[Rt-commit] rt branch, 4.2-on-4.0/require-strict-smime-verify, created. rt-4.0.9-193-g8b57b99
Alex Vandiver
alexmv at bestpractical.com
Mon Apr 8 15:18:28 EDT 2013
The branch, 4.2-on-4.0/require-strict-smime-verify has been created
at 8b57b99da748108fb828e724c5c4ecf9fd113b3e (commit)
- Log -----------------------------------------------------------------
commit 3c8d14cfd212af9a29667a31ade38ff129b3b406
Author: Jason May <jasonmay at bestpractical.com>
Date: Tue Jan 17 20:38:29 2012 -0500
Ensure that all the message's parts are encrypted in strict mode
diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index af490f0..cd567ec 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -188,6 +188,15 @@ sub GetCurrentUser {
}
}
+ if (RT->Config->Get('Crypt')->{'Strict'} and !$decrypted) {
+ EmailErrorToSender(
+ %args,
+ Template => 'NotEncryptedMessage',
+ Arguments => { Message => $args{'Message'} },
+ );
+ return (-1, 'rejected because the message is unencrypted with Strict mode enabled');
+ }
+
$part->head->replace(
'X-RT-Incoming-Encryption' =>
$decrypted ? 'Success' : 'Not encrypted'
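Review bot: The bounce in the added block passes the whole `$args{'Message'}` to the `NotEncryptedMessage` template while the per-part loop is still running, so parts handled earlier may already be in decrypted form (inferred; the decryption step is outside the hunk). If the template quotes the message, plaintext from encrypted parts would go back by ordinary mail to a From address that has not been verified. Confirm that the template only names the failure, and record the constraint beside the call: `# bounce must not quote the message: earlier parts may already be decrypted`. GetCurrentUser and the enclosing loop start and end outside the hunk.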
commit 295775bd058fc37ba728606d8620230836e65676
Author: Jason May <jasonmay at bestpractical.com>
Date: Wed Jan 18 17:43:52 2012 -0500
Be more specific about why a ticket wasn't created from plain mail
diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index cd567ec..a95d186 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -194,7 +194,7 @@ sub GetCurrentUser {
Template => 'NotEncryptedMessage',
Arguments => { Message => $args{'Message'} },
);
- return (-1, 'rejected because the message is unencrypted with Strict mode enabled');
+ return (-1, 'rejected because the message has unencrypted parts with Strict mode enabled');
}
$part->head->replace(
commit 0e5ea672651dc13559bebee07cbb582badba9af2
Author: sunnavy <sunnavy at bestpractical.com>
Date: Thu Jan 19 08:13:59 2012 +0800
check each parts' encryption before attaching original encrypted message
attaching changes MIME object's structure and may cause the check to fail.
diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index a95d186..2357125 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -158,13 +158,6 @@ sub GetCurrentUser {
if $reject;
}
- # attach the original encrypted message
- $args{'Message'}->attach(
- Type => 'application/x-rt-original-message',
- Disposition => 'inline',
- Data => ${ $args{'RawMessageRef'} },
- );
-
my @found;
foreach my $part ( $args{'Message'}->parts_DFS ) {
my $decrypted;
@@ -203,6 +196,13 @@ sub GetCurrentUser {
);
}
+ # attach the original encrypted message
+ $args{'Message'}->attach(
+ Type => 'application/x-rt-original-message',
+ Disposition => 'inline',
+ Data => ${ $args{'RawMessageRef'} },
+ );
+
my %seen;
$args{'Message'}->head->replace( 'X-RT-Privacy' => $_ )
foreach grep !$seen{$_}++, @found;
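Review bot: The moved block keeps the comment `# attach the original encrypted message`, which does not say why its position matters; the reason exists only in the commit message. A later edit that moves the attach back above the `parts_DFS` loop would add a part that is never decrypted, and with Strict enabled that part would presumably trip the `!$decrypted` rejection. Suggested comment: `# must run after the per-part checks: attaching adds a part that would fail the strict test`. GetCurrentUser continues outside the hunk.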
commit b5e9efc54c391561458a7d70ca379b335a06ee4c
Author: Jason May <jasonmay at bestpractical.com>
Date: Thu Jan 19 18:27:24 2012 -0500
Use the provided email fixtures for the strict SMIME encryption tests
diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index df71677..c41eecf 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -4,6 +4,7 @@ use warnings;
use RT::Test::SMIME tests => 22;
my $test = 'RT::Test::SMIME';
+my $mails_dir = 't/data/smime/mails';
use IPC::Run3 'run3';
use String::ShellQuote 'shell_quote';
@@ -70,25 +71,19 @@ RT::Test->close_mailgate_ok($mail);
{
# test for encrypted mail
my $buf = '';
- run3(
- shell_quote(
- qw(openssl smime -encrypt -des3),
- -from => 'root at example.com',
- -to => 'rt@' . $RT::rtname,
- -subject => "Encrypted message for queue",
- $test->key_path('sender at example.com.crt' ),
- ),
- \"Subject: test\n\norzzzzzz",
- \$buf,
- \*STDERR
- );
+ {
+ local $/;
+ open my $fh, "<$mails_dir/4-encrypted-plain.eml";
+ $buf = <$fh>;
+ close $fh;
+ }
my ($status, $tid) = RT::Test->send_via_mailgate( $buf );
is ($status >> 8, 0, "The mail gateway exited normally");
my $tick = RT::Ticket->new( $RT::SystemUser );
$tick->Load( $tid );
- is( $tick->Subject, 'Encrypted message for queue',
+ is( $tick->Subject, 'Test Email ID:4',
"Created the ticket"
);
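Review bot: The new fixture read uses two-argument `open` and checks neither the open nor the read, so a missing or renamed `4-encrypted-plain.eml` leaves `$buf` undefined and the failure only shows up later as a confusing mailgate or subject mismatch. Use the three-argument form with an error check: `open my $fh, '<', "$mails_dir/4-encrypted-plain.eml" or die "open fixture: $!";`. The `run3` and `shell_quote` imports above may now be unused in this file; that cannot be confirmed from the hunks shown.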
@@ -102,7 +97,7 @@ RT::Test->close_mailgate_ok($mail);
'SMIME',
'recorded incoming mail that is encrypted'
);
- like( $attach->Content, qr'orz');
+ like( $attach->Content, qr'This is encrypted message');
is( $orig->GetHeader('Content-Type'), 'application/x-rt-original-message');
}
commit f23a84dbfcf2421284088b08261a4872d735ba17
Author: Jason May <jasonmay at bestpractical.com>
Date: Thu Jan 19 18:55:11 2012 -0500
Limit strict encryption to just a key in the Strict config
This opens opportunities for different strict modes, such as for signed
mail.
diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index 2357125..e6f44e5 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -111,6 +111,8 @@ sub GetCurrentUser {
@_
);
+ my $strict = RT->Config->Get('Crypt')->{'Strict'} || {};
+
# we clean all possible headers
my @headers =
qw(
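Review bot: `my $strict = RT->Config->Get('Crypt')->{'Strict'} || {};` assumes the setting is a hash reference, but until this commit it was a plain true value (the test edited in this same commit set `{'Strict'} = 1`). A site that still has `Strict => 1` gets `$strict = 1`, and `$strict->{'Encrypted'}` then either dies under `use strict 'refs'` or reads an unrelated symbol-table hash and evaluates false, which silently switches strict rejection off. Normalising the old form keeps it failing closed: `$strict = { Encrypted => 1 } if $strict && !ref $strict;`. Whether this module enables `use strict` is not visible here; the same variable is read in the two later hunks of this file.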
@@ -135,7 +137,7 @@ sub GetCurrentUser {
AddStatus => 1,
);
if ( $status && !@res ) {
- if (RT->Config->Get('Crypt')->{'Strict'}) {
+ if ($strict->{'Encrypted'}) {
EmailErrorToSender(
%args,
Template => 'NotEncryptedMessage',
@@ -181,7 +183,7 @@ sub GetCurrentUser {
}
}
- if (RT->Config->Get('Crypt')->{'Strict'} and !$decrypted) {
+ if ($strict->{'Encrypted'} and !$decrypted) {
EmailErrorToSender(
%args,
Template => 'NotEncryptedMessage',
diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index c41eecf..3811953 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -10,7 +10,7 @@ use IPC::Run3 'run3';
use String::ShellQuote 'shell_quote';
use RT::Tickets;
-RT->Config->Get('Crypt')->{'Strict'} = 1;
+RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
{
my $template = RT::Template->new($RT::SystemUser);
commit b196e663aa0479b1a4e9fa2a5dd89afff33c1057
Author: Jason May <jasonmay at bestpractical.com>
Date: Thu Jan 19 19:08:26 2012 -0500
Move the SMIME setup before the strict encryption is set and tested
diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index 3811953..d4bb733 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -2,7 +2,7 @@
use strict;
use warnings;
-use RT::Test::SMIME tests => 22;
+use RT::Test::SMIME tests => 23;
my $test = 'RT::Test::SMIME';
my $mails_dir = 't/data/smime/mails';
@@ -10,8 +10,6 @@ use IPC::Run3 'run3';
use String::ShellQuote 'shell_quote';
use RT::Tickets;
-RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
-
{
my $template = RT::Template->new($RT::SystemUser);
$template->Create(
@@ -44,6 +42,11 @@ my $user = RT::Test->load_or_create_user(
);
RT::Test->import_smime_key('root at example.com.crt', $user);
RT::Test->add_rights( Principal => $user, Right => 'SuperUser', Object => RT->System );
+RT::Test->stop_server;
+
+RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
+
+($url, $m) = RT::Test->started_ok;
my $mail = RT::Test->open_mailgate_ok($url);
print $mail <<EOF;
commit 8b57b99da748108fb828e724c5c4ecf9fd113b3e
Author: Jason May <jasonmay at bestpractical.com>
Date: Thu Jan 19 19:23:23 2012 -0500
Abort and error if strict verify mode is on and mail is unsigned
diff --git a/lib/RT/Interface/Email/Auth/Crypt.pm b/lib/RT/Interface/Email/Auth/Crypt.pm
index e6f44e5..4a813ab 100644
--- a/lib/RT/Interface/Email/Auth/Crypt.pm
+++ b/lib/RT/Interface/Email/Auth/Crypt.pm
@@ -137,10 +137,10 @@ sub GetCurrentUser {
AddStatus => 1,
);
if ( $status && !@res ) {
- if ($strict->{'Encrypted'}) {
+ if ($strict->{'Encrypted'} or $strict->{'Signed'}) {
EmailErrorToSender(
%args,
- Template => 'NotEncryptedMessage',
+ Template => $strict->{'Encrypted'} ? 'NotEncryptedMessage' : 'NotSignedMessage',
Arguments => { Message => $args{'Message'} },
);
return (-1, 'rejected because the message is unencrypted with Strict mode enabled');
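Review bot: The unchanged `return (-1, 'rejected because the message is unencrypted with Strict mode enabled');` that closes this block is now also reached when only `Strict->{'Signed'}` is set, so the log line names the wrong policy; the new test in `t/mail/smime/strict.t` matches this same text for the unsigned case. Anyone triaging rejected mail from the logs would be pointed at an encryption problem that does not exist. Choose the reason the same way as the template, e.g. `my $why = $strict->{'Encrypted'} ? 'unencrypted' : 'unsigned';` followed by `return (-1, "rejected because the message is $why with Strict mode enabled");`, and update the test's regex to match. When both keys are set only `NotEncryptedMessage` is sent, which deserves a one-line comment.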
@@ -162,7 +162,7 @@ sub GetCurrentUser {
my @found;
foreach my $part ( $args{'Message'}->parts_DFS ) {
- my $decrypted;
+ my ($decrypted, $signed);
foreach my $protocol ( @check_protocols ) {
my @status = grep defined && length,
@@ -176,6 +176,7 @@ sub GetCurrentUser {
$decrypted = 1;
}
if ( $_->{Operation} eq 'Verify' && $_->{Status} eq 'DONE' ) {
+ $signed = 1;
$part->head->replace(
'X-RT-Incoming-Signature' => $_->{UserString}
);
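Review bot: `$signed = 1` is set for any `Verify` status of `DONE`, and nothing in the visible lines compares the signer with the message's From address or looks at how far the signing key is trusted. If that binding is not done elsewhere in GetCurrentUser (not visible in this hunk), `Strict->{'Signed'}` only shows that some verifiable signature is present, not that the claimed sender produced it. At minimum state the guarantee next to the flag, e.g. `# signature verified; signer identity is NOT matched against From here`. The enclosing loop starts and ends outside the hunk.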
@@ -191,6 +192,14 @@ sub GetCurrentUser {
);
return (-1, 'rejected because the message has unencrypted parts with Strict mode enabled');
}
+ if ($strict->{'Signed'} and !$signed) {
+ EmailErrorToSender(
+ %args,
+ Template => 'NotSignedMessage',
+ Arguments => { Message => $args{'Message'} },
+ );
+ return (-1, 'rejected because the message has unsigned parts with Strict mode enabled');
+ }
$part->head->replace(
'X-RT-Incoming-Encryption' =>
diff --git a/t/mail/smime/strict.t b/t/mail/smime/strict.t
index d4bb733..96594e3 100644
--- a/t/mail/smime/strict.t
+++ b/t/mail/smime/strict.t
@@ -2,7 +2,7 @@
use strict;
use warnings;
-use RT::Test::SMIME tests => 23;
+use RT::Test::SMIME tests => 30;
my $test = 'RT::Test::SMIME';
my $mails_dir = 't/data/smime/mails';
@@ -24,6 +24,21 @@ EOF
);
}
+{
+ my $template = RT::Template->new($RT::SystemUser);
+ $template->Create(
+ Name => 'NotSignedMessage',
+ Queue => 0,
+ Content => <<EOF,
+
+Subject: Failed to send unsigned message
+
+This message was not sent since it is unsigned:
+EOF
+ );
+}
+
+
my ($url, $m) = RT::Test->started_ok;
ok $m->login, "logged in";
@@ -44,11 +59,38 @@ RT::Test->import_smime_key('root at example.com.crt', $user);
RT::Test->add_rights( Principal => $user, Right => 'SuperUser', Object => RT->System );
RT::Test->stop_server;
+RT->Config->Get('Crypt')->{'Strict'} = {Signed => 1};
+
+($url, $m) = RT::Test->started_ok;
+my $mail = RT::Test->open_mailgate_ok($url);
+print $mail <<EOF;
+From: root\@localhost
+To: rt\@$RT::rtname
+Subject: This is a test of new ticket creation as root
+
+Blah!
+Foob!
+EOF
+RT::Test->close_mailgate_ok($mail);
+
+{
+ ok(!RT::Test->last_ticket, 'A ticket was not created');
+ my ($mail) = RT::Test->fetch_caught_mails;
+ like(
+ $mail,
+ qr/^Subject: Failed to send unsigned message/m,
+ 'recorded incoming mail that is not signed'
+ );
+ my ($warning) = $m->get_warnings;
+ like($warning, qr/rejected because the message is unencrypted with Strict mode enabled/);
+}
+RT::Test->stop_server;
+
RT->Config->Get('Crypt')->{'Strict'} = {Encrypted => 1};
($url, $m) = RT::Test->started_ok;
-my $mail = RT::Test->open_mailgate_ok($url);
+$mail = RT::Test->open_mailgate_ok($url);
print $mail <<EOF;
From: root\@localhost
To: rt\@$RT::rtname
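Review bot: The added test covers only a completely unsigned plain-text mail; no case shows a correctly signed message being accepted under `Strict => {Signed => 1}`, and none exercises the per-part `!$signed` branch added in Crypt.pm with a message that mixes signed and unsigned parts. Without the positive case, a regression that rejects all mail, or one that accepts partially signed mail, would still pass this file. A signed fixture from `$mails_dir` could be sent here the same way the encrypted one is; which fixture fits is not visible on this page.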
-----------------------------------------------------------------------