diff mail_oauth.t @ 1985:b5e2609d34a3

Tests: added tests for OAUTHBEARER and XOAUTH2 auth methods. Based on a patch by Rob Mueller.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 03 Jun 2024 18:15:28 +0300
children 099c972fb42b
new file mode 100644
--- /dev/null
+++ b/mail_oauth.t
@@ -0,0 +1,338 @@
+# (C) Maxim Dounin
+# Tests for mail module, XOAUTH2 and OAUTHBEARER authentication.
+use warnings;
+use strict;
+use Test::More;
+use MIME::Base64;
+use Socket qw/ CRLF /;
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+use lib 'lib';
+use Test::Nginx;
+use Test::Nginx::IMAP;
+use Test::Nginx::POP3;
+use Test::Nginx::SMTP;
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+local $SIG{PIPE} = 'IGNORE';
+my $t = Test::Nginx->new()->has(qw/mail imap pop3 smtp http map rewrite/)
+	->write_file_expand('nginx.conf', <<'EOF');
+daemon off;
+events {
+mail {
+    proxy_pass_error_message  on;
+    proxy_timeout  15s;
+    timeout  2s;
+    auth_http;
+    server {
+        listen;
+        protocol   imap;
+        imap_auth  plain oauthbearer xoauth2;
+    }
+    server {
+        listen;
+        protocol   pop3;
+        pop3_auth  plain oauthbearer xoauth2;
+    }
+    server {
+        listen;
+        protocol   smtp;
+        smtp_auth  plain oauthbearer xoauth2;
+    }
+http {
+    map $http_auth_protocol $proxy_port {
+	imap %%PORT_8144%%;
+	pop3 %%PORT_8111%%;
+	smtp %%PORT_8026%%;
+    }
+    map $http_auth_user:$http_auth_pass $reply {
+	test@example.com:secretok OK;
+	test=,@example.com:secretok OK;
+	default auth-failed;
+    }
+    map $http_auth_pass $passw {
+	secretok secret;
+    }
+    map $http_auth_pass $sasl {
+	saslfail "eyJzY2hlbWVzIjoiQmVhcmVyIiwic3RhdHVzIjoiNDAwIn0=";
+    }
+    server {
+        listen;
+        server_name  localhost;
+        location = /mail/auth {
+            add_header Auth-Status $reply;
+            add_header Auth-Server;
+            add_header Auth-Port $proxy_port;
+            add_header Auth-Pass $passw;
+            add_header Auth-Wait 1;
+            add_header Auth-Error-SASL $sasl;
+            return 204;
+        }
+    }
+$t->try_run('no oauth support')->plan(48);
+$t->waitforsocket('' . port(8144));
+$t->waitforsocket('' . port(8111));
+$t->waitforsocket('' . port(8026));
+# AUTHBEARER SASL mechanism
+# https://datatracker.ietf.org/doc/html/rfc7628
+# XOAUTH2 SASL mechanism
+# https://developers.google.com/gmail/imap/xoauth2-protocol
+my $s;
+my $token = encode_base64(
+	"n,a=test\@example.com,\001auth=Bearer secretok\001\001", '');
+my $token_escaped = encode_base64(
+	"n,a=test=3D=2C\@example.com,\001auth=Bearer secretok\001\001", '');
+my $token_saslfail = encode_base64(
+	"n,a=test\@example.com,\001auth=Bearer saslfail\001\001", '');
+my $token_bad = encode_base64(
+	"n,a=test\@example.com,\001auth=Bearer bad\001\001", '');
+my $token_xoauth2 = encode_base64(
+	"user=test\@example.com\001auth=Bearer secretok\001\001", '');
+my $token_xoauth2_saslfail = encode_base64(
+	"user=test\@example.com\001auth=Bearer saslfail\001\001", '');
+my $token_xoauth2_bad = encode_base64(
+	"user=test\@example.com\001auth=Bearer bad\001\001", '');
+$s = Test::Nginx::IMAP->new();
+$s->send('1 AUTHENTICATE OAUTHBEARER ' . $token);
+$s->ok('imap oauthbearer success');
+$s = Test::Nginx::IMAP->new();
+$s->send('1 AUTHENTICATE OAUTHBEARER ' . $token_escaped);
+$s->ok('imap oauthbearer escaped login');
+$s = Test::Nginx::IMAP->new();
+$s->check(qr/\+ /, 'imap oauthbearer challenge');
+$s->ok('imap oauthbearer success after challenge');
+$s = Test::Nginx::IMAP->new();
+$s->send('1 AUTHENTICATE OAUTHBEARER ' . $token_bad);
+$s->check(qr/^1 NO auth-failed/, 'imap oauthbearer non-sasl error');
+my @ready = $s->can_read(0);
+is(scalar @ready, 1, "imap ready for reading");
+ok($s->eof(), "imap session closed");
+# fail, sasl failure method
+$s = Test::Nginx::IMAP->new();
+my $start = time;
+$s->send('1 AUTHENTICATE OAUTHBEARER ' . $token_saslfail);
+$s->check(qr/^\+ eyJz/, 'imap oauthbearer sasl failure');
+my $wait_time = time - $start;
+ok($wait_time >= 1, 'imap oauthbearer error delayed');
+$s->check(qr/^1 NO auth-failed/,
+	'imap oauthbearer auth failure after dummy response');
+# fail, sasl failure method, invalid client response
+$s = Test::Nginx::IMAP->new();
+$s->send('1 AUTHENTICATE OAUTHBEARER ' . $token_saslfail);
+$s->check(qr/^\+ eyJz/, 'imap oauthbearer sasl failure');
+$s->check(qr/^1 BAD /, 'imap oauthbearer invalid command after invalid line');
+# fail, sasl failure method, multiple attempts, then success
+$s = Test::Nginx::IMAP->new();
+$s->send('1 AUTHENTICATE OAUTHBEARER ' . $token_saslfail);
+$s->check(qr/^\+ eyJz/, 'imap oauthbearer sasl failure');
+$s->check(qr/^1 NO auth-failed/,
+	'imap oauthbearer auth failure after dummy response');
+$s->send('1 AUTHENTICATE OAUTHBEARER ' . $token_saslfail);
+$s->check(qr/^\+ eyJz/, 'imap oauthbearer sasl failure next');
+$s->check(qr/^1 BAD/, 'imap oauthbearer invalid command after invalid line');
+$s->check(qr/\+ /, 'imap oauthbearer challenge after fail');
+$s->ok('imap oauthbearer success after fail');
+$s = Test::Nginx::IMAP->new();
+$s->send('1 AUTHENTICATE XOAUTH2 ' . $token_xoauth2);
+$s->ok('imap xoauth2 success');
+$s = Test::Nginx::IMAP->new();
+$s->send('1 AUTHENTICATE XOAUTH2');
+$s->check(qr/^\+ /, 'imap xoauth2 challenge');
+$s->ok('imap xoauth2 success after challenge');
+$s = Test::Nginx::IMAP->new();
+$s->send('1 AUTHENTICATE XOAUTH2 ' . $token_xoauth2_saslfail);
+$s->check(qr/^\+ eyJz/, 'imap xoauth2 with bad token');
+$s->check(qr/^1 NO auth-failed/, 'imap xoauth2 auth failure after empty line');
+$s->send('1 AUTHENTICATE XOAUTH2 ' . $token_xoauth2_saslfail);
+$s->check(qr/^\+ eyJz/, 'imap xoauth2 with bad token next');
+$s->check(qr/^1 BAD/, 'imap xoauth2 invalid command after invalid line');
+$s->send('1 AUTHENTICATE XOAUTH2 ' . $token_xoauth2);
+$s->ok('imap xoauth2 success after fail');
+# POP3
+$s = Test::Nginx::POP3->new();
+$s->send('AUTH OAUTHBEARER ' . $token);
+$s->ok('pop3 oauthbearer success');
+$s = Test::Nginx::POP3->new();
+$s->send('AUTH OAUTHBEARER');
+$s->check(qr/^\+ /, 'pop3 oauthbearer challenge');
+$s->ok('pop3 oauthbearer success after challenge');
+$s = Test::Nginx::POP3->new();
+$s->send('AUTH OAUTHBEARER ' . $token_saslfail);
+$s->check(qr/^\+ eyJz/, 'pop3 oauthbearer sasl failure');
+$s->check(qr/^-ERR /, 'pop3 oauthbearer auth failure after dummy response');
+$s->send('AUTH OAUTHBEARER ' . $token_saslfail);
+$s->check(qr/^\+ eyJz/, 'pop3 oauthbearer sasl failure next');
+$s->check(qr/^-ERR /, 'pop3 oauthbearer invalid command after invalid line');
+$s->send('AUTH OAUTHBEARER ' . $token);
+$s->ok('pop3 oauthbearer success after fail');
+$s = Test::Nginx::POP3->new();
+$s->send('AUTH XOAUTH2 ' . $token_xoauth2);
+$s->ok('pop3 xoauth2 success');
+$s = Test::Nginx::POP3->new();
+$s->send('AUTH XOAUTH2');
+$s->check(qr/^\+ /, 'pop3 xoauth2 challenge');
+$s->ok('pop3 xoauth2 success after challenge');
+$s = Test::Nginx::SMTP->new();
+$s->send('EHLO example.com');
+$s->send('AUTH OAUTHBEARER ' . $token);
+$s->authok('smtp oauthbearer success');
+$s = Test::Nginx::SMTP->new();
+$s->send('EHLO example.com');
+$s->send('AUTH OAUTHBEARER');
+$s->check(qr/^334 /, 'smtp oauthbearer challenge');
+$s->authok('smtp oauthbearer success after challenge');
+$s = Test::Nginx::SMTP->new();
+$s->send('EHLO example.com');
+$s->send('AUTH OAUTHBEARER ' . $token_saslfail);
+$s->check(qr/^334 eyJz/, 'smtp oauthbearer sasl failure');
+$s->check(qr/^535 /, 'smtp oauthbearer auth failure after dummy response');
+$s->send('AUTH OAUTHBEARER ' . $token_saslfail);
+$s->check(qr/^334 eyJz/, 'smtp oauthbearer sasl failure next');
+$s->check(qr/^500 /, 'smtp oauthbearer invalid command after invalid line');
+$s->send('AUTH OAUTHBEARER ' . $token);
+$s->authok('smtp oauthbearer success after fail');
+$s = Test::Nginx::SMTP->new();
+$s->send('EHLO example.com');
+$s->send('AUTH XOAUTH2 ' . $token_xoauth2);
+$s->authok('smtp xoauth2 success');
+$s = Test::Nginx::SMTP->new();
+$s->send('EHLO example.com');
+$s->send('AUTH XOAUTH2');
+$s->check(qr/^334 /, 'smtp xoauth2 challenge');
+$s->authok('smtp xoauth2 success after challenge');
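Review bot: The delay check around `my $start = time;` and `ok($wait_time >= 1, 'imap oauthbearer error delayed');` uses integer-second `time`, so a reply that arrives a few milliseconds after a second boundary already gives `$wait_time == 1` and the assertion passes even if no `Auth-Wait 1` delay was applied on the SASL-failure path. That check is the only place in the file that verifies the delay is honoured before the dummy-response exchange, so it is worth making it measure what it claims: add `use Time::HiRes qw/ time /;` next to the other `use` lines (core module, no new dependency) and keep the comparison, allowing a small tolerance such as `>= 0.9` if scheduler jitter turns out to matter. While there, `cmp_ok($wait_time, '>=', 1, 'imap oauthbearer error delayed');` instead of `ok(...)` reports the measured value on failure, which is the number you actually want in the TAP output. The POP3 and SMTP sections do not repeat the timing check, so no other lines are affected.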