From 029bca7013bf0f3610985c20c6afd6ba03dd0269 Mon Sep 17 00:00:00 2001 From: Alberto Bertogli Date: Sat, 2 Jun 2018 11:30:17 +0100 Subject: [PATCH] test: Add TLS tracking integration test This patch adds a new test, which verifies the TLS tracking. Because we need to simulate SPF records, and Go does not support fully intercepting DNS lookups yet, this test relies on dnsmasq to provide a DNS resolver. In the future, once Go supports DNS lookup interception, we can get rid of this additional dependency. --- dnsoverride.go | 36 +++++++++ test/Dockerfile | 4 + test/cover.sh | 2 + test/t-14-tls_tracking/A/chasquid.conf | 10 +++ test/t-14-tls_tracking/A/domains/srv-A/.keep | 0 test/t-14-tls_tracking/B/chasquid.conf | 10 +++ test/t-14-tls_tracking/B/domains/srv-B/.keep | 0 test/t-14-tls_tracking/config/chasquid.conf | 10 +++ test/t-14-tls_tracking/content | 4 + test/t-14-tls_tracking/dnsmasq.conf | 24 ++++++ test/t-14-tls_tracking/hosts | 2 + test/t-14-tls_tracking/msmtprc | 14 ++++ test/t-14-tls_tracking/run.sh | 83 ++++++++++++++++++++ test/util/lib.sh | 7 +- 14 files changed, 203 insertions(+), 3 deletions(-) create mode 100644 dnsoverride.go create mode 100644 test/t-14-tls_tracking/A/chasquid.conf create mode 100644 test/t-14-tls_tracking/A/domains/srv-A/.keep create mode 100644 test/t-14-tls_tracking/B/chasquid.conf create mode 100644 test/t-14-tls_tracking/B/domains/srv-B/.keep create mode 100644 test/t-14-tls_tracking/config/chasquid.conf create mode 100644 test/t-14-tls_tracking/content create mode 100644 test/t-14-tls_tracking/dnsmasq.conf create mode 100644 test/t-14-tls_tracking/hosts create mode 100644 test/t-14-tls_tracking/msmtprc create mode 100755 test/t-14-tls_tracking/run.sh diff --git a/dnsoverride.go b/dnsoverride.go new file mode 100644 index 0000000..02972a5 --- /dev/null +++ b/dnsoverride.go @@ -0,0 +1,36 @@ +// Support for overriding DNS lookups, for testing purposes. +// This is only used in tests, when the "dnsoverride" tag is active. +// It requires Go >= 1.8. +// +// +build dnsoverride + +package main + +import ( + "context" + "flag" + "net" + "time" +) + +var ( + dnsAddr = flag.String("testing__dns_addr", "127.0.0.1:9053", + "DNS server address to use, for testing purposes only") +) + +var dialer = &net.Dialer{ + // We're going to talk to localhost, so have a short timeout so we fail + // fast. Otherwise the callers might hang indefinitely when trying to + // dial the DNS server. + Timeout: 2 * time.Second, +} + +func dial(ctx context.Context, network, address string) (net.Conn, error) { + return dialer.DialContext(ctx, network, *dnsAddr) +} + +func init() { + // Override the resolver to talk with our local server for testing. + net.DefaultResolver.PreferGo = true + net.DefaultResolver.Dial = dial +} diff --git a/test/Dockerfile b/test/Dockerfile index 8f61212..41c0d5d 100644 --- a/test/Dockerfile +++ b/test/Dockerfile @@ -29,6 +29,10 @@ RUN apt-get install -y -q gettext-base dovecot-imapd RUN apt-get install -y -q exim4-daemon-light RUN cd test/t-02-exim && mkdir -p .exim4 && ln -s /usr/sbin/exim4 .exim4/ +# Packages for the (optional) TLS tracking test. +RUN apt-get install -y -q dnsmasq + + RUN go get -d ./... RUN go install ./... diff --git a/test/cover.sh b/test/cover.sh index d64b0eb..657f21e 100755 --- a/test/cover.sh +++ b/test/cover.sh @@ -42,6 +42,8 @@ go run "${UTILDIR}/gocovcat.go" .coverage/*.out \ go tool cover -func="$COVER_DIR/all.out" | sort -k 3 -n > "$COVER_DIR/func.txt" go tool cover -html="$COVER_DIR/all.out" -o "$COVER_DIR/chasquid.html" +echo +grep total .coverage/func.txt echo echo "Coverage report can be found in:" echo file://$COVER_DIR/chasquid.html diff --git a/test/t-14-tls_tracking/A/chasquid.conf b/test/t-14-tls_tracking/A/chasquid.conf new file mode 100644 index 0000000..3120200 --- /dev/null +++ b/test/t-14-tls_tracking/A/chasquid.conf @@ -0,0 +1,10 @@ +smtp_address: ":1025" +submission_address: ":1587" +submission_over_tls_address: ":1465" +monitoring_address: ":1099" + +mail_delivery_agent_bin: "test-mda" +mail_delivery_agent_args: "%to%" + +data_dir: "../.data-A" +mail_log_path: "../.logs-A/mail_log" diff --git a/test/t-14-tls_tracking/A/domains/srv-A/.keep b/test/t-14-tls_tracking/A/domains/srv-A/.keep new file mode 100644 index 0000000..e69de29 diff --git a/test/t-14-tls_tracking/B/chasquid.conf b/test/t-14-tls_tracking/B/chasquid.conf new file mode 100644 index 0000000..7cd0d88 --- /dev/null +++ b/test/t-14-tls_tracking/B/chasquid.conf @@ -0,0 +1,10 @@ +smtp_address: ":2025" +submission_address: ":2587" +submission_over_tls_address: ":2465" +monitoring_address: ":2099" + +mail_delivery_agent_bin: "test-mda" +mail_delivery_agent_args: "%to%" + +data_dir: "../.data-B" +mail_log_path: "../.logs-B/mail_log" diff --git a/test/t-14-tls_tracking/B/domains/srv-B/.keep b/test/t-14-tls_tracking/B/domains/srv-B/.keep new file mode 100644 index 0000000..e69de29 diff --git a/test/t-14-tls_tracking/config/chasquid.conf b/test/t-14-tls_tracking/config/chasquid.conf new file mode 100644 index 0000000..cf76e8a --- /dev/null +++ b/test/t-14-tls_tracking/config/chasquid.conf @@ -0,0 +1,10 @@ +smtp_address: ":1025" +submission_address: ":1587" +submission_over_tls_address: ":1465" +monitoring_address: ":1099" + +mail_delivery_agent_bin: "test-mda" +mail_delivery_agent_args: "%to%" + +data_dir: "../.data" +mail_log_path: "../.logs/mail_log" diff --git a/test/t-14-tls_tracking/content b/test/t-14-tls_tracking/content new file mode 100644 index 0000000..76a8b16 --- /dev/null +++ b/test/t-14-tls_tracking/content @@ -0,0 +1,4 @@ +Subject: Prueba desde el test + +Crece desde el test el futuro +Crece desde el test diff --git a/test/t-14-tls_tracking/dnsmasq.conf b/test/t-14-tls_tracking/dnsmasq.conf new file mode 100644 index 0000000..2b69bb1 --- /dev/null +++ b/test/t-14-tls_tracking/dnsmasq.conf @@ -0,0 +1,24 @@ +# Configuration for dnsmasq, for testing purposes. + +interface=lo +port=9053 +no-resolv +no-poll +no-hosts + +log-queries + +# Note we need both ipv4 and ipv6 A record because some test environments may +# not support one or the other. + +# srv-a zone +address=/srv-a/::1 +address=/srv-a/127.0.0.1 +mx-host=srv-a,srv-a,10 +txt-record=srv-a,"v=spf1 a" + +# srv-b zone +address=/srv-b/::1 +address=/srv-b/127.0.0.1 +mx-host=srv-b,srv-b,10 +txt-record=srv-b,"v=spf1 a" diff --git a/test/t-14-tls_tracking/hosts b/test/t-14-tls_tracking/hosts new file mode 100644 index 0000000..b2ae8db --- /dev/null +++ b/test/t-14-tls_tracking/hosts @@ -0,0 +1,2 @@ +srv-A localhost +srv-B localhost diff --git a/test/t-14-tls_tracking/msmtprc b/test/t-14-tls_tracking/msmtprc new file mode 100644 index 0000000..a46c7eb --- /dev/null +++ b/test/t-14-tls_tracking/msmtprc @@ -0,0 +1,14 @@ +account default + +host srv-A +port 1587 + +tls on +tls_trust_file A/certs/srv-A/fullchain.pem + +from userA@srv-A + +auth on +user userA@srv-A +password userA + diff --git a/test/t-14-tls_tracking/run.sh b/test/t-14-tls_tracking/run.sh new file mode 100755 index 0000000..2fd25ef --- /dev/null +++ b/test/t-14-tls_tracking/run.sh @@ -0,0 +1,83 @@ +#!/bin/bash + +# Test TLS tracking features, which require faking SPF. + +set -e +. $(dirname ${0})/../util/lib.sh + +init + +if ! dnsmasq --version > /dev/null; then + skip "dnsmasq binary is not functional" + exit 0 +fi + +# To fake SPF we need to override the resolver, which is only supported in Go +# >= 1.8, so this test depends on that version. +# TODO: remove this once we only support go >= 1.8. +MAJOR=$(go version | sed 's/.*go\([0-9]\)\..*/\1/') +MINOR=$(go version | sed 's/.*go[0-9]\.\([0-9]\+\).*/\1/') +DEVEL=$(go version | sed 's/.* devel .*/devel/g') +if [ "$DEVEL" != "devel" ] && [ "$MAJOR" -eq 1 ] && [ "$MINOR" -le 7 ]; then + skip "go version ($MAJOR.$MINOR) too old to run this test" +fi + +# Build with the DNS override, so we can fake DNS records. +export GOTAGS="dnsoverride" + +# Launch dnsmasq in the background using our configuration. +# We run with -d as it takes care of a lot of options (log file, pid file, +# etc.) for our use case. +# It listens on localhost:9053 as configuration. +dnsmasq --conf-file=dnsmasq.conf -d >> .dnsmasq.log 2>&1 & + + +# Two chasquid servers: +# A - listens on :1025, hosts srv-A +# B - listens on :2025, hosts srv-B + +CONFDIR=A generate_certs_for srv-A +CONFDIR=A add_user userA@srv-A userA + +CONFDIR=B generate_certs_for srv-B +CONFDIR=B add_user userB@srv-B userB + +rm -rf .data-A .data-B .mail .certs +mkdir -p .logs-A .logs-B .mail .certs + +# Put public certs in .certs, and use it as our trusted cert dir. +cp A/certs/srv-A/fullchain.pem .certs/srv-a.pem +cp B/certs/srv-B/fullchain.pem .certs/srv-b.pem +export SSL_CERT_DIR=$PWD/.certs/ + +chasquid -v=2 --logfile=.logs-A/chasquid.log --config_dir=A \ + --testing__dns_addr=127.0.0.1:9053 \ + --testing__max_received_headers=5 \ + --testing__outgoing_smtp_port=2025 & +chasquid -v=2 --logfile=.logs-B/chasquid.log --config_dir=B \ + --testing__dns_addr=127.0.0.1:9053 \ + --testing__outgoing_smtp_port=1025 & + +wait_until_ready 1025 +wait_until_ready 2025 +wait_until_ready 9053 + +run_msmtp userB@srv-B < content + +wait_for_file .mail/userb@srv-b +mail_diff content .mail/userb@srv-b + +# A should have a secure outgoing connection to srv-b. +if ! grep -q "outgoing_sec_level: TLS_SECURE" ".data-A/domaininfo/s:srv-b"; +then + fail "A is missing the domaininfo for srv-b" +fi + +# B should have a secure incoming connection from srv-a. +if ! grep -q "incoming_sec_level: TLS_CLIENT" ".data-B/domaininfo/s:srv-a"; +then + fail "B is missing the domaininfo for srv-a" +fi + +success + diff --git a/test/util/lib.sh b/test/util/lib.sh index 6e1b4ea..3c86ac5 100644 --- a/test/util/lib.sh +++ b/test/util/lib.sh @@ -11,7 +11,7 @@ function init() { cd ${TBASE} if [ "${RACE}" == "1" ]; then - RACE="-race" + GOFLAGS="$GOFLAGS -race" fi # Remove the directory where test-mda will deliver mail, so previous @@ -30,7 +30,7 @@ function chasquid() { return fi - ( cd ${TBASE}/../../; go build ${RACE} . ) + ( cd ${TBASE}/../../; go build $GOFLAGS -tags="$GOTAGS" . ) # HOSTALIASES: so we "fake" hostnames. # PATH: so chasquid can call test-mda without path issues. @@ -45,7 +45,8 @@ function chasquid_cover() { # Build the coverage-enabled binary. # See coverage_test.go for more details. ( cd ${TBASE}/../../; - go test -covermode=count -coverpkg=./... -c -tags coveragebin ) + go test -covermode=count -coverpkg=./... -c \ + -tags="coveragebin $GOTAGS" $GOFLAGS ) # Run the coverage-enabled binary, named "chasquid.test" for hacky # reasons. See the chasquid function above for details on the