From 26b3301698f0af73eb5031a5f0e4554a3b9a1ce5 Mon Sep 17 00:00:00 2001
From: Arnout Engelen <arnout@bzzt.net>
Date: Sat, 23 Nov 2024 13:06:31 +0100
Subject: [PATCH 1/2] Tests: mail: smtp: assert whether backend authentication
 is expected

We expect that the SMTP proxy does not authenticate to the backend,
except in the `PROXY` case and in the case where `proxy_smtp_auth`
is enabled.

This makes tests fail when we violate that expectation.
---
 lib/Test/Nginx/SMTP.pm | 16 +++++++++++++++-
 mail_proxy_protocol.t  |  2 +-
 mail_proxy_smtp_auth.t |  2 +-
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/lib/Test/Nginx/SMTP.pm b/lib/Test/Nginx/SMTP.pm
index f088f5fe..aaf84d81 100644
--- a/lib/Test/Nginx/SMTP.pm
+++ b/lib/Test/Nginx/SMTP.pm
@@ -150,8 +150,14 @@ sub socket {
 
 ###############################################################################
 
+sub fail {
+	my ($client, $reason) = @_;
+	print $client '500 failed: ' . $reason . CRLF;
+	$client->close();
+}
+
 sub smtp_test_daemon {
-	my ($port) = @_;
+	my ($port, $with_auth) = @_;
 	my $proxy_protocol;
 
 	my $server = IO::Socket::INET->new(
@@ -167,6 +173,7 @@ sub smtp_test_daemon {
 		print $client "220 fake esmtp server ready" . CRLF;
 
 		$proxy_protocol = '';
+		my $authenticated = 0;
 
 		while (<$client>) {
 			Test::Nginx::log_core('||', $_);
@@ -177,8 +184,15 @@ sub smtp_test_daemon {
 				print $client '250 hello ok' . CRLF;
 			} elsif (/^rset/i) {
 				print $client '250 rset ok' . CRLF;
+			} elsif (/^auth/i and not $with_auth) {
+				fail($client, "No authentication expected");
 			} elsif (/^auth plain/i) {
 				print $client '235 auth ok' . CRLF;
+				$authenticated = 1;
+			} elsif (/^mail/i and $with_auth and not $authenticated) {
+				fail($client, "Authentication expected");
+			} elsif (/^rcpt/i and $with_auth and not $authenticated) {
+				fail($client, "Authentication expected");
 			} elsif (/^mail from:[^@]+$/i) {
 				print $client '500 mail from error' . CRLF;
 			} elsif (/^mail from:/i) {
diff --git a/mail_proxy_protocol.t b/mail_proxy_protocol.t
index d4f4852d..3c318bc0 100644
--- a/mail_proxy_protocol.t
+++ b/mail_proxy_protocol.t
@@ -91,7 +91,7 @@ http {
 
 EOF
 
-$t->run_daemon(\&Test::Nginx::SMTP::smtp_test_daemon);
+$t->run_daemon(\&Test::Nginx::SMTP::smtp_test_daemon, port(8026), 1);
 $t->run()->plan(8);
 
 $t->waitforsocket('127.0.0.1:' . port(8026));
diff --git a/mail_proxy_smtp_auth.t b/mail_proxy_smtp_auth.t
index 4eb92b94..16040d90 100644
--- a/mail_proxy_smtp_auth.t
+++ b/mail_proxy_smtp_auth.t
@@ -75,7 +75,7 @@ http {
 
 EOF
 
-$t->run_daemon(\&Test::Nginx::SMTP::smtp_test_daemon);
+$t->run_daemon(\&Test::Nginx::SMTP::smtp_test_daemon, port(8026), 1);
 $t->run()->plan(7);
 
 $t->waitforsocket('127.0.0.1:' . port(8026));

From 962cb70df1b2fddb06e5ae64df88c16450de8d82 Mon Sep 17 00:00:00 2001
From: Arnout Engelen <arnout@bzzt.net>
Date: Tue, 26 Nov 2024 21:43:59 +0100
Subject: [PATCH 2/2] Add test for conditionally authenticating to the backend
 smtp server

Test for https://github.com/nginx/nginx/pull/156 .

`mail_proxy_smtp_auth_none.t` is a copy of `mail_proxy_smtp_auth.t`,
except that the authentication server returns 'Auth-Method: None'
and the test expects no authentication to the backend mail server.

I'm not sure if this test 'pulls its weight' and makes sense to
merge into the testsuite, but it's at least useful for testing
https://github.com/nginx/nginx/pull/156 .
---
 mail_proxy_smtp_auth_none.t | 149 ++++++++++++++++++++++++++++++++++++
 1 file changed, 149 insertions(+)
 create mode 100644 mail_proxy_smtp_auth_none.t

diff --git a/mail_proxy_smtp_auth_none.t b/mail_proxy_smtp_auth_none.t
new file mode 100644
index 00000000..f6a4d7db
--- /dev/null
+++ b/mail_proxy_smtp_auth_none.t
@@ -0,0 +1,149 @@
+#!/usr/bin/perl
+
+# (C) Sergey Kandaurov
+# (C) Nginx, Inc.
+
+# Tests for nginx mail proxy module, the proxy_smtp_auth directive.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+use MIME::Base64;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+use Test::Nginx::SMTP;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+local $SIG{PIPE} = 'IGNORE';
+
+my $t = Test::Nginx->new()->has(qw/mail smtp http rewrite/)
+	->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+mail {
+    proxy_pass_error_message  on;
+    proxy_timeout             15s;
+    proxy_smtp_auth           on;
+    auth_http  http://127.0.0.1:8080/mail/auth;
+    smtp_auth  login plain external;
+
+    server {
+        listen     127.0.0.1:8025;
+        protocol   smtp;
+    }
+
+    server {
+        listen     127.0.0.1:8027;
+        protocol   smtp;
+        xclient    off;
+    }
+}
+
+http {
+    %%TEST_GLOBALS_HTTP%%
+
+    server {
+        listen       127.0.0.1:8080;
+        server_name  localhost;
+
+        location = /mail/auth {
+            add_header Auth-Status OK;
+            add_header Auth-Server 127.0.0.1;
+            add_header Auth-Port   %%PORT_8026%%;
+            add_header Auth-Wait   1;
+            add_header Auth-Method none;
+            return 204;
+        }
+    }
+}
+
+EOF
+
+$t->run_daemon(\&Test::Nginx::SMTP::smtp_test_daemon, port(8026), 0);
+$t->run()->plan(7);
+
+$t->waitforsocket('127.0.0.1:' . port(8026));
+
+###############################################################################
+
+# The following combinations may be sent to backend with proxy_smtp_auth on:
+#
+# ehlo, xclient, auth
+# ehlo, xclient, helo, auth
+# ehlo, xclient, ehlo, auth
+# helo, auth
+# ehlo, auth
+#
+# Test them in order.
+
+# ehlo, xclient, auth
+
+my $s = Test::Nginx::SMTP->new();
+$s->read();
+$s->send('AUTH PLAIN ' . encode_base64("\0test\@example.com\0secret", ''));
+$s->authok('ehlo, xclient, auth');
+
+# ehlo, xclient, helo, auth
+
+$s = Test::Nginx::SMTP->new();
+$s->read();
+$s->send('HELO example.com');
+$s->read();
+$s->send('AUTH PLAIN ' . encode_base64("\0test\@example.com\0secret", ''));
+$s->authok('ehlo, xclient, helo, auth');
+
+# ehlo, xclient, ehlo, auth
+
+$s = Test::Nginx::SMTP->new();
+$s->read();
+$s->send('EHLO example.com');
+$s->read();
+$s->send('AUTH PLAIN ' . encode_base64("\0test\@example.com\0secret", ''));
+$s->authok('ehlo, xclient, ehlo, auth');
+
+# helo, auth
+
+$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8027));
+$s->read();
+$s->send('AUTH PLAIN ' . encode_base64("\0test\@example.com\0secret", ''));
+$s->authok('helo, auth');
+
+# ehlo, auth
+
+$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8027));
+$s->read();
+$s->send('EHLO example.com');
+$s->read();
+$s->send('AUTH PLAIN ' . encode_base64("\0test\@example.com\0secret", ''));
+$s->authok('ehlo, auth');
+
+# Try auth external
+
+$s = Test::Nginx::SMTP->new();
+$s->read();
+$s->send('EHLO example.com');
+$s->read();
+
+$s->send('AUTH EXTERNAL');
+$s->check(qr/^334 VXNlcm5hbWU6/, 'auth external challenge');
+$s->send(encode_base64('test@example.com', ''));
+$s->authok('auth external');
+
+###############################################################################