1 { system ? builtins.currentSystem,
2   config ? {},
3   pkgs ? import ../.. { inherit system config; }
4 }:
6 with import ../lib/testing-python.nix { inherit system pkgs; };
7 with pkgs.lib;
9 let
  # Shared test-script prologue: starts every node, waits for rspamd.service and
  # checks that the `rspamd` account exists (`id rspamd`).
  initMachine = ''
    start_all()
    machine.wait_for_unit("rspamd.service")
    machine.succeed("id rspamd >/dev/null")
  '';
  # Renders a test-script snippet asserting that `socket` exists and that its
  # owner (%U), group (%G) and octal mode (%a) equal `user`, `group` and `mode`.
  # `mode` is compared as a string with the output of `stat -c %a`; the callers
  # in this file pass it without a leading zero ("660", "600", "666").
  # NOTE(review): `ls` only proves that the path exists, not that it is a socket,
  # and the arguments are interpolated into the shell commands unquoted, so the
  # helper is only suitable for the fixed, literal paths used in this file.
  checkSocket = socket: user: group: mode: ''
    machine.succeed(
        "ls ${socket} >/dev/null",
        '[[ "$(stat -c %U ${socket})" == "${user}" ]]',
        '[[ "$(stat -c %G ${socket})" == "${group}" ]]',
        '[[ "$(stat -c %a ${socket})" == "${mode}" ]]',
    )
  '';
  # Test factory: builds the test "rspamd-<name>" with only
  # `services.rspamd.enable` set, and with IPv6 switched on or off through
  # `enableIPv6`.
  # The script waits for TCP port 11334, asserts that /run/rspamd/rspamd.sock is
  # rspamd:rspamd with mode 660 (no access for "other"), logs the generated
  # configuration and the unit file, and requests /auth on port 11334.
  # NOTE(review): the /auth requests carry no credentials; the test only requires
  # that they succeed from loopback (localhost, 127.0.0.1 and, with IPv6, ::1).
  # It does not check whether the port is reachable from a non-loopback address.
  # NOTE(review): the reason for the fixed 10-second sleep is not visible here.
  simple = name: enableIPv6: makeTest {
    name = "rspamd-${name}";
    nodes.machine = {
      services.rspamd.enable = true;
      networking.enableIPv6 = enableIPv6;
    };
    testScript = ''
      start_all()
      machine.wait_for_unit("multi-user.target")
      machine.wait_for_open_port(11334)
      machine.wait_for_unit("rspamd.service")
      machine.succeed("id rspamd >/dev/null")
      ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "660" }
      machine.sleep(10)
      machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
      machine.log(
          machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
      )
      machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf"))
      machine.log(machine.succeed("systemctl cat rspamd.service"))
      machine.log(machine.succeed("curl http://localhost:11334/auth"))
      machine.log(machine.succeed("curl http://127.0.0.1:11334/auth"))
      ${optionalString enableIPv6 ''machine.log(machine.succeed("curl http://[::1]:11334/auth"))''}
      # would not reformat
    '';
  };
  # Two instances of the `simple` factory: one with IPv6 enabled, one IPv4-only.
  simple = simple "simple" true;
  ipv4only = simple "ipv4only" false;
  # "rspamd-deprecated": gives each worker a Unix-socket listener through the
  # attribute-set form of `bindSockets` (socket, mode, owner, group) and checks
  # the resulting permissions.
  # NOTE(review): what the name "deprecated" refers to is not visible in this file.
  deprecated = makeTest {
    name = "rspamd-deprecated";
    nodes.machine = {
      services.rspamd = {
        enable = true;
        # Normal worker: 0600, so only the owning `rspamd` user can connect.
        workers.normal.bindSockets = [{
          socket = "/run/rspamd/rspamd.sock";
          mode = "0600";
          owner = "rspamd";
          group = "rspamd";
        }];
        # Controller: 0666 lets every local account connect to the controller
        # socket. The test script asserts exactly this mode; treat it as a fixture
        # value and restrict the mode or group on a real host.
        workers.controller.bindSockets = [{
          socket = "/run/rspamd/rspamd-worker.sock";
          mode = "0666";
          owner = "rspamd";
          group = "rspamd";
        }];
      };
    };

    # Asserts both socket modes with checkSocket, confirms that rspamd.conf
    # mentions the two worker include files, then queries the controller over
    # its Unix socket with rspamc and curl.
    testScript = ''
      ${initMachine}
      machine.wait_for_file("/run/rspamd/rspamd.sock")
      ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
      ${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
      machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
      machine.log(
          machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
      )
      machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf"))
      machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
      machine.log(
          machine.succeed(
              "curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
          )
      )
    '';
  };
  # "rspamd-bindports": same Unix-socket listeners as the "rspamd-deprecated"
  # test, plus a second controller worker that listens on a TCP port and is
  # configured with a password through `extraConfig`.
  bindports = makeTest {
    name = "rspamd-bindports";
    nodes.machine = {
      services.rspamd = {
        enable = true;
        # Normal worker: 0600, so only the owning `rspamd` user can connect.
        workers.normal.bindSockets = [{
          socket = "/run/rspamd/rspamd.sock";
          mode = "0600";
          owner = "rspamd";
          group = "rspamd";
        }];
        # Controller: 0666 lets every local account connect to the controller
        # socket. The test script asserts exactly this mode; treat it as a fixture
        # value and restrict the mode or group on a real host.
        workers.controller.bindSockets = [{
          socket = "/run/rspamd/rspamd-worker.sock";
          mode = "0666";
          owner = "rspamd";
          group = "rspamd";
        }];
        # Extra controller on TCP; "0.0.0.0:11335" listens on every IPv4 interface.
        workers.controller2 = {
          type = "controller";
          bindSockets = [ "0.0.0.0:11335" ];
          # The password is a literal in this Nix string, so it is copied verbatim
          # into the generated override file (the test script greps for it there).
          # Generated configuration on NixOS normally lives in the world-readable
          # /nix/store, so this pattern only suits throwaway test credentials.
          # NOTE(review): `secure_ip = null` presumably clears the default list of
          # addresses that are let in without a password; confirm against the
          # rspamd documentation.
          # `''${WWWDIR}` is the Nix escape for a literal `${WWWDIR}`, which is
          # written to the rspamd config unexpanded.
          extraConfig = ''
            static_dir = "''${WWWDIR}";
            secure_ip = null;
            password = "verysecretpassword";
          '';
        };
      };
    };

    # NOTE(review): the script proves that the password reaches
    # override.d/worker-controller2.inc and that port 11335 answers /ping, but no
    # request is made with or without the password against a protected endpoint,
    # so password enforcement itself is not exercised. The grep output goes
    # through machine.log, so the password also appears in the test log.
    testScript = ''
      ${initMachine}
      machine.wait_for_file("/run/rspamd/rspamd.sock")
      ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
      ${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
      machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
      machine.log(
          machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
      )
      machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf"))
      machine.log(
          machine.succeed(
              "grep 'LOCAL_CONFDIR/override.d/worker-controller2.inc' /etc/rspamd/rspamd.conf"
          )
      )
      machine.log(
          machine.succeed(
              "grep 'verysecretpassword' /etc/rspamd/override.d/worker-controller2.inc"
          )
      )
      machine.wait_until_succeeds(
          "journalctl -u rspamd | grep -i 'starting controller process' >&2"
      )
      machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
      machine.log(
          machine.succeed(
              "curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
          )
      )
      machine.log(machine.succeed("curl http://localhost:11335/ping"))
    '';
  };
  # "rspamd-custom-lua-rules": installs a custom Lua symbol (NO_MUH) and checks
  # that it fires only for the fixture message whose body contains "Muh". It also
  # checks that disabled `locals` entries are not written to local.d.
  customLuaRules = makeTest {
    name = "rspamd-custom-lua-rules";
    nodes.machine = {
      # Fixture without "Muh" in the body: NO_MUH must not be reported for it.
      environment.etc."tests/no-muh.eml".text = ''
        From: Sheep1<bah@example.com>
        To: Sheep2<mah@example.com>
        Subject: Evil cows

        I find cows to be evil don't you?
      '';
      # Fixture with "Muh" in the body: NO_MUH must be reported for it.
      environment.etc."tests/muh.eml".text = ''
        From: Cow<cow@example.com>
        To: Sheep2<mah@example.com>
        Subject: Evil cows

        Cows are majestic creatures don't Muh agree?
      '';
      services.rspamd = {
        enable = true;
        locals = {
          # `mkIf false` drops this entry; the test script asserts that
          # local.d/antivirus.conf does not exist.
          "antivirus.conf" = mkIf false { text = ''
              clamav {
                action = "reject";
                symbol = "CLAM_VIRUS";
                type = "clamav";
                log_clean = true;
                servers = "/run/clamav/clamd.ctl";
              }
            '';};
          # `enable = false` keeps this entry from being written; the test script
          # asserts that local.d/redis.conf does not exist.
          "redis.conf" = {
            enable = false;
            text = ''
              servers = "127.0.0.1";
            '';
          };
          # Declares the NO_MUH symbol in the "cows" group.
          "groups.conf".text = ''
            group "cows" {
              symbol {
                NO_MUH = {
                  weight = 1.0;
                  description = "Mails should not muh";
                }
              }
            }
          '';
        };
        # Lua rule: the callback walks the text parts of a message and returns
        # true as soon as one contains the substring "Muh".
        # NOTE(review): the rule logs the full content of every text part at info
        # level, and the test script depends on that (it greps the rspamd journal
        # for "muh"). Outside a test this would copy mail bodies into the system
        # log, so the logging should not be carried over into a real rule.
        localLuaRules = pkgs.writeText "rspamd.local.lua" ''
          local rspamd_logger = require "rspamd_logger"
          rspamd_config.NO_MUH = {
            callback = function (task)
              local parts = task:get_text_parts()
              if parts then
                for _,part in ipairs(parts) do
                  local content = tostring(part:get_content())
                  rspamd_logger.infox(rspamd_config, 'Found content %s', content)
                  local found = string.find(content, "Muh");
                  rspamd_logger.infox(rspamd_config, 'Found muh %s', tostring(found))
                  if found then
                    return true
                  end
                end
              end
              return false
            end,
            score = 5.0,
            description = 'Allow no cows',
            group = "cows",
          }
          rspamd_logger.infox(rspamd_config, 'Work dammit!!!')
        '';
      };
    };
    # Logs the generated files, asserts that the disabled local.d files are
    # absent, checks the default socket (rspamd:rspamd, 660), then scans both
    # fixtures through the worker on 127.0.0.1:11334 and greps the reported
    # symbols for NO_MUH.
    testScript = ''
      ${initMachine}
      machine.wait_for_open_port(11334)
      machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
      machine.log(machine.succeed("cat /etc/rspamd/rspamd.local.lua"))
      machine.log(machine.succeed("cat /etc/rspamd/local.d/groups.conf"))
      # Verify that redis.conf was not written
      machine.fail("cat /etc/rspamd/local.d/redis.conf >&2")
      # Verify that antivirus.conf was not written
      machine.fail("cat /etc/rspamd/local.d/antivirus.conf >&2")
      ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "660" }
      machine.log(
          machine.succeed("curl --unix-socket /run/rspamd/rspamd.sock http://localhost/ping")
      )
      machine.log(machine.succeed("rspamc -h 127.0.0.1:11334 stat"))
      machine.log(machine.succeed("cat /etc/tests/no-muh.eml | rspamc -h 127.0.0.1:11334"))
      machine.log(
          machine.succeed("cat /etc/tests/muh.eml | rspamc -h 127.0.0.1:11334 symbols")
      )
      machine.wait_until_succeeds("journalctl -u rspamd | grep -i muh >&2")
      machine.log(
          machine.fail(
              "cat /etc/tests/no-muh.eml | rspamc -h 127.0.0.1:11334 symbols | grep NO_MUH"
          )
      )
      machine.log(
          machine.succeed(
              "cat /etc/tests/muh.eml | rspamc -h 127.0.0.1:11334 symbols | grep NO_MUH"
          )
      )
    '';
  };
  # "rspamd-postfix-integration": runs postfix with rspamd attached
  # (`services.rspamd.postfix.enable`) and checks that a normal message is
  # accepted over SMTP while a message carrying the GTUBE test string is not.
  postfixIntegration = makeTest {
    name = "rspamd-postfix-integration";
    nodes.machine = {
      # msmtp is the SMTP client the test script uses to submit the fixtures.
      environment.systemPackages = with pkgs; [ msmtp ];
      # Fixture containing the GTUBE string, the standard harmless test pattern
      # that spam filters are expected to flag; submission must fail.
      environment.etc."tests/gtube.eml".text = ''
        From: Sheep1<bah@example.com>
        To: Sheep2<tester@example.com>
        Subject: Evil cows

        I find cows to be evil don't you?

        XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
      '';
      # Same message without the GTUBE string; submission must succeed.
      environment.etc."tests/example.eml".text = ''
        From: Sheep1<bah@example.com>
        To: Sheep2<tester@example.com>
        Subject: Evil cows

        I find cows to be evil don't you?
      '';
      # Local recipient for the fixtures. The plain-text `password` option is a
      # test convenience: NixOS documents its value as world-readable in the Nix
      # store, so it is only suitable for a throwaway account like this one.
      users.users.tester = {
        isNormalUser = true;
        password = "test";
      };
      services.postfix = {
        enable = true;
        destination = ["example.com"];
      };
      services.rspamd = {
        enable = true;
        postfix.enable = true;
        workers.rspamd_proxy.type = "rspamd_proxy";
      };
    };
    # The milter socket is expected to be rspamd:postfix with mode 660: the
    # postfix group can connect, other accounts cannot.
    # NOTE(review): `machine.fail` on the GTUBE submission passes for any non-zero
    # exit of msmtp, not only for a rejection issued by rspamd; the preceding
    # successful delivery of example.eml is what rules out a dead SMTP path.
    # The last three checks wait for the mail queue to drain and assert that the
    # postfix journal contains no "error" or "warning" lines.
    testScript = ''
      ${initMachine}
      machine.wait_for_open_port(11334)
      machine.wait_for_open_port(25)
      ${checkSocket "/run/rspamd/rspamd-milter.sock" "rspamd" "postfix" "660" }
      machine.log(machine.succeed("rspamc -h 127.0.0.1:11334 stat"))
      machine.log(
          machine.succeed(
              "msmtp --host=localhost -t --read-envelope-from < /etc/tests/example.eml"
          )
      )
      machine.log(
          machine.fail(
              "msmtp --host=localhost -t --read-envelope-from < /etc/tests/gtube.eml"
          )
      )

      machine.wait_until_fails('[ "$(postqueue -p)" != "Mail queue is empty" ]')
      machine.fail("journalctl -u postfix | grep -i error >&2")
      machine.fail("journalctl -u postfix | grep -i warning >&2")
    '';
  };