fix metrics path

See 03da5cc6b382f6f7aad69395d9f8a9d29d18ec26 in installer

We now use the cgroupfs driver instead of systemd cgroup driver

box.js

@@ -14,9 +14,9 @@ var appHealthMonitor = require('./src/apphealthmonitor.js'),
     async = require('async'),
     config = require('./src/config.js'),
     ldap = require('./src/ldap.js'),
-    simpleauth = require('./src/simpleauth.js'),
     oauthproxy = require('./src/oauthproxy.js'),
-    server = require('./src/server.js');
+    server = require('./src/server.js'),
+    simpleauth = require('./src/simpleauth.js');
 
 console.log();
 console.log('==========================================');
@@ -26,7 +26,6 @@ console.log();
 console.log(' Environment:                    ', config.CLOUDRON ? 'CLOUDRON' : 'TEST');
 console.log(' Version:                        ', config.version());
 console.log(' Admin Origin:                   ', config.adminOrigin());
-console.log(' Appstore token:                 ', config.token());
 console.log(' Appstore API server origin:     ', config.apiServerOrigin());
 console.log(' Appstore Web server origin:     ', config.webServerOrigin());
 console.log();

package.json

@@ -14,6 +14,7 @@
   ],
   "dependencies": {
     "async": "^1.2.1",
+    "attempt": "^1.0.1",
     "aws-sdk": "^2.1.46",
     "body-parser": "^1.13.1",
     "bytes": "^2.1.0",
@@ -51,18 +52,19 @@
     "passport-http-bearer": "^1.0.1",
     "passport-local": "^1.0.0",
     "passport-oauth2-client-password": "^0.1.2",
-    "password-generator": "^1.0.0",
+    "password-generator": "^2.0.2",
     "proxy-middleware": "^0.13.0",
-    "safetydance": "0.0.19",
+    "safetydance": "^0.1.0",
     "semver": "^4.3.6",
     "serve-favicon": "^2.2.0",
     "split": "^1.0.0",
-    "superagent": "~0.21.0",
+    "superagent": "^1.5.0",
     "supererror": "^0.7.1",
     "tail-stream": "https://registry.npmjs.org/tail-stream/-/tail-stream-0.2.1.tgz",
     "underscore": "^1.7.0",
+    "ursa": "^0.9.1",
     "valid-url": "^1.0.9",
-    "validator": "^3.30.0",
+    "validator": "^4.4.0",
     "x509": "^0.2.2"
   },
   "devDependencies": {
@@ -83,9 +85,9 @@
     "istanbul": "*",
     "js2xmlparser": "^1.0.0",
     "mocha": "*",
-    "nock": "^2.6.0",
+    "nock": "^3.4.0",
     "node-sass": "^3.0.0-alpha.0",
-    "redis": "^0.12.1",
+    "redis": "^2.4.2",
     "request": "^2.65.0",
     "sinon": "^1.12.2",
     "yargs": "^3.15.0"

setup/argparser.sh

@@ -11,6 +11,7 @@ arg_is_custom_domain="false"
 arg_restore_key=""
 arg_restore_url=""
 arg_retire="false"
+arg_tls_config=""
 arg_tls_cert=""
 arg_tls_key=""
 arg_token=""
@@ -37,6 +38,9 @@ EOF
         arg_tls_cert=$(echo "$2" | $json tlsCert)
         arg_tls_key=$(echo "$2" | $json tlsKey)
 
+        arg_tls_config=$(echo "$2" | $json tlsConfig)
+        [[ "${arg_tls_config}" == "null" ]] && arg_tls_config=""
+
         arg_restore_url=$(echo "$2" | $json restore.url)
         [[ "${arg_restore_url}" == "null" ]] && arg_restore_url=""
 
@@ -66,5 +70,6 @@ echo "restore url: ${arg_restore_url}"
 echo "tls cert: ${arg_tls_cert}"
 echo "tls key: ${arg_tls_key}"
 echo "token: ${arg_token}"
+echo "tlsConfig: ${arg_tls_config}"
 echo "version: ${arg_version}"
 echo "web server: ${arg_web_server_origin}"

setup/container/systemd/box.service

@@ -14,4 +14,6 @@ User=yellowtent
 Group=yellowtent
 MemoryLimit=200M
 TimeoutStopSec=5s
+StartLimitInterval=1
+StartLimitBurst=60
 

setup/start.sh

@@ -40,6 +40,7 @@ set_progress "10" "Ensuring directories"
 mkdir -p "${DATA_DIR}/box/appicons"
 mkdir -p "${DATA_DIR}/box/certs"
 mkdir -p "${DATA_DIR}/box/mail"
+mkdir -p "${DATA_DIR}/box/acme" # acme keys
 mkdir -p "${DATA_DIR}/graphite"
 
 mkdir -p "${DATA_DIR}/mysql"
@@ -48,7 +49,7 @@ mkdir -p "${DATA_DIR}/mongodb"
 mkdir -p "${DATA_DIR}/snapshots"
 mkdir -p "${DATA_DIR}/addons"
 mkdir -p "${DATA_DIR}/collectd/collectd.conf.d"
-mkdir -p "${DATA_DIR}/acme"
+mkdir -p "${DATA_DIR}/acme" # acme challenges
 
 # bookkeep the version as part of data
 echo "{ \"version\": \"${arg_version}\", \"boxVersionsUrl\": \"${arg_box_versions_url}\" }" > "${DATA_DIR}/box/version"
@@ -98,20 +99,16 @@ ln -sfF "df-disk_by-uuid_${vda1_id}" "${DATA_DIR}/graphite/whisper/collectd/loca
 service collectd restart
 
 set_progress "30" "Setup nginx"
-# setup naked domain to use admin by default. app restoration will overwrite this config
 mkdir -p "${DATA_DIR}/nginx/applications"
+cp "${script_dir}/start/nginx/nginx.conf" "${DATA_DIR}/nginx/nginx.conf"
 cp "${script_dir}/start/nginx/mime.types" "${DATA_DIR}/nginx/mime.types"
 
-# generate the main nginx config file
-${BOX_SRC_DIR}/node_modules/.bin/ejs-cli -f "${script_dir}/start/nginx/nginx.ejs" \
-    -O "{ \"sourceDir\": \"${BOX_SRC_DIR}\" }" > "${DATA_DIR}/nginx/nginx.conf"
-
 # generate these for update code paths as well to overwrite splash
-admin_cert_file="cert/host.cert"
-admin_key_file="cert/host.key"
-if [[ -f "${DATA_DIR}/box/certs/admin.cert" && -f "${DATA_DIR}/box/certs/admin.key" ]]; then
-    admin_cert_file="${DATA_DIR}/box/certs/admin.cert"
-    admin_key_file="${DATA_DIR}/box/certs/admin.key"
+admin_cert_file="${DATA_DIR}/nginx/cert/host.cert"
+admin_key_file="${DATA_DIR}/nginx/cert/host.key"
+if [[ -f "${DATA_DIR}/box/certs/${admin_fqdn}.cert" && -f "${DATA_DIR}/box/certs/${admin_fqdn}.key" ]]; then
+    admin_cert_file="${DATA_DIR}/box/certs/${admin_fqdn}.cert"
+    admin_key_file="${DATA_DIR}/box/certs/${admin_fqdn}.key"
 fi
 ${BOX_SRC_DIR}/node_modules/.bin/ejs-cli -f "${script_dir}/start/nginx/appconfig.ejs" \
     -O "{ \"vhost\": \"${admin_fqdn}\", \"adminOrigin\": \"${admin_origin}\", \"endpoint\": \"admin\", \"sourceDir\": \"${BOX_SRC_DIR}\", \"certFilePath\": \"${admin_cert_file}\", \"keyFilePath\": \"${admin_key_file}\" }" > "${DATA_DIR}/nginx/applications/admin.conf"
@@ -180,6 +177,14 @@ if [[ ! -z "${arg_dns_config}" ]]; then
         -e "REPLACE INTO settings (name, value) VALUES (\"dns_config\", '$arg_dns_config')" box
 fi
 
+# Add TLS Configuration
+if [[ ! -z "${arg_tls_config}" ]]; then
+    echo "Add TLS Config"
+
+    mysql -u root -p${mysql_root_password} \
+        -e "REPLACE INTO settings (name, value) VALUES (\"tls_config\", '$arg_tls_config')" box
+fi
+
 # Add webadmin oauth client
 # The domain might have changed, therefor we have to update the record
 # !!! This needs to be in sync with the webadmin, specifically login_callback.js

setup/start/nginx/nginx.conf

@@ -40,6 +40,7 @@ http {
 
         # acme challenges
         location /.well-known/acme-challenge/ {
+            default_type text/plain;
             alias /home/yellowtent/data/acme/;
         }
 
@@ -60,7 +61,7 @@ http {
         error_page 404 = @fallback;
         location @fallback {
             internal;
-            root <%= sourceDir %>/webadmin/dist;
+            root /home/yellowtent/box/webadmin/dist;
             rewrite ^/$ /nakeddomain.html break;
         }
 

src/apphealthmonitor.js

@@ -92,8 +92,10 @@ function checkAppHealth(app, callback) {
             .redirects(0)
             .timeout(HEALTHCHECK_INTERVAL)
             .end(function (error, res) {
-
-            if (error || res.status >= 400) { // 2xx and 3xx are ok
+            if (error && !error.response) {
+                debugApp(app, 'not alive (network error): %s', error.message);
+                setHealth(app, appdb.HEALTH_UNHEALTHY, callback);
+            } else if (res.statusCode >= 400) { // 2xx and 3xx are ok
                 debugApp(app, 'not alive : %s', error || res.status);
                 setHealth(app, appdb.HEALTH_UNHEALTHY, callback);
             } else {

src/apps.js

@@ -48,6 +48,7 @@ var addons = require('./addons.js'),
     async = require('async'),
     backups = require('./backups.js'),
     BackupsError = require('./backups.js').BackupsError,
+    certificates = require('./certificates.js'),
     config = require('./config.js'),
     constants = require('./constants.js'),
     DatabaseError = require('./databaseerror.js'),
@@ -59,7 +60,6 @@ var addons = require('./addons.js'),
     path = require('path'),
     paths = require('./paths.js'),
     safe = require('safetydance'),
-    settings = require('./settings.js'),
     semver = require('semver'),
     shell = require('./shell.js'),
     spawn = require('child_process').spawn,
@@ -291,10 +291,10 @@ function purchase(appStoreId, callback) {
     var url = config.apiServerOrigin() + '/api/v1/apps/' + appStoreId + '/purchase';
 
     superagent.post(url).query({ token: config.token() }).end(function (error, res) {
-        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
-        if (res.status === 402) return callback(new AppsError(AppsError.BILLING_REQUIRED));
-        if (res.status === 404) return callback(new AppsError(AppsError.NOT_FOUND));
-        if (res.status !== 201 && res.status !== 200) return callback(new Error(util.format('App purchase failed. %s %j', res.status, res.body)));
+        if (error && !error.response) return callback(new AppsError(AppsError.EXTERNAL_ERROR, error));
+        if (res.statusCode === 402) return callback(new AppsError(AppsError.BILLING_REQUIRED));
+        if (res.statusCode === 404) return callback(new AppsError(AppsError.NOT_FOUND));
+        if (res.statusCode !== 201 && res.statusCode !== 200) return callback(new Error(util.format('App purchase failed. %s %j', res.status, res.body)));
 
         callback(null);
     });
@@ -340,7 +340,7 @@ function install(appId, appStoreId, manifest, location, portBindings, accessRest
         }
     }
 
-    error = settings.validateCertificate(cert, key, config.appFqdn(location));
+    error = certificates.validateCertificate(cert, key, config.appFqdn(location));
     if (error) return callback(new AppsError(AppsError.BAD_CERTIFICATE, error.message));
 
     debug('Will install app with id : ' + appId);
@@ -381,7 +381,7 @@ function configure(appId, location, portBindings, accessRestriction, oauthProxy,
     error = validateAccessRestriction(accessRestriction);
     if (error) return callback(new AppsError(AppsError.BAD_FIELD, error.message));
 
-    error = settings.validateCertificate(cert, key, config.appFqdn(location));
+    error = certificates.validateCertificate(cert, key, config.appFqdn(location));
     if (error) return callback(new AppsError(AppsError.BAD_CERTIFICATE, error.message));
 
     appdb.get(appId, function (error, app) {

src/apptask.js

@@ -9,7 +9,7 @@ exports = module.exports = {
     startTask: startTask,
 
     // exported for testing
-    _getFreePort: getFreePort,
+    _reserveHttpPort: reserveHttpPort,
     _configureNginx: configureNginx,
     _unconfigureNginx: unconfigureNginx,
     _createVolume: createVolume,
@@ -19,7 +19,6 @@ exports = module.exports = {
     _verifyManifest: verifyManifest,
     _registerSubdomain: registerSubdomain,
     _unregisterSubdomain: unregisterSubdomain,
-    _reloadNginx: reloadNginx,
     _waitForDnsPropagation: waitForDnsPropagation
 };
 
@@ -36,6 +35,7 @@ var addons = require('./addons.js'),
     apps = require('./apps.js'),
     assert = require('assert'),
     async = require('async'),
+    certificates = require('./certificates.js'),
     clientdb = require('./clientdb.js'),
     config = require('./config.js'),
     database = require('./database.js'),
@@ -47,6 +47,7 @@ var addons = require('./addons.js'),
     hat = require('hat'),
     manifestFormat = require('cloudron-manifestformat'),
     net = require('net'),
+    nginx = require('./nginx.js'),
     path = require('path'),
     paths = require('./paths.js'),
     safe = require('safetydance'),
@@ -59,9 +60,7 @@ var addons = require('./addons.js'),
     uuid = require('node-uuid'),
     _ = require('underscore');
 
-var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }),
-    COLLECTD_CONFIG_EJS = fs.readFileSync(__dirname + '/collectd.config.ejs', { encoding: 'utf8' }),
-    RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh'),
+var COLLECTD_CONFIG_EJS = fs.readFileSync(__dirname + '/collectd.config.ejs', { encoding: 'utf8' }),
     RELOAD_COLLECTD_CMD = path.join(__dirname, 'scripts/reloadcollectd.sh'),
     RMAPPDIR_CMD = path.join(__dirname, 'scripts/rmappdir.sh'),
     CREATEAPPDIR_CMD = path.join(__dirname, 'scripts/createappdir.sh');
@@ -77,66 +76,34 @@ function debugApp(app, args) {
     debug(prefix + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)));
 }
 
-// We expect conflicts to not happen despite closing the port (parallel app installs, app update does not reconfigure nginx etc)
-// https://tools.ietf.org/html/rfc6056#section-3.5 says linux uses random ephemeral port allocation
-function getFreePort(callback) {
+function reserveHttpPort(app, callback) {
     var server = net.createServer();
     server.listen(0, function () {
         var port = server.address().port;
-        server.close(function () {
-            return callback(null, port);
+        updateApp(app, { httpPort: port }, function (error) {
+            if (error) {
+                server.close();
+                return callback(error);
+            }
+
+            server.close(callback);
         });
     });
 }
 
-function reloadNginx(callback) {
-    shell.sudo('reloadNginx', [ RELOAD_NGINX_CMD ], callback);
-}
+function configureNginx(app, callback) {    
+    var vhost = config.appFqdn(app.location);
 
-function configureNginx(app, callback) {
-    getFreePort(function (error, freePort) {
+    certificates.ensureCertificate(vhost, function (error, certFilePath, keyFilePath) {
         if (error) return callback(error);
 
-        var sourceDir = path.resolve(__dirname, '..');
-        var endpoint = app.oauthProxy ? 'oauthproxy' : 'app';
-        var vhost = config.appFqdn(app.location);
-        var certFilePath = safe.fs.statSync(path.join(paths.APP_CERTS_DIR, vhost + '.cert')) ? path.join(paths.APP_CERTS_DIR, vhost + '.cert') : 'cert/host.cert';
-        var keyFilePath = safe.fs.statSync(path.join(paths.APP_CERTS_DIR, vhost + '.key')) ? path.join(paths.APP_CERTS_DIR, vhost + '.key') : 'cert/host.key';
-
-        var data = {
-            sourceDir: sourceDir,
-            adminOrigin: config.adminOrigin(),
-            vhost: vhost,
-            port: freePort,
-            endpoint: endpoint,
-            certFilePath: certFilePath,
-            keyFilePath: keyFilePath
-        };
-        var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
-
-        var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
-        debugApp(app, 'writing config to %s', nginxConfigFilename);
-
-        if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
-            debugApp(app, 'Error creating nginx config : %s', safe.error.message);
-            return callback(safe.error);
-        }
-
-        async.series([
-            exports._reloadNginx,
-            updateApp.bind(null, app, { httpPort: freePort })
-        ], callback);
+        nginx.configureApp(app, certFilePath, keyFilePath, callback);
     });
 }
 
 function unconfigureNginx(app, callback) {
-    var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
-    if (!safe.fs.unlinkSync(nginxConfigFilename)) {
-        debugApp(app, 'Error removing nginx configuration : %s', safe.error.message);
-        return callback(null);
-    }
-
-    exports._reloadNginx(callback);
+    // TODO: maybe revoke the cert
+    nginx.unconfigureApp(app, callback);
 }
 
 function createContainer(app, callback) {
@@ -234,8 +201,8 @@ function downloadIcon(app, callback) {
         .get(iconUrl)
         .buffer(true)
         .end(function (error, res) {
-            if (error) return callback(new Error('Error downloading icon:' + error.message));
-            if (res.status !== 200) return callback(null); // ignore error. this can also happen for apps installed with cloudron-cli
+            if (error && !error.response) return callback(new Error('Network error downloading icon:' + error.message));
+            if (res.statusCode !== 200) return callback(null); // ignore error. this can also happen for apps installed with cloudron-cli
 
             if (!safe.fs.writeFileSync(path.join(paths.APPICONS_DIR, app.id + '.png'), res.body)) return callback(new Error('Error saving icon:' + safe.error.message));
 
@@ -343,6 +310,7 @@ function install(app, callback) {
 
         // teardown for re-installs
         updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
+        unconfigureNginx.bind(null, app),
         removeCollectdProfile.bind(null, app),
         stopApp.bind(null, app),
         deleteContainers.bind(null, app),
@@ -351,10 +319,8 @@ function install(app, callback) {
         unregisterSubdomain.bind(null, app, app.location),
         removeOAuthProxyCredentials.bind(null, app),
         // removeIcon.bind(null, app), // do not remove icon for non-appstore installs
-        unconfigureNginx.bind(null, app),
 
-        updateApp.bind(null, app, { installationProgress: '15, Configure nginx' }),
-        configureNginx.bind(null, app),
+        reserveHttpPort.bind(null, app),
 
         updateApp.bind(null, app, { installationProgress: '20, Downloading icon' }),
         downloadIcon.bind(null, app),
@@ -385,6 +351,9 @@ function install(app, callback) {
         updateApp.bind(null, app, { installationProgress: '90, Waiting for DNS propagation' }),
         exports._waitForDnsPropagation.bind(null, app),
 
+        updateApp.bind(null, app, { installationProgress: '95, Configure nginx' }),
+        configureNginx.bind(null, app),
+
         // done!
         function (callback) {
             debugApp(app, 'installed');
@@ -429,6 +398,7 @@ function restore(app, callback) {
 
     async.series([
         updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
+        unconfigureNginx.bind(null, app),
         removeCollectdProfile.bind(null, app),
         stopApp.bind(null, app),
         deleteContainers.bind(null, app),
@@ -442,10 +412,8 @@ function restore(app, callback) {
         },
         removeOAuthProxyCredentials.bind(null, app),
         removeIcon.bind(null, app),
-        unconfigureNginx.bind(null, app),
 
-        updateApp.bind(null, app, { installationProgress: '30, Configuring Nginx' }),
-        configureNginx.bind(null, app),
+        reserveHttpPort.bind(null, app),
 
         updateApp.bind(null, app, { installationProgress: '40, Downloading icon' }),
         downloadIcon.bind(null, app),
@@ -476,6 +444,9 @@ function restore(app, callback) {
         updateApp.bind(null, app, { installationProgress: '90, Waiting for DNS propagation' }),
         exports._waitForDnsPropagation.bind(null, app),
 
+        updateApp.bind(null, app, { installationProgress: '95, Configuring Nginx' }),
+        configureNginx.bind(null, app),
+
         // done!
         function (callback) {
             debugApp(app, 'restored');
@@ -495,6 +466,7 @@ function restore(app, callback) {
 function configure(app, callback) {
     async.series([
         updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
+        unconfigureNginx.bind(null, app),
         removeCollectdProfile.bind(null, app),
         stopApp.bind(null, app),
         deleteContainers.bind(null, app),
@@ -504,10 +476,8 @@ function configure(app, callback) {
             unregisterSubdomain(app, app.oldConfig.location, next);
         },
         removeOAuthProxyCredentials.bind(null, app),
-        unconfigureNginx.bind(null, app),
 
-        updateApp.bind(null, app, { installationProgress: '25, Configuring Nginx' }),
-        configureNginx.bind(null, app),
+        reserveHttpPort.bind(null, app),
 
         updateApp.bind(null, app, { installationProgress: '30, Create OAuth proxy credentials' }),
         allocateOAuthProxyCredentials.bind(null, app),
@@ -530,6 +500,9 @@ function configure(app, callback) {
         updateApp.bind(null, app, { installationProgress: '80, Waiting for DNS propagation' }),
         exports._waitForDnsPropagation.bind(null, app),
 
+        updateApp.bind(null, app, { installationProgress: '90, Configuring Nginx' }),
+        configureNginx.bind(null, app),
+
         // done!
         function (callback) {
             debugApp(app, 'configured');
@@ -723,4 +696,3 @@ if (require.main === module) {
         });
     });
 }
-

src/cert/acme.js

@@ -4,21 +4,21 @@
 
 var assert = require('assert'),
     async = require('async'),
-    config = require('./config.js'),
+    config = require('../config.js'),
     crypto = require('crypto'),
-    debug = require('debug')('acme'),
-    execSync = require('child_process').execSync,
+    debug = require('debug')('box:cert/acme'),
     fs = require('fs'),
     path = require('path'),
-    paths = require('./paths.js'),
+    paths = require('../paths.js'),
+    safe = require('safetydance'),
     superagent = require('superagent'),
-    urlBase64Encode = require('url-base64-node').escape,
     ursa = require('ursa'),
     util = require('util'),
     _ = require('underscore');
 
-var CA_STAGING = 'https://acme-v01.api.letsencrypt.org',
-    CA_STAGING = 'https://acme-staging.api.letsencrypt.org/',
+var CA_PROD = 'https://acme-v01.api.letsencrypt.org',
+    CA_STAGING = 'https://acme-staging.api.letsencrypt.org',
+    CA_ORIGIN = CA_PROD,
     LE_AGREEMENT = 'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf';
 
 exports = module.exports = {
@@ -55,7 +55,7 @@ AcmeError.FORBIDDEN = 'Forbidden';
 // https://community.letsencrypt.org/t/list-of-client-implementations/2103
 
 function getNonce(callback) {
-    superagent.get(CA_STAGING + '/directory', function (error, response) {
+    superagent.get(CA_ORIGIN + '/directory', function (error, response) {
         if (error) return callback(error);
         if (response.statusCode !== 200) return callback(new Error('Invalid response code when fetching nonce : ' + response.statusCode));
 
@@ -64,18 +64,22 @@ function getNonce(callback) {
 }
 
 // urlsafe base64 encoding (jose)
+function urlBase64Encode(string) {
+    return string.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+
 function b64(str) {
     var buf = util.isBuffer(str) ? str : new Buffer(str);
    return urlBase64Encode(buf.toString('base64'));
 }
 
-function sendSignedRequest(url, privateKeyPem, payload, callback) {
+function sendSignedRequest(url, accountKeyPem, payload, callback) {
     assert.strictEqual(typeof url, 'string');
-    assert(util.isBuffer(privateKeyPem));
+    assert(util.isBuffer(accountKeyPem));
     assert.strictEqual(typeof payload, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    var privateKey = ursa.createPrivateKey(privateKeyPem);
+    var privateKey = ursa.createPrivateKey(accountKeyPem);
 
     var header = {
         alg: 'RS256',
@@ -91,7 +95,7 @@ function sendSignedRequest(url, privateKeyPem, payload, callback) {
     getNonce(function (error, nonce) {
         if (error) return callback(error);
 
-        debug('Using nonce %s', nonce);
+        debug('sendSignedRequest: using nonce %s for url %s', nonce, url);
 
         var protected64 = b64(JSON.stringify(_.extend({ }, header, { nonce: nonce })));
 
@@ -106,7 +110,7 @@ function sendSignedRequest(url, privateKeyPem, payload, callback) {
             signature: signature64
         };
 
-        superagent.post(url).set('Content-Type', 'application/x-www-form-urlencoded').send(JSON.stringify(data)).buffer().end(function (error, res) {
+        superagent.post(url).set('Content-Type', 'application/x-www-form-urlencoded').send(JSON.stringify(data)).end(function (error, res) {
             if (error && !error.response) return callback(error); // network errors
 
             callback(null, res);
@@ -114,8 +118,8 @@ function sendSignedRequest(url, privateKeyPem, payload, callback) {
     });
 }
 
-function registerUser(privateKeyPem, email, callback) {
-    assert(util.isBuffer(privateKeyPem));
+function registerUser(accountKeyPem, email, callback) {
+    assert(util.isBuffer(accountKeyPem));
     assert.strictEqual(typeof email, 'string');
     assert.strictEqual(typeof callback, 'function');
 
@@ -127,7 +131,7 @@ function registerUser(privateKeyPem, email, callback) {
 
     debug('registerUser: %s', email);
 
-    sendSignedRequest(CA_STAGING + '/acme/new-reg', privateKeyPem, JSON.stringify(payload), function (error, result) {
+    sendSignedRequest(CA_ORIGIN + '/acme/new-reg', accountKeyPem, JSON.stringify(payload), function (error, result) {
         if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
         if (result.statusCode === 409) return callback(new AcmeError(AcmeError.ALREADY_EXISTS, result.body.detail));
         if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
@@ -138,8 +142,8 @@ function registerUser(privateKeyPem, email, callback) {
     });
 }
 
-function registerDomain(privateKeyPem, domain, callback) {
-    assert(util.isBuffer(privateKeyPem));
+function registerDomain(accountKeyPem, domain, callback) {
+    assert(util.isBuffer(accountKeyPem));
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
@@ -153,7 +157,7 @@ function registerDomain(privateKeyPem, domain, callback) {
 
     debug('registerDomain: %s', domain);
 
-    sendSignedRequest(CA_STAGING + '/acme/new-authz', privateKeyPem, JSON.stringify(payload), function (error, result) {
+    sendSignedRequest(CA_ORIGIN + '/acme/new-authz', accountKeyPem, JSON.stringify(payload), function (error, result) {
         if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering domain: ' + error.message));
         if (result.statusCode === 403) return callback(new AcmeError(AcmeError.FORBIDDEN, result.body.detail));
         if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
@@ -164,8 +168,8 @@ function registerDomain(privateKeyPem, domain, callback) {
     });
 }
 
-function prepareHttpChallenge(privateKeyPem, challenge, callback) {
-    assert(util.isBuffer(privateKeyPem));
+function prepareHttpChallenge(accountKeyPem, challenge, callback) {
+    assert(util.isBuffer(accountKeyPem));
     assert.strictEqual(typeof challenge, 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -173,7 +177,7 @@ function prepareHttpChallenge(privateKeyPem, challenge, callback) {
 
     var token = challenge.token;
 
-    var privateKey = ursa.createPrivateKey(privateKeyPem);
+    var privateKey = ursa.createPrivateKey(accountKeyPem);
 
     var jwk = {
         e: b64(privateKey.getExponent()),
@@ -195,8 +199,8 @@ function prepareHttpChallenge(privateKeyPem, challenge, callback) {
     });
 }
 
-function notifyChallengeReady(privateKeyPem, challenge, callback) {
-    assert(util.isBuffer(privateKeyPem));
+function notifyChallengeReady(accountKeyPem, challenge, callback) {
+    assert(util.isBuffer(accountKeyPem));
     assert.strictEqual(typeof challenge, 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -209,7 +213,7 @@ function notifyChallengeReady(privateKeyPem, challenge, callback) {
         keyAuthorization: keyAuthorization
     };
 
-    sendSignedRequest(challenge.uri, privateKeyPem, JSON.stringify(payload), function (error, result) {
+    sendSignedRequest(challenge.uri, accountKeyPem, JSON.stringify(payload), function (error, result) {
         if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when notifying challenge: ' + error.message));
         if (result.statusCode !== 202) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 202, got %s %s', result.statusCode, result.text)));
 
@@ -242,93 +246,169 @@ function waitForChallenge(challenge, callback) {
             else if (result.body.status === 'valid') return retryCallback();
             else return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status));
         });
-    }, callback);
-}
-
-// https://community.letsencrypt.org/t/public-beta-rate-limits/4772 for rate limits
-function signCertificate(privateKeyPem, certificateDer, callback) {
-    assert(util.isBuffer(privateKeyPem));
-    assert(util.isBuffer(certificateDer));
-    assert.strictEqual(typeof callback, 'function');
-
-    var payload = {
-        resource: 'new-cert',
-        csr: b64(certificateDer)
-    };
-
-    debug('signCertificate: signing %s', payload.csr);
-
-    sendSignedRequest(CA_STAGING + '/acme/new-cert', privateKeyPem, JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message));
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 201, got %s %s', result.statusCode, result.text)));
-
-        // TODO: result.body can be empty in which case it has to be polled for from this location
-        debug('signCertificate: certificate is available at ', result.headers['location']);
-
-        callback(null, result.text);
+    }, function retryFinished(error) {
+        // async.retry will pass 'undefined' as second arg making it unusable with async.waterfall()
+        callback(error);
     });
 }
 
-function acmeFlow(domain, email, privateKeyPem, callback) {
+// https://community.letsencrypt.org/t/public-beta-rate-limits/4772 for rate limits
+function signCertificate(accountKeyPem, domain, csrDer, callback) {
+    assert(util.isBuffer(accountKeyPem));
     assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof email, 'string');
-    assert(util.isBuffer(privateKeyPem));
+    assert(util.isBuffer(csrDer));
     assert.strictEqual(typeof callback, 'function');
 
-    registerUser(privateKeyPem, email, function (error) {
+    var outdir = paths.APP_CERTS_DIR;
+
+    var payload = {
+        resource: 'new-cert',
+        csr: b64(csrDer)
+    };
+
+    debug('signCertificate: sending new-cert request');
+
+    sendSignedRequest(CA_ORIGIN + '/acme/new-cert', accountKeyPem, JSON.stringify(payload), function (error, result) {
+        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message));
+        // 429 means we reached the cert limit for this domain
+        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 201, got %s %s', result.statusCode, result.text)));
+
+        var certUrl = result.headers.location;
+
+        if (!certUrl) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Missing location in downloadCertificate'));
+
+        safe.fs.writeFileSync(path.join(outdir, domain + '.url'), certUrl, 'utf8'); // for renewal
+
+        return callback(null, result.headers.location);
+    });
+}
+
+function createKeyAndCsr(domain, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var outdir = paths.APP_CERTS_DIR;
+    var execSync = safe.child_process.execSync;
+
+    var privateKeyFile = path.join(outdir, domain + '.key');
+    var key = execSync('openssl genrsa 4096');
+    if (!key) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+    if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+
+    debug('createKeyAndCsr: key file saved at %s', privateKeyFile);
+
+    var csrDer = execSync(util.format('openssl req -new -key %s -outform DER -subj /CN=%s', privateKeyFile, domain));
+    if (!csrDer) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+    var csrFile = path.join(outdir, domain + '.csr');
+    if (!safe.fs.writeFileSync(csrFile, csrFile)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+
+    debug('createKeyAndCsr: csr file (DER) saved at %s', csrFile);
+
+    callback(null, csrDer);
+}
+
+function downloadCertificate(domain, certUrl, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof certUrl, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var outdir = paths.APP_CERTS_DIR;
+
+    superagent.get(certUrl).buffer().parse(function (res, done) {
+        var data = [ ];
+        res.on('data', function(chunk) { data.push(chunk); });
+        res.on('end', function () { res.text = Buffer.concat(data); done(); });
+    }).end(function (error, result) {
+        if (error && !error.response) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when downloading certificate'));
+        if (result.statusCode === 202) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, 'Retry not implemented yet'));
+        if (result.statusCode !== 200) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
+
+        var certificateDer = result.text;
+        var execSync = safe.child_process.execSync;
+
+        safe.fs.writeFileSync(path.join(outdir, domain + '.der'), certificateDer);
+        debug('downloadCertificate: cert der file saved');
+
+        var certificatePem = execSync('openssl x509 -inform DER -outform PEM', { input: certificateDer }); // this is really just base64 encoding with header
+        if (!certificatePem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+
+        var chainPem = safe.fs.readFileSync(__dirname + '/lets-encrypt-x1-cross-signed.pem.txt');
+        if (!chainPem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+
+        var certificateFile = path.join(outdir, domain + '.cert');
+        var fullChainPem = Buffer.concat([certificatePem, chainPem]);
+        if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+
+        debug('downloadCertificate: cert file saved at %s', certificateFile);
+
+        callback();
+    });
+}
+
+function acmeFlow(domain, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    // registering user with an email requires A or MX record (https://github.com/letsencrypt/boulder/issues/1197)
+    // we cannot use admin@fqdn because the user might not have set it up.
+    // we cannot use owner email because we don't have it yet (the admin cert is fetched before activation)
+    // one option is to update the owner email when a second cert is requested (https://github.com/ietf-wg-acme/acme/issues/30)
+    var email = 'admin@cloudron.io';
+    var accountKeyPem;
+
+    if (!fs.existsSync(paths.ACME_ACCOUNT_KEY_FILE)) {
+        debug('getCertificate: generating acme account key on first run');
+        accountKeyPem = safe.child_process.execSync('openssl genrsa 4096');
+        if (!accountKeyPem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
+
+        safe.fs.writeFileSync(paths.ACME_ACCOUNT_KEY_FILE, accountKeyPem);
+    } else {
+        debug('getCertificate: using existing acme account key');
+        accountKeyPem = fs.readFileSync(paths.ACME_ACCOUNT_KEY_FILE);
+    }
+
+    registerUser(accountKeyPem, email, function (error) {
         if (error && error.reason !== AcmeError.ALREADY_EXISTS) return callback(error);
 
-        registerDomain(privateKeyPem, domain, function (error, result) {
+        registerDomain(accountKeyPem, domain, function (error, result) {
             if (error) return callback(error);
 
-            debug('getCertificate: challenges: %j', result);
+            debug('acmeFlow: challenges: %j', result);
 
             var httpChallenges = result.challenges.filter(function(x) { return x.type === 'http-01'; });
             if (httpChallenges.length === 0) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'no http challenges'));
             var challenge = httpChallenges[0];
 
-            prepareHttpChallenge(privateKeyPem, challenge, function (error) {
-                if (error) return callback(error);
-
-                notifyChallengeReady(privateKeyPem, challenge, function (error) {
-                    if (error) return callback(error);
-
-                    waitForChallenge(challenge, function (error) {
-                        if (error) return callback(error);
-
-                        var serverKey = execSync('openssl genrsa 4096');
-                        var certificateDer = execSync(util.format('openssl req -nodes -outform DER -subj /CN=%s', domain), { stdio: [ serverKey, null, null ] });
-
-                        signCertificate(privateKeyPem, certificateDer, function (error, certificateDer) {
-                            if (error) return callback(error);
-                            var certificatePem = execSync('openssl x509 -inform DER -outform PEM', { stdio: [ certificateDer, null, null ] });
-
-                            callback(null, serverKey, certificatePem);
-                        });
-                    });
-                });
-            });
+            async.waterfall([
+                prepareHttpChallenge.bind(null, accountKeyPem, challenge),
+                notifyChallengeReady.bind(null, accountKeyPem, challenge),
+                waitForChallenge.bind(null, challenge),
+                createKeyAndCsr.bind(null, domain),
+                signCertificate.bind(null, accountKeyPem, domain),
+                downloadCertificate.bind(null, domain)
+            ], callback);
         });
     });
 }
 
 function getCertificate(domain, callback) {
-    var email = 'admin@' + config.fqdn();
-    var privateKeyPem;
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
 
-    if (!fs.existsSync(paths.ACME_ACCOUNT_KEY_FILE)) {
-        debug('getCertificate: generating acme account key on first run');
-        privateKeyPem = execSync('openssl genrsa 4096');
-        fs.writeFileSync(paths.ACME_ACCOUNT_KEY_FILE, privateKeyPem);
+    var outdir = paths.APP_CERTS_DIR;
+    var certUrl = safe.fs.readFileSync(path.join(outdir, domain + '.url'), 'utf8');
+    var certificateGetter;
+    if (certUrl) {
+        debug('getCertificate: renewing existing cert for %s from %s', domain, certUrl);
+        certificateGetter = downloadCertificate.bind(null, domain, certUrl);
     } else {
-        privateKeyPem = fs.readFileSync(paths.ACME_ACCOUNT_KEY_FILE);
+        debug('getCertificate: start acme flow for %s', domain);
+        certificateGetter = acmeFlow.bind(null, domain);
     }
 
-    acmeFlow(domain, email, privateKeyPem, callback);
-}
+    certificateGetter(function (error) {
+        if (error) return callback(error);
 
-getCertificate('foobar.girish.in', function (error, key, cert) {
-    console.dir(error);
-    console.dir(key);
-    console.dir(cert);
-});
+        callback(null, path.join(outdir, domain + '.cert'), path.join(outdir, domain + '.key'));
+    });
+}

src/cert/caas.js

@@ -0,0 +1,17 @@
+'use strict';
+
+exports = module.exports = {
+    getCertificate: getCertificate
+};
+
+var assert = require('assert'),
+	debug = require('debug')('box:cert/caas.js');
+
+function getCertificate(domain, callback) {
+	assert.strictEqual(typeof domain, 'string');
+	assert.strictEqual(typeof callback, 'function');
+
+    debug('getCertificate: using fallback certificate', domain);
+
+    return callback(null, 'cert/host.cert', 'cert/host.key');
+}

src/cert/lets-encrypt-x1-cross-signed.pem.txt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB
+BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg
+PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG
+dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1
+gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4
+4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud
+EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy
+BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j
+b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv
+ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ
+MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH
+AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw
+MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM
+LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3
+pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd
+v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd
+ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW
+ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk
+6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj
+f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=
+-----END CERTIFICATE-----

src/certificates.js

@@ -0,0 +1,241 @@
+/* jslint node:true */
+
+'use strict';
+
+var acme = require('./cert/acme.js'),
+    assert = require('assert'),
+    async = require('async'),
+    caas = require('./cert/caas.js'),
+    cloudron = require('./cloudron.js'),
+    config = require('./config.js'),
+    constants = require('./constants.js'),
+    debug = require('debug')('box:src/certificates'),
+    fs = require('fs'),
+    nginx = require('./nginx.js'),
+    path = require('path'),
+    paths = require('./paths.js'),
+    safe = require('safetydance'),
+    settings = require('./settings.js'),
+    sysinfo = require('./sysinfo.js'),
+    util = require('util'),
+    waitForDns = require('./waitfordns.js'),
+    x509 = require('x509');
+
+exports = module.exports = {
+    installAdminCertificate: installAdminCertificate,
+    autoRenew: autoRenew,
+    setFallbackCertificate: setFallbackCertificate,
+    setAdminCertificate: setAdminCertificate,
+    CertificatesError: CertificatesError,
+    validateCertificate: validateCertificate,
+    ensureCertificate: ensureCertificate
+};
+
+var NOOP_CALLBACK = function (error) { if (error) debug(error); };
+
+function CertificatesError(reason, errorOrMessage) {
+    assert.strictEqual(typeof reason, 'string');
+    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
+
+    Error.call(this);
+    Error.captureStackTrace(this, this.constructor);
+
+    this.name = this.constructor.name;
+    this.reason = reason;
+    if (typeof errorOrMessage === 'undefined') {
+        this.message = reason;
+    } else if (typeof errorOrMessage === 'string') {
+        this.message = errorOrMessage;
+    } else {
+        this.message = 'Internal error';
+        this.nestedError = errorOrMessage;
+    }
+}
+util.inherits(CertificatesError, Error);
+CertificatesError.INTERNAL_ERROR = 'Internal Error';
+CertificatesError.INVALID_CERT = 'Invalid certificate';
+
+function getApi(callback) {
+    settings.getTlsConfig(function (error, tlsConfig) {
+        if (error) return callback(error);
+
+        var api = tlsConfig.provider === 'caas' ? caas : acme;
+
+        callback(null, api);
+    });
+}
+
+function installAdminCertificate(callback) {
+    if (cloudron.isConfiguredSync()) return callback();
+
+    settings.getTlsConfig(function (error, tlsConfig) {
+        if (error) return callback(error);
+
+        if (tlsConfig.provider === 'caas') return callback();
+
+        waitForDns(config.adminFqdn(), sysinfo.getIp(), config.fqdn(), function (error) {
+            if (error) return callback(error); // this cannot happen because we retry forever
+
+            ensureCertificate(config.adminFqdn(), function (error, certFilePath, keyFilePath) {
+                if (error) { // currently, this can never happen
+                    debug('Error obtaining certificate. Proceed anyway', error);
+                    return callback();
+                }
+
+                nginx.configureAdmin(certFilePath, keyFilePath, callback);
+            });
+        });
+    });
+}
+
+function needsRenewalSync(certFilePath) {
+    var result = safe.child_process.execSync('openssl x509 -checkend %s -in %s', 60 * 60 * 24 * 5, certFilePath);
+
+    return result === null; // command errored
+}
+
+function autoRenew(callback) {
+    debug('autoRenew: Checking certificates for renewal');
+    callback = callback || NOOP_CALLBACK;
+
+    var filenames = safe.fs.readdirSync(paths.APP_CERTS_DIR);
+    if (!filenames) {
+        debug('autoRenew: Error getting filenames: %s', safe.error.message);
+        return;
+    }
+
+    var certs = filenames.filter(function (f) {
+        return f.match(/\.cert$/) !== null && needsRenewalSync(path.join(paths.APP_CERTS_DIR, f));
+    });
+
+    debug('autoRenew: %j needs to be renewed', certs);
+
+    getApi(function (error, api) {
+        if (error) return callback(error);
+
+        async.eachSeries(certs, function iterator(cert, iteratorCallback) {
+            var domain = cert.match(/^(.*)\.cert$/)[1];
+            if (domain === 'host') return iteratorCallback(); // cannot renew fallback cert
+
+            api.getCertificate(domain, function (error) {
+                if (error) debug('autoRenew: could not renew cert for %s', domain, error);
+
+                iteratorCallback(); // move on to next cert
+            });
+        });
+    });
+}
+
+// note: https://tools.ietf.org/html/rfc4346#section-7.4.2 (certificate_list) requires that the
+// servers certificate appears first (and not the intermediate cert)
+function validateCertificate(cert, key, fqdn) {
+    assert(cert === null || typeof cert === 'string');
+    assert(key === null || typeof key === 'string');
+    assert.strictEqual(typeof fqdn, 'string');
+
+    if (cert === null && key === null) return null;
+    if (!cert && key) return new Error('missing cert');
+    if (cert && !key) return new Error('missing key');
+
+    var content;
+    try {
+        content = x509.parseCert(cert);
+    } catch (e) {
+        return new Error('invalid cert: ' + e.message);
+    }
+
+    // check expiration
+    if (content.notAfter < new Date()) return new Error('cert expired');
+
+    function matchesDomain(domain) {
+        if (domain === fqdn) return true;
+        if (domain.indexOf('*') === 0 && domain.slice(2) === fqdn.slice(fqdn.indexOf('.') + 1)) return true;
+
+        return false;
+    }
+
+    // check domain
+    var domains = content.altNames.concat(content.subject.commonName);
+    if (!domains.some(matchesDomain)) return new Error(util.format('cert is not valid for this domain. Expecting %s in %j', fqdn, domains));
+
+    // http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
+    var certModulus = safe.child_process.execSync('openssl x509 -noout -modulus', { encoding: 'utf8', input: cert });
+    var keyModulus = safe.child_process.execSync('openssl rsa -noout -modulus', { encoding: 'utf8', input: key });
+    if (certModulus !== keyModulus) return new Error('key does not match the cert');
+
+    return null;
+}
+
+function setFallbackCertificate(cert, key, callback) {
+    assert.strictEqual(typeof cert, 'string');
+    assert.strictEqual(typeof key, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var error = validateCertificate(cert, key, '*.' + config.fqdn());
+    if (error) return callback(new CertificatesError(CertificatesError.INVALID_CERT, error.message));
+
+    // backup the cert
+    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, 'host.cert'), cert)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
+    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, 'host.key'), key)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
+
+    // copy over fallback cert
+    if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, 'host.cert'), cert)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
+    if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, 'host.key'), key)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
+
+    nginx.reload(function (error) {
+        if (error) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, error));
+
+        return callback(null);
+    });
+}
+
+function setAdminCertificate(cert, key, callback) {
+    assert.strictEqual(typeof cert, 'string');
+    assert.strictEqual(typeof key, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var vhost = config.appFqdn(constants.ADMIN_LOCATION);
+    var certFilePath = path.join(paths.APP_CERTS_DIR, vhost + '.cert');
+    var keyFilePath = path.join(paths.APP_CERTS_DIR, vhost + '.key');
+
+    var error = validateCertificate(cert, key, vhost);
+    if (error) return callback(new CertificatesError(CertificatesError.INVALID_CERT, error.message));
+
+    // backup the cert
+    if (!safe.fs.writeFileSync(certFilePath, cert)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
+    if (!safe.fs.writeFileSync(keyFilePath, key)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
+
+    nginx.configureAdmin(certFilePath, keyFilePath, callback);
+}
+
+function ensureCertificate(domain, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    // check if user uploaded a specific cert. ideally, we should not mix user certs and automatic certs as we do here...
+    var userCertFilePath = path.join(paths.APP_CERTS_DIR, domain + '.cert');
+    var userKeyFilePath = path.join(paths.APP_CERTS_DIR, domain + '.key');
+
+    if (fs.existsSync(userCertFilePath) && fs.existsSync(userKeyFilePath)) {
+        debug('ensureCertificate: %s. certificate already exists at %s', domain, userKeyFilePath);
+
+        if (!needsRenewalSync(userCertFilePath)) return callback(null, userCertFilePath, userKeyFilePath);
+
+        debug('ensureCertificate: %s cert require renewal', domain);
+    }
+
+    getApi(function (error, api) {
+        if (error) return callback(error);
+
+        debug('ensureCertificate: getting certificate for %s', domain);
+
+        api.getCertificate(domain, function (error, certFilePath, keyFilePath) {
+            if (error) {
+                debug('ensureCertificate: could not get certificate. using fallback certs', error);
+                return callback(null, 'cert/host.cert', 'cert/host.key'); // use fallback certs
+            }
+
+            callback(null, certFilePath, keyFilePath);
+        });
+    });
+}

src/cloudron.js

@@ -178,7 +178,7 @@ function setTimeZone(ip, callback) {
     debug('setTimeZone ip:%s', ip);
 
     superagent.get('http://www.telize.com/geoip/' + ip).end(function (error, result) {
-        if (error || result.statusCode !== 200) {
+        if ((error && !error.response) || result.statusCode !== 200) {
             debug('Failed to get geo location', error);
             return callback(null);
         }
@@ -260,8 +260,8 @@ function getCloudronDetails(callback) {
         .get(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn())
         .query({ token: config.token() })
         .end(function (error, result) {
-            if (error) return callback(error);
-            if (result.status !== 200) return callback(new CloudronError(CloudronError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+            if (error && !error.response) return callback(error);
+            if (result.statusCode !== 200) return callback(new CloudronError(CloudronError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
 
             gCloudronDetails = result.body.box;
 
@@ -318,7 +318,7 @@ function sendHeartbeat() {
     var url = config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/heartbeat';
 
     superagent.post(url).query({ token: config.token(), version: config.version() }).timeout(10000).end(function (error, result) {
-        if (error) debug('Error sending heartbeat.', error);
+        if (error && !error.response) debug('Network error sending heartbeat.', error);
         else if (result.statusCode !== 200) debug('Server responded to heartbeat with %s %s', result.statusCode, result.text);
         else debug('Heartbeat sent to %s', url);
     });
@@ -466,10 +466,10 @@ function migrate(size, region, callback) {
           .query({ token: config.token() })
           .send({ size: size, region: region, restoreKey: restoreKey })
           .end(function (error, result) {
-            if (error) return unlock(error);
-            if (result.status === 409) return unlock(new CloudronError(CloudronError.BAD_STATE));
-            if (result.status === 404) return unlock(new CloudronError(CloudronError.NOT_FOUND));
-            if (result.status !== 202) return unlock(new CloudronError(CloudronError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+            if (error && !error.response) return unlock(error);
+            if (result.statusCode === 409) return unlock(new CloudronError(CloudronError.BAD_STATE));
+            if (result.statusCode === 404) return unlock(new CloudronError(CloudronError.NOT_FOUND));
+            if (result.statusCode !== 202) return unlock(new CloudronError(CloudronError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
 
             return unlock(null);
         });
@@ -526,8 +526,8 @@ function doUpgrade(boxUpdateInfo, callback) {
           .query({ token: config.token() })
           .send({ version: boxUpdateInfo.version })
           .end(function (error, result) {
-            if (error) return upgradeError(new Error('Error making upgrade request: ' + error));
-            if (result.status !== 202) return upgradeError(new Error(util.format('Server not ready to upgrade. statusCode: %s body: %j', result.status, result.body)));
+            if (error && !error.response) return upgradeError(new Error('Network error making upgrade request: ' + error));
+            if (result.statusCode !== 202) return upgradeError(new Error(util.format('Server not ready to upgrade. statusCode: %s body: %j', result.status, result.body)));
 
             progress.set(progress.UPDATE, 10, 'Updating base system');
 
@@ -555,8 +555,8 @@ function doUpdate(boxUpdateInfo, callback) {
         superagent.get(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/sourcetarballurl')
           .query({ token: config.token(), boxVersion: boxUpdateInfo.version })
           .end(function (error, result) {
-            if (error) return updateError(new Error('Error fetching sourceTarballUrl: ' + error));
-            if (result.status !== 200) return updateError(new Error('Error fetching sourceTarballUrl status: ' + result.status));
+            if (error && !error.response) return updateError(new Error('Network error fetching sourceTarballUrl: ' + error));
+            if (result.statusCode !== 200) return updateError(new Error('Error fetching sourceTarballUrl status: ' + result.statusCode));
             if (!safe.query(result, 'body.url')) return updateError(new Error('Error fetching sourceTarballUrl response: ' + JSON.stringify(result.body)));
 
             // NOTE: the args here are tied to the installer revision, box code and appstore provisioning logic
@@ -582,11 +582,6 @@ function doUpdate(boxUpdateInfo, callback) {
                         apiServerOrigin: config.apiServerOrigin(),
                         webServerOrigin: config.webServerOrigin()
                     },
-                    tlsConfig: {
-                        provider: 'caas',
-                        cert: fs.readFileSync(path.join(paths.NGINX_CERT_DIR, 'host.cert'), 'utf8'),
-                        key: fs.readFileSync(path.join(paths.NGINX_CERT_DIR, 'host.key'), 'utf8'),
-                    },
 
                     version: boxUpdateInfo.version,
                     boxVersionsUrl: config.get('boxVersionsUrl')
@@ -596,8 +591,8 @@ function doUpdate(boxUpdateInfo, callback) {
             debug('updating box %j', args);
 
             superagent.post(INSTALLER_UPDATE_URL).send(args).end(function (error, result) {
-                if (error) return updateError(error);
-                if (result.status !== 202) return updateError(new Error('Error initiating update: ' + JSON.stringify(result.body)));
+                if (error && !error.response) return updateError(error);
+                if (result.statusCode !== 202) return updateError(new Error('Error initiating update: ' + JSON.stringify(result.body)));
 
                 progress.set(progress.UPDATE, 10, 'Updating cloudron software');
 

src/collectd.config.ejs

@@ -1,6 +1,6 @@
 LoadPlugin "table"
 <Plugin table>
-  <Table "/sys/fs/cgroup/memory/system.slice/docker-<%= containerId %>.scope/memory.stat">
+  <Table "/sys/fs/cgroup/memory/system.slice/docker.service/docker/<%= containerId %>/memory.stat">
     Instance "<%= appId %>-memory"
     Separator " \\n"
     <Result>
@@ -10,7 +10,7 @@ LoadPlugin "table"
     </Result>
   </Table>
 
-  <Table "/sys/fs/cgroup/memory/system.slice/docker-<%= containerId %>.scope/memory.max_usage_in_bytes">
+  <Table "/sys/fs/cgroup/memory/system.slice/docker.service/docker/<%= containerId %>/memory.max_usage_in_bytes">
     Instance "<%= appId %>-memory"
     Separator "\\n"
     <Result>
@@ -20,7 +20,7 @@ LoadPlugin "table"
     </Result>
   </Table>
 
-  <Table "/sys/fs/cgroup/cpuacct/system.slice/docker-<%= containerId %>.scope/cpuacct.stat">
+  <Table "/sys/fs/cgroup/cpuacct/docker/<%= containerId %>/cpuacct.stat">
     Instance "<%= appId %>-cpu"
     Separator " \\n"
     <Result>

src/config.js

@@ -28,6 +28,7 @@ exports = module.exports = {
     // these values are derived
     adminOrigin: adminOrigin,
     internalAdminOrigin: internalAdminOrigin,
+    adminFqdn: adminFqdn,
     appFqdn: appFqdn,
     zoneName: zoneName,
 
@@ -155,6 +156,10 @@ function appFqdn(location) {
     return isCustomDomain() ? location + '.' + fqdn() : location + '-' + fqdn();
 }
 
+function adminFqdn() {
+    return appFqdn(constants.ADMIN_LOCATION);
+}
+
 function adminOrigin() {
     return 'https://' + appFqdn(constants.ADMIN_LOCATION);
 }

src/cron.js

@@ -7,6 +7,7 @@ exports = module.exports = {
 
 var apps = require('./apps.js'),
     assert = require('assert'),
+    certificates = require('./certificates.js'),
     cloudron = require('./cloudron.js'),
     config = require('./config.js'),
     CronJob = require('cron').CronJob,
@@ -23,7 +24,8 @@ var gAutoupdaterJob = null,
     gBackupJob = null,
     gCleanupTokensJob = null,
     gDockerVolumeCleanerJob = null,
-    gSchedulerSyncJob = null;
+    gSchedulerSyncJob = null,
+    gCertificateRenewJob = null;
 
 var NOOP_CALLBACK = function (error) { if (error) console.error(error); };
 
@@ -107,6 +109,14 @@ function recreateJobs(unusedTimeZone, callback) {
             timeZone: allSettings[settings.TIME_ZONE_KEY]
         });
 
+        if (gCertificateRenewJob) gCertificateRenewJob.stop();
+        gCertificateRenewJob = new CronJob({
+            cronTime: '00 00 */12 * * *', // every 12 hours
+            onTick: certificates.autoRenew,
+            start: true,
+            timeZone: allSettings[settings.TIME_ZONE_KEY]
+        });
+
         settings.events.removeListener(settings.AUTOUPDATE_PATTERN_KEY, autoupdatePatternChanged);
         settings.events.on(settings.AUTOUPDATE_PATTERN_KEY, autoupdatePatternChanged);
         autoupdatePatternChanged(allSettings[settings.AUTOUPDATE_PATTERN_KEY]);
@@ -179,5 +189,8 @@ function uninitialize(callback) {
     if (gSchedulerSyncJob) gSchedulerSyncJob.stop();
     gSchedulerSyncJob = null;
 
+    if (gCertificateRenewJob) gCertificateRenewJob.stop();
+    gCertificateRenewJob = null;
+
     callback();
 }

src/developer.js

@@ -38,6 +38,7 @@ function DeveloperError(reason, errorOrMessage) {
 }
 util.inherits(DeveloperError, Error);
 DeveloperError.INTERNAL_ERROR = 'Internal Error';
+DeveloperError.EXTERNAL_ERROR = 'External Error';
 
 function enabled(callback) {
     assert.strictEqual(typeof callback, 'function');
@@ -77,8 +78,8 @@ function getNonApprovedApps(callback) {
 
     var url = config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/apps';
     superagent.get(url).query({ token: config.token(), boxVersion: config.version() }).end(function (error, result) {
-        if (error) return callback(new DeveloperError(DeveloperError.INTERNAL_ERROR, error));
-        if (result.status !== 200) return callback(new DeveloperError(DeveloperError.INTERNAL_ERROR, util.format('App listing failed. %s %j', result.status, result.body)));
+        if (error && !error.response) return callback(new DeveloperError(DeveloperError.EXTERNAL_ERROR, error));
+        if (result.statusCode !== 200) return callback(new DeveloperError(DeveloperError.EXTERNAL_ERROR, util.format('App listing failed. %s %j', result.status, result.body)));
 
         callback(null, result.body.apps || []);
     });

src/dns/caas.js

@@ -40,9 +40,9 @@ function add(dnsConfig, zoneName, subdomain, type, values, callback) {
         .query({ token: dnsConfig.token })
         .send(data)
         .end(function (error, result) {
-            if (error) return callback(error);
-            if (result.status === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
-            if (result.status !== 201) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+            if (error && !error.response) return callback(error);
+            if (result.statusCode === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
+            if (result.statusCode !== 201) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
 
             return callback(null, result.body.changeId);
         });
@@ -63,8 +63,8 @@ function get(dnsConfig, zoneName, subdomain, type, callback) {
         .get(config.apiServerOrigin() + '/api/v1/domains/' + fqdn)
         .query({ token: dnsConfig.token, type: type })
         .end(function (error, result) {
-            if (error) return callback(error);
-            if (result.status !== 200) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+            if (error && !error.response) return callback(error);
+            if (result.statusCode !== 200) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
 
             return callback(null, result.body.values);
         });
@@ -107,10 +107,10 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {
         .query({ token: dnsConfig.token })
         .send(data)
         .end(function (error, result) {
-            if (error) return callback(error);
-            if (result.status === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
-            if (result.status === 404) return callback(new SubdomainError(SubdomainError.NOT_FOUND));
-            if (result.status !== 204) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+            if (error && !error.response) return callback(error);
+            if (result.statusCode === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
+            if (result.statusCode === 404) return callback(new SubdomainError(SubdomainError.NOT_FOUND));
+            if (result.statusCode !== 204) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
 
             return callback(null);
         });
@@ -127,8 +127,8 @@ function getChangeStatus(dnsConfig, changeId, callback) {
         .get(config.apiServerOrigin() + '/api/v1/domains/' + config.fqdn() + '/status/' + changeId)
         .query({ token: dnsConfig.token })
         .end(function (error, result) {
-            if (error) return callback(error);
-            if (result.status !== 200) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+            if (error && !error.response) return callback(error);
+            if (result.statusCode !== 200) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
 
             return callback(null, result.body.status);
         });

src/nginx.js

@@ -0,0 +1,93 @@
+/* jslint node:true */
+
+'use strict';
+
+var assert = require('assert'),
+    config = require('./config.js'),
+    debug = require('debug')('box:src/nginx'),
+    ejs = require('ejs'),
+    fs = require('fs'),
+    path = require('path'),
+    paths = require('./paths.js'),
+    safe = require('safetydance'),
+    shell = require('./shell.js');
+
+exports = module.exports = {
+    configureAdmin: configureAdmin,
+    configureApp: configureApp,
+    unconfigureApp: unconfigureApp,
+    reload: reload
+};
+
+var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }),
+    RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh');
+
+function configureAdmin(certFilePath, keyFilePath, callback) {
+    assert.strictEqual(typeof certFilePath, 'string');
+    assert.strictEqual(typeof keyFilePath, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var data = {
+        sourceDir: path.resolve(__dirname, '..'),
+        adminOrigin: config.adminOrigin(),
+        vhost: config.adminFqdn(),
+        endpoint: 'admin',
+        certFilePath: certFilePath,
+        keyFilePath: keyFilePath
+    };
+    var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
+    var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, 'admin.conf');
+
+    if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) return callback(safe.error);
+
+    reload(callback);
+}
+
+function configureApp(app, certFilePath, keyFilePath, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof certFilePath, 'string');
+    assert.strictEqual(typeof keyFilePath, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var sourceDir = path.resolve(__dirname, '..');
+    var endpoint = app.oauthProxy ? 'oauthproxy' : 'app';
+    var vhost = config.appFqdn(app.location);
+
+    var data = {
+        sourceDir: sourceDir,
+        adminOrigin: config.adminOrigin(),
+        vhost: vhost,
+        port: app.httpPort,
+        endpoint: endpoint,
+        certFilePath: certFilePath,
+        keyFilePath: keyFilePath
+    };
+    var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
+
+    var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
+    debug('writing config for "%s" to %s', app.location, nginxConfigFilename);
+
+    if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
+        debug('Error creating nginx config for "%s" : %s', app.location, safe.error.message);
+        return callback(safe.error);
+    }
+
+    reload(callback);
+}
+
+function unconfigureApp(app, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
+    if (!safe.fs.unlinkSync(nginxConfigFilename)) {
+        debug('Error removing nginx configuration of "%s": %s', app.location, safe.error.message);
+        return callback(null);
+    }
+
+    reload(callback);
+}
+
+function reload(callback) {
+    shell.sudo('reload', [ RELOAD_NGINX_CMD ], callback);
+}

src/oauthproxy.js

@@ -92,7 +92,7 @@ function authenticate(req, res, next) {
             .post(config.internalAdminOrigin() + '/api/v1/oauth/token')
             .query(query).send(data)
             .end(function (error, result) {
-            if (error) {
+            if (error && !error.response) {
                 console.error(error);
                 return res.send(500, 'Unable to contact the oauth server.');
             }

src/paths.js

@@ -31,5 +31,5 @@ exports = module.exports = {
     UPDATE_CHECKER_FILE: path.join(config.baseDir(), 'data/box/updatechecker.json'),
 
     ACME_CHALLENGES_DIR: path.join(config.baseDir(), 'data/acme'),
-    ACME_ACCOUNT_KEY_FILE: path.join(config.baseDir(), 'data/box/acme.key')
+    ACME_ACCOUNT_KEY_FILE: path.join(config.baseDir(), 'data/box/acme/acme.key')
 };

src/routes/cloudron.js

@@ -59,7 +59,7 @@ function activate(req, res, next) {
 
         // Now let the api server know we got activated
         superagent.post(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/setup/done').query({ setupToken:req.query.setupToken }).end(function (error, result) {
-            if (error) return next(new HttpError(500, error));
+            if (error && !error.response) return next(new HttpError(500, error));
             if (result.statusCode === 403) return next(new HttpError(403, 'Invalid token'));
             if (result.statusCode === 409) return next(new HttpError(409, 'Already setup'));
             if (result.statusCode !== 201) return next(new HttpError(500, result.text ? result.text.message : 'Internal error'));
@@ -75,7 +75,7 @@ function setupTokenAuth(req, res, next) {
     if (typeof req.query.setupToken !== 'string') return next(new HttpError(400, 'no setupToken provided'));
 
     superagent.get(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/setup/verify').query({ setupToken:req.query.setupToken }).end(function (error, result) {
-        if (error) return next(new HttpError(500, error));
+        if (error && !error.response) return next(new HttpError(500, error));
         if (result.statusCode === 403) return next(new HttpError(403, 'Invalid token'));
         if (result.statusCode === 409) return next(new HttpError(409, 'Already setup'));
         if (result.statusCode !== 200) return next(new HttpError(500, result.text ? result.text.message : 'Internal error'));

src/routes/settings.js

@@ -23,6 +23,8 @@ exports = module.exports = {
 };
 
 var assert = require('assert'),
+    certificates = require('../certificates.js'),
+    CertificatesError = require('../certificates.js').CertificatesError,
     HttpError = require('connect-lastmile').HttpError,
     HttpSuccess = require('connect-lastmile').HttpSuccess,
     safe = require('safetydance'),
@@ -142,8 +144,8 @@ function setCertificate(req, res, next) {
     if (!req.body.cert || typeof req.body.cert !== 'string') return next(new HttpError(400, 'cert must be a string'));
     if (!req.body.key || typeof req.body.key !== 'string') return next(new HttpError(400, 'key must be a string'));
 
-    settings.setCertificate(req.body.cert, req.body.key, function (error) {
-        if (error && error.reason === SettingsError.INVALID_CERT) return next(new HttpError(400, error.message));
+    certificates.setFallbackCertificate(req.body.cert, req.body.key, function (error) {
+        if (error && error.reason === CertificatesError.INVALID_CERT) return next(new HttpError(400, error.message));
         if (error) return next(new HttpError(500, error));
 
         next(new HttpSuccess(202, {}));
@@ -157,8 +159,8 @@ function setAdminCertificate(req, res, next) {
     if (!req.body.cert || typeof req.body.cert !== 'string') return next(new HttpError(400, 'cert must be a string'));
     if (!req.body.key || typeof req.body.key !== 'string') return next(new HttpError(400, 'key must be a string'));
 
-    settings.setAdminCertificate(req.body.cert, req.body.key, function (error) {
-        if (error && error.reason === SettingsError.INVALID_CERT) return next(new HttpError(400, error.message));
+    certificates.setAdminCertificate(req.body.cert, req.body.key, function (error) {
+        if (error && error.reason === CertificatesError.INVALID_CERT) return next(new HttpError(400, error.message));
         if (error) return next(new HttpError(500, error));
 
         next(new HttpSuccess(202, {}));

src/routes/test/apps-test.js

@@ -27,7 +27,7 @@ var appdb = require('../../appdb.js'),
     nock = require('nock'),
     paths = require('../../paths.js'),
     redis = require('redis'),
-    request = require('superagent'),
+    superagent = require('superagent'),
     safe = require('safetydance'),
     server = require('../../server.js'),
     settings = require('../../settings.js'),
@@ -114,11 +114,10 @@ function setup(done) {
             var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
             var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
 
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .query({ setupToken: 'somesetuptoken' })
                    .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result).to.be.ok();
                 expect(result.statusCode).to.eql(201);
                 expect(scope1.isDone()).to.be.ok();
@@ -137,11 +136,10 @@ function setup(done) {
         },
 
         function (callback) {
-            request.post(SERVER_URL + '/api/v1/users')
+            superagent.post(SERVER_URL + '/api/v1/users')
                    .query({ access_token: token })
                    .send({ username: USERNAME_1, email: EMAIL_1 })
                    .end(function (err, res) {
-                expect(err).to.not.be.ok();
                 expect(res.statusCode).to.equal(201);
 
                 callback(null);
@@ -156,6 +154,7 @@ function setup(done) {
         },
 
         settings.setDnsConfig.bind(null, { provider: 'route53', accessKeyId: 'accessKeyId', secretAccessKey: 'secretAccessKey', endpoint: 'http://localhost:5353' }),
+        settings.setTlsConfig.bind(null, { provider: 'caas' }),
         settings.setBackupConfig.bind(null, { provider: 'caas', token: 'BACKUP_TOKEN', bucket: 'Bucket', prefix: 'Prefix' })
     ], done);
 }
@@ -197,174 +196,174 @@ describe('App API', function () {
     });
 
     it('app install fails - missing manifest', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, password: PASSWORD })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('manifest is required');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - missing appId', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ manifest: APP_MANIFEST, password: PASSWORD })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('appStoreId is required');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - invalid json', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send('garbage')
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
-            done(err);
+            done();
         });
     });
 
     it('app install fails - invalid location', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: '!awesome', accessRestriction: null, oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('Hostname can only contain alphanumerics and hyphen');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - invalid location type', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: 42, accessRestriction: null, oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('location is required');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - reserved admin location', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.ADMIN_LOCATION, accessRestriction: null, oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql(constants.ADMIN_LOCATION + ' is reserved');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - reserved api location', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.API_LOCATION, accessRestriction: null, oauthProxy: true })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql(constants.API_LOCATION + ' is reserved');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - portBindings must be object', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: 23, accessRestriction: null, oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('portBindings must be an object');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - accessRestriction is required', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('accessRestriction is required');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - accessRestriction type is wrong', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: '', oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('accessRestriction is required');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - accessRestriction no users not allowed', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST_1, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: null, oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('accessRestriction must specify one user');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - accessRestriction too many users not allowed', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST_1, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: { users: [ 'one', 'two' ] }, oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('accessRestriction must specify one user');
-            done(err);
+            done();
         });
     });
 
     it('app install fails - oauthProxy is required', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: null })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('oauthProxy must be a boolean');
-            done(err);
+            done();
         });
     });
 
     it('app install fails for non admin', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token_1 })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
-            done(err);
+            done();
         });
     });
 
     it('app install fails due to purchase failure', function (done) {
         var fake = nock(config.apiServerOrigin()).post('/api/v1/apps/test/purchase?token=APPSTORE_TOKEN').reply(402, {});
 
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(402);
             expect(fake.isDone()).to.be.ok();
-            done(err);
+            done();
         });
     });
 
     it('app install succeeds with purchase', function (done) {
         var fake = nock(config.apiServerOrigin()).post('/api/v1/apps/test/purchase?token=APPSTORE_TOKEN').reply(201, {});
 
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
                .end(function (err, res) {
@@ -372,14 +371,14 @@ describe('App API', function () {
             expect(res.body.id).to.be.a('string');
             APP_ID = res.body.id;
             expect(fake.isDone()).to.be.ok();
-            done(err);
+            done();
         });
     });
 
     it('app install fails because of conflicting location', function (done) {
         var fake = nock(config.apiServerOrigin()).post('/api/v1/apps/test/purchase?token=APPSTORE_TOKEN').reply(201, {});
 
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
                .end(function (err, res) {
@@ -390,120 +389,120 @@ describe('App API', function () {
     });
 
     it('can get app status', function (done) {
-        request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+        superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
                .query({ access_token: token })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(200);
             expect(res.body.id).to.eql(APP_ID);
             expect(res.body.installationState).to.be.ok();
-            done(err);
+            done();
          });
     });
 
     it('cannot get invalid app status', function (done) {
-        request.get(SERVER_URL + '/api/v1/apps/kubachi')
+        superagent.get(SERVER_URL + '/api/v1/apps/kubachi')
                .query({ access_token: token })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(404);
-            done(err);
+            done();
          });
     });
 
     it('can get all apps', function (done) {
-        request.get(SERVER_URL + '/api/v1/apps')
+        superagent.get(SERVER_URL + '/api/v1/apps')
                .query({ access_token: token })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(200);
             expect(res.body.apps).to.be.an('array');
             expect(res.body.apps[0].id).to.eql(APP_ID);
             expect(res.body.apps[0].installationState).to.be.ok();
-            done(err);
+            done();
          });
     });
 
     it('non admin can get all apps', function (done) {
-        request.get(SERVER_URL + '/api/v1/apps')
+        superagent.get(SERVER_URL + '/api/v1/apps')
                .query({ access_token: token_1 })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(200);
             expect(res.body.apps).to.be.an('array');
             expect(res.body.apps[0].id).to.eql(APP_ID);
             expect(res.body.apps[0].installationState).to.be.ok();
-            done(err);
+            done();
          });
     });
 
     it('can get appBySubdomain', function (done) {
-        request.get(SERVER_URL + '/api/v1/subdomains/' + APP_LOCATION)
+        superagent.get(SERVER_URL + '/api/v1/subdomains/' + APP_LOCATION)
                .end(function (err, res) {
             expect(res.statusCode).to.equal(200);
             expect(res.body.id).to.eql(APP_ID);
             expect(res.body.installationState).to.be.ok();
-            done(err);
+            done();
         });
     });
 
     it('cannot get invalid app by Subdomain', function (done) {
-        request.get(SERVER_URL + '/api/v1/subdomains/tikaloma')
+        superagent.get(SERVER_URL + '/api/v1/subdomains/tikaloma')
                .end(function (err, res) {
             expect(res.statusCode).to.equal(404);
-            done(err);
+            done();
         });
     });
 
     it('cannot uninstall invalid app', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/whatever/uninstall')
+        superagent.post(SERVER_URL + '/api/v1/apps/whatever/uninstall')
             .send({ password: PASSWORD })
             .query({ access_token: token })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(404);
-            done(err);
+            done();
         });
     });
 
     it('cannot uninstall app without password', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
             .query({ access_token: token })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
-            done(err);
+            done();
         });
     });
 
     it('cannot uninstall app with wrong password', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
             .send({ password: PASSWORD+PASSWORD })
             .query({ access_token: token })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
-            done(err);
+            done();
         });
     });
 
     it('non admin cannot uninstall app', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
             .send({ password: PASSWORD })
             .query({ access_token: token_1 })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
-            done(err);
+            done();
         });
     });
 
     it('can uninstall app', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
             .send({ password: PASSWORD })
             .query({ access_token: token })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(202);
-            done(err);
+            done();
         });
     });
 
     it('app install succeeds already purchased', function (done) {
         var fake = nock(config.apiServerOrigin()).post('/api/v1/apps/test/purchase?token=APPSTORE_TOKEN').reply(200, {});
 
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
                .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION_2, portBindings: null, accessRestriction: null, oauthProxy: false })
                .end(function (err, res) {
@@ -511,7 +510,7 @@ describe('App API', function () {
             expect(res.body.id).to.be.a('string');
             APP_ID = res.body.id;
             expect(fake.isDone()).to.be.ok();
-            done(err);
+            done();
         });
     });
 
@@ -521,7 +520,7 @@ describe('App API', function () {
         settings.setDeveloperMode(true, function (error) {
             expect(error).to.be(null);
 
-            request.post(SERVER_URL + '/api/v1/developer/login')
+            superagent.post(SERVER_URL + '/api/v1/developer/login')
                    .send({ username: USERNAME, password: PASSWORD })
                    .end(function (error, result) {
                 expect(error).to.not.be.ok();
@@ -532,7 +531,7 @@ describe('App API', function () {
                 // overwrite non dev token
                 token = result.body.token;
 
-                request.post(SERVER_URL + '/api/v1/apps/install')
+                superagent.post(SERVER_URL + '/api/v1/apps/install')
                        .query({ access_token: token })
                        .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, location: APP_LOCATION+APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
                        .end(function (err, res) {
@@ -540,18 +539,18 @@ describe('App API', function () {
                     expect(res.body.id).to.be.a('string');
                     expect(fake.isDone()).to.be.ok();
                     APP_ID = res.body.id;
-                    done(err);
+                    done();
                 });
             });
         });
     });
 
     it('can uninstall app without password but developer token', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
             .query({ access_token: token })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(202);
-            done(err);
+            done();
         });
     });
 });
@@ -628,7 +627,7 @@ describe('App installation', function () {
 
         var count = 0;
         function checkInstallStatus() {
-            request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+            superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
                .query({ access_token: token })
                .end(function (err, res) {
                 expect(res.statusCode).to.equal(200);
@@ -639,7 +638,7 @@ describe('App installation', function () {
             });
         }
 
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
@@ -705,7 +704,7 @@ describe('App installation', function () {
     it('installation - is up and running', function (done) {
         expect(appResult.httpPort).to.be(undefined);
         setTimeout(function () {
-            request.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
+            superagent.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
                 .end(function (err, res) {
                 expect(!err).to.be.ok();
                 expect(res.statusCode).to.equal(200);
@@ -842,7 +841,7 @@ describe('App installation', function () {
     });
 
     xit('logs - stdout and stderr', function (done) {
-        request.get(SERVER_URL + '/api/v1/apps/' + APP_ID + '/logs')
+        superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID + '/logs')
             .query({ access_token: token })
             .end(function (err, res) {
             var data = '';
@@ -856,7 +855,7 @@ describe('App installation', function () {
     });
 
     xit('logStream - requires event-stream accept header', function (done) {
-        request.get(SERVER_URL + '/api/v1/apps/' + APP_ID + '/logstream')
+        superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID + '/logstream')
             .query({ access_token: token, fromLine: 0 })
             .end(function (err, res) {
             expect(res.statusCode).to.be(400);
@@ -895,7 +894,7 @@ describe('App installation', function () {
     });
 
     it('non admin cannot stop app', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
             .query({ access_token: token_1 })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
@@ -904,7 +903,7 @@ describe('App installation', function () {
     });
 
     it('can stop app', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
             .query({ access_token: token })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(202);
@@ -915,7 +914,7 @@ describe('App installation', function () {
     it('did stop the app', function (done) {
         // give the app a couple of seconds to die
         setTimeout(function () {
-            request.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
+            superagent.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
                 .end(function (err, res) {
                 expect(err).to.be.ok();
                 done();
@@ -924,7 +923,7 @@ describe('App installation', function () {
     });
 
     it('nonadmin cannot start app', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/start')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/start')
             .query({ access_token: token_1 })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
@@ -933,7 +932,7 @@ describe('App installation', function () {
     });
 
     it('can start app', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/start')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/start')
             .query({ access_token: token })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(202);
@@ -943,7 +942,7 @@ describe('App installation', function () {
 
     it('did start the app', function (done) {
         setTimeout(function () {
-            request.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
+            superagent.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
                 .end(function (err, res) {
                 expect(!err).to.be.ok();
                 expect(res.statusCode).to.equal(200);
@@ -955,7 +954,7 @@ describe('App installation', function () {
     it('can uninstall app', function (done) {
         var count = 0;
         function checkUninstallStatus() {
-            request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+            superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
                .query({ access_token: token })
                .end(function (err, res) {
                 if (res.statusCode === 404) return done(null);
@@ -964,7 +963,7 @@ describe('App installation', function () {
             });
         }
 
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
             .send({ password: PASSWORD })
             .query({ access_token: token })
             .end(function (err, res) {
@@ -1064,6 +1063,8 @@ describe('App installation - port bindings', function () {
 
             settings.setDnsConfig.bind(null, { provider: 'route53', accessKeyId: 'accessKeyId', secretAccessKey: 'secretAccessKey', endpoint: 'http://localhost:5353' }),
 
+            settings.setTlsConfig.bind(null, { provider: 'caas' }),
+
             function (callback) {
                 awsHockInstance
                     .get('/2013-04-01/hostedzone')
@@ -1096,7 +1097,7 @@ describe('App installation - port bindings', function () {
 
         var count = 0;
         function checkInstallStatus() {
-            request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+            superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
                .query({ access_token: token })
                .end(function (err, res) {
                 expect(res.statusCode).to.equal(200);
@@ -1107,7 +1108,7 @@ describe('App installation - port bindings', function () {
             });
         }
 
-        request.post(SERVER_URL + '/api/v1/apps/install')
+        superagent.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: { ECHO_SERVER_PORT: 7171 }, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
@@ -1163,7 +1164,7 @@ describe('App installation - port bindings', function () {
         var tryCount = 20;
         expect(appResult.httpPort).to.be(undefined);
         (function healthCheck() {
-            request.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
+            superagent.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
                 .end(function (err, res) {
                 if (err || res.statusCode !== 200) {
                     if (--tryCount === 0) return done(new Error('Timedout'));
@@ -1253,7 +1254,7 @@ describe('App installation - port bindings', function () {
         assert.strictEqual(typeof count, 'number');
         assert.strictEqual(typeof done, 'function');
 
-        request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+        superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
            .query({ access_token: token })
            .end(function (err, res) {
             expect(res.statusCode).to.equal(200);
@@ -1265,7 +1266,7 @@ describe('App installation - port bindings', function () {
     }
 
     it('cannot reconfigure app with missing location', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
               .send({ appId: APP_ID, password: PASSWORD, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true })
               .end(function (err, res) {
@@ -1275,7 +1276,7 @@ describe('App installation - port bindings', function () {
     });
 
     it('cannot reconfigure app with missing accessRestriction', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
               .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, oauthProxy: false })
               .end(function (err, res) {
@@ -1285,7 +1286,7 @@ describe('App installation - port bindings', function () {
     });
 
     it('cannot reconfigure app with missing oauthProxy', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
               .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null })
               .end(function (err, res) {
@@ -1295,7 +1296,7 @@ describe('App installation - port bindings', function () {
     });
 
     it('cannot reconfigure app with only the cert, no key', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
               .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true, cert: validCert1 })
               .end(function (err, res) {
@@ -1305,7 +1306,7 @@ describe('App installation - port bindings', function () {
     });
 
     it('cannot reconfigure app with only the key, no cert', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
               .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true, key: validKey1 })
               .end(function (err, res) {
@@ -1315,7 +1316,7 @@ describe('App installation - port bindings', function () {
     });
 
     it('cannot reconfigure app with cert not bein a string', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
               .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true, cert: 1234, key: validKey1 })
               .end(function (err, res) {
@@ -1325,7 +1326,7 @@ describe('App installation - port bindings', function () {
     });
 
     it('cannot reconfigure app with key not bein a string', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
               .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true, cert: validCert1, key: 1234 })
               .end(function (err, res) {
@@ -1335,7 +1336,7 @@ describe('App installation - port bindings', function () {
     });
 
     it('non admin cannot reconfigure app', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token_1 })
               .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true })
               .end(function (err, res) {
@@ -1345,7 +1346,7 @@ describe('App installation - port bindings', function () {
     });
 
     it('can reconfigure app', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
               .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true })
               .end(function (err, res) {
@@ -1429,7 +1430,7 @@ describe('App installation - port bindings', function () {
     });
 
     it('can reconfigure app with custom certificate', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
               .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true, cert: validCert1, key: validKey1 })
               .end(function (err, res) {
@@ -1439,7 +1440,7 @@ describe('App installation - port bindings', function () {
     });
 
     it('can stop app', function (done) {
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
             .query({ access_token: token })
             .end(function (err, res) {
             expect(res.statusCode).to.equal(202);
@@ -1464,7 +1465,7 @@ describe('App installation - port bindings', function () {
     it('can uninstall app', function (done) {
         var count = 0;
         function checkUninstallStatus() {
-            request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+            superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
                .query({ access_token: token })
                .end(function (err, res) {
                 if (res.statusCode === 404) return done(null);
@@ -1473,7 +1474,7 @@ describe('App installation - port bindings', function () {
             });
         }
 
-        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
             .send({ password: PASSWORD })
             .query({ access_token: token })
             .end(function (err, res) {

src/routes/test/backups-test.js

@@ -11,7 +11,7 @@ var appdb = require('../../appdb.js'),
     config = require('../../config.js'),
     database = require('../../database.js'),
     expect = require('expect.js'),
-    request = require('superagent'),
+    superagent = require('superagent'),
     server = require('../../server.js'),
     settings = require('../../settings.js'),
     nock = require('nock'),
@@ -33,11 +33,10 @@ function setup(done) {
             var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
             var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
 
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .query({ setupToken: 'somesetuptoken' })
                    .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result).to.be.ok();
                 expect(result.statusCode).to.eql(201);
                 expect(scope1.isDone()).to.be.ok();
@@ -74,22 +73,22 @@ describe('Backups API', function () {
     after(cleanup);
 
     describe('get', function () {
-        it('cannot get backups with appstore request failing', function (done) {
+        it('cannot get backups with appstore superagent failing', function (done) {
             var req = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/backups?token=BACKUP_TOKEN').reply(401, {});
 
-            request.get(SERVER_URL + '/api/v1/backups')
+            superagent.get(SERVER_URL + '/api/v1/backups')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(503);
                 expect(req.isDone()).to.be.ok();
-                done(err);
+                done();
             });
         });
 
         it('can get backups', function (done) {
             var req = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/backups?token=BACKUP_TOKEN').reply(200, { backups: ['foo', 'bar']});
 
-            request.get(SERVER_URL + '/api/v1/backups')
+            superagent.get(SERVER_URL + '/api/v1/backups')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(200);
@@ -97,26 +96,24 @@ describe('Backups API', function () {
                 expect(res.body.backups).to.be.an(Array);
                 expect(res.body.backups[0]).to.eql('foo');
                 expect(res.body.backups[1]).to.eql('bar');
-                done(err);
+                done();
             });
         });
     });
 
     describe('create', function () {
         it('fails due to mising token', function (done) {
-            request.post(SERVER_URL + '/api/v1/backups')
+            superagent.post(SERVER_URL + '/api/v1/backups')
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('fails due to wrong token', function (done) {
-            request.post(SERVER_URL + '/api/v1/backups')
+            superagent.post(SERVER_URL + '/api/v1/backups')
                    .query({ access_token: token.toUpperCase() })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -127,10 +124,9 @@ describe('Backups API', function () {
                         .post('/api/v1/boxes/' + config.fqdn() + '/awscredentials?token=BACKUP_TOKEN')
                         .reply(201, { credentials: { AccessKeyId: 'accessKeyId', SecretAccessKey: 'secretAccessKey', SessionToken: 'sessionToken' } });
 
-            request.post(SERVER_URL + '/api/v1/backups')
+            superagent.post(SERVER_URL + '/api/v1/backups')
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(202);
 
                 function checkAppstoreServerCalled() {

src/routes/test/clients-test.js

@@ -46,7 +46,6 @@ describe('OAuth Clients API', function () {
                            .query({ setupToken: 'somesetuptoken' })
                            .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result).to.be.ok();
                         expect(result.statusCode).to.equal(201);
                         expect(scope1.isDone()).to.be.ok();
@@ -73,7 +72,6 @@ describe('OAuth Clients API', function () {
                        .query({ access_token: token })
                        .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile' })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(412);
                     done();
                 });
@@ -89,7 +87,6 @@ describe('OAuth Clients API', function () {
                 superagent.post(SERVER_URL + '/api/v1/oauth/clients')
                        .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile' })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(401);
                     done();
                 });
@@ -100,7 +97,6 @@ describe('OAuth Clients API', function () {
                        .query({ access_token: token })
                        .send({ redirectURI: 'http://foobar.com', scope: 'profile' })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(400);
                     done();
                 });
@@ -111,7 +107,6 @@ describe('OAuth Clients API', function () {
                        .query({ access_token: token })
                        .send({ appId: '', redirectURI: 'http://foobar.com', scope: 'profile' })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(400);
                     done();
                 });
@@ -122,7 +117,6 @@ describe('OAuth Clients API', function () {
                        .query({ access_token: token })
                        .send({ appId: 'someApp', redirectURI: 'http://foobar.com' })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(400);
                     done();
                 });
@@ -133,7 +127,6 @@ describe('OAuth Clients API', function () {
                        .query({ access_token: token })
                        .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: '' })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(400);
                     done();
                 });
@@ -144,7 +137,6 @@ describe('OAuth Clients API', function () {
                        .query({ access_token: token })
                        .send({ appId: 'someApp', scope: 'profile' })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(400);
                     done();
                 });
@@ -155,7 +147,6 @@ describe('OAuth Clients API', function () {
                        .query({ access_token: token })
                        .send({ appId: 'someApp', redirectURI: '', scope: 'profile' })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(400);
                     done();
                 });
@@ -166,7 +157,6 @@ describe('OAuth Clients API', function () {
                        .query({ access_token: token })
                        .send({ appId: 'someApp', redirectURI: 'foobar', scope: 'profile' })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(400);
                     done();
                 });
@@ -177,7 +167,6 @@ describe('OAuth Clients API', function () {
                        .query({ access_token: token })
                        .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile' })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(201);
                     expect(result.body.id).to.be.a('string');
                     expect(result.body.appId).to.be.a('string');
@@ -211,7 +200,6 @@ describe('OAuth Clients API', function () {
                            .query({ setupToken: 'somesetuptoken' })
                            .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result).to.be.ok();
                         expect(scope1.isDone()).to.be.ok();
                         expect(scope2.isDone()).to.be.ok();
@@ -230,7 +218,6 @@ describe('OAuth Clients API', function () {
                            .query({ access_token: token })
                            .send({ appId: CLIENT_0.appId, redirectURI: CLIENT_0.redirectURI, scope: CLIENT_0.scope })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result.statusCode).to.equal(201);
 
                         CLIENT_0 = result.body;
@@ -252,7 +239,6 @@ describe('OAuth Clients API', function () {
                 superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                        .query({ access_token: token })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(412);
                     done();
                 });
@@ -267,7 +253,6 @@ describe('OAuth Clients API', function () {
             it('fails without token', function (done) {
                 superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(401);
                     done();
                 });
@@ -278,7 +263,6 @@ describe('OAuth Clients API', function () {
                 superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id.toUpperCase())
                        .query({ access_token: token })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(404);
                     done();
                 });
@@ -288,7 +272,6 @@ describe('OAuth Clients API', function () {
                 superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                        .query({ access_token: token })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(200);
                     expect(result.body).to.eql(CLIENT_0);
                     done();
@@ -318,7 +301,6 @@ describe('OAuth Clients API', function () {
                            .query({ setupToken: 'somesetuptoken' })
                            .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result).to.be.ok();
                         expect(scope1.isDone()).to.be.ok();
                         expect(scope2.isDone()).to.be.ok();
@@ -337,7 +319,6 @@ describe('OAuth Clients API', function () {
                            .query({ access_token: token })
                            .send({ appId: CLIENT_0.appId, redirectURI: CLIENT_0.redirectURI, scope: CLIENT_0.scope })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result.statusCode).to.equal(201);
 
                         CLIENT_0 = result.body;
@@ -359,7 +340,6 @@ describe('OAuth Clients API', function () {
                 superagent.del(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                        .query({ access_token: token })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(412);
                     done();
                 });
@@ -374,7 +354,6 @@ describe('OAuth Clients API', function () {
             it('fails without token', function (done) {
                 superagent.del(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(401);
                     done();
                 });
@@ -385,7 +364,6 @@ describe('OAuth Clients API', function () {
                 superagent.del(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id.toUpperCase())
                        .query({ access_token: token })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(404);
                     done();
                 });
@@ -395,13 +373,11 @@ describe('OAuth Clients API', function () {
                 superagent.del(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                        .query({ access_token: token })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(204);
 
                     superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                            .query({ access_token: token })
                            .end(function (error, result) {
-                        expect(error).to.be(null);
                         expect(result.statusCode).to.equal(404);
 
                         done();
@@ -443,7 +419,6 @@ describe('Clients', function () {
                        .query({ setupToken: 'somesetuptoken' })
                        .send({ username: USER_0.username, password: USER_0.password, email: USER_0.email })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result).to.be.ok();
                     expect(result.statusCode).to.eql(201);
                     expect(scope1.isDone()).to.be.ok();
@@ -473,7 +448,6 @@ describe('Clients', function () {
         it('fails due to missing token', function (done) {
             superagent.get(SERVER_URL + '/api/v1/oauth/clients')
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -483,7 +457,6 @@ describe('Clients', function () {
             superagent.get(SERVER_URL + '/api/v1/oauth/clients')
             .query({ access_token: '' })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -493,7 +466,6 @@ describe('Clients', function () {
             superagent.get(SERVER_URL + '/api/v1/oauth/clients')
             .query({ access_token: token.toUpperCase() })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -503,7 +475,6 @@ describe('Clients', function () {
             superagent.get(SERVER_URL + '/api/v1/oauth/clients')
             .query({ access_token: token })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(200);
 
                 expect(result.body.clients.length).to.eql(1);
@@ -521,7 +492,6 @@ describe('Clients', function () {
         it('fails due to missing token', function (done) {
             superagent.get(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -531,7 +501,6 @@ describe('Clients', function () {
             superagent.get(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
             .query({ access_token: '' })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -541,7 +510,6 @@ describe('Clients', function () {
             superagent.get(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
             .query({ access_token: token.toUpperCase() })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -551,7 +519,6 @@ describe('Clients', function () {
             superagent.get(SERVER_URL + '/api/v1/oauth/clients/CID-WEBADMIN/tokens')
             .query({ access_token: token })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(404);
                 done();
             });
@@ -561,7 +528,6 @@ describe('Clients', function () {
             superagent.get(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
             .query({ access_token: token })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(200);
 
                 expect(result.body.tokens.length).to.eql(1);
@@ -579,7 +545,6 @@ describe('Clients', function () {
         it('fails due to missing token', function (done) {
             superagent.del(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -589,7 +554,6 @@ describe('Clients', function () {
             superagent.del(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
             .query({ access_token: '' })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -599,7 +563,6 @@ describe('Clients', function () {
             superagent.del(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
             .query({ access_token: token.toUpperCase() })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -609,7 +572,6 @@ describe('Clients', function () {
             superagent.del(SERVER_URL + '/api/v1/oauth/clients/CID-WEBADMIN/tokens')
             .query({ access_token: token })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(404);
                 done();
             });
@@ -619,7 +581,6 @@ describe('Clients', function () {
             superagent.get(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
             .query({ access_token: token })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(200);
 
                 expect(result.body.tokens.length).to.eql(1);
@@ -628,14 +589,12 @@ describe('Clients', function () {
                 superagent.del(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
                 .query({ access_token: token })
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(204);
 
                     // further calls with this token should not work
                     superagent.get(SERVER_URL + '/api/v1/profile')
                     .query({ access_token: token })
                     .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result.statusCode).to.equal(401);
                         done();
                     });

src/routes/test/cloudron-test.js

@@ -11,7 +11,7 @@ var async = require('async'),
     database = require('../../database.js'),
     expect = require('expect.js'),
     nock = require('nock'),
-    request = require('superagent'),
+    superagent = require('superagent'),
     server = require('../../server.js'),
     shell = require('../../shell.js');
 
@@ -54,10 +54,9 @@ describe('Cloudron', function () {
         after(cleanup);
 
         it('fails due to missing setupToken', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .send({ username: '', password: 'somepassword', email: 'admin@foo.bar' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
@@ -66,11 +65,10 @@ describe('Cloudron', function () {
         it('fails due to empty username', function (done) {
             var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
 
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .query({ setupToken: 'somesetuptoken' })
                    .send({ username: '', password: 'somepassword', email: 'admin@foo.bar' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 expect(scope.isDone()).to.be.ok();
                 done();
@@ -80,11 +78,10 @@ describe('Cloudron', function () {
         it('fails due to empty password', function (done) {
             var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
 
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .query({ setupToken: 'somesetuptoken' })
                    .send({ username: 'someuser', password: '', email: 'admin@foo.bar' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 expect(scope.isDone()).to.be.ok();
                 done();
@@ -94,11 +91,10 @@ describe('Cloudron', function () {
         it('fails due to empty email', function (done) {
             var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
 
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .query({ setupToken: 'somesetuptoken' })
                    .send({ username: 'someuser', password: 'somepassword', email: '' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 expect(scope.isDone()).to.be.ok();
                 done();
@@ -108,11 +104,10 @@ describe('Cloudron', function () {
         it('fails due to empty name', function (done) {
             var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
 
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .query({ setupToken: 'somesetuptoken' })
                    .send({ username: 'someuser', password: '', email: 'admin@foo.bar', name: '' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 expect(scope.isDone()).to.be.ok();
                 done();
@@ -122,11 +117,10 @@ describe('Cloudron', function () {
         it('fails due to invalid email', function (done) {
             var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
 
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .query({ setupToken: 'somesetuptoken' })
                    .send({ username: 'someuser', password: 'somepassword', email: 'invalidemail' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 expect(scope.isDone()).to.be.ok();
                 done();
@@ -137,11 +131,10 @@ describe('Cloudron', function () {
             var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
             var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
 
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .query({ setupToken: 'somesetuptoken' })
                    .send({ username: 'someuser', password: 'somepassword', email: 'admin@foo.bar', name: 'tester' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(201);
                 expect(scope1.isDone()).to.be.ok();
                 expect(scope2.isDone()).to.be.ok();
@@ -152,11 +145,10 @@ describe('Cloudron', function () {
         it('fails the second time', function (done) {
             var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
 
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .query({ setupToken: 'somesetuptoken' })
                    .send({ username: 'someuser', password: 'somepassword', email: 'admin@foo.bar' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(409);
                 expect(scope.isDone()).to.be.ok();
                 done();
@@ -175,11 +167,10 @@ describe('Cloudron', function () {
 
                     config._reset();
 
-                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                            .query({ setupToken: 'somesetuptoken' })
                            .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result).to.be.ok();
                         expect(scope1.isDone()).to.be.ok();
                         expect(scope2.isDone()).to.be.ok();
@@ -196,19 +187,17 @@ describe('Cloudron', function () {
         after(cleanup);
 
         it('cannot get without token', function (done) {
-            request.get(SERVER_URL + '/api/v1/cloudron/config')
+            superagent.get(SERVER_URL + '/api/v1/cloudron/config')
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('succeeds without appstore', function (done) {
-            request.get(SERVER_URL + '/api/v1/cloudron/config')
+            superagent.get(SERVER_URL + '/api/v1/cloudron/config')
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(200);
                 expect(result.body.apiServerOrigin).to.eql('http://localhost:6060');
                 expect(result.body.webServerOrigin).to.eql(null);
@@ -230,10 +219,9 @@ describe('Cloudron', function () {
         it('succeeds', function (done) {
             var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/localhost?token=' + config.token()).reply(200, { box: { region: 'sfo', size: '1gb' }});
 
-            request.get(SERVER_URL + '/api/v1/cloudron/config')
+            superagent.get(SERVER_URL + '/api/v1/cloudron/config')
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(200);
                 expect(result.body.apiServerOrigin).to.eql('http://localhost:6060');
                 expect(result.body.webServerOrigin).to.eql(null);
@@ -267,11 +255,10 @@ describe('Cloudron', function () {
 
                     config._reset();
 
-                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                            .query({ setupToken: 'somesetuptoken' })
                            .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result).to.be.ok();
                         expect(scope1.isDone()).to.be.ok();
                         expect(scope2.isDone()).to.be.ok();
@@ -284,11 +271,10 @@ describe('Cloudron', function () {
                 },
 
                 function setupBackupConfig(callback) {
-                    request.post(SERVER_URL + '/api/v1/settings/backup_config')
+                    superagent.post(SERVER_URL + '/api/v1/settings/backup_config')
                            .send({ provider: 'caas', token: 'BACKUP_TOKEN', bucket: 'Bucket', prefix: 'Prefix' })
                            .query({ access_token: token })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result.statusCode).to.equal(200);
 
                         callback();
@@ -301,65 +287,59 @@ describe('Cloudron', function () {
         after(cleanup);
 
         it('fails without token', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
                    .send({ size: 'small', region: 'sfo'})
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('fails without password', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
                    .send({ size: 'small', region: 'sfo'})
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails with missing size', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
                    .send({ region: 'sfo', password: PASSWORD })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails with wrong size type', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
                    .send({ size: 4, region: 'sfo', password: PASSWORD })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails with missing region', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
                    .send({ size: 'small', password: PASSWORD })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails with wrong region type', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
                    .send({ size: 'small', region: 4, password: PASSWORD })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
@@ -383,11 +363,10 @@ describe('Cloudron', function () {
 
             injectShellMock();
 
-            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
                    .send({ size: 'small', region: 'sfo', password: PASSWORD })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(202);
 
                 function checkAppstoreServerCalled() {
@@ -420,11 +399,10 @@ describe('Cloudron', function () {
 
             injectShellMock();
 
-            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
                    .send({ size: 'small', region: 'sfo', password: PASSWORD })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(202);
 
                 function checkAppstoreServerCalled() {
@@ -452,11 +430,10 @@ describe('Cloudron', function () {
 
                     config._reset();
 
-                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                            .query({ setupToken: 'somesetuptoken' })
                            .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result).to.be.ok();
                         expect(scope1.isDone()).to.be.ok();
                         expect(scope2.isDone()).to.be.ok();
@@ -473,125 +450,112 @@ describe('Cloudron', function () {
         after(cleanup);
 
         it('fails without token', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ type: 'ticket', subject: 'some subject', description: 'some description' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('fails without type', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ subject: 'some subject', description: 'some description' })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails with empty type', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ type: '', subject: 'some subject', description: 'some description' })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails with unknown type', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ type: 'foobar', subject: 'some subject', description: 'some description' })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('succeeds with ticket type', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ type: 'ticket', subject: 'some subject', description: 'some description' })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(201);
                 done();
             });
         });
 
         it('succeeds with app type', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ type: 'app', subject: 'some subject', description: 'some description' })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(201);
                 done();
             });
         });
 
         it('fails without description', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ type: 'ticket', subject: 'some subject' })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails with empty subject', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ type: 'ticket', subject: '', description: 'some description' })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails with empty description', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ type: 'ticket', subject: 'some subject', description: '' })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('succeeds with feedback type', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ type: 'feedback', subject: 'some subject', description: 'some description' })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(201);
                 done();
             });
         });
 
         it('fails without subject', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
                    .send({ type: 'ticket', description: 'some description' })
                    .query({ access_token: token })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
     });
 });
-
-

src/routes/test/developer-test.js

@@ -11,7 +11,7 @@ var async = require('async'),
     database = require('../../database.js'),
     expect = require('expect.js'),
     nock = require('nock'),
-    request = require('superagent'),
+    superagent = require('superagent'),
     server = require('../../server.js'),
     settings = require('../../settings.js');
 
@@ -43,11 +43,10 @@ describe('Developer API', function () {
                     var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
                     var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
 
-                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                            .query({ setupToken: 'somesetuptoken' })
                            .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result).to.be.ok();
                         expect(scope1.isDone()).to.be.ok();
                         expect(scope2.isDone()).to.be.ok();
@@ -67,9 +66,8 @@ describe('Developer API', function () {
             settings.setDeveloperMode(true, function (error) {
                 expect(error).to.be(null);
 
-                request.get(SERVER_URL + '/api/v1/developer')
+                superagent.get(SERVER_URL + '/api/v1/developer')
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(401);
                     done();
                 });
@@ -80,10 +78,9 @@ describe('Developer API', function () {
             settings.setDeveloperMode(true, function (error) {
                 expect(error).to.be(null);
 
-                request.get(SERVER_URL + '/api/v1/developer')
+                superagent.get(SERVER_URL + '/api/v1/developer')
                        .query({ access_token: token })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(200);
                     done();
                 });
@@ -94,10 +91,9 @@ describe('Developer API', function () {
             settings.setDeveloperMode(false, function (error) {
                 expect(error).to.be(null);
 
-                request.get(SERVER_URL + '/api/v1/developer')
+                superagent.get(SERVER_URL + '/api/v1/developer')
                        .query({ access_token: token })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(412);
                     done();
                 });
@@ -114,11 +110,10 @@ describe('Developer API', function () {
                     var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
                     var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
 
-                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                            .query({ setupToken: 'somesetuptoken' })
                            .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result).to.be.ok();
                         expect(scope1.isDone()).to.be.ok();
                         expect(scope2.isDone()).to.be.ok();
@@ -135,82 +130,74 @@ describe('Developer API', function () {
         after(cleanup);
 
         it('fails without token', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer')
+            superagent.post(SERVER_URL + '/api/v1/developer')
                    .send({ enabled: true })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('fails due to missing password', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer')
+            superagent.post(SERVER_URL + '/api/v1/developer')
                    .query({ access_token: token })
                    .send({ enabled: true })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails due to empty password', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer')
+            superagent.post(SERVER_URL + '/api/v1/developer')
                    .query({ access_token: token })
                    .send({ password: '', enabled: true })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(403);
                 done();
             });
         });
 
         it('fails due to wrong password', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer')
+            superagent.post(SERVER_URL + '/api/v1/developer')
                    .query({ access_token: token })
                    .send({ password: PASSWORD.toUpperCase(), enabled: true })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(403);
                 done();
             });
         });
 
         it('fails due to missing enabled property', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer')
+            superagent.post(SERVER_URL + '/api/v1/developer')
                    .query({ access_token: token })
                    .send({ password: PASSWORD })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails due to wrong enabled property type', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer')
+            superagent.post(SERVER_URL + '/api/v1/developer')
                    .query({ access_token: token })
                    .send({ password: PASSWORD, enabled: 'true' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('succeeds enabling', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer')
+            superagent.post(SERVER_URL + '/api/v1/developer')
                    .query({ access_token: token })
                    .send({ password: PASSWORD, enabled: true })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(200);
 
-                request.get(SERVER_URL + '/api/v1/developer')
+                superagent.get(SERVER_URL + '/api/v1/developer')
                        .query({ access_token: token })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(200);
                     done();
                 });
@@ -218,17 +205,15 @@ describe('Developer API', function () {
         });
 
         it('succeeds disabling', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer')
+            superagent.post(SERVER_URL + '/api/v1/developer')
                    .query({ access_token: token })
                    .send({ password: PASSWORD, enabled: false })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(200);
 
-                request.get(SERVER_URL + '/api/v1/developer')
+                superagent.get(SERVER_URL + '/api/v1/developer')
                        .query({ access_token: token })
                        .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(412);
                     done();
                 });
@@ -247,11 +232,10 @@ describe('Developer API', function () {
                     var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
                     var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
 
-                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                            .query({ setupToken: 'somesetuptoken' })
                            .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                            .end(function (error, result) {
-                        expect(error).to.not.be.ok();
                         expect(result).to.be.ok();
                         expect(scope1.isDone()).to.be.ok();
                         expect(scope2.isDone()).to.be.ok();
@@ -268,79 +252,71 @@ describe('Developer API', function () {
         after(cleanup);
 
         it('fails without body', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer/login')
+            superagent.post(SERVER_URL + '/api/v1/developer/login')
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('fails without username', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer/login')
+            superagent.post(SERVER_URL + '/api/v1/developer/login')
                    .send({ password: PASSWORD })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('fails without password', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer/login')
+            superagent.post(SERVER_URL + '/api/v1/developer/login')
                    .send({ username: USERNAME })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('fails with empty username', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer/login')
+            superagent.post(SERVER_URL + '/api/v1/developer/login')
                    .send({ username: '', password: PASSWORD })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('fails with empty password', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer/login')
+            superagent.post(SERVER_URL + '/api/v1/developer/login')
                    .send({ username: USERNAME, password: '' })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('fails with unknown username', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer/login')
+            superagent.post(SERVER_URL + '/api/v1/developer/login')
                    .send({ username: USERNAME.toUpperCase(), password: PASSWORD })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('fails with wrong password', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer/login')
+            superagent.post(SERVER_URL + '/api/v1/developer/login')
                    .send({ username: USERNAME, password: PASSWORD.toUpperCase() })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('with username succeeds', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer/login')
+            superagent.post(SERVER_URL + '/api/v1/developer/login')
                    .send({ username: USERNAME, password: PASSWORD })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(200);
                 expect(result.body.expiresAt).to.be.a('number');
                 expect(result.body.token).to.be.a('string');
@@ -349,10 +325,9 @@ describe('Developer API', function () {
         });
 
         it('with email succeeds', function (done) {
-            request.post(SERVER_URL + '/api/v1/developer/login')
+            superagent.post(SERVER_URL + '/api/v1/developer/login')
                    .send({ username: EMAIL, password: PASSWORD })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(200);
                 expect(result.body.expiresAt).to.be.a('number');
                 expect(result.body.token).to.be.a('string');

src/routes/test/oauth2-test.js

@@ -319,7 +319,6 @@ describe('OAuth2', function () {
             it('fails due to missing redirect_uri param', function (done) {
                 superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize')
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                     expect(result.text.indexOf('Invalid request. redirect_uri query param is not set.')).to.not.equal(-1);
                     expect(result.statusCode).to.equal(200);
@@ -330,7 +329,6 @@ describe('OAuth2', function () {
             it('fails due to missing client_id param', function (done) {
                 superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect')
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                     expect(result.text.indexOf('Invalid request. client_id query param is not set.')).to.not.equal(-1);
                     expect(result.statusCode).to.equal(200);
@@ -341,7 +339,6 @@ describe('OAuth2', function () {
             it('fails due to missing response_type param', function (done) {
                 superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect&client_id=someclientid')
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                     expect(result.text.indexOf('Invalid request. response_type query param is not set.')).to.not.equal(-1);
                     expect(result.statusCode).to.equal(200);
@@ -352,7 +349,6 @@ describe('OAuth2', function () {
             it('fails for unkown grant type', function (done) {
                 superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect&client_id=someclientid&response_type=foobar')
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                     expect(result.text.indexOf('Invalid request. Only token and code response types are supported.')).to.not.equal(-1);
                     expect(result.statusCode).to.equal(200);
@@ -363,7 +359,6 @@ describe('OAuth2', function () {
             it('succeeds for grant type code', function (done) {
                 superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect&client_id=someclientid&response_type=code')
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.text).to.eql('<script>window.location.href = "/api/v1/session/login?returnTo=http://someredirect";</script>');
                     expect(result.statusCode).to.equal(200);
                     done();
@@ -373,7 +368,6 @@ describe('OAuth2', function () {
             it('succeeds for grant type token', function (done) {
                 superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect&client_id=someclientid&response_type=token')
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.text).to.eql('<script>window.location.href = "/api/v1/session/login?returnTo=http://someredirect";</script>');
                     expect(result.statusCode).to.equal(200);
                     done();
@@ -388,7 +382,6 @@ describe('OAuth2', function () {
             it('fails without prior authentication call and not returnTo query', function (done) {
                 superagent.get(SERVER_URL + '/api/v1/session/login')
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                     expect(result.text.indexOf('Invalid login request. No returnTo provided.')).to.not.equal(-1);
                     expect(result.statusCode).to.equal(200);
@@ -401,7 +394,6 @@ describe('OAuth2', function () {
                 superagent.get(SERVER_URL + '/api/v1/session/login?returnTo=http://someredirect')
                 .redirects(0)
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(302);
                     expect(result.headers.location).to.eql('http://someredirect');
 
@@ -413,7 +405,6 @@ describe('OAuth2', function () {
                 superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect&response_type=code')
                 .redirects(0)
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                     expect(result.text.indexOf('Invalid request. client_id query param is not set.')).to.not.equal(-1);
                     expect(result.statusCode).to.equal(200);
@@ -1289,7 +1280,6 @@ describe('Password', function () {
         it('reset request succeeds', function (done) {
             superagent.get(SERVER_URL + '/api/v1/session/password/resetRequest.html')
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.text.indexOf('<!-- tester -->')).to.not.equal(-1);
                 expect(result.statusCode).to.equal(200);
                 done();
@@ -1299,7 +1289,6 @@ describe('Password', function () {
         it('setup fails due to missing reset_token', function (done) {
             superagent.get(SERVER_URL + '/api/v1/session/password/setup.html')
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
@@ -1309,7 +1298,6 @@ describe('Password', function () {
             superagent.get(SERVER_URL + '/api/v1/session/password/setup.html')
             .query({ reset_token: hat(256) })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -1319,7 +1307,6 @@ describe('Password', function () {
             superagent.get(SERVER_URL + '/api/v1/session/password/setup.html')
             .query({ reset_token: USER_0.resetToken })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(200);
                 expect(result.text.indexOf('<!-- tester -->')).to.not.equal(-1);
                 done();
@@ -1329,7 +1316,6 @@ describe('Password', function () {
         it('reset fails due to missing reset_token', function (done) {
             superagent.get(SERVER_URL + '/api/v1/session/password/reset.html')
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
@@ -1339,7 +1325,6 @@ describe('Password', function () {
             superagent.get(SERVER_URL + '/api/v1/session/password/reset.html')
             .query({ reset_token: hat(256) })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -1349,7 +1334,6 @@ describe('Password', function () {
             superagent.get(SERVER_URL + '/api/v1/session/password/reset.html')
             .query({ reset_token: USER_0.resetToken })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.text.indexOf('<!-- tester -->')).to.not.equal(-1);
                 expect(result.statusCode).to.equal(200);
                 done();
@@ -1359,7 +1343,6 @@ describe('Password', function () {
         it('sent succeeds', function (done) {
             superagent.get(SERVER_URL + '/api/v1/session/password/sent.html')
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.text.indexOf('<!-- tester -->')).to.not.equal(-1);
                 expect(result.statusCode).to.equal(200);
                 done();
@@ -1375,7 +1358,6 @@ describe('Password', function () {
             superagent.post(SERVER_URL + '/api/v1/session/password/resetRequest')
             .send({ identifier: USER_0.email })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.text.indexOf('<!-- tester -->')).to.not.equal(-1);
                 expect(result.statusCode).to.equal(200);
                 done();
@@ -1391,7 +1373,6 @@ describe('Password', function () {
             superagent.post(SERVER_URL + '/api/v1/session/password/reset')
             .send({ password: 'somepassword' })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
@@ -1401,7 +1382,6 @@ describe('Password', function () {
             superagent.post(SERVER_URL + '/api/v1/session/password/reset')
             .send({ resetToken: hat(256) })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
@@ -1411,7 +1391,6 @@ describe('Password', function () {
             superagent.post(SERVER_URL + '/api/v1/session/password/reset')
             .send({ password: '', resetToken: hat(256) })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -1421,7 +1400,6 @@ describe('Password', function () {
             superagent.post(SERVER_URL + '/api/v1/session/password/reset')
             .send({ password: '', resetToken: '' })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -1439,7 +1417,6 @@ describe('Password', function () {
             superagent.post(SERVER_URL + '/api/v1/session/password/reset')
             .send({ password: 'somepassword', resetToken: USER_0.resetToken })
             .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(scope.isDone()).to.be.ok();
                 expect(result.statusCode).to.equal(200);
                 done();

src/routes/test/settings-test.js

@@ -13,7 +13,7 @@ var appdb = require('../../appdb.js'),
     expect = require('expect.js'),
     path = require('path'),
     paths = require('../../paths.js'),
-    request = require('superagent'),
+    superagent = require('superagent'),
     server = require('../../server.js'),
     settings = require('../../settings.js'),
     fs = require('fs'),
@@ -38,11 +38,10 @@ function setup(done) {
             var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
             var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
 
-            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                    .query({ setupToken: 'somesetuptoken' })
                    .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result).to.be.ok();
                 expect(result.statusCode).to.eql(201);
                 expect(scope1.isDone()).to.be.ok();
@@ -78,17 +77,17 @@ describe('Settings API', function () {
 
     describe('autoupdate_pattern', function () {
         it('can get auto update pattern (default)', function (done) {
-            request.get(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
+            superagent.get(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(200);
                 expect(res.body.pattern).to.be.ok();
-                done(err);
+                done();
             });
         });
 
         it('cannot set autoupdate_pattern without pattern', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
+            superagent.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(400);
@@ -102,7 +101,7 @@ describe('Settings API', function () {
                 eventPattern = pattern;
             });
 
-            request.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
+            superagent.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
                    .query({ access_token: token })
                    .send({ pattern: '00 30 11 * * 1-5' })
                    .end(function (err, res) {
@@ -118,7 +117,7 @@ describe('Settings API', function () {
                 eventPattern = pattern;
             });
 
-            request.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
+            superagent.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
                    .query({ access_token: token })
                    .send({ pattern: 'never' })
                    .end(function (err, res) {
@@ -129,7 +128,7 @@ describe('Settings API', function () {
         });
 
         it('cannot set invalid autoupdate_pattern', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
+            superagent.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
                    .query({ access_token: token })
                    .send({ pattern: '1 3 x 5 6' })
                    .end(function (err, res) {
@@ -143,17 +142,17 @@ describe('Settings API', function () {
         var name = 'foobar';
 
         it('get default succeeds', function (done) {
-            request.get(SERVER_URL + '/api/v1/settings/cloudron_name')
+            superagent.get(SERVER_URL + '/api/v1/settings/cloudron_name')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(200);
                 expect(res.body.name).to.be.ok();
-                done(err);
+                done();
             });
         });
 
         it('cannot set without name', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/cloudron_name')
+            superagent.post(SERVER_URL + '/api/v1/settings/cloudron_name')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(400);
@@ -162,7 +161,7 @@ describe('Settings API', function () {
         });
 
         it('cannot set empty name', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/cloudron_name')
+            superagent.post(SERVER_URL + '/api/v1/settings/cloudron_name')
                    .query({ access_token: token })
                    .send({ name: '' })
                    .end(function (err, res) {
@@ -172,7 +171,7 @@ describe('Settings API', function () {
         });
 
         it('set succeeds', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/cloudron_name')
+            superagent.post(SERVER_URL + '/api/v1/settings/cloudron_name')
                    .query({ access_token: token })
                    .send({ name: name })
                    .end(function (err, res) {
@@ -182,29 +181,29 @@ describe('Settings API', function () {
         });
 
         it('get succeeds', function (done) {
-            request.get(SERVER_URL + '/api/v1/settings/cloudron_name')
+            superagent.get(SERVER_URL + '/api/v1/settings/cloudron_name')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(200);
                 expect(res.body.name).to.eql(name);
-                done(err);
+                done();
             });
         });
     });
 
     describe('cloudron_avatar', function () {
         it('get default succeeds', function (done) {
-            request.get(SERVER_URL + '/api/v1/settings/cloudron_avatar')
+            superagent.get(SERVER_URL + '/api/v1/settings/cloudron_avatar')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(200);
                 expect(res.body).to.be.a(Buffer);
-                done(err);
+                done();
             });
         });
 
         it('cannot set without data', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/cloudron_avatar')
+            superagent.post(SERVER_URL + '/api/v1/settings/cloudron_avatar')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(400);
@@ -213,7 +212,7 @@ describe('Settings API', function () {
         });
 
         it('set succeeds', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/cloudron_avatar')
+            superagent.post(SERVER_URL + '/api/v1/settings/cloudron_avatar')
                    .query({ access_token: token })
                    .attach('avatar', paths.CLOUDRON_DEFAULT_AVATAR_FILE)
                    .end(function (err, res) {
@@ -223,7 +222,7 @@ describe('Settings API', function () {
         });
 
         it('get succeeds', function (done) {
-            request.get(SERVER_URL + '/api/v1/settings/cloudron_avatar')
+            superagent.get(SERVER_URL + '/api/v1/settings/cloudron_avatar')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(200);
@@ -235,17 +234,17 @@ describe('Settings API', function () {
 
     describe('dns_config', function () {
         it('get dns_config fails', function (done) {
-            request.get(SERVER_URL + '/api/v1/settings/dns_config')
+            superagent.get(SERVER_URL + '/api/v1/settings/dns_config')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(200);
                 expect(res.body).to.eql({});
-                done(err);
+                done();
             });
         });
 
         it('cannot set without data', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/dns_config')
+            superagent.post(SERVER_URL + '/api/v1/settings/dns_config')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(400);
@@ -254,7 +253,7 @@ describe('Settings API', function () {
         });
 
         it('set succeeds', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/dns_config')
+            superagent.post(SERVER_URL + '/api/v1/settings/dns_config')
                    .query({ access_token: token })
                    .send({ provider: 'route53', accessKeyId: 'accessKey', secretAccessKey: 'secretAccessKey' })
                    .end(function (err, res) {
@@ -264,12 +263,12 @@ describe('Settings API', function () {
         });
 
         it('get succeeds', function (done) {
-            request.get(SERVER_URL + '/api/v1/settings/dns_config')
+            superagent.get(SERVER_URL + '/api/v1/settings/dns_config')
                    .query({ access_token: token })
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(200);
                 expect(res.body).to.eql({ provider: 'route53', accessKeyId: 'accessKey', secretAccessKey: 'secretAccessKey', region: 'us-east-1', endpoint: null });
-                done(err);
+                done();
             });
         });
     });
@@ -284,75 +283,68 @@ describe('Settings API', function () {
         var validKey1 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBALQUp/TtlYxwAEWVnD4bNcr0SJmuUnWWme7rhGE333PsxdGvxwWd\nlWBjeOBq27JHmzdZ3NS/J7Z4nSs2JyXYRkkCAwEAAQJALV2eykcoC48TonQEPmkg\nbhaIS57syw67jMLsQImQ02UABKzqHPEKLXPOZhZPS9hsC/hGIehwiYCXMUlrl+WF\nAQIhAOntBI6qaecNjAAVG7UbZclMuHROUONmZUF1KNq6VyV5AiEAxRLkfHWy52CM\njOQrX347edZ30f4QczvugXwsyuU9A1ECIGlGZ8Sk4OBA8n6fAUcyO06qnmCJVlHg\npTUeOvKk5c9RAiBs28+8dCNbrbhVhx/yQr9FwNM0+ttJW/yWJ+pyNQhr0QIgJTT6\nxwCWYOtbioyt7B9l+ENy3AMSO3Uq+xmIKkvItK4=\n-----END RSA PRIVATE KEY-----';
 
         it('cannot set certificate without token', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/certificate')
+            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('cannot set certificate without certificate', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/certificate')
+            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
                    .query({ access_token: token })
                    .send({ key: validKey1 })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('cannot set certificate without key', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/certificate')
+            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
                    .query({ access_token: token })
                    .send({ cert: validCert1 })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('cannot set certificate with cert not being a string', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/certificate')
+            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
                    .query({ access_token: token })
                    .send({ cert: 1234, key: validKey1 })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('cannot set certificate with key not being a string', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/certificate')
+            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
                    .query({ access_token: token })
                    .send({ cert: validCert1, key: true })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('cannot set non wildcard certificate', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/certificate')
+            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
                    .query({ access_token: token })
                    .send({ cert: validCert0, key: validKey0 })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('can set certificate', function (done) {
-            request.post(SERVER_URL + '/api/v1/settings/certificate')
+            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
                    .query({ access_token: token })
                    .send({ cert: validCert1, key: validKey1 })
                    .end(function (error, result) {
-                expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(202);
                 done();
             });

src/routes/test/simpleauth-test.js

@@ -12,7 +12,7 @@ var clientdb = require('../../clientdb.js'),
     config = require('../../config.js'),
     database = require('../../database.js'),
     expect = require('expect.js'),
-    request = require('superagent'),
+    superagent = require('superagent'),
     server = require('../../server.js'),
     simpleauth = require('../../simpleauth.js'),
     nock = require('nock');
@@ -109,7 +109,7 @@ describe('SimpleAuth API', function () {
                 var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
                 var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
 
-                request.post(SERVER_URL + '/api/v1/cloudron/activate')
+                superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                        .query({ setupToken: 'somesetuptoken' })
                        .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                        .end(function (error, result) {
@@ -146,10 +146,9 @@ describe('SimpleAuth API', function () {
         it('cannot login without clientId', function (done) {
             var body = {};
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(400);
                 done();
             });
@@ -160,10 +159,9 @@ describe('SimpleAuth API', function () {
                 clientId: 'someclientid'
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(400);
                 done();
             });
@@ -175,10 +173,9 @@ describe('SimpleAuth API', function () {
                 username: USERNAME
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(400);
                 done();
             });
@@ -191,10 +188,9 @@ describe('SimpleAuth API', function () {
                 password: PASSWORD
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -207,10 +203,9 @@ describe('SimpleAuth API', function () {
                 password: PASSWORD
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -223,10 +218,9 @@ describe('SimpleAuth API', function () {
                 password: ''
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -239,10 +233,9 @@ describe('SimpleAuth API', function () {
                 password: PASSWORD+PASSWORD
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -255,10 +248,9 @@ describe('SimpleAuth API', function () {
                 password: PASSWORD
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -271,10 +263,9 @@ describe('SimpleAuth API', function () {
                 password: PASSWORD
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -287,7 +278,7 @@ describe('SimpleAuth API', function () {
                 password: PASSWORD
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
                 expect(error).to.be(null);
@@ -299,7 +290,7 @@ describe('SimpleAuth API', function () {
                 expect(result.body.user.email).to.be.a('string');
                 expect(result.body.user.admin).to.be.a('boolean');
 
-                request.get(SERVER_URL + '/api/v1/profile')
+                superagent.get(SERVER_URL + '/api/v1/profile')
                 .query({ access_token: result.body.accessToken })
                 .end(function (error, result) {
                     expect(error).to.be(null);
@@ -318,7 +309,7 @@ describe('SimpleAuth API', function () {
                 password: PASSWORD
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
                 expect(error).to.be(null);
@@ -330,7 +321,7 @@ describe('SimpleAuth API', function () {
                 expect(result.body.user.email).to.be.a('string');
                 expect(result.body.user.admin).to.be.a('boolean');
 
-                request.get(SERVER_URL + '/api/v1/profile')
+                superagent.get(SERVER_URL + '/api/v1/profile')
                 .query({ access_token: result.body.accessToken })
                 .end(function (error, result) {
                     expect(error).to.be(null);
@@ -349,10 +340,9 @@ describe('SimpleAuth API', function () {
                 password: PASSWORD
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(401);
                 done();
             });
@@ -369,7 +359,7 @@ describe('SimpleAuth API', function () {
                 password: PASSWORD
             };
 
-            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
             .send(body)
             .end(function (error, result) {
                 expect(error).to.be(null);
@@ -382,35 +372,32 @@ describe('SimpleAuth API', function () {
         });
 
         it('fails without access_token', function (done) {
-            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            superagent.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(400);
                 done();
             });
         });
 
         it('fails with unkonwn access_token', function (done) {
-            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            superagent.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
             .query({ access_token: accessToken+accessToken })
             .end(function (error, result) {
-                expect(error).to.be(null);
                 expect(result.statusCode).to.equal(401);
                 done();
             });
         });
 
         it('succeeds', function (done) {
-            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            superagent.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
             .query({ access_token: accessToken })
             .end(function (error, result) {
                 expect(error).to.be(null);
                 expect(result.statusCode).to.equal(200);
 
-                request.get(SERVER_URL + '/api/v1/profile')
+                superagent.get(SERVER_URL + '/api/v1/profile')
                 .query({ access_token: accessToken })
                 .end(function (error, result) {
-                    expect(error).to.be(null);
                     expect(result.statusCode).to.equal(401);
 
                     done();

src/routes/test/user-test.js

@@ -10,7 +10,7 @@ var config = require('../../config.js'),
     database = require('../../database.js'),
     tokendb = require('../../tokendb.js'),
     expect = require('expect.js'),
-    request = require('superagent'),
+    superagent = require('superagent'),
     nock = require('nock'),
     server = require('../../server.js'),
     userdb = require('../../userdb.js');
@@ -50,7 +50,7 @@ describe('User API', function () {
     after(cleanup);
 
     it('device is in first time mode', function (done) {
-        request.get(SERVER_URL + '/api/v1/cloudron/status')
+        superagent.get(SERVER_URL + '/api/v1/cloudron/status')
                .end(function (err, res) {
             expect(res.statusCode).to.equal(200);
             expect(res.body.activated).to.not.be.ok();
@@ -61,21 +61,21 @@ describe('User API', function () {
     it('create admin fails due to missing parameters', function (done) {
         var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
 
-        request.post(SERVER_URL + '/api/v1/cloudron/activate')
+        superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                .query({ setupToken: 'somesetuptoken' })
                .send({ username: USERNAME_0 })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(scope.isDone()).to.be.ok();
-            done(err);
+            done();
         });
     });
 
     it('create admin fails because only POST is allowed', function (done) {
-        request.get(SERVER_URL + '/api/v1/cloudron/activate')
+        superagent.get(SERVER_URL + '/api/v1/cloudron/activate')
                .end(function (err, res) {
             expect(res.statusCode).to.equal(404);
-            done(err);
+            done();
         });
     });
 
@@ -83,7 +83,7 @@ describe('User API', function () {
         var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
         var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
 
-        request.post(SERVER_URL + '/api/v1/cloudron/activate')
+        superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                .query({ setupToken: 'somesetuptoken' })
                .send({ username: USERNAME_0, password: PASSWORD, email: EMAIL })
                .end(function (err, res) {
@@ -99,16 +99,16 @@ describe('User API', function () {
     });
 
     it('device left first time mode', function (done) {
-        request.get(SERVER_URL + '/api/v1/cloudron/status')
+        superagent.get(SERVER_URL + '/api/v1/cloudron/status')
                .end(function (err, res) {
             expect(res.statusCode).to.equal(200);
             expect(res.body.activated).to.be.ok();
-            done(err);
+            done();
         });
     });
 
     it('can get userInfo with token', function (done) {
-        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
         .query({ access_token: token })
         .end(function (err, res) {
             expect(res.statusCode).to.equal(200);
@@ -119,7 +119,7 @@ describe('User API', function () {
             // stash for further use
             user_0 = res.body;
 
-            done(err);
+            done();
         });
     });
 
@@ -131,10 +131,9 @@ describe('User API', function () {
             expect(error).to.not.be.ok();
 
             setTimeout(function () {
-                request.get(SERVER_URL + '/api/v1/users/' + user_0.username)
+                superagent.get(SERVER_URL + '/api/v1/users/' + user_0.username)
                 .query({ access_token: token })
                 .end(function (error, result) {
-                    expect(error).to.not.be.ok();
                     expect(result.statusCode).to.equal(401);
                     done();
                 });
@@ -143,46 +142,46 @@ describe('User API', function () {
     });
 
     it('can get userInfo with token', function (done) {
-        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .query({ access_token: token })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(200);
             expect(res.body.username).to.equal(USERNAME_0);
             expect(res.body.email).to.equal(EMAIL);
             expect(res.body.admin).to.be.ok();
-            done(err);
+            done();
         });
     });
 
     it('cannot get userInfo only with basic auth', function (done) {
-        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .auth(USERNAME_0, PASSWORD)
                .end(function (err, res) {
             expect(res.statusCode).to.equal(401);
-            done(err);
+            done();
         });
     });
 
     it('cannot get userInfo with invalid token (token length)', function (done) {
-        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .query({ access_token: 'x' + token })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(401);
-            done(err);
+            done();
         });
     });
 
     it('cannot get userInfo with invalid token (wrong token)', function (done) {
-        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .query({ access_token: token.toUpperCase() })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(401);
-            done(err);
+            done();
         });
     });
 
     it('can get userInfo with token in auth header', function (done) {
-        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .set('Authorization', 'Bearer ' + token)
                .end(function (err, res) {
             expect(res.statusCode).to.equal(200);
@@ -191,30 +190,30 @@ describe('User API', function () {
             expect(res.body.admin).to.be.ok();
             expect(res.body.password).to.not.be.ok();
             expect(res.body.salt).to.not.be.ok();
-            done(err);
+            done();
         });
     });
 
     it('cannot get userInfo with invalid token in auth header', function (done) {
-        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .set('Authorization', 'Bearer ' + 'x' + token)
                .end(function (err, res) {
             expect(res.statusCode).to.equal(401);
-            done(err);
+            done();
         });
     });
 
     it('cannot get userInfo with invalid token (wrong token)', function (done) {
-        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .set('Authorization', 'Bearer ' + 'x' + token.toUpperCase())
                .end(function (err, res) {
             expect(res.statusCode).to.equal(401);
-            done(err);
+            done();
         });
     });
 
     it('create second user succeeds', function (done) {
-        request.post(SERVER_URL + '/api/v1/users')
+        superagent.post(SERVER_URL + '/api/v1/users')
                .query({ access_token: token })
                .send({ username: USERNAME_1, email: EMAIL_1 })
                .end(function (err, res) {
@@ -228,90 +227,86 @@ describe('User API', function () {
 
     it('set second user as admin succeeds', function (done) {
         // TODO is USERNAME_1 in body and url redundant?
-        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_1 + '/admin')
+        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_1 + '/admin')
                .query({ access_token: token })
                .send({ username: USERNAME_1, admin: true })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(204);
-            done(err);
+            done();
         });
     });
 
     it('remove first user from admins succeeds', function (done) {
-        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/admin')
+        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/admin')
                .query({ access_token: token_1 })
                .send({ username: USERNAME_0, admin: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(204);
-            done(err);
+            done();
         });
     });
 
     it('remove second user by first, now normal, user fails', function (done) {
-        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_1)
+        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_1)
                .query({ access_token: token })
                .send({ password: PASSWORD })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
-            done(err);
+            done();
         });
     });
 
     it('remove second user from admins and thus last admin fails', function (done) {
-        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_1 + '/admin')
+        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_1 + '/admin')
                .query({ access_token: token_1 })
                .send({ username: USERNAME_1, admin: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
-            done(err);
+            done();
         });
     });
 
     it('reset first user as admin succeeds', function (done) {
-        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/admin')
+        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/admin')
                .query({ access_token: token_1 })
                .send({ username: USERNAME_0, admin: true })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(204);
-            done(err);
+            done();
         });
     });
 
     it('create user missing username fails', function (done) {
-        request.post(SERVER_URL + '/api/v1/users')
+        superagent.post(SERVER_URL + '/api/v1/users')
                .query({ access_token: token })
                .send({ email: EMAIL_2 })
                .end(function (error, result) {
-            expect(error).to.not.be.ok();
             expect(result.statusCode).to.equal(400);
             done();
         });
     });
 
     it('create user missing email fails', function (done) {
-        request.post(SERVER_URL + '/api/v1/users')
+        superagent.post(SERVER_URL + '/api/v1/users')
                .query({ access_token: token })
                .send({ username: USERNAME_2 })
                .end(function (error, result) {
-            expect(error).to.not.be.ok();
             expect(result.statusCode).to.equal(400);
             done();
         });
     });
 
     it('create second and third user', function (done) {
-        request.post(SERVER_URL + '/api/v1/users')
+        superagent.post(SERVER_URL + '/api/v1/users')
                .query({ access_token: token })
                .send({ username: USERNAME_2, email: EMAIL_2 })
                .end(function (error, res) {
-            expect(error).to.not.be.ok();
             expect(res.statusCode).to.equal(201);
 
-            request.post(SERVER_URL + '/api/v1/users')
+            superagent.post(SERVER_URL + '/api/v1/users')
                    .query({ access_token: token })
                    .send({ username: USERNAME_3, email: EMAIL_3 })
                    .end(function (error, res) {
-                expect(error).to.not.be.ok();
                 expect(res.statusCode).to.equal(201);
 
                 // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
@@ -321,10 +316,9 @@ describe('User API', function () {
     });
 
     it('second user userInfo', function (done) {
-        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_2)
+        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_2)
                .query({ access_token: token_1 })
                .end(function (error, result) {
-            expect(error).to.be(null);
             expect(result.statusCode).to.equal(200);
             expect(result.body.username).to.equal(USERNAME_2);
             expect(result.body.email).to.equal(EMAIL_2);
@@ -335,17 +329,17 @@ describe('User API', function () {
     });
 
     it('create user with same username should fail', function (done) {
-        request.post(SERVER_URL + '/api/v1/users')
+        superagent.post(SERVER_URL + '/api/v1/users')
                .query({ access_token: token })
                .send({ username: USERNAME_2, email: EMAIL })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(409);
-            done(err);
+            done();
         });
     });
 
     it('list users', function (done) {
-        request.get(SERVER_URL + '/api/v1/users')
+        superagent.get(SERVER_URL + '/api/v1/users')
         .query({ access_token: token_2 })
         .end(function (error, res) {
             expect(error).to.be(null);
@@ -367,106 +361,106 @@ describe('User API', function () {
     });
 
     it('user removes himself is not allowed', function (done) {
-        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .query({ access_token: token })
                .send({ password: PASSWORD })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
-            done(err);
+            done();
         });
     });
 
     it('admin cannot remove normal user without giving a password', function (done) {
-        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
+        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
                .query({ access_token: token })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
-            done(err);
+            done();
         });
     });
 
     it('admin cannot remove normal user with empty password', function (done) {
-        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
+        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
                .query({ access_token: token })
                .send({ password: '' })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
-            done(err);
+            done();
         });
     });
 
     it('admin cannot remove normal user with giving wrong password', function (done) {
-        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
+        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
                .query({ access_token: token })
                .send({ password: PASSWORD + PASSWORD })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
-            done(err);
+            done();
         });
     });
 
     it('admin removes normal user', function (done) {
-        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
+        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
                .query({ access_token: token })
                .send({ password: PASSWORD })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(204);
-            done(err);
+            done();
         });
     });
 
     it('admin removes himself should not be allowed', function (done) {
-        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .query({ access_token: token })
                .send({ password: PASSWORD })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
-            done(err);
+            done();
         });
     });
 
     // Change email
     it('change email fails due to missing token', function (done) {
-        request.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .send({ password: PASSWORD, email: EMAIL_0_NEW })
                .end(function (error, result) {
             expect(result.statusCode).to.equal(401);
-            done(error);
+            done();
         });
     });
 
     it('change email fails due to missing password', function (done) {
-        request.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .query({ access_token: token })
                .send({ email: EMAIL_0_NEW })
                .end(function (error, result) {
             expect(result.statusCode).to.equal(400);
-            done(error);
+            done();
         });
     });
 
     it('change email fails due to wrong password', function (done) {
-        request.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .query({ access_token: token })
                .send({ password: PASSWORD+PASSWORD, email: EMAIL_0_NEW })
                .end(function (error, result) {
             expect(result.statusCode).to.equal(403);
-            done(error);
+            done();
         });
     });
 
     it('change email fails due to invalid email', function (done) {
-        request.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .query({ access_token: token })
                .send({ password: PASSWORD, email: 'foo@bar' })
                .end(function (error, result) {
             expect(result.statusCode).to.equal(400);
-            done(error);
+            done();
         });
     });
 
     it('change email succeeds', function (done) {
-        request.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
                .query({ access_token: token })
                .send({ password: PASSWORD, email: EMAIL_0_NEW })
                .end(function (error, result) {
@@ -477,52 +471,52 @@ describe('User API', function () {
 
     // Change password
     it('change password fails due to missing current password', function (done) {
-        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
+        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
                .query({ access_token: token })
                .send({ newPassword: 'some wrong password' })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
-            done(err);
+            done();
         });
     });
 
     it('change password fails due to missing new password', function (done) {
-        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
+        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
                .query({ access_token: token })
                .send({ password: PASSWORD })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
-            done(err);
+            done();
         });
     });
 
     it('change password fails due to wrong password', function (done) {
-        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
+        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
                .query({ access_token: token })
                .send({ password: 'some wrong password', newPassword: 'newpassword' })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
-            done(err);
+            done();
         });
     });
 
     it('change password fails due to invalid password', function (done) {
-        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
+        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
                .query({ access_token: token })
                .send({ password: PASSWORD, newPassword: 'five' })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
-            done(err);
+            done();
         });
     });
 
     it('change password succeeds', function (done) {
-        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
+        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
                .query({ access_token: token })
                .send({ password: PASSWORD, newPassword: 'new_password' })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(204);
-            done(err);
+            done();
         });
     });
 });

src/server.js

@@ -10,6 +10,7 @@ exports = module.exports = {
 var assert = require('assert'),
     async = require('async'),
     auth = require('./auth.js'),
+    certificates = require('./certificates.js'),
     cloudron = require('./cloudron.js'),
     cron = require('./cron.js'),
     config = require('./config.js'),
@@ -235,6 +236,7 @@ function start(callback) {
         auth.initialize,
         database.initialize,
         cloudron.initialize, // keep this here because it reads activation state that others depend on
+        certificates.installAdminCertificate, // keep this before cron to block heartbeats until cert is ready
         taskmanager.initialize,
         mailer.initialize,
         cron.initialize,

src/settings.js

@@ -26,37 +26,31 @@ exports = module.exports = {
     getBackupConfig: getBackupConfig,
     setBackupConfig: setBackupConfig,
 
+    getTlsConfig: getTlsConfig,
+    setTlsConfig: setTlsConfig,
+
     getDefaultSync: getDefaultSync,
     getAll: getAll,
 
-    validateCertificate: validateCertificate,
-    setCertificate: setCertificate,
-    setAdminCertificate: setAdminCertificate,
-
     AUTOUPDATE_PATTERN_KEY: 'autoupdate_pattern',
     TIME_ZONE_KEY: 'time_zone',
     CLOUDRON_NAME_KEY: 'cloudron_name',
     DEVELOPER_MODE_KEY: 'developer_mode',
     DNS_CONFIG_KEY: 'dns_config',
     BACKUP_CONFIG_KEY: 'backup_config',
+    TLS_CONFIG_KEY: 'tls_config',
 
     events: new (require('events').EventEmitter)()
 };
 
 var assert = require('assert'),
     config = require('./config.js'),
-    constants = require('./constants.js'),
     CronJob = require('cron').CronJob,
     DatabaseError = require('./databaseerror.js'),
-    ejs = require('ejs'),
-    fs = require('fs'),
-    path = require('path'),
     paths = require('./paths.js'),
     safe = require('safetydance'),
     settingsdb = require('./settingsdb.js'),
-    shell = require('./shell.js'),
     util = require('util'),
-    x509 = require('x509'),
     _ = require('underscore');
 
 var gDefaults = (function () {
@@ -67,13 +61,11 @@ var gDefaults = (function () {
     result[exports.DEVELOPER_MODE_KEY] = false;
     result[exports.DNS_CONFIG_KEY] = { };
     result[exports.BACKUP_CONFIG_KEY] = { };
+    result[exports.TLS_CONFIG_KEY] = { provider: 'caas' };
 
     return result;
 })();
 
-var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }),
-    RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh');
-
 if (config.TEST) {
     // avoid noisy warnings during npm test
     exports.events.setMaxListeners(100);
@@ -101,7 +93,6 @@ util.inherits(SettingsError, Error);
 SettingsError.INTERNAL_ERROR = 'Internal Error';
 SettingsError.NOT_FOUND = 'Not Found';
 SettingsError.BAD_FIELD = 'Bad Field';
-SettingsError.INVALID_CERT = 'Invalid certificate';
 
 function setAutoupdatePattern(pattern, callback) {
     assert.strictEqual(typeof pattern, 'string');
@@ -276,6 +267,34 @@ function setDnsConfig(dnsConfig, callback) {
     });
 }
 
+function getTlsConfig(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    settingsdb.get(exports.TLS_CONFIG_KEY, function (error, value) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, gDefaults[exports.TLS_CONFIG_KEY]);
+        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, error));
+
+        callback(null, JSON.parse(value)); // provider
+    });
+}
+
+function setTlsConfig(tlsConfig, callback) {
+    assert.strictEqual(typeof tlsConfig, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (tlsConfig.provider !== 'caas' && tlsConfig.provider.indexOf('le-') !== 0) {
+        return callback(new SettingsError(SettingsError.BAD_FIELD, 'provider must be caas or le-*'));
+    }
+
+    settingsdb.set(exports.TLS_CONFIG_KEY, JSON.stringify(tlsConfig), function (error) {
+        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, error));
+
+        exports.events.emit(exports.TLS_CONFIG_KEY, tlsConfig);
+
+        callback(null);
+    });
+}
+
 function getBackupConfig(callback) {
     assert.strictEqual(typeof callback, 'function');
 
@@ -322,104 +341,3 @@ function getAll(callback) {
         callback(null, result);
     });
 }
-
-// note: https://tools.ietf.org/html/rfc4346#section-7.4.2 (certificate_list) requires that the
-// servers certificate appears first (and not the intermediate cert)
-function validateCertificate(cert, key, fqdn) {
-    assert(cert === null || typeof cert === 'string');
-    assert(key === null || typeof key === 'string');
-    assert.strictEqual(typeof fqdn, 'string');
-
-    if (cert === null && key === null) return null;
-    if (!cert && key) return new Error('missing cert');
-    if (cert && !key) return new Error('missing key');
-
-    var content;
-    try {
-        content = x509.parseCert(cert);
-    } catch (e) {
-        return new Error('invalid cert: ' + e.message);
-    }
-
-    // check expiration
-    if (content.notAfter < new Date()) return new Error('cert expired');
-
-    function matchesDomain(domain) {
-        if (domain === fqdn) return true;
-        if (domain.indexOf('*') === 0 && domain.slice(2) === fqdn.slice(fqdn.indexOf('.') + 1)) return true;
-
-        return false;
-    }
-
-    // check domain
-    var domains = content.altNames.concat(content.subject.commonName);
-    if (!domains.some(matchesDomain)) return new Error(util.format('cert is not valid for this domain. Expecting %s in %j', fqdn, domains));
-
-    // http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
-    var certModulus = safe.child_process.execSync('openssl x509 -noout -modulus', { encoding: 'utf8', input: cert });
-    var keyModulus = safe.child_process.execSync('openssl rsa -noout -modulus', { encoding: 'utf8', input: key });
-    if (certModulus !== keyModulus) return new Error('key does not match the cert');
-
-    return null;
-}
-
-function setCertificate(cert, key, callback) {
-    assert.strictEqual(typeof cert, 'string');
-    assert.strictEqual(typeof key, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var error = validateCertificate(cert, key, '*.' + config.fqdn());
-    if (error) return callback(new SettingsError(SettingsError.INVALID_CERT, error.message));
-
-    // backup the cert
-    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, 'host.cert'), cert)) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, safe.error.message));
-    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, 'host.key'), key)) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, safe.error.message));
-
-    // copy over fallback cert
-    if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, 'host.cert'), cert)) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, safe.error.message));
-    if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, 'host.key'), key)) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, safe.error.message));
-
-    shell.sudo('setCertificate', [ RELOAD_NGINX_CMD ], function (error) {
-        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, error));
-
-        return callback(null);
-    });
-}
-
-function setAdminCertificate(cert, key, callback) {
-    assert.strictEqual(typeof cert, 'string');
-    assert.strictEqual(typeof key, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var sourceDir = path.resolve(__dirname, '..');
-    var endpoint = 'admin';
-    var vhost = config.appFqdn(constants.ADMIN_LOCATION);
-    var certFilePath = path.join(paths.APP_CERTS_DIR, 'admin.cert');
-    var keyFilePath = path.join(paths.APP_CERTS_DIR, 'admin.key');
-
-    var error = validateCertificate(cert, key, vhost);
-    if (error) return callback(new SettingsError(SettingsError.INVALID_CERT, error.message));
-
-    // backup the cert
-    if (!safe.fs.writeFileSync(certFilePath, cert)) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, safe.error.message));
-    if (!safe.fs.writeFileSync(keyFilePath, key)) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, safe.error.message));
-
-    var data = {
-        sourceDir: sourceDir,
-        adminOrigin: config.adminOrigin(),
-        vhost: vhost,
-        endpoint: endpoint,
-        certFilePath: certFilePath,
-        keyFilePath: keyFilePath
-    };
-    var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
-    var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, 'admin.conf');
-
-    if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) return callback(safe.error);
-
-    shell.sudo('setAdminCertificate', [ RELOAD_NGINX_CMD ], function (error) {
-        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, error));
-
-        return callback(null);
-    });
-}

src/storage/caas.js

@@ -24,7 +24,7 @@ function getBackupCredentials(backupConfig, callback) {
 
     var url = config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/awscredentials';
     superagent.post(url).query({ token: backupConfig.token }).end(function (error, result) {
-        if (error) return callback(error);
+        if (error && !error.response) return callback(error);
         if (result.statusCode !== 201) return callback(new Error(result.text));
         if (!result.body || !result.body.credentials) return callback(new Error('Unexpected response'));
 
@@ -49,7 +49,7 @@ function getAllPaged(backupConfig, page, perPage, callback) {
 
     var url = config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/backups';
     superagent.get(url).query({ token: backupConfig.token }).end(function (error, result) {
-        if (error) return callback(error);
+        if (error && !error.response) return callback(error);
         if (result.statusCode !== 200) return callback(new Error(result.text));
         if (!result.body || !util.isArray(result.body.backups)) return callback(new Error('Unexpected response'));
 

src/taskmanager.js

@@ -97,10 +97,11 @@ function startAppTask(appId) {
     var pid = gActiveTasks[appId].pid;
     debug('Started task of %s pid: %s', appId, pid);
 
-    gActiveTasks[appId].once('exit', function (code) {
+    gActiveTasks[appId].once('exit', function (code, signal) {
         debug('Task for %s pid %s completed with status %s', appId, pid, code);
-        if (code && code !== 50) { // apptask crashed
-            appdb.update(appId, { installationState: appdb.ISTATE_ERROR, installationProgress: 'Apptask crashed with code ' + code }, NOOP_CALLBACK);
+        if (code === null /* signal */ || (code !== 0 && code !== 50)) { // apptask crashed
+            debug('Apptask crashed with code %s and signal %s', code, signal);
+            appdb.update(appId, { installationState: appdb.ISTATE_ERROR, installationProgress: 'Apptask crashed with code ' + code + ' and signal ' + signal }, NOOP_CALLBACK);
         }
         delete gActiveTasks[appId];
         locker.unlock(locker.OP_APPTASK); // unlock event will trigger next task

src/test/apptask-test.js

@@ -85,7 +85,8 @@ describe('apptask', function () {
         async.series([
             database.initialize,
             appdb.add.bind(null, APP.id, APP.appStoreId, APP.manifest, APP.location, APP.portBindings, APP.accessRestriction, APP.oauthProxy),
-            settings.setDnsConfig.bind(null, { provider: 'route53', accessKeyId: 'accessKeyId', secretAccessKey: 'secretAccessKey', endpoint: 'http://localhost:5353' })
+            settings.setDnsConfig.bind(null, { provider: 'route53', accessKeyId: 'accessKeyId', secretAccessKey: 'secretAccessKey', endpoint: 'http://localhost:5353' }),
+            settings.setTlsConfig.bind(null, { provider: 'caas' })
         ], done);
     });
 
@@ -97,12 +98,12 @@ describe('apptask', function () {
         apptask.initialize(done);
     });
 
-    it('free port', function (done) {
-        apptask._getFreePort(function (error, port) {
-            expect(error).to.be(null);
-            expect(port).to.be.a('number');
-            var client = net.connect(port);
-            client.on('connect', function () { done(new Error('Port is not free:' + port)); });
+    it('reserve port', function (done) {
+        apptask._reserveHttpPort(APP, function (error) {
+            expect(error).to.not.be.ok();
+            expect(APP.httpPort).to.be.a('number');
+            var client = net.connect(APP.httpPort);
+            client.on('connect', function () { done(new Error('Port is not free:' + APP.httpPort)); });
             client.on('error', function (error) { done(); });
         });
     });

src/test/certificates-test.js

@@ -0,0 +1,90 @@
+/* jslint node:true */
+/* global it:false */
+/* global describe:false */
+/* global before:false */
+/* global after:false */
+
+'use strict';
+
+var certificates = require('../certificates.js'),
+    expect = require('expect.js');
+
+describe('Certificates', function () {
+    describe('validateCertificate', function () {
+        /*
+          Generate these with:
+            openssl genrsa -out server.key 512
+            openssl req -new -key server.key -out server.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=Nebulon/OU=CTO/CN=baz.foobar.com"
+            openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
+        */
+
+        // foobar.com
+        var validCert0 = '-----BEGIN CERTIFICATE-----\nMIIBujCCAWQCCQCjLyTKzAJ4FDANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzETMBEGA1UEAwwKZm9vYmFyLmNvbTAeFw0xNTEw\nMjgxMjM5MjZaFw0xNjEwMjcxMjM5MjZaMGQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI\nDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEQMA4GA1UECgwHTmVidWxvbjEMMAoG\nA1UECwwDQ1RPMRMwEQYDVQQDDApmb29iYXIuY29tMFwwDQYJKoZIhvcNAQEBBQAD\nSwAwSAJBAMeYofgwHeNVmGkGe0gj4dnX2ciifDi7X2K/oVHp7mxuHjGMSYP9Z7b6\n+mu0IMf4OedwXStHBeO8mwjKxZmE7p8CAwEAATANBgkqhkiG9w0BAQsFAANBAJI7\nFUUHXjR63UFk8pgxp0c7hEGqj4VWWGsmo8oZnnX8jGVmQDKbk8o3MtDujfqupmMR\nMo7tSAFlG7zkm3GYhpw=\n-----END CERTIFICATE-----';
+        var validKey0 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAMeYofgwHeNVmGkGe0gj4dnX2ciifDi7X2K/oVHp7mxuHjGMSYP9\nZ7b6+mu0IMf4OedwXStHBeO8mwjKxZmE7p8CAwEAAQJBAJS59Sb8o6i8JT9NJxvQ\nMQCkSJGqEaosZJ0uccSZ7aE48v+H7HiPzXAueitohcEif2Wp1EZ1RbRMURhznNiZ\neLECIQDxxqhakO6wc7H68zmpRXJ5ZxGUNbM24AMtpONAtEw9iwIhANNWtp6P74OV\ntvfOmtubbqw768fmGskFCOcp5oF8oF29AiBkTAf9AhCyjFwyAYJTEScq67HkLN66\njfVjkvpfFixmfwIgI+xldmZ5DCDyzQSthg7RrS0yUvRmMS1N6h1RNUl96PECIQDl\nit4lFcytbqNo1PuBZvzQE+plCjiJqXHYo3WCst1Jbg==\n-----END RSA PRIVATE KEY-----';
+
+        // *.foobar.com
+        var validCert1 = '-----BEGIN CERTIFICATE-----\nMIIBvjCCAWgCCQCg957GWuHtbzANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzEVMBMGA1UEAwwMKi5mb29iYXIuY29tMB4XDTE1\nMTAyODEzMDI1MFoXDTE2MTAyNzEzMDI1MFowZjELMAkGA1UEBhMCREUxDzANBgNV\nBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMRAwDgYDVQQKDAdOZWJ1bG9uMQww\nCgYDVQQLDANDVE8xFTATBgNVBAMMDCouZm9vYmFyLmNvbTBcMA0GCSqGSIb3DQEB\nAQUAA0sAMEgCQQC0FKf07ZWMcABFlZw+GzXK9EiZrlJ1lpnu64RhN99z7MXRr8cF\nnZVgY3jgatuyR5s3WdzUvye2eJ0rNicl2EZJAgMBAAEwDQYJKoZIhvcNAQELBQAD\nQQAw4bteMZAeJWl2wgNLw+wTwAH96E0jyxwreCnT5AxJLmgimyQ0XOF4FsssdRFj\nxD9WA+rktelBodJyPeTDNhIh\n-----END CERTIFICATE-----';
+        var validKey1 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBALQUp/TtlYxwAEWVnD4bNcr0SJmuUnWWme7rhGE333PsxdGvxwWd\nlWBjeOBq27JHmzdZ3NS/J7Z4nSs2JyXYRkkCAwEAAQJALV2eykcoC48TonQEPmkg\nbhaIS57syw67jMLsQImQ02UABKzqHPEKLXPOZhZPS9hsC/hGIehwiYCXMUlrl+WF\nAQIhAOntBI6qaecNjAAVG7UbZclMuHROUONmZUF1KNq6VyV5AiEAxRLkfHWy52CM\njOQrX347edZ30f4QczvugXwsyuU9A1ECIGlGZ8Sk4OBA8n6fAUcyO06qnmCJVlHg\npTUeOvKk5c9RAiBs28+8dCNbrbhVhx/yQr9FwNM0+ttJW/yWJ+pyNQhr0QIgJTT6\nxwCWYOtbioyt7B9l+ENy3AMSO3Uq+xmIKkvItK4=\n-----END RSA PRIVATE KEY-----';
+
+        // baz.foobar.com
+        var validCert2 = '-----BEGIN CERTIFICATE-----\nMIIBwjCCAWwCCQDIKtL9RCDCkDANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzEXMBUGA1UEAwwOYmF6LmZvb2Jhci5jb20wHhcN\nMTUxMDI4MTMwNTMzWhcNMTYxMDI3MTMwNTMzWjBoMQswCQYDVQQGEwJERTEPMA0G\nA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05lYnVsb24x\nDDAKBgNVBAsMA0NUTzEXMBUGA1UEAwwOYmF6LmZvb2Jhci5jb20wXDANBgkqhkiG\n9w0BAQEFAANLADBIAkEAw7UWW/VoQePv2l92l3XcntZeyw1nBiHxk1axZwC6auOW\n2/zfA//Tg7fv4q5qKnV1n/71IiMAheeFcpfogY5rTwIDAQABMA0GCSqGSIb3DQEB\nCwUAA0EAtluL6dGNfOdNkzoO/UwzRaIvEm2reuqe+Ik4WR/k+DJ4igrmRCQqXwjW\nJaGYsFWsuk3QLOWQ9YgCKlcIYd+1/A==\n-----END CERTIFICATE-----';
+        var validKey2 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBAMO1Flv1aEHj79pfdpd13J7WXssNZwYh8ZNWsWcAumrjltv83wP/\n04O37+Kuaip1dZ/+9SIjAIXnhXKX6IGOa08CAwEAAQJAUPD3Y2cXDJFaJQXwhWnw\nqhzdLbvITUgCor5rNr+dWhE2MopGPpRHiabA1PeWEPx8CfblyTZGd8KUR/2W1c0r\naQIhAP4ZxB3+uhuzzMfyRrn/khr12pFn/FCIDbwnDbyUxLrTAiEAxSuVOFs+Mupt\nYCz/pPrDCx3eid0wyXRObbkLHOxJiBUCIBTp5fxaBNNW3xnt1OhmIo5Zgd3J4zh1\nmjvMMxM8Y1zFAiAxOP0qsZSoj1+41+MGY9fXaaCJ2F96m3+M4tpEYTTGNQIgdESZ\nz+hzHBeYVbWJpIR8uaNkx7wveUF90FpipXyeTsA=\n-----END RSA PRIVATE KEY-----';
+
+        it('allows both null', function () {
+            expect(certificates.validateCertificate(null, null, 'foobar.com')).to.be(null);
+        });
+
+        it('does not allow only cert', function () {
+            expect(certificates.validateCertificate('cert', null, 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow only key', function () {
+            expect(certificates.validateCertificate(null, 'key', 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow empty string for cert', function () {
+            expect(certificates.validateCertificate('', 'key', 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow empty string for key', function () {
+            expect(certificates.validateCertificate('cert', '', 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow invalid cert', function () {
+            expect(certificates.validateCertificate('someinvalidcert', validKey0, 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow invalid key', function () {
+            expect(certificates.validateCertificate(validCert0, 'invalidkey', 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow cert without matching domain', function () {
+            expect(certificates.validateCertificate(validCert0, validKey0, 'cloudron.io')).to.be.an(Error);
+        });
+
+        it('allows valid cert with matching domain', function () {
+            expect(certificates.validateCertificate(validCert0, validKey0, 'foobar.com')).to.be(null);
+        });
+
+        it('allows valid cert with matching domain (wildcard)', function () {
+            expect(certificates.validateCertificate(validCert1, validKey1, 'abc.foobar.com')).to.be(null);
+        });
+
+        it('does now allow cert without matching domain (wildcard)', function () {
+            expect(certificates.validateCertificate(validCert1, validKey1, 'foobar.com')).to.be.an(Error);
+            expect(certificates.validateCertificate(validCert1, validKey1, 'bar.abc.foobar.com')).to.be.an(Error);
+        });
+
+        it('allows valid cert with matching domain (subdomain)', function () {
+            expect(certificates.validateCertificate(validCert2, validKey2, 'baz.foobar.com')).to.be(null);
+        });
+
+        it('does not allow cert without matching domain (subdomain)', function () {
+            expect(certificates.validateCertificate(validCert0, validKey0, 'baz.foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow invalid cert/key tuple', function () {
+            expect(certificates.validateCertificate(validCert0, validKey1, 'foobar.com')).to.be.an(Error);
+        });
+    });
+});

src/test/server-test.js

@@ -11,7 +11,7 @@ var progress = require('../progress.js'),
     database = require('../database.js'),
     expect = require('expect.js'),
     nock = require('nock'),
-    request = require('superagent'),
+    superagent = require('superagent'),
     server = require('../server.js');
 
 var SERVER_URL = 'http://localhost:' + config.get('port');
@@ -46,7 +46,7 @@ describe('Server', function () {
         });
 
         it('is reachable', function (done) {
-            request.get(SERVER_URL + '/api/v1/cloudron/status', function (err, res) {
+            superagent.get(SERVER_URL + '/api/v1/cloudron/status', function (err, res) {
                 expect(res.statusCode).to.equal(200);
                 done(err);
             });
@@ -79,32 +79,32 @@ describe('Server', function () {
             });
         });
 
-        it('random bad requests', function (done) {
-            request.get(SERVER_URL + '/random', function (err, res) {
-                expect(err).to.not.be.ok();
+        it('random bad superagents', function (done) {
+            superagent.get(SERVER_URL + '/random', function (err, res) {
+                expect(err).to.be.ok();
                 expect(res.statusCode).to.equal(404);
-                done(err);
+                done();
             });
         });
 
         it('version', function (done) {
-            request.get(SERVER_URL + '/api/v1/cloudron/status', function (err, res) {
+            superagent.get(SERVER_URL + '/api/v1/cloudron/status', function (err, res) {
                 expect(err).to.not.be.ok();
                 expect(res.statusCode).to.equal(200);
                 expect(res.body.version).to.equal('0.5.0');
-                done(err);
+                done();
             });
         });
 
         it('status route is GET', function (done) {
-            request.post(SERVER_URL + '/api/v1/cloudron/status')
+            superagent.post(SERVER_URL + '/api/v1/cloudron/status')
                    .end(function (err, res) {
                 expect(res.statusCode).to.equal(404);
 
-                request.get(SERVER_URL + '/api/v1/cloudron/status')
+                superagent.get(SERVER_URL + '/api/v1/cloudron/status')
                        .end(function (err, res) {
                     expect(res.statusCode).to.equal(200);
-                    done(err);
+                    done();
                 });
             });
         });
@@ -122,18 +122,16 @@ describe('Server', function () {
         });
 
         it('config fails due missing token', function (done) {
-            request.get(SERVER_URL + '/api/v1/cloudron/config', function (err, res) {
-                expect(err).to.not.be.ok();
+            superagent.get(SERVER_URL + '/api/v1/cloudron/config', function (err, res) {
                 expect(res.statusCode).to.equal(401);
-                done(err);
+                done();
             });
         });
 
         it('config fails due wrong token', function (done) {
-            request.get(SERVER_URL + '/api/v1/cloudron/config').query({ access_token: 'somewrongtoken' }).end(function (err, res) {
-                expect(err).to.not.be.ok();
+            superagent.get(SERVER_URL + '/api/v1/cloudron/config').query({ access_token: 'somewrongtoken' }).end(function (err, res) {
                 expect(res.statusCode).to.equal(401);
-                done(err);
+                done();
             });
         });
     });
@@ -150,8 +148,7 @@ describe('Server', function () {
         });
 
         it('succeeds with no progress', function (done) {
-            request.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
-                expect(error).to.not.be.ok();
+            superagent.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
                 expect(result.statusCode).to.equal(200);
                 expect(result.body.update).to.be(null);
                 expect(result.body.backup).to.be(null);
@@ -162,8 +159,7 @@ describe('Server', function () {
         it('succeeds with update progress', function (done) {
             progress.set(progress.UPDATE, 13, 'This is some status string');
 
-            request.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
-                expect(error).to.not.be.ok();
+            superagent.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
                 expect(result.statusCode).to.equal(200);
                 expect(result.body.update).to.be.an('object');
                 expect(result.body.update.percent).to.be.a('number');
@@ -179,8 +175,7 @@ describe('Server', function () {
         it('succeeds with no progress after clearing the update', function (done) {
             progress.clear(progress.UPDATE);
 
-            request.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
-                expect(error).to.not.be.ok();
+            superagent.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
                 expect(result.statusCode).to.equal(200);
                 expect(result.body.update).to.be(null);
                 expect(result.body.backup).to.be(null);
@@ -211,8 +206,9 @@ describe('Server', function () {
         });
 
         it('is not reachable anymore', function (done) {
-            request.get(SERVER_URL + '/api/v1/cloudron/status', function (error, result) {
+            superagent.get(SERVER_URL + '/api/v1/cloudron/status', function (error, result) {
                 expect(error).to.not.be(null);
+                expect(!error.response).to.be.ok();
                 done();
             });
         });
@@ -226,15 +222,15 @@ describe('Server', function () {
         });
 
         it('responds to OPTIONS', function (done) {
-            request('OPTIONS', SERVER_URL + '/api/v1/cloudron/status')
+            superagent('OPTIONS', SERVER_URL + '/api/v1/cloudron/status')
                 .set('Access-Control-Request-Method', 'GET')
-                .set('Access-Control-Request-Headers', 'accept, origin, x-requested-with')
+                .set('Access-Control-Request-Headers', 'accept, origin, x-superagented-with')
                 .set('Origin', 'http://localhost')
-                .end(function (res) {
+                .end(function (error, res) {
                 expect(res.headers['access-control-allow-methods']).to.be('GET, PUT, DELETE, POST, OPTIONS');
                 expect(res.headers['access-control-allow-credentials']).to.be('true');
-                expect(res.headers['access-control-allow-headers']).to.be('accept, origin, x-requested-with'); // mirrored from request
-                expect(res.headers['access-control-allow-origin']).to.be('http://localhost'); // mirrors from request
+                expect(res.headers['access-control-allow-headers']).to.be('accept, origin, x-superagented-with'); // mirrored from superagent
+                expect(res.headers['access-control-allow-origin']).to.be('http://localhost'); // mirrors from superagent
                 done();
             });
         });

src/test/settings-test.js

@@ -100,6 +100,21 @@ describe('Settings', function () {
             });
         });
 
+        it('can set tls config', function (done) {
+            settings.setTlsConfig({ provider: 'caas' }, function (error) {
+                expect(error).to.be(null);
+                done();
+            });
+        });
+
+        it('can get tls config', function (done) {
+            settings.getTlsConfig(function (error, dnsConfig) {
+                expect(error).to.be(null);
+                expect(dnsConfig.provider).to.be('caas');
+                done();
+            });
+        });
+
         it('can set backup config', function (done) {
             settings.setBackupConfig({ provider: 'caas', token: 'TOKEN' }, function (error) {
                 expect(error).to.be(null);
@@ -126,85 +141,4 @@ describe('Settings', function () {
             });
         });
     });
-
-    describe('validateCertificate', function () {
-        before(setup);
-        after(cleanup);
-
-        /*
-          Generate these with:
-            openssl genrsa -out server.key 512
-            openssl req -new -key server.key -out server.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=Nebulon/OU=CTO/CN=baz.foobar.com"
-            openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
-        */
-
-        // foobar.com
-        var validCert0 = '-----BEGIN CERTIFICATE-----\nMIIBujCCAWQCCQCjLyTKzAJ4FDANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzETMBEGA1UEAwwKZm9vYmFyLmNvbTAeFw0xNTEw\nMjgxMjM5MjZaFw0xNjEwMjcxMjM5MjZaMGQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI\nDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEQMA4GA1UECgwHTmVidWxvbjEMMAoG\nA1UECwwDQ1RPMRMwEQYDVQQDDApmb29iYXIuY29tMFwwDQYJKoZIhvcNAQEBBQAD\nSwAwSAJBAMeYofgwHeNVmGkGe0gj4dnX2ciifDi7X2K/oVHp7mxuHjGMSYP9Z7b6\n+mu0IMf4OedwXStHBeO8mwjKxZmE7p8CAwEAATANBgkqhkiG9w0BAQsFAANBAJI7\nFUUHXjR63UFk8pgxp0c7hEGqj4VWWGsmo8oZnnX8jGVmQDKbk8o3MtDujfqupmMR\nMo7tSAFlG7zkm3GYhpw=\n-----END CERTIFICATE-----';
-        var validKey0 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAMeYofgwHeNVmGkGe0gj4dnX2ciifDi7X2K/oVHp7mxuHjGMSYP9\nZ7b6+mu0IMf4OedwXStHBeO8mwjKxZmE7p8CAwEAAQJBAJS59Sb8o6i8JT9NJxvQ\nMQCkSJGqEaosZJ0uccSZ7aE48v+H7HiPzXAueitohcEif2Wp1EZ1RbRMURhznNiZ\neLECIQDxxqhakO6wc7H68zmpRXJ5ZxGUNbM24AMtpONAtEw9iwIhANNWtp6P74OV\ntvfOmtubbqw768fmGskFCOcp5oF8oF29AiBkTAf9AhCyjFwyAYJTEScq67HkLN66\njfVjkvpfFixmfwIgI+xldmZ5DCDyzQSthg7RrS0yUvRmMS1N6h1RNUl96PECIQDl\nit4lFcytbqNo1PuBZvzQE+plCjiJqXHYo3WCst1Jbg==\n-----END RSA PRIVATE KEY-----';
-
-        // *.foobar.com
-        var validCert1 = '-----BEGIN CERTIFICATE-----\nMIIBvjCCAWgCCQCg957GWuHtbzANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzEVMBMGA1UEAwwMKi5mb29iYXIuY29tMB4XDTE1\nMTAyODEzMDI1MFoXDTE2MTAyNzEzMDI1MFowZjELMAkGA1UEBhMCREUxDzANBgNV\nBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMRAwDgYDVQQKDAdOZWJ1bG9uMQww\nCgYDVQQLDANDVE8xFTATBgNVBAMMDCouZm9vYmFyLmNvbTBcMA0GCSqGSIb3DQEB\nAQUAA0sAMEgCQQC0FKf07ZWMcABFlZw+GzXK9EiZrlJ1lpnu64RhN99z7MXRr8cF\nnZVgY3jgatuyR5s3WdzUvye2eJ0rNicl2EZJAgMBAAEwDQYJKoZIhvcNAQELBQAD\nQQAw4bteMZAeJWl2wgNLw+wTwAH96E0jyxwreCnT5AxJLmgimyQ0XOF4FsssdRFj\nxD9WA+rktelBodJyPeTDNhIh\n-----END CERTIFICATE-----';
-        var validKey1 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBALQUp/TtlYxwAEWVnD4bNcr0SJmuUnWWme7rhGE333PsxdGvxwWd\nlWBjeOBq27JHmzdZ3NS/J7Z4nSs2JyXYRkkCAwEAAQJALV2eykcoC48TonQEPmkg\nbhaIS57syw67jMLsQImQ02UABKzqHPEKLXPOZhZPS9hsC/hGIehwiYCXMUlrl+WF\nAQIhAOntBI6qaecNjAAVG7UbZclMuHROUONmZUF1KNq6VyV5AiEAxRLkfHWy52CM\njOQrX347edZ30f4QczvugXwsyuU9A1ECIGlGZ8Sk4OBA8n6fAUcyO06qnmCJVlHg\npTUeOvKk5c9RAiBs28+8dCNbrbhVhx/yQr9FwNM0+ttJW/yWJ+pyNQhr0QIgJTT6\nxwCWYOtbioyt7B9l+ENy3AMSO3Uq+xmIKkvItK4=\n-----END RSA PRIVATE KEY-----';
-
-        // baz.foobar.com
-        var validCert2 = '-----BEGIN CERTIFICATE-----\nMIIBwjCCAWwCCQDIKtL9RCDCkDANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzEXMBUGA1UEAwwOYmF6LmZvb2Jhci5jb20wHhcN\nMTUxMDI4MTMwNTMzWhcNMTYxMDI3MTMwNTMzWjBoMQswCQYDVQQGEwJERTEPMA0G\nA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05lYnVsb24x\nDDAKBgNVBAsMA0NUTzEXMBUGA1UEAwwOYmF6LmZvb2Jhci5jb20wXDANBgkqhkiG\n9w0BAQEFAANLADBIAkEAw7UWW/VoQePv2l92l3XcntZeyw1nBiHxk1axZwC6auOW\n2/zfA//Tg7fv4q5qKnV1n/71IiMAheeFcpfogY5rTwIDAQABMA0GCSqGSIb3DQEB\nCwUAA0EAtluL6dGNfOdNkzoO/UwzRaIvEm2reuqe+Ik4WR/k+DJ4igrmRCQqXwjW\nJaGYsFWsuk3QLOWQ9YgCKlcIYd+1/A==\n-----END CERTIFICATE-----';
-        var validKey2 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBAMO1Flv1aEHj79pfdpd13J7WXssNZwYh8ZNWsWcAumrjltv83wP/\n04O37+Kuaip1dZ/+9SIjAIXnhXKX6IGOa08CAwEAAQJAUPD3Y2cXDJFaJQXwhWnw\nqhzdLbvITUgCor5rNr+dWhE2MopGPpRHiabA1PeWEPx8CfblyTZGd8KUR/2W1c0r\naQIhAP4ZxB3+uhuzzMfyRrn/khr12pFn/FCIDbwnDbyUxLrTAiEAxSuVOFs+Mupt\nYCz/pPrDCx3eid0wyXRObbkLHOxJiBUCIBTp5fxaBNNW3xnt1OhmIo5Zgd3J4zh1\nmjvMMxM8Y1zFAiAxOP0qsZSoj1+41+MGY9fXaaCJ2F96m3+M4tpEYTTGNQIgdESZ\nz+hzHBeYVbWJpIR8uaNkx7wveUF90FpipXyeTsA=\n-----END RSA PRIVATE KEY-----';
-
-        it('allows both null', function () {
-            expect(settings.validateCertificate(null, null, 'foobar.com')).to.be(null);
-        });
-
-        it('does not allow only cert', function () {
-            expect(settings.validateCertificate('cert', null, 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow only key', function () {
-            expect(settings.validateCertificate(null, 'key', 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow empty string for cert', function () {
-            expect(settings.validateCertificate('', 'key', 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow empty string for key', function () {
-            expect(settings.validateCertificate('cert', '', 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow invalid cert', function () {
-            expect(settings.validateCertificate('someinvalidcert', validKey0, 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow invalid key', function () {
-            expect(settings.validateCertificate(validCert0, 'invalidkey', 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow cert without matching domain', function () {
-            expect(settings.validateCertificate(validCert0, validKey0, 'cloudron.io')).to.be.an(Error);
-        });
-
-        it('allows valid cert with matching domain', function () {
-            expect(settings.validateCertificate(validCert0, validKey0, 'foobar.com')).to.be(null);
-        });
-
-        it('allows valid cert with matching domain (wildcard)', function () {
-            expect(settings.validateCertificate(validCert1, validKey1, 'abc.foobar.com')).to.be(null);
-        });
-
-        it('does now allow cert without matching domain (wildcard)', function () {
-            expect(settings.validateCertificate(validCert1, validKey1, 'foobar.com')).to.be.an(Error);
-            expect(settings.validateCertificate(validCert1, validKey1, 'bar.abc.foobar.com')).to.be.an(Error);
-        });
-
-        it('allows valid cert with matching domain (subdomain)', function () {
-            expect(settings.validateCertificate(validCert2, validKey2, 'baz.foobar.com')).to.be(null);
-        });
-
-        it('does not allow cert without matching domain (subdomain)', function () {
-            expect(settings.validateCertificate(validCert0, validKey0, 'baz.foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow invalid cert/key tuple', function () {
-            expect(settings.validateCertificate(validCert0, validKey1, 'foobar.com')).to.be.an(Error);
-        });
-    });
 });

src/updatechecker.js

@@ -53,7 +53,7 @@ function getAppUpdates(callback) {
             .timeout(10 * 1000)
             .end(function (error, result) {
 
-            if (error) return callback(error);
+            if (error && !error.response) return callback(error);
 
             if (result.statusCode !== 200 || !result.body.appVersions) {
                 return callback(new Error(util.format('Error checking app update: %s %s', result.statusCode, result.text)));
@@ -88,8 +88,8 @@ function getBoxUpdates(callback) {
         .get(config.get('boxVersionsUrl'))
         .timeout(10 * 1000)
         .end(function (error, result) {
-        if (error) return callback(error);
-        if (result.status !== 200) return callback(new Error(util.format('Bad status: %s %s', result.status, result.text)));
+        if (error && !error.response) return callback(error);
+        if (result.statusCode !== 200) return callback(new Error(util.format('Bad status: %s %s', result.statusCode, result.text)));
 
         var versions = safe.JSON.parse(result.text);
 

src/waitfordns.js

@@ -0,0 +1,89 @@
+/* jslint node:true */
+
+'use strict';
+
+exports = module.exports = waitForDns;
+
+var assert = require('assert'),
+    async = require('async'),
+    attempt = require('attempt'),
+    debug = require('debug')('box:src/waitfordns'),
+    dns = require('native-dns');
+
+// the first arg to callback is not an error argument; this is required for async.every
+function isChangeSynced(domain, ip, nameserver, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof ip, 'string');
+    assert.strictEqual(typeof nameserver, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    // ns records cannot have cname
+    dns.resolve4(nameserver, function (error, nsIps) {
+        if (error || !nsIps || nsIps.length === 0) return callback(false);
+
+        async.every(nsIps, function (nsIp, iteratorCallback) {
+            var req = dns.Request({
+                question: dns.Question({ name: domain, type: 'A' }),
+                server: { address: nsIp },
+                timeout: 5000
+            });
+
+            req.on('timeout', function () { return iteratorCallback(false); });
+
+            req.on('message', function (error, message) {
+                if (error || !message.answer || message.answer.length === 0) return iteratorCallback(false);
+
+                debug('isChangeSynced: ns: %s (%s), name:%s Actual:%j Expecting:%s', nameserver, nsIp, domain, message.answer[0], ip);
+
+                if (message.answer[0].address !== ip) return iteratorCallback(false);
+
+                iteratorCallback(true); // done
+            });
+
+            req.send();
+        }, callback);
+    });
+ }
+
+// check if IP change has propagated to every nameserver
+function waitForDns(domain, ip, zoneName, options, callback) {
+    assert.strictEqual(typeof domain, 'string');
+    assert.strictEqual(typeof ip, 'string');
+    assert.strictEqual(typeof zoneName, 'string');
+
+    var defaultOptions = {
+        retryInterval: 5000,
+        retries: Infinity
+    };
+
+    if (typeof options === 'function') {
+        callback = options;
+        options = defaultOptions;
+    } else {
+        assert.strictEqual(typeof options, 'object');
+        assert.strictEqual(typeof callback, 'function');
+    }
+
+    debug('waitForDNS: domain %s to be %s in zone %s.', domain, ip, zoneName);
+
+    attempt(function (attempts) {
+        var callback = this; // gross
+        debug('waitForDNS: %s attempt %s.', domain, attempts);
+
+        dns.resolveNs(zoneName, function (error, nameservers) {
+            if (error || !nameservers) return callback(error || new Error('Unable to get nameservers'));
+
+            async.every(nameservers, isChangeSynced.bind(null, domain, ip), function (synced) {
+                debug('waitForDNS: %s %s ns: %j', domain, synced ? 'done' : 'not done', nameservers);
+
+                callback(synced ? null : new Error('ETRYAGAIN'));
+            });
+        });
+    }, { interval: options.retryInterval, retries: options.retries }, function (error) {
+         if (error) return callback(error);
+
+        debug('waitForDNS: %s done.', domain);
+
+        callback(null);
+     });
+}

src/webhooks.js

@@ -32,7 +32,7 @@ function backupDone(filename, app, appBackupIds, callback) {
         };
 
         superagent.post(url).send(data).query({ token: config.token() }).end(function (error, result) {
-            if (error) return callback(error);
+            if (error && !error.response) return callback(error);
             if (result.statusCode !== 200) return callback(new Error(result.text));
             if (!result.body) return callback(new Error('Unexpected response'));
 

webadmin/src/views/apps.html

@@ -119,6 +119,24 @@
     </div>
 </div>
 
+<!-- Modal error app -->
+<div class="modal fade" id="appErrorModal" tabindex="-1" role="dialog">
+    <div class="modal-dialog">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h4 class="modal-title">{{ appError.app.location }}</h4>
+            </div>
+            <div class="modal-body">
+                <p>There was an error installing this app</p>
+                <p>{{appError.app.installationProgress}}</p>
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-default" data-dismiss="modal">OK</button>
+            </div>
+        </div>
+    </div>
+</div>
+
 <!-- Modal uninstall app -->
 <div class="modal fade" id="appUninstallModal" tabindex="-1" role="dialog">
     <div class="modal-dialog">
@@ -219,7 +237,7 @@
     <div class="row animateMeOpacity ng-hide" ng-show="installedApps.length > 0">
         <div class="col-sm-1 grid-item" ng-repeat="app in installedApps">
             <div style="background-color: white;" class="highlight grid-item-content">
-                <a ng-href="{{app | applicationLink}}" target="_blank">
+                <a ng-href="{{app | applicationLink}}" ng-click="(app | installError) === true && showError(app)" target="_blank">
                     <div class="grid-item-top">
                         <div class="row">
                             <div class="col-xs-12 text-center" style="padding-left: 5px; padding-right: 5px;">

webadmin/src/views/apps.js

@@ -1,4 +1,5 @@
 /* global ISTATES:false */
+/* global HSTATES:false */
 
 'use strict';
 
@@ -40,6 +41,10 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         password: ''
     };
 
+    $scope.appError = {
+        app: {}
+    };
+
     $scope.appUpdate = {
         busy: false,
         error: {},
@@ -201,6 +206,16 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         });
     };
 
+    $scope.showError = function (app) {
+        $scope.reset();
+
+        $scope.appError.app = app;
+
+        $('#appErrorModal').modal('show');
+
+        return false; // prevent propagation and default
+    };
+
     $scope.showRestore = function (app) {
         $scope.reset();
 

webadmin/src/views/certs.html

@@ -65,7 +65,7 @@
             <form name="defaultCertForm" ng-submit="setDefaultCert()">
                 <fieldset>
                     <label class="control-label" for="defaultCertInput">Fallback Certificate</label>
-                    <p>This certificate has to be wildcard certificates and will be used for all apps, which were not configured to use a specific certificate.</p>
+                    <p>A wildcard certificate that will be used for apps installed without a specific certificate.</p>
                     <div class="has-error text-center" ng-show="defaultCert.error">{{ defaultCert.error }}</div>
                     <div class="text-success text-center" ng-show="defaultCert.success"><b>Upload successful</b></div>
                     <div class="form-group" ng-class="{ 'has-error': (!defaultCert.cert.$dirty && defaultCert.error) }">