fix(logging): log all http requests to syslog

chatmaild/src/chatmaild/metadata.py

@@ -88,27 +88,29 @@ class MetadataDictProxy(DictProxy):
 
     def handle_lookup(self, parts):
         # Lpriv/43f5f508a7ea0366dff30200c15250e3/devicetoken\tlkj123poi@c2.testrun.org
-        match parts[0].split("/", 2):
-            case ["priv", _, keyname] if keyname == self.metadata.DEVICETOKEN_KEY:
-                addr = parts[1]
+        keyparts = parts[0].split("/", 2)
+        if keyparts[0] == "priv":
+            keyname = keyparts[2]
+            addr = parts[1]
+            if keyname == self.metadata.DEVICETOKEN_KEY:
                 res = " ".join(self.metadata.get_tokens_for_addr(addr))
                 return f"O{res}\n"
-            case ["shared", _, keyname]:
-                prefix = "vendor/vendor.dovecot/pvt/server/vendor/deltachat/"
-                if keyname.startswith(prefix):
-                    match keyname[len(prefix) :]:
-                        case "irohrelay" if self.iroh_relay:
-                            return f"O{self.iroh_relay}\n"
-                        case "turn":
-                            try:
-                                res = turn_credentials()
-                            except Exception:
-                                logging.exception("failed to get TURN credentials")
-                                return "N\n"
-                            return f"O{self.turn_hostname}:3478:{res}\n"
-                        case "maxsmtprecipients":
-                            # postfix default  (see "postconf smtpd_recipient_limit")
-                            return "O1000\n"
+        elif keyparts[0] == "shared":
+            keyname = keyparts[2]
+            if (
+                keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay"
+                and self.iroh_relay
+            ):
+                # Handle `GETMETADATA "" /shared/vendor/deltachat/irohrelay`
+                return f"O{self.iroh_relay}\n"
+            elif keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn":
+                try:
+                    res = turn_credentials()
+                except Exception:
+                    logging.exception("failed to get TURN credentials")
+                    return "N\n"
+                port = 3478
+                return f"O{self.turn_hostname}:{port}:{res}\n"
 
         logging.warning(f"lookup ignored: {parts!r}")
         return "N\n"
@@ -118,13 +120,12 @@ class MetadataDictProxy(DictProxy):
         # https://github.com/dovecot/core/blob/main/src/lib-storage/mailbox-attribute.h
         keyname = parts[1].split("/")
         value = parts[2] if len(parts) > 2 else ""
-        match keyname:
-            case ["priv", _, key] if key == self.metadata.DEVICETOKEN_KEY:
-                self.metadata.add_token_to_addr(addr, value)
-                return True
-            case ["priv", _, "messagenew"]:
-                self.notifier.new_message_for_addr(addr, self.metadata)
-                return True
+        if keyname[0] == "priv" and keyname[2] == self.metadata.DEVICETOKEN_KEY:
+            self.metadata.add_token_to_addr(addr, value)
+            return True
+        elif keyname[0] == "priv" and keyname[2] == "messagenew":
+            self.notifier.new_message_for_addr(addr, self.metadata)
+            return True
 
         return False
 

chatmaild/src/chatmaild/tests/test_metadata.py

@@ -360,8 +360,15 @@ def test_turn_credentials_success(notifier, metadata, monkeypatch):
 
 
 def test_iroh_relay(dictproxy):
-    key = b"Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay\tuser@example.org"
-    rfile, wfile = io.BytesIO(b"H\n" + key), io.BytesIO()
+    rfile = io.BytesIO(
+        b"\n".join(
+            [
+                b"H",
+                b"Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay\tuser@example.org",
+            ]
+        )
+    )
+    wfile = io.BytesIO()
     dictproxy.iroh_relay = "https://example.org/"
     dictproxy.loop_forever(rfile, wfile)
     assert wfile.getvalue() == b"Ohttps://example.org/\n"
@@ -376,23 +383,3 @@ def test_legacy_token_migration(metadata, testaddr):
     tokens = mdict[metadata.DEVICETOKEN_KEY]
     assert isinstance(tokens, dict)
     assert "oldtoken1" in tokens and "oldtoken2" in tokens
-
-
-@pytest.mark.parametrize(
-    "suffix, expected",
-    [
-        (b"vendor/deltachat/maxsmtprecipients", b"O1000\n"),
-        (b"wrong/prefix/key", b"N\n"),
-        (b"vendor/deltachat/unknown", b"N\n"),
-    ],
-    ids=["maxsmtprecipients", "prefix_mismatch", "unknown_name"],
-)
-def test_shared_lookup(dictproxy, suffix, expected):
-    key = (
-        b"Lshared/0123/vendor/vendor.dovecot/pvt/server/"
-        + suffix
-        + b"\tuser@example.org"
-    )
-    rfile, wfile = io.BytesIO(b"H\n" + key), io.BytesIO()
-    dictproxy.loop_forever(rfile, wfile)
-    assert wfile.getvalue() == expected

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -42,6 +42,9 @@ stream {
 }
 
 http {
+	# access_log setting is inherited by all server sections
+	access_log syslog:server=unix:/dev/log,facility=local7;
+
 {% if config.tls_cert_mode == "self" %}
 	limit_req_zone $binary_remote_addr zone=newaccount:10m rate=2r/s;
 {% endif %}
@@ -71,8 +74,6 @@ http {
 
 		server_name {{ config.mail_domain }} mta-sts.{{ config.mail_domain }};
 
-		access_log syslog:server=unix:/dev/log,facility=local7;
-
 		location /mxdeliv {
 		    proxy_pass http://127.0.0.1:{{ config.filtermail_http_port_incoming }};
 		}
@@ -143,7 +144,6 @@ http {
 		listen 127.0.0.1:8443 ssl;
 		server_name www.{{ config.mail_domain }};
 		return 301 $scheme://{{ config.mail_domain }}$request_uri;
-		access_log syslog:server=unix:/dev/log,facility=local7;
 	}
 
 	server {

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -281,3 +281,13 @@ def test_deployed_state(remote):
     # assert len(git_status) == len(remote_version)  # for some reason, we only get 11 lines from remote.iter_output()
     for i in range(len(remote_version)):
         assert git_status[i] == remote_version[i], "You have undeployed changes."
+
+
+def test_nginx_access_log_only_defined_once(sshdomain):
+    sshexec = get_sshexec(sshdomain)
+    conf = sshexec(
+        call=remote.rshell.shell,
+        kwargs=dict(command="nginx -T 2>/dev/null"),
+    )
+    access_logs = [l for l in conf.splitlines() if l.strip().startswith("access_log")]
+    assert len(access_logs) == 1, f"expected 1 access_log, found {len(access_logs)}: {access_logs}"