[PATCH v2] send-email: provide whitelist of SMTP AUTH mechanisms

[PATCH v2] send-email: provide whitelist of SMTP AUTH mechanisms

[Jan Viktorin]

When sending an e-mail, the client and server must
agree on an authentication mechanism. Some servers
(due to misconfiguration or a bug) deny valid
credentials for certain mechanisms. In this patch,
a new option --smtp-auth and configuration entry
smtpauth are introduced. If smtp_auth is defined,
it works as a whitelist of allowed mechanisms for
authentication selected from the ones supported by
the installed SASL perl library.

Signed-off-by: Jan Viktorin <viktorin@rehivetech.com>
---
Changes v1 -> v2:
  - check user input by regex
  - added documentation
  - still missing a test

 Documentation/git-send-email.txt |  8 ++++++++
 git-send-email.perl              | 25 ++++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/Documentation/git-send-email.txt b/Documentation/git-send-email.txt
index 7ae467b..c237c80 100644
--- a/Documentation/git-send-email.txt
+++ b/Documentation/git-send-email.txt
@@ -171,6 +171,14 @@ Sending
 	to determine your FQDN automatically.  Default is the value of
 	'sendemail.smtpDomain'.
 
+--smtp-auth=<mechs>::
+	Specify allowed SMTP-AUTH mechanisms. This setting forces using only
+	the listed mechanisms. Separate allowed mechanisms by a whitespace.
+	Example: PLAIN LOGIN GSSAPI. If at least one of the specified mechanisms
+	matchs those advertised by the SMTP server and it is supported by the SASL
+	library we use, it is used for authentication. If neither of 'sendemail.smtpAuth'
+	or '--smtp-auth' is specified, all mechanisms supported on client can be used.
+
 --smtp-pass[=<password>]::
 	Password for SMTP-AUTH. The argument is optional: If no
 	argument is specified, then the empty string is used as
diff --git a/git-send-email.perl b/git-send-email.perl
index ae9f869..ebc1e90 100755
--- a/git-send-email.perl
+++ b/git-send-email.perl
@@ -75,6 +75,9 @@ git send-email [options] <file | directory | rev-list options >
                                      Pass an empty string to disable certificate
                                      verification.
     --smtp-domain           <str>  * The domain name sent to HELO/EHLO handshake
+    --smtp-auth             <str>  * Space separated list of allowed AUTH methods.
+                                     This setting forces to use one of the listed methods.
+                                     Supported: PLAIN LOGIN CRAM-MD5 DIGEST-MD5.
     --smtp-debug            <0|1>  * Disable, enable Net::SMTP debug.
 
   Automating:
@@ -208,7 +211,7 @@ my ($cover_cc, $cover_to);
 my ($to_cmd, $cc_cmd);
 my ($smtp_server, $smtp_server_port, @smtp_server_options);
 my ($smtp_authuser, $smtp_encryption, $smtp_ssl_cert_path);
-my ($identity, $aliasfiletype, @alias_files, $smtp_domain);
+my ($identity, $aliasfiletype, @alias_files, $smtp_domain, $smtp_auth);
 my ($validate, $confirm);
 my (@suppress_cc);
 my ($auto_8bit_encoding);
@@ -239,6 +242,7 @@ my %config_settings = (
     "smtppass" => \$smtp_authpass,
     "smtpsslcertpath" => \$smtp_ssl_cert_path,
     "smtpdomain" => \$smtp_domain,
+    "smtpauth" => \$smtp_auth,
     "to" => \@initial_to,
     "tocmd" => \$to_cmd,
     "cc" => \@initial_cc,
@@ -310,6 +314,7 @@ my $rc = GetOptions("h" => \$help,
 		    "smtp-ssl-cert-path=s" => \$smtp_ssl_cert_path,
 		    "smtp-debug:i" => \$debug_net_smtp,
 		    "smtp-domain:s" => \$smtp_domain,
+		    "smtp-auth=s" => \$smtp_auth,
 		    "identity=s" => \$identity,
 		    "annotate!" => \$annotate,
 		    "no-annotate" => sub {$annotate = 0},
@@ -1136,6 +1141,10 @@ sub smtp_auth_maybe {
 		Authen::SASL->import(qw(Perl));
 	};
 
+	if($smtp_auth !~ /^(\b[A-Z0-9-_]{1,20}\s*)*$/) {
+		die "invalid smtp auth: '${smtp_auth}'";
+	}
+
 	# TODO: Authentication may fail not because credentials were
 	# invalid but due to other reasons, in which we should not
 	# reject credentials.
@@ -1148,6 +1157,20 @@ sub smtp_auth_maybe {
 		'password' => $smtp_authpass
 	}, sub {
 		my $cred = shift;
+
+		if($smtp_auth) {
+			my $sasl = Authen::SASL->new(
+				mechanism => $smtp_auth,
+				callback => {
+					user => $cred->{'username'},
+					pass => $cred->{'password'},
+					authname => $cred->{'username'},
+				}
+			);
+
+			return !!$smtp->auth($sasl);
+		}
+
 		return !!$smtp->auth($cred->{'username'}, $cred->{'password'});
 	});
 
-- 
2.5.0

Re: [PATCH v2] send-email: provide whitelist of SMTP AUTH mechanisms

[Eric Sunshine]

On Sun, Aug 2, 2015 at 12:42 PM, Jan Viktorin <viktorin@rehivetech.com> wrote:
> When sending an e-mail, the client and server must
> agree on an authentication mechanism. Some servers
> (due to misconfiguration or a bug) deny valid
> credentials for certain mechanisms. In this patch,
> a new option --smtp-auth and configuration entry
> smtpauth are introduced. If smtp_auth is defined,
> it works as a whitelist of allowed mechanisms for
> authentication selected from the ones supported by
> the installed SASL perl library.

Nit: This would read a bit more nicely if wrapped to 70-72 columns.

> Signed-off-by: Jan Viktorin <viktorin@rehivetech.com>
> ---
> diff --git a/Documentation/git-send-email.txt b/Documentation/git-send-email.txt
> index 7ae467b..c237c80 100644
> --- a/Documentation/git-send-email.txt
> +++ b/Documentation/git-send-email.txt
> @@ -171,6 +171,14 @@ Sending
> +--smtp-auth=<mechs>::
> +       Specify allowed SMTP-AUTH mechanisms. This setting forces using only
> +       the listed mechanisms. Separate allowed mechanisms by a whitespace.

Perhaps:

    Whitespace-separated list of allowed SMTP-AUTH mechanisms.

> +       Example: PLAIN LOGIN GSSAPI. If at least one of the specified mechanisms
> +       matchs those advertised by the SMTP server and it is supported by the SASL

s/matchs/matches/

> +       library we use, it is used for authentication. If neither of 'sendemail.smtpAuth'
> +       or '--smtp-auth' is specified, all mechanisms supported on client can be used.

s/neither of/neither/
s/or/nor/

> diff --git a/git-send-email.perl b/git-send-email.perl
> index ae9f869..ebc1e90 100755
> --- a/git-send-email.perl
> +++ b/git-send-email.perl
> @@ -75,6 +75,9 @@ git send-email [options] <file | directory | rev-list options >
>                                       Pass an empty string to disable certificate
>                                       verification.
>      --smtp-domain           <str>  * The domain name sent to HELO/EHLO handshake
> +    --smtp-auth             <str>  * Space separated list of allowed AUTH methods.

s/Space separated/Space-separated/

> +                                     This setting forces to use one of the listed methods.
> +                                     Supported: PLAIN LOGIN CRAM-MD5 DIGEST-MD5.

Since you're no longer checking explicitly for these mechanisms, you
probably want to drop the "Supported:" line.

>      --smtp-debug            <0|1>  * Disable, enable Net::SMTP debug.
>
>    Automating:
> @@ -1136,6 +1141,10 @@ sub smtp_auth_maybe {
>                 Authen::SASL->import(qw(Perl));
>         };
>
> +       if($smtp_auth !~ /^(\b[A-Z0-9-_]{1,20}\s*)*$/) {
> +               die "invalid smtp auth: '${smtp_auth}'";
> +       }

Style: space after 'if'

>         # TODO: Authentication may fail not because credentials were
>         # invalid but due to other reasons, in which we should not
>         # reject credentials.
> @@ -1148,6 +1157,20 @@ sub smtp_auth_maybe {
>                 'password' => $smtp_authpass
>         }, sub {
>                 my $cred = shift;
> +
> +               if($smtp_auth) {

Style: space after 'if'

> +                       my $sasl = Authen::SASL->new(
> +                               mechanism => $smtp_auth,
> +                               callback => {
> +                                       user => $cred->{'username'},
> +                                       pass => $cred->{'password'},
> +                                       authname => $cred->{'username'},
> +                               }
> +                       );
> +
> +                       return !!$smtp->auth($sasl);
> +               }
> +
>                 return !!$smtp->auth($cred->{'username'}, $cred->{'password'});
>         });
>
> --
> 2.5.0

Re: [PATCH v2] send-email: provide whitelist of SMTP AUTH mechanisms

[Jan Viktorin]

Hello Eric, all,

thanks for comments, the coding style will be fixed
in the next version (I cannot find a way how to set
vim to help me with those if<SPACE>( issues. I always/often
forget it when writing so I never do it to be consistent.).

Do I understand well that you are complaining about too
narrow commmit message?

I am trying to figure out how to write a test. It is
not very clear to me, what the testing suite does. My
attempt looks this way at the moment:

1657 do_smtp_auth_test() {
1658         git send-email \
1659                 --from="Example <nobody@example.com>" \
1660                 --to=someone@example.com \
1661                 --smtp-server="$(pwd)/fake.sendmail" \
1662                 --smtp-auth="$1" \
1663                 -v \
1664                 0001-*.patch \
1665                 2>errors >out
1666 }
1667 
1668 test_expect_success $PREREQ 'accepts SMTP AUTH mechanisms (see RFC-4422, p. 8)' '
1669         do_smtp_auth_test "PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI EXTERNAL ANONYMOUS" &&
1670         do_smtp_auth_test "ABCDEFGHIKLMNOPQRSTUVWXYZ 0123456789_-"
1671 '
1672 
1673 test_expect_success $PREREQ 'does not accept non-RFC-4422 strings for SMTP AUTH' '
1674         test_must_fail do_smtp_auth_test "../ATTACK" &&
1675         test_must_fail do_smtp_auth_test "TOO-LONG-BUT-VALID-STRING" &&
1676         test_must_fail do_smtp_auth_test "no-lower-case-sorry"
1677 '

* I do not know yet, what to check after each do_smtp_auth_test call.
* Perhaps, each case should have its own test_expect_success call?
* Why send-email -v does not generate any output?
  (I found a directory 'trash directory.t9001-send-email', however, the
  errors file is always empty.)
* Is there any other place where the files out, errors are placed?
* I have no idea what the fake.sendmail does (I could see its contents
  but still...). Is it suitable for my tests?
* Should I check the behaviour '--smtp-auth overrides
  sendemail.smtpAuth'?

Regards
Jan

On Sun, 2 Aug 2015 14:57:19 -0400
Eric Sunshine <sunshine@sunshineco.com> wrote:

> On Sun, Aug 2, 2015 at 12:42 PM, Jan Viktorin
> <viktorin@rehivetech.com> wrote:
> > When sending an e-mail, the client and server must
> > agree on an authentication mechanism. Some servers
> > (due to misconfiguration or a bug) deny valid
> > credentials for certain mechanisms. In this patch,
> > a new option --smtp-auth and configuration entry
> > smtpauth are introduced. If smtp_auth is defined,
> > it works as a whitelist of allowed mechanisms for
> > authentication selected from the ones supported by
> > the installed SASL perl library.
> 
> Nit: This would read a bit more nicely if wrapped to 70-72 columns.
> 
> > Signed-off-by: Jan Viktorin <viktorin@rehivetech.com>
> > ---
> > diff --git a/Documentation/git-send-email.txt
> > b/Documentation/git-send-email.txt index 7ae467b..c237c80 100644
> > --- a/Documentation/git-send-email.txt
> > +++ b/Documentation/git-send-email.txt
> > @@ -171,6 +171,14 @@ Sending
> > +--smtp-auth=<mechs>::
> > +       Specify allowed SMTP-AUTH mechanisms. This setting forces
> > using only
> > +       the listed mechanisms. Separate allowed mechanisms by a
> > whitespace.
> 
> Perhaps:
> 
>     Whitespace-separated list of allowed SMTP-AUTH mechanisms.
> 
> > +       Example: PLAIN LOGIN GSSAPI. If at least one of the
> > specified mechanisms
> > +       matchs those advertised by the SMTP server and it is
> > supported by the SASL
> 
> s/matchs/matches/
> 
> > +       library we use, it is used for authentication. If neither
> > of 'sendemail.smtpAuth'
> > +       or '--smtp-auth' is specified, all mechanisms supported on
> > client can be used.
> 
> s/neither of/neither/
> s/or/nor/
> 
> > diff --git a/git-send-email.perl b/git-send-email.perl
> > index ae9f869..ebc1e90 100755
> > --- a/git-send-email.perl
> > +++ b/git-send-email.perl
> > @@ -75,6 +75,9 @@ git send-email [options] <file | directory |
> > rev-list options > Pass an empty string to disable certificate
> >                                       verification.
> >      --smtp-domain           <str>  * The domain name sent to
> > HELO/EHLO handshake
> > +    --smtp-auth             <str>  * Space separated list of
> > allowed AUTH methods.
> 
> s/Space separated/Space-separated/
> 
> > +                                     This setting forces to use
> > one of the listed methods.
> > +                                     Supported: PLAIN LOGIN
> > CRAM-MD5 DIGEST-MD5.
> 
> Since you're no longer checking explicitly for these mechanisms, you
> probably want to drop the "Supported:" line.
> 
> >      --smtp-debug            <0|1>  * Disable, enable Net::SMTP
> > debug.
> >
> >    Automating:
> > @@ -1136,6 +1141,10 @@ sub smtp_auth_maybe {
> >                 Authen::SASL->import(qw(Perl));
> >         };
> >
> > +       if($smtp_auth !~ /^(\b[A-Z0-9-_]{1,20}\s*)*$/) {
> > +               die "invalid smtp auth: '${smtp_auth}'";
> > +       }
> 
> Style: space after 'if'
> 
> >         # TODO: Authentication may fail not because credentials were
> >         # invalid but due to other reasons, in which we should not
> >         # reject credentials.
> > @@ -1148,6 +1157,20 @@ sub smtp_auth_maybe {
> >                 'password' => $smtp_authpass
> >         }, sub {
> >                 my $cred = shift;
> > +
> > +               if($smtp_auth) {
> 
> Style: space after 'if'
> 
> > +                       my $sasl = Authen::SASL->new(
> > +                               mechanism => $smtp_auth,
> > +                               callback => {
> > +                                       user => $cred->{'username'},
> > +                                       pass => $cred->{'password'},
> > +                                       authname =>
> > $cred->{'username'},
> > +                               }
> > +                       );
> > +
> > +                       return !!$smtp->auth($sasl);
> > +               }
> > +
> >                 return !!$smtp->auth($cred->{'username'},
> > $cred->{'password'}); });
> >
> > --
> > 2.5.0



-- 
  Jan Viktorin                E-mail: Viktorin@RehiveTech.com
  System Architect            Web:    www.RehiveTech.com
  RehiveTech                  Phone: +420 606 201 868
  Brno, Czech Republic

Re: [PATCH v2] send-email: provide whitelist of SMTP AUTH mechanisms

[Eric Sunshine]

On Sun, Aug 2, 2015 at 2:57 PM, Eric Sunshine <sunshine@sunshineco.com> wrote:
> On Sun, Aug 2, 2015 at 12:42 PM, Jan Viktorin <viktorin@rehivetech.com> wrote:
>> @@ -1136,6 +1141,10 @@ sub smtp_auth_maybe {
>>                 Authen::SASL->import(qw(Perl));
>>         };
>>
>> +       if($smtp_auth !~ /^(\b[A-Z0-9-_]{1,20}\s*)*$/) {
>> +               die "invalid smtp auth: '${smtp_auth}'";
>> +       }
>
> Style: space after 'if'

By the way, I notice that Authen::SASL::Perl implementation itself
normalizes the incoming mechanism to uppercase, if necessary:

    $mechanism =~ s/^\s*\b(.*)\b\s*$/$1/g;
    $mechanism =~ s/-/_/g;
    $mechanism =  uc $mechanism;

Since it doesn't require uppercase, it's not clear how much benefit
there is to adding a strict regex check to git-send-email.

Re: [PATCH v2] send-email: provide whitelist of SMTP AUTH mechanisms

[Eric Sunshine]

On Sun, Aug 9, 2015 at 1:19 PM, Eric Sunshine <sunshine@sunshineco.com> wrote:
> On Sun, Aug 2, 2015 at 2:57 PM, Eric Sunshine <sunshine@sunshineco.com> wrote:
>> On Sun, Aug 2, 2015 at 12:42 PM, Jan Viktorin <viktorin@rehivetech.com> wrote:
>>> @@ -1136,6 +1141,10 @@ sub smtp_auth_maybe {
>>>                 Authen::SASL->import(qw(Perl));
>>>         };
>>>
>>> +       if($smtp_auth !~ /^(\b[A-Z0-9-_]{1,20}\s*)*$/) {
>>> +               die "invalid smtp auth: '${smtp_auth}'";
>>> +       }
>>
>> Style: space after 'if'
>
> By the way, I notice that Authen::SASL::Perl implementation itself
> normalizes the incoming mechanism to uppercase, if necessary:
>
>     $mechanism =~ s/^\s*\b(.*)\b\s*$/$1/g;
>     $mechanism =~ s/-/_/g;
>     $mechanism =  uc $mechanism;
>
> Since it doesn't require uppercase, it's not clear how much benefit
> there is to adding a strict regex check to git-send-email.

Hmm, perhaps I was looking at the wrong chunk of code. You had already
referenced the real code here[1], and it doesn't appear to do any case
transformation (it only replaces "-" with "_").

[1]: http://article.gmane.org/gmane.comp.version-control.git/275161

Re: [PATCH v2] send-email: provide whitelist of SMTP AUTH mechanisms

[Eric Sunshine]

On Wed, Aug 5, 2015 at 3:17 AM, Jan Viktorin <viktorin@rehivetech.com> wrote:
> Do I understand well that you are complaining about too
> narrow commmit message?

Yes, I'm a complainer. ;-) It's minor, though, not a big deal, and
certainly not worth a re-roll if that was the only issue. In fact,
other than the undesirable "Supported:" line in the documentation, all
comments on v2 were minor and not demanding of a re-roll.

> I am trying to figure out how to write a test. It is
> not very clear to me, what the testing suite does. My
> attempt looks this way at the moment:
>
> 1657 do_smtp_auth_test() {
> 1658         git send-email \
> 1659                 --from="Example <nobody@example.com>" \
> 1660                 --to=someone@example.com \
> 1661                 --smtp-server="$(pwd)/fake.sendmail" \
> 1662                 --smtp-auth="$1" \
> 1663                 -v \
> 1664                 0001-*.patch \
> 1665                 2>errors >out
> 1666 }
> 1667
> 1668 test_expect_success $PREREQ 'accepts SMTP AUTH mechanisms (see RFC-4422, p. 8)' '
> 1669         do_smtp_auth_test "PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI EXTERNAL ANONYMOUS" &&
> 1670         do_smtp_auth_test "ABCDEFGHIKLMNOPQRSTUVWXYZ 0123456789_-"

Wouldn't this one fail the regex check you added which limits the
length to 20 characters?

> 1671 '
> 1672
> 1673 test_expect_success $PREREQ 'does not accept non-RFC-4422 strings for SMTP AUTH' '
> 1674         test_must_fail do_smtp_auth_test "../ATTACK" &&
> 1675         test_must_fail do_smtp_auth_test "TOO-LONG-BUT-VALID-STRING" &&
> 1676         test_must_fail do_smtp_auth_test "no-lower-case-sorry"
> 1677 '
>
> * I do not know yet, what to check after each do_smtp_auth_test call.

If you were able somehow to capture the interaction with
Auth::SASL::Perl, then you'd probably want to test if it received the
whitelisted mechanisms specified via --smtp-auth, however... (see
below)

> * Perhaps, each case should have its own test_expect_success call?

The grouping seems okay as-is.

> * Why send-email -v does not generate any output?

As far as I know, git-send-email doesn't accept a -v flag.

>   (I found a directory 'trash directory.t9001-send-email', however, the
>   errors file is always empty.)

Was it empty even for the cases which should have triggered the
validation regex to invoke die()?

> * Is there any other place where the files out, errors are placed?

No.

> * I have no idea what the fake.sendmail does (I could see its contents
>   but still...). Is it suitable for my tests?

It dumps its command-line arguments to one file ("commandline") and
its stdin to another ("msgtxt"), but otherwise does no work. This is
useful for tests which need to make sure that the command-line and/or
message content gets augmented in some way, but won't help your case
since it can't capture the script's interaction with
Authen::SASL::Perl.

> * Should I check the behaviour '--smtp-auth overrides
>   sendemail.smtpAuth'?

That would be nice, but there doesn't seem to be a good way to do it
via an existing testing mechanism since you can't check the
git-sendemail's interaction with Auth::SASL::Perl. The same holds for
your question above about what to check after each do_smtp_auth_test()
call.

One possibility which comes to mind is to create a fake
Authen::SASL::Perl which merely dumps its input mechanisms to a file,
and arrange for the Perl search path to find the fake one instead. You
could then check the output file to see if it reflects your
expectations. However, this may be overkill and perhaps not worth the
effort (especially if you're not a Perl programmer).

Re: [PATCH v2] send-email: provide whitelist of SMTP AUTH mechanisms

[Jan Viktorin]

On Sun, 9 Aug 2015 14:13:33 -0400
Eric Sunshine <sunshine@sunshineco.com> wrote:

> On Wed, Aug 5, 2015 at 3:17 AM, Jan Viktorin
> <viktorin@rehivetech.com> wrote:
> > Do I understand well that you are complaining about too
> > narrow commmit message?
> 
> Yes, I'm a complainer. ;-) It's minor, though, not a big deal, and
> certainly not worth a re-roll if that was the only issue. In fact,
> other than the undesirable "Supported:" line in the documentation, all
> comments on v2 were minor and not demanding of a re-roll.

:)

> 
> > I am trying to figure out how to write a test. It is
> > not very clear to me, what the testing suite does. My
> > attempt looks this way at the moment:
> >
> > 1657 do_smtp_auth_test() {
> > 1658         git send-email \
> > 1659                 --from="Example <nobody@example.com>" \
> > 1660                 --to=someone@example.com \
> > 1661                 --smtp-server="$(pwd)/fake.sendmail" \
> > 1662                 --smtp-auth="$1" \
> > 1663                 -v \
> > 1664                 0001-*.patch \
> > 1665                 2>errors >out
> > 1666 }
> > 1667
> > 1668 test_expect_success $PREREQ 'accepts SMTP AUTH mechanisms (see
> > RFC-4422, p. 8)' ' 1669         do_smtp_auth_test "PLAIN LOGIN
> > CRAM-MD5 DIGEST-MD5 GSSAPI EXTERNAL ANONYMOUS" && 1670
> > do_smtp_auth_test "ABCDEFGHIKLMNOPQRSTUVWXYZ 0123456789_-"
> 
> Wouldn't this one fail the regex check you added which limits the
> length to 20 characters?

Yes, it would fail. But it does not work anyway...

> 
> > 1671 '
> > 1672
> > 1673 test_expect_success $PREREQ 'does not accept non-RFC-4422
> > strings for SMTP AUTH' ' 1674         test_must_fail
> > do_smtp_auth_test "../ATTACK" && 1675         test_must_fail
> > do_smtp_auth_test "TOO-LONG-BUT-VALID-STRING" && 1676
> > test_must_fail do_smtp_auth_test "no-lower-case-sorry" 1677 '
> >
> > * I do not know yet, what to check after each do_smtp_auth_test
> > call.
> 
> If you were able somehow to capture the interaction with
> Auth::SASL::Perl, then you'd probably want to test if it received the
> whitelisted mechanisms specified via --smtp-auth, however... (see
> below)

--smtp-debug

> 
> > * Perhaps, each case should have its own test_expect_success call?
> 
> The grouping seems okay as-is.
> 
> > * Why send-email -v does not generate any output?
> 
> As far as I know, git-send-email doesn't accept a -v flag.

True, I confused it with --smtp-debug. However, what I did not
understand was the testing framework. The TAP harness discards
everything (I expected some automatic redirection to a file for each
test.). Later I found the --verbose option that allows to see some
output from tests.

> 
> >   (I found a directory 'trash directory.t9001-send-email', however,
> > the errors file is always empty.)
> 
> Was it empty even for the cases which should have triggered the
> validation regex to invoke die()?
> 
> > * Is there any other place where the files out, errors are placed?
> 
> No.
> 
> > * I have no idea what the fake.sendmail does (I could see its
> > contents but still...). Is it suitable for my tests?
> 
> It dumps its command-line arguments to one file ("commandline") and
> its stdin to another ("msgtxt"), but otherwise does no work. This is
> useful for tests which need to make sure that the command-line and/or
> message content gets augmented in some way, but won't help your case
> since it can't capture the script's interaction with
> Authen::SASL::Perl.

I can see it now. Either Perl implementation or a sendmail binary is
used. Unfortunately, this is very unfriendly for such testing.

> 
> > * Should I check the behaviour '--smtp-auth overrides
> >   sendemail.smtpAuth'?
> 
> That would be nice, but there doesn't seem to be a good way to do it
> via an existing testing mechanism since you can't check the
> git-sendemail's interaction with Auth::SASL::Perl. The same holds for
> your question above about what to check after each do_smtp_auth_test()
> call.
> 
> One possibility which comes to mind is to create a fake
> Authen::SASL::Perl which merely dumps its input mechanisms to a file,
> and arrange for the Perl search path to find the fake one instead. You
> could then check the output file to see if it reflects your
> expectations. However, this may be overkill and perhaps not worth the
> effort (especially if you're not a Perl programmer).

I think that Authen::SASL::Perl mock would not help. I wanted to create
some fake sendmail (but this is impossible as stated above because
then the perl modules are not used). So the only way would be to
provide some fake socket with a static content on the other side. This
is really an overkill to just test the few lines of code.

So, what more can I do for this feature?

I think that the basic regex test is OK. It can accept lowercase
letters and do an explicit uppercase call. I do not like to rely on
internals of the SASL library. As you could see, the SASL::Perl does
not check its inputs in a very good way and its code is quite unclear
(strange for a library providing security features).

-- 
  Jan Viktorin                E-mail: Viktorin@RehiveTech.com
  System Architect            Web:    www.RehiveTech.com
  RehiveTech                  Phone: +420 606 201 868
  Brno, Czech Republic

Re: [PATCH v2] send-email: provide whitelist of SMTP AUTH mechanisms

[Eric Sunshine]

On Mon, Aug 10, 2015 at 6:06 AM, Jan Viktorin <viktorin@rehivetech.com> wrote:
> On Sun, 9 Aug 2015 14:13:33 -0400
> Eric Sunshine <sunshine@sunshineco.com> wrote:
>> One possibility which comes to mind is to create a fake
>> Authen::SASL::Perl which merely dumps its input mechanisms to a file,
>> and arrange for the Perl search path to find the fake one instead. You
>> could then check the output file to see if it reflects your
>> expectations. However, this may be overkill and perhaps not worth the
>> effort (especially if you're not a Perl programmer).
>
> I think that Authen::SASL::Perl mock would not help. I wanted to create
> some fake sendmail (but this is impossible as stated above because
> then the perl modules are not used). So the only way would be to
> provide some fake socket with a static content on the other side. This
> is really an overkill to just test the few lines of code.

Agreed.

> So, what more can I do for this feature?

I don't have any further suggestions. Other than the unwanted
"Supported:" line in the documentation and the couple style issues[1],
the patch seems sufficiently complete, as-is. The validation regex
gets a "meh" from me merely because it's not clear how beneficial it
will be in practice, but that's not an outright objection; I don't
feel strongly about it either way.

[1]: http://article.gmane.org/gmane.comp.version-control.git/275150

> I think that the basic regex test is OK. It can accept lowercase
> letters and do an explicit uppercase call. I do not like to rely on
> internals of the SASL library. As you could see, the SASL::Perl does
> not check its inputs in a very good way and its code is quite unclear
> (strange for a library providing security features).

[PATCH v3] send-email: provide whitelist of SMTP AUTH mechanisms

[Jan Viktorin]

When sending an e-mail, the client and server must agree on an
authentication mechanism. Some servers (due to misconfiguration
or a bug) deny valid credentials for certain mechanisms. In this
patch, a new option --smtp-auth and configuration entry smtpAuth
are introduced. If smtp_auth is defined, it works as a whitelist
of allowed mechanisms for authentication selected from the ones
supported by the installed SASL perl library.

Signed-off-by: Jan Viktorin <viktorin@rehivetech.com>
---
 Documentation/git-send-email.txt | 11 +++++++++++
 git-send-email.perl              | 26 +++++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/Documentation/git-send-email.txt b/Documentation/git-send-email.txt
index f14705e..82c6ae8 100644
--- a/Documentation/git-send-email.txt
+++ b/Documentation/git-send-email.txt
@@ -171,6 +171,17 @@ Sending
 	to determine your FQDN automatically.  Default is the value of
 	'sendemail.smtpDomain'.
 
+--smtp-auth=<mechs>::
+	Whitespace-separated list of allowed SMTP-AUTH mechanisms. This setting
+	forces using only the listed mechanisms. Example:
+
+	$ git send-email --smtp-auth="PLAIN LOGIN GSSAPI" ...
+
+	If at least one of the specified mechanisms matches the ones advertised by the
+	SMTP server and if it is supported by the utilized SASL library, the mechanism
+	is used for authentication. If neither 'sendemail.smtpAuth' nor '--smtp-auth'
+	is specified, all mechanisms supported by the SASL library can be used.
+
 --smtp-pass[=<password>]::
 	Password for SMTP-AUTH. The argument is optional: If no
 	argument is specified, then the empty string is used as
diff --git a/git-send-email.perl b/git-send-email.perl
index b660cc2..a7192c4 100755
--- a/git-send-email.perl
+++ b/git-send-email.perl
@@ -75,6 +75,8 @@ git send-email [options] <file | directory | rev-list options >
                                      Pass an empty string to disable certificate
                                      verification.
     --smtp-domain           <str>  * The domain name sent to HELO/EHLO handshake
+    --smtp-auth             <str>  * Space-separated list of allowed AUTH methods.
+                                     This setting forces to use one of the listed methods.
     --smtp-debug            <0|1>  * Disable, enable Net::SMTP debug.
 
   Automating:
@@ -208,7 +210,7 @@ my ($cover_cc, $cover_to);
 my ($to_cmd, $cc_cmd);
 my ($smtp_server, $smtp_server_port, @smtp_server_options);
 my ($smtp_authuser, $smtp_encryption, $smtp_ssl_cert_path);
-my ($identity, $aliasfiletype, @alias_files, $smtp_domain);
+my ($identity, $aliasfiletype, @alias_files, $smtp_domain, $smtp_auth);
 my ($validate, $confirm);
 my (@suppress_cc);
 my ($auto_8bit_encoding);
@@ -239,6 +241,7 @@ my %config_settings = (
     "smtppass" => \$smtp_authpass,
     "smtpsslcertpath" => \$smtp_ssl_cert_path,
     "smtpdomain" => \$smtp_domain,
+    "smtpauth" => \$smtp_auth,
     "to" => \@initial_to,
     "tocmd" => \$to_cmd,
     "cc" => \@initial_cc,
@@ -310,6 +313,7 @@ my $rc = GetOptions("h" => \$help,
 		    "smtp-ssl-cert-path=s" => \$smtp_ssl_cert_path,
 		    "smtp-debug:i" => \$debug_net_smtp,
 		    "smtp-domain:s" => \$smtp_domain,
+		    "smtp-auth=s" => \$smtp_auth,
 		    "identity=s" => \$identity,
 		    "annotate!" => \$annotate,
 		    "no-annotate" => sub {$annotate = 0},
@@ -1130,6 +1134,12 @@ sub smtp_auth_maybe {
 		Authen::SASL->import(qw(Perl));
 	};
 
+	# Check mechanism naming as defined in:
+	# https://tools.ietf.org/html/rfc4422#page-8
+	if ($smtp_auth !~ /^(\b[A-Z0-9-_]{1,20}\s*)*$/) {
+		die "invalid smtp auth: '${smtp_auth}'";
+	}
+
 	# TODO: Authentication may fail not because credentials were
 	# invalid but due to other reasons, in which we should not
 	# reject credentials.
@@ -1142,6 +1152,20 @@ sub smtp_auth_maybe {
 		'password' => $smtp_authpass
 	}, sub {
 		my $cred = shift;
+
+		if ($smtp_auth) {
+			my $sasl = Authen::SASL->new(
+				mechanism => $smtp_auth,
+				callback => {
+					user => $cred->{'username'},
+					pass => $cred->{'password'},
+					authname => $cred->{'username'},
+				}
+			);
+
+			return !!$smtp->auth($sasl);
+		}
+
 		return !!$smtp->auth($cred->{'username'}, $cred->{'password'});
 	});
 
-- 
2.5.0

Re: [PATCH v3] send-email: provide whitelist of SMTP AUTH mechanisms

[Eric Sunshine]

On Wed, Aug 12, 2015 at 01:39:44AM +0200, Jan Viktorin wrote:
> When sending an e-mail, the client and server must agree on an
> authentication mechanism. Some servers (due to misconfiguration
> or a bug) deny valid credentials for certain mechanisms. In this
> patch, a new option --smtp-auth and configuration entry smtpAuth
> are introduced. If smtp_auth is defined, it works as a whitelist
> of allowed mechanisms for authentication selected from the ones
> supported by the installed SASL perl library.
> 
> Signed-off-by: Jan Viktorin <viktorin@rehivetech.com>
> ---
> diff --git a/Documentation/git-send-email.txt b/Documentation/git-send-email.txt
> index f14705e..82c6ae8 100644
> --- a/Documentation/git-send-email.txt
> +++ b/Documentation/git-send-email.txt
> @@ -171,6 +171,17 @@ Sending
>  	to determine your FQDN automatically.  Default is the value of
>  	'sendemail.smtpDomain'.
>  
> +--smtp-auth=<mechs>::
> +	Whitespace-separated list of allowed SMTP-AUTH mechanisms. This setting
> +	forces using only the listed mechanisms. Example:
> +
> +	$ git send-email --smtp-auth="PLAIN LOGIN GSSAPI" ...
> +
> +	If at least one of the specified mechanisms matches the ones advertised by the
> +	SMTP server and if it is supported by the utilized SASL library, the mechanism
> +	is used for authentication. If neither 'sendemail.smtpAuth' nor '--smtp-auth'
> +	is specified, all mechanisms supported by the SASL library can be used.

Unfortuantely, this won't format correctly in Asciidoc. The following squash-in fixes it...

---- 8< ----
Subject: [PATCH] fixup! send-email: provide whitelist of SMTP AUTH mechanisms

---
 Documentation/git-send-email.txt | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/Documentation/git-send-email.txt b/Documentation/git-send-email.txt
index 82c6ae8..9e4f130 100644
--- a/Documentation/git-send-email.txt
+++ b/Documentation/git-send-email.txt
@@ -174,13 +174,15 @@ Sending
 --smtp-auth=<mechs>::
 	Whitespace-separated list of allowed SMTP-AUTH mechanisms. This setting
 	forces using only the listed mechanisms. Example:
-
-	$ git send-email --smtp-auth="PLAIN LOGIN GSSAPI" ...
-
-	If at least one of the specified mechanisms matches the ones advertised by the
-	SMTP server and if it is supported by the utilized SASL library, the mechanism
-	is used for authentication. If neither 'sendemail.smtpAuth' nor '--smtp-auth'
-	is specified, all mechanisms supported by the SASL library can be used.
++
+------
+$ git send-email --smtp-auth="PLAIN LOGIN GSSAPI" ...
+------
++
+If at least one of the specified mechanisms matches the ones advertised by the
+SMTP server and if it is supported by the utilized SASL library, the mechanism
+is used for authentication. If neither 'sendemail.smtpAuth' nor '--smtp-auth'
+is specified, all mechanisms supported by the SASL library can be used.
 
 --smtp-pass[=<password>]::
 	Password for SMTP-AUTH. The argument is optional: If no
-- 
2.5.0.276.gf5e568e