[Rt-commit] rt branch, 4.2/smime-v2-strict, updated. rt-4.0.4-509-ga946baf
Jason May
jasonmay at bestpractical.com
Thu Jan 19 19:40:07 EST 2012
The branch, 4.2/smime-v2-strict has been updated
via a946baf8b8b7d915469845acff93c2bcf47bb869 (commit)
via 52d4e1a709295a86a4556e27f6494136e004993c (commit)
via 6ec6e20d66cd4192c0d03182e012ec54e3e59e8c (commit)
from 065459231dab2a255cb7efb96d3e57452f3cfe6d (commit)
Summary of changes:
lib/RT/Interface/Email/Auth/Crypt.pm | 19 ++++++++++--
t/mail/smime/strict.t | 51 ++++++++++++++++++++++++++++++++--
2 files changed, 63 insertions(+), 7 deletions(-)
- Log -----------------------------------------------------------------
commit 6ec6e20d66cd4192c0d03182e012ec54e3e59e8c
Author: Jason May <jasonmay at bestpractical.com>
Date: Thu Jan 19 18:55:11 2012 -0500
Limit strict encryption to just a key in the Strict config
This opens opportunities for different strict modes, such as for signed
mail.
diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index 7a647a8..4fba265 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -111,6 +111,8 @@ sub GetCurrentUser {
@_
);
+ my $strict = RT->Config->Get('Crypt')->{'Strict'} || {};
+
# we clean all possible headers
my @headers =
qw(
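Review bot: The `|| {}` default only covers a false `Strict` value, while the later checks in GetCurrentUser dereference `$strict` as a hash (`$strict->{'Encrypted'}`). A configuration that still uses the earlier scalar form, as the test did with `{'Strict'} = 1`, would reach that lookup with a plain string. Under `use strict` this dies, and without it the lookup finds nothing and strict mode is silently off. Normalising right after the assignment keeps the old setting fail-closed: `$strict = { Encrypted => 1 } if $strict && !ref $strict;`. GetCurrentUser starts and ends outside this hunk.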
@@ -133,7 +135,7 @@ sub GetCurrentUser {
AddStatus => 1,
);
if ( $status && !@res ) {
- if (RT->Config->Get('Crypt')->{'Strict'}) {
+ if ($strict->{'Encrypted'}) {
EmailErrorToSender(
%args,
Template => 'NotEncryptedMessage',
@@ -179,7 +181,7 @@ sub GetCurrentUser {
}
}
- if (RT->Config->Get('Crypt')->{'Strict'} and !$decrypted) {
+ if ($strict->{'Encrypted'} and !$decrypted) {
EmailErrorToSender(
%args,
Template => 'NotEncryptedMessage',
diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index c41eecf..3811953 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -10,7 +10,7 @@ use IPC::Run3 'run3';
use String::ShellQuote 'shell_quote';
use RT::Tickets;
-RT->Config->Get('Crypt')->{'Strict'} = 1;
+RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
{
my $template = RT::Template->new($RT::SystemUser);
commit 52d4e1a709295a86a4556e27f6494136e004993c
Author: Jason May <jasonmay at bestpractical.com>
Date: Thu Jan 19 19:08:26 2012 -0500
Move the SMIME setup before the strict encryption is set and tested
diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index 3811953..d4bb733 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -2,7 +2,7 @@
use strict;
use warnings;
-use RT::Test::SMIME tests => 22;
+use RT::Test::SMIME tests => 23;
my $test = 'RT::Test::SMIME';
my $mails_dir = 't/data/smime/mails';
@@ -10,8 +10,6 @@ use IPC::Run3 'run3';
use String::ShellQuote 'shell_quote';
use RT::Tickets;
-RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
-
{
my $template = RT::Template->new($RT::SystemUser);
$template->Create(
@@ -44,6 +42,11 @@ my $user = RT::Test->load_or_create_user(
);
RT::Test->import_smime_key('root at example.com.crt', $user);
RT::Test->add_rights( Principal => $user, Right => 'SuperUser', Object => RT->System );
+RT::Test->stop_server;
+
+RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
+
+($url, $m) = RT::Test->started_ok;
my $mail = RT::Test->open_mailgate_ok($url);
print $mail <<EOF;
commit a946baf8b8b7d915469845acff93c2bcf47bb869
Author: Jason May <jasonmay at bestpractical.com>
Date: Thu Jan 19 19:23:23 2012 -0500
Abort and error if strict verify mode is on and mail is unsigned
diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index 4fba265..f41c5a1 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -135,10 +135,10 @@ sub GetCurrentUser {
AddStatus => 1,
);
if ( $status && !@res ) {
- if ($strict->{'Encrypted'}) {
+ if ($strict->{'Encrypted'} or $strict->{'Signed'}) {
EmailErrorToSender(
%args,
- Template => 'NotEncryptedMessage',
+ Template => $strict->{'Encrypted'} ? 'NotEncryptedMessage' : 'NotSignedMessage',
Arguments => { Message => $args{'Message'} },
);
return (-1, 'rejected because the message is unencrypted with Strict mode enabled');
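Review bot: The return string on the last line of this hunk still says "unencrypted" when the branch is taken only because `$strict->{'Signed'}` is set. The sender then gets the NotSignedMessage template while the log names the wrong policy, which misleads anyone triaging rejected mail. Choose the text the same way the template is chosen, for example `my $why = $strict->{'Encrypted'} ? 'unencrypted' : 'unsigned';` followed by `return (-1, "rejected because the message is $why with Strict mode enabled");`. The Signed case added to t/mail/smime/strict.t in this commit matches on the "unencrypted" wording and would need the same update.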
@@ -160,7 +160,7 @@ sub GetCurrentUser {
my @found;
foreach my $part ( $args{'Message'}->parts_DFS ) {
- my $decrypted;
+ my ($decrypted, $signed);
foreach my $protocol ( @check_protocols ) {
my @status = grep defined && length,
@@ -174,6 +174,7 @@ sub GetCurrentUser {
$decrypted = 1;
}
if ( $_->{Operation} eq 'Verify' && $_->{Status} eq 'DONE' ) {
+ $signed = 1;
$part->head->replace(
'X-RT-Incoming-Signature' => $_->{UserString}
);
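Review bot: `$signed` is set whenever a `Verify` operation reports `DONE`, and nothing in this hunk relates the verified signer to the address the current user is resolved from. If that binding is not enforced elsewhere in GetCurrentUser, which these lines do not show, strict Signed mode only establishes that some acceptable key signed the part, not that the claimed sender did. At minimum, add a comment above the assignment such as `# a good signature only; signer/From binding is checked in <place>`, or compare the signer taken from `$_->{UserString}` with the sender before setting the flag.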
@@ -189,6 +190,14 @@ sub GetCurrentUser {
);
return (-1, 'rejected because the message has unencrypted parts with Strict mode enabled');
}
+ if ($strict->{'Signed'} and !$signed) {
+ EmailErrorToSender(
+ %args,
+ Template => 'NotSignedMessage',
+ Arguments => { Message => $args{'Message'} },
+ );
+ return (-1, 'rejected because the message has unsigned parts with Strict mode enabled');
+ }
$part->head->replace(
'X-RT-Incoming-Encryption' =>
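Review bot: The new check runs inside `foreach my $part ( $args{'Message'}->parts_DFS )`, and `$signed` is declared fresh for each part, so a message is rejected unless every visited part carries its own Verify/DONE status. Whether the container and sub-parts of a correctly signed multipart message each receive such a status is not visible here. If they do not, legitimately signed mail would be bounced with NotSignedMessage. A comment stating the intended rule, for example `# every part must be covered by a verified signature`, plus a test that a signed message is accepted, would settle it. The loop body begins and ends outside this hunk.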
diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index d4bb733..96594e3 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -2,7 +2,7 @@
use strict;
use warnings;
-use RT::Test::SMIME tests => 23;
+use RT::Test::SMIME tests => 30;
my $test = 'RT::Test::SMIME';
my $mails_dir = 't/data/smime/mails';
@@ -24,6 +24,21 @@ EOF
);
}
+{
+ my $template = RT::Template->new($RT::SystemUser);
+ $template->Create(
+ Name => 'NotSignedMessage',
+ Queue => 0,
+ Content => <<EOF,
+
+Subject: Failed to send unsigned message
+
+This message was not sent since it is unsigned:
+EOF
+ );
+}
+
+
my ($url, $m) = RT::Test->started_ok;
ok $m->login, "logged in";
@@ -44,11 +59,38 @@ RT::Test->import_smime_key('root at example.com.crt', $user);
RT::Test->add_rights( Principal => $user, Right => 'SuperUser', Object => RT->System );
RT::Test->stop_server;
+RT->Config->Get('Crypt')->{'Strict'} = {Signed => 1};
+
+($url, $m) = RT::Test->started_ok;
+my $mail = RT::Test->open_mailgate_ok($url);
+print $mail <<EOF;
+From: root\@localhost
+To: rt\@$RT::rtname
+Subject: This is a test of new ticket creation as root
+
+Blah!
+Foob!
+EOF
+RT::Test->close_mailgate_ok($mail);
+
+{
+ ok(!RT::Test->last_ticket, 'A ticket was not created');
+ my ($mail) = RT::Test->fetch_caught_mails;
+ like(
+ $mail,
+ qr/^Subject: Failed to send unsigned message/m,
+ 'recorded incoming mail that is not signed'
+ );
+ my ($warning) = $m->get_warnings;
+ like($warning, qr/rejected because the message is unencrypted with Strict mode enabled/);
+}
+RT::Test->stop_server;
+
RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
($url, $m) = RT::Test->started_ok;
-my $mail = RT::Test->open_mailgate_ok($url);
+$mail = RT::Test->open_mailgate_ok($url);
print $mail <<EOF;
From: root\@localhost
To: rt\@$RT::rtname
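Review bot: The added block exercises only the rejection path for `{Signed => 1}`; no case here sends a correctly signed message and checks that a ticket is created. Without it, a strict-mode check that rejects everything would still pass these tests. A companion block that pipes a signed fixture through the mailgate and asserts `ok(RT::Test->last_ticket, 'signed mail creates a ticket')` would cover the accept path; the fixture would have to come from the existing `$mails_dir` data or be generated in the test. Also, `my ($warning) = $m->get_warnings;` keeps only the first warning, so any further warnings from the request go unchecked.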
-----------------------------------------------------------------------