1 # Copyright (C) 2019 all contributors <meta@public-inbox.org>
2 # License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
6 use File::Temp qw(tempdir);
7 use Socket qw(SOCK_STREAM);
8 foreach my $mod (qw(DBD::SQLite IO::Socket::SSL Net::NNTP)) {
10 plan skip_all => "$mod missing for $0" if $@;
12 my $cert = 'certs/server-cert.pem';
13 my $key = 'certs/server-key.pem';
14 unless (-r $key && -r $cert) {
16 "certs/ missing for $0, run ./create-certs.perl in certs/";
19 use_ok 'PublicInbox::TLS';
20 use_ok 'IO::Socket::SSL';
21 require './t/common.perl';
22 require PublicInbox::InboxWritable;
23 require PublicInbox::MIME;
24 require PublicInbox::SearchIdx;
25 my $version = 2; # v2 needs newer git
26 require_git('2.6') if $version >= 2;
27 my $tmpdir = tempdir('pi-nntpd-tls-XXXXXX', TMPDIR => 1, CLEANUP => 1);
28 my $err = "$tmpdir/stderr.log";
29 my $out = "$tmpdir/stdout.log";
30 my $mainrepo = "$tmpdir";
31 my $pi_config = "$tmpdir/pi_config";
32 my $group = 'test-nntpd-tls';
33 my $addr = $group . '@example.com';
34 my $nntpd = 'blib/script/public-inbox-nntpd';
36 LocalAddr => '127.0.0.1',
42 my $starttls = IO::Socket::INET->new(%opts);
43 my $nntps = IO::Socket::INET->new(%opts);
46 foreach ($pid, $tail_pid) {
47 kill 'TERM', $_ if defined $_;
51 my $ibx = PublicInbox::Inbox->new({
52 mainrepo => $mainrepo,
55 -primary_address => $addr,
56 indexlevel => 'basic',
58 $ibx = PublicInbox::InboxWritable->new($ibx, {nproc=>1});
61 open my $fh, '>', $pi_config or die "open: $!\n";
63 [publicinbox "nntpd-tls"]
70 close $fh or die "close: $!\n";
74 my $im = $ibx->importer(0);
75 my $mime = PublicInbox::MIME->new(do {
76 open my $fh, '<', 't/data/0001.patch' or die;
80 ok($im->add($mime), 'message added');
83 my $s = PublicInbox::SearchIdx->new($ibx, 1);
88 my $nntps_addr = $nntps->sockhost . ':' . $nntps->sockport;
89 my $starttls_addr = $starttls->sockhost . ':' . $starttls->sockport;
90 my $env = { PI_CONFIG => $pi_config };
93 [ "--cert=$cert", "--key=$key",
94 "-lnntps://$nntps_addr",
95 "-lnntp://$starttls_addr" ],
98 open my $fh, '>', $_ or die "truncate: $!";
100 if (my $tail_cmd = $ENV{TAIL}) { # don't assume GNU tail
102 if (defined $tail_pid && $tail_pid == 0) {
103 exec(split(' ', $tail_cmd), $out, $err);
106 my $cmd = [ $nntpd, '-W0', @$args, "--stdout=$out", "--stderr=$err" ];
107 $pid = spawn_listener($env, $cmd, [ $starttls, $nntps ]);
109 SSL_hostname => 'server.local',
110 SSL_verifycn_name => 'server.local',
112 SSL_verify_mode => SSL_VERIFY_PEER(),
113 SSL_ca_file => 'certs/test-ca.pem',
115 my $expect = { $group => [qw(1 1 n)] };
118 my $c = Net::NNTP->new($nntps_addr, %o);
120 is_deeply($list, $expect, 'NNTPS LIST works');
124 $c = Net::NNTP->new($starttls_addr, %o);
126 is_deeply($list, $expect, 'plain LIST works');
127 ok($c->starttls, 'STARTTLS succeeds');
128 is($c->code, 382, 'got 382 for STARTTLS');
130 is_deeply($list, $expect, 'LIST works after STARTTLS');
132 # Net::NNTP won't let us do dumb things, but we need to test
133 # dumb things, so use Net::Cmd directly:
134 my $n = $c->command('STARTTLS')->response();
135 is($n, Net::Cmd::CMD_ERROR(), 'error attempting STARTTLS again');
136 is($c->code, 502, '502 according to RFC 4642 sec#2.2.1');
138 # STARTTLS with bad hostname
139 $o{SSL_hostname} = $o{SSL_verifycn_name} = 'server.invalid';
140 $c = Net::NNTP->new($starttls_addr, %o);
142 is_deeply($list, $expect, 'plain LIST works again');
143 ok(!$c->starttls, 'STARTTLS fails with bad hostname');
144 $c = Net::NNTP->new($starttls_addr, %o);
146 is_deeply($list, $expect, 'not broken after bad negotiation');
148 # NNTPS with bad hostname
149 $c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
150 is($c, undef, 'NNTPS fails with bad hostname');
151 $o{SSL_hostname} = $o{SSL_verifycn_name} = 'server.local';
152 $c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
153 ok($c, 'NNTPS succeeds again with valid hostname');
157 is($pid, waitpid($pid, 0), 'nntpd exited successfully');
158 is($?, 0, 'no error in exited process');
161 open my $fh, '<', $err or die "open $err failed: $!";
165 unlike($eout, qr/wide/i, 'no Wide character warnings');
166 if (defined $tail_pid) {
167 kill 'TERM', $tail_pid;
168 waitpid($tail_pid, 0);