diff options
author | jessib <jessib@riseup.net> | 2013-10-17 10:51:47 -0700 |
---|---|---|
committer | jessib <jessib@riseup.net> | 2013-10-17 10:51:47 -0700 |
commit | bf3b59e6807c8e4789b97232c7416093b07cccdf (patch) | |
tree | 5ba3438eac4e0b6c221c76dc1d400245bcbfd76a | |
parent | 4302dcbf6215b863fa5e5389d89c449da300bd47 (diff) | |
parent | 9f4b1bcf315f09fd6d302ad187281ec4ed443f04 (diff) |
Merge pull request #102 from azul/feature/3602-email-blacklist
blacklist system logins for aliases and logins
-rw-r--r-- | config/defaults.yml | 7 | ||||
-rw-r--r-- | users/app/models/local_email.rb | 33 | ||||
-rw-r--r-- | users/test/unit/local_email_test.rb | 31 |
3 files changed, 70 insertions, 1 deletions
diff --git a/config/defaults.yml b/config/defaults.yml index 8d81668..66ec639 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -18,6 +18,11 @@ common: &common pagination_size: 30 auth: token_expires_after: 60 + # handles that will be blocked from being used as logins or email aliases + # in addition to the ones in /etc/passwd and http://tools.ietf.org/html/rfc2142 + handle_blacklist: [certmaster, ssladmin, arin-admin, administrator, www-data, maildrop] + # handles that will be allowed despite being in /etc/passwd or rfc2142 + handle_whitelist: [] development: <<: *dev_ca @@ -43,4 +48,4 @@ production: admins: [] domain: example.net payment: [] -# logfile: /path/to/your/logs + # logfile: /path/to/your/logs diff --git a/users/app/models/local_email.rb b/users/app/models/local_email.rb index 6303bb6..2b4c65e 100644 --- a/users/app/models/local_email.rb +++ b/users/app/models/local_email.rb @@ -1,5 +1,10 @@ class LocalEmail < Email + BLACKLIST_FROM_RFC2142 = [ + 'postmaster', 'hostmaster', 'domainadmin', 'webmaster', 'www', + 'abuse', 'noc', 'security', 'usenet', 'news', 'uucp', + 'ftp', 'sales', 'marketing', 'support', 'info' + ] def self.domain APP_CONFIG[:domain] @@ -11,6 +16,8 @@ class LocalEmail < Email :message => "needs to end in @#{domain}" } + validate :handle_allowed + def initialize(s) super append_domain_if_needed @@ -32,4 +39,30 @@ class LocalEmail < Email end end + def handle_allowed + errors.add(:handle, "is reserved.") if handle_reserved? + end + + def handle_reserved? + # *ARRAY in a case statement tests if ARRAY includes the handle. + case handle + when *APP_CONFIG[:handle_blacklist] + true + when *APP_CONFIG[:handle_whitelist] + false + when *BLACKLIST_FROM_RFC2142 + true + else + handle_in_passwd? + end + end + + def handle_in_passwd? + begin + !!Etc.getpwnam(handle) + rescue ArgumentError + # handle was not found + return false + end + end end diff --git a/users/test/unit/local_email_test.rb b/users/test/unit/local_email_test.rb index b25f46f..20ee7f1 100644 --- a/users/test/unit/local_email_test.rb +++ b/users/test/unit/local_email_test.rb @@ -24,6 +24,37 @@ class LocalEmailTest < ActiveSupport::TestCase assert_equal ["needs to end in @#{LocalEmail.domain}"], local.errors[:email] end + test "blacklists rfc2142" do + black_listed = LocalEmail.new('hostmaster') + assert !black_listed.valid? + end + + test "blacklists etc passwd" do + black_listed = LocalEmail.new('nobody') + assert !black_listed.valid? + end + + test "whitelist overwrites automatic blacklists" do + with_config handle_whitelist: ['nobody', 'hostmaster'] do + white_listed = LocalEmail.new('nobody') + assert white_listed.valid? + white_listed = LocalEmail.new('hostmaster') + assert white_listed.valid? + end + end + + test "blacklists from config" do + black_listed = LocalEmail.new('www-data') + assert !black_listed.valid? + end + + test "blacklist from config overwrites whitelist" do + with_config handle_whitelist: ['www-data'] do + black_listed = LocalEmail.new('www-data') + assert !black_listed.valid? + end + end + def handle @handle ||= Faker::Internet.user_name end |