Haraka 3.1.5 → 3.1.7

package/test/plugins/queue/smtp_proxy.js

@@ -0,0 +1,139 @@
+'use strict'
+
+const assert = require('node:assert')
+const path = require('node:path')
+const { describe, it, beforeEach, afterEach, before } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+const tls_socket = require('../../../tls_socket')
+
+before(() => {
+    require('haraka-constants').import(global)
+})
+
+describe('queue/smtp_proxy', () => {
+    let plugin, conn
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('queue/smtp_proxy')
+        plugin.load_smtp_proxy_ini()
+        conn = fixtures.connection.createConnection()
+        conn.init_transaction()
+    })
+
+    describe('hook_rset', () => {
+        it('calls next() when no smtp_client in notes', (t, done) => {
+            plugin.hook_rset((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('releases smtp_client and calls next() when smtp_client exists', (t, done) => {
+            let released = false
+            conn.notes.smtp_client = {
+                release: () => {
+                    released = true
+                },
+            }
+            plugin.hook_rset((rc) => {
+                assert.equal(released, true)
+                assert.equal(conn.notes.smtp_client, undefined)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_quit', () => {
+        it('calls next() when no smtp_client in notes', (t, done) => {
+            plugin.hook_quit((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('is the same function as hook_rset', () => {
+            assert.equal(plugin.hook_rset, plugin.hook_quit)
+        })
+    })
+
+    describe('hook_disconnect', () => {
+        it('calls next() when no smtp_client in notes', (t, done) => {
+            plugin.hook_disconnect((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('releases and calls next when smtp_client exists', (t, done) => {
+            let released = false
+            let callNextCalled = false
+            conn.notes.smtp_client = {
+                release: () => {
+                    released = true
+                },
+                call_next: () => {
+                    callNextCalled = true
+                },
+            }
+            plugin.hook_disconnect((rc) => {
+                assert.equal(released, true)
+                assert.equal(callNextCalled, true)
+                assert.equal(conn.notes.smtp_client, undefined)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_queue', () => {
+        it('calls next() when transaction is missing', (t, done) => {
+            const connNoTxn = fixtures.connection.createConnection()
+            plugin.hook_queue((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, connNoTxn)
+        })
+
+        it('calls next() when smtp_client is not in notes', (t, done) => {
+            plugin.hook_queue((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('tls_options', () => {
+        let origTlsConfig, origTlsCfg
+
+        beforeEach(() => {
+            origTlsConfig = tls_socket.config
+            origTlsCfg = tls_socket.cfg
+            tls_socket.config = require('haraka-config').module_config(path.resolve('test'))
+            tls_socket.cfg = undefined
+            // re-derive with test/config in scope
+            plugin.load_smtp_proxy_ini()
+        })
+
+        afterEach(() => {
+            tls_socket.config = origTlsConfig
+            tls_socket.cfg = origTlsCfg
+        })
+
+        it('populates tls_options from tls.ini [main]', () => {
+            assert.ok(plugin.tls_options)
+            assert.equal(plugin.tls_options.rejectUnauthorized, false)
+            assert.equal(plugin.tls_options.minVersion, 'TLSv1')
+            assert.ok(plugin.tls_options.ciphers)
+            assert.ok(Array.isArray(plugin.tls_options.no_tls_hosts))
+            assert.ok(Array.isArray(plugin.tls_options.force_tls_hosts))
+        })
+
+        it('reload re-derives tls_options', () => {
+            const first = plugin.tls_options
+            plugin.load_smtp_proxy_ini()
+            assert.ok(plugin.tls_options)
+            assert.notEqual(plugin.tls_options, first)
+        })
+    })
+})

package/test/plugins/reseed_rng.js

@@ -0,0 +1,34 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+describe('reseed_rng', () => {
+    describe('hook_init_child', () => {
+        it('calls Math.seedrandom with a hex string and calls next', (t, done) => {
+            const plugin = new fixtures.plugin('reseed_rng')
+            let called = false
+            let calledArg
+            Math.seedrandom = (arg) => {
+                called = true
+                calledArg = arg
+            }
+            plugin.hook_init_child((rc) => {
+                delete Math.seedrandom
+                assert.equal(rc, undefined)
+                assert.ok(called, 'Math.seedrandom should have been called')
+                assert.equal(typeof calledArg, 'string')
+                assert.ok(calledArg.length > 0)
+                done()
+            })
+        })
+
+        it('throws when Math.seedrandom is not defined', () => {
+            const plugin = new fixtures.plugin('reseed_rng')
+            delete Math.seedrandom
+            assert.throws(() => plugin.hook_init_child(() => {}), /Math\.seedrandom is not a function/)
+        })
+    })
+})

package/test/plugins/tarpit.js

@@ -0,0 +1,91 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+describe('tarpit', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('tarpit')
+        plugin.config.get = () => ({ main: {} })
+    })
+
+    describe('register', () => {
+        it('registers tarpit on all default hooks', () => {
+            const registered = []
+            plugin.register_hook = (hook) => registered.push(hook)
+            plugin.register()
+            assert.ok(registered.includes('connect'))
+            assert.ok(registered.includes('ehlo'))
+            assert.ok(registered.includes('mail'))
+            assert.ok(registered.includes('rcpt'))
+            assert.ok(registered.includes('data'))
+            assert.ok(registered.includes('queue'))
+            assert.ok(registered.includes('quit'))
+        })
+
+        it('registers only configured hooks when hooks_to_delay is set', () => {
+            plugin.config.get = () => ({ main: { hooks_to_delay: 'ehlo, mail' } })
+            const registered = []
+            plugin.register_hook = (hook) => registered.push(hook)
+            plugin.register()
+            assert.deepEqual(registered, ['ehlo', 'mail'])
+        })
+    })
+
+    describe('tarpit', () => {
+        let conn
+
+        beforeEach(() => {
+            conn = fixtures.connection.createConnection()
+            conn.init_transaction()
+        })
+
+        it('calls next immediately when no transaction', (t, done) => {
+            conn.transaction = null
+            plugin.tarpit((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next immediately when no tarpit delay set', (t, done) => {
+            // No tarpit note on connection or transaction
+            plugin.tarpit((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next immediately when connection.notes.tarpit is 0', (t, done) => {
+            conn.notes.tarpit = 0
+            plugin.tarpit((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('delays and calls next when connection.notes.tarpit is set', { timeout: 3000 }, (t, done) => {
+            conn.notes.tarpit = 0.1
+            const start = Date.now()
+            plugin.tarpit((rc) => {
+                assert.equal(rc, undefined)
+                assert.ok(Date.now() - start >= 90, 'should have waited ~100ms')
+                done()
+            }, conn)
+        })
+
+        it('uses transaction.notes.tarpit when connection note is absent', { timeout: 3000 }, (t, done) => {
+            conn.transaction.notes.tarpit = 0.1
+            const start = Date.now()
+            plugin.tarpit((rc) => {
+                assert.equal(rc, undefined)
+                assert.ok(Date.now() - start >= 90)
+                done()
+            }, conn)
+        })
+    })
+})

package/test/plugins/tls.js

@@ -60,4 +60,29 @@ describe('tls', () => {
             )
         })
     })
+
+    describe('upgrade_connection (STARTTLS injection)', () => {
+        // RFC 3207 §4: data pipelined after STARTTLS but before the TLS
+        // handshake must be discarded, not processed on the cleartext channel.
+        it('discards pipelined plaintext before the TLS handshake', () => {
+            const c = this.connection
+            c.tls = { advertised: true }
+            c.notes = {}
+            // attacker pipelined an injected command after STARTTLS
+            c.current_data = Buffer.from('RCPT TO:<victim@example.com>\r\n')
+            let dataAtUpgrade = 'UPGRADE_NOT_CALLED'
+            c.client = {
+                upgrade() {
+                    dataAtUpgrade = c.current_data
+                },
+            }
+            c.respond = () => {} // bypass the real _process_data path
+            this.plugin.timeout = 0
+
+            this.plugin.upgrade_connection(() => {}, c, ['STARTTLS'])
+
+            assert.equal(dataAtUpgrade, null, 'buffer cleared before upgrade()')
+            assert.equal(c.current_data, null)
+        })
+    })
 })

package/test/plugins/toobusy.js

@@ -0,0 +1,21 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+describe('toobusy', () => {
+    describe('register', () => {
+        it('handles missing toobusy-js gracefully (does not throw)', () => {
+            const plugin = new fixtures.plugin('toobusy')
+            // toobusy-js is not installed; register should catch the error and return
+            let registered = false
+            plugin.register_hook = () => {
+                registered = true
+            }
+            assert.doesNotThrow(() => plugin.register())
+            assert.equal(registered, false, 'hook should not be registered without toobusy-js')
+        })
+    })
+})

package/test/plugins/xclient.js

@@ -99,4 +99,18 @@ describe('xclient', () => {
             })
         }
     })
+
+    describe('DESTPORT type', () => {
+        it('stores local.port as an integer (587/465 auth check)', async () => {
+            this.connection.remote.ip = '127.0.0.1'
+            await new Promise((resolve) => {
+                this.plugin.hook_unrecognized_command(() => resolve(), this.connection, [
+                    'XCLIENT',
+                    'ADDR=1.2.3.4 DESTPORT=587',
+                ])
+            })
+            assert.strictEqual(this.connection.local.port, 587)
+            assert.equal(typeof this.connection.local.port, 'number')
+        })
+    })
 })

package/test/server.js

@@ -6,6 +6,7 @@ const { createHmac } = require('node:crypto')
 const net = require('node:net')
 const path = require('node:path')
 const tls = require('node:tls')
+const constants = require('haraka-constants')
 
 const endpoint = require('../endpoint')
 const message = require('haraka-email-message')
@@ -254,6 +255,177 @@ describe('server', () => {
         })
     })
 
+    describe('lifecycle helpers', () => {
+        beforeEach(() => {
+            this.server = require('../server')
+            this.server.cfg = this.server.cfg || { main: {} }
+            this.server.cfg.main = this.server.cfg.main || {}
+        })
+
+        it('init_child_respond OK path starts HTTP listeners', () => {
+            let called = 0
+            const original = this.server.setup_http_listeners
+            this.server.setup_http_listeners = () => {
+                called++
+            }
+            try {
+                this.server.init_child_respond(constants.ok)
+                assert.equal(called, 1)
+            } finally {
+                this.server.setup_http_listeners = original
+            }
+        })
+
+        it('init_child_respond error path kills master and exits', () => {
+            process.env.CLUSTER_MASTER_PID = '12345'
+            const originalKill = process.kill
+            const originalDump = this.server.logger.dump_and_exit
+            let killed = null
+            let exitCode = null
+            process.kill = (pid) => {
+                killed = pid
+            }
+            this.server.logger.dump_and_exit = (code) => {
+                exitCode = code
+            }
+            try {
+                this.server.init_child_respond(constants.deny, 'nope')
+                assert.equal(killed, '12345')
+                assert.equal(exitCode, 1)
+            } finally {
+                process.kill = originalKill
+                this.server.logger.dump_and_exit = originalDump
+                delete process.env.CLUSTER_MASTER_PID
+            }
+        })
+
+        it('listening applies configured uid/gid and marks ready', () => {
+            this.server.cfg.main.group = 'staff'
+            this.server.cfg.main.user = 'nobody'
+            const originalGetGid = process.getgid
+            const originalSetGid = process.setgid
+            const originalGetUid = process.getuid
+            const originalSetUid = process.setuid
+            const calls = { setgid: 0, setuid: 0 }
+            process.getgid = () => 20
+            process.setgid = () => {
+                calls.setgid++
+            }
+            process.getuid = () => 501
+            process.setuid = () => {
+                calls.setuid++
+            }
+            try {
+                this.server.listening()
+                assert.equal(calls.setgid, 1)
+                assert.equal(calls.setuid, 1)
+                assert.equal(this.server.ready, 1)
+            } finally {
+                process.getgid = originalGetGid
+                process.setgid = originalSetGid
+                process.getuid = originalGetUid
+                process.setuid = originalSetUid
+                delete this.server.cfg.main.group
+                delete this.server.cfg.main.user
+            }
+        })
+
+        it('sendToMaster calls receiveAsMaster when not clustered', () => {
+            const originalCluster = this.server.cluster
+            const originalReceive = this.server.receiveAsMaster
+            const seen = []
+            this.server.cluster = null
+            this.server.receiveAsMaster = (cmd, params) => {
+                seen.push([cmd, params])
+            }
+            try {
+                this.server.sendToMaster('flushQueue', ['example.com'])
+                assert.deepEqual(seen[0], ['flushQueue', ['example.com']])
+            } finally {
+                this.server.cluster = originalCluster
+                this.server.receiveAsMaster = originalReceive
+            }
+        })
+
+        it('receiveAsMaster ignores invalid commands and executes valid ones', () => {
+            const errors = []
+            const originalLogError = this.server.logerror
+            this.server.logerror = (msg) => errors.push(msg)
+            this.server._testCommand = (a, b) => {
+                this.server.notes.received = [a, b]
+            }
+            try {
+                this.server.receiveAsMaster('notACommand', [])
+                assert.equal(errors.length > 0, true)
+
+                this.server.receiveAsMaster('_testCommand', ['x', 'y'])
+                assert.deepEqual(this.server.notes.received, ['x', 'y'])
+            } finally {
+                this.server.logerror = originalLogError
+                delete this.server._testCommand
+            }
+        })
+    })
+
+    describe('HTTP helpers', () => {
+        beforeEach(() => {
+            this.server = require('../server')
+        })
+
+        it('handle404 serves html/json/text based on request accepts', () => {
+            const makeReq = (kind) => ({
+                accepts(type) {
+                    return type === kind
+                },
+            })
+            const responses = []
+            const makeRes = () => ({
+                status(code) {
+                    responses.push({ code })
+                    return this
+                },
+                sendFile(name, opts) {
+                    responses.push({ type: 'html', name, opts })
+                },
+                send(body) {
+                    responses.push({ type: 'body', body })
+                },
+            })
+
+            this.server.handle404(makeReq('html'), makeRes())
+            this.server.handle404(makeReq('json'), makeRes())
+            this.server.handle404(makeReq('none'), makeRes())
+
+            assert.equal(responses[0].code, 404)
+            assert.equal(responses[1].type, 'html')
+            assert.equal(responses[3].type, 'body')
+            assert.deepEqual(responses[3].body, { err: 'Not found' })
+            assert.equal(responses[5].body, 'Not found!')
+        })
+
+        it('init_http_respond logs and returns when ws is unavailable', () => {
+            const Module = require('node:module')
+            const originalRequire = Module.prototype.require
+            const originalLogError = this.server.logerror
+            const errors = []
+            this.server.logerror = (msg) => {
+                errors.push(msg)
+            }
+            this.server.http = { server: {} }
+            Module.prototype.require = function (id) {
+                if (id === 'ws') throw new Error('ws missing')
+                return originalRequire.apply(this, arguments)
+            }
+            try {
+                this.server.init_http_respond()
+                assert.equal(errors.length > 0, true)
+            } finally {
+                Module.prototype.require = originalRequire
+                this.server.logerror = originalLogError
+            }
+        })
+    })
+
     // ── SMTP sessions ─────────────────────────────────────────────────────────
     describe('SMTP sessions', () => {
         beforeEach(async () => setupServer('127.0.0.1:2503'))
@@ -355,3 +527,62 @@ describe('server', () => {
         })
     })
 })
+
+describe('_graceful (cluster restart)', () => {
+    it('actually disconnects workers (queued thunks are invoked)', async () => {
+        const cluster = require('node:cluster')
+        const Server = require('../server')
+        Server.cfg = Server.cfg || { main: {} }
+        Server.cfg.main = Server.cfg.main || {}
+        Server.cfg.main.force_shutdown_timeout = 1
+
+        const saved = {
+            cluster: Server.cluster,
+            workers: cluster.workers,
+            fork: cluster.fork,
+            rmAll: cluster.removeAllListeners,
+        }
+
+        let disconnected = 0
+        const mkWorker = () => ({
+            _cbs: {},
+            send() {},
+            kill() {},
+            once(ev, cb) {
+                ;(this._cbs[ev] ||= []).push(cb)
+            },
+            on(ev, cb) {
+                ;(this._cbs[ev] ||= []).push(cb)
+            },
+            _fire(ev) {
+                for (const cb of this._cbs[ev] || []) cb()
+            },
+            disconnect() {
+                disconnected++
+                setImmediate(() => {
+                    this._fire('disconnect')
+                    setImmediate(() => this._fire('exit'))
+                })
+            },
+        })
+
+        cluster.workers = { 1: mkWorker() }
+        cluster.removeAllListeners = () => {}
+        cluster.fork = () => {
+            const nw = mkWorker()
+            setImmediate(() => nw._fire('listening'))
+            return nw
+        }
+        Server.cluster = cluster
+
+        try {
+            await Server._graceful()
+            assert.equal(disconnected, 1, 'worker.disconnect() was invoked')
+        } finally {
+            Server.cluster = saved.cluster
+            cluster.workers = saved.workers
+            cluster.fork = saved.fork
+            cluster.removeAllListeners = saved.rmAll
+        }
+    })
+})