[Rt-commit] rt branch, 4.2-on-4.0/require-strict-smime-verify, created. rt-4.0.9-193-g8b57b99

Alex Vandiver alexmv at bestpractical.com
Mon Apr 8 15:18:28 EDT 2013


The branch, 4.2-on-4.0/require-strict-smime-verify has been created
        at  8b57b99da748108fb828e724c5c4ecf9fd113b3e (commit)

- Log -----------------------------------------------------------------
commit 3c8d14cfd212af9a29667a31ade38ff129b3b406
Author: Jason May <jasonmay at bestpractical.com>
Date:   Tue Jan 17 20:38:29 2012 -0500

    Ensure that all the message's parts are encrypted in strict mode

diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index af490f0..cd567ec 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -188,6 +188,15 @@ sub GetCurrentUser {
             }
         }
 
+        if (RT->Config->Get('Crypt')->{'Strict'} and !$decrypted) {
+            EmailErrorToSender(
+                %args,
+                Template  => 'NotEncryptedMessage',
+                Arguments => { Message  => $args{'Message'} },
+            );
+            return (-1, 'rejected because the message is unencrypted with Strict mode enabled');
+        }
+
         $part->head->replace(
             'X-RT-Incoming-Encryption' => 
                 $decrypted ? 'Success' : 'Not encrypted'
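Review bot: The added `if` rejects the whole message on the first part of `parts_DFS` that has no `$decrypted` flag, and from the loop shape it looks as if only a part that carried a status header gets that flag; a decrypted body that is itself multipart could then be rejected on its child parts. The loop header and the code that sets `$decrypted` are outside the hunk, so this is inferred and worth confirming with a multipart encrypted fixture rather than only a single-part one. A comment above the check stating which parts are expected to carry the flag, e.g. `# Strict: every part yielded by parts_DFS must have been decrypted, not only the container`, would pin the intended contract so a later reader can judge the behaviour.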

commit 295775bd058fc37ba728606d8620230836e65676
Author: Jason May <jasonmay at bestpractical.com>
Date:   Wed Jan 18 17:43:52 2012 -0500

    Be more specific about why a ticket wasn't created from plain mail

diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index cd567ec..a95d186 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -194,7 +194,7 @@ sub GetCurrentUser {
                 Template  => 'NotEncryptedMessage',
                 Arguments => { Message  => $args{'Message'} },
             );
-            return (-1, 'rejected because the message is unencrypted with Strict mode enabled');
+            return (-1, 'rejected because the message has unencrypted parts with Strict mode enabled');
         }
 
         $part->head->replace(

commit 0e5ea672651dc13559bebee07cbb582badba9af2
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Jan 19 08:13:59 2012 +0800

    check each part's encryption before attaching the original encrypted message
    
    attaching changes the MIME object's structure and may cause the check to fail.

diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index a95d186..2357125 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -158,13 +158,6 @@ sub GetCurrentUser {
             if $reject;
     }
 
-    # attach the original encrypted message
-    $args{'Message'}->attach(
-        Type        => 'application/x-rt-original-message',
-        Disposition => 'inline',
-        Data        => ${ $args{'RawMessageRef'} },
-    );
-
     my @found;
     foreach my $part ( $args{'Message'}->parts_DFS ) {
         my $decrypted;
@@ -203,6 +196,13 @@ sub GetCurrentUser {
         );
     }
 
+    # attach the original encrypted message
+    $args{'Message'}->attach(
+        Type        => 'application/x-rt-original-message',
+        Disposition => 'inline',
+        Data        => ${ $args{'RawMessageRef'} },
+    );
+
     my %seen;
     $args{'Message'}->head->replace( 'X-RT-Privacy' => $_ )
         foreach grep !$seen{$_}++, @found;

commit b5e9efc54c391561458a7d70ca379b335a06ee4c
Author: Jason May <jasonmay at bestpractical.com>
Date:   Thu Jan 19 18:27:24 2012 -0500

    Use the provided email fixtures for the strict SMIME encryption tests

diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index df71677..c41eecf 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -4,6 +4,7 @@ use warnings;
 
 use RT::Test::SMIME tests => 22;
 my $test = 'RT::Test::SMIME';
+my $mails_dir = 't/data/smime/mails';
 
 use IPC::Run3 'run3';
 use String::ShellQuote 'shell_quote';
@@ -70,25 +71,19 @@ RT::Test->close_mailgate_ok($mail);
 {
     # test for encrypted mail
     my $buf = '';
-    run3(
-        shell_quote(
-            qw(openssl smime -encrypt  -des3),
-            -from    => 'root at example.com',
-            -to      => 'rt@' . $RT::rtname,
-            -subject => "Encrypted message for queue",
-            $test->key_path('sender at example.com.crt' ),
-        ),
-        \"Subject: test\n\norzzzzzz",
-        \$buf,
-        \*STDERR
-    );
+    {
+        local $/;
+        open my $fh, "<$mails_dir/4-encrypted-plain.eml";
+        $buf = <$fh>;
+        close $fh;
+    }
 
     my ($status, $tid) = RT::Test->send_via_mailgate( $buf );
     is ($status >> 8, 0, "The mail gateway exited normally");
 
     my $tick = RT::Ticket->new( $RT::SystemUser );
     $tick->Load( $tid );
-    is( $tick->Subject, 'Encrypted message for queue',
+    is( $tick->Subject, 'Test Email ID:4',
         "Created the ticket"
     );
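Review bot: The fixture read at `open my $fh, "<$mails_dir/4-encrypted-plain.eml";` is a two-argument `open` with no error check, so a missing or misnamed fixture leaves `$buf` empty and the failure shows up later as a confusing mailgate result rather than at the read. Prefer the three-argument form with a check: `open my $fh, '<', "$mails_dir/4-encrypted-plain.eml" or die "open $mails_dir/4-encrypted-plain.eml: $!";`. With `run3` and `shell_quote` no longer used in this block, check whether their imports a few lines up are still needed elsewhere in the file.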
 
@@ -102,7 +97,7 @@ RT::Test->close_mailgate_ok($mail);
         'SMIME',
         'recorded incoming mail that is encrypted'
     );
-    like( $attach->Content, qr'orz');
+    like( $attach->Content, qr'This is encrypted message');
 
     is( $orig->GetHeader('Content-Type'), 'application/x-rt-original-message');
 }

commit f23a84dbfcf2421284088b08261a4872d735ba17
Author: Jason May <jasonmay at bestpractical.com>
Date:   Thu Jan 19 18:55:11 2012 -0500

    Limit strict encryption to just a key in the Strict config
    
    This opens opportunities for different strict modes, such as for signed
    mail.

diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index 2357125..e6f44e5 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -111,6 +111,8 @@ sub GetCurrentUser {
         @_
     );
 
+    my $strict = RT->Config->Get('Crypt')->{'Strict'} || {};
+
     # we clean all possible headers
     my @headers =
         qw(
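Review bot: `my $strict = RT->Config->Get('Crypt')->{'Strict'} || {};` only defaults a false value; a true plain scalar such as the `Strict => 1` form the earlier commits in this branch and the test used survives, and the later `$strict->{'Encrypted'}` dereference then dies (presumably under `use strict`) with an opaque "not a HASH reference" error rather than a configuration message. Failing closed is the right outcome for a mail gateway, but make it explicit and readable: `die "Crypt Strict option must be a hash reference" unless ref $strict eq 'HASH';` directly after the assignment. The same `$strict` is consumed in the two following hunks of this file.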
@@ -135,7 +137,7 @@ sub GetCurrentUser {
         AddStatus => 1,
     );
     if ( $status && !@res ) {
-        if (RT->Config->Get('Crypt')->{'Strict'}) {
+        if ($strict->{'Encrypted'}) {
             EmailErrorToSender(
                 %args,
                 Template  => 'NotEncryptedMessage',
@@ -181,7 +183,7 @@ sub GetCurrentUser {
             }
         }
 
-        if (RT->Config->Get('Crypt')->{'Strict'} and !$decrypted) {
+        if ($strict->{'Encrypted'} and !$decrypted) {
             EmailErrorToSender(
                 %args,
                 Template  => 'NotEncryptedMessage',
diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index c41eecf..3811953 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -10,7 +10,7 @@ use IPC::Run3 'run3';
 use String::ShellQuote 'shell_quote';
 use RT::Tickets;
 
-RT->Config->Get('Crypt')->{'Strict'} = 1;
+RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
 
 {
     my $template = RT::Template->new($RT::SystemUser);

commit b196e663aa0479b1a4e9fa2a5dd89afff33c1057
Author: Jason May <jasonmay at bestpractical.com>
Date:   Thu Jan 19 19:08:26 2012 -0500

    Move the SMIME setup before the strict encryption is set and tested

diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index 3811953..d4bb733 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -2,7 +2,7 @@
 use strict;
 use warnings;
 
-use RT::Test::SMIME tests => 22;
+use RT::Test::SMIME tests => 23;
 my $test = 'RT::Test::SMIME';
 my $mails_dir = 't/data/smime/mails';
 
@@ -10,8 +10,6 @@ use IPC::Run3 'run3';
 use String::ShellQuote 'shell_quote';
 use RT::Tickets;
 
-RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
-
 {
     my $template = RT::Template->new($RT::SystemUser);
     $template->Create(
@@ -44,6 +42,11 @@ my $user = RT::Test->load_or_create_user(
 );
 RT::Test->import_smime_key('root at example.com.crt', $user);
 RT::Test->add_rights( Principal => $user, Right => 'SuperUser', Object => RT->System );
+RT::Test->stop_server;
+
+RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
+
+($url, $m) = RT::Test->started_ok;
 
 my $mail = RT::Test->open_mailgate_ok($url);
 print $mail <<EOF;
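Review bot: The new `RT::Test->stop_server;` / `Strict` assignment / `RT::Test->started_ok` sequence has no comment explaining why the server is bounced around the config change, which is the whole reason for this move; presumably the assignment only affects the test process and the restarted server must pick it up, but that is inferred. A comment such as `# Turn strict mode on only after the keys are imported; restart so the server runs with it` would record the intent for the next person who reorders the test. The heredoc begun at `print $mail <<EOF;` continues outside the hunk.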

commit 8b57b99da748108fb828e724c5c4ecf9fd113b3e
Author: Jason May <jasonmay at bestpractical.com>
Date:   Thu Jan 19 19:23:23 2012 -0500

    Abort and error if strict verify mode is on and mail is unsigned

diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index e6f44e5..4a813ab 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -137,10 +137,10 @@ sub GetCurrentUser {
         AddStatus => 1,
     );
     if ( $status && !@res ) {
-        if ($strict->{'Encrypted'}) {
+        if ($strict->{'Encrypted'} or $strict->{'Signed'}) {
             EmailErrorToSender(
                 %args,
-                Template  => 'NotEncryptedMessage',
+                Template  => $strict->{'Encrypted'} ? 'NotEncryptedMessage' : 'NotSignedMessage',
                 Arguments => { Message  => $args{'Message'} },
             );
             return (-1, 'rejected because the message is unencrypted with Strict mode enabled');
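Review bot: The rejection reason on `return (-1, 'rejected because the message is unencrypted with Strict mode enabled');` is now also returned when only `Signed` strict mode is on and the message is unsigned, so the logged reason contradicts the `NotSignedMessage` template chosen two lines above. Select the reason the same way as the template, e.g. `return (-1, $strict->{'Encrypted'} ? 'rejected because the message is unencrypted with Strict mode enabled' : 'rejected because the message is unsigned with Strict mode enabled');`. The new assertion in t/mail/smime/strict.t, `like($warning, qr/rejected because the message is unencrypted with Strict mode enabled/);`, pins the current wording for the unsigned case and would need to change with it.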
@@ -162,7 +162,7 @@ sub GetCurrentUser {
 
     my @found;
     foreach my $part ( $args{'Message'}->parts_DFS ) {
-        my $decrypted;
+        my ($decrypted, $signed);
 
         foreach my $protocol ( @check_protocols ) {
             my @status = grep defined && length,
@@ -176,6 +176,7 @@ sub GetCurrentUser {
                     $decrypted = 1;
                 }
                 if ( $_->{Operation} eq 'Verify' && $_->{Status} eq 'DONE' ) {
+                    $signed = 1;
                     $part->head->replace(
                         'X-RT-Incoming-Signature' => $_->{UserString}
                     );
@@ -191,6 +192,14 @@ sub GetCurrentUser {
             );
             return (-1, 'rejected because the message has unencrypted parts with Strict mode enabled');
         }
+        if ($strict->{'Signed'} and !$signed) {
+            EmailErrorToSender(
+                %args,
+                Template  => 'NotSignedMessage',
+                Arguments => { Message  => $args{'Message'} },
+            );
+            return (-1, 'rejected because the message has unsigned parts with Strict mode enabled');
+        }
 
         $part->head->replace(
             'X-RT-Incoming-Encryption' => 
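Review bot: The per-part `if ($strict->{'Signed'} and !$signed)` branch is not exercised by the test added in this commit: the strict.t change sends an entirely unsigned plain message under `{Signed => 1}`, which is rejected by the earlier `!@res` check before this loop runs. A fixture with a signed outer message and a part that lacks a `Verify`/`DONE` status would show whether this check fires as intended, and a failed-verification fixture would show whether such mail is already rejected by the `$reject` path above the loop or falls through to here. `$signed` is set only on `Status eq 'DONE'`, so how other statuses reach this point is not visible in the hunk and should be confirmed.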
diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index d4bb733..96594e3 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -2,7 +2,7 @@
 use strict;
 use warnings;
 
-use RT::Test::SMIME tests => 23;
+use RT::Test::SMIME tests => 30;
 my $test = 'RT::Test::SMIME';
 my $mails_dir = 't/data/smime/mails';
 
@@ -24,6 +24,21 @@ EOF
     );
 }
 
+{
+    my $template = RT::Template->new($RT::SystemUser);
+    $template->Create(
+        Name => 'NotSignedMessage',
+        Queue => 0,
+        Content => <<EOF,
+
+Subject: Failed to send unsigned message
+
+This message was not sent since it is unsigned:
+EOF
+    );
+}
+
+
 my ($url, $m) = RT::Test->started_ok;
 ok $m->login, "logged in";
 
@@ -44,11 +59,38 @@ RT::Test->import_smime_key('root at example.com.crt', $user);
 RT::Test->add_rights( Principal => $user, Right => 'SuperUser', Object => RT->System );
 RT::Test->stop_server;
 
+RT->Config->Get('Crypt')->{'Strict'} = {Signed => 1};
+
+($url, $m) = RT::Test->started_ok;
+my $mail = RT::Test->open_mailgate_ok($url);
+print $mail <<EOF;
+From: root\@localhost
+To: rt\@$RT::rtname
+Subject: This is a test of new ticket creation as root
+
+Blah!
+Foob!
+EOF
+RT::Test->close_mailgate_ok($mail);
+
+{
+    ok(!RT::Test->last_ticket, 'A ticket was not created');
+    my ($mail) = RT::Test->fetch_caught_mails;
+    like(
+        $mail,
+        qr/^Subject: Failed to send unsigned message/m,
+        'recorded incoming mail that is not signed'
+    );
+    my ($warning) = $m->get_warnings;
+    like($warning, qr/rejected because the message is unencrypted with Strict mode enabled/);
+}
+RT::Test->stop_server;
+
 RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
 
 ($url, $m) = RT::Test->started_ok;
 
-my $mail = RT::Test->open_mailgate_ok($url);
+$mail = RT::Test->open_mailgate_ok($url);
 print $mail <<EOF;
 From: root\@localhost
 To: rt\@$RT::rtname

-----------------------------------------------------------------------

