aerc/lib/auth/auth.go

package auth

import (
	"fmt"
	"regexp"
	"strings"

	"github.com/emersion/go-message/mail"
	"github.com/emersion/go-msgauth/authres"
)

const (
	AuthHeader = "Authentication-Results"
)

type Method string

const (
	DKIM  Method = "dkim"
	SPF   Method = "spf"
	DMARC Method = "dmarc"
)

type Result string

const (
	ResultNone    Result = "none"
	ResultPass    Result = "pass"
	ResultFail    Result = "fail"
	ResultNeutral Result = "neutral"
	ResultPolicy  Result = "policy"
)

type Details struct {
	Results []Result
	Infos   []string
	Reasons []string
	Err     error
}

func (d *Details) add(r Result, info string, reason string) {
	d.Results = append(d.Results, r)
	d.Infos = append(d.Infos, info)
	d.Reasons = append(d.Reasons, reason)
}

type ParserFunc func(*mail.Header, []string) (*Details, error)

func New(s string) ParserFunc {
	if i := strings.IndexRune(s, '+'); i > 0 {
		s = s[:i]
	}
	m := Method(strings.ToLower(s))
	switch m {
	case DKIM, SPF, DMARC:
		return CreateParser(m)
	}
	return nil
}

func trust(s string, trusted []string) bool {
	for _, t := range trusted {
		if matched, _ := regexp.MatchString(t, s); matched || t == "*" {
			return true
		}
	}
	return false
}

var cleaner = regexp.MustCompile(`(\(.*);(.*\))`)

func CreateParser(m Method) func(*mail.Header, []string) (*Details, error) {
	return func(header *mail.Header, trusted []string) (*Details, error) {
		details := &Details{}
		found := false

		hf := header.FieldsByKey(AuthHeader)
		for hf.Next() {
			headerText, err := hf.Text()
			if err != nil {
				return nil, err
			}

			identifier, results, err := authres.Parse(headerText)
			// TODO: refactor to use errors.Is
			switch {
			case err != nil && err.Error() == "msgauth: unsupported version":
				// Some MTA write their authres header without an identifier
				// which does not conform to RFC but still exists in the wild
				identifier, results, err = authres.Parse("unknown;" + headerText)
				if err != nil {
					return nil, err
				}
			case err != nil && err.Error() == "msgauth: malformed authentication method and value":
				// the go-msgauth parser doesn't like semi-colons in the comments
				// as a work-around we remove those
				cleanHeader := cleaner.ReplaceAllString(headerText, "${1}${2}")
				identifier, results, err = authres.Parse(cleanHeader)
				if err != nil {
					return nil, err
				}
			case err != nil:
				return nil, err
			}

			// implements recommendation from RFC 7601 Sec 7.1 to
			// have an explicit list of trustworthy hostnames
			// before displaying AuthRes results
			if !trust(identifier, trusted) {
				return nil, fmt.Errorf("%s is not trusted", identifier)
			}

			for _, result := range results {
				switch r := result.(type) {
				case *authres.DKIMResult:
					if m == DKIM {
						info := r.Identifier
						if info == "" && r.Domain != "" {
							info = r.Domain
						}
						details.add(Result(r.Value), info, r.Reason)
						found = true
					}
				case *authres.SPFResult:
					if m == SPF {
						info := r.From
						if info == "" && r.Helo != "" {
							info = r.Helo
						}
						details.add(Result(r.Value), info, r.Reason)
						found = true
					}
				case *authres.DMARCResult:
					if m == DMARC {
						details.add(Result(r.Value), r.From, r.Reason)
						found = true
					}
				}
			}
		}

		if !found {
			details.add(ResultNone, "", "")
		}
		return details, nil
	}
}
msgviewer: parse and display authentication results Parse the Authentication-Results header and display it in the message viewer (not enabled by default). DKIM, SPF and DMARC authentication methods are supported. Implement recommendation from RFC 7601 Sec 7.1 to have an explicit list of trustworthy hostnames before displaying the authentication results. Be aware that the authentication headers can be forged. To display the results for a specific authentication method, add the corresponding name to the layout of headers in the viewer section of aerc.conf, e.g. to display all three, use: header-layout = From\|To,Cc\|Bcc,Date,Subject,DKIM\|SPF\|DMARC More information will be displayed when "+" is appended to the authentication method name, e.g. DKIM+ or SPF+ or DMARC+. Also, add the trustworthy hosts per account with the trusted-authres parameter, e.g. trusted-authres = * to trust every host or use regular expressions for a finer control. Multiple hosts can be entered as a comma-separated list. Authentication results will only be displayed when the host is listed in the trusted-authres list. Link: https://datatracker.ietf.org/doc/html/rfc7601 Signed-off-by: Koni Marti <koni.marti@gmail.com> Tested-by: Tim Culverhouse <tim@timculverhouse.com> Acked-by: Robin Jarry <robin@jarry.cc> 2022-05-30 00:20:41 +02:00			`package auth`

			`import (`
			`"fmt"`
			`"regexp"`
			`"strings"`

			`"github.com/emersion/go-message/mail"`
			`"github.com/emersion/go-msgauth/authres"`
			`)`

			`const (`
			`AuthHeader = "Authentication-Results"`
			`)`

			`type Method string`

			`const (`
			`DKIM Method = "dkim"`
			`SPF Method = "spf"`
			`DMARC Method = "dmarc"`
			`)`

			`type Result string`

			`const (`
			`ResultNone Result = "none"`
			`ResultPass Result = "pass"`
			`ResultFail Result = "fail"`
			`ResultNeutral Result = "neutral"`
			`ResultPolicy Result = "policy"`
			`)`

			`type Details struct {`
			`Results []Result`
			`Infos []string`
			`Reasons []string`
			`Err error`
			`}`

			`func (d *Details) add(r Result, info string, reason string) {`
			`d.Results = append(d.Results, r)`
			`d.Infos = append(d.Infos, info)`
			`d.Reasons = append(d.Reasons, reason)`
			`}`

			`type ParserFunc func(mail.Header, []string) (Details, error)`

			`func New(s string) ParserFunc {`
			`if i := strings.IndexRune(s, '+'); i > 0 {`
			`s = s[:i]`
			`}`
			`m := Method(strings.ToLower(s))`
			`switch m {`
			`case DKIM, SPF, DMARC:`
			`return CreateParser(m)`
			`}`
			`return nil`
			`}`

			`func trust(s string, trusted []string) bool {`
			`for _, t := range trusted {`
			`if matched, _ := regexp.MatchString(t, s); matched \|\| t == "*" {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			var cleaner = regexp.MustCompile(`(\(.);(.\))`)

			`func CreateParser(m Method) func(mail.Header, []string) (Details, error) {`
			`return func(header mail.Header, trusted []string) (Details, error) {`
			`details := &Details{}`
			`found := false`

			`hf := header.FieldsByKey(AuthHeader)`
			`for hf.Next() {`
			`headerText, err := hf.Text()`
			`if err != nil {`
			`return nil, err`
			`}`

			`identifier, results, err := authres.Parse(headerText)`
lint: homogenize operations and minor fixes (gocritic) Apply GoDoc comment policy (comments for humans should have a space after the //; machine-readable comments shouldn't) Use strings.ReplaceAll instead of strings.Replace when appropriate Remove if/else chains by replacing them with switches Use short assignment/increment notation Replace single case switches with if statements Combine else and if when appropriate Signed-off-by: Moritz Poldrack <moritz@poldrack.dev> Acked-by: Robin Jarry <robin@jarry.cc> 2022-07-31 14:32:48 +02:00			`// TODO: refactor to use errors.Is`
			`switch {`
			`case err != nil && err.Error() == "msgauth: unsupported version":`
msgviewer: parse and display authentication results Parse the Authentication-Results header and display it in the message viewer (not enabled by default). DKIM, SPF and DMARC authentication methods are supported. Implement recommendation from RFC 7601 Sec 7.1 to have an explicit list of trustworthy hostnames before displaying the authentication results. Be aware that the authentication headers can be forged. To display the results for a specific authentication method, add the corresponding name to the layout of headers in the viewer section of aerc.conf, e.g. to display all three, use: header-layout = From\|To,Cc\|Bcc,Date,Subject,DKIM\|SPF\|DMARC More information will be displayed when "+" is appended to the authentication method name, e.g. DKIM+ or SPF+ or DMARC+. Also, add the trustworthy hosts per account with the trusted-authres parameter, e.g. trusted-authres = * to trust every host or use regular expressions for a finer control. Multiple hosts can be entered as a comma-separated list. Authentication results will only be displayed when the host is listed in the trusted-authres list. Link: https://datatracker.ietf.org/doc/html/rfc7601 Signed-off-by: Koni Marti <koni.marti@gmail.com> Tested-by: Tim Culverhouse <tim@timculverhouse.com> Acked-by: Robin Jarry <robin@jarry.cc> 2022-05-30 00:20:41 +02:00			`// Some MTA write their authres header without an identifier`
			`// which does not conform to RFC but still exists in the wild`
			`identifier, results, err = authres.Parse("unknown;" + headerText)`
			`if err != nil {`
			`return nil, err`
			`}`
lint: homogenize operations and minor fixes (gocritic) Apply GoDoc comment policy (comments for humans should have a space after the //; machine-readable comments shouldn't) Use strings.ReplaceAll instead of strings.Replace when appropriate Remove if/else chains by replacing them with switches Use short assignment/increment notation Replace single case switches with if statements Combine else and if when appropriate Signed-off-by: Moritz Poldrack <moritz@poldrack.dev> Acked-by: Robin Jarry <robin@jarry.cc> 2022-07-31 14:32:48 +02:00			`case err != nil && err.Error() == "msgauth: malformed authentication method and value":`
msgviewer: parse and display authentication results Parse the Authentication-Results header and display it in the message viewer (not enabled by default). DKIM, SPF and DMARC authentication methods are supported. Implement recommendation from RFC 7601 Sec 7.1 to have an explicit list of trustworthy hostnames before displaying the authentication results. Be aware that the authentication headers can be forged. To display the results for a specific authentication method, add the corresponding name to the layout of headers in the viewer section of aerc.conf, e.g. to display all three, use: header-layout = From\|To,Cc\|Bcc,Date,Subject,DKIM\|SPF\|DMARC More information will be displayed when "+" is appended to the authentication method name, e.g. DKIM+ or SPF+ or DMARC+. Also, add the trustworthy hosts per account with the trusted-authres parameter, e.g. trusted-authres = * to trust every host or use regular expressions for a finer control. Multiple hosts can be entered as a comma-separated list. Authentication results will only be displayed when the host is listed in the trusted-authres list. Link: https://datatracker.ietf.org/doc/html/rfc7601 Signed-off-by: Koni Marti <koni.marti@gmail.com> Tested-by: Tim Culverhouse <tim@timculverhouse.com> Acked-by: Robin Jarry <robin@jarry.cc> 2022-05-30 00:20:41 +02:00			`// the go-msgauth parser doesn't like semi-colons in the comments`
			`// as a work-around we remove those`
			`cleanHeader := cleaner.ReplaceAllString(headerText, "${1}${2}")`
			`identifier, results, err = authres.Parse(cleanHeader)`
			`if err != nil {`
			`return nil, err`
			`}`
lint: homogenize operations and minor fixes (gocritic) Apply GoDoc comment policy (comments for humans should have a space after the //; machine-readable comments shouldn't) Use strings.ReplaceAll instead of strings.Replace when appropriate Remove if/else chains by replacing them with switches Use short assignment/increment notation Replace single case switches with if statements Combine else and if when appropriate Signed-off-by: Moritz Poldrack <moritz@poldrack.dev> Acked-by: Robin Jarry <robin@jarry.cc> 2022-07-31 14:32:48 +02:00			`case err != nil:`
msgviewer: parse and display authentication results Parse the Authentication-Results header and display it in the message viewer (not enabled by default). DKIM, SPF and DMARC authentication methods are supported. Implement recommendation from RFC 7601 Sec 7.1 to have an explicit list of trustworthy hostnames before displaying the authentication results. Be aware that the authentication headers can be forged. To display the results for a specific authentication method, add the corresponding name to the layout of headers in the viewer section of aerc.conf, e.g. to display all three, use: header-layout = From\|To,Cc\|Bcc,Date,Subject,DKIM\|SPF\|DMARC More information will be displayed when "+" is appended to the authentication method name, e.g. DKIM+ or SPF+ or DMARC+. Also, add the trustworthy hosts per account with the trusted-authres parameter, e.g. trusted-authres = * to trust every host or use regular expressions for a finer control. Multiple hosts can be entered as a comma-separated list. Authentication results will only be displayed when the host is listed in the trusted-authres list. Link: https://datatracker.ietf.org/doc/html/rfc7601 Signed-off-by: Koni Marti <koni.marti@gmail.com> Tested-by: Tim Culverhouse <tim@timculverhouse.com> Acked-by: Robin Jarry <robin@jarry.cc> 2022-05-30 00:20:41 +02:00			`return nil, err`
			`}`

			`// implements recommendation from RFC 7601 Sec 7.1 to`
			`// have an explicit list of trustworthy hostnames`
			`// before displaying AuthRes results`
			`if !trust(identifier, trusted) {`
			`return nil, fmt.Errorf("%s is not trusted", identifier)`
			`}`

			`for _, result := range results {`
			`switch r := result.(type) {`
			`case *authres.DKIMResult:`
			`if m == DKIM {`
			`info := r.Identifier`
			`if info == "" && r.Domain != "" {`
			`info = r.Domain`
			`}`
			`details.add(Result(r.Value), info, r.Reason)`
			`found = true`
			`}`
			`case *authres.SPFResult:`
			`if m == SPF {`
			`info := r.From`
			`if info == "" && r.Helo != "" {`
			`info = r.Helo`
			`}`
			`details.add(Result(r.Value), info, r.Reason)`
			`found = true`
			`}`
			`case *authres.DMARCResult:`
			`if m == DMARC {`
			`details.add(Result(r.Value), r.From, r.Reason)`
			`found = true`
			`}`
			`}`
			`}`
			`}`

			`if !found {`
			`details.add(ResultNone, "", "")`
			`}`
			`return details, nil`
			`}`
			`}`