docker-mailserver/test/tests/serial/open_dkim.bats
Brennan Kinney 88767f7cc8
tests(refactor): open_dkim.bats (#3060)
* tests(refactor): Make test cases for opendkim keysizes DRY

- These all do roughly the same logic that can be split into two separate methods.
- `_should_generate_dkim_key()` covers a bit more logic as it can be leveraged to handle other test cases that also perform the same logic.
- The `config/opendkim/` doesn't seem necessary for tests. Only the first few test cases here are testing against it, so we can conditionally make that available. `process_check_restart.bats` also depended on it to run OpenDKIM successfully, but this was due to the `setup-stack.sh` config defaults failing to find an "empty" file forcing `supervisord` to constantly restart the process..
- With this, there we inverse the default opendkim config, so we don't have to mount unique / empty subfolders for each test case, followed by copying over the two extra configs.

* tests(refactor): DRY up more test cases

All the remaining test cases but the last one were refactored here for a clean commit diff. The last test case will be refactored in the following commit.

Plenty of repeated logic spread across these test cases, now condensed into shared methods.

* tests(refactor): Make final test case DRY

* chore: Migrate to new testing helpers

* chore: Revise test case descriptions

* tests(refactor): Improve and simplify assertions

* tests(refactor): Use common container setup instead of `docker run`

- As the majority of test cases are only running `open-dkim` helper, we don't actually have to wait for a full container setup. So an alternative container start is called.
- Also improves assertions a bit more instead of just counting lines.
- Some test cases don't bind mount all of `/tmp/docker-mailserver` contents, thus don't raise permission errors on subsequent test runs.
- Instead of `rm -f` on some config files, have opted to mount them read-only instead, or alternatively mount an anonymous empty volume instead.
- Collapsed the first three test cases into one, thus no `setup_file()` necessary.
- Shift the `_wait_for_finished_setup_in_container()` method into `_common_container_setup()` instead since nothing else is using `_common_container_start()` yet, this allows for avoiding the wait.

* tests(refactor): Collapse dkim key size test cases into single test case

This makes these tests a bit more DRY, and enhances the raised quality issue with these tests. Now not only is the domain checked in the generated DNS dkim record, but we also verify the key size is corrected in the public and private keys via openssl.

* chore: Revise container names

* chore: Swap order of test case 1 and 2

* tests(refactor): Assert generated log output

- `__should_have_tables_trustedhosts_for_domain` shifted in each test case to just after generating the domains keys.
- Asserts `open-dkim` logs instead of just counting them.
- Added checks for domains that should not be present in a test case.
- Additional coverage and notes about the alias from vhost `@localdomain.com`
- Single assert statement with switch statement as all are using common args.

* chore: Minor changes

* tests(refactor):  Share `find` logic in helpers and tests

* tests(fix): Listing file content does not need to match line order

The order printed from local system vs CI differed causing the CI to fail. The order of lines is irrelevant so `--index` is not required.

Additionally correct the prefix of the called method to be only one `_` now that it's a `common.bash` helper method.

* chore: Collapse custom DKIM selector test into custom DKIM domain test

These cover the same test logic for the most part, the first domain could also be testing the custom selector.

`special_use_folders.bats` + `mailbox_format_dbox` can assert lines instead, removing the need for `--partial`.

* Apply suggestions from code review

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>

* chore: Split switch statement method into wrapper methods

---------

Co-authored-by: Georg Lauterbach <44545919+georglauterbach@users.noreply.github.com>
2023-02-10 00:18:06 +13:00

280 lines
10 KiB
Bash

load "${REPOSITORY_ROOT}/test/helper/common"
load "${REPOSITORY_ROOT}/test/helper/setup"
BATS_TEST_NAME_PREFIX='[OpenDKIM] '
CONTAINER1_NAME='dms-test_opendkim_key-sizes'
CONTAINER2_NAME='dms-test_opendkim_with-config-volume'
CONTAINER3_NAME='dms-test_opendkim_without-config-volume'
CONTAINER4_NAME='dms-test_opendkim_without-accounts'
CONTAINER5_NAME='dms-test_opendkim_without-virtual'
CONTAINER6_NAME='dms-test_opendkim_with-args'
function teardown() { _default_teardown ; }
# TODO: Neither of these are too important, but might be worth covering:
# - May want to also add test cases for log: 'No entries found, no keys to make'
# - May want to also do a redundant 2nd run for matching no log output? (Bad UX?)
@test "should support creating keys of different sizes" {
export CONTAINER_NAME=${CONTAINER2_NAME}
__init_container_without_waiting
# The default size created should be 4096-bit:
__should_support_creating_key_of_size
# Explicit sizes:
__should_support_creating_key_of_size '4096'
__should_support_creating_key_of_size '2048'
__should_support_creating_key_of_size '1024'
}
# NOTE: This pre-generated opendkim config was before the alias `localdomain2.com`
# was present or supported by open-dkim? (when sourcing domains from generated vhost entries)
@test "providing config volume should setup /etc/opendkim" {
export CONTAINER_NAME=${CONTAINER1_NAME}
_init_with_defaults
mv "${TEST_TMP_CONFIG}/example-opendkim/" "${TEST_TMP_CONFIG}/opendkim/"
_common_container_setup
_run_in_container cat '/etc/opendkim/KeyTable'
assert_success
__assert_has_entry_in_keytable 'localhost.localdomain'
__assert_has_entry_in_keytable 'otherdomain.tld'
_should_output_number_of_lines 2
_should_have_content_in_directory '/etc/opendkim/keys/'
assert_output --partial 'localhost.localdomain'
assert_output --partial 'otherdomain.tld'
_should_output_number_of_lines 2
# /etc/opendkim.conf should contain nameservers copied from /etc/resolv.conf
_run_in_container grep -E \
'^Nameservers ((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' \
/etc/opendkim.conf
assert_success
}
# No default config supplied to /tmp/docker-mailserver/opendkim
# Generating key should create keys and tables + TrustedHosts files:
@test "should create keys and config files (with defaults)" {
export CONTAINER_NAME=${CONTAINER3_NAME}
__init_container_without_waiting
__should_generate_dkim_key 6
__assert_outputs_common_dkim_logs
__should_have_tables_trustedhosts_for_domain
__should_have_key_for_domain 'localhost.localdomain'
__should_have_key_for_domain 'localdomain2.com'
__should_have_key_for_domain 'otherdomain.tld'
}
@test "should create keys and config files (without postfix-accounts.cf)" {
export CONTAINER_NAME=${CONTAINER4_NAME}
# Only mount single config file (postfix-virtual.cf):
__init_container_without_waiting "${PWD}/test/config/postfix-virtual.cf:/tmp/docker-mailserver/postfix-virtual.cf:ro"
__should_generate_dkim_key 5
__assert_outputs_common_dkim_logs
__should_have_tables_trustedhosts_for_domain
__should_have_key_for_domain 'localhost.localdomain'
__should_have_key_for_domain 'localdomain2.com'
# NOTE: This would only be present if supplying the default postfix-accounts.cf:
__should_not_have_key_for_domain 'otherdomain.tld'
}
@test "should create keys and config files (without postfix-virtual.cf)" {
export CONTAINER_NAME=${CONTAINER5_NAME}
# Only mount single config file (postfix-accounts.cf):
__init_container_without_waiting "${PWD}/test/config/postfix-accounts.cf:/tmp/docker-mailserver/postfix-accounts.cf:ro"
__should_generate_dkim_key 5
__assert_outputs_common_dkim_logs
__should_have_tables_trustedhosts_for_domain
__should_have_key_for_domain 'localhost.localdomain'
__should_have_key_for_domain 'otherdomain.tld'
# NOTE: This would only be present if supplying the default postfix-virtual.cf:
__should_not_have_key_for_domain 'localdomain2.com'
}
@test "should create keys and config files (with custom domains and selector)" {
export CONTAINER_NAME=${CONTAINER6_NAME}
# Create without config volume (creates an empty anonymous volume instead):
__init_container_without_waiting '/tmp/docker-mailserver'
# generate first key (with a custom selector)
__should_generate_dkim_key 4 '2048' 'domain1.tld' 'mailer'
__assert_outputs_common_dkim_logs
# generate two additional keys different to the previous one
__should_generate_dkim_key 2 '2048' 'domain2.tld,domain3.tld'
__assert_logged_dkim_creation 'domain2.tld'
__assert_logged_dkim_creation 'domain3.tld'
# generate an additional key whilst providing already existing domains
__should_generate_dkim_key 1 '2048' 'domain3.tld,domain4.tld'
__assert_logged_dkim_creation 'domain4.tld'
__should_have_tables_trustedhosts_for_domain
__should_have_key_for_domain 'domain1.tld' 'mailer'
__should_have_key_for_domain 'domain2.tld'
__should_have_key_for_domain 'domain3.tld'
__should_have_key_for_domain 'domain4.tld'
# This would be created by default (from vhost) if no domain was given to open-dkim:
__should_not_have_key_for_domain 'localhost.localdomain'
# Without the default account configs, neither of these should be present:
__should_not_have_key_for_domain 'otherdomain.tld'
__should_not_have_key_for_domain 'localdomain2.com'
_run_in_container cat "/tmp/docker-mailserver/opendkim/KeyTable"
__assert_has_entry_in_keytable 'domain1.tld' 'mailer'
__assert_has_entry_in_keytable 'domain2.tld'
__assert_has_entry_in_keytable 'domain3.tld'
__assert_has_entry_in_keytable 'domain4.tld'
_should_output_number_of_lines 4
_run_in_container cat "/tmp/docker-mailserver/opendkim/SigningTable"
__assert_has_entry_in_signingtable 'domain1.tld' 'mailer'
__assert_has_entry_in_signingtable 'domain2.tld'
__assert_has_entry_in_signingtable 'domain3.tld'
__assert_has_entry_in_signingtable 'domain4.tld'
_should_output_number_of_lines 4
}
function __init_container_without_waiting {
_init_with_defaults
# Override the default config volume:
[[ -n ${1} ]] && TEST_CONFIG_VOLUME="${1}"
_common_container_create
_common_container_start
}
function __assert_has_entry_in_keytable() {
local EXPECTED_DOMAIN=${1}
local EXPECTED_SELECTOR=${2:-mail}
# EXAMPLE: mail._domainkey.domain1.tld domain1.tld:mail:/etc/opendkim/keys/domain1.tld/mail.private
assert_output --partial "${EXPECTED_SELECTOR}._domainkey.${EXPECTED_DOMAIN} ${EXPECTED_DOMAIN}:${EXPECTED_SELECTOR}:/etc/opendkim/keys/${EXPECTED_DOMAIN}/${EXPECTED_SELECTOR}.private"
}
function __assert_has_entry_in_signingtable() {
local EXPECTED_DOMAIN=${1}
local EXPECTED_SELECTOR=${2:-mail}
# EXAMPLE: *@domain1.tld mail._domainkey.domain1.tld
assert_output --partial "*@${EXPECTED_DOMAIN} ${EXPECTED_SELECTOR}._domainkey.${EXPECTED_DOMAIN}"
}
function __assert_logged_dkim_creation() {
local EXPECTED_DOMAIN=${1}
local EXPECTED_SELECTOR=${2:-mail}
assert_output --partial "Creating DKIM private key '/tmp/docker-mailserver/opendkim/keys/${EXPECTED_DOMAIN}/${EXPECTED_SELECTOR}.private'"
}
function __assert_outputs_common_dkim_logs() {
refute_output --partial 'No entries found, no keys to make'
assert_output --partial 'Creating DKIM KeyTable'
assert_output --partial 'Creating DKIM SigningTable'
assert_output --partial 'Creating DKIM TrustedHosts'
}
function __should_support_creating_key_of_size() {
local EXPECTED_KEYSIZE=${1:-}
__should_generate_dkim_key 6 "${EXPECTED_KEYSIZE}"
__assert_outputs_common_dkim_logs
__assert_logged_dkim_creation 'localdomain2.com'
__assert_logged_dkim_creation 'localhost.localdomain'
__assert_logged_dkim_creation 'otherdomain.tld'
__should_have_expected_files "${EXPECTED_KEYSIZE:-4096}"
_run_in_container rm -r /tmp/docker-mailserver/opendkim
}
function __should_generate_dkim_key() {
local EXPECTED_LINES=${1}
local ARG_KEYSIZE=${2:-}
local ARG_DOMAINS=${3:-}
local ARG_SELECTOR=${4:-}
local DKIM_CMD='open-dkim'
[[ -n ${ARG_KEYSIZE} ]] && DKIM_CMD+=" keysize ${ARG_KEYSIZE}"
[[ -n ${ARG_DOMAINS} ]] && DKIM_CMD+=" domain '${ARG_DOMAINS}'"
[[ -n ${ARG_SELECTOR} ]] && DKIM_CMD+=" selector '${ARG_SELECTOR}'"
_run_in_container_bash "${DKIM_CMD}"
assert_success
_should_output_number_of_lines "${EXPECTED_LINES}"
}
function __should_have_expected_files() {
local EXPECTED_KEYSIZE=${1:?Keysize must be provided}
local DKIM_DOMAIN='localhost.localdomain'
local TARGET_DIR="/tmp/docker-mailserver/opendkim/keys/${DKIM_DOMAIN}"
# DKIM private key for signing, parse it to verify private key size is correct:
_run_in_container_bash "openssl rsa -in '${TARGET_DIR}/mail.private' -noout -text"
assert_success
assert_line --index 0 "RSA Private-Key: (${EXPECTED_KEYSIZE} bit, 2 primes)"
# DKIM record, extract public key (base64 encoded, potentially multi-line)
# - tail to exclude first line,
# - then sed to extract values within quoted lines, then remove `p=` from the start,
# - and finally echo to concatenate all lines into single string
# Next decode and parse it with openssl to verify public-key key size is correct:
_run_in_container_bash "echo \$( \
tail -n +2 '${TARGET_DIR}/mail.txt' \
| sed -nE -e 's/.*\"(.*)\".*/\1/p' \
| sed -e 's/^p=//' \
) | openssl enc -base64 -d | openssl pkey -inform DER -pubin -noout -text
"
assert_success
assert_line --index 0 "RSA Public-Key: (${EXPECTED_KEYSIZE} bit)"
# Contents is for expected DKIM_DOMAIN and selector (mail):
_run_in_container cat "${TARGET_DIR}/mail.txt"
assert_output --regexp "; ----- DKIM key mail for ${DKIM_DOMAIN}$"
}
function __should_have_key_for_domain() {
local KEY_DOMAIN=${1}
local KEY_SELECTOR=${2:-mail}
_should_have_content_in_directory "/tmp/docker-mailserver/opendkim/keys/${KEY_DOMAIN}"
assert_success
assert_line "${KEY_SELECTOR}.private"
assert_line "${KEY_SELECTOR}.txt"
_should_output_number_of_lines 2
}
function __should_not_have_key_for_domain() {
local KEY_DOMAIN=${1:?Domain must be provided}
local KEY_SELECTOR=${2:-mail}
local TARGET_DIR="/tmp/docker-mailserver/opendkim/keys/${KEY_DOMAIN}"
_run_in_container_bash "[[ -d ${TARGET_DIR} ]]"
assert_failure
}
function __should_have_tables_trustedhosts_for_domain() {
_should_have_content_in_directory '/tmp/docker-mailserver/opendkim'
assert_success
assert_line 'keys'
assert_line 'KeyTable'
assert_line 'SigningTable'
assert_line 'TrustedHosts'
}