renames

* add a lua test script running directly against  chatctl.py

pyproject.toml

@@ -8,3 +8,23 @@ version = "0.1"
 dependencies = [
   "pyinfra",
 ]
+
+[tool.pytest.ini_options]
+addopts = "-v -ra --strict-markers"
+
+[tool.tox]
+legacy_tox_ini = """
+[tox]
+isolated_build = true
+envlist = lint
+
+[testenv:lint]
+skipdist = True
+skip_install = True
+deps =
+  ruff
+  black
+commands =
+  black --quiet --check --diff src/
+  ruff src/
+"""

src/chatmail/__init__.py

@@ -2,7 +2,6 @@
 Chat Mail pyinfra deploy.
 """
 import importlib.resources
-from io import StringIO
 
 from pyinfra import host, logger
 from pyinfra.operations import apt, files, server, systemd, python
@@ -14,7 +13,7 @@ def _install_chatctl() -> None:
     """Setup chatctl."""
     files.put(
         src=importlib.resources.files(__package__)
-        .joinpath("chatctl/chatctl.py")
+        .joinpath("dovecot/doveauth.py")
         .open("rb"),
         dest="/home/vmail/chatctl",
         user="vmail",
@@ -104,8 +103,8 @@ def _configure_dovecot(mail_server: str) -> bool:
 
     # luarocks install http lpeg_patterns fifo
     auth_script = files.put(
-        src=importlib.resources.files(__package__).joinpath("dovecot/auth.lua"),
+        src=importlib.resources.files(__package__).joinpath("dovecot/doveauth.lua"),
-        dest="/etc/dovecot/auth.lua",
+        dest="/etc/dovecot/doveauth.lua",
         user="root",
         group="root",
         mode="644",
@@ -118,7 +117,7 @@ def _configure_dovecot(mail_server: str) -> bool:
 def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> None:
     """Deploy a chat-mail instance.
 
-    :param mail_domain: the domain part of your future email addresses, so "example.org" in user@example.org
+    :param mail_domain: domain part of your future email addresses
     :param mail_server: the DNS name under which your mail server is reachable
     :param dkim_selector:
     """

src/chatmail/acmetool/__init__.py

@@ -1,16 +1,8 @@
-from pathlib import Path
+import importlib.resources
 
 from pyinfra.operations import apt, files, systemd, server
 
 
-def openfile(basename):
-    # on newer python versions:
-    # importlib.resources.files(__package__).joinpath(basename).open("rb")
-    # but here we use a way supported on old pythons
-    dirpath = Path(__path__[0])
-    return dirpath.joinpath(basename).open("rb")
-
-
 def deploy_acmetool(nginx_hook=False, email="", domains=[]):
     """Deploy acmetool."""
     apt.packages(
@@ -19,7 +11,7 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
     )
 
     files.put(
-        src=openfile("acmetool.cron"),
+        src=importlib.resources.files(__package__).joinpath("acmetool.cron").open("rb"),
         dest="/etc/cron.d/acmetool",
         user="root",
         group="root",
@@ -28,7 +20,9 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
 
     if nginx_hook:
         files.put(
-            src=openfile("acmetool.hook"),
+            src=importlib.resources.files(__package__)
+            .joinpath("acmetool.hook")
+            .open("rb"),
             dest="/usr/lib/acme/hooks/nginx",
             user="root",
             group="root",
@@ -36,7 +30,7 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
         )
 
     files.template(
-        src=openfile("response-file.yaml.j2"),
+        src=importlib.resources.files(__package__).joinpath("response-file.yaml.j2"),
         dest="/var/lib/acme/conf/responses",
         user="root",
         group="root",
@@ -45,7 +39,9 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
     )
 
     service_file = files.put(
-        src=openfile("acmetool-redirector.service"),
+        src=importlib.resources.files(__package__)
+        .joinpath("acmetool-redirector.service")
+        .open("rb"),
         dest="/etc/systemd/system/acmetool-redirector.service",
         user="root",
         group="root",

src/chatmail/chatctl/chatctl.py

@@ -1,17 +0,0 @@
-#!/usr/bin/env python3
-import base64
-import sys
-
-if sys.argv[1] == "hexauth":
-    login = base64.b16decode(sys.argv[2])
-    password = base64.b16decode(sys.argv[3])
-    if login == b"link2xt@instant2.testrun.org" and password == b"Ahyei6ie":
-        sys.exit(0)
-    else:
-        sys.exit(1)
-elif sys.argv[1] == "hexlookup":
-    login = base64.b16decode(sys.argv[2])
-    if login == b"link2xt@instant2.testrun.org":
-        sys.exit(0)
-    else:
-        sys.exit(1)

src/chatmail/dovecot/auth.lua

@@ -1,35 +0,0 @@
--- Lua based authentication script for Dovecot.
---
--- It calls external chatctl command to answer requests.
-
--- Hexadecimal aka base16 encoding.
-function hex(data)
-   return (data:gsub(".", function(char) return string.format("%2X", char:byte()) end))
-end
-
--- Escape shell argument by hex encoding it and wrapping in quotes.
-function escape(data)
-   return ("'"..hex(data).."'")
-end
-
-function auth_password_verify(request, password)
-  if os.execute("/home/vmail/chatctl hexauth "..escape(request.user).." "..escape(password)) then
-    return dovecot.auth.PASSDB_RESULT_OK, {}
-  end
-  return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, ""
-end
-
-function auth_passdb_lookup(request)
-  if os.execute("/home/vmail/chatctl hexlookup "..escape(request.user)) then
-    return dovecot.auth.PASSDB_RESULT_OK, {}
-  end
-  return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
-end
-
-function auth_userdb_lookup(request)
-  if os.execute("/home/vmail/chatctl hexlookup "..escape(request.user)) then
-    return dovecot.auth.USERDB_RESULT_OK, "uid=vmail gid=vmail"
-  end
-
-  return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
-end

src/chatmail/dovecot/doveauth.lua

@@ -0,0 +1,60 @@
+
+-- Escape shell argument by hex encoding it and wrapping in quotes.
+function escape(data)
+   b16 = data:gsub(".", function(char) return string.format("%2X", char:byte()) end)
+   return ("'"..b16.."'")
+end
+
+-- call out to python program to actually manage authentication for dovecot
+
+function chatctl_verify(user, password)
+    local handle = io.popen("python doveauth.py hexauth "..escape(user).." "..escape(password))
+    local result = handle:read("*a")
+    handle:close()
+    return split_chatctl(result)
+end
+
+function chatctl_lookup(user) 
+    assert(user)
+    local handle = io.popen("python doveauth.py hexlookup "..escape(user))
+    local result = handle:read("*a")
+    handle:close()
+    return split_chatctl(result)
+end
+
+function get_extra_dovecot_output(res)
+    return {homedir=res.homedir, uid=res.uid, gid=res.gid}
+end
+
+
+function auth_passdb_verify(request, password)
+    local res = chatctl_verify(request.user, password)
+    if res.status == "ok" then 
+        return dovecot.auth.PASSDB_RESULT_OK, get_extra_dovecot_output(res)
+    end
+    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, ""
+end
+
+function auth_passdb_lookup(request)
+    local res = chatctl_lookup(request.user) 
+    if res.status == "ok" then 
+        return dovecot.auth.PASSDB_RESULT_OK, get_extra_dovecot_output(res)
+    end
+    return dovecot.auth.PASSDB_RESULT_USER_UNKNOWN, "no such user"
+end
+
+function auth_userdb_lookup(request)
+    local res = chatctl_lookup(request.user) 
+    if res.status == "ok" then
+        return dovecot.auth.USERDB_RESULT_OK, get_extra_dovecot_output(res)
+    end
+    return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
+end
+
+function split_chatctl(output) 
+    local ret = {}
+    for key, value in output:gmatch "(%w+)%s*=%s*(%w+)" do
+        ret[key] = value
+    end
+    return ret
+end

src/chatmail/dovecot/doveauth.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+import base64
+import sys
+
+
+def get_user_data(user):
+    if user == b"link2xt@instant2.testrun.org":
+        return dict(
+            homedir="/home/vmail/link2xt",
+            uid="vmail",
+            gid="vmail",
+            password=b"Ahyei6ie",
+        )
+    return {}
+
+
+def create_user(user, password):
+    assert isinstance(password, bytes)
+    return dict(
+        homedir=f"/home/vmail/{user}", uid="vmail", gid="vmail", password=password
+    )
+
+
+def verify_user(user, password):
+    userdata = get_user_data(user)
+    if userdata:
+        if userdata.get("password") == password:
+            userdata["status"] = "ok"
+        else:
+            userdata["status"] = "fail"
+    else:
+        userdata = create_user(user, password)
+        userdata["status"] = "ok"
+
+    return userdata
+
+
+def lookup_user(user):
+    userdata = get_user_data(user)
+    if userdata:
+        userdata["status"] = "ok"
+    else:
+        userdata["status"] = "fail"
+    return userdata
+
+
+def dump_result(res):
+    for key, value in res.items():
+        print(f"{key}={value}")
+
+
+if __name__ == "__main__":
+    if sys.argv[1] == "hexauth":
+        login = base64.b16decode(sys.argv[2])
+        password = base64.b16decode(sys.argv[3])
+        res = verify_user(login, password)
+        dump_result(res)
+    elif sys.argv[1] == "hexlookup":
+        login = base64.b16decode(sys.argv[2])
+        res = lookup_user(login)
+        dump_result(res)

src/chatmail/dovecot/dovecot.conf.j2

@@ -7,11 +7,11 @@ auth_mechanisms = plain
 # Authentication for system users.
 passdb {
   driver = lua
-  args = file=/etc/dovecot/auth.lua
+  args = file=/etc/dovecot/doveauth.lua
 }
 userdb {
   driver = lua
-  args = file=/etc/dovecot/auth.lua
+  args = file=/etc/dovecot/doveauth.lua
 }
 
 ##

src/chatmail/dovecot/test_doveauth.lua

@@ -0,0 +1,76 @@
+
+require "doveauth"
+
+-- simulate dovecot defined result codes 
+
+dovecot = {
+    auth = {
+        PASSDB_RESULT_OK="PASSWORD-OK",
+        PASSDB_RESULT_PASSWORD_MISMATCH="PASSWORD-MISMATCH",
+        USERDB_RESULT_OK="USERDB-OK",
+        USERDB_RESULT_USER_UNKNOWN="USERDB-UNKNOWN"
+    }
+}
+
+
+-- Tests for testing the lua<->python interaction 
+
+function test_passdb_verify_ok(user, password) 
+    local res, extra = auth_passdb_verify({user=user}, password)
+    assert(res==dovecot.auth.PASSDB_RESULT_OK)
+    assert(extra.uid == "vmail")
+    assert(extra.gid == "vmail")
+    -- assert(extra.homedir == "/home/vmail/link2xt")
+    print("OK test_passdb_verify_ok "..user.." "..password)
+end
+
+function test_passdb_verify_mismatch(user, password) 
+    local res = auth_passdb_verify({user=user}, password)
+    assert(res == dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH)
+    print("OK test_passdb_verify_mismatch "..user.." "..password)
+end
+
+function test_userdb_lookup_ok(user)
+    local res, extra = auth_userdb_lookup({user=user})
+    assert(extra.uid == "vmail")
+    assert(extra.gid == "vmail")
+    assert(res == dovecot.auth.USERDB_RESULT_OK)
+    print("OK test_userdb_lookup_ok "..user)
+end
+
+function test_userdb_lookup_mismatch(user)
+    local res, extra = auth_userdb_lookup({user=user})
+    assert(res == dovecot.auth.USERDB_RESULT_USER_UNKNOWN)
+    print("OK test_userdb_lookup_mismatch "..user)
+end
+
+function test_passdb_lookup_ok(user)
+    local res, extra = auth_passdb_lookup({user=user})
+    assert(extra.uid == "vmail")
+    assert(extra.gid == "vmail")
+    assert(res == dovecot.auth.PASSDB_RESULT_OK)
+    print("OK test_passdb_lookup_ok "..user)
+end
+
+function test_passdb_lookup_mismatch(user)
+    local res, extra = auth_passdb_lookup({user=user})
+    assert(res == dovecot.auth.PASSDB_RESULT_USER_UNKNOWN)
+    print("OK test_passdb_lookup_mismatch "..user)
+end
+
+function test_split_chatctl()
+    local res = split_chatctl("a=3 b=4\nc=5")
+    assert(res["a"] == "3")
+    assert(res["b"] == "4")
+    assert(res["c"] == "5")
+    print("OK test_split_chatctl")
+end 
+
+test_split_chatctl()
+test_passdb_verify_ok("link2xt@instant2.testrun.org", "Ahyei6ie")
+test_passdb_verify_mismatch("link2xt@instant2.testrun.org", "Aqwlek")
+test_userdb_lookup_ok("link2xt@instant2.testrun.org")
+test_userdb_lookup_mismatch("wlekqjlew@xyz.org")
+test_passdb_lookup_ok("link2xt@instant2.testrun.org")
+test_passdb_lookup_mismatch("llqkwjelqwe@xyz.org")
+

src/chatmail/dovecot/test_doveauth.py

@@ -0,0 +1,23 @@
+import subprocess
+import pytest
+
+from doveauth import get_user_data, verify_user
+
+
+def test_basic():
+    data = get_user_data(b"link2xt@instant2.testrun.org")
+    assert data
+
+
+@pytest.mark.xfail(reason="no persistence yet")
+def test_verify_or_create():
+    res = verify_user(b"newuser1@something.org", b"kajdlkajsldk12l3kj1983")
+    assert res["status"] == "ok"
+    res = verify_user(b"newuser1@something.org", b"kajdlqweqwe")
+    assert res["status"] == "fail"
+
+
+def test_lua_integration(request):
+    p = request.fspath.dirpath("test_doveauth.lua")
+    proc = subprocess.run(["lua", str(p)])
+    assert proc.returncode == 0

tox.ini

@@ -1,13 +0,0 @@
-[tox]
-isolated_build = true
-envlist = lint
-
-[testenv:lint]
-skipdist = True
-skip_install = True
-deps =
-  ruff
-  black
-commands =
-  black --quiet --check --diff src/
-  ruff src/