fix/rename

chatmail-pyinfra/src/chatmail/dovecot/doveauth.lua

@@ -0,0 +1,57 @@
+
+-- Escape shell argument by hex encoding it and wrapping in quotes.
+function escape(data)
+   b16 = data:gsub(".", function(char) return string.format("%2X", char:byte()) end)
+   return ("'"..b16.."'")
+end
+
+-- call out to python program to actually manage authentication for dovecot
+
+function chatctl_verify(user, password)
+    local cmd = "python3 /home/vmail/chatctl hexauth "..escape(user).." "..escape(password)
+    print("executing: "..cmd)
+    local handle = io.popen(cmd)
+    local result = handle:read("*a")
+    handle:close()
+    return split_chatctl(result)
+end
+
+function chatctl_lookup(user) 
+    assert(user)
+    local handle = io.popen("python3 /home/vmail/chatctl hexlookup "..escape(user))
+    local result = handle:read("*a")
+    handle:close()
+    return split_chatctl(result)
+end
+
+function get_extra_dovecot_output(res)
+    return {home=res.home, uid=res.uid, gid=res.gid}
+end
+
+
+function auth_password_verify(request, password)
+    local res = chatctl_verify(request.user, password)
+    -- request:log_error("auth_password_verify "..request.user.." "..password)
+    if res.status == "ok" then 
+        local extra = get_extra_dovecot_output(res)
+        return dovecot.auth.PASSDB_RESULT_OK, get_extra_dovecot_output(res)
+    end
+    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, ""
+end
+
+
+function auth_userdb_lookup(request)
+    local res = chatctl_lookup(request.user) 
+    if res.status == "ok" then
+        return dovecot.auth.USERDB_RESULT_OK, get_extra_dovecot_output(res)
+    end
+    return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
+end
+
+function split_chatctl(output) 
+    local ret = {}
+    for key, value in output:gmatch "(%w+)%s*=%s*(%w+)" do
+        ret[key] = value
+    end
+    return ret
+end

chatmail-pyinfra/src/chatmail/dovecot/doveauth.py

@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+import base64
+import sys
+
+
+def get_user_data(user):
+    if user == "link2xt@c1.testrun.org":
+        return dict(
+            uid="vmail",
+            gid="vmail",
+            password="Ahyei6ie",
+        )
+    return {}
+
+
+def create_user(user, password):
+    return dict(home=f"/home/vmail/{user}", uid="vmail", gid="vmail", password=password)
+
+
+def verify_user(user, password):
+    userdata = get_user_data(user)
+    if userdata:
+        if userdata.get("password") == password:
+            userdata["status"] = "ok"
+        else:
+            userdata["status"] = "fail"
+    else:
+        userdata = create_user(user, password)
+        userdata["status"] = "ok"
+
+    return userdata
+
+
+def lookup_user(user):
+    userdata = get_user_data(user)
+    if userdata:
+        userdata["status"] = "ok"
+    else:
+        userdata["status"] = "fail"
+    return userdata
+
+
+def dump_result(res):
+    for key, value in res.items():
+        print(f"{key}={value}")
+
+
+if __name__ == "__main__":
+    if sys.argv[1] == "hexauth":
+        login = base64.b16decode(sys.argv[2]).decode()
+        password = base64.b16decode(sys.argv[3]).decode()
+        res = verify_user(login, password)
+        dump_result(res)
+    elif sys.argv[1] == "hexlookup":
+        login = base64.b16decode(sys.argv[2]).decode()
+        res = lookup_user(login)
+        dump_result(res)

chatmail-pyinfra/src/chatmail/dovecot/dovecot.conf.j2

@@ -0,0 +1,99 @@
+## Dovecot configuration file
+
+protocols = imap lmtp
+
+auth_mechanisms = plain
+
+auth_verbose = yes
+auth_debug = yes
+auth_debug_passwords = yes
+auth_verbose_passwords = plain
+
+# Authentication for system users.
+passdb {
+  driver = lua
+  args = file=/etc/dovecot/doveauth.lua
+}
+userdb {
+  driver = lua
+  args = file=/etc/dovecot/doveauth.lua
+}
+
+##
+## Mailbox locations and namespaces
+##
+
+# Mailboxes are stored in the "mail" directory of the vmail user home.
+mail_location = maildir:/home/vmail/mail/%d/%u
+
+namespace inbox {
+  inbox = yes
+
+  mailbox Drafts {
+    special_use = \Drafts
+  }
+  mailbox Junk {
+    special_use = \Junk
+  }
+  mailbox Trash {
+    special_use = \Trash
+  }
+
+  # For \Sent mailboxes there are two widely used names. We'll mark both of
+  # them as \Sent. User typically deletes one of them if duplicates are created.
+  mailbox Sent {
+    special_use = \Sent
+  }
+  mailbox "Sent Messages" {
+    special_use = \Sent
+  }
+}
+
+mail_uid = vmail
+mail_gid = vmail
+mail_privileged_group = vmail
+
+##
+## Mail processes
+##
+
+# Enable IMAP COMPRESS (RFC 4978).
+# <https://datatracker.ietf.org/doc/html/rfc4978.html>
+protocol imap {
+  mail_plugins = $mail_plugins imap_zlib
+}
+
+plugin {
+  imap_compress_deflate_level = 6
+}
+
+service lmtp {
+  user=vmail
+
+  unix_listener /var/spool/postfix/private/dovecot-lmtp {
+    group = postfix
+    mode = 0600
+    user = postfix
+  }
+}
+
+service auth {
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0660
+    user = postfix
+    group = postfix
+  }
+}
+
+service auth-worker {
+  # Default is root.
+  # Drop privileges we don't need.
+  user = $default_internal_user
+}
+
+ssl = required
+ssl_cert = </var/lib/acme/live/{{ config.hostname }}/fullchain
+ssl_key = </var/lib/acme/live/{{ config.hostname }}/privkey
+ssl_dh = </usr/share/dovecot/dh.pem
+ssl_min_protocol = TLSv1.2
+ssl_prefer_server_ciphers = yes

chatmail-pyinfra/src/chatmail/dovecot/test_doveauth.lua

@@ -0,0 +1,78 @@
+
+require "doveauth"
+
+-- simulate dovecot defined result codes 
+
+dovecot = {
+    auth = {
+        PASSDB_RESULT_OK="PASSWORD-OK",
+        PASSDB_RESULT_PASSWORD_MISMATCH="PASSWORD-MISMATCH",
+        USERDB_RESULT_OK="USERDB-OK",
+        USERDB_RESULT_USER_UNKNOWN="USERDB-UNKNOWN"
+    }
+}
+
+
+-- Tests for testing the lua<->python interaction 
+
+function test_password_verify_ok(user, password) 
+    local res, extra = auth_password_verify({user=user}, password)
+    assert(res==dovecot.auth.PASSDB_RESULT_OK)
+    assert(extra.uid == "vmail")
+    assert(extra.gid == "vmail")
+    -- assert(extra.homedir == "/home/vmail/link2xt")
+    print("OK test_password_verify_ok "..user.." "..password)
+end
+
+function test_password_verify_mismatch(user, password) 
+    local res = auth_password_verify({user=user}, password)
+    assert(res == dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH)
+    print("OK test_password_verify_mismatch "..user.." "..password)
+end
+
+function test_userdb_lookup_ok(user)
+    local res, extra = auth_userdb_lookup({user=user})
+    assert(extra.uid == "vmail")
+    assert(extra.gid == "vmail")
+    assert(res == dovecot.auth.USERDB_RESULT_OK)
+    print("OK test_userdb_lookup_ok "..user)
+end
+
+function test_userdb_lookup_mismatch(user)
+    local res, extra = auth_userdb_lookup({user=user})
+    assert(res == dovecot.auth.USERDB_RESULT_USER_UNKNOWN)
+    print("OK test_userdb_lookup_mismatch "..user)
+end
+
+function test_passdb_lookup_ok(user)
+    local res, extra = auth_passdb_lookup({user=user})
+    assert(extra.uid == "vmail")
+    assert(extra.gid == "vmail")
+    assert(res == dovecot.auth.PASSDB_RESULT_OK)
+    print("OK test_passdb_lookup_ok "..user)
+end
+
+function test_passdb_lookup_mismatch(user)
+    local res, extra = auth_passdb_lookup({user=user})
+    assert(res == dovecot.auth.PASSDB_RESULT_USER_UNKNOWN)
+    print("OK test_passdb_lookup_mismatch "..user)
+end
+
+function test_split_chatctl()
+    local res = split_chatctl("a=3 b=4\nc=5")
+    assert(res["a"] == "3")
+    assert(res["b"] == "4")
+    assert(res["c"] == "5")
+    print("OK test_split_chatctl")
+end 
+
+test_split_chatctl()
+test_password_verify_ok("link2xt@c1.testrun.org", "Ahyei6ie")
+test_password_verify_mismatch("link2xt@c1.testrun.org", "Aqwlek")
+test_userdb_lookup_ok("link2xt@c1.testrun.org")
+test_userdb_lookup_mismatch("wlekqjlew@xyz.org")
+
+-- probably not needed by dovecot? 
+-- test_passdb_lookup_ok("link2xt@c1.testrun.org")
+-- test_passdb_lookup_mismatch("llqkwjelqwe@xyz.org")
+

chatmail-pyinfra/src/chatmail/dovecot/test_doveauth.py

@@ -0,0 +1,23 @@
+import subprocess
+import pytest
+
+from doveauth import get_user_data, verify_user
+
+
+def test_basic():
+    data = get_user_data("link2xt@c1.testrun.org")
+    assert data
+
+
+@pytest.mark.xfail(reason="no persistence yet")
+def test_verify_or_create():
+    res = verify_user("newuser1@something.org", "kajdlkajsldk12l3kj1983")
+    assert res["status"] == "ok"
+    res = verify_user("newuser1@something.org", "kajdlqweqwe")
+    assert res["status"] == "fail"
+
+
+def test_lua_integration(request):
+    p = request.fspath.dirpath("test_doveauth.lua")
+    proc = subprocess.run(["lua", str(p)])
+    assert proc.returncode == 0