1package webaccount

2

3import (

4 "archive/tar"

5 "archive/zip"

6 "bytes"

7 "compress/gzip"

8 "context"

9 "encoding/json"

10 "fmt"

11 "io"

12 "mime/multipart"

13 "net/http"

14 "net/http/httptest"

15 "net/url"

16 "os"

17 "path"

18 "path/filepath"

19 "reflect"

20 "runtime/debug"

21 "sort"

22 "strings"

23 "testing"

24 "time"

25

26 "github.com/mjl-/bstore"

27 "github.com/mjl-/sherpa"

28

29 "github.com/mjl-/mox/config"

30 "github.com/mjl-/mox/dns"

31 "github.com/mjl-/mox/mlog"

32 "github.com/mjl-/mox/mox-"

33 "github.com/mjl-/mox/queue"

34 "github.com/mjl-/mox/store"

35 "github.com/mjl-/mox/webauth"

36 "github.com/mjl-/mox/webhook"

37)

38

39var ctxbg = context.Background()

40

41func init() {

42 mox.LimitersInit()

43 webauth.BadAuthDelay = 0

44}

45

46func tcheck(t *testing.T, err error, msg string) {

47 t.Helper()

48 if err != nil {

49 t.Fatalf("%s: %s", msg, err)

50 }

51}

52

53func readBody(r io.Reader) string {

54 buf, err := io.ReadAll(r)

55 if err != nil {

56 return fmt.Sprintf("read error: %s", err)

57 }

58 return fmt.Sprintf("data: %q", buf)

59}

60

61func tneedErrorCode(t *testing.T, code string, fn func()) {

62 t.Helper()

63 defer func() {

64 t.Helper()

65 x := recover()

66 if x == nil {

67 debug.PrintStack()

68 t.Fatalf("expected sherpa user error, saw success")

69 }

70 if err, ok := x.(*sherpa.Error); !ok {

71 debug.PrintStack()

72 t.Fatalf("expected sherpa error, saw %#v", x)

73 } else if err.Code != code {

74 debug.PrintStack()

75 t.Fatalf("expected sherpa error code %q, saw other sherpa error %#v", code, err)

76 }

77 }()

78

79 fn()

80}

81

82func tcompare(t *testing.T, got, expect any) {

83 t.Helper()

84 if !reflect.DeepEqual(got, expect) {

85 t.Fatalf("got:\n%#v\nexpected:\n%#v", got, expect)

86 }

87}

88

89func TestAccount(t *testing.T) {

90 os.RemoveAll("../testdata/httpaccount/data")

91 mox.ConfigStaticPath = filepath.FromSlash("../testdata/httpaccount/mox.conf")

92 mox.ConfigDynamicPath = filepath.Join(filepath.Dir(mox.ConfigStaticPath), "domains.conf")

93 mox.MustLoadConfig(true, false)

94 log := mlog.New("webaccount", nil)

95 acc, err := store.OpenAccount(log, "mjl☺")

96 tcheck(t, err, "open account")

97 err = acc.SetPassword(log, "test1234")

98 tcheck(t, err, "set password")

99 defer func() {

100 err = acc.Close()

101 tcheck(t, err, "closing account")

102 acc.CheckClosed()

103 }()

104 defer store.Switchboard()()

105

106 api := Account{cookiePath: "/account/"}

107 apiHandler, err := makeSherpaHandler(api.cookiePath, false)

108 tcheck(t, err, "sherpa handler")

109

110 // Record HTTP response to get session cookie for login.

111 respRec := httptest.NewRecorder()

112 reqInfo := requestInfo{"", "", "", respRec, &http.Request{RemoteAddr: "127.0.0.1:1234"}}

113 ctx := context.WithValue(ctxbg, requestInfoCtxKey, reqInfo)

114

115 // Missing login token.

116 tneedErrorCode(t, "user:error", func() { api.Login(ctx, "", "mjl☺@mox.example", "test1234") })

117

118 // Login with loginToken.

119 loginCookie := &http.Cookie{Name: "webaccountlogin"}

120 loginCookie.Value = api.LoginPrep(ctx)

121 reqInfo.Request.Header = http.Header{"Cookie": []string{loginCookie.String()}}

122

123 csrfToken := api.Login(ctx, loginCookie.Value, "mjl☺@mox.example", "test1234")

124 var sessionCookie *http.Cookie

125 for _, c := range respRec.Result().Cookies() {

126 if c.Name == "webaccountsession" {

127 sessionCookie = c

128 break

129 }

130 }

131 if sessionCookie == nil {

132 t.Fatalf("missing session cookie")

133 }

134

135 // Valid loginToken, but bad credentials.

136 loginCookie.Value = api.LoginPrep(ctx)

137 reqInfo.Request.Header = http.Header{"Cookie": []string{loginCookie.String()}}

138 tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "mjl☺@mox.example", "badauth") })

139 tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "baduser@mox.example", "badauth") })

140 tneedErrorCode(t, "user:loginFailed", func() { api.Login(ctx, loginCookie.Value, "baduser@baddomain.example", "badauth") })

141

142 type httpHeaders [][2]string

143 ctJSON := [2]string{"Content-Type", "application/json; charset=utf-8"}

144

145 cookieOK := &http.Cookie{Name: "webaccountsession", Value: sessionCookie.Value}

146 cookieBad := &http.Cookie{Name: "webaccountsession", Value: "AAAAAAAAAAAAAAAAAAAAAA mjl"}

147 hdrSessionOK := [2]string{"Cookie", cookieOK.String()}

148 hdrSessionBad := [2]string{"Cookie", cookieBad.String()}

149 hdrCSRFOK := [2]string{"x-mox-csrf", string(csrfToken)}

150 hdrCSRFBad := [2]string{"x-mox-csrf", "AAAAAAAAAAAAAAAAAAAAAA"}

151

152 testHTTP := func(method, path string, headers httpHeaders, expStatusCode int, expHeaders httpHeaders, check func(resp *http.Response)) {

153 t.Helper()

154

155 req := httptest.NewRequest(method, path, nil)

156 for _, kv := range headers {

157 req.Header.Add(kv[0], kv[1])

158 }

159 rr := httptest.NewRecorder()

160 rr.Body = &bytes.Buffer{}

161 handle(apiHandler, false, rr, req)

162 if rr.Code != expStatusCode {

163 t.Fatalf("got status %d, expected %d (%s)", rr.Code, expStatusCode, readBody(rr.Body))

164 }

165

166 resp := rr.Result()

167 for _, h := range expHeaders {

168 if resp.Header.Get(h[0]) != h[1] {

169 t.Fatalf("for header %q got value %q, expected %q", h[0], resp.Header.Get(h[0]), h[1])

170 }

171 }

172

173 if check != nil {

174 check(resp)

175 }

176 }

177 testHTTPAuthAPI := func(method, path string, expStatusCode int, expHeaders httpHeaders, check func(resp *http.Response)) {

178 t.Helper()

179 testHTTP(method, path, httpHeaders{hdrCSRFOK, hdrSessionOK}, expStatusCode, expHeaders, check)

180 }

181

182 userAuthError := func(resp *http.Response, expCode string) {

183 t.Helper()

184

185 var response struct {

186 Error *sherpa.Error `json:"error"`

187 }

188 err := json.NewDecoder(resp.Body).Decode(&response)

189 tcheck(t, err, "parsing response as json")

190 if response.Error == nil {

191 t.Fatalf("expected sherpa error with code %s, no error", expCode)

192 }

193 if response.Error.Code != expCode {

194 t.Fatalf("got sherpa error code %q, expected %s", response.Error.Code, expCode)

195 }

196 }

197 badAuth := func(resp *http.Response) {

198 t.Helper()

199 userAuthError(resp, "user:badAuth")

200 }

201 noAuth := func(resp *http.Response) {

202 t.Helper()

203 userAuthError(resp, "user:noAuth")

204 }

205

206 testHTTP("POST", "/api/Bogus", httpHeaders{}, http.StatusOK, nil, noAuth)

207 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFBad}, http.StatusOK, nil, noAuth)

208 testHTTP("POST", "/api/Bogus", httpHeaders{hdrSessionBad}, http.StatusOK, nil, noAuth)

209 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFBad, hdrSessionBad}, http.StatusOK, nil, badAuth)

210 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFOK}, http.StatusOK, nil, noAuth)

211 testHTTP("POST", "/api/Bogus", httpHeaders{hdrSessionOK}, http.StatusOK, nil, noAuth)

212 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFBad, hdrSessionOK}, http.StatusOK, nil, badAuth)

213 testHTTP("POST", "/api/Bogus", httpHeaders{hdrCSRFOK, hdrSessionBad}, http.StatusOK, nil, badAuth)

214 testHTTPAuthAPI("GET", "/api/Types", http.StatusMethodNotAllowed, nil, nil)

215 testHTTPAuthAPI("POST", "/api/Types", http.StatusOK, httpHeaders{ctJSON}, nil)

216

217 testHTTP("POST", "/import", httpHeaders{}, http.StatusForbidden, nil, nil)

218 testHTTP("POST", "/import", httpHeaders{hdrSessionBad}, http.StatusForbidden, nil, nil)

219 testHTTP("GET", "/export", httpHeaders{}, http.StatusForbidden, nil, nil)

220 testHTTP("GET", "/export", httpHeaders{hdrSessionBad}, http.StatusForbidden, nil, nil)

221 testHTTP("GET", "/export", httpHeaders{hdrSessionOK}, http.StatusForbidden, nil, nil)

222

223 // SetPassword needs the token.

224 sessionToken := store.SessionToken(strings.SplitN(sessionCookie.Value, " ", 2)[0])

225 reqInfo = requestInfo{"mjl☺@mox.example", "mjl☺", sessionToken, respRec, &http.Request{RemoteAddr: "127.0.0.1:1234"}}

226 ctx = context.WithValue(ctxbg, requestInfoCtxKey, reqInfo)

227

228 api.SetPassword(ctx, "test1234")

229

230 err = queue.Init() // For DB.

231 tcheck(t, err, "queue init")

232

233 account, _, _, _ := api.Account(ctx)

234

235 // Check we don't see the alias member list.

236 tcompare(t, len(account.Aliases), 1)

237 tcompare(t, account.Aliases[0], config.AddressAlias{

238 SubscriptionAddress: "mjl☺@mox.example",

239 Alias: config.Alias{

240 LocalpartStr: "support",

241 Domain: dns.Domain{ASCII: "mox.example"},

242 AllowMsgFrom: true,

243 },

244 })

245

246 api.DestinationSave(ctx, "mjl☺@mox.example", account.Destinations["mjl☺@mox.example"], account.Destinations["mjl☺@mox.example"]) // todo: save modified value and compare it afterwards

247

248 api.AccountSaveFullName(ctx, account.FullName+" changed") // todo: check if value was changed

249 api.AccountSaveFullName(ctx, account.FullName)

250

251 go ImportManage()

252

253 // Import mbox/maildir tgz/zip.

254 testImport := func(filename string, expect int) {

255 t.Helper()

256

257 var reqBody bytes.Buffer

258 mpw := multipart.NewWriter(&reqBody)

259 part, err := mpw.CreateFormFile("file", path.Base(filename))

260 tcheck(t, err, "creating form file")

261 buf, err := os.ReadFile(filename)

262 tcheck(t, err, "reading file")

263 _, err = part.Write(buf)

264 tcheck(t, err, "write part")

265 err = mpw.Close()

266 tcheck(t, err, "close multipart writer")

267

268 r := httptest.NewRequest("POST", "/import", &reqBody)

269 r.Header.Add("Content-Type", mpw.FormDataContentType())

270 r.Header.Add("x-mox-csrf", string(csrfToken))

271 r.Header.Add("Cookie", cookieOK.String())

272 w := httptest.NewRecorder()

273 handle(apiHandler, false, w, r)

274 if w.Code != http.StatusOK {

275 t.Fatalf("import, got status code %d, expected 200: %s", w.Code, w.Body.Bytes())

276 }

277 var m ImportProgress

278 if err := json.Unmarshal(w.Body.Bytes(), &m); err != nil {

279 t.Fatalf("parsing import response: %v", err)

280 }

281

282 l := importListener{m.Token, make(chan importEvent, 100), make(chan bool)}

283 importers.Register <- &l

284 if !<-l.Register {

285 t.Fatalf("register failed")

286 }

287 defer func() {

288 importers.Unregister <- &l

289 }()

290 count := 0

291 loop:

292 for {

293 e := <-l.Events

294 if e.Event == nil {

295 continue

296 }

297 switch x := e.Event.(type) {

298 case importCount:

299 count += x.Count

300 case importProblem:

301 t.Fatalf("unexpected problem: %q", x.Message)

302 case importStep:

303 case importDone:

304 break loop

305 case importAborted:

306 t.Fatalf("unexpected aborted import")

307 default:

308 panic(fmt.Sprintf("missing case for Event %#v", e))

309 }

310 }

311 if count != expect {

312 t.Fatalf("imported %d messages, expected %d", count, expect)

313 }

314 }

315 testImport(filepath.FromSlash("../testdata/importtest.mbox.zip"), 2)

316 testImport(filepath.FromSlash("../testdata/importtest.maildir.tgz"), 2)

317

318 // Check there are messages, with the right flags.

319 acc.DB.Read(ctxbg, func(tx *bstore.Tx) error {

320 _, err = bstore.QueryTx[store.Message](tx).FilterEqual("Expunged", false).FilterIn("Keywords", "other").FilterIn("Keywords", "test").Get()

321 tcheck(t, err, `fetching message with keywords "other" and "test"`)

322

323 mb, err := acc.MailboxFind(tx, "importtest")

324 tcheck(t, err, "looking up mailbox importtest")

325 if mb == nil {

326 t.Fatalf("missing mailbox importtest")

327 }

328 sort.Strings(mb.Keywords)

329 if strings.Join(mb.Keywords, " ") != "other test" {

330 t.Fatalf(`expected mailbox keywords "other" and "test", got %v`, mb.Keywords)

331 }

332

333 n, err := bstore.QueryTx[store.Message](tx).FilterEqual("Expunged", false).FilterIn("Keywords", "custom").Count()

334 tcheck(t, err, `fetching message with keyword "custom"`)

335 if n != 2 {

336 t.Fatalf(`got %d messages with keyword "custom", expected 2`, n)

337 }

338

339 mb, err = acc.MailboxFind(tx, "maildir")

340 tcheck(t, err, "looking up mailbox maildir")

341 if mb == nil {

342 t.Fatalf("missing mailbox maildir")

343 }

344 if strings.Join(mb.Keywords, " ") != "custom" {

345 t.Fatalf(`expected mailbox keywords "custom", got %v`, mb.Keywords)

346 }

347

348 return nil

349 })

350

351 testExport := func(format, archive string, expectFiles int) {

352 t.Helper()

353

354 fields := url.Values{

355 "csrf": []string{string(csrfToken)},

356 "format": []string{format},

357 "archive": []string{archive},

358 "mailbox": []string{""},

359 "recursive": []string{"on"},

360 }

361 r := httptest.NewRequest("POST", "/export", strings.NewReader(fields.Encode()))

362 r.Header.Set("Content-Type", "application/x-www-form-urlencoded")

363 r.Header.Add("Cookie", cookieOK.String())

364 w := httptest.NewRecorder()

365 handle(apiHandler, false, w, r)

366 if w.Code != http.StatusOK {

367 t.Fatalf("export, got status code %d, expected 200: %s", w.Code, w.Body.Bytes())

368 }

369 var count int

370 if archive == "zip" {

371 buf := w.Body.Bytes()

372 zr, err := zip.NewReader(bytes.NewReader(buf), int64(len(buf)))

373 tcheck(t, err, "reading zip")

374 for _, f := range zr.File {

375 if !strings.HasSuffix(f.Name, "/") {

376 count++

377 }

378 }

379 } else {

380 var src io.Reader = w.Body

381 if archive == "tgz" {

382 gzr, err := gzip.NewReader(src)

383 tcheck(t, err, "gzip reader")

384 src = gzr

385 }

386 tr := tar.NewReader(src)

387 for {

388 h, err := tr.Next()

389 if err == io.EOF {

390 break

391 }

392 tcheck(t, err, "next file in tar")

393 if !strings.HasSuffix(h.Name, "/") {

394 count++

395 }

396 _, err = io.Copy(io.Discard, tr)

397 tcheck(t, err, "reading from tar")

398 }

399 }

400 if count != expectFiles {

401 t.Fatalf("export, has %d files, expected %d", count, expectFiles)

402 }

403 }

404

405 testExport("maildir", "tgz", 6) // 2 mailboxes, each with 2 messages and a dovecot-keyword file

406 testExport("maildir", "zip", 6)

407 testExport("mbox", "tar", 2+6) // 2 imported plus 6 default mailboxes (Inbox, Draft, etc)

408 testExport("mbox", "zip", 2+6)

409

410 sl := api.SuppressionList(ctx)

411 tcompare(t, len(sl), 0)

412

413 api.SuppressionAdd(ctx, "mjl@mox.example", true, "testing")

414 tneedErrorCode(t, "user:error", func() { api.SuppressionAdd(ctx, "mjl@mox.example", true, "testing") }) // Duplicate.

415 tneedErrorCode(t, "user:error", func() { api.SuppressionAdd(ctx, "bogus", true, "testing") }) // Bad address.

416

417 sl = api.SuppressionList(ctx)

418 tcompare(t, len(sl), 1)

419

420 api.SuppressionRemove(ctx, "mjl@mox.example")

421 tneedErrorCode(t, "user:error", func() { api.SuppressionRemove(ctx, "mjl@mox.example") }) // Absent.

422 tneedErrorCode(t, "user:error", func() { api.SuppressionRemove(ctx, "bogus") }) // Not an address.

423

424 var hooks int

425 hookServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

426 fmt.Fprintln(w, "ok")

427 hooks++

428 }))

429 defer hookServer.Close()

430

431 api.OutgoingWebhookSave(ctx, "http://localhost:1234", "Basic base64", []string{"delivered"})

432 api.OutgoingWebhookSave(ctx, "http://localhost:1234", "Basic base64", []string{})

433 tneedErrorCode(t, "user:error", func() {

434 api.OutgoingWebhookSave(ctx, "http://localhost:1234/outgoing", "Basic base64", []string{"bogus"})

435 })

436 tneedErrorCode(t, "user:error", func() { api.OutgoingWebhookSave(ctx, "invalid", "Basic base64", nil) })

437 api.OutgoingWebhookSave(ctx, "", "", nil) // Restore.

438

439 code, response, errmsg := api.OutgoingWebhookTest(ctx, hookServer.URL, "", webhook.Outgoing{})

440 tcompare(t, code, 200)

441 tcompare(t, response, "ok\n")

442 tcompare(t, errmsg, "")

443 tneedErrorCode(t, "user:error", func() { api.OutgoingWebhookTest(ctx, "bogus", "", webhook.Outgoing{}) })

444

445 api.IncomingWebhookSave(ctx, "http://localhost:1234", "Basic base64")

446 tneedErrorCode(t, "user:error", func() { api.IncomingWebhookSave(ctx, "invalid", "Basic base64") })

447 api.IncomingWebhookSave(ctx, "", "") // Restore.

448

449 code, response, errmsg = api.IncomingWebhookTest(ctx, hookServer.URL, "", webhook.Incoming{})

450 tcompare(t, code, 200)

451 tcompare(t, response, "ok\n")

452 tcompare(t, errmsg, "")

453 tneedErrorCode(t, "user:error", func() { api.IncomingWebhookTest(ctx, "bogus", "", webhook.Incoming{}) })

454

455 api.FromIDLoginAddressesSave(ctx, []string{"mjl☺@mox.example"})

456 api.FromIDLoginAddressesSave(ctx, []string{"mjl☺@mox.example", "mjl☺+fromid@mox.example"})

457 api.FromIDLoginAddressesSave(ctx, []string{})

458 tneedErrorCode(t, "user:error", func() { api.FromIDLoginAddressesSave(ctx, []string{"bogus@other.example"}) })

459

460 api.KeepRetiredPeriodsSave(ctx, time.Minute, time.Minute)

461 api.KeepRetiredPeriodsSave(ctx, 0, 0) // Restore.

462

463 api.AutomaticJunkFlagsSave(ctx, true, "^(junk|spam)", "^(inbox|neutral|postmaster|dmarc|tlsrpt|rejects)", "")

464 api.AutomaticJunkFlagsSave(ctx, false, "", "", "")

465

466 api.RejectsSave(ctx, "Rejects", true)

467 api.RejectsSave(ctx, "Rejects", false)

468 api.RejectsSave(ctx, "", false) // Restore.

469

470 api.Logout(ctx)

471 tneedErrorCode(t, "server:error", func() { api.Logout(ctx) })

472}

473