mirror of
https://github.com/docker-mailserver/docker-mailserver
synced 2024-06-08 10:56:07 +02:00
3b4f44e837
* tests(fix): Increase some timeouts Running tests locally via a VM these tests would fail sometimes due to the time from being queued and Amavis actually processing being roughly around 30 seconds. There should be no harm in raising this to 60 seconds, other than delaying a failure case which will ripple through other time sensitive tests. It's better to pass when functionality is actually correct but just needs a bit longer to complete. * tests(fix): Don't setup an invalid hostname During container startup `helpers/dns.sh` would panic with `hostname -f` failing. Dropping `--domainname` for this container is fine and does not affect the point of it's test. --- It's unclear why this does not occur in CI. Possibly changes within the docker daemon since as CI runs docker on Ubuntu 20.04? (2020). For clarity, this may be equivalent to setting a hostname of `domain.com.domain.com`, or `--hostname` value truncated the NIS domain (`--domainname`) of the same value. IIRC, it would still fail with both options using different values if `--hostname` was multi-label. I believe I've documented how non-deterministic these options can be across different environments. `--hostname` should be preferred. There doesn't seem to be any reason to actually need `--domainname` (which is NIS domain name, unrelated to the DNS domain name). We still need to properly investigate reworking our ENV support that `dns.sh` manages. --- Containers were also not removing themselves after failures either (missing teardown). Which would cause problems when running tests again. * chore: Normalize white-space Sets a consistent indent size of 2 spaces. Previously this varied a fair bit, sometimes with tabs or mixed tabs and spaces. Some formatting with blank lines. Easier to review with white-space in diff ignored. Some minor edits besides blank lines, but no change in functionality. * fix: `setup.sh` target container under test Some of the `setup.sh` commands did not specify the container which was problematic if another `docker-mailserver` container was running, causing test failures. This probably doesn't help with `test/no_container.bats`, but at least prevents `test/tests.bats` failing at this point.
128 lines
4.3 KiB
Bash
128 lines
4.3 KiB
Bash
load 'test_helper/common'
|
|
|
|
# Test case
|
|
# ---------
|
|
# By default, this image is using audited FFDHE groups (https://github.com/docker-mailserver/docker-mailserver/pull/1463)
|
|
#
|
|
# This test case covers the described case against both boolean states for `ONE_DIR`.
|
|
#
|
|
# Description:
|
|
# 1. Verify that the file `ffdhe4096.pem` has not been modified (checksum verification).
|
|
# 2. Verify Postfix and Dovecot are using the default `ffdhe4096.pem` from Dockerfile build.
|
|
# 3. When custom DHE parameters are supplied by the user as `/tmp/docker-mailserver/dhparams.pem`:
|
|
# - Verify Postfix and Dovecot use the custom `custom-dhe-params.pem` (contents is actually `ffdhe2048.pem`).
|
|
# - A warning is raised about usage of potentially insecure parameters.
|
|
|
|
function teardown() {
|
|
docker rm -f mail_dhparams
|
|
}
|
|
|
|
function setup_file() {
|
|
# Delegated container setup to common_container_setup
|
|
# DRY - Explicit config changes between tests are more apparent this way.
|
|
|
|
# Global scope
|
|
# Copies all of `./test/config/` to specific directory for testing
|
|
# `${PRIVATE_CONFIG}` becomes `$(pwd)/test/duplicate_configs/<bats test filename>`
|
|
export PRIVATE_CONFIG
|
|
|
|
export DMS_ONE_DIR=1 # default
|
|
|
|
local DH_DEFAULT_PARAMS
|
|
export DH_DEFAULT_CHECKSUM
|
|
export DH_CUSTOM_PARAMS
|
|
export DH_CUSTOM_CHECKSUM
|
|
|
|
DH_DEFAULT_PARAMS="$(pwd)/target/shared/ffdhe4096.pem"
|
|
DH_DEFAULT_CHECKSUM=$(sha512sum "${DH_DEFAULT_PARAMS}" | awk '{print $1}')
|
|
|
|
DH_CUSTOM_PARAMS="$(pwd)/test/test-files/ssl/custom-dhe-params.pem"
|
|
DH_CUSTOM_CHECKSUM=$(sha512sum "${DH_CUSTOM_PARAMS}" | awk '{print $1}')
|
|
}
|
|
|
|
# Not used
|
|
# function teardown_file() {
|
|
# }
|
|
|
|
@test "testing tls: DH Parameters - Verify integrity of Default (ffdhe4096)" {
|
|
# Reference used (22/04/2020):
|
|
# https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
|
|
|
|
run echo "${DH_DEFAULT_CHECKSUM}"
|
|
refute_output '' # checksum must not be empty
|
|
|
|
# Verify the FFDHE params file has not been modified (equivalent to `target/shared/ffdhe4096.pem.sha512sum`):
|
|
local DH_MOZILLA_CHECKSUM
|
|
DH_MOZILLA_CHECKSUM=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
|
|
assert_equal "${DH_DEFAULT_CHECKSUM}" "${DH_MOZILLA_CHECKSUM}"
|
|
}
|
|
|
|
@test "testing tls: DH Parameters - Default [ONE_DIR=0]" {
|
|
PRIVATE_CONFIG=$(duplicate_config_for_container . mail_dhparams_default_0)
|
|
DMS_ONE_DIR=0
|
|
|
|
common_container_setup
|
|
should_have_valid_checksum "${DH_DEFAULT_CHECKSUM}"
|
|
}
|
|
|
|
@test "testing tls: DH Parameters - Default [ONE_DIR=1]" {
|
|
PRIVATE_CONFIG=$(duplicate_config_for_container . mail_dhparams_default_1)
|
|
|
|
common_container_setup
|
|
should_have_valid_checksum "${DH_DEFAULT_CHECKSUM}"
|
|
}
|
|
|
|
@test "testing tls: DH Parameters - Custom [ONE_DIR=0]" {
|
|
PRIVATE_CONFIG=$(duplicate_config_for_container . mail_dhparams_custom_0)
|
|
# shellcheck disable=SC2030
|
|
DMS_ONE_DIR=0
|
|
|
|
cp "${DH_CUSTOM_PARAMS}" "${PRIVATE_CONFIG}/dhparams.pem"
|
|
|
|
common_container_setup
|
|
should_have_valid_checksum "${DH_CUSTOM_CHECKSUM}"
|
|
should_emit_warning
|
|
}
|
|
|
|
@test "testing tls: DH Parameters - Custom [ONE_DIR=1]" {
|
|
# shellcheck disable=SC2030
|
|
PRIVATE_CONFIG=$(duplicate_config_for_container . mail_dhparams_custom_1)
|
|
|
|
cp "${DH_CUSTOM_PARAMS}" "${PRIVATE_CONFIG}/dhparams.pem"
|
|
|
|
common_container_setup
|
|
should_have_valid_checksum "${DH_CUSTOM_CHECKSUM}"
|
|
should_emit_warning
|
|
}
|
|
|
|
function common_container_setup() {
|
|
# shellcheck disable=SC2031
|
|
docker run -d --name mail_dhparams \
|
|
-v "${PRIVATE_CONFIG}:/tmp/docker-mailserver" \
|
|
-v "$(pwd)/test/test-files:/tmp/docker-mailserver-test:ro" \
|
|
-e ONE_DIR="${DMS_ONE_DIR}" \
|
|
-h mail.my-domain.com \
|
|
--tty \
|
|
"${NAME}"
|
|
|
|
wait_for_finished_setup_in_container mail_dhparams
|
|
}
|
|
|
|
# Ensures the docker image services (Postfix and Dovecot) have the intended DH files
|
|
function should_have_valid_checksum() {
|
|
local DH_CHECKSUM=$1
|
|
|
|
local DH_CHECKSUM_DOVECOT
|
|
DH_CHECKSUM_DOVECOT=$(docker exec mail_dhparams sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
|
|
assert_equal "${DH_CHECKSUM_DOVECOT}" "${DH_CHECKSUM}"
|
|
|
|
local DH_CHECKSUM_POSTFIX
|
|
DH_CHECKSUM_POSTFIX=$(docker exec mail_dhparams sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
|
|
assert_equal "${DH_CHECKSUM_POSTFIX}" "${DH_CHECKSUM}"
|
|
}
|
|
|
|
function should_emit_warning() {
|
|
run sh -c "docker logs mail_dhparams | grep 'Using self-generated dhparams is considered insecure.'"
|
|
assert_success
|
|
}
|