From c2af0a21cb1263ec354708b4623eca154a19d102 Mon Sep 17 00:00:00 2001 From: drebs Date: Wed, 23 Jan 2013 17:19:26 -0200 Subject: Add test for message encryption. --- src/leap/email/smtp/smtprelay.py | 203 ++++++++++++++++++++++++++++ src/leap/email/smtp/smtprelay.tac | 200 --------------------------- src/leap/email/smtp/tests/__init__.py | 2 +- src/leap/email/smtp/tests/test_smtprelay.py | 66 +++++---- 4 files changed, 240 insertions(+), 231 deletions(-) create mode 100644 src/leap/email/smtp/smtprelay.py delete mode 100644 src/leap/email/smtp/smtprelay.tac (limited to 'src/leap/email') diff --git a/src/leap/email/smtp/smtprelay.py b/src/leap/email/smtp/smtprelay.py new file mode 100644 index 00000000..f44aeb6f --- /dev/null +++ b/src/leap/email/smtp/smtprelay.py @@ -0,0 +1,203 @@ +import re +import gnupg +from zope.interface import implements +from StringIO import StringIO +from twisted.mail import smtp +from twisted.internet.protocol import ServerFactory +from twisted.internet import reactor +from twisted.internet import defer +from twisted.application import internet, service +from twisted.python import log +from email.Header import Header + + +class SMTPFactory(ServerFactory): + """ + Factory for an SMTP server with encrypted relaying capabilities. + """ + + def __init__(self, gpg=None): + self._gpg = gpg + + def buildProtocol(self, addr): + "Return a protocol suitable for the job." + # TODO: use ESMTP here. + smtpProtocol = smtp.SMTP(SMTPDelivery(self._gpg)) + smtpProtocol.factory = self + return smtpProtocol + + +class SMTPDelivery(object): + """ + Validate email addresses and handle message delivery. + """ + + implements(smtp.IMessageDelivery) + + def __init__(self, gpg=None): + if gpg: + self._gpg = gpg + else: + self._gpg = GPGWrapper() + + def receivedHeader(self, helo, origin, recipients): + myHostname, clientIP = helo + headerValue = "by %s from %s with ESMTP ; %s" % ( + myHostname, clientIP, smtp.rfc822date( )) + # email.Header.Header used for automatic wrapping of long lines + return "Received: %s" % Header(headerValue) + + def validateTo(self, user): + """Assert existence of and trust on recipient's GPG public key.""" + # try to find recipient's public key + try: + # this will raise an exception if key is not found + trust = self._gpg.find_key(user.dest.addrstr)['trust'] + # if key is not ultimatelly trusted, then the message will not + # be encrypted. So, we check for this below + #if trust != 'u': + # raise smtp.SMTPBadRcpt(user) + log.msg("Accepting mail for %s..." % user.dest) + return lambda: EncryptedMessage(user, gpg=self._gpg) + except LookupError: + raise smtp.SMTPBadRcpt(user) + + def validateFrom(self, helo, originAddress): + # accept mail from anywhere. To reject an address, raise + # smtp.SMTPBadSender here. + return originAddress + + +class EncryptedMessage(): + """ + Receive plaintext from client, encrypt it and send message to a + recipient. + """ + implements(smtp.IMessage) + + SMTP_HOSTNAME = "mail.riseup.net" + SMTP_PORT = 25 + + def __init__(self, user, gpg=None): + self.user = user + self.getSMTPInfo() + self.lines = [] + if gpg: + self._gpg = gpg + else: + self._gpg = GPGWrapper() + + def lineReceived(self, line): + """Store email DATA lines as they arrive.""" + self.lines.append(line) + + def eomReceived(self): + """Encrypt and send message.""" + log.msg("Message data complete.") + self.lines.append('') # add a trailing newline + self.parseMessage() + try: + self.encrypt() + return self.sendMessage() + except LookupError: + return None + + def parseMessage(self): + """Separate message headers from body.""" + sep = self.lines.index('') + self.headers = self.lines[:sep] + self.body = self.lines[sep+1:] + + def connectionLost(self): + log.msg("Connection lost unexpectedly!") + log.err() + # unexpected loss of connection; don't save + self.lines = [] + + def sendSuccess(self, r): + log.msg(r) + + def sendError(self, e): + log.msg(e) + log.err() + + def prepareHeader(self): + self.headers.insert(1, "From: %s" % self.user.orig.addrstr) + self.headers.insert(2, "To: %s" % self.user.dest.addrstr) + self.headers.append('') + + def sendMessage(self): + self.prepareHeader() + msg = '\n'.join(self.headers+[self.cyphertext]) + d = defer.Deferred() + factory = smtp.ESMTPSenderFactory(self.smtp_username, + self.smtp_password, + self.smtp_username, + self.user.dest.addrstr, + StringIO(msg), + d) + # the next call is TSL-powered! + reactor.connectTCP(self.SMTP_HOSTNAME, self.SMTP_PORT, factory) + d.addCallback(self.sendSuccess) + d.addErrback(self.sendError) + return d + + def encrypt(self, always_trust=True): + # TODO: do not "always trust" here. + fp = self._gpg.find_key(self.user.dest.addrstr)['fingerprint'] + log.msg("Encrypting to %s" % fp) + self.cyphertext = str(self._gpg.encrypt('\n'.join(self.body), [fp], + always_trust=always_trust)) + + # this will be replaced by some other mechanism of obtaining credentials + # for SMTP server. + def getSMTPInfo(self): + f = open('/media/smtp-info.txt', 'r') + self.smtp_host = f.readline().rstrip() + self.smtp_port = f.readline().rstrip() + self.smtp_username = f.readline().rstrip() + self.smtp_password = f.readline().rstrip() + f.close() + + +class GPGWrapper(): + """ + This is a temporary class for handling GPG requests, and should be + replaced by a more general class used throughout the project. + """ + + GNUPG_HOME = "~/.config/leap/gnupg" + GNUPG_BINARY = "/usr/bin/gpg" # this has to be changed based on OS + + def __init__(self, gpghome=GNUPG_HOME, gpgbinary=GNUPG_BINARY): + self.gpg = gnupg.GPG(gnupghome=gpghome, gpgbinary=gpgbinary) + + def find_key(self, email): + """ + Find user's key based on their email. + """ + for key in self.gpg.list_keys(): + for uid in key['uids']: + if re.search(email, uid): + return key + raise LookupError("GnuPG public key for %s not found!" % email) + + def encrypt(self, data, recipient, always_trust=True): + # TODO: do not 'always_trust'. + return self.gpg.encrypt(data, recipient, always_trust=always_trust) + + def decrypt(self, data): + return self.gpg.decrypt(data) + + def import_keys(self, data): + return self.gpg.import_keys(data) + + +# service configuration +port = 25 +factory = SMTPFactory() + +# these enable the use of this service with twistd +application = service.Application("LEAP SMTP Relay") +service = internet.TCPServer(port, factory) +service.setServiceParent(application) diff --git a/src/leap/email/smtp/smtprelay.tac b/src/leap/email/smtp/smtprelay.tac deleted file mode 100644 index f7074dfb..00000000 --- a/src/leap/email/smtp/smtprelay.tac +++ /dev/null @@ -1,200 +0,0 @@ -import re -import gnupg -from zope.interface import implements -from StringIO import StringIO -from twisted.mail import smtp -from twisted.internet.protocol import ServerFactory -from twisted.internet import reactor -from twisted.internet import defer -from twisted.application import internet, service -from email.Header import Header - - -class SMTPFactory(ServerFactory): - """ - Factory for an SMTP server with encrypted relaying capabilities. - """ - - def __init__(self, gpg=None): - self._gpg = gpg - - def buildProtocol(self, addr): - "Return a protocol suitable for the job." - # TODO: use ESMTP here. - smtpProtocol = smtp.SMTP(SMTPDelivery(self._gpg)) - smtpProtocol.factory = self - return smtpProtocol - - -class SMTPDelivery(object): - """ - Validate email addresses and handle message delivery. - """ - - implements(smtp.IMessageDelivery) - - def __init__(self, gpg=None): - if gpg: - self._gpg = gpg - else: - self._gpg = GPGWrapper() - - def receivedHeader(self, helo, origin, recipients): - myHostname, clientIP = helo - headerValue = "by %s from %s with ESMTP ; %s" % ( - myHostname, clientIP, smtp.rfc822date( )) - # email.Header.Header used for automatic wrapping of long lines - return "Received: %s" % Header(headerValue) - - def validateTo(self, user): - """Assert existence of and trust on recipient's GPG public key.""" - # try to find recipient's public key - try: - # this will raise an exception if key is not found - trust = self._gpg.find_key(user.dest.addrstr)['trust'] - # if key is not ultimatelly trusted, then the message will not - # be encrypted. So, we check for this below - #if trust != 'u': - # raise smtp.SMTPBadRcpt(user) - print "Accepting mail for %s..." % user.dest - return lambda: EncryptedMessage(user, gpg=self._gpg) - except LookupError: - raise smtp.SMTPBadRcpt(user) - - def validateFrom(self, helo, originAddress): - # accept mail from anywhere. To reject an address, raise - # smtp.SMTPBadSender here. - return originAddress - - -class EncryptedMessage(): - """ - Receive plaintext from client, encrypt it and send message to a - recipient. - """ - implements(smtp.IMessage) - - SMTP_HOSTNAME = "mail.riseup.net" - SMTP_PORT = 25 - - def __init__(self, user, gpg=None): - self.user = user - self.getSMTPInfo() - self.lines = [] - if gpg: - self._gpg = gpg - else: - self._gpg = GPGWrapper() - - def lineReceived(self, line): - """Store email DATA lines as they arrive.""" - self.lines.append(line) - - def eomReceived(self): - """Encrypt and send message.""" - print "Message data complete." - self.lines.append('') # add a trailing newline - self.parseMessage() - try: - self.encrypt() - return self.sendMessage() - except LookupError: - return None - - def parseMessage(self): - """Separate message headers from body.""" - sep = self.lines.index('') - self.headers = self.lines[:sep] - self.body = self.lines[sep+1:] - - def connectionLost(self): - print "Connection lost unexpectedly!" - # unexpected loss of connection; don't save - self.lines = [] - - def sendSuccess(self, r): - print r - - def sendError(self, e): - print e - - def prepareHeader(self): - self.headers.insert(1, "From: %s" % self.user.orig.addrstr) - self.headers.insert(2, "To: %s" % self.user.dest.addrstr) - self.headers.append('') - - def sendMessage(self): - self.prepareHeader() - msg = '\n'.join(self.headers+[self.cyphertext]) - d = defer.Deferred() - factory = smtp.ESMTPSenderFactory(self.smtp_username, - self.smtp_password, - self.smtp_username, - self.user.dest.addrstr, - StringIO(msg), - d) - # the next call is TSL-powered! - reactor.connectTCP(self.SMTP_HOSTNAME, self.SMTP_PORT, factory) - d.addCallback(self.sendSuccess) - d.addErrback(self.sendError) - return d - - def encrypt(self, always_trust=True): - # TODO: do not "always trust" here. - fp = self._gpg.find_key(self.user.dest.addrstr)['fingerprint'] - print "Encrypting to %s" % fp - self.cyphertext = str(self._gpg.encrypt('\n'.join(self.body), [fp], - always_trust=always_trust)) - - # this will be replaced by some other mechanism of obtaining credentials - # for SMTP server. - def getSMTPInfo(self): - f = open('/media/smtp-info.txt', 'r') - self.smtp_host = f.readline().rstrip() - self.smtp_port = f.readline().rstrip() - self.smtp_username = f.readline().rstrip() - self.smtp_password = f.readline().rstrip() - f.close() - - -class GPGWrapper(): - """ - This is a temporary class for handling GPG requests, and should be - replaced by a more general class used throughout the project. - """ - - GNUPG_HOME = "~/.config/leap/gnupg" - GNUPG_BINARY = "/usr/bin/gpg" # this has to be changed based on OS - - def __init__(self, gpghome=GNUPG_HOME, gpgbinary=GNUPG_BINARY): - self.gpg = gnupg.GPG(gnupghome=gpghome, gpgbinary=gpgbinary) - - def find_key(self, email): - """ - Find user's key based on their email. - """ - for key in self.gpg.list_keys(): - for uid in key['uids']: - if re.search(email, uid): - return key - raise LookupError("GnuPG public key for %s not found!" % email) - - def encrypt(self, data, recipient, always_trust=True): - # TODO: do not 'always_trust'. - return self.gpg.encrypt(data, recipient, always_trust=always_trust) - - def decrypt(self, data): - return self.gpg.decrypt(data) - - def import_keys(self, data): - return self.gpg.import_keys(data) - - -# service configuration -port = 25 -factory = SMTPFactory() - -# these enable the use of this service with twistd -application = service.Application("LEAP SMTP Relay") -service = internet.TCPServer(port, factory) -service.setServiceParent(application) diff --git a/src/leap/email/smtp/tests/__init__.py b/src/leap/email/smtp/tests/__init__.py index 1b2d8bd1..d00ebeb5 100644 --- a/src/leap/email/smtp/tests/__init__.py +++ b/src/leap/email/smtp/tests/__init__.py @@ -21,7 +21,7 @@ class OpenPGPTestCase(unittest.TestCase): def tearDown(self): shutil.rmtree(self.GNUPG_HOME) - def test_encrypt_decrypt(self): + def test_openpgp_encrypt_decrypt(self): text = "simple raw text" encrypted = str(self._gpg.encrypt(text, KEY_FINGERPRINT, # TODO: handle always trust issue diff --git a/src/leap/email/smtp/tests/test_smtprelay.py b/src/leap/email/smtp/tests/test_smtprelay.py index 5410c75e..dc0055c6 100644 --- a/src/leap/email/smtp/tests/test_smtprelay.py +++ b/src/leap/email/smtp/tests/test_smtprelay.py @@ -1,22 +1,25 @@ from datetime import datetime import re from leap.email.smtp.smtprelay import ( - SMTPFactory, # a ServerFactory + SMTPFactory, #SMTPDelivery, # an object - #EncryptedMessage, + EncryptedMessage, ) from leap.email.smtp import tests from twisted.internet.error import ConnectionDone from twisted.test import proto_helpers +from twisted.internet import defer +from twisted.mail.smtp import User +# some regexps +IP_REGEX = "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"; +HOSTNAME_REGEX = "(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])"; +IP_OR_HOST_REGEX = '(' + IP_REGEX + '|' + HOSTNAME_REGEX + ')' + class TestSmtpRelay(tests.OpenPGPTestCase): - IP_REGEX = "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"; - HOSTNAME_REGEX = "(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])"; - IP_OR_HOST_REGEX = '(' + IP_REGEX + '|' + HOSTNAME_REGEX + ')' - - CRLF = '\r\n' + EMAIL_DATA = [ 'HELO relay.leap.se', 'MAIL FROM: ', 'RCPT TO: ', @@ -32,25 +35,8 @@ class TestSmtpRelay(tests.OpenPGPTestCase): '', '.', 'QUIT' ] - SMTP_ANSWERS = [ '220 ' + IP_OR_HOST_REGEX + ' NO UCE NO UBE NO RELAY PROBES', - '250 ' + IP_OR_HOST_REGEX + ' Hello ' + IP_OR_HOST_REGEX + ', nice to meet you', - '250 Sender address accepted', - '250 Recipient address accepted', - '354 Continue' ] - - - def setUp(self): - super(TestSmtpRelay, self).setUp() - self.proto = SMTPFactory(self._gpg).buildProtocol(('127.0.0.1',0)) - self.transport = proto_helpers.StringTransport() - self.proto.makeConnection(self.transport) - def tearDown(self): - self.proto.setTimeout(None) - super(TestSmtpRelay, self).tearDown() - - def assertMatch(self, string, pattern, msg=None): if not re.match(pattern, string): msg = self._formatMessage(msg, '"%s" does not match pattern "%s".' @@ -58,13 +44,33 @@ class TestSmtpRelay(tests.OpenPGPTestCase): raise self.failureException(msg) - def test_send_email(self): + def test_relay_accepts_valid_email(self): """ - If L{smtp.SMTP} receives an empty line, it responds with a 500 error - response code and a message about a syntax error. + Test if SMTP server responds correctly for valid interaction. """ + SMTP_ANSWERS = [ '220 ' + IP_OR_HOST_REGEX + ' NO UCE NO UBE NO RELAY PROBES', + '250 ' + IP_OR_HOST_REGEX + ' Hello ' + IP_OR_HOST_REGEX + ', nice to meet you', + '250 Sender address accepted', + '250 Recipient address accepted', + '354 Continue' ] + proto = SMTPFactory(self._gpg).buildProtocol(('127.0.0.1',0)) + transport = proto_helpers.StringTransport() + proto.makeConnection(transport) for i, line in enumerate(self.EMAIL_DATA): - self.proto.lineReceived(line+self.CRLF) - self.assertMatch(self.transport.value(), - self.CRLF.join(self.SMTP_ANSWERS[0:i+1])) + proto.lineReceived(line + '\r\n') + self.assertMatch(transport.value(), + '\r\n'.join(SMTP_ANSWERS[0:i+1])) + proto.setTimeout(None) + + + def test_message_encrypt(self): + proto = SMTPFactory(self._gpg).buildProtocol(('127.0.0.1',0)) + user = User('leap@leap.se', 'relay.leap.se', proto, 'leap@leap.se') + m = EncryptedMessage(user, self._gpg) + for line in self.EMAIL_DATA[4:12]: + m.lineReceived(line) + m.parseMessage() + m.encrypt() + decrypted = str(self._gpg.decrypt(m.cyphertext)) + self.assertEqual('\n'.join(self.EMAIL_DATA[9:12]), decrypted) -- cgit v1.2.3