npm - Haraka - Versions diffs - 3.1.5 → 3.1.6 - Mend

Haraka 3.1.5 → 3.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

package/.prettierignore +1 -1
package/{Changes.md → CHANGELOG.md} +22 -2
package/CONTRIBUTORS.md +26 -26
package/README.md +68 -93
package/SECURITY.md +178 -0
package/bin/haraka +7 -14
package/config/plugins +0 -3
package/docs/Connection.md +126 -39
package/docs/CoreConfig.md +92 -74
package/docs/HAProxy.md +41 -25
package/docs/Logging.md +68 -38
package/docs/Outbound.md +124 -179
package/docs/Plugins.md +38 -59
package/docs/Transaction.md +78 -83
package/docs/Tutorial.md +122 -209
package/docs/plugins/aliases.md +1 -141
package/docs/plugins/auth/auth_ldap.md +2 -39
package/docs/plugins/max_unrecognized_commands.md +4 -18
package/docs/plugins/process_title.md +3 -3
package/docs/plugins/reseed_rng.md +11 -13
package/docs/plugins/tls.md +7 -7
package/docs/plugins/toobusy.md +10 -4
package/docs/tutorials/SettingUpOutbound.md +40 -48
package/endpoint.js +32 -2
package/outbound/hmail.js +3 -2
package/outbound/index.js +3 -0
package/package.json +19 -30
package/server.js +17 -7
package/test/connection.js +234 -0
package/test/endpoint.js +27 -0
package/test/outbound/hmail.js +19 -0
package/test/outbound/index.js +189 -0
package/test/outbound/queue.js +92 -0
package/test/server.js +172 -0
package/test/tls_socket.js +138 -0
package/tls_socket.js +2 -2

package/test/server.js CHANGED Viewed

@@ -6,6 +6,7 @@ const { createHmac } = require('node:crypto')
 const net = require('node:net')
 const path = require('node:path')
 const tls = require('node:tls')
+const constants = require('haraka-constants')
 const endpoint = require('../endpoint')
 const message = require('haraka-email-message')
@@ -254,6 +255,177 @@ describe('server', () => {
         })
     })
+    describe('lifecycle helpers', () => {
+        beforeEach(() => {
+            this.server = require('../server')
+            this.server.cfg = this.server.cfg || { main: {} }
+            this.server.cfg.main = this.server.cfg.main || {}
+        })
+        it('init_child_respond OK path starts HTTP listeners', () => {
+            let called = 0
+            const original = this.server.setup_http_listeners
+            this.server.setup_http_listeners = () => {
+                called++
+            }
+            try {
+                this.server.init_child_respond(constants.ok)
+                assert.equal(called, 1)
+            } finally {
+                this.server.setup_http_listeners = original
+            }
+        })
+        it('init_child_respond error path kills master and exits', () => {
+            process.env.CLUSTER_MASTER_PID = '12345'
+            const originalKill = process.kill
+            const originalDump = this.server.logger.dump_and_exit
+            let killed = null
+            let exitCode = null
+            process.kill = (pid) => {
+                killed = pid
+            }
+            this.server.logger.dump_and_exit = (code) => {
+                exitCode = code
+            }
+            try {
+                this.server.init_child_respond(constants.deny, 'nope')
+                assert.equal(killed, '12345')
+                assert.equal(exitCode, 1)
+            } finally {
+                process.kill = originalKill
+                this.server.logger.dump_and_exit = originalDump
+                delete process.env.CLUSTER_MASTER_PID
+            }
+        })
+        it('listening applies configured uid/gid and marks ready', () => {
+            this.server.cfg.main.group = 'staff'
+            this.server.cfg.main.user = 'nobody'
+            const originalGetGid = process.getgid
+            const originalSetGid = process.setgid
+            const originalGetUid = process.getuid
+            const originalSetUid = process.setuid
+            const calls = { setgid: 0, setuid: 0 }
+            process.getgid = () => 20
+            process.setgid = () => {
+                calls.setgid++
+            }
+            process.getuid = () => 501
+            process.setuid = () => {
+                calls.setuid++
+            }
+            try {
+                this.server.listening()
+                assert.equal(calls.setgid, 1)
+                assert.equal(calls.setuid, 1)
+                assert.equal(this.server.ready, 1)
+            } finally {
+                process.getgid = originalGetGid
+                process.setgid = originalSetGid
+                process.getuid = originalGetUid
+                process.setuid = originalSetUid
+                delete this.server.cfg.main.group
+                delete this.server.cfg.main.user
+            }
+        })
+        it('sendToMaster calls receiveAsMaster when not clustered', () => {
+            const originalCluster = this.server.cluster
+            const originalReceive = this.server.receiveAsMaster
+            const seen = []
+            this.server.cluster = null
+            this.server.receiveAsMaster = (cmd, params) => {
+                seen.push([cmd, params])
+            }
+            try {
+                this.server.sendToMaster('flushQueue', ['example.com'])
+                assert.deepEqual(seen[0], ['flushQueue', ['example.com']])
+            } finally {
+                this.server.cluster = originalCluster
+                this.server.receiveAsMaster = originalReceive
+            }
+        })
+        it('receiveAsMaster ignores invalid commands and executes valid ones', () => {
+            const errors = []
+            const originalLogError = this.server.logerror
+            this.server.logerror = (msg) => errors.push(msg)
+            this.server._testCommand = (a, b) => {
+                this.server.notes.received = [a, b]
+            }
+            try {
+                this.server.receiveAsMaster('notACommand', [])
+                assert.equal(errors.length > 0, true)
+                this.server.receiveAsMaster('_testCommand', ['x', 'y'])
+                assert.deepEqual(this.server.notes.received, ['x', 'y'])
+            } finally {
+                this.server.logerror = originalLogError
+                delete this.server._testCommand
+            }
+        })
+    })
+    describe('HTTP helpers', () => {
+        beforeEach(() => {
+            this.server = require('../server')
+        })
+        it('handle404 serves html/json/text based on request accepts', () => {
+            const makeReq = (kind) => ({
+                accepts(type) {
+                    return type === kind
+                },
+            })
+            const responses = []
+            const makeRes = () => ({
+                status(code) {
+                    responses.push({ code })
+                    return this
+                },
+                sendFile(name, opts) {
+                    responses.push({ type: 'html', name, opts })
+                },
+                send(body) {
+                    responses.push({ type: 'body', body })
+                },
+            })
+            this.server.handle404(makeReq('html'), makeRes())
+            this.server.handle404(makeReq('json'), makeRes())
+            this.server.handle404(makeReq('none'), makeRes())
+            assert.equal(responses[0].code, 404)
+            assert.equal(responses[1].type, 'html')
+            assert.equal(responses[3].type, 'body')
+            assert.deepEqual(responses[3].body, { err: 'Not found' })
+            assert.equal(responses[5].body, 'Not found!')
+        })
+        it('init_http_respond logs and returns when ws is unavailable', () => {
+            const Module = require('node:module')
+            const originalRequire = Module.prototype.require
+            const originalLogError = this.server.logerror
+            const errors = []
+            this.server.logerror = (msg) => {
+                errors.push(msg)
+            }
+            this.server.http = { server: {} }
+            Module.prototype.require = function (id) {
+                if (id === 'ws') throw new Error('ws missing')
+                return originalRequire.apply(this, arguments)
+            }
+            try {
+                this.server.init_http_respond()
+                assert.equal(errors.length > 0, true)
+            } finally {
+                Module.prototype.require = originalRequire
+                this.server.logerror = originalLogError
+            }
+        })
+    })
     // ── SMTP sessions ─────────────────────────────────────────────────────────
     describe('SMTP sessions', () => {
         beforeEach(async () => setupServer('127.0.0.1:2503'))

package/test/tls_socket.js CHANGED Viewed

@@ -6,6 +6,7 @@ const path = require('node:path')
 const net = require('node:net')
 const tls = require('node:tls')
 const fs = require('node:fs')
+const { EventEmitter } = require('node:events')
 // Mock dependencies before requiring the target
 const mock = require('node:test').mock
@@ -95,10 +96,147 @@ test('tls_socket', async (t) => {
                 await new Promise((resolve) => server.close(resolve))
             }
         })
+        await t.test('second error handler does not crash when first handler removes all listeners', () => {
+            // Regression test for issue #3553
+            const originalNetConnect = net.connect
+            const originalTlsConnect = tls.connect
+            const originalTlsValid = tls_socket.tls_valid
+            const fakeCrypto = new EventEmitter()
+            fakeCrypto.writable = true
+            fakeCrypto.removeAllListeners = EventEmitter.prototype.removeAllListeners
+            fakeCrypto.setTimeout = () => {}
+            fakeCrypto.setKeepAlive = () => {}
+            let capturedCleartext
+            net.connect = () => fakeCrypto
+            tls.connect = () => {
+                capturedCleartext = new EventEmitter()
+                capturedCleartext.writable = true
+                capturedCleartext.setTimeout = () => {}
+                capturedCleartext.setKeepAlive = () => {}
+                return capturedCleartext
+            }
+            tls_socket.tls_valid = false
+            try {
+                const socket = tls_socket.connect({ host: 'bad-tls.example.com', port: 25 })
+                // Simulate what release_client does: strip all listeners on first error
+                socket.once('error', () => socket.removeAllListeners())
+                socket.upgrade({}, () => {})
+                // capturedCleartext now has two 'error' handlers (on from upgrade, once from attach).
+                // Emitting error must NOT throw even though the first handler removes all
+                // listeners from the outer socket before the second fires.
+                const tlsError = new Error('dh key too small')
+                assert.doesNotThrow(() => capturedCleartext.emit('error', tlsError))
+            } finally {
+                net.connect = originalNetConnect
+                tls.connect = originalTlsConnect
+                tls_socket.tls_valid = originalTlsValid
+            }
+        })
     })
     await t.test('getSocketOpts', async (t) => {
         // Exercise the typo path (would requires failing config.getDir)
         assert.strictEqual(typeof tls_socket.getSocketOpts, 'function')
     })
+    await t.test('getSocketOpts handles missing tls dir', async () => {
+        const originalGetCertsDir = tls_socket.get_certs_dir
+        tls_socket.get_certs_dir = async () => {
+            const err = new Error('missing')
+            err.code = 'ENOENT'
+            throw err
+        }
+        try {
+            const opts = await tls_socket.getSocketOpts('*')
+            assert.ok(opts)
+        } finally {
+            tls_socket.get_certs_dir = originalGetCertsDir
+        }
+    })
+    await t.test('connect upgrade applies mutual auth cert and timeout/keepalive', async () => {
+        const originalNetConnect = net.connect
+        const originalTlsConnect = tls.connect
+        const originalTlsValid = tls_socket.tls_valid
+        const originalCfg = tls_socket.cfg
+        const originalCertMap = {
+            default: tls_socket.certsByHost['*'],
+            host: tls_socket.certsByHost['client-cert.example'],
+        }
+        const fakeSocket = new EventEmitter()
+        fakeSocket.remotePort = 2525
+        fakeSocket.remoteAddress = '127.0.0.1'
+        fakeSocket.localPort = 25
+        fakeSocket.localAddress = '127.0.0.1'
+        fakeSocket.writable = true
+        fakeSocket.removeAllListeners = EventEmitter.prototype.removeAllListeners
+        fakeSocket.setTimeout = () => {}
+        fakeSocket.setKeepAlive = () => {}
+        let capturedOptions
+        let timeoutSeen = null
+        let keepaliveSeen = null
+        net.connect = () => fakeSocket
+        tls.connect = (options) => {
+            capturedOptions = options
+            const clear = new EventEmitter()
+            clear.writable = true
+            clear.getCipher = () => ({ name: 'TLS_AES_256_GCM_SHA384' })
+            clear.getProtocol = () => 'TLSv1.3'
+            clear.getPeerCertificate = () => ({})
+            clear.setTimeout = (ms) => {
+                timeoutSeen = ms
+            }
+            clear.setKeepAlive = (value) => {
+                keepaliveSeen = value
+            }
+            process.nextTick(() => clear.emit('secureConnect'))
+            return clear
+        }
+        tls_socket.tls_valid = true
+        tls_socket.cfg = {
+            mutual_auth_hosts: { 'mx.example.com': 'client-cert.example' },
+            mutual_auth_hosts_exclude: {},
+            main: { mutual_tls: false },
+        }
+        tls_socket.certsByHost['*'] = { key: 'default-key', cert: 'default-cert' }
+        tls_socket.certsByHost['client-cert.example'] = { key: 'host-key', cert: 'host-cert' }
+        try {
+            const socket = tls_socket.connect({ host: 'mx.example.com', port: 25 })
+            socket.setTimeout(3210)
+            socket.setKeepAlive(true)
+            await new Promise((resolve) => {
+                socket.upgrade({ rejectUnauthorized: false }, () => resolve())
+            })
+            assert.equal(capturedOptions.key, 'host-key')
+            assert.equal(capturedOptions.cert, 'host-cert')
+            assert.equal(capturedOptions.socket, fakeSocket)
+            assert.equal(timeoutSeen, 3210)
+            assert.equal(keepaliveSeen, true)
+        } finally {
+            net.connect = originalNetConnect
+            tls.connect = originalTlsConnect
+            tls_socket.tls_valid = originalTlsValid
+            tls_socket.cfg = originalCfg
+            tls_socket.certsByHost['*'] = originalCertMap.default
+            if (originalCertMap.host === undefined) {
+                delete tls_socket.certsByHost['client-cert.example']
+            } else {
+                tls_socket.certsByHost['client-cert.example'] = originalCertMap.host
+            }
+        }
+    })
 })

package/tls_socket.js CHANGED Viewed

@@ -76,7 +76,7 @@ class pluggableStream extends stream.Stream {
         this.targetsocket.once('error', (exception) => {
             this.writable = this.targetsocket.writable
             exception.source = 'tls'
-            this.emit('error', exception)
+            if (this.listenerCount('error') > 0) this.emit('error', exception)
         })
         this.targetsocket.on('timeout', () => {
             this.emit('timeout')
@@ -225,7 +225,7 @@ exports.load_tls_ini = (opts) => {
     if (ocsp === undefined && cfg.main.requestOCSP) {
         try {
-            ocsp = require('ocsp')
+            ocsp = require('@haraka/ocsp')
             log.debug('ocsp loaded')
             ocspCache = new ocsp.Cache()
         } catch (ignore) {