
test: Add TLS tracking integration test

author Alberto Bertogli
2018-06-02 10:30:17 UTC
committer Alberto Bertogli
2018-06-02 18:31:28 UTC
parent 4373f56a82b15643d000f0d313f1cce8e7c9eda9

test: Add TLS tracking integration test

This patch adds a new test, which verifies the TLS tracking.

Because we need to simulate SPF records, and Go does not support fully
intercepting DNS lookups yet, this test relies on dnsmasq to provide a
DNS resolver.

In the future, once Go supports DNS lookup interception, we can get rid
of this additional dependency.

dnsoverride.go +36 -0
test/Dockerfile +4 -0
test/cover.sh +2 -0
test/t-14-tls_tracking/A/chasquid.conf +10 -0
test/t-14-tls_tracking/A/domains/srv-A/.keep +0 -0
test/t-14-tls_tracking/B/chasquid.conf +10 -0
test/t-14-tls_tracking/B/domains/srv-B/.keep +0 -0
test/t-14-tls_tracking/config/chasquid.conf +10 -0
test/t-14-tls_tracking/content +4 -0
test/t-14-tls_tracking/dnsmasq.conf +24 -0
test/t-14-tls_tracking/hosts +2 -0
test/t-14-tls_tracking/msmtprc +14 -0
test/t-14-tls_tracking/run.sh +83 -0
test/util/lib.sh +4 -3

diff --git a/dnsoverride.go b/dnsoverride.go
new file mode 100644
index 0000000..02972a5
--- /dev/null
+++ b/dnsoverride.go
@@ -0,0 +1,36 @@
+// Support for overriding DNS lookups, for testing purposes.
+// This is only used in tests, when the "dnsoverride" tag is active.
+// It requires Go >= 1.8.
+//
+// +build dnsoverride
+
+package main
+
+import (
+	"context"
+	"flag"
+	"net"
+	"time"
+)
+
+var (
+	dnsAddr = flag.String("testing__dns_addr", "127.0.0.1:9053",
+		"DNS server address to use, for testing purposes only")
+)
+
+var dialer = &net.Dialer{
+	// We're going to talk to localhost, so have a short timeout so we fail
+	// fast. Otherwise the callers might hang indefinitely when trying to
+	// dial the DNS server.
+	Timeout: 2 * time.Second,
+}
+
+func dial(ctx context.Context, network, address string) (net.Conn, error) {
+	return dialer.DialContext(ctx, network, *dnsAddr)
+}
+
+func init() {
+	// Override the resolver to talk with our local server for testing.
+	net.DefaultResolver.PreferGo = true
+	net.DefaultResolver.Dial = dial
+}
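Review bot: `dial` silently discards its `address` argument, which is the whole point of the override but is stated nowhere; a doc comment such as `// dial ignores address and always connects to *dnsAddr, so every lookup made through net.DefaultResolver (not only the SPF/MX ones) is answered by the test server.` would make the scope of the hook explicit. The `init` comment could also note that `PreferGo = true` is what makes the `Dial` hook take effect, since only Go's built-in resolver consults it. The header says the file needs Go >= 1.8; the release tag could enforce that at build time (`// +build dnsoverride,go1.8`) instead of relying solely on the version check in run.sh, though an older toolchain would then produce a binary without the `testing__dns_addr` flag, so run.sh's skip would still be needed.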
diff --git a/test/Dockerfile b/test/Dockerfile
index 8f61212..41c0d5d 100644
--- a/test/Dockerfile
+++ b/test/Dockerfile
@@ -29,6 +29,10 @@ RUN apt-get install -y -q gettext-base dovecot-imapd
 RUN apt-get install -y -q exim4-daemon-light
 RUN cd test/t-02-exim && mkdir -p .exim4 && ln -s /usr/sbin/exim4 .exim4/
 
+# Packages for the (optional) TLS tracking test.
+RUN apt-get install -y -q dnsmasq
+
+
 RUN go get -d ./...
 RUN go install ./...
 
diff --git a/test/cover.sh b/test/cover.sh
index d64b0eb..657f21e 100755
--- a/test/cover.sh
+++ b/test/cover.sh
@@ -42,6 +42,8 @@ go run "${UTILDIR}/gocovcat.go" .coverage/*.out \
 go tool cover -func="$COVER_DIR/all.out" | sort -k 3 -n > "$COVER_DIR/func.txt"
 go tool cover -html="$COVER_DIR/all.out" -o "$COVER_DIR/chasquid.html"
 
+echo
+grep total .coverage/func.txt
 echo
 echo "Coverage report can be found in:"
 echo file://$COVER_DIR/chasquid.html
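Review bot: The added `grep total .coverage/func.txt` hard-codes the report path while the surrounding lines derive it from `$COVER_DIR`, so the two silently diverge if that variable is ever pointed elsewhere; use `grep total "$COVER_DIR/func.txt"`. COVER_DIR is defined outside the hunk and, judging by the `.coverage/*.out` glob on the hunk header line, presumably resolves to `.coverage` today, so the line happens to work.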
diff --git a/test/t-14-tls_tracking/A/chasquid.conf b/test/t-14-tls_tracking/A/chasquid.conf
new file mode 100644
index 0000000..3120200
--- /dev/null
+++ b/test/t-14-tls_tracking/A/chasquid.conf
@@ -0,0 +1,10 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+submission_over_tls_address: ":1465"
+monitoring_address: ":1099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-A"
+mail_log_path: "../.logs-A/mail_log"
diff --git a/test/t-14-tls_tracking/A/domains/srv-A/.keep b/test/t-14-tls_tracking/A/domains/srv-A/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/test/t-14-tls_tracking/B/chasquid.conf b/test/t-14-tls_tracking/B/chasquid.conf
new file mode 100644
index 0000000..7cd0d88
--- /dev/null
+++ b/test/t-14-tls_tracking/B/chasquid.conf
@@ -0,0 +1,10 @@
+smtp_address: ":2025"
+submission_address: ":2587"
+submission_over_tls_address: ":2465"
+monitoring_address: ":2099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-B"
+mail_log_path: "../.logs-B/mail_log"
diff --git a/test/t-14-tls_tracking/B/domains/srv-B/.keep b/test/t-14-tls_tracking/B/domains/srv-B/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/test/t-14-tls_tracking/config/chasquid.conf b/test/t-14-tls_tracking/config/chasquid.conf
new file mode 100644
index 0000000..cf76e8a
--- /dev/null
+++ b/test/t-14-tls_tracking/config/chasquid.conf
@@ -0,0 +1,10 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+submission_over_tls_address: ":1465"
+monitoring_address: ":1099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data"
+mail_log_path: "../.logs/mail_log"
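Review bot: Nothing in the new run.sh references this `config/` directory — both servers are started with `--config_dir=A` and `--config_dir=B` — and it repeats A's listen ports (`:1025`, `:1587`, `:1465`, `:1099`), so it reads as a leftover copy from another test. If the lib.sh helpers (not in this diff) default `CONFDIR` to `config`, a one-line comment at the top of the file saying which helper needs it would make that clear; otherwise dropping the file avoids a third configuration that could be started by mistake on A's ports.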
diff --git a/test/t-14-tls_tracking/content b/test/t-14-tls_tracking/content
new file mode 100644
index 0000000..76a8b16
--- /dev/null
+++ b/test/t-14-tls_tracking/content
@@ -0,0 +1,4 @@
+Subject: Prueba desde el test
+
+Crece desde el test el futuro
+Crece desde el test
diff --git a/test/t-14-tls_tracking/dnsmasq.conf b/test/t-14-tls_tracking/dnsmasq.conf
new file mode 100644
index 0000000..2b69bb1
--- /dev/null
+++ b/test/t-14-tls_tracking/dnsmasq.conf
@@ -0,0 +1,24 @@
+# Configuration for dnsmasq, for testing purposes.
+
+interface=lo
+port=9053
+no-resolv
+no-poll
+no-hosts
+
+log-queries
+
+# Note we need both ipv4 and ipv6 A record because some test environments may
+# not support one or the other.
+
+# srv-a zone
+address=/srv-a/::1
+address=/srv-a/127.0.0.1
+mx-host=srv-a,srv-a,10
+txt-record=srv-a,"v=spf1 a"
+
+# srv-b zone
+address=/srv-b/::1
+address=/srv-b/127.0.0.1
+mx-host=srv-b,srv-b,10
+txt-record=srv-b,"v=spf1 a"
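Review bot: `interface=lo` alone makes dnsmasq bind the wildcard address and merely discard queries arriving on other interfaces; adding `bind-interfaces` below `port=9053` restricts the socket to the loopback addresses, so the test resolver is never reachable off-host and cannot collide with another listener on 9053. The comment about needing "both ipv4 and ipv6 A record" is slightly off, since the `::1` entry is an AAAA record; `# Note we need both an A (IPv4) and an AAAA (IPv6) record because some test environments may not support one or the other.` would be precise. The `v=spf1 a` records carry no trailing `-all`/`~all`, which is fine for a pass-path test but worth a short comment so they are not copied as a real-world example.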
diff --git a/test/t-14-tls_tracking/hosts b/test/t-14-tls_tracking/hosts
new file mode 100644
index 0000000..b2ae8db
--- /dev/null
+++ b/test/t-14-tls_tracking/hosts
@@ -0,0 +1,2 @@
+srv-A localhost
+srv-B localhost
diff --git a/test/t-14-tls_tracking/msmtprc b/test/t-14-tls_tracking/msmtprc
new file mode 100644
index 0000000..a46c7eb
--- /dev/null
+++ b/test/t-14-tls_tracking/msmtprc
@@ -0,0 +1,14 @@
+account default
+
+host srv-A
+port 1587
+
+tls on
+tls_trust_file A/certs/srv-A/fullchain.pem
+
+from userA@srv-A
+
+auth on
+user userA@srv-A
+password userA
+
diff --git a/test/t-14-tls_tracking/run.sh b/test/t-14-tls_tracking/run.sh
new file mode 100755
index 0000000..2fd25ef
--- /dev/null
+++ b/test/t-14-tls_tracking/run.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# Test TLS tracking features, which require faking SPF.
+
+set -e
+. $(dirname ${0})/../util/lib.sh
+
+init
+
+if ! dnsmasq --version > /dev/null; then
+        skip "dnsmasq binary is not functional"
+        exit 0
+fi
+
+# To fake SPF we need to override the resolver, which is only supported in Go
+# >= 1.8, so this test depends on that version.
+# TODO: remove this once we only support go >= 1.8.
+MAJOR=$(go version | sed 's/.*go\([0-9]\)\..*/\1/')
+MINOR=$(go version | sed 's/.*go[0-9]\.\([0-9]\+\).*/\1/')
+DEVEL=$(go version | sed 's/.* devel .*/devel/g')
+if [ "$DEVEL" != "devel" ] && [ "$MAJOR" -eq 1 ] && [ "$MINOR" -le 7 ]; then
+	skip "go version ($MAJOR.$MINOR) too old to run this test"
+fi
+
+# Build with the DNS override, so we can fake DNS records.
+export GOTAGS="dnsoverride"
+
+# Launch dnsmasq in the background using our configuration.
+# We run with -d as it takes care of a lot of options (log file, pid file,
+# etc.) for our use case.
+# It listens on localhost:9053 as  configuration.
+dnsmasq --conf-file=dnsmasq.conf -d >> .dnsmasq.log 2>&1 &
+
+
+# Two chasquid servers:
+# A - listens on :1025, hosts srv-A
+# B - listens on :2025, hosts srv-B
+
+CONFDIR=A generate_certs_for srv-A
+CONFDIR=A add_user userA@srv-A userA
+
+CONFDIR=B generate_certs_for srv-B
+CONFDIR=B add_user userB@srv-B userB
+
+rm -rf .data-A .data-B .mail .certs
+mkdir -p .logs-A .logs-B .mail .certs
+
+# Put public certs in .certs, and use it as our trusted cert dir.
+cp A/certs/srv-A/fullchain.pem .certs/srv-a.pem
+cp B/certs/srv-B/fullchain.pem .certs/srv-b.pem
+export SSL_CERT_DIR=$PWD/.certs/
+
+chasquid -v=2 --logfile=.logs-A/chasquid.log --config_dir=A \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__max_received_headers=5 \
+	--testing__outgoing_smtp_port=2025 &
+chasquid -v=2 --logfile=.logs-B/chasquid.log --config_dir=B \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__outgoing_smtp_port=1025 &
+
+wait_until_ready 1025
+wait_until_ready 2025
+wait_until_ready 9053
+
+run_msmtp userB@srv-B < content
+
+wait_for_file .mail/userb@srv-b
+mail_diff content .mail/userb@srv-b
+
+# A should have a secure outgoing connection to srv-b.
+if ! grep -q "outgoing_sec_level: TLS_SECURE" ".data-A/domaininfo/s:srv-b";
+then
+	fail "A is missing the domaininfo for srv-b"
+fi
+
+# B should have a secure incoming connection from srv-a.
+if ! grep -q "incoming_sec_level: TLS_CLIENT" ".data-B/domaininfo/s:srv-a";
+then
+	fail "B is missing the domaininfo for srv-a"
+fi
+
+success
+
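Review bot: The dnsmasq launched in the background by `dnsmasq --conf-file=dnsmasq.conf -d >> .dnsmasq.log 2>&1 &` is never stopped, so it outlives the test and the next run either fails to bind port 9053 or is silently served by the stale instance; capture `DNSMASQ_PID=$!` on the following line and add `trap 'kill $DNSMASQ_PID' EXIT` so it is torn down on both `success` and `fail` (whether lib.sh already cleans up the backgrounded chasquid processes is outside this diff). The availability probe `if ! dnsmasq --version > /dev/null; then` still prints "command not found" to stderr when the binary is absent; `> /dev/null 2>&1` keeps the skip quiet. That branch also calls `exit 0` after `skip` while the go-version branch does not, so if `skip` (defined in lib.sh, not shown here) does not exit on its own, an old toolchain falls through into the test. The probe's body is indented with spaces where the rest of the script uses tabs.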
diff --git a/test/util/lib.sh b/test/util/lib.sh
index 6e1b4ea..3c86ac5 100644
--- a/test/util/lib.sh
+++ b/test/util/lib.sh
@@ -11,7 +11,7 @@ function init() {
 	cd ${TBASE}
 
 	if [ "${RACE}" == "1" ]; then
-		RACE="-race"
+		GOFLAGS="$GOFLAGS -race"
 	fi
 
 	# Remove the directory where test-mda will deliver mail, so previous
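Review bot: `GOFLAGS` is also the name of the environment variable the go tool itself reads (Go 1.11 and later), so when a caller's environment exports it the assignment `GOFLAGS="$GOFLAGS -race"` keeps it exported and the same flags are applied twice — once by the tool from the environment and once from the explicit `go build $GOFLAGS -tags="$GOTAGS" .` and `go test ... -tags="coveragebin $GOTAGS" $GOFLAGS` in the two following hunks; harmless for `-race`, but confusing to debug and easy to misread. A script-local name such as `BUILDFLAGS` in all three places avoids the collision. The enclosing functions `init`, `chasquid` and `chasquid_cover` each extend beyond their hunk.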
@@ -30,7 +30,7 @@ function chasquid() {
 		return
 	fi
 
-	( cd ${TBASE}/../../; go build ${RACE} . )
+	( cd ${TBASE}/../../; go build $GOFLAGS -tags="$GOTAGS" . )
 
 	# HOSTALIASES: so we "fake" hostnames.
 	# PATH: so chasquid can call test-mda without path issues.
@@ -45,7 +45,8 @@ function chasquid_cover() {
 	# Build the coverage-enabled binary.
 	# See coverage_test.go for more details.
 	( cd ${TBASE}/../../;
-	  go test -covermode=count -coverpkg=./... -c -tags coveragebin )
+	  go test -covermode=count -coverpkg=./... -c \
+		  -tags="coveragebin $GOTAGS" $GOFLAGS )
 
 	# Run the coverage-enabled binary, named "chasquid.test" for hacky
 	# reasons.  See the chasquid function above for details on the