// This file is part of the happyDeliver (R) project. // Copyright (c) 2025 happyDomain // Authors: Pierre-Olivier Mercier, et al. // // This program is offered under a commercial and under the AGPL license. // For commercial licensing, contact us at . // // For AGPL licensing: // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU Affero General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU Affero General Public License for more details. // // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see . package analyzer import ( "strings" "testing" "git.happydns.org/happyDeliver/internal/api" ) func TestParseSPFResult(t *testing.T) { tests := []struct { name string part string expectedResult api.AuthResultResult expectedDomain string }{ { name: "SPF pass with domain", part: "spf=pass smtp.mailfrom=sender@example.com", expectedResult: api.AuthResultResultPass, expectedDomain: "example.com", }, { name: "SPF fail", part: "spf=fail smtp.mailfrom=sender@example.com", expectedResult: api.AuthResultResultFail, expectedDomain: "example.com", }, { name: "SPF neutral", part: "spf=neutral smtp.mailfrom=sender@example.com", expectedResult: api.AuthResultResultNeutral, expectedDomain: "example.com", }, { name: "SPF softfail", part: "spf=softfail smtp.mailfrom=sender@example.com", expectedResult: api.AuthResultResultSoftfail, expectedDomain: "example.com", }, } analyzer := NewAuthenticationAnalyzer() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { result := analyzer.parseSPFResult(tt.part) if result.Result != tt.expectedResult { t.Errorf("Result = %v, want %v", result.Result, tt.expectedResult) } if result.Domain == nil || *result.Domain != tt.expectedDomain { var gotDomain string if result.Domain != nil { gotDomain = *result.Domain } t.Errorf("Domain = %v, want %v", gotDomain, tt.expectedDomain) } }) } } func TestParseDKIMResult(t *testing.T) { tests := []struct { name string part string expectedResult api.AuthResultResult expectedDomain string expectedSelector string }{ { name: "DKIM pass with domain and selector", part: "dkim=pass header.d=example.com header.s=default", expectedResult: api.AuthResultResultPass, expectedDomain: "example.com", expectedSelector: "default", }, { name: "DKIM fail", part: "dkim=fail header.d=example.com header.s=selector1", expectedResult: api.AuthResultResultFail, expectedDomain: "example.com", expectedSelector: "selector1", }, { name: "DKIM with short form (d= and s=)", part: "dkim=pass d=example.com s=default", expectedResult: api.AuthResultResultPass, expectedDomain: "example.com", expectedSelector: "default", }, } analyzer := NewAuthenticationAnalyzer() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { result := analyzer.parseDKIMResult(tt.part) if result.Result != tt.expectedResult { t.Errorf("Result = %v, want %v", result.Result, tt.expectedResult) } if result.Domain == nil || *result.Domain != tt.expectedDomain { var gotDomain string if result.Domain != nil { gotDomain = *result.Domain } t.Errorf("Domain = %v, want %v", gotDomain, tt.expectedDomain) } if result.Selector == nil || *result.Selector != tt.expectedSelector { var gotSelector string if result.Selector != nil { gotSelector = *result.Selector } t.Errorf("Selector = %v, want %v", gotSelector, tt.expectedSelector) } }) } } func TestParseDMARCResult(t *testing.T) { tests := []struct { name string part string expectedResult api.AuthResultResult expectedDomain string }{ { name: "DMARC pass", part: "dmarc=pass action=none header.from=example.com", expectedResult: api.AuthResultResultPass, expectedDomain: "example.com", }, { name: "DMARC fail", part: "dmarc=fail action=quarantine header.from=example.com", expectedResult: api.AuthResultResultFail, expectedDomain: "example.com", }, } analyzer := NewAuthenticationAnalyzer() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { result := analyzer.parseDMARCResult(tt.part) if result.Result != tt.expectedResult { t.Errorf("Result = %v, want %v", result.Result, tt.expectedResult) } if result.Domain == nil || *result.Domain != tt.expectedDomain { var gotDomain string if result.Domain != nil { gotDomain = *result.Domain } t.Errorf("Domain = %v, want %v", gotDomain, tt.expectedDomain) } }) } } func TestParseBIMIResult(t *testing.T) { tests := []struct { name string part string expectedResult api.AuthResultResult expectedDomain string expectedSelector string }{ { name: "BIMI pass with domain and selector", part: "bimi=pass header.d=example.com header.selector=default", expectedResult: api.AuthResultResultPass, expectedDomain: "example.com", expectedSelector: "default", }, { name: "BIMI fail", part: "bimi=fail header.d=example.com header.selector=default", expectedResult: api.AuthResultResultFail, expectedDomain: "example.com", expectedSelector: "default", }, { name: "BIMI with short form (d= and selector=)", part: "bimi=pass d=example.com selector=v1", expectedResult: api.AuthResultResultPass, expectedDomain: "example.com", expectedSelector: "v1", }, { name: "BIMI none", part: "bimi=none header.d=example.com", expectedResult: api.AuthResultResultNone, expectedDomain: "example.com", }, } analyzer := NewAuthenticationAnalyzer() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { result := analyzer.parseBIMIResult(tt.part) if result.Result != tt.expectedResult { t.Errorf("Result = %v, want %v", result.Result, tt.expectedResult) } if result.Domain == nil || *result.Domain != tt.expectedDomain { var gotDomain string if result.Domain != nil { gotDomain = *result.Domain } t.Errorf("Domain = %v, want %v", gotDomain, tt.expectedDomain) } if tt.expectedSelector != "" { if result.Selector == nil || *result.Selector != tt.expectedSelector { var gotSelector string if result.Selector != nil { gotSelector = *result.Selector } t.Errorf("Selector = %v, want %v", gotSelector, tt.expectedSelector) } } }) } } func TestGetAuthenticationScore(t *testing.T) { tests := []struct { name string results *api.AuthenticationResults expectedScore int }{ { name: "Perfect authentication (SPF + DKIM + DMARC)", results: &api.AuthenticationResults{ Spf: &api.AuthResult{ Result: api.AuthResultResultPass, }, Dkim: &[]api.AuthResult{ {Result: api.AuthResultResultPass}, }, Dmarc: &api.AuthResult{ Result: api.AuthResultResultPass, }, }, expectedScore: 90, // SPF=30 + DKIM=30 + DMARC=30 }, { name: "SPF and DKIM only", results: &api.AuthenticationResults{ Spf: &api.AuthResult{ Result: api.AuthResultResultPass, }, Dkim: &[]api.AuthResult{ {Result: api.AuthResultResultPass}, }, }, expectedScore: 60, // SPF=30 + DKIM=30 }, { name: "SPF fail, DKIM pass", results: &api.AuthenticationResults{ Spf: &api.AuthResult{ Result: api.AuthResultResultFail, }, Dkim: &[]api.AuthResult{ {Result: api.AuthResultResultPass}, }, }, expectedScore: 30, // SPF=0 + DKIM=30 }, { name: "SPF softfail", results: &api.AuthenticationResults{ Spf: &api.AuthResult{ Result: api.AuthResultResultSoftfail, }, }, expectedScore: 5, }, { name: "No authentication", results: &api.AuthenticationResults{}, expectedScore: 0, }, { name: "BIMI adds to score", results: &api.AuthenticationResults{ Spf: &api.AuthResult{ Result: api.AuthResultResultPass, }, Bimi: &api.AuthResult{ Result: api.AuthResultResultPass, }, }, expectedScore: 40, // SPF (30) + BIMI (10) }, } scorer := NewAuthenticationAnalyzer() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { score, _ := scorer.CalculateAuthenticationScore(tt.results) if score != tt.expectedScore { t.Errorf("Score = %v, want %v", score, tt.expectedScore) } }) } } func TestParseARCResult(t *testing.T) { tests := []struct { name string part string expectedResult api.ARCResultResult }{ { name: "ARC pass", part: "arc=pass", expectedResult: api.ARCResultResultPass, }, { name: "ARC fail", part: "arc=fail", expectedResult: api.ARCResultResultFail, }, { name: "ARC none", part: "arc=none", expectedResult: api.ARCResultResultNone, }, } analyzer := NewAuthenticationAnalyzer() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { result := analyzer.parseARCResult(tt.part) if result.Result != tt.expectedResult { t.Errorf("Result = %v, want %v", result.Result, tt.expectedResult) } }) } } func TestParseAuthenticationResultsHeader(t *testing.T) { tests := []struct { name string header string expectedSPFResult *api.AuthResultResult expectedSPFDomain *string expectedDKIMCount int expectedDKIMResult *api.AuthResultResult expectedDMARCResult *api.AuthResultResult expectedDMARCDomain *string expectedBIMIResult *api.AuthResultResult expectedARCResult *api.ARCResultResult }{ { name: "Complete authentication results", header: "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=pass action=none header.from=example.com", expectedSPFResult: api.PtrTo(api.AuthResultResultPass), expectedSPFDomain: api.PtrTo("example.com"), expectedDKIMCount: 1, expectedDKIMResult: api.PtrTo(api.AuthResultResultPass), expectedDMARCResult: api.PtrTo(api.AuthResultResultPass), expectedDMARCDomain: api.PtrTo("example.com"), }, { name: "SPF only", header: "mail.example.com; spf=pass smtp.mailfrom=user@domain.com", expectedSPFResult: api.PtrTo(api.AuthResultResultPass), expectedSPFDomain: api.PtrTo("domain.com"), expectedDKIMCount: 0, expectedDMARCResult: nil, }, { name: "DKIM only", header: "mail.example.com; dkim=pass header.d=example.com header.s=selector1", expectedSPFResult: nil, expectedDKIMCount: 1, expectedDKIMResult: api.PtrTo(api.AuthResultResultPass), }, { name: "Multiple DKIM signatures", header: "mail.example.com; dkim=pass header.d=example.com header.s=s1; dkim=pass header.d=example.com header.s=s2", expectedSPFResult: nil, expectedDKIMCount: 2, expectedDKIMResult: api.PtrTo(api.AuthResultResultPass), expectedDMARCResult: nil, }, { name: "SPF fail with DKIM pass", header: "mail.example.com; spf=fail smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default", expectedSPFResult: api.PtrTo(api.AuthResultResultFail), expectedSPFDomain: api.PtrTo("example.com"), expectedDKIMCount: 1, expectedDKIMResult: api.PtrTo(api.AuthResultResultPass), expectedDMARCResult: nil, }, { name: "SPF softfail", header: "mail.example.com; spf=softfail smtp.mailfrom=sender@example.com", expectedSPFResult: api.PtrTo(api.AuthResultResultSoftfail), expectedSPFDomain: api.PtrTo("example.com"), expectedDKIMCount: 0, expectedDMARCResult: nil, }, { name: "DMARC fail", header: "mail.example.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=fail action=quarantine header.from=example.com", expectedSPFResult: api.PtrTo(api.AuthResultResultPass), expectedDKIMCount: 1, expectedDKIMResult: api.PtrTo(api.AuthResultResultPass), expectedDMARCResult: api.PtrTo(api.AuthResultResultFail), expectedDMARCDomain: api.PtrTo("example.com"), }, { name: "BIMI pass", header: "mail.example.com; spf=pass smtp.mailfrom=sender@example.com; bimi=pass header.d=example.com header.selector=default", expectedSPFResult: api.PtrTo(api.AuthResultResultPass), expectedSPFDomain: api.PtrTo("example.com"), expectedDKIMCount: 0, expectedBIMIResult: api.PtrTo(api.AuthResultResultPass), }, { name: "ARC pass", header: "mail.example.com; arc=pass", expectedSPFResult: nil, expectedDKIMCount: 0, expectedARCResult: api.PtrTo(api.ARCResultResultPass), }, { name: "All authentication methods", header: "mx.google.com; spf=pass smtp.mailfrom=sender@example.com; dkim=pass header.d=example.com header.s=default; dmarc=pass action=none header.from=example.com; bimi=pass header.d=example.com header.selector=v1; arc=pass", expectedSPFResult: api.PtrTo(api.AuthResultResultPass), expectedSPFDomain: api.PtrTo("example.com"), expectedDKIMCount: 1, expectedDKIMResult: api.PtrTo(api.AuthResultResultPass), expectedDMARCResult: api.PtrTo(api.AuthResultResultPass), expectedDMARCDomain: api.PtrTo("example.com"), expectedBIMIResult: api.PtrTo(api.AuthResultResultPass), expectedARCResult: api.PtrTo(api.ARCResultResultPass), }, { name: "Empty header (authserv-id only)", header: "mx.google.com", expectedSPFResult: nil, expectedDKIMCount: 0, }, { name: "Empty parts with semicolons", header: "mx.google.com; ; ; spf=pass smtp.mailfrom=sender@example.com; ;", expectedSPFResult: api.PtrTo(api.AuthResultResultPass), expectedSPFDomain: api.PtrTo("example.com"), expectedDKIMCount: 0, }, { name: "DKIM with short form parameters", header: "mail.example.com; dkim=pass d=example.com s=selector1", expectedSPFResult: nil, expectedDKIMCount: 1, expectedDKIMResult: api.PtrTo(api.AuthResultResultPass), }, { name: "SPF neutral", header: "mail.example.com; spf=neutral smtp.mailfrom=sender@example.com", expectedSPFResult: api.PtrTo(api.AuthResultResultNeutral), expectedSPFDomain: api.PtrTo("example.com"), expectedDKIMCount: 0, }, { name: "SPF none", header: "mail.example.com; spf=none", expectedSPFResult: api.PtrTo(api.AuthResultResultNone), expectedDKIMCount: 0, }, } analyzer := NewAuthenticationAnalyzer() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { results := &api.AuthenticationResults{} analyzer.parseAuthenticationResultsHeader(tt.header, results) // Check SPF if tt.expectedSPFResult != nil { if results.Spf == nil { t.Errorf("Expected SPF result, got nil") } else { if results.Spf.Result != *tt.expectedSPFResult { t.Errorf("SPF Result = %v, want %v", results.Spf.Result, *tt.expectedSPFResult) } if tt.expectedSPFDomain != nil { if results.Spf.Domain == nil || *results.Spf.Domain != *tt.expectedSPFDomain { var gotDomain string if results.Spf.Domain != nil { gotDomain = *results.Spf.Domain } t.Errorf("SPF Domain = %v, want %v", gotDomain, *tt.expectedSPFDomain) } } } } else { if results.Spf != nil { t.Errorf("Expected no SPF result, got %+v", results.Spf) } } // Check DKIM count and result if results.Dkim == nil { if tt.expectedDKIMCount != 0 { t.Errorf("Expected %d DKIM results, got nil", tt.expectedDKIMCount) } } else { if len(*results.Dkim) != tt.expectedDKIMCount { t.Errorf("DKIM count = %d, want %d", len(*results.Dkim), tt.expectedDKIMCount) } if tt.expectedDKIMResult != nil && len(*results.Dkim) > 0 { if (*results.Dkim)[0].Result != *tt.expectedDKIMResult { t.Errorf("DKIM Result = %v, want %v", (*results.Dkim)[0].Result, *tt.expectedDKIMResult) } } } // Check DMARC if tt.expectedDMARCResult != nil { if results.Dmarc == nil { t.Errorf("Expected DMARC result, got nil") } else { if results.Dmarc.Result != *tt.expectedDMARCResult { t.Errorf("DMARC Result = %v, want %v", results.Dmarc.Result, *tt.expectedDMARCResult) } if tt.expectedDMARCDomain != nil { if results.Dmarc.Domain == nil || *results.Dmarc.Domain != *tt.expectedDMARCDomain { var gotDomain string if results.Dmarc.Domain != nil { gotDomain = *results.Dmarc.Domain } t.Errorf("DMARC Domain = %v, want %v", gotDomain, *tt.expectedDMARCDomain) } } } } else { if results.Dmarc != nil { t.Errorf("Expected no DMARC result, got %+v", results.Dmarc) } } // Check BIMI if tt.expectedBIMIResult != nil { if results.Bimi == nil { t.Errorf("Expected BIMI result, got nil") } else { if results.Bimi.Result != *tt.expectedBIMIResult { t.Errorf("BIMI Result = %v, want %v", results.Bimi.Result, *tt.expectedBIMIResult) } } } else { if results.Bimi != nil { t.Errorf("Expected no BIMI result, got %+v", results.Bimi) } } // Check ARC if tt.expectedARCResult != nil { if results.Arc == nil { t.Errorf("Expected ARC result, got nil") } else { if results.Arc.Result != *tt.expectedARCResult { t.Errorf("ARC Result = %v, want %v", results.Arc.Result, *tt.expectedARCResult) } } } else { if results.Arc != nil { t.Errorf("Expected no ARC result, got %+v", results.Arc) } } }) } } func TestParseAuthenticationResultsHeader_OnlyFirstResultParsed(t *testing.T) { // This test verifies that only the first occurrence of each auth method is parsed analyzer := NewAuthenticationAnalyzer() t.Run("Multiple SPF results - only first is parsed", func(t *testing.T) { header := "mail.example.com; spf=pass smtp.mailfrom=first@example.com; spf=fail smtp.mailfrom=second@example.com" results := &api.AuthenticationResults{} analyzer.parseAuthenticationResultsHeader(header, results) if results.Spf == nil { t.Fatal("Expected SPF result, got nil") } if results.Spf.Result != api.AuthResultResultPass { t.Errorf("Expected first SPF result (pass), got %v", results.Spf.Result) } if results.Spf.Domain == nil || *results.Spf.Domain != "example.com" { t.Errorf("Expected domain from first SPF result") } }) t.Run("Multiple DMARC results - only first is parsed", func(t *testing.T) { header := "mail.example.com; dmarc=pass header.from=first.com; dmarc=fail header.from=second.com" results := &api.AuthenticationResults{} analyzer.parseAuthenticationResultsHeader(header, results) if results.Dmarc == nil { t.Fatal("Expected DMARC result, got nil") } if results.Dmarc.Result != api.AuthResultResultPass { t.Errorf("Expected first DMARC result (pass), got %v", results.Dmarc.Result) } if results.Dmarc.Domain == nil || *results.Dmarc.Domain != "first.com" { t.Errorf("Expected domain from first DMARC result") } }) t.Run("Multiple ARC results - only first is parsed", func(t *testing.T) { header := "mail.example.com; arc=pass; arc=fail" results := &api.AuthenticationResults{} analyzer.parseAuthenticationResultsHeader(header, results) if results.Arc == nil { t.Fatal("Expected ARC result, got nil") } if results.Arc.Result != api.ARCResultResultPass { t.Errorf("Expected first ARC result (pass), got %v", results.Arc.Result) } }) t.Run("Multiple BIMI results - only first is parsed", func(t *testing.T) { header := "mail.example.com; bimi=pass header.d=first.com; bimi=fail header.d=second.com" results := &api.AuthenticationResults{} analyzer.parseAuthenticationResultsHeader(header, results) if results.Bimi == nil { t.Fatal("Expected BIMI result, got nil") } if results.Bimi.Result != api.AuthResultResultPass { t.Errorf("Expected first BIMI result (pass), got %v", results.Bimi.Result) } if results.Bimi.Domain == nil || *results.Bimi.Domain != "first.com" { t.Errorf("Expected domain from first BIMI result") } }) t.Run("Multiple DKIM results - all are parsed", func(t *testing.T) { // DKIM is special - multiple signatures should all be collected header := "mail.example.com; dkim=pass header.d=first.com header.s=s1; dkim=fail header.d=second.com header.s=s2" results := &api.AuthenticationResults{} analyzer.parseAuthenticationResultsHeader(header, results) if results.Dkim == nil { t.Fatal("Expected DKIM results, got nil") } if len(*results.Dkim) != 2 { t.Errorf("Expected 2 DKIM results, got %d", len(*results.Dkim)) } if (*results.Dkim)[0].Result != api.AuthResultResultPass { t.Errorf("Expected first DKIM result to be pass, got %v", (*results.Dkim)[0].Result) } if (*results.Dkim)[1].Result != api.AuthResultResultFail { t.Errorf("Expected second DKIM result to be fail, got %v", (*results.Dkim)[1].Result) } }) } func TestParseLegacySPF(t *testing.T) { tests := []struct { name string receivedSPF string expectedResult api.AuthResultResult expectedDomain *string expectNil bool }{ { name: "SPF pass with envelope-from", receivedSPF: `pass (mail.example.com: 192.0.2.10 is authorized to use 'user@example.com' in 'mfrom' identity (mechanism 'ip4:192.0.2.10' matched)) receiver=mx.receiver.com; identity=mailfrom; envelope-from="user@example.com"; helo=smtp.example.com; client-ip=192.0.2.10`, expectedResult: api.AuthResultResultPass, expectedDomain: api.PtrTo("example.com"), }, { name: "SPF fail with sender", receivedSPF: `fail (mail.example.com: domain of sender@test.com does not designate 192.0.2.20 as permitted sender) receiver=mx.receiver.com; identity=mailfrom; sender="sender@test.com"; helo=smtp.test.com; client-ip=192.0.2.20`, expectedResult: api.AuthResultResultFail, expectedDomain: api.PtrTo("test.com"), }, { name: "SPF softfail", receivedSPF: "softfail (example.com: transitioning domain of admin@example.org does not designate 192.0.2.30 as permitted sender) envelope-from=\"admin@example.org\"", expectedResult: api.AuthResultResultSoftfail, expectedDomain: api.PtrTo("example.org"), }, { name: "SPF neutral", receivedSPF: "neutral (example.com: 192.0.2.40 is neither permitted nor denied by domain of info@domain.net) envelope-from=\"info@domain.net\"", expectedResult: api.AuthResultResultNeutral, expectedDomain: api.PtrTo("domain.net"), }, { name: "SPF none", receivedSPF: "none (example.com: domain of noreply@company.io has no SPF record) envelope-from=\"noreply@company.io\"", expectedResult: api.AuthResultResultNone, expectedDomain: api.PtrTo("company.io"), }, { name: "SPF temperror", receivedSPF: "temperror (example.com: error in processing SPF record) envelope-from=\"support@shop.example\"", expectedResult: api.AuthResultResultTemperror, expectedDomain: api.PtrTo("shop.example"), }, { name: "SPF permerror", receivedSPF: "permerror (example.com: domain of contact@invalid.test has invalid SPF record) envelope-from=\"contact@invalid.test\"", expectedResult: api.AuthResultResultPermerror, expectedDomain: api.PtrTo("invalid.test"), }, { name: "SPF pass without domain extraction", receivedSPF: "pass (example.com: 192.0.2.50 is authorized)", expectedResult: api.AuthResultResultPass, expectedDomain: nil, }, { name: "Empty Received-SPF header", receivedSPF: "", expectNil: true, }, { name: "SPF with unquoted envelope-from", receivedSPF: "pass (example.com: sender SPF authorized) envelope-from=postmaster@mail.example.net", expectedResult: api.AuthResultResultPass, expectedDomain: api.PtrTo("mail.example.net"), }, } analyzer := NewAuthenticationAnalyzer() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { // Create a mock email message with Received-SPF header email := &EmailMessage{ Header: make(map[string][]string), } if tt.receivedSPF != "" { email.Header["Received-Spf"] = []string{tt.receivedSPF} } result := analyzer.parseLegacySPF(email) if tt.expectNil { if result != nil { t.Errorf("Expected nil result, got %+v", result) } return } if result == nil { t.Fatal("Expected non-nil result, got nil") } if result.Result != tt.expectedResult { t.Errorf("Result = %v, want %v", result.Result, tt.expectedResult) } if tt.expectedDomain != nil { if result.Domain == nil { t.Errorf("Domain = nil, want %v", *tt.expectedDomain) } else if *result.Domain != *tt.expectedDomain { t.Errorf("Domain = %v, want %v", *result.Domain, *tt.expectedDomain) } } else { if result.Domain != nil { t.Errorf("Domain = %v, want nil", *result.Domain) } } if result.Details == nil { t.Error("Expected Details to be set, got nil") } else if *result.Details != tt.receivedSPF { t.Errorf("Details = %v, want %v", *result.Details, tt.receivedSPF) } }) } } func TestValidateARCChain(t *testing.T) { tests := []struct { name string arcAuthResults []string arcMessageSig []string arcSeal []string expectedValid bool }{ { name: "Empty chain is valid", arcAuthResults: []string{}, arcMessageSig: []string{}, arcSeal: []string{}, expectedValid: true, }, { name: "Valid chain with single hop", arcAuthResults: []string{ "i=1; example.com; spf=pass", }, arcMessageSig: []string{ "i=1; a=rsa-sha256; d=example.com", }, arcSeal: []string{ "i=1; a=rsa-sha256; s=arc; d=example.com", }, expectedValid: true, }, { name: "Valid chain with two hops", arcAuthResults: []string{ "i=1; example.com; spf=pass", "i=2; relay.com; arc=pass", }, arcMessageSig: []string{ "i=1; a=rsa-sha256; d=example.com", "i=2; a=rsa-sha256; d=relay.com", }, arcSeal: []string{ "i=1; a=rsa-sha256; s=arc; d=example.com", "i=2; a=rsa-sha256; s=arc; d=relay.com", }, expectedValid: true, }, { name: "Invalid chain - missing one header type", arcAuthResults: []string{ "i=1; example.com; spf=pass", }, arcMessageSig: []string{ "i=1; a=rsa-sha256; d=example.com", }, arcSeal: []string{}, expectedValid: false, }, { name: "Invalid chain - non-sequential instances", arcAuthResults: []string{ "i=1; example.com; spf=pass", "i=3; relay.com; arc=pass", }, arcMessageSig: []string{ "i=1; a=rsa-sha256; d=example.com", "i=3; a=rsa-sha256; d=relay.com", }, arcSeal: []string{ "i=1; a=rsa-sha256; s=arc; d=example.com", "i=3; a=rsa-sha256; s=arc; d=relay.com", }, expectedValid: false, }, } analyzer := NewAuthenticationAnalyzer() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { valid := analyzer.validateARCChain(tt.arcAuthResults, tt.arcMessageSig, tt.arcSeal) if valid != tt.expectedValid { t.Errorf("validateARCChain() = %v, want %v", valid, tt.expectedValid) } }) } } func TestParseLegacyDKIM(t *testing.T) { tests := []struct { name string dkimSignatures []string expectedCount int expectedDomains []string expectedSelector []string }{ { name: "Single DKIM signature with domain and selector", dkimSignatures: []string{ "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; h=from:to:subject:date; bh=xyz; b=abc", }, expectedCount: 1, expectedDomains: []string{"example.com"}, expectedSelector: []string{"selector1"}, }, { name: "Multiple DKIM signatures", dkimSignatures: []string{ "v=1; a=rsa-sha256; d=example.com; s=selector1; b=abc123", "v=1; a=rsa-sha256; d=example.com; s=selector2; b=def456", }, expectedCount: 2, expectedDomains: []string{"example.com", "example.com"}, expectedSelector: []string{"selector1", "selector2"}, }, { name: "DKIM signature with different domain", dkimSignatures: []string{ "v=1; a=rsa-sha256; d=mail.example.org; s=default; b=xyz789", }, expectedCount: 1, expectedDomains: []string{"mail.example.org"}, expectedSelector: []string{"default"}, }, { name: "DKIM signature with subdomain", dkimSignatures: []string{ "v=1; a=rsa-sha256; d=newsletters.example.com; s=marketing; b=aaa", }, expectedCount: 1, expectedDomains: []string{"newsletters.example.com"}, expectedSelector: []string{"marketing"}, }, { name: "Multiple signatures from different domains", dkimSignatures: []string{ "v=1; a=rsa-sha256; d=example.com; s=s1; b=abc", "v=1; a=rsa-sha256; d=relay.com; s=s2; b=def", }, expectedCount: 2, expectedDomains: []string{"example.com", "relay.com"}, expectedSelector: []string{"s1", "s2"}, }, { name: "No DKIM signatures", dkimSignatures: []string{}, expectedCount: 0, expectedDomains: []string{}, expectedSelector: []string{}, }, { name: "DKIM signature without selector", dkimSignatures: []string{ "v=1; a=rsa-sha256; d=example.com; b=abc123", }, expectedCount: 1, expectedDomains: []string{"example.com"}, expectedSelector: []string{""}, }, { name: "DKIM signature without domain", dkimSignatures: []string{ "v=1; a=rsa-sha256; s=selector1; b=abc123", }, expectedCount: 1, expectedDomains: []string{""}, expectedSelector: []string{"selector1"}, }, { name: "DKIM signature with whitespace in parameters", dkimSignatures: []string{ "v=1; a=rsa-sha256; d=example.com ; s=selector1 ; b=abc123", }, expectedCount: 1, expectedDomains: []string{"example.com"}, expectedSelector: []string{"selector1"}, }, { name: "DKIM signature with multiline format", dkimSignatures: []string{ "v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n\td=example.com; s=selector1;\r\n\th=from:to:subject:date;\r\n\tb=abc123def456ghi789", }, expectedCount: 1, expectedDomains: []string{"example.com"}, expectedSelector: []string{"selector1"}, }, { name: "DKIM signature with ed25519 algorithm", dkimSignatures: []string{ "v=1; a=ed25519-sha256; d=example.com; s=ed25519; b=xyz", }, expectedCount: 1, expectedDomains: []string{"example.com"}, expectedSelector: []string{"ed25519"}, }, { name: "Complex real-world DKIM signature", dkimSignatures: []string{ "v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1234567890; x=1234567950; darn=example.com; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=abc123def456==; b=longsignaturehere==", }, expectedCount: 1, expectedDomains: []string{"google.com"}, expectedSelector: []string{"20230601"}, }, } analyzer := NewAuthenticationAnalyzer() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { // Create a mock email message with DKIM-Signature headers email := &EmailMessage{ Header: make(map[string][]string), } if len(tt.dkimSignatures) > 0 { email.Header["Dkim-Signature"] = tt.dkimSignatures } results := analyzer.parseLegacyDKIM(email) // Check count if len(results) != tt.expectedCount { t.Errorf("Expected %d results, got %d", tt.expectedCount, len(results)) return } // Check each result for i, result := range results { // All legacy DKIM results should have Result = none if result.Result != api.AuthResultResultNone { t.Errorf("Result[%d].Result = %v, want %v", i, result.Result, api.AuthResultResultNone) } // Check domain if i < len(tt.expectedDomains) { expectedDomain := tt.expectedDomains[i] if expectedDomain != "" { if result.Domain == nil { t.Errorf("Result[%d].Domain = nil, want %v", i, expectedDomain) } else if strings.TrimSpace(*result.Domain) != expectedDomain { t.Errorf("Result[%d].Domain = %v, want %v", i, *result.Domain, expectedDomain) } } } // Check selector if i < len(tt.expectedSelector) { expectedSelector := tt.expectedSelector[i] if expectedSelector != "" { if result.Selector == nil { t.Errorf("Result[%d].Selector = nil, want %v", i, expectedSelector) } else if strings.TrimSpace(*result.Selector) != expectedSelector { t.Errorf("Result[%d].Selector = %v, want %v", i, *result.Selector, expectedSelector) } } } // Check that Details is set if result.Details == nil { t.Errorf("Result[%d].Details = nil, expected non-nil", i) } else { expectedDetails := "DKIM signature present (verification status unknown)" if *result.Details != expectedDetails { t.Errorf("Result[%d].Details = %v, want %v", i, *result.Details, expectedDetails) } } } }) } } func TestParseLegacyDKIM_Integration(t *testing.T) { // Test that parseLegacyDKIM is properly integrated into AnalyzeAuthentication t.Run("Legacy DKIM is used when no Authentication-Results", func(t *testing.T) { analyzer := NewAuthenticationAnalyzer() email := &EmailMessage{ Header: make(map[string][]string), } email.Header["Dkim-Signature"] = []string{ "v=1; a=rsa-sha256; d=example.com; s=selector1; b=abc", } results := analyzer.AnalyzeAuthentication(email) if results.Dkim == nil { t.Fatal("Expected DKIM results, got nil") } if len(*results.Dkim) != 1 { t.Errorf("Expected 1 DKIM result, got %d", len(*results.Dkim)) } if (*results.Dkim)[0].Result != api.AuthResultResultNone { t.Errorf("Expected DKIM result to be 'none', got %v", (*results.Dkim)[0].Result) } if (*results.Dkim)[0].Domain == nil || *(*results.Dkim)[0].Domain != "example.com" { t.Error("Expected domain to be 'example.com'") } }) t.Run("Legacy DKIM is NOT used when Authentication-Results present", func(t *testing.T) { analyzer := NewAuthenticationAnalyzer() email := &EmailMessage{ Header: make(map[string][]string), } // Both Authentication-Results and DKIM-Signature headers email.Header["Authentication-Results"] = []string{ "mx.example.com; dkim=pass header.d=verified.com header.s=s1", } email.Header["Dkim-Signature"] = []string{ "v=1; a=rsa-sha256; d=example.com; s=selector1; b=abc", } results := analyzer.AnalyzeAuthentication(email) // Should use the Authentication-Results DKIM (pass from verified.com), not the legacy signature if results.Dkim == nil { t.Fatal("Expected DKIM results, got nil") } if len(*results.Dkim) != 1 { t.Errorf("Expected 1 DKIM result, got %d", len(*results.Dkim)) } if (*results.Dkim)[0].Result != api.AuthResultResultPass { t.Errorf("Expected DKIM result to be 'pass', got %v", (*results.Dkim)[0].Result) } if (*results.Dkim)[0].Domain == nil || *(*results.Dkim)[0].Domain != "verified.com" { t.Error("Expected domain to be 'verified.com' from Authentication-Results, not 'example.com' from legacy") } }) }