mirror of
https://github.com/foxcpp/maddy.git
synced 2025-04-05 05:57:39 +03:00
9915c8a881
Allows to use macro expansion like $(local_domains) to configure DKIM for all domains. Closes #199.
237 lines
6.4 KiB
Go
237 lines
6.4 KiB
Go
package dkim
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"io/ioutil"
|
|
"net"
|
|
"os"
|
|
"path/filepath"
|
|
"reflect"
|
|
"sort"
|
|
"testing"
|
|
|
|
"github.com/emersion/go-message/textproto"
|
|
"github.com/emersion/go-msgauth/dkim"
|
|
"github.com/foxcpp/go-mockdns"
|
|
"github.com/foxcpp/maddy/internal/buffer"
|
|
"github.com/foxcpp/maddy/internal/config"
|
|
"github.com/foxcpp/maddy/internal/module"
|
|
"github.com/foxcpp/maddy/internal/testutils"
|
|
)
|
|
|
|
func newTestModifier(t *testing.T, dir, keyAlgo string, domains []string) *Modifier {
|
|
mod, err := New("", "test", nil, nil)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
m := mod.(*Modifier)
|
|
m.log = testutils.Logger(t, m.Name())
|
|
|
|
err = m.Init(config.NewMap(nil, config.Node{
|
|
Children: []config.Node{
|
|
{
|
|
Name: "domains",
|
|
Args: domains,
|
|
},
|
|
{
|
|
Name: "selector",
|
|
Args: []string{"default"},
|
|
},
|
|
{
|
|
Name: "key_path",
|
|
Args: []string{filepath.Join(dir, "{domain}.key")},
|
|
},
|
|
{
|
|
Name: "require_sender_match",
|
|
Args: []string{"off"},
|
|
},
|
|
{
|
|
Name: "newkey_algo",
|
|
Args: []string{keyAlgo},
|
|
},
|
|
},
|
|
}))
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
return m
|
|
}
|
|
|
|
func signTestMsg(t *testing.T, m *Modifier, envelopeFrom string) (textproto.Header, []byte) {
|
|
t.Helper()
|
|
|
|
state, err := m.ModStateForMsg(context.Background(), &module.MsgMetadata{})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
testHdr := textproto.Header{}
|
|
testHdr.Add("From", "<hello@hello>")
|
|
testHdr.Add("Subject", "heya")
|
|
testHdr.Add("To", "<heya@heya>")
|
|
body := []byte("hello there\r\n")
|
|
|
|
// sign_dkim expects RewriteSender to be called to get envelope sender
|
|
// (see module.Modifier docs)
|
|
state.RewriteSender(context.Background(), envelopeFrom)
|
|
err = state.RewriteBody(context.Background(), &testHdr, buffer.MemoryBuffer{Slice: body})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
return testHdr, body
|
|
}
|
|
|
|
func verifyTestMsg(t *testing.T, keysPath string, expectedDomains []string, hdr textproto.Header, body []byte) {
|
|
t.Helper()
|
|
|
|
domainsMap := make(map[string]bool)
|
|
zones := map[string]mockdns.Zone{}
|
|
for _, domain := range expectedDomains {
|
|
dnsRecord, err := ioutil.ReadFile(filepath.Join(keysPath, domain+".dns"))
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
t.Log("DNS record:", string(dnsRecord))
|
|
zones["default._domainkey."+domain+"."] = mockdns.Zone{TXT: []string{string(dnsRecord)}}
|
|
domainsMap[domain] = false
|
|
}
|
|
|
|
// dkim.Verify does not allow to override its lookup routine, so we have to
|
|
// hjack the global resolver object.
|
|
srv, err := mockdns.NewServer(zones)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
defer srv.Close()
|
|
srv.PatchNet(net.DefaultResolver)
|
|
defer mockdns.UnpatchNet(net.DefaultResolver)
|
|
|
|
var fullBody bytes.Buffer
|
|
if err := textproto.WriteHeader(&fullBody, hdr); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if _, err := fullBody.Write(body); err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
verifs, err := dkim.Verify(bytes.NewReader(fullBody.Bytes()))
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
for _, v := range verifs {
|
|
if v.Err != nil {
|
|
t.Errorf("Verification error for %s: %v", v.Domain, v.Err)
|
|
}
|
|
if _, ok := domainsMap[v.Domain]; !ok {
|
|
t.Errorf("Unexpected verification for domain %s", v.Domain)
|
|
}
|
|
|
|
domainsMap[v.Domain] = true
|
|
}
|
|
for domain, ok := range domainsMap {
|
|
if !ok {
|
|
t.Errorf("Missing verification for domain %s", domain)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestGenerateSignVerify(t *testing.T) {
|
|
// This test verifies whether a freshly generated key can be used for
|
|
// signing and verification.
|
|
//
|
|
// It is a kind of "integration" test for DKIM modifier, as it tests
|
|
// whether everything works correctly together.
|
|
//
|
|
// Additionally it also tests whether key selection works correctly.
|
|
|
|
test := func(domains []string, envelopeFrom string, expectDomain []string, keyAlgo string, headerCanon, bodyCanon dkim.Canonicalization, reload bool) {
|
|
t.Helper()
|
|
|
|
dir, err := ioutil.TempDir("", "maddy-tests-dkim-")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
defer os.RemoveAll(dir)
|
|
|
|
m := newTestModifier(t, dir, keyAlgo, domains)
|
|
if reload {
|
|
m = newTestModifier(t, dir, keyAlgo, domains)
|
|
}
|
|
|
|
testHdr, body := signTestMsg(t, m, envelopeFrom)
|
|
verifyTestMsg(t, dir, expectDomain, testHdr, body)
|
|
|
|
}
|
|
|
|
for _, algo := range [2]string{"rsa2048", "ed25519"} {
|
|
for _, hdrCanon := range [2]dkim.Canonicalization{dkim.CanonicalizationSimple, dkim.CanonicalizationRelaxed} {
|
|
for _, bodyCanon := range [2]dkim.Canonicalization{dkim.CanonicalizationSimple, dkim.CanonicalizationRelaxed} {
|
|
test([]string{"maddy.test"}, "test@maddy.test", []string{"maddy.test"}, algo, hdrCanon, bodyCanon, false)
|
|
test([]string{"maddy.test"}, "test@maddy.test", []string{"maddy.test"}, algo, hdrCanon, bodyCanon, true)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Key selection tests
|
|
test(
|
|
[]string{"maddy.test"}, // Generated keys.
|
|
"test@maddy.test", // Envelope sender.
|
|
[]string{"maddy.test"}, // Expected signature domains.
|
|
"ed25519", dkim.CanonicalizationRelaxed, dkim.CanonicalizationRelaxed, false)
|
|
test(
|
|
[]string{"maddy.test"},
|
|
"test@unrelated.maddy.test",
|
|
[]string{},
|
|
"ed25519", dkim.CanonicalizationRelaxed, dkim.CanonicalizationRelaxed, false)
|
|
test(
|
|
[]string{"maddy.test", "related.maddy.test"},
|
|
"test@related.maddy.test",
|
|
[]string{"related.maddy.test"},
|
|
"ed25519", dkim.CanonicalizationRelaxed, dkim.CanonicalizationRelaxed, false)
|
|
test(
|
|
[]string{"fallback.maddy.test", "maddy.test"},
|
|
"postmaster",
|
|
[]string{"fallback.maddy.test"},
|
|
"ed25519", dkim.CanonicalizationRelaxed, dkim.CanonicalizationRelaxed, false)
|
|
test(
|
|
[]string{"fallback.maddy.test", "maddy.test"},
|
|
"",
|
|
[]string{"fallback.maddy.test"},
|
|
"ed25519", dkim.CanonicalizationRelaxed, dkim.CanonicalizationRelaxed, false)
|
|
test(
|
|
[]string{"another.maddy.test", "another.maddy.test", "maddy.test"},
|
|
"test@another.maddy.test",
|
|
[]string{"another.maddy.test"},
|
|
"ed25519", dkim.CanonicalizationRelaxed, dkim.CanonicalizationRelaxed, false)
|
|
test(
|
|
[]string{"another.maddy.test", "another.maddy.test", "maddy.test"},
|
|
"",
|
|
[]string{"another.maddy.test"},
|
|
"ed25519", dkim.CanonicalizationRelaxed, dkim.CanonicalizationRelaxed, false)
|
|
}
|
|
|
|
func TestFieldsToSign(t *testing.T) {
|
|
h := textproto.Header{}
|
|
h.Add("A", "1")
|
|
h.Add("c", "2")
|
|
h.Add("C", "3")
|
|
h.Add("a", "4")
|
|
h.Add("b", "5")
|
|
h.Add("unrelated", "6")
|
|
|
|
m := Modifier{
|
|
oversignHeader: []string{"A", "B"},
|
|
signHeader: []string{"C"},
|
|
}
|
|
fields := m.fieldsToSign(&h)
|
|
sort.Strings(fields)
|
|
expected := []string{"A", "A", "A", "B", "B", "C", "C"}
|
|
|
|
if !reflect.DeepEqual(fields, expected) {
|
|
t.Errorf("incorrect set of fields to sign\nwant: %v\ngot: %v", expected, fields)
|
|
}
|
|
}
|