coppertone 0.0.1

data/spec/mechanism/mx_spec.rb

@@ -0,0 +1,51 @@
+require 'spec_helper'
+
+describe Coppertone::Mechanism::MX do
+  context '#new' do
+    it 'should not fail if called with a nil argument' do
+      mech = Coppertone::Mechanism::MX.new(nil)
+      expect(mech).not_to be_nil
+      expect(mech.domain_spec).to be_nil
+      expect(mech.ip_v4_cidr_length).to eq(32)
+      expect(mech.ip_v6_cidr_length).to eq(128)
+    end
+
+    it 'should not fail if called with a blank argument' do
+      mech = Coppertone::Mechanism::MX.new('')
+      expect(mech).not_to be_nil
+      expect(mech.domain_spec).to be_nil
+      expect(mech.ip_v4_cidr_length).to eq(32)
+      expect(mech.ip_v6_cidr_length).to eq(128)
+    end
+
+    it 'should fail if called with an invalid macrostring' do
+      expect do
+        Coppertone::Mechanism::MX.new('abc%:def')
+      end.to raise_error(Coppertone::InvalidMechanismError)
+    end
+  end
+
+  context '#create' do
+    it 'should fail if called with a nil argument' do
+      mech = Coppertone::Mechanism::MX.create(nil)
+      expect(mech).not_to be_nil
+      expect(mech.domain_spec).to be_nil
+      expect(mech.ip_v4_cidr_length).to eq(32)
+      expect(mech.ip_v6_cidr_length).to eq(128)
+    end
+
+    it 'should fail if called with a blank argument' do
+      mech = Coppertone::Mechanism::MX.create('')
+      expect(mech).not_to be_nil
+      expect(mech.domain_spec).to be_nil
+      expect(mech.ip_v4_cidr_length).to eq(32)
+      expect(mech.ip_v6_cidr_length).to eq(128)
+    end
+
+    it 'should fail if called with an argument invalid macrostring' do
+      expect do
+        Coppertone::Mechanism::MX.create('abc%:def')
+      end.to raise_error(Coppertone::InvalidMechanismError)
+    end
+  end
+end

data/spec/mechanism/ptr_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe Coppertone::Mechanism::Ptr do
+  context '#new' do
+    it 'should not fail if called with a nil argument' do
+      mech = Coppertone::Mechanism::Ptr.new(nil)
+      expect(mech).not_to be_nil
+      expect(mech.domain_spec).to be_nil
+    end
+
+    it 'should not fail if called with a blank argument' do
+      mech = Coppertone::Mechanism::Ptr.new('')
+      expect(mech).not_to be_nil
+      expect(mech.domain_spec).to be_nil
+    end
+
+    it 'should fail if called with an invalid macrostring' do
+      expect do
+        Coppertone::Mechanism::Ptr.new('abc%:def')
+      end.to raise_error(Coppertone::InvalidMechanismError)
+    end
+  end
+
+  context '#create' do
+    it 'should fail if called with a nil argument' do
+      mech = Coppertone::Mechanism::Ptr.create(nil)
+      expect(mech).not_to be_nil
+      expect(mech.domain_spec).to be_nil
+    end
+
+    it 'should fail if called with a blank argument' do
+      mech = Coppertone::Mechanism::Ptr.create('')
+      expect(mech).not_to be_nil
+      expect(mech.domain_spec).to be_nil
+    end
+
+    it 'should fail if called with an argument invalid macrostring' do
+      expect do
+        Coppertone::Mechanism::Ptr.create('abc%:def')
+      end.to raise_error(Coppertone::InvalidMechanismError)
+    end
+  end
+end

data/spec/mechanism_spec.rb

@@ -0,0 +1,4 @@
+require 'spec_helper'
+
+describe Coppertone::Mechanism do
+end

data/spec/modifier_spec.rb

@@ -0,0 +1,4 @@
+require 'spec_helper'
+
+describe Coppertone::Modifier do
+end

data/spec/open_spf/ALL_mechanism_syntax_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+describe 'ALL mechanism syntax' do
+  let(:zonefile) do
+    { 'mail.example.com' => [{ 'A' => '1.2.3.4' }], 'e1.example.com' => [{ 'TXT' => 'v=spf1 -all.' }], 'e2.example.com' => [{ 'TXT' => 'v=spf1 -all:foobar' }], 'e3.example.com' => [{ 'TXT' => 'v=spf1 -all/8' }], 'e4.example.com' => [{ 'TXT' => 'v=spf1 ?all' }], 'e5.example.com' => [{ 'TXT' => 'v=spf1 all -all' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'all              = "all" ' do
+    # At least one implementation got this wrong
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e1.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'all              = "all" ' do
+    # At least one implementation got this wrong
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'all              = "all" ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e3.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'all              = "all" ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e4.example.com', 'mail.example.com', options)
+    expect(%i(neutral)).to include(result.code)
+  end
+
+  it 'all              = "all" ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e5.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+end

data/spec/open_spf/A_mechanism_syntax_spec.rb

@@ -0,0 +1,159 @@
+require 'spec_helper'
+
+describe 'A mechanism syntax' do
+  let(:zonefile) do
+    { 'mail.example.com' => [{ 'A' => '1.2.3.4' }], 'e1.example.com' => [{ 'TXT' => 'v=spf1 a/0 -all' }], 'e2.example.com' => [{ 'A' => '1.1.1.1' }, { 'AAAA' => '1234::2' }, { 'TXT' => 'v=spf1 a/0 -all' }], 'e2a.example.com' => [{ 'AAAA' => '1234::1' }, { 'TXT' => 'v=spf1 a//0 -all' }], 'e2b.example.com' => [{ 'A' => '1.1.1.1' }, { 'TXT' => 'v=spf1 a//0 -all' }], 'ipv6.example.com' => [{ 'AAAA' => '1234::1' }, { 'A' => '1.1.1.1' }, { 'TXT' => 'v=spf1 a -all' }], 'e3.example.com' => [{ 'TXT' => "v=spf1 a:foo.example.com\u0000" }], 'e4.example.com' => [{ 'TXT' => 'v=spf1 a:111.222.33.44' }], 'e5.example.com' => [{ 'TXT' => 'v=spf1 a:abc.123' }], 'e5a.example.com' => [{ 'TXT' => 'v=spf1 a:museum' }], 'e5b.example.com' => [{ 'TXT' => 'v=spf1 a:museum.' }], 'e6.example.com' => [{ 'TXT' => 'v=spf1 a//33 -all' }], 'e6a.example.com' => [{ 'TXT' => 'v=spf1 a/33 -all' }], 'e7.example.com' => [{ 'TXT' => 'v=spf1 a//129 -all' }], 'e8.example.com' => [{ 'A' => '1.2.3.5' }, { 'AAAA' => '2001:db8:1234::dead:beef' }, { 'TXT' => 'v=spf1 a/24//64 -all' }], 'e8e.example.com' => [{ 'A' => '1.2.3.5' }, { 'AAAA' => '2001:db8:1234::dead:beef' }, { 'TXT' => 'v=spf1 a/24/64 -all' }], 'e8a.example.com' => [{ 'A' => '1.2.3.5' }, { 'AAAA' => '2001:db8:1234::dead:beef' }, { 'TXT' => 'v=spf1 a/24 -all' }], 'e8b.example.com' => [{ 'A' => '1.2.3.5' }, { 'AAAA' => '2001:db8:1234::dead:beef' }, { 'TXT' => 'v=spf1 a//64 -all' }], 'e9.example.com' => [{ 'TXT' => 'v=spf1 a:example.com:8080' }], 'e10.example.com' => [{ 'TXT' => 'v=spf1 a:foo.example.com/24' }], 'foo.example.com' => [{ 'A' => '1.1.1.1' }, { 'A' => '1.2.3.5' }], 'e11.example.com' => [{ 'TXT' => 'v=spf1 a:foo:bar/baz.example.com' }], 'foo:bar/baz.example.com' => [{ 'A' => '1.2.3.4' }], 'e12.example.com' => [{ 'TXT' => 'v=spf1 a:example.-com' }], 'e13.example.com' => [{ 'TXT' => 'v=spf1 a:' }], 'e14.example.com' => [{ 'TXT' => 'v=spf1 a:foo.example.xn--zckzah -all' }], 'foo.example.xn--zckzah' => [{ 'A' => '1.2.3.4' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e6.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e6a.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e7.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e8.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e8e.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('2001:db8:1234::cafe:babe', 'foo@e8.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e8b.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'A                = "a"      [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] ' do
+    result = Coppertone::SpfService.authenticate_email('2001:db8:1234::cafe:babe', 'foo@e8a.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'A matches any returned IP.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e10.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'A matches any returned IP.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e10.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'domain-spec must pass basic syntax checks; a : may appear in domain-spec, but not in top-label' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e9.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'If no ips are returned, A mechanism does not match, even with /0.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e1.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Matches if any A records are present in DNS.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'Matches if any A records are present in DNS.' do
+    result = Coppertone::SpfService.authenticate_email('1234::1', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Would match if any AAAA records are present in DNS, but not for an IP4 connection.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2a.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Would match if any AAAA records are present in DNS, but not for an IP4 connection.' do
+    result = Coppertone::SpfService.authenticate_email('::FFFF:1.2.3.4', 'foo@e2a.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Matches if any AAAA records are present in DNS.' do
+    result = Coppertone::SpfService.authenticate_email('1234::1', 'foo@e2a.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'Simple IP6 Address match with dual stack.' do
+    result = Coppertone::SpfService.authenticate_email('1234::1', 'foo@ipv6.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'No match if no AAAA records are present in DNS.' do
+    result = Coppertone::SpfService.authenticate_email('1234::1', 'foo@e2b.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Null octets not allowed in toplabel' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', 'foo@e3.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'toplabel may not be all numeric' do
+    # A common publishing mistake is using ip4 addresses with A mechanism. This should receive special diagnostic attention in the permerror.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e4.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'toplabel may not be all numeric' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e5.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'toplabel may contain dashes' do
+    # Going from the "toplabel" grammar definition, an implementation using regular expressions in incrementally parsing SPF records might erroneously try to match a TLD such as ".xn--zckzah" (cf. IDN TLDs!) to \'( *alphanum ALPHA *alphanum )\' first before trying the alternative \'( 1*alphanum "-" *( alphanum / "-" ) alphanum )\', essentially causing a non-greedy, and thus, incomplete match.  Make sure a greedy match is performed!
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e14.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'toplabel may not begin with a dash' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e12.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'domain-spec may not consist of only a toplabel.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e5a.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'domain-spec may not consist of only a toplabel.' do
+    # "A trailing dot doesn\'t help."
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e5b.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'domain-spec may contain any visible char except %' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e11.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'domain-spec may contain any visible char except %' do
+    result = Coppertone::SpfService.authenticate_email('::FFFF:1.2.3.4', 'foo@e11.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'domain-spec cannot be empty.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e13.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+end

data/spec/open_spf/EXISTS_mechanism_syntax_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper'
+
+describe 'EXISTS mechanism syntax' do
+  let(:zonefile) do
+    { 'mail.example.com' => [{ 'A' => '1.2.3.4' }], 'mail6.example.com' => [{ 'AAAA' => 'CAFE:BABE::4' }], 'err.example.com' => ['TIMEOUT'], 'e1.example.com' => [{ 'TXT' => 'v=spf1 exists:' }], 'e2.example.com' => [{ 'TXT' => 'v=spf1 exists' }], 'e3.example.com' => [{ 'TXT' => 'v=spf1 exists:mail.example.com/24' }], 'e4.example.com' => [{ 'TXT' => 'v=spf1 exists:mail.example.com' }], 'e5.example.com' => [{ 'TXT' => 'v=spf1 exists:mail6.example.com -all' }], 'e6.example.com' => [{ 'TXT' => 'v=spf1 exists:err.example.com -all' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'domain-spec cannot be empty.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e1.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'exists           = "exists"   ":" domain-spec' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'exists           = "exists"   ":" domain-spec' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e3.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'mechanism matches if any DNS A RR exists' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e4.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'The lookup type is A even when the connection is ip6' do
+    result = Coppertone::SpfService.authenticate_email('CAFE:BABE::3', 'foo@e4.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'The lookup type is A even when the connection is ip6' do
+    result = Coppertone::SpfService.authenticate_email('CAFE:BABE::3', 'foo@e5.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'Result for DNS error clarified in RFC7208: MTAs or other processors  SHOULD impose a limit on the maximum amount of elapsed time to evaluate  check_host().  Such a limit SHOULD allow at least 20 seconds.  If such  a limit is exceeded, the result of authorization SHOULD be "temperror".' do
+    result = Coppertone::SpfService.authenticate_email('CAFE:BABE::3', 'foo@e6.example.com', 'mail.example.com', options)
+    expect(%i(temperror)).to include(result.code)
+  end
+
+end

data/spec/open_spf/IP4_mechanism_syntax_spec.rb

@@ -0,0 +1,59 @@
+require 'spec_helper'
+
+describe 'IP4 mechanism syntax' do
+  let(:zonefile) do
+    { 'mail.example.com' => [{ 'A' => '1.2.3.4' }], 'e1.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.1.1.1/0 -all' }], 'e2.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.4/32 -all' }], 'e3.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.4/33 -all' }], 'e4.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.4/032 -all' }], 'e5.example.com' => [{ 'TXT' => 'v=spf1 ip4' }], 'e6.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.4//32' }], 'e7.example.com' => [{ 'TXT' => 'v=spf1 -ip4:1.2.3.4 ip6:::FFFF:1.2.3.4' }], 'e8.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.4:8080' }], 'e9.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'ip4-cidr-length  = "/" 1*DIGIT' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e1.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'ip4-cidr-length  = "/" 1*DIGIT' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'Invalid CIDR should get permerror.' do
+    # The RFC4408 was silent on ip4 CIDR > 32 or ip6 CIDR > 128, but RFC7208  is explicit.  Invalid CIDR is prohibited.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e3.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'Invalid CIDR should get permerror.' do
+    # Leading zeros are not explicitly prohibited by the RFC. However, since the RFC explicity prohibits leading zeros in ip4-network, our interpretation is that CIDR should be also.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e4.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'IP4              = "ip4"      ":" ip4-network   [ ip4-cidr-length ]' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e5.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'IP4              = "ip4"      ":" ip4-network   [ ip4-cidr-length ]' do
+    # This has actually been published in SPF records.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e8.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'It is not permitted to omit parts of the IP address instead of using CIDR notations.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e9.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'dual-cidr-length not permitted on ip4' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e6.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'IP4 mapped IP6 connections MUST be treated as IP4' do
+    result = Coppertone::SpfService.authenticate_email('::FFFF:1.2.3.4', 'foo@e7.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+end

data/spec/open_spf/IP6_mechanism_syntax_spec.rb

@@ -0,0 +1,60 @@
+require 'spec_helper'
+
+describe 'IP6 mechanism syntax' do
+  let(:zonefile) do
+    { 'mail.example.com' => [{ 'A' => '1.2.3.4' }], 'e1.example.com' => [{ 'TXT' => 'v=spf1 -all ip6' }], 'e2.example.com' => [{ 'TXT' => 'v=spf1 ip6:::1.1.1.1/0' }], 'e3.example.com' => [{ 'TXT' => 'v=spf1 ip6:::1.1.1.1/129' }], 'e4.example.com' => [{ 'TXT' => 'v=spf1 ip6:::1.1.1.1//33' }], 'e5.example.com' => [{ 'TXT' => 'v=spf1 ip6:CAFE:BABE:8000::/33' }], 'e6.example.com' => [{ 'TXT' => 'v=spf1 ip6::CAFE::BABE' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'IP6              = "ip6"      ":" ip6-network   [ ip6-cidr-length ]' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e1.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'IP4 connections do not match ip6.' do
+    # There was controversy over IPv4 mapped connections.  RFC7208 clearly states IPv4 mapped addresses only match ip4: mechanisms.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(neutral)).to include(result.code)
+  end
+
+  it 'Even if the SMTP connection is via IPv6, an IPv4-mapped IPv6 IP address (see RFC 3513, Section 2.5.5) MUST still be considered an IPv4 address.' do
+    # There was controversy over ip4 mapped connections.  RFC7208 clearly requires such connections to be considered as ip4 only.
+    result = Coppertone::SpfService.authenticate_email('::FFFF:1.2.3.4', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(neutral)).to include(result.code)
+  end
+
+  it 'Match any IP6' do
+    result = Coppertone::SpfService.authenticate_email('DEAF:BABE::CAB:FEE', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'Invalid CIDR' do
+    # IP4 only implementations MUST fully syntax check all mechanisms, even if they otherwise ignore them.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e3.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'dual-cidr syntax not used for ip6' do
+    # IP4 only implementations MUST fully syntax check all mechanisms, even if they otherwise ignore them.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e4.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'make sure ip4 cidr restriction are not used for ip6' do
+    result = Coppertone::SpfService.authenticate_email('CAFE:BABE:8000::', 'foo@e5.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'make sure ip4 cidr restriction are not used for ip6' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e5.example.com', 'mail.example.com', options)
+    expect(%i(neutral)).to include(result.code)
+  end
+
+  it '' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e6.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+end

data/spec/open_spf/Include_mechanism_semantics_and_syntax_spec.rb

@@ -0,0 +1,56 @@
+require 'spec_helper'
+
+describe 'Include mechanism semantics and syntax' do
+  let(:zonefile) do
+    { 'mail.example.com' => [{ 'A' => '1.2.3.4' }], 'ip5.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.5 -all' }], 'ip6.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.6 ~all' }], 'ip7.example.com' => [{ 'TXT' => 'v=spf1 ip4:1.2.3.7 ?all' }], 'ip8.example.com' => ['TIMEOUT'], 'erehwon.example.com' => [{ 'TXT' => 'v=spfl am not an SPF record' }], 'e1.example.com' => [{ 'TXT' => 'v=spf1 include:ip5.example.com ~all' }], 'e2.example.com' => [{ 'TXT' => 'v=spf1 include:ip6.example.com all' }], 'e3.example.com' => [{ 'TXT' => 'v=spf1 include:ip7.example.com -all' }], 'e4.example.com' => [{ 'TXT' => 'v=spf1 include:ip8.example.com -all' }], 'e5.example.com' => [{ 'TXT' => 'v=spf1 include:e6.example.com -all' }], 'e6.example.com' => [{ 'TXT' => 'v=spf1 include +all' }], 'e7.example.com' => [{ 'TXT' => 'v=spf1 include:erehwon.example.com -all' }], 'e8.example.com' => [{ 'TXT' => 'v=spf1 include: -all' }], 'e9.example.com' => [{ 'TXT' => 'v=spf1 include:ip5.example.com/24 -all' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'recursive check_host() result of fail causes include to not match.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e1.example.com', 'mail.example.com', options)
+    expect(%i(softfail)).to include(result.code)
+  end
+
+  it 'recursive check_host() result of softfail causes include to not match.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e2.example.com', 'mail.example.com', options)
+    expect(%i(pass)).to include(result.code)
+  end
+
+  it 'recursive check_host() result of neutral causes include to not match.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e3.example.com', 'mail.example.com', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'recursive check_host() result of temperror causes include to temperror' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e4.example.com', 'mail.example.com', options)
+    expect(%i(temperror)).to include(result.code)
+  end
+
+  it 'recursive check_host() result of permerror causes include to permerror' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e5.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'include          = "include"  ":" domain-spec' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e6.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'include          = "include"  ":" domain-spec' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e9.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'recursive check_host() result of none causes include to permerror' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e7.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'domain-spec cannot be empty.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foo@e8.example.com', 'mail.example.com', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+end

data/spec/open_spf/Initial_processing_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper'
+
+describe 'Initial processing' do
+  let(:zonefile) do
+    { 'example.com' => ['TIMEOUT'], 'example.net' => [{ 'TXT' => 'v=spf1 -all exp=exp.example.net' }], 'a.example.net' => [{ 'TXT' => 'v=spf1 -all exp=exp.example.net' }], 'exp.example.net' => [{ 'TXT' => '%{l}' }], 'a12345678901234567890123456789012345678901234567890123456789012.example.com' => [{ 'TXT' => 'v=spf1 -all' }], 'hosed.example.com' => [{ 'TXT' => 'v=spf1 a:garbage.example.net -all' }], 'hosed2.example.com' => [{ 'TXT' => "v=spf1 \u0080a:example.net -all" }], 'hosed3.example.com' => [{ 'TXT' => "v=spf1 a:example.net \u0096all" }], 'nothosed.example.com' => [{ 'TXT' => 'v=spf1 a:example.net -all' }, { 'TXT' => "\u0096" }], 'ctrl.example.com' => [{ 'TXT' => "v=spf1 a:ctrl.example.com\rptr -all" }, { 'A' => '192.0.2.3' }] }
+  end
+
+  let(:dns_client) { Coppertone::DNS::MockClient.new(zonefile) }
+  let(:options) { { dns_client: dns_client } }
+
+  it 'DNS labels limited to 63 chars.' do
+    # For initial processing, a long label results in None, not TempError
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', 'lyme.eater@A123456789012345678901234567890123456789012345678901234567890123.example.com', 'mail.example.net', options)
+    expect(%i(none)).to include(result.code)
+  end
+
+  it 'DNS labels limited to 63 chars.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', 'lyme.eater@A12345678901234567890123456789012345678901234567890123456789012.example.com', 'mail.example.net', options)
+    expect(%i(fail)).to include(result.code)
+  end
+
+  it 'emptylabel' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', 'lyme.eater@A...example.com', 'mail.example.net', options)
+    expect(%i(none)).to include(result.code)
+  end
+
+  it 'helo-not-fqdn' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', '', 'A2345678', options)
+    expect(%i(none)).to include(result.code)
+  end
+
+  it 'helo-domain-literal' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', '', '[1.2.3.5]', options)
+    expect(%i(none)).to include(result.code)
+  end
+
+  it 'nolocalpart' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', '@example.net', 'mail.example.net', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('postmaster')
+  end
+
+  it 'domain-literal' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.5', 'foo@[1.2.3.5]', 'OEMCOMPUTER', options)
+    expect(%i(none)).to include(result.code)
+  end
+
+  it 'SPF policies are restricted to 7-bit ascii.' do
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foobar@hosed.example.com', 'hosed', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'SPF policies are restricted to 7-bit ascii.' do
+    # Checking a possibly different code path for non-ascii chars.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foobar@hosed2.example.com', 'hosed', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'SPF policies are restricted to 7-bit ascii.' do
+    # Checking yet another code path for non-ascii chars.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foobar@hosed3.example.com', 'hosed', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+  it 'Non-ascii content in non-SPF related records.' do
+    # Non-SPF related TXT records are none of our business.
+    result = Coppertone::SpfService.authenticate_email('1.2.3.4', 'foobar@nothosed.example.com', 'hosed', options)
+    expect(%i(fail)).to include(result.code)
+    expect(result.explanation).to eq('DEFAULT')
+  end
+
+  it 'Mechanisms are separated by spaces only, not any control char.' do
+    result = Coppertone::SpfService.authenticate_email('192.0.2.3', 'foobar@ctrl.example.com', 'hosed', options)
+    expect(%i(permerror)).to include(result.code)
+  end
+
+end