fix: harden mx helper and cleanup flow

This commit is contained in:
Marek Miklewicz
2026-06-30 11:37:27 +02:00
parent ed6146c0d8
commit ad95ecdacb
8 changed files with 252 additions and 43 deletions
+41 -4
View File
@@ -12,10 +12,11 @@ test('mx helper conditionally passes user ip binding to da login-url', function
$script = PLUGIN_ROOT . '/mx-helper/mail-login-authorized-command.sh';
$cmd = sprintf(
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s %s %s',
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s MAIL_LOGIN_ALLOWED_SOURCE_HOSTS=%s %s %s',
escapeshellarg($bin),
escapeshellarg($audit),
escapeshellarg($state),
escapeshellarg('h4.domena.pl'),
escapeshellarg($script),
'mail-login-create-url mxtest h4.domena.pl h4 30 1 198.51.100.10 /'
);
@@ -26,10 +27,11 @@ test('mx helper conditionally passes user ip binding to da login-url', function
file_put_contents($log, '');
$cmdNoIp = sprintf(
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s %s %s',
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s MAIL_LOGIN_ALLOWED_SOURCE_HOSTS=%s %s %s',
escapeshellarg($bin),
escapeshellarg($audit),
escapeshellarg($state),
escapeshellarg('h4.domena.pl'),
escapeshellarg($script),
'mail-login-create-url mxtest h4.domena.pl h4 30 0 198.51.100.10 /'
);
@@ -50,11 +52,12 @@ test('mx helper accepts forced command arguments from ssh original command', fun
$script = PLUGIN_ROOT . '/mx-helper/mail-login-authorized-command.sh';
$cmd = sprintf(
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s SSH_ORIGINAL_COMMAND=%s %s',
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s MAIL_LOGIN_ALLOWED_SOURCE_HOSTS=%s SSH_ORIGINAL_COMMAND=%s %s',
escapeshellarg($bin),
escapeshellarg($audit),
escapeshellarg($state),
escapeshellarg('mail-login-create-url mxtest h4.domena.pl h4 30 1 198.51.100.10 /'),
escapeshellarg('h4.domena.pl'),
escapeshellarg('mail-login-create-url mxtest h4.domena.pl evil 30 1 198.51.100.10 /'),
escapeshellarg($script)
);
exec($cmd, $out, $code);
@@ -62,4 +65,38 @@ test('mx helper accepts forced command arguments from ssh original command', fun
assert_same(0, $code, implode("\n", $out));
assert_contains('--user=mxtest', file_get_contents($log) ?: '');
assert_contains('autologin-h4-mxtest-', file_get_contents($audit) ?: '');
assert_not_contains('autologin-evil-mxtest-', file_get_contents($audit) ?: '');
});
test('mx helper rejects disallowed source hosts and invalid client ips', function (): void {
$bin = TEST_TMP . '/fake-da-reject';
$audit = TEST_TMP . '/audit-reject.log';
$state = TEST_TMP . '/state-reject';
test_write($bin, "#!/bin/sh\necho 'URL: https://mx1.domena.pl:2222/api/login/url?key=SECRET'\n");
chmod($bin, 0755);
$script = PLUGIN_ROOT . '/mx-helper/mail-login-authorized-command.sh';
$badHost = sprintf(
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s MAIL_LOGIN_ALLOWED_SOURCE_HOSTS=%s %s %s 2>/dev/null',
escapeshellarg($bin),
escapeshellarg($audit),
escapeshellarg($state),
escapeshellarg('h4.domena.pl'),
escapeshellarg($script),
'mail-login-create-url mxtest evil.domena.pl evil 30 1 198.51.100.10 /'
);
exec($badHost, $outHost, $codeHost);
assert_same(1, $codeHost);
$badIp = sprintf(
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s MAIL_LOGIN_ALLOWED_SOURCE_HOSTS=%s %s %s 2>/dev/null',
escapeshellarg($bin),
escapeshellarg($audit),
escapeshellarg($state),
escapeshellarg('h4.domena.pl'),
escapeshellarg($script),
'mail-login-create-url mxtest h4.domena.pl h4 30 1 999.999.999.999 /'
);
exec($badIp, $outIp, $codeIp);
assert_same(1, $codeIp);
});