restructure DNS checks

- don't try to guess IP addresses but insist on A and AAAA records
- try to allow ipv4 or ipv6 only zones
- move chatmail.zone generation to jinja so we can have conditionals

chatmaild/src/chatmaild/filtermail.py

@@ -111,7 +111,7 @@ def check_encrypted(message):
     """
     if not message.is_multipart():
         return False
-    if message.get("subject") not in {"...", "[...]"}:
+    if message.get("subject") != "...":
         return False
     if message.get_content_type() != "multipart/encrypted":
         return False

chatmaild/src/chatmaild/tests/mail-data/encrypted.eml

@@ -1,6 +1,6 @@
 From: {from_addr}
 To: {to_addr}
-Subject: {subject}
+Subject: ...
 Date: Sun, 15 Oct 2023 16:43:21 +0000
 Message-ID: <Mr.UVyJWZmkCKM.hGzNc6glBE_@c2.testrun.org>
 In-Reply-To: <Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>

chatmaild/src/chatmaild/tests/plugin.py

@@ -71,11 +71,11 @@ def maildata(request):
 
     assert datadir.exists(), datadir
 
-    def maildata(name, from_addr, to_addr, subject="..."):
+    def maildata(name, from_addr, to_addr):
         # Using `.read_bytes().decode()` instead of `.read_text()` to preserve newlines.
         data = datadir.joinpath(name).read_bytes().decode()
 
-        text = data.format(from_addr=from_addr, to_addr=to_addr, subject=subject)
+        text = data.format(from_addr=from_addr, to_addr=to_addr)
         return BytesParser(policy=policy.default).parsebytes(text.encode())
 
     return maildata

chatmaild/src/chatmaild/tests/test_filtermail.py

@@ -54,16 +54,10 @@ def test_filtermail_no_encryption_detection(maildata):
 
 
 def test_filtermail_encryption_detection(maildata):
-    for subject in ("...", "[...]"):
-        msg = maildata(
-            "encrypted.eml",
-            from_addr="1@example.org",
-            to_addr="2@example.org",
-            subject=subject,
-        )
-        assert check_encrypted(msg)
+    msg = maildata("encrypted.eml", from_addr="1@example.org", to_addr="2@example.org")
+    assert check_encrypted(msg)
 
-    # if the subject is not a known encrypted subject value, it is not considered ac-encrypted
+    # if the subject is not "..." it is not considered ac-encrypted
     msg.replace_header("Subject", "Click this link")
     assert not check_encrypted(msg)
 
@@ -78,7 +72,7 @@ def test_filtermail_unencrypted_mdn(maildata, gencreds):
     """Unencrypted MDNs should not pass."""
     from_addr = gencreds()[0]
     to_addr = gencreds()[0] + ".other"
-    msg = maildata("mdn.eml", from_addr=from_addr, to_addr=to_addr)
+    msg = maildata("mdn.eml", from_addr, to_addr)
 
     assert not check_encrypted(msg)
 
@@ -101,7 +95,7 @@ def test_excempt_privacy(maildata, gencreds, handler):
     handler.config.passthrough_recipients = [to_addr]
     false_to = "privacy@something.org"
 
-    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
+    msg = maildata("plain.eml", from_addr, to_addr)
 
     class env:
         mail_from = from_addr
@@ -124,7 +118,7 @@ def test_passthrough_senders(gencreds, handler, maildata):
     to_addr = "recipient@something.org"
     handler.config.passthrough_senders = [acc1]
 
-    msg = maildata("plain.eml", from_addr=acc1, to_addr=to_addr)
+    msg = maildata("plain.eml", acc1, to_addr)
 
     class env:
         mail_from = acc1

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -55,7 +55,7 @@ def run_cmd(args, out):
     """Deploy chatmail services on the remote server."""
 
     remote_data = dns.get_initial_remote_data(args, out)
-    if not dns.check_initial_remote_data(remote_data, print=out.red):
+    if not remote_data:
         return 1
 
     env = os.environ.copy()
@@ -283,14 +283,16 @@ def main(args=None):
     if not hasattr(args, "func"):
         return parser.parse_args(["-h"])
 
-    ssh_cache = []
+    ssh_exec_cache = []
 
     def get_sshexec():
-        if not ssh_cache:
+        if not ssh_exec_cache:
             print(f"[ssh] login to {args.config.mail_domain}")
-            ssh = SSHExec(args.config.mail_domain, remote_funcs, verbose=args.verbose)
-            ssh_cache.append(ssh)
-        return ssh_cache[0]
+            ssh_exec = SSHExec(
+                args.config.mail_domain, remote_funcs, verbose=args.verbose
+            )
+            ssh_exec_cache.append(ssh_exec)
+        return ssh_exec_cache[0]
 
     args.get_sshexec = get_sshexec
 
@@ -311,6 +313,7 @@ def main(args=None):
         if res is None:
             res = 0
         return res
+
     except KeyboardInterrupt:
         out.red("KeyboardInterrupt")
         sys.exit(130)

cmdeploy/src/cmdeploy/dns.py

@@ -9,18 +9,15 @@ from . import remote_funcs
 def get_initial_remote_data(args, out):
     sshexec = args.get_sshexec()
     mail_domain = args.config.mail_domain
-    return sshexec.logged(
+    remote_data = sshexec.logged(
         call=remote_funcs.perform_initial_checks, kwargs=dict(mail_domain=mail_domain)
     )
 
-
-def check_initial_remote_data(remote_data, print=print):
-    mail_domain = remote_data["mail_domain"]
     if not remote_data["A"] and not remote_data["AAAA"]:
-        print("Missing A and/or AAAA DNS records for {mail_domain}!")
+        out.red("Missing A and/or AAAA DNS records for {mail_domain}!")
     elif not remote_data["MTA_STS"]:
-        print("Missing MTA-STS CNAME record:")
-        print(f"mta-sts.{mail_domain}.   CNAME  {mail_domain}")
+        out.red("Missing MTA_STS record:")
+        out(f"{mail_domain}.   CNAME  {mail_domain}")
     else:
         return remote_data
 
@@ -65,7 +62,7 @@ def show_dns(args, out, remote_data) -> int:
         with open(args.zonefile, "w+") as zf:
             zf.write(zonefile)
         out.green(f"DNS records successfully written to: {args.zonefile}")
-        return 0
+        return -1
 
     if diff_records:
         out.red("Please set the following DNS entries at your DNS provider:\n")

cmdeploy/src/cmdeploy/remote_funcs.py

@@ -11,7 +11,6 @@ All functions of this module
 """
 
 import re
-import traceback
 from subprocess import CalledProcessError, check_output
 
 
@@ -32,12 +31,11 @@ def get_systemd_running():
 
 def perform_initial_checks(mail_domain):
     """Collecting initial DNS zone content."""
-    assert mail_domain
     A = query_dns("A", mail_domain)
     AAAA = query_dns("AAAA", mail_domain)
     MTA_STS = query_dns("CNAME", f"mta-sts.{mail_domain}")
 
-    res = dict(mail_domain=mail_domain, A=A, AAAA=AAAA, MTA_STS=MTA_STS)
+    res = dict(A=A, AAAA=AAAA, MTA_STS=MTA_STS)
     if not MTA_STS or (not A and not AAAA):
         return res
 
@@ -71,14 +69,14 @@ def query_dns(typ, domain):
     print(res)
     if res:
         return res.split("\n")[0]
-    return ""
 
 
 def check_zonefile(zonefile):
-    """Check expected zone file entries."""
+    """Check all expected zone file entries."""
     diff = []
 
     for zf_line in zonefile.splitlines():
+        print("")
         print(f"dns-checking {zf_line!r}")
         zf_domain, zf_typ, zf_value = zf_line.split(maxsplit=2)
         zf_domain = zf_domain.rstrip(".")
@@ -91,35 +89,16 @@ def check_zonefile(zonefile):
     return diff
 
 
-## Function Execution server
-
-
-def _run_loop(cmd_channel):
-    while 1:
-        cmd = cmd_channel.receive()
-        if cmd is None:
-            break
-
-        cmd_channel.send(_handle_one_request(cmd))
-
-
-def _handle_one_request(cmd):
-    func_name, kwargs = cmd
-    try:
-        res = globals()[func_name](**kwargs)
-        return ("finish", res)
-    except:
-        data = traceback.format_exc()
-        return ("error", data)
-
-
 # check if this module is executed remotely
 # and setup a simple serialized function-execution loop
 
 if __name__ == "__channelexec__":
-    channel = channel  # noqa (channel object gets injected)
 
-    # enable simple "print" debugging for anyone changing this module
-    globals()["print"] = lambda x="": channel.send(("log", x))
+    def print(item):
+        channel.send(("log", item))  # noqa
 
-    _run_loop(channel)
+    while 1:
+        func_name, kwargs = channel.receive()  # noqa
+        kwargs = kwargs if kwargs else {}
+        res = globals()[func_name](**kwargs)  # noqa
+        channel.send(("finish", res))  # noqa

cmdeploy/src/cmdeploy/sshexec.py

@@ -3,13 +3,8 @@ import sys
 import execnet
 
 
-class FuncError(Exception):
-    pass
-
-
 class SSHExec:
     RemoteError = execnet.RemoteError
-    FuncError = FuncError
 
     def __init__(self, host, remote_funcs, verbose=False, python="python3", timeout=60):
         self.gateway = execnet.makegateway(f"ssh=root@{host}//python={python}")
@@ -18,8 +13,6 @@ class SSHExec:
         self.verbose = verbose
 
     def __call__(self, call, kwargs=None, log_callback=None):
-        if kwargs is None:
-            kwargs = {}
         self._remote_cmdloop_channel.send((call.__name__, kwargs))
         while 1:
             code, data = self._remote_cmdloop_channel.receive(timeout=self.timeout)
@@ -27,8 +20,6 @@ class SSHExec:
                 log_callback(data)
             elif code == "finish":
                 return data
-            elif code == "error":
-                raise self.FuncError(data)
 
     def logged(self, call, kwargs):
         def log_progress(data):

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -40,18 +40,6 @@ class TestSSHExecutor:
         assert len(lines) > 4
         assert remote_funcs.perform_initial_checks.__doc__ in lines[0]
 
-    def test_exception(self, sshexec, capsys):
-        try:
-            sshexec.logged(
-                remote_funcs.perform_initial_checks,
-                kwargs=dict(mail_domain=None),
-            )
-        except sshexec.FuncError as e:
-            assert "remote_funcs.py" in str(e)
-            assert "AssertionError" in str(e)
-        else:
-            pytest.fail("didn't raise exception")
-
 
 def test_remote(remote, imap_or_smtp):
     lineproducer = remote.iter_output(imap_or_smtp.logcmd)

cmdeploy/src/cmdeploy/tests/test_dns.py

@@ -1,50 +0,0 @@
-import pytest
-
-from cmdeploy import remote_funcs
-from cmdeploy.dns import check_initial_remote_data
-
-
-class TestPerformInitialChecks:
-    @pytest.fixture
-    def mockdns(self, monkeypatch):
-        qdict = {
-            "A": {"some.domain": "1.1.1.1"},
-            "AAAA": {"some.domain": "fde5:cd7a:9e1c:3240:5a99:936f:cdac:53ae"},
-            "CNAME": {"mta-sts.some.domain": "some.domain"},
-        }.copy()
-
-        def query_dns(typ, domain):
-            try:
-                return qdict[typ][domain]
-            except KeyError:
-                return ""
-
-        monkeypatch.setattr(remote_funcs, query_dns.__name__, query_dns)
-        return qdict
-
-    def test_perform_initial_checks_ok1(self, mockdns):
-        remote_data = remote_funcs.perform_initial_checks("some.domain")
-        assert len(remote_data) == 7
-
-    @pytest.mark.parametrize("drop", ["A", "AAAA"])
-    def test_perform_initial_checks_with_one_of_A_AAAA(self, mockdns, drop):
-        del mockdns[drop]
-        remote_data = remote_funcs.perform_initial_checks("some.domain")
-        assert len(remote_data) == 7
-        assert not remote_data[drop]
-
-        l = []
-        res = check_initial_remote_data(remote_data, print=l.append)
-        assert res
-        assert not l
-
-    def test_perform_initial_checks_no_mta_sts(self, mockdns):
-        del mockdns["CNAME"]
-        remote_data = remote_funcs.perform_initial_checks("some.domain")
-        assert len(remote_data) == 4
-        assert not remote_data["MTA_STS"]
-
-        l = []
-        res = check_initial_remote_data(remote_data, print=l.append)
-        assert not res
-        assert len(l) == 2