haraka 0.0.33 → 3.3.0

package/test/plugins/status.js

@@ -0,0 +1,207 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach } = require('node:test')
+
+const fixtures = require('haraka-test-fixtures')
+const { makeConnection, makePlugin } = fixtures
+const outbound = require('../../outbound')
+const { TimerQueue } = require('haraka-utils')
+
+const _set_up = () => {
+    this.plugin = makePlugin('status', { register: false })
+    this.plugin.outbound = outbound
+
+    this.connection = makeConnection()
+    this.connection.remote.is_local = true
+}
+
+describe('status', () => {
+    describe('register', () => {
+        beforeEach(_set_up)
+
+        it('loads the status plugin', () => {
+            assert.equal('status', this.plugin.name)
+        })
+    })
+
+    describe('access', () => {
+        beforeEach(_set_up)
+
+        it('remote', (t, done) => {
+            this.connection.remote.is_local = false
+            this.plugin.hook_unrecognized_command(
+                (code) => {
+                    assert.equal(DENY, code)
+                    done()
+                },
+                this.connection,
+                ['STATUS', 'POOL LIST'],
+            )
+        })
+    })
+
+    describe('pools', () => {
+        beforeEach(_set_up)
+
+        it('list_pools', (t, done) => {
+            this.connection.respond = (code, message) => {
+                const data = JSON.parse(message)
+                assert.equal('object', typeof data) // there should be one pools array for noncluster and more for cluster
+                done()
+            }
+            this.plugin.hook_unrecognized_command(() => {}, this.connection, ['STATUS', 'POOL LIST'])
+        })
+    })
+
+    describe('queues', () => {
+        beforeEach(_set_up)
+
+        it('inspect_queue', (t, done) => {
+            // should list delivery_queue and temp_fail_queue per cluster children
+            outbound.temp_fail_queue = new TimerQueue(10)
+            outbound.temp_fail_queue.add('file1', 100, () => {})
+            outbound.temp_fail_queue.add('file2', 100, () => {})
+
+            this.connection.respond = (code, message) => {
+                const data = JSON.parse(message)
+                assert.equal(0, data.delivery_queue.length)
+                assert.equal(2, data.temp_fail_queue.length)
+                done()
+            }
+            this.plugin.hook_unrecognized_command(() => {}, this.connection, ['STATUS', 'QUEUE INSPECT'])
+        })
+
+        it('stat_queue', (t, done) => {
+            // should list files only
+            this.connection.respond = (code, message) => {
+                const data = JSON.parse(message)
+                assert.ok(/^\d+\/\d+\/\d+$/.test(data))
+                done()
+            }
+            this.plugin.hook_unrecognized_command(() => {}, this.connection, ['STATUS', 'QUEUE STATS'])
+        })
+
+        it('list_queue', (t, done) => {
+            // should list files only
+            this.connection.respond = (code, message) => {
+                const data = JSON.parse(message)
+                assert.equal(0, data.length)
+                done()
+            }
+            this.plugin.hook_unrecognized_command(() => {}, this.connection, ['STATUS', 'QUEUE LIST'])
+        })
+
+        it('discard_from_queue', (t, done) => {
+            const self = this
+
+            outbound.temp_fail_queue = new TimerQueue(10)
+            outbound.temp_fail_queue.add('file1', 10, () => {
+                assert.ok(false, 'This callback should not be called')
+                done()
+            })
+
+            outbound.temp_fail_queue.add('file2', 2000, () => {})
+
+            this.plugin.hook_unrecognized_command(
+                () => {
+                    self.connection.respond = (code, message) => {
+                        const data = JSON.parse(message)
+                        assert.equal(1, data.temp_fail_queue.length)
+                        done()
+                    }
+                    self.plugin.hook_unrecognized_command(() => {}, self.connection, ['STATUS', 'QUEUE INSPECT'])
+                },
+                this.connection,
+                ['STATUS', 'QUEUE DISCARD file1'],
+            )
+        })
+
+        it('push_email_at_queue', (t, done) => {
+            const timeout = setTimeout(() => {
+                assert.ok(false, 'Timeout')
+                done()
+            }, 1000)
+
+            outbound.temp_fail_queue.add('file', 1500, () => {
+                clearTimeout(timeout)
+
+                assert.ok(true)
+                done()
+            })
+
+            this.plugin.hook_unrecognized_command(() => {}, this.connection, ['STATUS', 'QUEUE PUSH file'])
+        })
+    })
+
+    describe('merge_worker_responses', () => {
+        beforeEach(_set_up)
+
+        it('POOL LIST merges objects from all workers', () => {
+            const result = JSON.parse(
+                JSON.stringify(
+                    this.plugin.merge_worker_responses('POOL LIST', [
+                        { 'host1:25': { inUse: 1, size: 3 } },
+                        { 'host2:25': { inUse: 0, size: 2 } },
+                        {},
+                    ]),
+                ),
+            )
+            assert.deepEqual(result, {
+                'host1:25': { inUse: 1, size: 3 },
+                'host2:25': { inUse: 0, size: 2 },
+            })
+        })
+
+        it('POOL LIST with all empty workers returns empty object', () => {
+            const result = JSON.parse(JSON.stringify(this.plugin.merge_worker_responses('POOL LIST', [{}, {}, {}])))
+            assert.deepEqual(result, {})
+        })
+
+        it('QUEUE INSPECT merges queues from all workers', () => {
+            const result = JSON.parse(
+                JSON.stringify(
+                    this.plugin.merge_worker_responses('QUEUE INSPECT', [
+                        { delivery_queue: [{ id: 'a' }], temp_fail_queue: [{ id: 'x', fire_time: 1 }] },
+                        { delivery_queue: [{ id: 'b' }], temp_fail_queue: [] },
+                        { delivery_queue: [], temp_fail_queue: [{ id: 'y', fire_time: 2 }] },
+                    ]),
+                ),
+            )
+            assert.deepEqual(result, {
+                delivery_queue: [{ id: 'a' }, { id: 'b' }],
+                temp_fail_queue: [
+                    { id: 'x', fire_time: 1 },
+                    { id: 'y', fire_time: 2 },
+                ],
+            })
+        })
+
+        it('QUEUE INSPECT with all empty queues returns empty lists', () => {
+            const result = JSON.parse(
+                JSON.stringify(
+                    this.plugin.merge_worker_responses('QUEUE INSPECT', [
+                        { delivery_queue: [], temp_fail_queue: [] },
+                        { delivery_queue: [], temp_fail_queue: [] },
+                    ]),
+                ),
+            )
+            assert.deepEqual(result, { delivery_queue: [], temp_fail_queue: [] })
+        })
+
+        it('QUEUE STATS sums across workers', () => {
+            const result = this.plugin.merge_worker_responses('QUEUE STATS', ['1/2/3', '0/1/0', '2/0/1'])
+            assert.equal(result, '3/3/4')
+        })
+
+        it('QUEUE STATS with all zeros', () => {
+            const result = this.plugin.merge_worker_responses('QUEUE STATS', ['0/0/0', '0/0/0', '0/0/0'])
+            assert.equal(result, '0/0/0')
+        })
+
+        it('unknown command returns results array unchanged', () => {
+            const result = this.plugin.merge_worker_responses('POOL UNKNOWN', [{ foo: 1 }, { foo: 2 }])
+            assert.equal(result.length, 2)
+        })
+    })
+})

package/test/plugins/tarpit.js

@@ -0,0 +1,90 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach } = require('node:test')
+
+const { makeConnection, makePlugin } = require('haraka-test-fixtures')
+
+describe('tarpit', () => {
+    let plugin
+
+    beforeEach(() => {
+        plugin = makePlugin('tarpit', { register: false })
+        plugin.config.get = () => ({ main: {} })
+    })
+
+    describe('register', () => {
+        it('registers tarpit on all default hooks', () => {
+            const registered = []
+            plugin.register_hook = (hook) => registered.push(hook)
+            plugin.register()
+            assert.ok(registered.includes('connect'))
+            assert.ok(registered.includes('ehlo'))
+            assert.ok(registered.includes('mail'))
+            assert.ok(registered.includes('rcpt'))
+            assert.ok(registered.includes('data'))
+            assert.ok(registered.includes('queue'))
+            assert.ok(registered.includes('quit'))
+        })
+
+        it('registers only configured hooks when hooks_to_delay is set', () => {
+            plugin.config.get = () => ({ main: { hooks_to_delay: 'ehlo, mail' } })
+            const registered = []
+            plugin.register_hook = (hook) => registered.push(hook)
+            plugin.register()
+            assert.deepEqual(registered, ['ehlo', 'mail'])
+        })
+    })
+
+    describe('tarpit', () => {
+        let conn
+
+        beforeEach(() => {
+            conn = makeConnection({ withTxn: true })
+        })
+
+        it('calls next immediately when no transaction', (t, done) => {
+            conn.transaction = null
+            plugin.tarpit((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next immediately when no tarpit delay set', (t, done) => {
+            // No tarpit note on connection or transaction
+            plugin.tarpit((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('calls next immediately when connection.notes.tarpit is 0', (t, done) => {
+            conn.notes.tarpit = 0
+            plugin.tarpit((rc) => {
+                assert.equal(rc, undefined)
+                done()
+            }, conn)
+        })
+
+        it('delays and calls next when connection.notes.tarpit is set', { timeout: 3000 }, (t, done) => {
+            conn.notes.tarpit = 0.1
+            const start = Date.now()
+            plugin.tarpit((rc) => {
+                assert.equal(rc, undefined)
+                assert.ok(Date.now() - start >= 90, 'should have waited ~100ms')
+                done()
+            }, conn)
+        })
+
+        it('uses transaction.notes.tarpit when connection note is absent', { timeout: 3000 }, (t, done) => {
+            conn.transaction.notes.tarpit = 0.1
+            const start = Date.now()
+            plugin.tarpit((rc) => {
+                assert.equal(rc, undefined)
+                assert.ok(Date.now() - start >= 90)
+                done()
+            }, conn)
+        })
+    })
+})

package/test/plugins/tls.js

@@ -0,0 +1,86 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const path = require('node:path')
+const { describe, it, beforeEach } = require('node:test')
+
+const { makeConnection, makePlugin } = require('haraka-test-fixtures')
+
+const _set_up = () => {
+    this.plugin = makePlugin('tls', { register: false, configDir: 'test' })
+    this.connection = makeConnection()
+
+    // use test/config instead of ./config
+    this.plugin.net_utils.config = this.plugin.net_utils.config.module_config(path.resolve('test'))
+
+    this.plugin.tls_opts = {}
+}
+
+describe('tls', () => {
+    beforeEach(_set_up)
+
+    const methods = ['register', 'upgrade_connection', 'advertise_starttls', 'emit_upgrade_msg']
+    for (const method of methods) {
+        it(`has function ${method}`, () => {
+            assert.equal(typeof this.plugin[method], 'function')
+        })
+    }
+
+    describe('register', () => {
+        it('with certs, should register hooks', () => {
+            this.plugin.register()
+            assert.ok(Object.keys(this.plugin.hooks).length)
+        })
+    })
+
+    describe('emit_upgrade_msg', () => {
+        it('should emit a log message', () => {
+            assert.equal(
+                this.plugin.emit_upgrade_msg(this.connection, true, '', {
+                    subject: {
+                        CN: 'TLS.subject',
+                        O: 'TLS.org',
+                    },
+                }),
+                'secured: verified=true cn="TLS.subject" organization="TLS.org"',
+            )
+        })
+
+        it('should emit a log message with error', () => {
+            assert.equal(
+                this.plugin.emit_upgrade_msg(this.connection, true, 'oops', {
+                    subject: {
+                        CN: 'TLS.subject',
+                        O: 'TLS.org',
+                    },
+                }),
+                'secured: verified=true error="oops" cn="TLS.subject" organization="TLS.org"',
+            )
+        })
+    })
+
+    describe('upgrade_connection (STARTTLS injection)', () => {
+        // RFC 3207 §4: data pipelined after STARTTLS but before the TLS
+        // handshake must be discarded, not processed on the cleartext channel.
+        it('discards pipelined plaintext before the TLS handshake', () => {
+            const c = this.connection
+            c.tls = { advertised: true }
+            c.notes = {}
+            // attacker pipelined an injected command after STARTTLS
+            c.current_data = Buffer.from('RCPT TO:<victim@example.com>\r\n')
+            let dataAtUpgrade = 'UPGRADE_NOT_CALLED'
+            c.client = {
+                upgrade() {
+                    dataAtUpgrade = c.current_data
+                },
+            }
+            c.respond = () => {} // bypass the real _process_data path
+            this.plugin.timeout = 0
+
+            this.plugin.upgrade_connection(() => {}, c, ['STARTTLS'])
+
+            assert.equal(dataAtUpgrade, null, 'buffer cleared before upgrade()')
+            assert.equal(c.current_data, null)
+        })
+    })
+})

package/test/plugins/toobusy.js

@@ -0,0 +1,21 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it } = require('node:test')
+
+const { makePlugin } = require('haraka-test-fixtures')
+
+describe('toobusy', () => {
+    describe('register', () => {
+        it('handles missing toobusy-js gracefully (does not throw)', () => {
+            const plugin = makePlugin('toobusy', { register: false })
+            // toobusy-js is not installed; register should catch the error and return
+            let registered = false
+            plugin.register_hook = () => {
+                registered = true
+            }
+            assert.doesNotThrow(() => plugin.register())
+            assert.equal(registered, false, 'hook should not be registered without toobusy-js')
+        })
+    })
+})

package/test/plugins/xclient.js

@@ -0,0 +1,119 @@
+'use strict'
+
+const assert = require('node:assert/strict')
+const { describe, it, beforeEach } = require('node:test')
+
+const { makeConnection, makePlugin } = require('haraka-test-fixtures')
+
+const _set_up = () => {
+    this.plugin = makePlugin('xclient', { register: false })
+    this.connection = makeConnection()
+    this.connection.capabilities = []
+}
+
+describe('xclient', () => {
+    beforeEach(_set_up)
+
+    describe('hook_capabilities', () => {
+        const cases = [
+            { desc: 'adds XCLIENT for loopback IPv4 (127.0.0.1)', ip: '127.0.0.1', expected: true },
+            { desc: 'adds XCLIENT for loopback IPv6 (::1)', ip: '::1', expected: true },
+            { desc: 'does not add XCLIENT for non-loopback IP', ip: '10.0.0.1', expected: false },
+        ]
+
+        for (const { desc, ip, expected } of cases) {
+            it(desc, async () => {
+                this.connection.remote.ip = ip
+                await new Promise((resolve) => this.plugin.hook_capabilities(resolve, this.connection))
+                const hasXclient = this.connection.capabilities.some((c) => c.startsWith('XCLIENT'))
+                assert.equal(hasXclient, expected)
+            })
+        }
+    })
+
+    describe('hook_unrecognized_command', () => {
+        const callHook = (params) =>
+            new Promise((resolve) => {
+                this.plugin.hook_unrecognized_command((code) => resolve(code), this.connection, params)
+            })
+
+        const cases = [
+            {
+                desc: 'ignores non-XCLIENT commands',
+                params: ['EHLO', 'example.com'],
+                check: (code) => assert.equal(code, undefined),
+            },
+            {
+                desc: 'denies XCLIENT when transaction is in progress',
+                setup: () => {
+                    this.connection = makeConnection({ withTxn: true })
+                    this.connection.capabilities = []
+                },
+                params: ['XCLIENT', 'ADDR=127.0.0.1'],
+                check: (code) => assert.equal(code, DENY),
+            },
+            {
+                desc: 'denies XCLIENT from disallowed IP',
+                setup: () => {
+                    this.connection.remote.ip = '10.0.0.1'
+                },
+                params: ['XCLIENT', 'ADDR=127.0.0.2'],
+                check: (code) => assert.equal(code, DENY),
+            },
+            {
+                desc: 'denies XCLIENT with no valid IP address',
+                setup: () => {
+                    this.connection.remote.ip = '127.0.0.1'
+                },
+                params: ['XCLIENT', 'NAME=example.com'],
+                check: (code) => assert.equal(code, DENY),
+            },
+            {
+                desc: 'accepts XCLIENT with valid IPv4 ADDR from allowed host',
+                setup: () => {
+                    this.connection.remote.ip = '127.0.0.1'
+                },
+                params: ['XCLIENT', 'ADDR=1.2.3.4'],
+                check: (code) => assert.ok(code === NEXT_HOOK || code === undefined),
+            },
+            {
+                desc: 'accepts XCLIENT with valid IPv6 ADDR from allowed host',
+                setup: () => {
+                    this.connection.remote.ip = '127.0.0.1'
+                },
+                params: ['XCLIENT', 'ADDR=IPV6:2001:db8::1'],
+                check: (code) => assert.ok(code === NEXT_HOOK || code === undefined),
+            },
+            {
+                desc: 'accepts XCLIENT with ADDR and NAME, skipping rdns lookup',
+                setup: () => {
+                    this.connection.remote.ip = '127.0.0.1'
+                },
+                params: ['XCLIENT', 'ADDR=1.2.3.4 NAME=example.com'],
+                check: (code) => assert.equal(code, NEXT_HOOK),
+            },
+        ]
+
+        for (const { desc, setup, params, check } of cases) {
+            it(desc, async () => {
+                if (setup) setup()
+                const code = await callHook(params)
+                check(code)
+            })
+        }
+    })
+
+    describe('DESTPORT type', () => {
+        it('stores local.port as an integer (587/465 auth check)', async () => {
+            this.connection.remote.ip = '127.0.0.1'
+            await new Promise((resolve) => {
+                this.plugin.hook_unrecognized_command(() => resolve(), this.connection, [
+                    'XCLIENT',
+                    'ADDR=1.2.3.4 DESTPORT=587',
+                ])
+            })
+            assert.strictEqual(this.connection.local.port, 587)
+            assert.equal(typeof this.connection.local.port, 'number')
+        })
+    })
+})