Haraka 3.1.5 → 3.1.7

package/test/outbound/queue.js

@@ -230,4 +230,96 @@ describe('outbound/queue', () => {
             }
         })
     })
+
+    describe('queue maintenance', () => {
+        it('delete_dot_files removes leftover dot files only', async () => {
+            const tmpDir = path.join(os.tmpdir(), `haraka-dot-clean-${Date.now()}`)
+            fs.mkdirSync(tmpDir, { recursive: true })
+            const dotName = `${qfile.platformDOT}leftover`
+            const normalName = 'keep-me'
+            fs.writeFileSync(path.join(tmpDir, dotName), 'x')
+            fs.writeFileSync(path.join(tmpDir, normalName), 'x')
+
+            const originalQueueDir = queue.queue_dir
+            queue.queue_dir = tmpDir
+            try {
+                await queue.delete_dot_files()
+                assert.equal(fs.existsSync(path.join(tmpDir, dotName)), false)
+                assert.equal(fs.existsSync(path.join(tmpDir, normalName)), true)
+            } finally {
+                queue.queue_dir = originalQueueDir
+                fs.rmSync(tmpDir, { recursive: true, force: true })
+            }
+        })
+
+        it('_add_hmail pushes immediate items and schedules delayed ones', () => {
+            const originalPush = queue.delivery_queue.push
+            const originalAdd = queue.temp_fail_queue.add
+            const pushed = []
+            const delayed = []
+            let delayedCb
+
+            queue.delivery_queue.push = (item) => pushed.push(item)
+            queue.temp_fail_queue.add = (id, ms, cb) => {
+                delayed.push([id, ms])
+                delayedCb = cb
+            }
+            queue.cur_time = new Date()
+
+            const immediate = { filename: 'a', next_process: queue.cur_time - 1 }
+            const future = { filename: 'b', next_process: queue.cur_time.getTime() + 1000 }
+
+            try {
+                queue._add_hmail(immediate)
+                queue._add_hmail(future)
+                assert.equal(pushed.length, 1)
+                assert.equal(delayed.length, 1)
+                assert.equal(delayed[0][0], 'b')
+                delayedCb()
+                assert.equal(pushed.length, 2)
+            } finally {
+                queue.delivery_queue.push = originalPush
+                queue.temp_fail_queue.add = originalAdd
+            }
+        })
+
+        it('scan_queue_pids returns unique pids from queue files', async () => {
+            populateTestQueue()
+            const originalQueueDir = queue.queue_dir
+            queue.queue_dir = testQueueDir
+
+            try {
+                const pids = await queue.scan_queue_pids()
+                assert.ok(Array.isArray(pids))
+                assert.equal(pids.length >= 1, true)
+            } finally {
+                queue.queue_dir = originalQueueDir
+                clearTestQueue()
+            }
+        })
+
+        it('scan_queue_pids throws when queue dir cannot be read', async () => {
+            const originalQueueDir = queue.queue_dir
+            const badPath = path.join(os.tmpdir(), `queue-not-dir-${Date.now()}`)
+            fs.writeFileSync(badPath, 'x')
+            queue.queue_dir = badPath
+            try {
+                await assert.rejects(() => queue.scan_queue_pids())
+            } finally {
+                queue.queue_dir = originalQueueDir
+                fs.rmSync(badPath, { force: true })
+            }
+        })
+
+        it('delete_dot_files handles readdir errors without throwing', async () => {
+            const originalQueueDir = queue.queue_dir
+            queue.queue_dir = path.join(os.tmpdir(), `missing-dot-${Date.now()}`)
+            try {
+                await queue.delete_dot_files()
+                assert.ok(true)
+            } finally {
+                queue.queue_dir = originalQueueDir
+            }
+        })
+    })
 })

package/test/plugins/auth/auth_bridge.js

@@ -0,0 +1,80 @@
+'use strict'
+
+const assert = require('node:assert')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+describe('auth/auth_bridge', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('auth/auth_bridge')
+        plugin.load_flat_ini()
+    })
+
+    describe('load_flat_ini', () => {
+        it('loads smtp_bridge.ini config', () => {
+            assert.ok(plugin.cfg)
+            assert.ok(plugin.cfg.main)
+        })
+
+        it('cfg.main.host defaults to localhost', () => {
+            assert.equal(plugin.cfg.main.host, 'localhost')
+        })
+    })
+
+    describe('check_plain_passwd', () => {
+        let conn
+
+        beforeEach(() => {
+            conn = fixtures.connection.createConnection()
+        })
+
+        it('calls try_auth_proxy with just host when no port configured', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                assert.equal(host, 'mail.example.com')
+                assert.equal(user, 'testuser')
+                assert.equal(passwd, 'testpass')
+                cb(true)
+            }
+            plugin.check_plain_passwd(conn, 'testuser', 'testpass', (result) => {
+                assert.equal(result, true)
+                done()
+            })
+        })
+
+        it('calls try_auth_proxy with host:port when port is configured', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com', port: '587' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                assert.equal(host, 'mail.example.com:587')
+                cb(true)
+            }
+            plugin.check_plain_passwd(conn, 'testuser', 'testpass', (result) => {
+                assert.equal(result, true)
+                done()
+            })
+        })
+
+        it('passes authentication failure through to callback', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                cb(false)
+            }
+            plugin.check_plain_passwd(conn, 'baduser', 'badpass', (result) => {
+                assert.equal(result, false)
+                done()
+            })
+        })
+
+        it('passes the connection object to try_auth_proxy', (t, done) => {
+            plugin.cfg.main = { host: 'mail.example.com' }
+            plugin.try_auth_proxy = (connection, host, user, passwd, cb) => {
+                assert.equal(connection, conn)
+                cb(true)
+            }
+            plugin.check_plain_passwd(conn, 'user', 'pass', () => done())
+        })
+    })
+})

package/test/plugins/auth/flat_file.js

@@ -0,0 +1,128 @@
+'use strict'
+
+const assert = require('node:assert')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+function makeConnection(opts = {}) {
+    const conn = fixtures.connection.createConnection()
+    conn.capabilities = []
+    conn.notes.allowed_auth_methods = []
+    conn.remote = { is_private: opts.is_private ?? false }
+    conn.tls = { enabled: opts.tls_enabled ?? false }
+    return conn
+}
+
+describe('auth/flat_file', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('auth/flat_file')
+        plugin.inherits('auth/auth_base')
+        plugin.load_flat_ini()
+    })
+
+    describe('load_flat_ini', () => {
+        it('populates cfg.users as an object', () => {
+            assert.ok(typeof plugin.cfg.users === 'object')
+        })
+
+        it('cfg.users defaults to empty object when not configured', () => {
+            // default config has no real users
+            assert.deepEqual(plugin.cfg.users, {})
+        })
+    })
+
+    describe('hook_capabilities', () => {
+        let conn
+
+        beforeEach(() => {
+            conn = makeConnection()
+        })
+
+        it('skips for public non-TLS connection', (t, done) => {
+            plugin.hook_capabilities((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.capabilities.length, 0)
+                done()
+            }, conn)
+        })
+
+        it('adds AUTH methods for private connection (non-TLS)', (t, done) => {
+            conn.remote.is_private = true
+            plugin.cfg.core.methods = 'PLAIN,LOGIN'
+            plugin.hook_capabilities((rc) => {
+                assert.equal(rc, undefined)
+                assert.ok(
+                    conn.capabilities.some((c) => c.startsWith('AUTH ')),
+                    'AUTH capability should be present',
+                )
+                done()
+            }, conn)
+        })
+
+        it('adds AUTH methods when TLS is enabled', (t, done) => {
+            conn.tls.enabled = true
+            plugin.cfg.core.methods = 'PLAIN,LOGIN'
+            plugin.hook_capabilities((rc) => {
+                assert.equal(rc, undefined)
+                assert.ok(conn.capabilities.some((c) => c.startsWith('AUTH ')))
+                done()
+            }, conn)
+        })
+
+        it('sets allowed_auth_methods on connection notes', (t, done) => {
+            conn.tls.enabled = true
+            plugin.cfg.core.methods = 'PLAIN,LOGIN'
+            plugin.hook_capabilities(() => {
+                assert.deepEqual(conn.notes.allowed_auth_methods, ['PLAIN', 'LOGIN'])
+                done()
+            }, conn)
+        })
+
+        it('does not add AUTH when no methods configured', (t, done) => {
+            conn.tls.enabled = true
+            plugin.cfg.core.methods = null
+            plugin.hook_capabilities(() => {
+                assert.equal(conn.capabilities.length, 0)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('get_plain_passwd', () => {
+        beforeEach(() => {
+            plugin.cfg.users = { alice: 'secret', bob: 'hunter2' }
+        })
+
+        it('returns password for known user', (t, done) => {
+            plugin.get_plain_passwd('alice', {}, (pw) => {
+                assert.equal(pw, 'secret')
+                done()
+            })
+        })
+
+        it('calls cb with no args for unknown user', (t, done) => {
+            plugin.get_plain_passwd('unknown', {}, (pw) => {
+                assert.equal(pw, undefined)
+                done()
+            })
+        })
+
+        it('handles multiple users', (t, done) => {
+            plugin.get_plain_passwd('bob', {}, (pw) => {
+                assert.equal(pw, 'hunter2')
+                done()
+            })
+        })
+
+        it('coerces password to string via toString()', (t, done) => {
+            plugin.cfg.users.numericuser = 12345
+            plugin.get_plain_passwd('numericuser', {}, (pw) => {
+                assert.equal(pw, '12345')
+                done()
+            })
+        })
+    })
+})

package/test/plugins/block_me.js

@@ -0,0 +1,157 @@
+'use strict'
+
+const fs = require('node:fs')
+const path = require('node:path')
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach, after } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+const { Address } = require('address-rfc2821')
+require('haraka-constants').import(global)
+
+// block_me appends to <config>/mail_from.blocklist when a sender is blocked;
+// remove the artifact the 'sets block_me note' test produces.
+after(() => {
+    fs.rmSync(path.resolve('test/config/mail_from.blocklist'), { force: true })
+})
+
+function makeConnection({
+    relaying = false,
+    mailFrom = 'sender@example.com',
+    rcptTo = ['blocklist@example.com'],
+} = {}) {
+    const conn = fixtures.connection.createConnection()
+    conn.init_transaction()
+    conn.relaying = relaying
+    conn.transaction.mail_from = new Address(`<${mailFrom}>`)
+    conn.transaction.rcpt_to = rcptTo.map((r) => new Address(`<${r}>`))
+    conn.transaction.body = { bodytext: '', children: [] }
+    return conn
+}
+
+describe('block_me', () => {
+    let plugin
+
+    // Read config (block_me.recipient, block_me.senders) from test/config rather
+    // than the real config dir. block_me also appends matched senders to
+    // mail_from.blocklist; with this override that write lands in test/config too.
+    beforeEach(() => {
+        plugin = new fixtures.plugin('block_me')
+        plugin.config = plugin.config.module_config(path.resolve('test'))
+    })
+
+    describe('hook_data', () => {
+        it('enables body parsing and calls next', (t, done) => {
+            const conn = makeConnection()
+            conn.transaction.parse_body = false
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.transaction.parse_body, true)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_data_post', () => {
+        it('calls next when not relaying', (t, done) => {
+            const conn = makeConnection({ relaying: false })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when transaction is missing', (t, done) => {
+            const conn = fixtures.connection.createConnection()
+            conn.relaying = true
+            conn.transaction = null
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when more than one recipient', (t, done) => {
+            const conn = makeConnection({
+                relaying: true,
+                rcptTo: ['blocklist@example.com', 'other@example.com'],
+            })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when recipient does not match configured address', (t, done) => {
+            const conn = makeConnection({ relaying: true, rcptTo: ['other@example.com'] })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('denies when sender is not in the allowed senders list', (t, done) => {
+            const conn = makeConnection({
+                relaying: true,
+                mailFrom: 'notallowed@example.com',
+                rcptTo: ['blocklist@example.com'],
+            })
+            plugin.hook_data_post((rc, msg) => {
+                assert.equal(rc, DENY)
+                assert.ok(msg.includes('not allowed'))
+                done()
+            }, conn)
+        })
+
+        it('calls next when no From header found in body', (t, done) => {
+            const conn = makeConnection({
+                relaying: true,
+                mailFrom: 'sender@example.com',
+                rcptTo: ['blocklist@example.com'],
+            })
+            conn.transaction.body = { bodytext: 'No from header here', children: [] }
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                // note should not be set since no From header
+                assert.equal(conn.transaction.notes.block_me, undefined)
+                done()
+            }, conn)
+        })
+
+        it('sets block_me note and calls next when From is extracted', (t, done) => {
+            const conn = makeConnection({
+                relaying: true,
+                mailFrom: 'sender@example.com',
+                rcptTo: ['blocklist@example.com'],
+            })
+            conn.transaction.body = {
+                bodytext: 'From: Test User <block_target@example.com>',
+                children: [],
+            }
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.transaction.notes.block_me, 1)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_queue', () => {
+        it('returns OK when block_me note is set on transaction', (t, done) => {
+            const conn = makeConnection()
+            conn.transaction.notes.block_me = 1
+            plugin.hook_queue((rc) => {
+                assert.equal(rc, OK)
+                done()
+            }, conn)
+        })
+
+        it('calls next when block_me note is not set', (t, done) => {
+            const conn = makeConnection()
+            plugin.hook_queue((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+    })
+})

package/test/plugins/data.signatures.js

@@ -0,0 +1,114 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+require('haraka-constants').import(global)
+
+function makeConnection(bodytext = '', children = []) {
+    const conn = fixtures.connection.createConnection()
+    conn.init_transaction()
+    conn.transaction.body = { bodytext, children }
+    return conn
+}
+
+describe('data.signatures', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('data.signatures')
+    })
+
+    describe('hook_data', () => {
+        it('enables body parsing', (t, done) => {
+            const conn = makeConnection()
+            conn.transaction.parse_body = false
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.transaction.parse_body, true)
+                done()
+            }, conn)
+        })
+
+        it('calls next when there is no transaction', (t, done) => {
+            const conn = fixtures.connection.createConnection()
+            conn.transaction = null
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_data_post', () => {
+        it('calls next when there is no transaction', (t, done) => {
+            const conn = fixtures.connection.createConnection()
+            conn.transaction = null
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when signature list is empty', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? [] : {})
+            const conn = makeConnection('This is some email body text')
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('denies when body matches a signature', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? ['spam_signature_text'] : {})
+            const conn = makeConnection('Buy cheap meds! spam_signature_text here')
+            plugin.hook_data_post((rc, msg) => {
+                assert.equal(rc, DENY)
+                assert.ok(msg.includes('spam'))
+                done()
+            }, conn)
+        })
+
+        it('calls next when body does not match any signature', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? ['bad_pattern'] : {})
+            const conn = makeConnection('Totally normal email body')
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('denies when a child body part matches a signature', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? ['spam_in_child'] : {})
+            const conn = fixtures.connection.createConnection()
+            conn.init_transaction()
+            conn.transaction.body = {
+                bodytext: 'clean parent text',
+                children: [{ bodytext: 'spam_in_child content here', children: [] }],
+            }
+            plugin.hook_data_post((rc, msg) => {
+                assert.equal(rc, DENY)
+                done()
+            }, conn)
+        })
+
+        it('calls next when multiple signatures do not match', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? ['sig_one', 'sig_two', 'sig_three'] : {})
+            const conn = makeConnection('No matching signatures here at all')
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('matches the first of multiple signatures', (t, done) => {
+            plugin.config.get = (name, type) => (type === 'list' ? ['no_match', 'buy_cheap_pills'] : {})
+            const conn = makeConnection('This message has buy_cheap_pills for you')
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, DENY)
+                done()
+            }, conn)
+        })
+    })
+})