMIN.username},ou=users,dc=cloudron`, ADMIN.password);
+            await ldapBind(`cn=${admin.username},ou=users,dc=cloudron`, admin.password);
         });
 
         it('cn= succeeds with email', async function () {
-            await ldapBind(`cn=${ADMIN.email},ou=users,dc=cloudron`, ADMIN.password);
+            await ldapBind(`cn=${admin.email},ou=users,dc=cloudron`, admin.password);
         });
 
         it('mail= fails with bad email', async function () {
-            const [error] = await safe(ldapBind('mail=random,ou=users,dc=cloudron', ADMIN.password));
+            const [error] = await safe(ldapBind('mail=random,ou=users,dc=cloudron', admin.password));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('mail= succeeds with email', async function () {
-            await ldapBind(`mail=${ADMIN.email},ou=users,dc=cloudron`, ADMIN.password);
+            await ldapBind(`mail=${admin.email},ou=users,dc=cloudron`, admin.password);
         });
     });
 
     describe('non-admin bind', function () {
         it('succeeds with null accessRestriction', async function () {
-            APP.accessRestriction = null;
-            await ldapBind(`cn=${USER.id},ou=users,dc=cloudron`, USER.password);
+            app.accessRestriction = null;
+            await ldapBind(`cn=${user.id},ou=users,dc=cloudron`, user.password);
         });
 
         it('fails without accessRestriction', async function () {
-            APP.accessRestriction = { users: [], groups: [] };
-            const [error] = await safe(ldapBind(`cn=${USER.id},ou=users,dc=cloudron`, USER.password));
+            app.accessRestriction = { users: [], groups: [] };
+            const [error] = await safe(ldapBind(`cn=${user.id},ou=users,dc=cloudron`, user.password));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('succeeds with accessRestriction', async function () {
-            APP.accessRestriction = { users: [ USER.id ], groups: [] };
-            await ldapBind(`cn=${USER.id},ou=users,dc=cloudron`, USER.password);
+            app.accessRestriction = { users: [ user.id ], groups: [] };
+            await ldapBind(`cn=${user.id},ou=users,dc=cloudron`, user.password);
         });
     });
 
     describe('search users', function () {
         it('fails for non existing tree', async function () {
-            const [error] = await safe(ldapSearch('o=example', { filter: '(&(l=Seattle)(email=*@' + DOMAIN.domain + '))' }));
+            const [error] = await safe(ldapSearch('o=example', { filter: '(&(l=Seattle)(email=*@' + domain.domain + '))' }));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
@@ -145,53 +145,53 @@ describe('Ldap', function () {
             const entries = await ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' });
             expect(entries.length).to.equal(2);
             entries.sort(function (a, b) { return a.username > b.username; });
-            expect(entries[0].username).to.equal(ADMIN.username.toLowerCase());
-            expect(entries[0].mail).to.equal(ADMIN.email.toLowerCase());
-            expect(entries[1].username).to.equal(USER.username.toLowerCase());
-            expect(entries[1].mail).to.equal(USER.email.toLowerCase());
+            expect(entries[0].username).to.equal(admin.username.toLowerCase());
+            expect(entries[0].mail).to.equal(admin.email.toLowerCase());
+            expect(entries[1].username).to.equal(user.username.toLowerCase());
+            expect(entries[1].mail).to.equal(user.email.toLowerCase());
         });
 
         it('succeeds with pagination', async function () {
             const entries = await ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person', paged: true });
             expect(entries.length).to.equal(2);
             entries.sort(function (a, b) { return a.username > b.username; });
-            expect(entries[0].username).to.equal(ADMIN.username.toLowerCase());
-            expect(entries[0].mail).to.equal(ADMIN.email.toLowerCase());
-            expect(entries[1].username).to.equal(USER.username.toLowerCase());
-            expect(entries[1].mail).to.equal(USER.email.toLowerCase());
+            expect(entries[0].username).to.equal(admin.username.toLowerCase());
+            expect(entries[0].mail).to.equal(admin.email.toLowerCase());
+            expect(entries[1].username).to.equal(user.username.toLowerCase());
+            expect(entries[1].mail).to.equal(user.email.toLowerCase());
         });
 
         it('succeeds with username wildcard filter', async function () {
-            const entries = await ldapSearch('ou=users,dc=cloudron', { filter: '&(objectcategory=person)(username=*3)' });
+            const entries = await ldapSearch('ou=users,dc=cloudron', { filter: '&(objectcategory=person)(username=*)' });
             expect(entries.length).to.equal(2);
             entries.sort(function (a, b) { return a.username > b.username; });
-            expect(entries[0].username).to.equal(ADMIN.username.toLowerCase());
-            expect(entries[1].username).to.equal(USER.username.toLowerCase());
+            expect(entries[0].username).to.equal(admin.username.toLowerCase());
+            expect(entries[1].username).to.equal(user.username.toLowerCase());
         });
 
         it('succeeds with username filter', async function () {
-            const entries = await ldapSearch('ou=users,dc=cloudron', { filter: '&(objectcategory=person)(username=' + ADMIN.username + ')' });
+            const entries = await ldapSearch('ou=users,dc=cloudron', { filter: '&(objectcategory=person)(username=' + admin.username + ')' });
             expect(entries.length).to.equal(1);
-            expect(entries[0].username).to.equal(ADMIN.username.toLowerCase());
+            expect(entries[0].username).to.equal(admin.username.toLowerCase());
             expect(entries[0].memberof.length).to.equal(2);
         });
 
         it('can always lists admins', async function () {
-            APP.accessRestriction = { users: [], groups: [] };
+            app.accessRestriction = { users: [], groups: [] };
             const entries = await ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' });
             expect(entries.length).to.equal(1);
-            expect(entries[0].username).to.equal(ADMIN.username.toLowerCase());
+            expect(entries[0].username).to.equal(admin.username.toLowerCase());
             expect(entries[0].memberof.length).to.equal(2);
         });
 
         it ('does only list users who have access', async function () {
-            APP.accessRestriction = { users: [], groups: [ group.id ] };
+            app.accessRestriction = { users: [], groups: [ group.id ] };
             const entries = await ldapSearch('ou=users,dc=cloudron', { filter: 'objectcategory=person' });
             expect(entries.length).to.equal(2);
             entries.sort(function (a, b) { return a.username > b.username; });
 
-            expect(entries[0].username).to.equal(ADMIN.username.toLowerCase());
-            expect(entries[1].username).to.equal(USER.username.toLowerCase());
+            expect(entries[0].username).to.equal(admin.username.toLowerCase());
+            expect(entries[1].username).to.equal(user.username.toLowerCase());
         });
     });
 
@@ -205,11 +205,11 @@ describe('Ldap', function () {
 
             expect(entries[0].cn).to.equal('users');
             expect(entries[0].memberuid.length).to.equal(2);
-            expect(entries[0].memberuid[0]).to.equal(ADMIN.id);
-            expect(entries[0].memberuid[1]).to.equal(USER.id);
+            expect(entries[0].memberuid[0]).to.equal(admin.id);
+            expect(entries[0].memberuid[1]).to.equal(user.id);
             expect(entries[1].cn).to.equal('admins');
             // if only one entry, the array becomes a string :-/
-            expect(entries[1].memberuid).to.equal(ADMIN.id);
+            expect(entries[1].memberuid).to.equal(admin.id);
         });
 
         it ('succeeds with cn wildcard filter', async function () {
@@ -217,35 +217,35 @@ describe('Ldap', function () {
             expect(entries.length).to.equal(2);
             expect(entries[0].cn).to.equal('users');
             expect(entries[0].memberuid.length).to.equal(2);
-            expect(entries[0].memberuid[0]).to.equal(ADMIN.id);
-            expect(entries[0].memberuid[1]).to.equal(USER.id);
+            expect(entries[0].memberuid[0]).to.equal(admin.id);
+            expect(entries[0].memberuid[1]).to.equal(user.id);
             expect(entries[1].cn).to.equal('admins');
             // if only one entry, the array becomes a string :-/
-            expect(entries[1].memberuid).to.equal(ADMIN.id);
+            expect(entries[1].memberuid).to.equal(admin.id);
         });
 
         it('succeeds with memberuid filter', async function () {
-            const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: '&(objectclass=group)(memberuid=' + USER.id + ')' });
+            const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: '&(objectclass=group)(memberuid=' + user.id + ')' });
             expect(entries.length).to.equal(1);
             expect(entries[0].cn).to.equal('users');
             expect(entries[0].memberuid.length).to.equal(2);
         });
 
         it ('does only list users who have access', async function () {
-            APP.accessRestriction = { users: [], groups: [ group.id ] };
+            app.accessRestriction = { users: [], groups: [ group.id ] };
             const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: '&(objectclass=group)(cn=*)' });
             expect(entries.length).to.equal(2);
             expect(entries[0].cn).to.equal('users');
             expect(entries[0].memberuid.length).to.equal(2);
-            expect(entries[0].memberuid[0]).to.equal(ADMIN.id);
-            expect(entries[0].memberuid[1]).to.equal(USER.id);
+            expect(entries[0].memberuid[0]).to.equal(admin.id);
+            expect(entries[0].memberuid[1]).to.equal(user.id);
             expect(entries[1].cn).to.equal('admins');
             // if only one entry, the array becomes a string :-/
-            expect(entries[1].memberuid).to.equal(ADMIN.id);
+            expect(entries[1].memberuid).to.equal(admin.id);
         });
 
         it ('succeeds with pagination', async function () {
-            APP.accessRestriction = null;
+            app.accessRestriction = null;
             const entries = await ldapSearch('ou=groups,dc=cloudron', { filter: 'objectclass=group', paged: true });
             expect(entries.length).to.equal(2);
 
@@ -254,78 +254,78 @@ describe('Ldap', function () {
 
             expect(entries[0].cn).to.equal('users');
             expect(entries[0].memberuid.length).to.equal(2);
-            expect(entries[0].memberuid[0]).to.equal(ADMIN.id);
-            expect(entries[0].memberuid[1]).to.equal(USER.id);
+            expect(entries[0].memberuid[0]).to.equal(admin.id);
+            expect(entries[0].memberuid[1]).to.equal(user.id);
             expect(entries[1].cn).to.equal('admins');
             // if only one entry, the array becomes a string :-/
-            expect(entries[1].memberuid).to.equal(ADMIN.id);
+            expect(entries[1].memberuid).to.equal(admin.id);
         });
     });
 
     describe('mailbox search', function () {
         it('get specific mailbox by email', async function () {
-            const entries = await ldapSearch(`cn=${MAILBOX},ou=mailboxes,dc=cloudron`, 'objectclass=mailbox');
+            const entries = await ldapSearch(`cn=${mailbox},ou=mailboxes,dc=cloudron`, 'objectclass=mailbox');
             expect(entries.length).to.equal(1);
-            expect(entries[0].cn).to.equal(MAILBOX);
+            expect(entries[0].cn).to.equal(mailbox);
         });
 
         it('cannot get mailbox with just name', async function () {
-            const [error] = await safe(ldapSearch(`cn=${MAILBOX_NAME},ou=mailboxes,dc=cloudron`, 'objectclass=mailbox'));
+            const [error] = await safe(ldapSearch(`cn=${mailboxName},ou=mailboxes,dc=cloudron`, 'objectclass=mailbox'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('cannot get alias as a mailbox', async function () {
-            const [error] = await safe(ldapSearch(`cn=${ALIAS},ou=mailboxes,dc=cloudron`, 'objectclass=mailbox'));
+            const [error] = await safe(ldapSearch(`cn=${mailAlias},ou=mailboxes,dc=cloudron`, 'objectclass=mailbox'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('non-existent mailbox', async function () {
-            const [error] = await safe(ldapSearch(`cn=random@${DOMAIN.domain},ou=mailboxes,dc=cloudron`, 'objectclass=mailbox'));
+            const [error] = await safe(ldapSearch(`cn=random@${domain.domain},ou=mailboxes,dc=cloudron`, 'objectclass=mailbox'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('cannot get inactive mailbox', async function () {
             const updateMailbox = util.promisify(mailboxdb.updateMailbox);
 
-            await updateMailbox(MAILBOX_NAME, DOMAIN.domain, { ownerId: USER.id, ownerType: mail.OWNERTYPE_USER, active: false });
-            const [error] = await safe(ldapSearch(`cn=${MAILBOX},ou=mailboxes,dc=cloudron`, 'objectclass=mailbox'));
+            await updateMailbox(mailboxName, domain.domain, { ownerId: user.id, ownerType: mail.OWNERTYPE_USER, active: false });
+            const [error] = await safe(ldapSearch(`cn=${mailbox},ou=mailboxes,dc=cloudron`, 'objectclass=mailbox'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
 
-            await updateMailbox(MAILBOX_NAME, DOMAIN.domain, { ownerId: USER.id, ownerType: mail.OWNERTYPE_USER, active: true });
+            await updateMailbox(mailboxName, domain.domain, { ownerId: user.id, ownerType: mail.OWNERTYPE_USER, active: true });
         });
     });
 
     describe('search aliases', function () {
         it('get specific alias', async function () {
-            const entries = await ldapSearch(`cn=${ALIAS},ou=mailaliases,dc=cloudron`, 'objectclass=nismailalias');
+            const entries = await ldapSearch(`cn=${mailAlias},ou=mailaliases,dc=cloudron`, 'objectclass=nismailalias');
             expect(entries.length).to.equal(1);
-            expect(entries[0].cn).to.equal(ALIAS);
-            expect(entries[0].rfc822MailMember).to.equal(MAILBOX);
+            expect(entries[0].cn).to.equal(mailAlias);
+            expect(entries[0].rfc822MailMember).to.equal(mailbox);
         });
 
         it('cannot get mailbox as alias', async function () {
-            const [error] = await safe(ldapSearch(`cn=${MAILBOX},ou=mailaliases,dc=cloudron`, 'objectclass=nismailalias'));
+            const [error] = await safe(ldapSearch(`cn=${mailbox},ou=mailaliases,dc=cloudron`, 'objectclass=nismailalias'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('non-existent alias', async function () {
-            const [error] = await safe(ldapSearch(`cn=random@${DOMAIN.domain},ou=mailaliases,dc=cloudron`, 'objectclass=mailbox'));
+            const [error] = await safe(ldapSearch(`cn=random@${domain.domain},ou=mailaliases,dc=cloudron`, 'objectclass=mailbox'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
     });
 
     describe('search mailing list', function () {
-        const LIST_NAME = 'devs', LIST = `devs@${DOMAIN.domain}`;
+        const LIST_NAME = 'devs', LIST = `devs@${domain.domain}`;
 
         before(function (done) {
-            mailboxdb.addList(LIST_NAME, DOMAIN.domain, { members: [ MAILBOX , 'outsider@external.com' ], membersOnly: false, active: true }, done);
+            mailboxdb.addList(LIST_NAME, domain.domain, { members: [ mailbox , 'outsider@external.com' ], membersOnly: false, active: true }, done);
         });
 
         it('get specific list', async function () {
             const entries = await ldapSearch(`cn=${LIST},ou=mailinglists,dc=cloudron`, 'objectclass=mailGroup');
             expect(entries.length).to.equal(1);
             expect(entries[0].cn).to.equal(LIST);
-            expect(entries[0].mgrpRFC822MailMember).to.eql([ MAILBOX, 'outsider@external.com' ]);
+            expect(entries[0].mgrpRFC822MailMember).to.eql([ mailbox, 'outsider@external.com' ]);
         });
 
         it('non-existent list', async function () {
@@ -336,7 +336,7 @@ describe('Ldap', function () {
         it('inactive list', async function () {
             const updateList = util.promisify(mailboxdb.updateList);
 
-            await updateList(LIST_NAME, DOMAIN.domain, { members: [ MAILBOX , 'outsider@external.com' ], membersOnly: false, active: false });
+            await updateList(LIST_NAME, domain.domain, { members: [ mailbox , 'outsider@external.com' ], membersOnly: false, active: false });
             const [error] = await safe(ldapSearch('cn=devs@example.com,ou=mailinglists,dc=cloudron', 'objectclass=mailGroup'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
@@ -344,136 +344,136 @@ describe('Ldap', function () {
 
     describe('user mailbox bind', function () {
         it('email disabled - cannot auth', async function () {
-            const [error] = await safe(ldapBind(`cn=${MAILBOX},domain=example.com,ou=mailboxes,dc=cloudron`, 'badpassword'));
+            const [error] = await safe(ldapBind(`cn=${mailbox},domain=example.com,ou=mailboxes,dc=cloudron`, 'badpassword'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('email enabled - does not allow with invalid password', async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: true });
-            const [error] = await safe(ldapBind(`cn=${MAILBOX},domain=example.com,ou=mailboxes,dc=cloudron`, 'badpassword'));
+            await mail._updateDomain(domain.domain, { enabled: true });
+            const [error] = await safe(ldapBind(`cn=${mailbox},domain=example.com,ou=mailboxes,dc=cloudron`, 'badpassword'));
             expect(error).to.be.a(ldap.InvalidCredentialsError);
-            await mail._updateDomain(DOMAIN.domain, { enabled: false });
+            await mail._updateDomain(domain.domain, { enabled: false });
         });
 
         it('email enabled - allows with valid password', async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: true });
-            await ldapBind(`cn=${MAILBOX},domain=example.com,ou=mailboxes,dc=cloudron`, USER.password);
-            await mail._updateDomain(DOMAIN.domain, { enabled: false });
+            await mail._updateDomain(domain.domain, { enabled: true });
+            await ldapBind(`cn=${mailbox},domain=example.com,ou=mailboxes,dc=cloudron`, user.password);
+            await mail._updateDomain(domain.domain, { enabled: false });
         });
 
         it('email enabled - cannot auth with alias', async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: true });
-            const [error] = await safe(ldapBind(`cn=${ALIAS},domain=example.com,ou=mailboxes,dc=cloudron`, 'badpassword'));
+            await mail._updateDomain(domain.domain, { enabled: true });
+            const [error] = await safe(ldapBind(`cn=${mailAlias},domain=example.com,ou=mailboxes,dc=cloudron`, 'badpassword'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
-            await mail._updateDomain(DOMAIN.domain, { enabled: false });
+            await mail._updateDomain(domain.domain, { enabled: false });
         });
     });
 
     describe('user sendmail bind', function () {
         it('email disabled - cannot find domain email', async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: false });
-            const [error] = await safe(ldapBind(`cn=${MAILBOX},ou=sendmail,dc=cloudron`, 'badpassword'));
+            await mail._updateDomain(domain.domain, { enabled: false });
+            const [error] = await safe(ldapBind(`cn=${mailbox},ou=sendmail,dc=cloudron`, 'badpassword'));
             expect(error).to.be.a(ldap.InvalidCredentialsError);
         });
 
         it('email enabled - allows with valid email', async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: true });
-            await ldapBind(`cn=${MAILBOX},ou=sendmail,dc=cloudron`, USER.password);
-            await mail._updateDomain(DOMAIN.domain, { enabled: false });
+            await mail._updateDomain(domain.domain, { enabled: true });
+            await ldapBind(`cn=${mailbox},ou=sendmail,dc=cloudron`, user.password);
+            await mail._updateDomain(domain.domain, { enabled: false });
         });
 
         it('email enabled - does not allow with invalid password', async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: true });
-            const [error] = await safe(ldapBind(`cn=${MAILBOX},ou=sendmail,dc=cloudron`, 'badpassword'));
+            await mail._updateDomain(domain.domain, { enabled: true });
+            const [error] = await safe(ldapBind(`cn=${mailbox},ou=sendmail,dc=cloudron`, 'badpassword'));
             expect(error).to.be.a(ldap.InvalidCredentialsError);
-            await mail._updateDomain(DOMAIN.domain, { enabled: false });
+            await mail._updateDomain(domain.domain, { enabled: false });
         });
 
         it('does not allow for inactive mailbox', async function () {
             const updateMailbox = util.promisify(mailboxdb.updateMailbox);
 
-            await mail._updateDomain(DOMAIN.domain, { enabled: true });
-            await updateMailbox(MAILBOX_NAME, DOMAIN.domain, { ownerId: USER.id, ownerType: mail.OWNERTYPE_USER, active: false });
-            const [error] = await safe(ldapBind(`cn=${MAILBOX},ou=sendmail,dc=cloudron`, 'badpassword'));
+            await mail._updateDomain(domain.domain, { enabled: true });
+            await updateMailbox(mailboxName, domain.domain, { ownerId: user.id, ownerType: mail.OWNERTYPE_USER, active: false });
+            const [error] = await safe(ldapBind(`cn=${mailbox},ou=sendmail,dc=cloudron`, 'badpassword'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
-            await updateMailbox(MAILBOX_NAME, DOMAIN.domain, { ownerId: USER.id, ownerType: mail.OWNERTYPE_USER, active: true });
+            await updateMailbox(mailboxName, domain.domain, { ownerId: user.id, ownerType: mail.OWNERTYPE_USER, active: true });
         });
     });
 
     describe('app sendmail bind', function () {
         // these tests should work even when email is disabled
         before(async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: false });
+            await mail._updateDomain(domain.domain, { enabled: false });
         });
 
         it('does not allow with invalid app', async function () {
-            const [error] = await safe(ldapBind(`cn=hacker.app@${DOMAIN.domain},ou=sendmail,dc=cloudron`, 'nope'));
+            const [error] = await safe(ldapBind(`cn=hacker.app@${domain.domain},ou=sendmail,dc=cloudron`, 'nope'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('does not allow with invalid password', async function () {
-            const [error] = await safe(ldapBind(`cn=${APP.location}.app@${DOMAIN.domain},ou=sendmail,dc=cloudron`, 'nope'));
+            const [error] = await safe(ldapBind(`cn=${app.location}.app@${domain.domain},ou=sendmail,dc=cloudron`, 'nope'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('allows with valid password', async function () {
             const setAddonConfig = util.promisify(appdb.setAddonConfig);
 
-            await setAddonConfig(APP.id, 'sendmail', [{ name: 'MAIL_SMTP_USERNAME', value : `${APP.location}.app@${DOMAIN.domain}` }, { name: 'MAIL_SMTP_PASSWORD', value : 'sendmailpassword' }]),
+            await setAddonConfig(app.id, 'sendmail', [{ name: 'MAIL_SMTP_USERNAME', value : `${app.location}.app@${domain.domain}` }, { name: 'MAIL_SMTP_PASSWORD', value : 'sendmailpassword' }]),
 
-            await ldapBind(`cn=${APP.location}.app@${DOMAIN.domain},ou=sendmail,dc=cloudron`, 'sendmailpassword');
+            await ldapBind(`cn=${app.location}.app@${domain.domain},ou=sendmail,dc=cloudron`, 'sendmailpassword');
         });
     });
 
     describe('user recvmail bind', function () {
         it('email disabled - cannot find domain email', async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: false });
-            const [error] = await safe(ldapBind(`cn=${MAILBOX},ou=recvmail,dc=cloudron`, 'badpassword'));
+            await mail._updateDomain(domain.domain, { enabled: false });
+            const [error] = await safe(ldapBind(`cn=${mailbox},ou=recvmail,dc=cloudron`, 'badpassword'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('email enabled - allows with valid email', async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: true });
-            await ldapBind(`cn=${MAILBOX},ou=recvmail,dc=cloudron`, USER.password);
+            await mail._updateDomain(domain.domain, { enabled: true });
+            await ldapBind(`cn=${mailbox},ou=recvmail,dc=cloudron`, user.password);
         });
 
         it('email enabled - does not allow with invalid password', async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: true });
-            const [error] = await safe(ldapBind(`cn=${MAILBOX},ou=recvmail,dc=cloudron`, 'badpassword'));
+            await mail._updateDomain(domain.domain, { enabled: true });
+            const [error] = await safe(ldapBind(`cn=${mailbox},ou=recvmail,dc=cloudron`, 'badpassword'));
             expect(error).to.be.a(ldap.InvalidCredentialsError);
         });
 
         it('does not allow for inactive mailbox', async function () {
             const updateMailbox = util.promisify(mailboxdb.updateMailbox);
 
-            await mail._updateDomain(DOMAIN.domain, { enabled: true });
-            await updateMailbox(MAILBOX_NAME, DOMAIN.domain, { ownerId: USER.id, ownerType: mail.OWNERTYPE_USER, active: false });
-            const [error] = await safe(ldapBind(`cn=${MAILBOX},ou=recvmail,dc=cloudron`, 'badpassword'));
+            await mail._updateDomain(domain.domain, { enabled: true });
+            await updateMailbox(mailboxName, domain.domain, { ownerId: user.id, ownerType: mail.OWNERTYPE_USER, active: false });
+            const [error] = await safe(ldapBind(`cn=${mailbox},ou=recvmail,dc=cloudron`, 'badpassword'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
-            await mail._updateDomain(DOMAIN.domain, { enabled: false });
-            await updateMailbox(MAILBOX_NAME, DOMAIN.domain, { ownerId: USER.id, ownerType: mail.OWNERTYPE_USER, active: true });
+            await mail._updateDomain(domain.domain, { enabled: false });
+            await updateMailbox(mailboxName, domain.domain, { ownerId: user.id, ownerType: mail.OWNERTYPE_USER, active: true });
         });
     });
 
     describe('app recvmail bind', function () {
         before(async function () {
-            await mail._updateDomain(DOMAIN.domain, { enabled: true });
+            await mail._updateDomain(domain.domain, { enabled: true });
         });
 
         it('does not allow with invalid app', async function () {
-            const [error] = await safe(ldapBind(`cn=hacker.app@${DOMAIN.domain},ou=recvmail,dc=cloudron`, 'nope'));
+            const [error] = await safe(ldapBind(`cn=hacker.app@${domain.domain},ou=recvmail,dc=cloudron`, 'nope'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('does not allow with invalid password', async function () {
-            const [error] = await safe(ldapBind(`cn=${APP.location}.app@${DOMAIN.domain},ou=recvmail,dc=cloudron`, 'nope'));
+            const [error] = await safe(ldapBind(`cn=${app.location}.app@${domain.domain},ou=recvmail,dc=cloudron`, 'nope'));
             expect(error).to.be.a(ldap.NoSuchObjectError);
         });
 
         it('allows with valid password', async function () {
             const setAddonConfig = util.promisify(appdb.setAddonConfig);
-            await setAddonConfig(APP.id, 'recvmail', [{ name: 'MAIL_IMAP_USERNAME', value : `${APP.location}.app@${DOMAIN.domain}` }, { name: 'MAIL_IMAP_PASSWORD', value : 'recvmailpassword' }]),
-            await ldapBind(`cn=${APP.location}.app@${DOMAIN.domain},ou=recvmail,dc=cloudron`, 'recvmailpassword');
+            await setAddonConfig(app.id, 'recvmail', [{ name: 'MAIL_IMAP_USERNAME', value : `${app.location}.app@${domain.domain}` }, { name: 'MAIL_IMAP_PASSWORD', value : 'recvmailpassword' }]),
+            await ldapBind(`cn=${app.location}.app@${domain.domain},ou=recvmail,dc=cloudron`, 'recvmailpassword');
         });
     });
 });