test: Add TLS tracking integration test

This patch adds a new test, which verifies the TLS tracking. Because we need to simulate SPF records, and Go does not support fully intercepting DNS lookups yet, this test relies on dnsmasq to provide a DNS resolver. In the future, once Go supports DNS lookup interception, we can get rid of this additional dependency.
2025-12-17 14:37:02 +00:00 · 2018-06-02 11:30:17 +01:00
parent 4373f56a82
commit 029bca7013
14 changed files with 203 additions and 3 deletions
--- a/test/t-14-tls_tracking/A/chasquid.conf
+++ b/test/t-14-tls_tracking/A/chasquid.conf
@@ -0,0 +1,10 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+submission_over_tls_address: ":1465"
+monitoring_address: ":1099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-A"
+mail_log_path: "../.logs-A/mail_log"
--- a/test/t-14-tls_tracking/A/domains/srv-A/.keep
+++ b/test/t-14-tls_tracking/A/domains/srv-A/.keep
--- a/test/t-14-tls_tracking/B/chasquid.conf
+++ b/test/t-14-tls_tracking/B/chasquid.conf
@@ -0,0 +1,10 @@
+smtp_address: ":2025"
+submission_address: ":2587"
+submission_over_tls_address: ":2465"
+monitoring_address: ":2099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-B"
+mail_log_path: "../.logs-B/mail_log"
--- a/test/t-14-tls_tracking/B/domains/srv-B/.keep
+++ b/test/t-14-tls_tracking/B/domains/srv-B/.keep
--- a/test/t-14-tls_tracking/config/chasquid.conf
+++ b/test/t-14-tls_tracking/config/chasquid.conf
@@ -0,0 +1,10 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+submission_over_tls_address: ":1465"
+monitoring_address: ":1099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data"
+mail_log_path: "../.logs/mail_log"
--- a/test/t-14-tls_tracking/content
+++ b/test/t-14-tls_tracking/content
@@ -0,0 +1,4 @@
+Subject: Prueba desde el test
+
+Crece desde el test el futuro
+Crece desde el test
--- a/test/t-14-tls_tracking/dnsmasq.conf
+++ b/test/t-14-tls_tracking/dnsmasq.conf
@@ -0,0 +1,24 @@
+# Configuration for dnsmasq, for testing purposes.
+
+interface=lo
+port=9053
+no-resolv
+no-poll
+no-hosts
+
+log-queries
+
+# Note we need both ipv4 and ipv6 A record because some test environments may
+# not support one or the other.
+
+# srv-a zone
+address=/srv-a/::1
+address=/srv-a/127.0.0.1
+mx-host=srv-a,srv-a,10
+txt-record=srv-a,"v=spf1 a"
+
+# srv-b zone
+address=/srv-b/::1
+address=/srv-b/127.0.0.1
+mx-host=srv-b,srv-b,10
+txt-record=srv-b,"v=spf1 a"
--- a/test/t-14-tls_tracking/hosts
+++ b/test/t-14-tls_tracking/hosts
@@ -0,0 +1,2 @@
+srv-A localhost
+srv-B localhost
--- a/test/t-14-tls_tracking/msmtprc
+++ b/test/t-14-tls_tracking/msmtprc
@@ -0,0 +1,14 @@
+account default
+
+host srv-A
+port 1587
+
+tls on
+tls_trust_file A/certs/srv-A/fullchain.pem
+
+from userA@srv-A
+
+auth on
+user userA@srv-A
+password userA
+
--- a/test/t-14-tls_tracking/run.sh
+++ b/test/t-14-tls_tracking/run.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# Test TLS tracking features, which require faking SPF.
+
+set -e
+. $(dirname ${0})/../util/lib.sh
+
+init
+
+if ! dnsmasq --version > /dev/null; then
+        skip "dnsmasq binary is not functional"
+        exit 0
+fi
+
+# To fake SPF we need to override the resolver, which is only supported in Go
+# >= 1.8, so this test depends on that version.
+# TODO: remove this once we only support go >= 1.8.
+MAJOR=$(go version | sed 's/.*go\([0-9]\)\..*/\1/')
+MINOR=$(go version | sed 's/.*go[0-9]\.\([0-9]\+\).*/\1/')
+DEVEL=$(go version | sed 's/.* devel .*/devel/g')
+if [ "$DEVEL" != "devel" ] && [ "$MAJOR" -eq 1 ] && [ "$MINOR" -le 7 ]; then
+	skip "go version ($MAJOR.$MINOR) too old to run this test"
+fi
+
+# Build with the DNS override, so we can fake DNS records.
+export GOTAGS="dnsoverride"
+
+# Launch dnsmasq in the background using our configuration.
+# We run with -d as it takes care of a lot of options (log file, pid file,
+# etc.) for our use case.
+# It listens on localhost:9053 as  configuration.
+dnsmasq --conf-file=dnsmasq.conf -d >> .dnsmasq.log 2>&1 &
+
+
+# Two chasquid servers:
+# A - listens on :1025, hosts srv-A
+# B - listens on :2025, hosts srv-B
+
+CONFDIR=A generate_certs_for srv-A
+CONFDIR=A add_user userA@srv-A userA
+
+CONFDIR=B generate_certs_for srv-B
+CONFDIR=B add_user userB@srv-B userB
+
+rm -rf .data-A .data-B .mail .certs
+mkdir -p .logs-A .logs-B .mail .certs
+
+# Put public certs in .certs, and use it as our trusted cert dir.
+cp A/certs/srv-A/fullchain.pem .certs/srv-a.pem
+cp B/certs/srv-B/fullchain.pem .certs/srv-b.pem
+export SSL_CERT_DIR=$PWD/.certs/
+
+chasquid -v=2 --logfile=.logs-A/chasquid.log --config_dir=A \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__max_received_headers=5 \
+	--testing__outgoing_smtp_port=2025 &
+chasquid -v=2 --logfile=.logs-B/chasquid.log --config_dir=B \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__outgoing_smtp_port=1025 &
+
+wait_until_ready 1025
+wait_until_ready 2025
+wait_until_ready 9053
+
+run_msmtp userB@srv-B < content
+
+wait_for_file .mail/userb@srv-b
+mail_diff content .mail/userb@srv-b
+
+# A should have a secure outgoing connection to srv-b.
+if ! grep -q "outgoing_sec_level: TLS_SECURE" ".data-A/domaininfo/s:srv-b";
+then
+	fail "A is missing the domaininfo for srv-b"
+fi
+
+# B should have a secure incoming connection from srv-a.
+if ! grep -q "incoming_sec_level: TLS_CLIENT" ".data-B/domaininfo/s:srv-a";
+then
+	fail "B is missing the domaininfo for srv-a"
+fi
+
+success
+