spf 0.0.0

data/.document

@@ -0,0 +1,6 @@
+lib/**/*.rb
+lib/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/.rspec

@@ -0,0 +1 @@
+--color

data/.ruby-version

@@ -0,0 +1 @@
+1.9

data/Gemfile

@@ -0,0 +1,13 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "rspec", "~> 2.8.0"
+  gem "rdoc", "~> 3.12"
+  gem "bundler", "~> 1.0"
+  gem "jeweler", "~> 1.8.7"
+end

data/Gemfile.lock

@@ -0,0 +1,63 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    addressable (2.3.5)
+    builder (3.2.2)
+    diff-lcs (1.1.3)
+    faraday (0.8.8)
+      multipart-post (~> 1.2.0)
+    git (1.2.6)
+    github_api (0.10.1)
+      addressable
+      faraday (~> 0.8.1)
+      hashie (>= 1.2)
+      multi_json (~> 1.4)
+      nokogiri (~> 1.5.2)
+      oauth2
+    hashie (2.0.5)
+    highline (1.6.19)
+    httpauth (0.2.0)
+    jeweler (1.8.8)
+      builder
+      bundler (~> 1.0)
+      git (>= 1.2.5)
+      github_api (= 0.10.1)
+      highline (>= 1.6.15)
+      nokogiri (= 1.5.10)
+      rake
+      rdoc
+    json (1.8.0)
+    jwt (0.1.8)
+      multi_json (>= 1.5)
+    multi_json (1.8.2)
+    multi_xml (0.5.5)
+    multipart-post (1.2.0)
+    nokogiri (1.5.10)
+    oauth2 (0.9.2)
+      faraday (~> 0.8)
+      httpauth (~> 0.2)
+      jwt (~> 0.1.4)
+      multi_json (~> 1.0)
+      multi_xml (~> 0.5)
+      rack (~> 1.2)
+    rack (1.5.2)
+    rake (10.1.0)
+    rdoc (3.12.2)
+      json (~> 1.4)
+    rspec (2.8.0)
+      rspec-core (~> 2.8.0)
+      rspec-expectations (~> 2.8.0)
+      rspec-mocks (~> 2.8.0)
+    rspec-core (2.8.0)
+    rspec-expectations (2.8.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.8.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.0)
+  jeweler (~> 1.8.7)
+  rdoc (~> 3.12)
+  rspec (~> 2.8.0)

data/README.rdoc

@@ -0,0 +1,13 @@
+= SPF
+
+The +spf+ Ruby gem, also known as +spf-ruby+, is an implementation of the Sender Policy Framework (SPF) e-mail sender authentication system.
+
+See <http://www.openspf.org> for more information about SPF.
+
+== Contributing
+
+Agari currently does not accept contributions of code to spf-ruby.
+
+== Copyright
+
+(C) 2013 Agari Data, Inc.  All rights reserved.  Distribution prohibited.

data/Rakefile

@@ -0,0 +1,56 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'jeweler'
+require './lib/spf/version.rb'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name        = 'spf'
+  gem.version     = SPF::VERSION
+  gem.homepage    = 'https://github.com/agaridata/spf-ruby'
+  gem.authors     = ['Andrew Flury', 'Julian Mehnle']
+  gem.email       = ['code@agari.com', 'aflury@agari.com', 'jmehnle@agari.com']
+  gem.license     = 'none (all rights reserved)'
+  gem.summary     = 'Implementation of the Sender Policy Framework'
+  gem.description = <<-DESCRIPTION
+    An object-oriented Ruby implementation of the Sender Policy Framework (SPF)
+    e-mail sender authentication system, fully compliant with RFC 4408.
+  DESCRIPTION
+  # dependencies defined in Gemfile
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+RSpec::Core::RakeTask.new(:rcov) do |spec|
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :default => :spec
+
+require 'rdoc/task'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "spf-ruby #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+# vim:sw=2 sts=2

data/lib/spf/error.rb

@@ -0,0 +1,50 @@
+module SPF
+
+  # Generic Exceptions
+  ##############################################################################
+
+  class Error                           < StandardError;            end
+    class OptionRequiredError             < Error;                  end  # Missing required method option
+                                                                         # XXX Replace with ArgumentError?
+    class InvalidOptionValueError         < Error;                  end  # Invalid value for method option
+                                                                         # XXX Replace with ArgumentError!
+
+  # Miscellaneous Errors
+  ##############################################################################
+
+    class DNSError                        < Error;                  end  # DNS error
+      class DNSTimeoutError                 < DNSError;             end  # DNS timeout
+    class RecordSelectionError            < Error;                  end  # Record selection error
+      class NoAcceptableRecordError         < RecordSelectionError; end  # No acceptable record found
+      class RedundantAcceptableRecordsError < RecordSelectionError; end  # Redundant acceptable records found
+    class NoUnparsedTextError             < Error;                  end  # No unparsed text available
+    class UnexpectedTermObjectError       < Error;                  end  # Unexpected term object encountered
+    class ProcessingLimitExceededError    < Error;                  end  # Processing limit exceeded
+    class MacroExpansionCtxRequiredError    < OptionRequiredError;  end  # Missing required context for macro expansion
+
+  # Parser Errors
+  ##############################################################################
+
+    class NothingToParseError             < Error;                  end  # Nothing to parse
+    class SyntaxError                     < Error;                  end  # Generic syntax error
+      class InvalidRecordVersionError       < SyntaxError;          end  # Invalid record version
+      class InvalidScopeError               < SyntaxError;          end  # Invalid scope
+      class JunkInRecordError               < SyntaxError;          end  # Junk encountered in record
+      class InvalidModError                 < SyntaxError;          end  # Invalid modifier
+      class InvalidTermError                < SyntaxError;          end  # Invalid term
+      class JunkInTermError                 < SyntaxError;          end  # Junk encountered in term
+      class DuplicateGlobalMod                < InvalidModError;    end  # Duplicate global modifier
+      class InvalidMechError                  < InvalidTermError;   end  # Invalid mechanism
+      class InvalidMechQualifierError         < InvalidMechError;   end  # Invalid mechanism qualifier
+      class TermDomainSpecExpectedError     < SyntaxError;          end  # Missing required <domain-spec> in term
+      class TermIPv4AddressExpectedError    < SyntaxError;          end  # Missing required <ip4-network> in term
+      class TermIPv4PrefixLengthExpected    < SyntaxError;          end  # Missing required <ip4-cidr-length> in term
+      class TermIPv6AddressExpected         < SyntaxError;          end  # Missing required <ip6-network> in term
+      class TermIPv6PrefixLengthExpected    < SyntaxError;          end  # Missing required <ip6-cidr-length> in term
+      class InvalidMacroStringError         < SyntaxError;          end  # Invalid macro string
+      class InvalidMacroError                 < InvalidMacroStringError
+                                                                    end  # Invalid macro
+
+end
+
+# vim:sw=2 sts=2

data/lib/spf/eval.rb

@@ -0,0 +1,285 @@
+require 'ip'
+require 'resolv'
+
+require 'spf/model'
+require 'spf/result'
+
+class Resolv::DNS::Resource::IN::SPF < Resolv::DNS::Resource::IN::TXT
+  # resolv.rb doesn't define an SPF resource type.
+  TypeValue = 99
+end
+
+class SPF::Server
+
+  attr_accessor \
+    :default_authority_explanation,
+    :hostname,
+    :dns_resolver,
+    :query_rr_types,
+    :max_dns_interactive_terms,
+    :max_name_lookups_per_term,
+    :max_name_lookups_per_mx_mech,
+    :max_name_lookups_per_ptr_mech,
+    :max_void_dns_lookups
+
+  RECORD_CLASSES_BY_VERSION = {
+    1 => SPF::Record::V1,
+    2 => SPF::Record::V2
+  }
+
+  RESULT_BASE_CLASS = SPF::Result
+
+  QUERY_RR_TYPE_ALL = 0
+  QUERY_RR_TYPE_TXT = 1
+  QUERY_RR_TYPE_SPF = 2
+
+  DEFAULT_DEFAULT_AUTHORITY_EXPLANATION =
+    'Please see http://www.openspf.org/Why?s=%{_scope};id=%{S};ip=%{C};r=%{R}'
+
+  DEFAULT_MAX_DNS_INTERACTIVE_TERMS     = 10 # RFC 4408, 10.1/6
+  DEFAULT_MAX_NAME_LOOKUPS_PER_TERM     = 10 # RFC 4408, 10.1/7
+  DEFAULT_QUERY_RR_TYPES                = QUERY_RR_TYPE_TXT
+  DEFAULT_MAX_NAME_LOOKUPS_PER_MX_MECH  = DEFAULT_MAX_NAME_LOOKUPS_PER_TERM
+  DEFAULT_MAX_NAME_LOOKUPS_PER_PTR_MECH = DEFAULT_MAX_NAME_LOOKUPS_PER_TERM
+  DEFAULT_MAX_VOID_DNS_LOOKUPS          = 2
+
+  def initialize(options = {})
+    @default_authority_explanation = options[:default_authority_explanation] ||
+      DEFAULT_DEFAULT_AUTHORITY_EXPLANATION
+    unless @default_authority_explanation.is_a?(SPF::MacroString)
+      @default_authority_explanation = SPF::MacroString.new({
+        :text           => @default_authority_explanation,
+        :server         => self,
+        :is_explanation => true
+      })
+    end
+    @hostname                      = options[:hostname]     || SPF::Util.hostname
+    @dns_resolver                  = options[:dns_resolver] || Resolv::DNS.new
+    @query_rr_types                = options[:query_rr_types]                ||
+      DEFAULT_QUERY_RR_TYPES
+    @max_dns_interactive_terms     = options[:max_dns_interactive_terms]     ||
+      DEFAULT_MAX_DNS_INTERACTIVE_TERMS
+    @max_name_lookups_per_term     = options[:max_name_lookups_per_term]     ||
+      DEFAULT_MAX_NAME_LOOKUPS_PER_TERM
+    @max_name_lookups_per_mx_mech  = options[:max_name_lookups_per_mx_mech]  ||
+      DEFAULT_MAX_NAME_LOOKUPS_PER_MX_MECH
+    @max_name_lookups_per_ptr_mech = options[:max_name_lookups_per_ptr_mech] ||
+      DEFAULT_MAX_NAME_LOOKUPS_PER_PTR_MECH
+    @max_void_dns_lookups          = options[:max_void_dns_lookups]          ||
+      DEFAULT_MAX_VOID_DNS_LOOKUPS
+
+  end
+
+  def result_class(name = nil)
+    if name
+      return RESULT_BASE_CLASS::RESULT_CLASSES[name]
+    else
+      return RESULT_BASE_CLASS
+    end
+  end
+
+  def throw_result(name, request, text)
+    raise self.result_class(name).new(self, request, text)
+  end
+
+  def process(request)
+    request.state(:authority_explanation,      nil)
+    request.state(:dns_interactive_term_count, 0)
+    request.state(:void_dns_lookups_count,     0)
+
+    result = nil
+
+    begin
+      record = self.select_record(request)
+      request.record = record
+      record.eval(self, request)
+    rescue SPF::Result => r
+      result = r
+    rescue SPF::DNSError => e
+      result = self.result_class(:temperror).new(self, request, e.message)
+    rescue SPF::NoAcceptableRecordError => e
+      result = self.result_class(:none     ).new(self, request, e.message)
+    rescue SPF::RedundantAcceptableRecordsError, SPF::SyntaxError, SPF::ProcessingLimitExceededError => e
+      result = self.result_class(:permerror).new([self, request, e.message])
+    end
+    # Propagate other, unknown errors.
+    # This should not happen, but if it does, it helps exposing the bug!
+
+    return result
+  end
+
+  def resource_typeclass_for_rr_type(rr_type)
+    return case rr_type
+      when 'TXT'  then Resolv::DNS::Resource::IN::TXT
+      when 'SPF'  then Resolv::DNS::Resource::IN::SPF
+      when 'ANY'  then Resolv::DNS::Resource::IN::ANY
+      when 'A'    then Resolv::DNS::Resource::IN::A
+      when 'AAAA' then Resolv::DNS::Resource::IN::AAAA
+      when 'PTR'  then Resolv::DNS::Resource::IN::PTR
+      else
+        raise ArgumentError, "Uknown RR type: #{rr_type}"
+      end
+  end
+
+  def dns_lookup(domain, rr_type)
+    if domain.is_a?(SPF::MacroString)
+      domain = domain.expand
+      # Truncate overlong labels at 63 bytes (RFC 4408, 8.1/27)
+      domain.gsub!(/([^.]{63})[^.]+/, "#{$1}")
+      # Drop labels from the head of domain if longer than 253 bytes (RFC 4408, 8.1/25):
+      domain.sub!(/^[^.]+\.(.*)$/, "#{$1}") while domain.length > 253
+    end
+
+    rr_type = self.resource_typeclass_for_rr_type(rr_type)
+    
+    domain.sub(/^(.*?)\.?$/, $1 ? "#{$1}".downcase : '')
+
+    packet = @dns_resolver.getresources(domain, rr_type)
+
+    # Raise DNS exception unless an answer packet with RCODE 0 or 3 (NXDOMAIN)
+    # was received (thereby treating NXDOMAIN as an acceptable but empty answer packet):
+    #if @dns_resolver.errorstring =~ /^(timeout|query timed out)$/
+    #  raise SPF::DNSTimeoutError.new(
+    #    "Time-out on DNS '#{rr_type}' lookup of '#{domain}'")
+    #end
+
+    unless packet
+      raise SPF::DNSError.new(
+        "Unknown error on DNS '#{rr_type}' lookup of '#{domain}'")
+    end
+
+    #unless packet.header.rcode =~ /^(NOERROR|NXDOMAIN)$/
+    #  raise SPF::DNSError.new(
+    #    "'#{packet.header.rcode}' error on DNS '#{rr_type}' lookup of '#{domain}'")
+    #end
+    return packet
+  end
+
+  def select_record(request)
+    domain   = request.authority_domain
+    versions = request.versions
+    scope    = request.scope
+
+    # Employ identical behavior for 'v=spf1' and 'spf2.0' records, both of
+    # which support SPF (code 99) and TXT type records (this may be different
+    # in future revisions of SPF):
+    # Query for SPF type records first, then fall back to TXT type records.
+
+    records     = []
+    query_count = 0
+    dns_errors  = []
+
+    # Query for SPF-type RRs first:
+    if (@query_rr_types == QUERY_RR_TYPE_ALL or
+        @query_rr_types & QUERY_RR_TYPE_SPF)
+      begin
+        query_count += 1
+        packet = self.dns_lookup(domain, 'SPF')
+        records << self.get_acceptable_records_from_packet(
+          packet, 'SPF', versions, scope, domain)
+      rescue SPF::DNSError => e
+        dns_errors << e
+      #rescue SPF::DNSTimeout => e
+      #  # FIXME: Ignore DNS timeouts on SPF type lookups?
+      #  # Apparently some brain-dead DNS servers time out on SPF-type queries.
+      end
+    end
+
+    if (not records.any? and
+        @query_rr_types == QUERY_RR_TYPES_ALL or
+        @query_rr_types & QUERY_RR_TYPE_TXT)
+      # NOTE:
+      #   This deliberately violates RFC 4406 (Sender ID), 4.4/3 (4.4.1):
+      #   TXT-type RRs are still tried if there _are_ SPF-type RRs but all
+      #   of them are inapplicable (e.g. "Hi!", or even "spf2/pra" for an
+      #   'mfrom' scope request).  This conforms to the spirit of the more
+      #   sensible algorithm in RFC 4408 (SPF), 4.5.
+      #   Implication:  Sender ID processing may make use of existing TXT-
+      #   type records where a result of "None" would normally be returned
+      #   under a strict interpretation of RFC 4406.
+     
+      begin
+        query_count += 1
+        packet = self.dns_lookup(domain, 'TXT')
+        records << self.get_acceptable_records_from_packet(
+          packet, 'TXT', versions, scope, domain)
+      rescue SPF::DNSError => e
+        dns_errors << e
+      end
+
+      # Unless at least one query succeeded, re-raise the first DNS error that occured.
+      raise dns_errors[0] unless dns_errors.length < query_count
+
+      records.flatten!
+
+      if records.empty?
+        # RFC 4408, 4.5/7
+        raise SPF::NoAcceptableRecordError('No applicable sender policy available')
+      end
+
+      # Discard all records but the highest acceptable version:
+      preferred_record_class = records[0].class
+
+      records = records.select { |record| record.is_a?(preferred_record_class) }
+
+      if records.length != 1
+        # RFC 4408, 4.5/6
+        raise SPF::RedundantAcceptableRecordsError.new(
+          "Redundant applicable '#{preferred_record_class.version_tag}' sender policies found"
+        )
+      end
+
+      return records[0]
+    end
+  end
+
+  def get_acceptable_records_from_packet(packet, rr_type, versions, scope, domain)
+
+    # Try higher record versions first.
+    # (This may be too simplistic for future revisions of SPF.)
+    versions = versions.sort { |x, y| y <=> x }
+
+    rr_type = resource_typeclass_for_rr_type(rr_type)
+    records = []
+    packet.each do |rr|
+      next unless rr.is_a?(rr_type)
+      text = rr.strings.join('')
+      record = false
+      versions.each do |version|
+        klass = RECORD_CLASSES_BY_VERSION[version]
+        begin
+          record = klass.new_from_string(text)
+        rescue SPF::InvalidRecordVersionError
+          # Ignore non-SPF and unknown-version records.
+          # Propagate other errors (including syntax errors), though.
+        end
+      end
+      if record
+        if record.scopes.select{|x| scope == x}.any?
+          # Record covers requested scope.
+          records << record
+        end
+        break
+      end
+    end
+    return records
+  end
+
+  def count_dns_interactive_term(request)
+    dns_interactive_terms_count = request.root_request.state(:dns_interactive_terms_count, 1)
+    if (@max_dns_interactive_terms and
+        dns_interactive_terms_count > @max_dns_interactive_terms)
+      raise SPF::ProcessingLimitExceededError.new(
+        "Maximum DNS-interactive terms limit (#{@max_dns_interactive_terms}) exceeded")
+    end
+  end
+
+  def count_void_dns_lookup(request)
+    void_dns_lookups_count = request.root_request.state(:void_dns_lookups_count, 1)
+    if (@max_void_dns_lookups and
+        void_dns_lookups_count > @max_void_dns_lookups)
+      raise SPF::ProcessingLimitExceeded.new(
+        "Maximum void DNS look-ups limit (#{@max_void_dns_lookups}) exceeded")
+    end
+  end
+end

data/lib/spf/macro_string.rb

@@ -0,0 +1,73 @@
+require 'spf/util'
+
+module SPF
+  class MacroString
+
+    def self.default_split_delimiters
+      '.'
+    end
+
+    def self.default_join_delimiter
+      '.'
+    end
+
+    def self.uri_unreserved_chars
+      'A-Za-z0-9\-._~'
+    end
+
+    def initialize(options = {})
+      super()
+      @text     = options[:text] \
+        or raise ArgumentError, "Missing required 'text' option"
+      @server   = options[:server]
+      @request  = options[:request]
+      @expanded = nil
+      self.expand
+    end
+
+    attr_reader :text, :server, :request
+
+    def context(server, request)
+      valid_context(true, server, request)
+      @server   = server
+      @request  = request
+      @expanded = nil
+      return
+    end
+
+    def expand(context = nil)
+      return @expanded if @expanded
+
+      return nil unless @text
+      return (@expanded = @text) unless @text =~ /%/
+        # Short-circuit expansion if text has no '%' characters.
+
+      expanded = ''
+      # TODO
+      return (@expanded = @text)
+    end
+
+    def to_s
+      if valid_context(false)
+        return expand
+      else
+        return @text
+      end
+    end
+
+    def valid_context(required, server = self.server, request = self.request)
+      if not SPF::Server === server
+        raise MacroExpansionCtxRequired, 'SPF server object required' if required
+        return false
+      end
+      if not SPF::Request === request
+        raise MacroExpansionCtxRequired, 'SPF request object required' if required
+        return false
+      end
+      return true
+    end
+
+  end
+end
+
+# vim:sw=2 sts=2