Haraka 3.1.6 → 3.2.0

package/test/plugins/delay_deny.js

@@ -0,0 +1,263 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+require('haraka-constants').import(global)
+
+// params layout: [code, msg, pi_name, pi_function, pi_params, pi_hook]
+function makeParams({ code = DENY, msg = 'test deny', name = 'some_plugin', fn = 'hook_fn', hook = 'ehlo' } = {}) {
+    return [code, msg, name, fn, null, hook]
+}
+
+describe('delay_deny', () => {
+    let plugin, conn
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('delay_deny')
+        plugin.config.get = () => ({ main: {} })
+        conn = fixtures.connection.createConnection()
+        conn.init_transaction()
+    })
+
+    describe('hook_deny', () => {
+        it('skips itself (pi_name === delay_deny)', (t, done) => {
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, undefined)
+                    done()
+                },
+                conn,
+                makeParams({ name: 'delay_deny' }),
+            )
+        })
+
+        it('stores connection-level pre-DATA deny for ehlo hook', (t, done) => {
+            const params = makeParams({ hook: 'ehlo' })
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, OK)
+                    assert.equal(conn.notes.delay_deny_pre.length, 1)
+                    assert.equal(conn.notes.delay_deny_pre[0], params)
+                    assert.equal(conn.notes.delay_deny_pre_fail['some_plugin'], 1)
+                    done()
+                },
+                conn,
+                params,
+            )
+        })
+
+        it('stores connection-level pre-DATA deny for connect hook', (t, done) => {
+            const params = makeParams({ hook: 'connect' })
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, OK)
+                    assert.ok(conn.notes.delay_deny_pre.includes(params))
+                    done()
+                },
+                conn,
+                params,
+            )
+        })
+
+        it('stores transaction-level pre-DATA deny for mail hook', (t, done) => {
+            const params = makeParams({ hook: 'mail' })
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, OK)
+                    assert.equal(conn.transaction.notes.delay_deny_pre.length, 1)
+                    assert.equal(conn.transaction.notes.delay_deny_pre[0], params)
+                    assert.equal(conn.transaction.notes.delay_deny_pre_fail['some_plugin'], 1)
+                    done()
+                },
+                conn,
+                params,
+            )
+        })
+
+        it('stores transaction-level pre-DATA deny for rcpt hook', (t, done) => {
+            const params = makeParams({ hook: 'rcpt' })
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, OK)
+                    assert.equal(conn.transaction.notes.delay_deny_pre.length, 1)
+                    assert.equal(conn.transaction.notes.delay_deny_pre[0], params)
+                    done()
+                },
+                conn,
+                params,
+            )
+        })
+
+        it('calls next (no delay) for data_post hook', (t, done) => {
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, undefined)
+                    done()
+                },
+                conn,
+                makeParams({ hook: 'data_post' }),
+            )
+        })
+
+        it('calls next (no delay) for data hook', (t, done) => {
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, undefined)
+                    done()
+                },
+                conn,
+                makeParams({ hook: 'data' }),
+            )
+        })
+
+        it('delays when plugin is in included_plugins list', (t, done) => {
+            plugin.config.get = () => ({ main: { included_plugins: 'allowed_plugin' } })
+            const params = makeParams({ name: 'allowed_plugin', hook: 'ehlo' })
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, OK)
+                    done()
+                },
+                conn,
+                params,
+            )
+        })
+
+        it('passes through when plugin is not in included_plugins list', (t, done) => {
+            plugin.config.get = () => ({ main: { included_plugins: 'allowed_plugin' } })
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, undefined)
+                    done()
+                },
+                conn,
+                makeParams({ name: 'other_plugin', hook: 'ehlo' }),
+            )
+        })
+
+        it('passes through when plugin is in excluded_plugins list', (t, done) => {
+            plugin.config.get = () => ({ main: { excluded_plugins: 'skip_plugin' } })
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, undefined)
+                    done()
+                },
+                conn,
+                makeParams({ name: 'skip_plugin', hook: 'ehlo' }),
+            )
+        })
+
+        it('delays when plugin is not in excluded_plugins list', (t, done) => {
+            plugin.config.get = () => ({ main: { excluded_plugins: 'skip_plugin' } })
+            const params = makeParams({ name: 'other_plugin', hook: 'ehlo' })
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, OK)
+                    done()
+                },
+                conn,
+                params,
+            )
+        })
+
+        it('can exclude by plugin:hook format', (t, done) => {
+            plugin.config.get = () => ({ main: { excluded_plugins: 'some_plugin:helo' } })
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, undefined)
+                    done()
+                },
+                conn,
+                makeParams({ name: 'some_plugin', hook: 'helo' }),
+            )
+        })
+
+        it('can exclude by plugin:hook:function format', (t, done) => {
+            plugin.config.get = () => ({ main: { excluded_plugins: 'some_plugin:ehlo:hook_fn' } })
+            plugin.hook_deny(
+                (rc) => {
+                    assert.equal(rc, undefined)
+                    done()
+                },
+                conn,
+                makeParams({ name: 'some_plugin', fn: 'hook_fn', hook: 'ehlo' }),
+            )
+        })
+    })
+
+    describe('hook_rcpt_ok', () => {
+        it('calls next when there is no transaction', (t, done) => {
+            conn.transaction = null
+            plugin.hook_rcpt_ok((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('bypasses all denies when connection is relaying', (t, done) => {
+            conn.relaying = true
+            conn.notes.delay_deny_pre = [makeParams({ hook: 'ehlo' })]
+            plugin.hook_rcpt_ok((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('applies deferred connection-level deny', (t, done) => {
+            conn.relaying = false
+            conn.notes.delay_deny_pre = [[DENY, 'deferred ehlo deny', 'check_relay', 'fn', null, 'ehlo']]
+            plugin.hook_rcpt_ok((rc, msg) => {
+                assert.equal(rc, DENY)
+                assert.equal(msg, 'deferred ehlo deny')
+                done()
+            }, conn)
+        })
+
+        it('applies deferred transaction-level deny', (t, done) => {
+            conn.relaying = false
+            conn.transaction.notes.delay_deny_pre = [[DENYSOFT, 'deferred mail deny', 'check_helo', 'fn', null, 'mail']]
+            plugin.hook_rcpt_ok((rc, msg) => {
+                assert.equal(rc, DENYSOFT)
+                assert.equal(msg, 'deferred mail deny')
+                done()
+            }, conn)
+        })
+
+        it('calls next when no deferred denies are present', (t, done) => {
+            conn.relaying = false
+            plugin.hook_rcpt_ok((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_data', () => {
+        it('calls next when no pre-DATA failures exist', (t, done) => {
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when transaction is missing', (t, done) => {
+            conn.transaction = null
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next with no action when transaction has pre-DATA failures', (t, done) => {
+            // Note: fails.push.apply(Object.keys(...)) in the plugin is a pre-existing bug —
+            // the array receives no items so the header is never added.
+            conn.transaction.notes.delay_deny_pre_fail = { bad_plugin: 1, another_plugin: 1 }
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+    })
+})

package/test/plugins/prevent_credential_leaks.js

@@ -0,0 +1,178 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+require('haraka-constants').import(global)
+
+function makeConnection({ authUser, authPasswd, bodytext = '', children = [] } = {}) {
+    const conn = fixtures.connection.createConnection()
+    conn.init_transaction()
+    if (authUser) conn.notes.auth_user = authUser
+    if (authPasswd) conn.notes.auth_passwd = authPasswd
+    conn.transaction.body = { bodytext, children }
+    return conn
+}
+
+describe('prevent_credential_leaks', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('prevent_credential_leaks')
+    })
+
+    describe('hook_data', () => {
+        it('does not enable parse_body when no auth credentials', (t, done) => {
+            const conn = makeConnection()
+            conn.transaction.parse_body = false
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.transaction.parse_body, false)
+                done()
+            }, conn)
+        })
+
+        it('enables parse_body when both auth_user and auth_passwd are present', (t, done) => {
+            const conn = makeConnection({ authUser: 'user@example.com', authPasswd: 'secret' })
+            conn.transaction.parse_body = false
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.transaction.parse_body, true)
+                done()
+            }, conn)
+        })
+
+        it('does not enable parse_body when only auth_user is set', (t, done) => {
+            const conn = makeConnection({ authUser: 'user@example.com' })
+            conn.transaction.parse_body = false
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(conn.transaction.parse_body, false)
+                done()
+            }, conn)
+        })
+
+        it('handles missing connection gracefully', (t, done) => {
+            // Simulate a null-ish connection by calling with empty notes
+            const conn = fixtures.connection.createConnection()
+            conn.init_transaction()
+            conn.notes = {}
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_data_post', () => {
+        it('calls next when no auth credentials are set', (t, done) => {
+            const conn = makeConnection({ bodytext: 'user@example.com secret123' })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when only auth_user is set (no password)', (t, done) => {
+            const conn = makeConnection({ authUser: 'user@example.com', bodytext: 'user@example.com' })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when body contains neither username nor password', (t, done) => {
+            const conn = makeConnection({
+                authUser: 'alice@example.com',
+                authPasswd: 'mypassword',
+                bodytext: 'Hello, this is a clean email with no credentials.',
+            })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when body contains username but not password', (t, done) => {
+            const conn = makeConnection({
+                authUser: 'alice@example.com',
+                authPasswd: 'mypassword',
+                bodytext: 'Contact alice@example.com for more info.',
+            })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('denies when body contains both username and password', (t, done) => {
+            const conn = makeConnection({
+                authUser: 'alice@example.com',
+                authPasswd: 'mypassword',
+                bodytext: 'Please send your login: alice and password: mypassword to activate.',
+            })
+            plugin.hook_data_post((rc, msg) => {
+                assert.equal(rc, DENY)
+                assert.ok(msg.includes('Credential leak'))
+                done()
+            }, conn)
+        })
+
+        it('denies when credentials appear in a child body part', (t, done) => {
+            const conn = fixtures.connection.createConnection()
+            conn.init_transaction()
+            conn.notes.auth_user = 'bob@example.com'
+            conn.notes.auth_passwd = 's3cr3t'
+            conn.transaction.body = {
+                bodytext: 'clean parent text',
+                children: [{ bodytext: 'bob login with s3cr3t password', children: [] }],
+            }
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, DENY)
+                done()
+            }, conn)
+        })
+
+        it('handles qualified username (user@domain) by making domain optional', (t, done) => {
+            const conn = makeConnection({
+                authUser: 'carol@corp.example.com',
+                authPasswd: 'pass123',
+                bodytext: 'carol pass123 credentials',
+            })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, DENY)
+                done()
+            }, conn)
+        })
+
+        it('unqualified username (no @) is not split into a partial match', (t, done) => {
+            // Bug: `if (idx)` with idx === -1 treated 'admin' as qualified,
+            // splitting it to user='admi' which then matches 'admiral'.
+            const conn = makeConnection({
+                authUser: 'admin',
+                authPasswd: 'pw',
+                bodytext: 'the admiral said pw today',
+            })
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next when credentials appear in neither top nor child', (t, done) => {
+            const conn = fixtures.connection.createConnection()
+            conn.init_transaction()
+            conn.notes.auth_user = 'dave@example.com'
+            conn.notes.auth_passwd = 'xyzzy'
+            conn.transaction.body = {
+                bodytext: 'Hello world',
+                children: [{ bodytext: 'No credentials here at all', children: [] }],
+            }
+            plugin.hook_data_post((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+    })
+})

package/test/plugins/process_title.js

@@ -0,0 +1,135 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+const Notes = require('haraka-notes')
+
+function makeServer(extra = {}) {
+    return {
+        notes: new Notes({
+            pt_connections: 0,
+            pt_concurrent: 0,
+            pt_cps_diff: 0,
+            pt_cps_max: 0,
+            pt_recipients: 0,
+            pt_rps_diff: 0,
+            pt_rps_max: 0,
+            pt_messages: 0,
+            pt_mps_diff: 0,
+            pt_mps_max: 0,
+            ...extra,
+        }),
+        cluster: null,
+        address: () => ({ address: '127.0.0.1', port: 25 }),
+    }
+}
+
+describe('process_title', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = new fixtures.plugin('process_title')
+    })
+
+    describe('hook_connect_init', () => {
+        it('increments connection and concurrent counts', (t, done) => {
+            const server = makeServer()
+            const conn = fixtures.connection.createConnection({}, server)
+            plugin.hook_connect_init((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(server.notes.pt_connections, 1)
+                assert.equal(server.notes.pt_concurrent, 1)
+                assert.equal(conn.notes.pt_connect_run, true)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_disconnect', () => {
+        it('decrements concurrent count when connect_init ran', (t, done) => {
+            const server = makeServer({ pt_connections: 1, pt_concurrent: 1 })
+            const conn = fixtures.connection.createConnection({}, server)
+            conn.notes.pt_connect_run = true
+            plugin.hook_disconnect((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(server.notes.pt_concurrent, 0)
+                assert.equal(server.notes.pt_connections, 1) // not re-incremented
+                done()
+            }, conn)
+        })
+
+        it('increments connection count when connect_init did not run', (t, done) => {
+            const server = makeServer({ pt_connections: 0, pt_concurrent: 0 })
+            const conn = fixtures.connection.createConnection({}, server)
+            // pt_connect_run is NOT set: disconnect does connect bookkeeping then decrements
+            plugin.hook_disconnect((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(server.notes.pt_connections, 1) // incremented by disconnect
+                assert.equal(server.notes.pt_concurrent, 0) // +1 then -1
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_rcpt', () => {
+        it('increments recipient count', (t, done) => {
+            const server = makeServer()
+            const conn = fixtures.connection.createConnection({}, server)
+            plugin.hook_rcpt((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(server.notes.pt_recipients, 1)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_data', () => {
+        it('increments message count', (t, done) => {
+            const server = makeServer()
+            const conn = fixtures.connection.createConnection({}, server)
+            plugin.hook_data((rc) => {
+                assert.equal(rc, undefined)
+                assert.equal(server.notes.pt_messages, 1)
+                done()
+            }, conn)
+        })
+    })
+
+    describe('hook_init_child', () => {
+        it('initializes server notes and calls next', (t, done) => {
+            const server = { notes: new Notes(), cluster: null }
+            plugin.hook_init_child((rc) => {
+                clearInterval(plugin._interval)
+                assert.equal(rc, undefined)
+                assert.equal(server.notes.pt_connections, 0)
+                assert.equal(server.notes.pt_messages, 0)
+                assert.equal(server.notes.pt_recipients, 0)
+                done()
+            }, server)
+        })
+    })
+
+    describe('hook_init_master', () => {
+        it('initializes server notes and calls next (no cluster)', (t, done) => {
+            const server = { notes: new Notes(), cluster: null }
+            plugin.hook_init_master((rc) => {
+                clearInterval(plugin._interval)
+                assert.equal(rc, undefined)
+                assert.equal(server.notes.pt_connections, 0)
+                assert.equal(server.notes.pt_child_exits, 0)
+                done()
+            }, server)
+        })
+    })
+
+    describe('shutdown', () => {
+        it('clears the interval', () => {
+            plugin._interval = setInterval(() => {}, 9999)
+            plugin.shutdown()
+            // If the interval was cleared, no error thrown
+            assert.ok(true)
+        })
+    })
+})

package/test/plugins/queue/deliver.js

@@ -0,0 +1,99 @@
+'use strict'
+
+const assert = require('node:assert')
+const path = require('node:path')
+const Module = require('node:module')
+const { describe, it, beforeEach, before, after } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+
+// deliver.js does `require('./outbound')` at the top level. In a running
+// Haraka that resolves to the core outbound module (Haraka/outbound/index.js),
+// which we don't want to load here: it would pull in the real delivery
+// machinery. So we intercept Module._resolveFilename to map './outbound' to a
+// stable path and pre-populate the require cache with a mock at that path
+// before loading the plugin.
+const outboundPath = path.resolve('outbound/index.js')
+let mockOutbound
+let origResolve
+
+before(() => {
+    require('haraka-constants').import(global)
+
+    mockOutbound = { send_trans_email: () => {} }
+    require.cache[outboundPath] = {
+        id: outboundPath,
+        filename: outboundPath,
+        loaded: true,
+        exports: mockOutbound,
+    }
+
+    origResolve = Module._resolveFilename
+    Module._resolveFilename = function (request, parent, isMain, options) {
+        if (request === './outbound') return outboundPath
+        return origResolve.call(this, request, parent, isMain, options)
+    }
+})
+
+after(() => {
+    Module._resolveFilename = origResolve
+    delete require.cache[outboundPath]
+})
+
+function makeConnection(opts = {}) {
+    const conn = fixtures.connection.createConnection()
+    conn.init_transaction()
+    if (opts.relaying !== undefined) conn.relaying = opts.relaying
+    return conn
+}
+
+describe('queue/deliver', () => {
+    describe('hook_queue_outbound', () => {
+        let plugin, conn
+
+        beforeEach(() => {
+            plugin = new fixtures.plugin('queue/deliver')
+            mockOutbound.send_trans_email = () => {}
+        })
+
+        it('calls next() when connection is not relaying', (t, done) => {
+            conn = makeConnection({ relaying: false })
+            plugin.hook_queue_outbound((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next() when connection is undefined', (t, done) => {
+            plugin.hook_queue_outbound((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, undefined)
+        })
+
+        it('calls outbound.send_trans_email when relaying is true', (t, done) => {
+            conn = makeConnection({ relaying: true })
+            mockOutbound.send_trans_email = (txn, next) => {
+                assert.equal(txn, conn.transaction)
+                next(OK)
+            }
+            plugin.hook_queue_outbound((rc) => {
+                assert.equal(rc, OK)
+                done()
+            }, conn)
+        })
+
+        it('passes transaction to outbound.send_trans_email', (t, done) => {
+            conn = makeConnection({ relaying: true })
+            let capturedTxn
+            mockOutbound.send_trans_email = (txn, next) => {
+                capturedTxn = txn
+                next(OK)
+            }
+            plugin.hook_queue_outbound(() => {
+                assert.equal(capturedTxn, conn.transaction)
+                done()
+            }, conn)
+        })
+    })
+})