Commit graph

1441 commits

Author SHA1 Message Date
David Bremner
0e4695abaa test: regression tests for n_indexopts_{get,set}_decrypt_policy
The main criteria is that they don't crash. Working with a closed
database is a bonus.
2020-08-03 21:05:29 -03:00
David Bremner
e3f88436b7 test: regression test for traversing config list with closed db
Also mention error return in API docs
2020-08-03 21:03:43 -03:00
David Bremner
a0b2a54aa7 test: regression test for n_d_get_config_list on closed db.
Exception is caught.
2020-08-03 21:01:53 -03:00
David Bremner
e8ffbf84ff test: regression test for n_directory_{get,set}_mtime
The mtime is cached, so closing the db is not a problem. Writing the
mtime throws an exception, which is caught.
2020-08-03 21:00:25 -03:00
David Bremner
f4f5db0f1a lib: fix return value for n_directory_delete
Falling out of the catch meant the error return was lost
2020-08-03 20:59:06 -03:00
David Bremner
b03cc6cf90 test: known broken test for n_directory_delete with closed db.
There is a return value bug in notmuch_directory_delete that is hiding
the exception.
2020-08-03 20:57:43 -03:00
David Bremner
337665e26a lib: catch exceptions in n_directory_get_child_files
Also clarify API in error case.
2020-08-03 20:56:09 -03:00
David Bremner
3890d98966 test: add known broken test for n_directory_get_child_files
This is a clone of the one for get_child_directories
2020-08-03 20:54:26 -03:00
David Bremner
9668583a49 lib: catch exceptions in n_directory_get_child_directories
Also clarify API in error case.
2020-08-03 20:53:04 -03:00
David Bremner
919b89156c test: add known broken test for n_directory_get_child_directories
Start a new test file (for the notmuch_directory_* API group) to hold
this test.
2020-08-03 20:51:40 -03:00
David Bremner
c151506773 test: regression test for n_m_get_filenames
Closing the database after the iterator is created is not a problem.
2020-08-03 20:50:15 -03:00
David Bremner
2b6e73d895 test: split header for lib-message tests.
This allows finer control over when to close the database.
2020-08-03 20:48:51 -03:00
David Bremner
e5e17926db test: add regression test for n_messages_collect_tags
Also test n_messages_destroy.
2020-08-03 20:47:18 -03:00
David Bremner
31dab9b1cd lib: return NULL from n_d_get_default_indexopts on error
This is a rare and probably serious programming error, so better not
to silently return a default value.
2020-08-03 20:45:58 -03:00
David Bremner
99a7aac8f2 test: drop use of db_ending
This will allow the dropping of the test for the default ending from
configure.
2020-08-01 20:27:30 -03:00
David Bremner
29a58ecf4a test: drop NOTMUCH_DEFAULT_XAPIAN_BACKEND from T360-symbol-test
Inspired by the suggestion of

         id:20200727154108.16269-3-congdanhqx@gmail.com

to drop the configuration test for the default backend. This version
is hopefully robust against backend changes.
2020-07-31 21:30:06 -03:00
David Bremner
00f48f397a test: destroy thread from closed database
Check for (non)-crash.
2020-07-31 07:41:00 -03:00
David Bremner
864f422f14 test: regression test for n_thread_get_tags
Code is taken from the API docs, with the twist that the underlying
database is closed. Not crashing is the main point.
2020-07-31 07:41:00 -03:00
David Bremner
43406e7d4c test: add regression tests for oldest and newest dates
These are strictly to watch for crashes, so don't be too fussy about
the actual timestamps.
2020-07-31 07:41:00 -03:00
David Bremner
c5017c76d9 test: add regression tests for n_t_get_{authors, subject}
This is returning explicitely cached data, so no database access is needed.
2020-07-31 07:41:00 -03:00
David Bremner
70b30066f6 test: add regression test for n_t_get_messages
This is similar to the case of toplevel messages. Currently everything
is cached, so no database access is necessary. This might change in
the future, but it should not crash in either case.
2020-07-31 07:41:00 -03:00
David Bremner
6ccc4338a4 test: add regression tests for n_thread_get_toplevel_messages
Include a test for the previously omitted non-trivial code path for
notmuch_thread_get_replies.
2020-07-31 07:41:00 -03:00
David Bremner
02ab473115 test: add regression test for n_thread_get_total_{messages,files}
This is returning cached info, so does not need to access the (closed)
database.
2020-07-31 07:41:00 -03:00
David Bremner
0baa581e6e test: regression test for n_t_get_thread_id
This is just cached data, so as long as we don't prematurely free
anything, it should be fine.
2020-07-31 07:41:00 -03:00
David Bremner
46468baa5a test: regression test for notmuch_query_destroy
As with other void API entries, not crashing counts as success.
2020-07-29 12:20:41 -03:00
David Bremner
451c0ce3fc test: regression tests for n_q_count_{messages, threads}
At least these exceptions are caught.
2020-07-29 12:20:30 -03:00
David Bremner
0a4c6cdeb1 test: regression test for n_q_search_messages
Exception handling matches notmuch_query_search_threads, at least for
this case.
2020-07-29 12:20:22 -03:00
David Bremner
25fc8662ed test: regression test for n_q_search_threads
At least this exception is caught.
2020-07-29 12:20:14 -03:00
David Bremner
4130b4e514 test: add regression test for n_q_add_tag_exclude
This relies on the change to not tear down the auxilary Xapian
objects, in particular the query parser, when the database is closed.
2020-07-29 12:20:06 -03:00
David Bremner
d5c84c8289 test: regression test for n_q_{set, get}_sort
We just want to make sure accessing the query owned by a closed db
does not cause a crash.
2020-07-29 12:19:57 -03:00
David Bremner
a292461e65 test: regression test for set_omit_excluded 2020-07-29 12:19:48 -03:00
David Bremner
768efe88d0 test: regression test for notmuch_query_get_database
Current functionality is too trivial to really justify a test, but
it's simpler just to test the complete API.
2020-07-29 12:19:39 -03:00
David Bremner
cbf9f890aa test: add regression test for n_q_{create,_get_query_string}
Start a new file of tests, to keep to the (emerging) scheme of one
notmuch_foo group per file
2020-07-29 12:19:09 -03:00
David Bremner
85da95e266 test: move notmuch_message_* tests to their own file
This is for consistency with the recently added tests for
notmuch_database_*.
2020-07-29 12:18:11 -03:00
Jonas Bernoulli
8b162b40f8 test: Explicitly state that we want to sign with sender
Since Emacs 27 'mml-secure-epg-sign' errors out if we don't opt-in to
signing as the sender using 'mml-secure-openpgp-sign-with-sender'.
2020-07-28 08:40:30 -03:00
Jonas Bernoulli
7b752e9eb4 test: Remove misguided emacs testing utilities
The goal of this abstraction was to save space.  But that failed as
the result actually was that four trivial lines got replace with 15
fairly complicated lines.  The opposite of what it was supposed to
do.

Also it made it harder to come up with the fix in the previous commit;
simply grepping for the relevant symbols did not work because they get
constructed at run-time instead of appearing in the source file.
2020-07-28 08:39:58 -03:00
Jonas Bernoulli
d5d8846c32 test: Deal with Emacs 27 switching to lexical scope by default
Starting with Emacs 27 undeclared variables in evaluated interactive
code uses lexical scope.  This includes code passed with '--eval' as
we do in the Emacs tests, which also happen to assume dynamic scope.

- This can affect variables defined by libraries that we use.  We
  let-bind such variables to change the behavior of functions which we
  then call with these bindings in effect.  If these libraries are not
  loaded beforehand, then the bindings are lexical and fail to have
  the effect we intended.

  At this time only 'smtpmail' has to be loaded explicitly (for the
  variables let-bound in emacs_deliver_message and emacs_fcc_message).

  'message' doesn't have to be loaded explicitly, because loading
  'notmuch' (in 'run_emacs') already takes care of that, indirectly.

- Our own testing-only variables also have to be declared explicitly.
  We should have done that anyway, but because of how and where these
  variables are used it was very easy to overlook that (i.e. it isn't
  something the byte-compiler ever looks at).  Not so in Emacs 27
  anymore; here this oversight caused four tests to fail.

  The numeric values of these variables get incremented by functions
  that we add to hooks that are run by many tests, not just the tests
  where we actually inspect the value and therefore take care to let-
  bind the values to 0 before we begin.  The global values therefore
  have to be numeric values as well.  I have chosen -100 instead of 0
  as the default in case someone writes a test that inspects the value
  but forgets to let-bind the value.  I hope that the unusual negative
  value that one is going to see in such a case will help debugging
  the issue.
2020-07-28 08:39:44 -03:00
David Bremner
24cf4381b8 test: add known broken test for n_d_get_default_indexopts
Xapian exceptions are swallowed and turned into default return value.
2020-07-22 19:52:55 -03:00
David Bremner
b268c8c071 lib: fix error return bug with n_d_set_config.
The catch block either needs to return, or the function needs to
return "status". Choose the latter for consistency with
n_d_get_config.
2020-07-22 19:52:55 -03:00
David Bremner
f6d74be840 test: add known broken test for n_d_set_config
Error status is currently lost.
2020-07-22 19:52:55 -03:00
David Bremner
a5e13d5218 test: add regression test for n_d_get_config
Xapian exceptions seem to handled OK, at least for this case.
2020-07-22 19:52:55 -03:00
David Bremner
dfab190a40 lib: add regresion test for n_d_get_all_tags
Existing error handling seems adequate, if not ideal.
2020-07-22 19:52:55 -03:00
David Bremner
64aa896151 lib: add regression test for n_d_find_message_by_filename
At least this Xapian exception is caught. Make sure it stays that way.
2020-07-22 19:52:55 -03:00
David Bremner
ce360ce4c9 lib: rename _n_d_create to _n_d_find_or_create
The error message and name were confusing when called in some "read
only" context.
2020-07-22 19:52:55 -03:00
David Bremner
97c887282a test: add known broken test for notmuch_database_remove_message
The current error message is a bit confusing; fix in next commit.
2020-07-22 19:52:55 -03:00
David Bremner
c477d7ce31 lib: convert relative filenames to absolute in n_d_index_file
The API docs promise to handle relative filenames, but the code did
not do it.

Also check for files outside the mail root, as implied by the API
description.

This fixes the bug reported at

     id:87sgdqo0rz.fsf@tethera.net
2020-07-22 19:52:55 -03:00
David Bremner
be3f4aec3f test: add known broken test for indexing relative path
The current code seems to look for the path relative to the current
working directory, rather than the mail store root.
2020-07-22 19:52:55 -03:00
David Bremner
9ab3e2e77d test: regression test for n_d_index_file closed db
Current exception handling seems OK, at least for this case.
2020-07-22 19:52:55 -03:00
David Bremner
1ca805a962 test: add regression test for n_d_get_directory
At least this exception is already handled correctly.
2020-07-22 19:52:55 -03:00
David Bremner
959cb4b7a7 test: regression test for n_d_get_revision
This function only accesses data cached by notmuch, so being closed is
not a problem.
2020-07-22 19:52:55 -03:00
David Bremner
bcb02dd8fc test: add regression test for n_d_{begin,end}_atomic
Xapian currently succeeds to begin/end a transaction on a closed database,
or at least does not throw an exception. Make the test robust against
this changing.
2020-07-22 19:52:55 -03:00
David Bremner
3f121d636e test: regression test for n_d_upgrade
The logic is that if it's acceptable to return SUCCESS for read only
database, it's acceptable for a closed one.
2020-07-22 19:52:55 -03:00
David Bremner
f25fc8e211 lib/n_d_needs_upgrade: handle error return from n_d_get_version
Also clarify documentation of error return from n_d_needs_upgrade.
2020-07-22 19:52:55 -03:00
David Bremner
cf90431cbf test: add known broken test for n_d_needs_upgrade
It's a bit arbitrary which value to return for errors, but the same
argument as for read only databases applies for errors.
2020-07-22 19:52:55 -03:00
David Bremner
37dc6045e4 test: add regression tests for notmuch database destroy
Either an open or closed database should be ok to destroy
2020-07-22 19:52:55 -03:00
David Bremner
964e783fd4 test: regression test for closing a closed database
This does not currently throw an error, and it should stay that way.
2020-07-22 19:52:55 -03:00
David Bremner
ab45654192 lib/n_d_get_version: catch exceptions and clarify the API
notmuch_database_get_version previously returned 0 on some errors, but
did not document this. Luckily 0 is not a valid database version.
2020-07-22 19:52:55 -03:00
David Bremner
920dc56e60 test: add known broken test for n_d_get_version on closed db
This should not crash, but it does currently.
2020-07-22 19:52:55 -03:00
David Bremner
f3a56b5f6d test: regression tests for n_d_status_string and n_d_get_path
These do not crash on a closed database, and we want to keep it that
way.

Start a new file of tests as T560-lib-error was starting to get unwieldy.
2020-07-22 19:52:55 -03:00
David Bremner
e9867b818b lib: fix exception messages for n_m_message_*
The original generic handler had an extra '%s' in the format
string. Update tests that failed to catch this because the template to
print status strings checked 'stat', which was not set.
2020-07-22 19:52:55 -03:00
David Bremner
1a8060b81f test: sanitize line numbers in exception reports
Prevent test suite churn when reported line numbers change.
2020-07-22 19:52:55 -03:00
David Bremner
765ca7bc08 lib: fix return value for n_m_reindex
Also update the documentation for the behaviour of n_m_get_thread_id
that this fix relies on.
2020-07-20 08:54:42 -03:00
David Bremner
a0c83e1fac test: add known broken test for n_m_reindex on closed db
This is another case where the code should not call INTERNAL_ERROR.
2020-07-20 08:54:42 -03:00
David Bremner
a2279c322e test: regression for retrieving closed db from message
This is actually one of the few potentially useful things you can do
with a message belonging to a closed database, since in principle you
could re-open the database.
2020-07-20 08:54:42 -03:00
David Bremner
1578e2af6a test: regression test for destroying message with closed db
This should be fine because the message belongs to the
database (talloc context wise).
2020-07-20 08:54:42 -03:00
David Bremner
9244f58860 test: regression tests of n_m_freeze and n_m_thaw on closed db
Neither of these accesses the database, so should be safe. Add the
tests to catch any changes in exception throwing.
2020-07-20 08:54:42 -03:00
David Bremner
a2b90dc084 lib: handle xapian exception in n_m_remove_all_tags
At least the exception we already catch should be reported properly.
2020-07-20 08:54:42 -03:00
David Bremner
a4ac9941a8 test: add broken test for n_m_remove_all_tags
The Xapian exception is actually caught here, but the NULL return is
not dealt with properly.
2020-07-20 08:54:42 -03:00
David Bremner
e32f66d0e3 test: add regression test for n_m_maildir_flags_to_tags
This function currently catches at least the obvious Xapian exceptions
and we want to keep it that way.
2020-07-20 08:54:42 -03:00
David Bremner
b7572ceb14 lib: add notmuch_message_has_maildir_flag_st
Initially the new function is mainly tested indirectly via the
wrapper.
2020-07-20 08:54:42 -03:00
David Bremner
b21f0fcb6a test: add regression test for notmuch_message_has_maildir_flag
This passes the NULL return inside _ensure_maildir_flags does not
break anything. Probably this should be handled more explicitely.
2020-07-20 08:45:15 -03:00
David Bremner
2d04ed2631 lib: catch exceptions in n_m_get_flag, provide n_m_get_flag_st
It's not very nice to return FALSE for an error, so provide
notmuch_message_get_flag_st as a migration path.

Bump LIBNOTMUCH_MINOR_VERSION because the API is extended.
2020-07-18 09:52:27 -03:00
David Bremner
aa8e3f4487 lib: catch Xapian exceptions in n_m_remove_tag
The churn here is again mainly re-indentation.
2020-07-14 07:31:45 -03:00
David Bremner
0fc769aa4f test: add broken test for n_m_remove_tag
Exception will be caught in next commit.
2020-07-14 07:31:45 -03:00
David Bremner
33dd5fdc69 lib: catch Xapian exceptions in n_m_add_tag
This is mostly just (horizontal) code movement due to wrapping
everything in a try / catch.
2020-07-14 07:31:45 -03:00
David Bremner
503c035077 test: add known broken test for n_m_add_tag with closed db
Exception will be caught in next commit.
2020-07-14 07:31:45 -03:00
David Bremner
96befd0dd0 lib: catch Xapian exceptions in n_m_count_files
This will require some care for the caller to check the sign, and not
just add error returns into a running total.
2020-07-14 07:31:37 -03:00
David Bremner
6dc62d8bea test: add known broken test for n_m_count_files
This will be fixed in the next commit.
2020-07-14 07:31:30 -03:00
David Bremner
00f1abfdf4 lib: catch Xapian exceptions in n_m_get_tags
This allows the function to return an error value rather than
crashing.
2020-07-14 07:12:52 -03:00
David Bremner
d284dc00da test: add known broken test for n_m_get_tags
This will be fixed in the next commit.
2020-07-14 07:12:52 -03:00
David Bremner
6eaadb43ad lib: add regression test for n_m_get_date; clarify API
This function catches Xapian exceptions. The test is intended to make
sure it stays that way.
2020-07-14 07:12:52 -03:00
David Bremner
ef15946def test: add known broken for n_m_get_flag on closed db
Exception caught in next commit. Note that FLAG_GHOST is the only one
that triggers the I/O code path.
2020-07-13 07:19:22 -03:00
David Bremner
286161b703 lib: catch exceptions in n_m_get_filenames
This is essentially copied from the change to notmuch_message_get_filename
2020-07-13 07:19:22 -03:00
David Bremner
2c2ba7d6e2 test: add known broken test for n_m_get_filenames
This will be fixed in the next commit
2020-07-13 07:19:22 -03:00
David Bremner
a606cba32b lib/n_m_g_filename: catch Xapian exceptions, document NULL return
This is the same machinery as applied for

     notmuch_message_get_{thread,message}_id
2020-07-13 07:19:22 -03:00
David Bremner
46e8076281 lib: add known broken test for notmuch_message_get_filename
This will be fixed in the next commit
2020-07-13 07:19:22 -03:00
David Bremner
a962bd2bf8 lib/n_m_get_replies: doc return, initial regression test
We need to to set a query and retrieve the threads to meaningfully
test this function.
2020-07-13 07:19:22 -03:00
David Bremner
056794a60d test: add regression test for n_m_get_header
This function already catches Xapian exceptions, and we want to make
sure it stays that way.
2020-07-13 07:19:22 -03:00
David Bremner
cca551a736 test: drop use of assert in closed db tests
Instead of printing the same static string for each test, can replace
the assert with something simpler (or at least easier to integrate
into the test suite).
2020-07-13 07:19:22 -03:00
David Bremner
a280d2a1a1 test: remove unused backup_database calls
Since these backups are never restored, they should be safe to remove.
2020-07-13 07:19:22 -03:00
David Bremner
ee897cab8b test: drop upgrade from v1 tests
These are less crucial since we stopped generating new database
versions and relied primarily on features. They also rely on a
pre-generated v1 database which happens to be chert format. This
backend is not supported by Xapian 1.5.

Also drop the tool gen-testdb.sh, which is currently broken, due to
changes in the testing infrastructure.
2020-07-11 17:20:09 -03:00
David Bremner
dbdb860bb9 lib/message: catch exception in n_m_get_thread_id
This allows us to return an error value from the library.
2020-07-03 21:04:43 -03:00
David Bremner
bb51f3aa29 test: add known broken test for n_m_get_thread_id on closed db
This will be fixed in the next commit.
2020-07-03 21:04:02 -03:00
David Bremner
87d462a204 lib: catch error from closed db in n_m_get_message_id
By catching it at the library top level, we can return an error value.
2020-07-03 21:03:51 -03:00
David Bremner
2c17327ee5 test: add known broken test for error handling on closed database
Based on id:87d05je1j6.fsf@powell.devork.be
2020-07-03 21:01:39 -03:00
David Bremner
e9f8ffd882 test: fix python 3.8.4 related regression in T210-raw
It seems (at least in 3.8.4~rc1-1 on Debian) that set_content requires
at least one line.
2020-07-03 07:23:32 -03:00
Daniel Kahn Gillmor
18a1522948 tests: mark sig verification known-broken with session keys on buggy gpgme
We make use of the just-introduced configure test.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-07-02 21:23:28 -03:00
David Bremner
b46d842782 test: mark two tests broken on machines with 32 bit time_t
I haven't traced the code path as exhaustively for the SMIME test, but
the expiry date in question is larger then representable in a signed
32 bit integer.
2020-06-26 22:16:51 -03:00
Daniel Kahn Gillmor
b624b406ff tests/ruby: Ensure that test works for out-of-tree builds 2020-05-31 13:52:33 -03:00
Daniel Kahn Gillmor
ef0ab496b3 python-cffi: enable out-of-tree builds
This is a simple hack to enable out-of-tree builds, a concern raised
by Tomi in id:m24kzjib9a.fsf@guru.guru-group.fi

This change at least enables "make check" to complete without error,
but I'm sure it could be improved.  I am not expert enough in
setuptools to know how.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Amended by db per id:87d06usa31.fsf@powell.devork.be
2020-05-30 12:42:14 -03:00
Tomi Ollila
c9e55a712e test/test-lib.sh: fix two out of tree test issues
json_check_nodes.py exists in source tree, not in out of tree
build tree. Added -B to the execution so source tree is not
"polluted" by a .pyc file when json_check_nodes.py is executed.

When creating run_emacs.sh make it load .elc files from out of
tree build tree, not from source tree if such files existed.
If existed, those may be outdated, or even created by some other
emacs than the one that was used to build .elc files in out of
tree build dir.
2020-05-30 12:42:14 -03:00
Jonas Bernoulli
291ef68ede emacs: Use dolist' instead of mapcar' for side-effects
As recommended by the byte-compiler.
2020-05-26 20:23:14 -03:00
Daniel Kahn Gillmor
6cdf4b7e38 smime: Index cleartext of envelopedData when requested
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:12:00 -03:00
Daniel Kahn Gillmor
cb88b51fe5 smime: Pass PKCS#7 envelopedData to node_decrypt_and_verify
This change means we can support "notmuch show --decrypt=true" for
S/MIME encrypted messages, resolving several outstanding broken tests,
including all the remaining S/MIME protected header examples.

We do not yet handle indexing the cleartext of S/MIME encrypted
messages, though.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:51 -03:00
Daniel Kahn Gillmor
1b9f4a9863 cli/reply: Ignore PKCS#7 wrapper parts when replying
When composing a reply, no one wants to see this line in the proposed
message:

    Non-text part: application/pkcs7-mime

So we hide it, the same way we hide PGP/MIME cruft.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:25 -03:00
Daniel Kahn Gillmor
f12fb4d819 cli/show: If a leaf part has children, show them instead of omitting
Until we did PKCS#7 unwrapping, no leaf MIME part could have a child.

Now, we treat the unwrapped MIME part as the child of the PKCS#7
SignedData object.  So in that case, we want to show it instead of
deliberately omitting the content.

This fixes the test of the protected subject in
id:smime-onepart-signed@protected-headers.example.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:17 -03:00
Daniel Kahn Gillmor
5f4aceee26 cli: include wrapped part of PKCS#7 SignedData in the MIME tree
Unwrap a PKCS#7 SignedData part unconditionally when the cli is
traversing the MIME tree, and return it as a "child" of what would
otherwise be a leaf in the tree.

Unfortunately, this also breaks the JSON output.  We will fix that
next.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:11:07 -03:00
Daniel Kahn Gillmor
ad60e5d4e8 smime: Identify encrypted S/MIME parts during indexing
We don't handle them correctly yet, but we can at least mark them as
being encrypted.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:10:55 -03:00
Daniel Kahn Gillmor
38bd0df922 lib: index PKCS7 SignedData parts
When we are indexing, we should treat SignedData parts the same way
that we treat a multipart object, indexing the wrapped part as a
distinct MIME object.

Unfortunately, this means doing some sort of cryptographic
verification whose results we throw away, because GMime doesn't offer
us any way to unwrap without doing signature verification.

I've opened https://github.com/jstedfast/gmime/issues/67 to request
the capability from GMime but for now, we'll just accept the
additional performance hit.

As we do this indexing, we also apply the "signed" tag, by analogy
with how we handle multipart/signed messages.  These days, that kind
of change should probably be done with a property instead, but that's
a different set of changes.  This one is just for consistency.

Note that we are currently *only* handling signedData parts, which are
basically clearsigned messages.  PKCS#7 parts can also be
envelopedData and authEnvelopedData (which are effectively encryption
layers), and compressedData (which afaict isn't implemented anywhere,
i've never encountered it).  We're laying the groundwork for indexing
these other S/MIME types here, but we're only dealing with signedData
for now.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:10:46 -03:00
Daniel Kahn Gillmor
b14d9ae204 smime: tests of X.509 certificate validity are known-broken on GMime < 3.2.7
When checking cryptographic signatures, Notmuch relies on GMime to
tell it whether the certificate that signs a message has a valid User
ID or not.

If the User ID is not valid, then notmuch does not report the signer's
User ID to the user.  This means that the consumer of notmuch's
cryptographic summary of a message (or of its protected headers) can
be confident in relaying the reported identity to the user.

However, some versions of GMime before 3.2.7 cannot report Certificate
validity for X.509 certificates.  This is resolved upstream in GMime
at https://github.com/jstedfast/gmime/pull/90.

We adapt to this by marking tests of reported User IDs for
S/MIME-signed messages as known-broken if GMime is older than 3.2.7
and has not been patched.

If GMime >= 3.2.7 and certificate validity still doesn't work for
X.509 certs, then there has likely been a regression in GMime and we
should fail early, during ./configure.

To break out these specific User ID checks from other checks, i had to
split some tests into two parts, and reuse $output across the two
subtests.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-22 22:04:57 -03:00
Daniel Kahn Gillmor
627460d7bb test-lib: mark function variables as local
Several functions in test/test-lib.sh used variable names that are
also used outside of those functions (e.g. $output and $expected are
used in many of the test scripts), but they are not expected to
communicate via those variables.

We mark those variables "local" within test-lib.sh so that they do not
get clobbered when used outside test-lib.

We also move the local variable declarations to beginning of each
function, to avoid weird gotchas with local variable declarations as
described in https://tldp.org/LDP/abs/html/localvar.html.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-05-09 08:32:51 -03:00
David Bremner
45cfeb2e55 lib: replace STRNCMP_LITERAL in __message_remove_indexed_terms
strncmp looks for a prefix that matches, which is very much not what
we want here. This fixes the bug reported by Franz Fellner in
id:1588595993-ner-8.651@TPL520
2020-05-04 10:55:43 -03:00
David Bremner
accfee5c6e test: known broken test for reindex tag preservation
In id:1588595993-ner-8.651@TPL520 Franz Fellner reported that tags
starting with 'attachment' are removed by 'notmuch reindex'. This is
probably related to the use of STRNCMP_LITERAL in
_notmuch_message_remove_indexed_terms.
2020-05-04 10:49:43 -03:00
Daniel Kahn Gillmor
9055dfdae4 tests: disable CRL checks from gpgsm
GPGME has a strange failure mode when it is in offline mode, and/or
when certificates don't have any CRLs: in particular, it refuses to
accept the validity of any certificate other than a "root" cert.

This can be worked around by setting the `disable-crl-checks`
configuration variable for gpgsm.

I've reported this to the GPGME upstream at
https://dev.gnupg.org/T4883, but I have no idea how it will be
resolved.  In the meantime, we'll just work around it.

Note that this fixes the test for verification of
id:smime-multipart-signed@protected-headers.example, because
multipart/signed messages are already handled correctly (one-part
PKCS#7 messages will get fixed later).

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 18:02:38 -03:00
Daniel Kahn Gillmor
b415ec06c3 test/protected-headers: Add tests for S/MIME protected headers
Recognize the protected subject for S/MIME example protected header
messages.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:57:37 -03:00
Daniel Kahn Gillmor
b1a04bddc2 tests/smime: add tests for S/MIME SignedData
Add a simple S/MIME SignedData message, taken from an upcoming draft
of
https://datatracker.ietf.org/doc/draft-autocrypt-lamps-protected-headers/

RFC 8551 describes a SignedData, a one-part clearsigned object that is
more resistant to common patterns of MTA message munging than
multipart/signed (but has the downside that it is only readable by
clients that implement S/MIME).

To make sure sure notmuch can handle this kind of object, we want to
know a few things:

Already working:

 - Is the content of the SignedData object indexed?  It actually is
   right now because of dumb luck -- i think we're indexing the raw
   CMS object and it happens to contain the cleartext of the message
   in a way that we can consume it before passing it on to Xapian.
 - Are we accidentally indexing the embedded PKCS#7 certificates? We
   don't want to, and for some reason I don't understand, our indexing
   is actually skipping the embedded certificates already.  That's
   good!

Still need fixing:
 - do we know the MIME type of the embedded part?
 - do we know that the message is signed?
 - can notmuch-show read its content?
 - can notmuch-show indicate the signature validity?
 - can notmuch-reply properly quote and attribute content?

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:57:26 -03:00
Daniel Kahn Gillmor
488e91f42b test-lib.sh: add test_valid_json
This test does exactly what it says on the tin.  It expects JSON data
to be parseable by Python, at least.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:57:16 -03:00
Daniel Kahn Gillmor
92149485cb tests/smime: Test indexing cleartext of envelopedData
These tests describe some simple behavior we would expect to work if
we were to correctly index the cleartext of encrypted S/MIME messages
(PKCS#7 envelopedData).

Of course, they don't currently pass, so we mark them known-broken.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:56:13 -03:00
Daniel Kahn Gillmor
a8bf94af44 tests/smime: Verify cryptographic message status
When consuming a signed+encrypted S/MIME message generated by emacs,
we expect to see the same cryptographic properties for the message as
a whole.  This is not done correctly yet, so the test is marked as
known broken.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:56:02 -03:00
Daniel Kahn Gillmor
482af5a031 tests: Add S/MIME messages to protected-headers corpus
These sample messages are taken directly from the Protected Headers
draft:

https://www.ietf.org/id/draft-autocrypt-lamps-protected-headers-02.html

Note that this commit doesn't strictly pass the common git pre-commit
hook due to introducing some trailing whitespace.  That's just the
nature of the corpus, though.  We should have that trailing
whitespace, so I've made this commit with --no-verify.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:55:19 -03:00
Daniel Kahn Gillmor
7c7cebffe6 tests/smime: include secret key material for Bob
This is taken from the same Internet Draft that test/smime/ca.crt
comes from.  See that draft for more details.
https://www.ietf.org/id/draft-dkg-lamps-samples-02.html#name-pkcs12-object-for-bob

We don't use it yet, but it will be used to decrypt other messages in
the test suite.

Note that we include it here with an empty passphrase, rather than
with the passphrase "bob" that it is supplied with in the I-D.  The
underlying cryptographic material is the same, but this way we can
import cleanly into gpgsm without having a passphrase set on it (gpgsm
converts an empty-string passphrase into no passphrase at all on
import).

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:55:11 -03:00
Daniel Kahn Gillmor
51c43d0e92 test: Allow tests to have both gpg and gpgsm active at once
Without this fix, we couldn't run both add_gnupg_home and
add_gpgsm_home in the same test script.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:54:58 -03:00
Daniel Kahn Gillmor
7eaac52ddb tests/smime: avoid copying the key+cert.pem around
No functional change.

We no longer need to identify the key and cert to mml-mode when
sending an S/MIME message, so making a copy of key+cert.pem to
test_suite.pem is superfluous.  Get rid of the extra file.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:54:48 -03:00
Daniel Kahn Gillmor
2e351d10c2 tests/smime: Use gpgsm instead of openssl for mml creation of S/MIME msgs
The documentation for message mode clearly states that EasyPG (which
uses GnuPG) is the default and recommended way to use S/MIME with
mml-secure:

[0] https://www.gnu.org/software/emacs/manual/html_node/message/Using-S_002fMIME.html

To ensure that this mode works, we just need to import the secret key
in question into gpgsm in addition to the public key.  gpgsm should be
able pick the right keys+certificates to use based on To/From headers,
so we don't have to specify anything manually in the #secure mml tag.

The import process from the OpenSSL-preferred form (cert+secretkey) is
rather ugly, because gpgsm wants to see a PKCS#12 object when
importing secret keys.

Note that EasyPG generates the more modern Content-Type:
application/pkcs7-signature instead of application/x-pkcs7-signature
for the detached signature.

We are also obliged to manually set gpgsm's include-certs setting to 1
because gpgsm defaults to send "everything but the root cert".  In our
weird test case, the certificate we're using is self-signed, so it
*is* the root cert, which means that gpgsm doesn't include it by
default.  Setting it to 1 forces inclusion of the signer's cert, which
satisfies openssl's smime subcommand. See https://dev.gnupg.org/T4878
for more details.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:54:37 -03:00
Daniel Kahn Gillmor
f7921e6e1c tests/smime: consistently quote $GNUPGHOME
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:54:03 -03:00
Daniel Kahn Gillmor
1f21465205 tests/smime: Include the Sample LAMPS Certificate Authority
This CA is useful for test suites and the like, but is not an
actually-secure CA, because its secret key material is also published.

I plan to use it for its intended purpose in the notmuch test suite.

It was copied from this Internet Draft:

https://tools.ietf.org/id/draft-dkg-lamps-samples-01.html#name-certificate-authority-certi

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:53:54 -03:00
Daniel Kahn Gillmor
6d843b8199 tests/smime: Always use --batch with gpgsm
GnuPG's gpgsm, like gpg, should always be used with --batch when it is
invoked in a non-interactive environment.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:53:43 -03:00
Daniel Kahn Gillmor
055e0917d7 tests: move add_gpgsm_home to test-lib.sh
This allows us to test S/MIME messages in other tests.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2020-04-30 17:53:34 -03:00
Jonas Bernoulli
11ac932a45 emacs: Use cl-lib' instead of deprecated cl'
Starting with Emacs 27 the old `cl' implementation is finally
considered obsolete.  Previously its use was strongly discouraged
at run-time but one was still allowed to use it at compile-time.

For the most part the transition is very simple and boils down to
adding the "cl-" prefix to some symbols.  A few replacements do not
follow that simple pattern; e.g. `first' is replaced with `car',
even though the alias `cl-first' exists, because the latter is not
idiomatic emacs-lisp.

In a few cases we start using `pcase-let' or `pcase-lambda' instead
of renaming e.g. `first' to `car'.  That way we can remind the reader
of the meaning of the various parts of the data that is being
deconstructed.

An obsolete `lexical-let' and a `lexical-let*' are replaced with their
regular variants `let' and `let*' even though we do not at the same
time enable `lexical-binding' for that file.  That is the right thing
to do because it does not actually make a difference in those cases
whether lexical bindings are used or not, and because this should be
enabled in a separate commit.

We need to explicitly depend on the `cl-lib' package because Emacs
24.1 and 24.2 lack that library.  When using these releases we end
up using the backport from GNU Elpa.

We need to explicitly require the `pcase' library because
`pcase-dolist' was not autoloaded until Emacs 25.1.
2020-04-27 07:36:10 -03:00
Olivier Taïbi
7b756d1e38 test: sort the output of the "prefix" test in T610-message-property
This test extracts values from a (key,value) map where multiple entries
can have the same key, and the entries are sorted by key, but not by
value.  The test incorrectly assumes that the values will be sorted as
well, so sort the output.
2020-04-23 21:31:37 -03:00
Tomi Ollila
00cdfe1071 build: drop support for xapian versions less than 1.4
Xapian 1.4 is over 3 years old now (1.4.0 released 2016-06-24),
and 1.2 has been deprecated in Notmuch version 0.27 (2018-06-13).

Xapian 1.4 supports compaction, field processors and retry locking;
conditionals checking compaction and field processors were removed
but user may want to disable retry locking at configure time so it
is kept.
2020-04-23 21:28:45 -03:00
David Bremner
690e36bacd cli/dump: replace use of gzprintf with gzputs for config values
These can be large, and hit buffer limitations of gzprintf.
2020-04-13 17:14:50 -03:00
David Bremner
d50f41c0fd test: add known_broken test for dumping large stored queries
'qsx' reported a bug on #notmuch with notmuch-dump and large stored
queries. This test will pass (on my machine) if the value of `repeat'
is made smaller.

Reported-By: Thomas Schneider <qsx@chaotikum.eu>
2020-04-13 09:35:14 -03:00
Daniel Kahn Gillmor
1c39065245 tests/smime: fix typo in README
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseaman.net>
2020-03-19 21:55:20 -03:00
Peter Wang
c17fca40e2 sprinter: change integer method to use int64_t
In particular, timestamps beyond 2038 could overflow the sprinter
interface on systems where time_t is 64-bit but 'int' is a signed 32-bit
integer type.
2020-02-13 19:10:42 -04:00
Peter Wang
e091427d98 test: add known broken test with timestamp beyond 2038 2020-02-13 19:08:56 -04:00
Örjan Ekeberg
757ed001aa test: extend test of attachment warnings
Check that attachment warnings are not raised when the word
"attach" only occurs in a forwarded message.
2019-12-14 07:29:00 -04:00
David Bremner
6cd47227de test: add a known broken test for S/MIME decryption
This should serve to clarify this feature is not implimented in
notmuch yet.
2019-12-14 07:25:06 -04:00
David Bremner
85adc756c9 tests: run python-cffi tests
The entire python-cffi test suite is considered as a single test at
the level of the notmuch test suite. This might or might not be ideal,
but it gets them run.
2019-12-03 08:12:30 -04:00
David Bremner
1979145b91 Merge branch 'release' 2019-10-13 09:24:48 -03:00
David Bremner
4c5b17b10b util: unreference objects referenced by the returned stream obj
We want freeing the returned stream to also free these underlying
objects. Compare tests/test-filters.c in the gmime 3.2.x source, which
uses this same idiom.

Thanks to James Troup for the report and the fix.
2019-10-12 08:45:55 -03:00
David Bremner
2cf38f8e1c test: known broken test file descriptor leak in gzip file open
James Troup reported this bug in id:87pnjsf9q5.fsf@canonical.com
2019-10-12 08:43:39 -03:00
Daniel Kahn Gillmor
23bcd00363 cli/{show,reply}: use repaired form of "Mixed Up" mangled messages
When showing or replying to a message that has been mangled in transit
by an MTA in the "Mixed up" way, notmuch should instead use the
repaired form of the message.

Tracking the repaired GMimeObject for the lifetime of the mime_node so
that it is cleaned up properly is probably the trickiest part of this
patch, but the choices here are based on the idea that the
mime_node_context is the memory manager for the whole mime_node tree
in the first place, so new GMimeObject tree created on-the-fly during
message parsing should be disposed of in the same place.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-15 19:07:06 -04:00
Daniel Kahn Gillmor
4b1a8fd183 index: repair "Mixed Up" messages before indexing.
When encountering a message that has been mangled in the "mixed up"
way by an intermediate MTA, notmuch should instead repair it and index
the repaired form.

When it does this, it also associates the index.repaired=mixedup
property with the message.  If a problem is found with this repair
process, or an improved repair process is proposed later, this should
make it easy for people to reindex the relevant message.  The property
will also hopefully make it easier to diagnose this particular problem
in the future.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-15 19:07:06 -04:00
Daniel Kahn Gillmor
cb522fb06e test: add test for "Mixed-Up Mime" message mangling
Some MTAs mangle e-mail messages in transit in ways that are
repairable.

Microsoft Exchange (in particular, the version running today on
Office365's mailservers) appears to mangle multipart/encrypted
messages in a way that makes them undecryptable by the recipient.

I've documented this in section 4.1 "Mixed-up encryption" of draft -00
of
https://tools.ietf.org/html/draft-dkg-openpgp-pgpmime-message-mangling

Fortunately, it's possible to repair such a message, and notmuch can
do that so that a user who receives an encrypted message from a user
of office365.com can still decrypt the message.

Enigmail already knows about this particular kind of mangling.  It
describes it as "broken PGP email format probably caused by an old
Exchange server", and it tries to repair by directly changing the
message held by the user.  if this kind of repair goes wrong, the
repair process can cause data loss
(https://sourceforge.net/p/enigmail/bugs/987/, yikes).

The tests introduced here are currently broken.  In subsequent
patches, i'll introduce a non-destructive form of repair for notmuch
so that notmuch users can read mail that has been mangled in this way,
and the tests will succeed.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-15 01:20:03 -04:00
Daniel Kahn Gillmor
9829533e92 index: avoid indexing legacy-display parts
When we notice a legacy-display part during indexing, it makes more
sense to avoid indexing it as part of the message body.

Given that the protected subject will already be indexed, there is no
need to index this part at all, so we skip over it.

If this happens during indexing, we set a property on the message:
index.repaired=skip-protected-headers-legacy-display

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:45:30 -03:00
Daniel Kahn Gillmor
c61e22d5cb cli/{show,reply}: skip over legacy-display parts
Make use of the previous changes to fast-forward past any
legacy-display parts during "notmuch show" and "notmuch reply".

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:44:17 -03:00
Daniel Kahn Gillmor
27b25e45dc test: avoid showing legacy-display parts
Enigmail generates a "legacy-display" part when it sends encrypted
mail with a protected Subject: header.  This part is intended to
display the Subject for mail user agents that are capable of
decryption, but do not know how to deal with embedded protected
headers.

This part is the first child of a two-part multipart/mixed
cryptographic payload within a cryptographic envelope that includes
encryption (that is, it is not just a cleartext signed message).  It
uses Content-Type: text/rfc822-headers.

That is:

A └┬╴multipart/encrypted
B  ├─╴application/pgp-encrypted
C  └┬╴application/octet-stream
*   ╤ <decryption>
D   └┬╴multipart/mixed; protected-headers=v1 (cryptographic payload)
E    ├─╴text/rfc822-headers; protected-headers=v1 (legacy-display part)
F    └─╴… (actual message body)

In discussions with jrollins, i've come to the conclusion that a
legacy-display part should be stripped entirely from "notmuch show"
and "notmuch reply" now that these tools can understand and interpret
protected headers.

You can tell when a message part is a protected header part this way:

 * is the payload (D) multipart/mixed with exactly two children?
 * is its first child (E) Content-Type: text/rfc822-headers?
 * does the first child (E) have the property protected-headers=v1?
 * do all the headers in the body of the first child (E) match
   the protected headers in the payload part (D) itself?

If this is the case, and we already know how to deal with the
protected header, then there is no reason to try to render the
legacy-display part itself for the user.

Furthermore, when indexing, if we are indexing properly, we should
avoid indexing the text in E as part of the message body.

'notmuch reply' is an interesting case: the standard use of 'notmuch
reply' will end up omitting all mention of protected Subject:.

The right fix is for the replying MUA to be able to protect its
headers, and for it to set them appropriately based on headers found
in the original message.

If a replying MUA is unable to protect headers, but still wants the
user to be able to see the original header, a replying MUA that
notices that the original message's subject differs from the proposed
reply subject may choose to include the original's subject in the
quoted/attributed text. (this would be a stopgap measure; it's not
even clear that there is user demand for it)

This test suite change indicates what we want to happen for this case
(the tests are currently broken), and includes three additional TODO
suggestions of subtle cases for anyone who wants to flesh out the test
suite even further.  (i believe all these cases should be already
fixed by the rest of this series, but haven't had time to write the
tests for the unusual cases)

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:32:56 -03:00
Tomi Ollila
b6e589f54f test: aggregate-results.sh: count test files where all tests skipped
Previously, when all tests were skipped on a test file, there were
no indication of this in the final results aggregate-results.sh
printed.
Now count of the files where all tests were skipped is printed.
2019-07-05 17:58:23 +02:00
Daniel Kahn Gillmor
bdc87f0d3e test: run uncrustify
This is the result of running:

    $ uncrustify --replace --config ../devel/uncrustify.cfg *.cc *.c *.h

in the test directory.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-06-29 21:18:15 +02:00
David Bremner
1959a95d25 test: replace use of gdb with LD_PRELOAD shims in T070-insert.sh
This removes the dependency of this test script on gdb, and
considerably speeds up the running of the tests.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-06-29 21:11:08 +02:00
David Bremner
6544a2e305 test: provide machinery to make and use test_shims
These can be used e.g. to override return values for functions, in
place of the existing scripting of gdb.

This prepends to LD_PRELOAD rather than clobbering it, thanks to a
suggestion from Tomi Ollila.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-06-29 21:10:44 +02:00
Tomi Ollila
00c63bf736 test: aggregate-results.sh: consistent style. zero forks.
- all variables in $((...)) without leading $
- all comparisons use -gt, -eq or -ne
- no -a nor -o inside [ ... ] expressions
- all indentation levels using one tab

Dropped unnecessary empty string check when reading results files.

Replaced pluralize() which was executed in subshell with
pluralize_s(). pluralize_s sets $s to 's' or '' based on value of
$1. Calls to pluralize_s are done in context of current shell, so
no forks to subshells executed.
2019-06-11 07:20:01 -03:00
Daniel Kahn Gillmor
bc396c967c test: signature verification during decryption (session keys)
When the user knows the signer's key, we want "notmuch show" to be
able to verify the signature of an encrypted and signed message
regardless of whether we are using a stashed session key or not.

I wrote this test because I was surprised to see signature
verification failing when viewing some encrypted messages after
upgrading to GPGME 1.13.0-1 in debian experimental.

The added tests here all pass with GPGME 1.12.0, but the final test
fails with 1.13.0, due to some buggy updates to GPGME upstream: see
https://dev.gnupg.org/T3464 for more details.

While the bug needs to be fixed in GPGME, notmuch's test suite needs
to make sure that GMime is doing what we expect it to do; i was a bit
surprised that it hadn't caught the problem, hence this patch.

I've fixed this bug in debian experimental with gpgme 1.13.0-2, so the
tests should pass on any debian system.  I've also fixed it in the
gpgme packages (1.13.0-2~ppa1) in the ubuntu xenial PPA
(ppa:notmuch/notmuch) that notmuch uses for Travis CI.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-06-08 20:14:00 -03:00
David Bremner
2c1e5c186e test: update test description.
I missed this fix in dkg's revisions.
2019-05-29 08:40:02 -03:00
Daniel Kahn Gillmor
1c704dd22d cli/reply: pull proposed subject line from the message, not the index
Protected subject lines were being emitted in reply when the cleartext
of documents was indexed.  create_reply_message() was pulling the
subject line from the index, rather than pulling it from the
GMimeMessage object that it already has on hand.

This one-line fix to notmuch-reply.c solves that problem, and doesn't
cause any additional tests to fail.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:17:33 -03:00
Daniel Kahn Gillmor
06dedd0a83 test: reply (in cli and emacs) should protect indexed sensitive headers
These tests are currently broken!  When a protected subject is indexed
in the clear, it leaks in the reply headers :(

For emacs, we set up separate tests for when the protected header is
indexed in the clear and when it is unindexed.  neither case should
leak, but the former wasn't tested yet.

We will fix the two broken tests in a subsequent patch.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:17:20 -03:00
Daniel Kahn Gillmor
cd8006886b test: emacs/show: ensure that protected headers appear as expected
This tests notmuch-show; headers appear appropriately based on the
setting of notmuch-crypto-process-mime.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:17:12 -03:00
Daniel Kahn Gillmor
5007595be8 test: ensure that protected headers appear in notmuch-emacs search as expected
We initially test only notmuch-search; tests for other functionality
come in different patchsets later.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:16:58 -03:00
Daniel Kahn Gillmor
809a34a870 test: try indexing nested messages and protected headers
We want to make sure that internally-forwarded messages don't end up
"bubbling up" when they aren't actually the cryptographic payload.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:15:28 -03:00
Daniel Kahn Gillmor
bfed02bb0b test: after reindexing, only legitimate protected subjects are searchable
This test scans for all the possible protected headers (including
bogus/broken ones) that are present in the protected-headers corpus,
trying to make sure that only the ones that are not broken or
malformed show up in a search after re-indexing.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:15:18 -03:00
Daniel Kahn Gillmor
b36248a26e test: protected headers should work when both encrypted and signed.
Up to this point, we've tested protected headers on messages that have
either been encrypted or signed, but not both.

This adds a couple tests of signed+encrypted messages, one where the
subject line is masked (outside subject line is "Subject Unavailable")
and another where it is not (outside Subject: matches inner Subject:)

See the discussion at
https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#protected-headers
for more details about the nuances between signed, stripped, and
stubbed headers.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:14:57 -03:00
Daniel Kahn Gillmor
5c3a44681f indexing: record protected subject when indexing cleartext
When indexing the cleartext of an encrypted message, record any
protected subject in the database, which should make it findable and
visible in search.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:14:44 -03:00
Daniel Kahn Gillmor
b7b553e732 cli/reply: ensure encrypted Subject: line does not leak in the clear
Now that we can decrypt headers, we want to make sure that clients
using "notmuch reply" to prepare a reply don't leak cleartext in their
subject lines.  In particular, the ["reply-headers"]["Subject"] should
by default show the external Subject.

A replying MUA that intends to protect the Subject line should show
the user the Subject from ["original"]["headers"]["Subject"] instead
of using ["reply-headers"]["Subject"].

This minor asymmetry with "notmuch show" is intentional.  While both
tools always render the cleartext subject line when they know it (in
["headers"]["Subject"] for "notmuch show" and in
["original"]["headers"]["Subject"] for "notmuch reply"), "notmuch
reply" should never leak something that should stay under encrypted
cover in "reply-headers".

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:14:32 -03:00
Daniel Kahn Gillmor
996ef5710c test: show cryptographic envelope information for signed mails
Make sure that we emit the correct cryptographic envelope status for
cleartext signed messages.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:13:06 -03:00
Daniel Kahn Gillmor
1c879f3939 test: add test for missing external subject
Adding another test to ensure that we handle protected headers
gracefully when no external subject is present.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:12:49 -03:00
Daniel Kahn Gillmor
56416a5470 cli/show: add information about which headers were protected
The header-mask member of the per-message crypto object allows a
clever UI frontend to mark whether a header was protected (or not).
And if it was protected, it contains enough information to show useful
detail to an interested user.  For example, an MUA could offer a "show
what this message's Subject looked like on the wire" feature in expert
mode.

As before, we only handle Subject for now, but we might be able to
handle other headers in the future.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Amended by db: tweaked schemata notation.
2019-05-29 08:11:50 -03:00
Daniel Kahn Gillmor
1c7fbbcc99 cli/show: emit payload subject instead of outside subject
Correctly fix the two outstanding tests so that the protected (hidden)
subject is properly reported.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:05:01 -03:00
Daniel Kahn Gillmor
528f526f69 cli/show: add tests for viewing protected headers
Here we add several variant e-mail messages, some of which have
correctly-structured protected headers, and some of which do not.  The
goal of the tests is to ensure that the right protected subjects get
reported.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:04:32 -03:00
Jameson Graef Rollins
03839a8110 test: new test framework to compare json parts
This makes it easier to write fairly compact, readable tests of json
output, without needing to sanitize away parts that we don't care
about.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:03:21 -03:00
Daniel Kahn Gillmor
80728a95e6 cli/show: emit headers after emitting body
This paves the way for emitting protected headers after verification
and decryption, because it means that the headers will only be emitted
after the body has been parsed.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-29 08:02:32 -03:00
Daniel Kahn Gillmor
73cebe6e72 test: report summary even when aborting
In certain cases of test suite failure, the summary report was not
being printed.  In particular, any failure on the parallel test suite,
and any aborted test in the serialized test suite would end up hiding
the summary.

It's better to always show the summary where we can (while preserving
the return code).  If we do abort due to this high-level failure,
though, we should also announce to the user that we're doing so as
close to the end of the process as possible, to make it easier to find
the problem.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-26 18:55:06 -03:00
Daniel Kahn Gillmor
4cb789aa09 cli/show: emit new whole-message crypto status output
This allows MUAs that don't want to think about per-mime-part
cryptographic status to have a simple high-level overview of the
message's cryptographic state.

Sensibly structured encrypted and/or signed messages will work fine
with this.  The only requirement for the simplest encryption + signing
is that the message have all of its encryption and signing protection
(the "cryptographic envelope") in a contiguous set of MIME layers at
the very outside of the message itself.

This is because messages with some subparts signed or encrypted, but
with other subparts with no cryptographic protection is very difficult
to reason about, and even harder for the user to make sense of or work
with.

For further characterization of the Cryptographic Envelope and some of
the usability tradeoffs, see here:

   https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#cryptographic-envelope
2019-05-26 08:20:23 -03:00
Daniel Kahn Gillmor
9300defd64 emacs: Drop content-free "Unknown signature status" button
When we have not been able to evaluate the signature status of a given
MIME part, showing a content-free (and interaction-free) "[ Unknown
signature status ]" button doesn't really help the user at all, and
takes up valuable screen real-estate.

A visual reminder that a given message is *not* signed isn't helpful
unless it is always present, in which case we'd want to see "[ Unknown
signature status ]" buttons on all messages, even ones that don't have
a signing structure, but i don't think we want that.

Amended by db to drop the unused initialization of 'label'
2019-05-25 13:02:02 -03:00
Daniel Kahn Gillmor
fa9d8b7026 test: allow disabling timeout with NOTMUCH_TEST_TIMEOUT=0
To aid in diagnosing test suite tooling that interacts poorly with
coreutils' timeout, it's handy to be able to bypass it entirely.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-25 08:26:41 -03:00
David Bremner
adb53b0737 lib/database: index user headers.
This essentially involves calling _notmuch_message_gen_terms once for
each user defined header.
2019-05-25 07:21:13 -03:00
David Bremner
575493e785 lib: setup user headers in query parser
These tests will need to be updated if the Xapian
query print/debug format changes.
2019-05-25 06:56:16 -03:00
David Bremner
4b9c03efc6 cli/config: check syntax of user configured field names
These restrictions are meant to prevent incompatibilities with the
Xapian query parser (which will split at non-word characters) and
clashes with future notmuch builtin fields.
2019-05-25 06:56:16 -03:00
David Bremner
7981bd050e cli/config: support user header index config
We don't do anything with this configuration information information
yet, but nonetheless add a couple of regression tests to make sure we
don't break standard functionality when we do use the configuration
information.
2019-05-25 06:56:16 -03:00
Tomi Ollila
3563079be3 test-lib.sh: colors to test output when parallel(1) is run on tty
Done via $COLORS_WITHOUT_TTY environment variable as passing options
to commands through parallel(1) does not look trivial.

Reorganized color checking in test-lib.sh a bit for this (perhaps
were not fully necessary but rest still an improvement):

  - color checking commands in subshell are not run before arg parsing
    (args may disable colors with --no-color)

  - [ -t 1 ] is checked before forking subshell
2019-05-23 08:00:31 -03:00
Tomi Ollila
a1aea7272e test-lib.sh: "tidied" emacs_deliver_message ()
Added initialization and checking of smtp_dummy_port
like it was done with smtp_dummy_pid.

Made those function-local variables.

One 8 spaces to tab consistency conversion.

And last, but definitely not least; while doing above
noticed that there were quite a few double-quoted strings
where $@ was in the middle of it -- replaced those with $*
for robustness ("...$@..." expands params to separate words,
"...$*..." params expands to single word).
2019-05-23 08:00:13 -03:00
Tomi Ollila
f33053023b test: redirect STDIN from /dev/null
Without this stdin may be anything that parent process provided for it.

Test processes might have tried to read something from it, which would
have caused undeterministic behavior.

E.g. gdb(1) tries to do tty related ioctls on fd 0 (and fd 1 and fd 2,
but those are redirected to 'test.output' before test runs).
2019-05-22 08:47:17 -03:00
David Bremner
f4708ce0b1 test/emacs: revert invalid-from test to pre-86f89385 behaviour
To the best of my understanding, this original behaviour was what
Carl's homebrew parser produced. With commit 86f89385 Austin switched
to using GMime (2.6). This produced arguably worse results, but since
the input was bad, we could live with it. Now with GMime 3.0 we are
getting the original results again, and there is no reason to consider
this test broken.
2019-05-20 16:31:28 -03:00
Daniel Kahn Gillmor
c88e030580 tests: fail and report when a parallel build fails (or times out)
When a parallel build fails (or when it times out, if timeout is
present), the test suite should not blithely succeed.  Catch these
failures and at least report them.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-20 14:48:56 -03:00
Daniel Kahn Gillmor
73bf7e532e tests: make timeout configurable with NOTMUCH_TEST_TIMEOUT (default: 2m)
The current 2 minute timeout is reasonable, but to exercise the test
suite or induce timeout failures, we might want to make it shorter.
This makes it configurable so you can run (for example):

    make check NOTMUCH_TEST_TIMEOUT=10s

We stick with the default of 2m.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-20 14:48:43 -03:00
Daniel Kahn Gillmor
9c0001de4b test: show what emacs sees of an encrypted message when crypto is disabled
Some users may set notmuch-crypto-process-mime to nil, disabling all
crypto use.  We should have a baseline for what that looks like.
2019-05-10 12:30:03 -03:00
Daniel Kahn Gillmor
bda0fecccd test: avoid unnecessary extraction of the test fingerprint
FINGERPRINT is already exported by add_gnupg_home, so this is
unnecessary.  This change also happens to get rid of the superfluous
check-trustdb spew from the test suite that looked like this:

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-10 06:56:34 -03:00
David Bremner
f2425a11a3 test: let the OS choose a port for smtp-dummy
This should avoid potential collisions if we start running multiple
smtp-dummy processes in parallel.
2019-05-10 06:56:22 -03:00
Daniel Kahn Gillmor
e1c8357c44 emacs: test notmuch-show during message decryption
We did not have a test showing what message decryption looks like
within notmuch-emacs.  This change gives us a baseline for future work
on the notmuch-emacs interface.

This differs from previous revisions of this patch in that it should
be insensitive to the order in which the local filesystem readdir()s
the underlying maildir.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-10 06:54:50 -03:00
Jameson Graef Rollins
eeff431996 tests: environment variable to specify that tests should be serialized
If NOTMUCH_TEST_SERIALIZE is non-null all tests will be run in series,
rather than in parallel.
2019-05-07 06:55:31 -03:00
Jameson Graef Rollins
908d930d22 tests: run all tests in parallel, if available
If either the moreutils or GNU parallel utility are available, run all
tests in parallel.  On my eight core machine this makes for a ~x7
speed-up in the full test suite (1m24s -> 12s).

The design of the test suite makes this parallelization trivial.
2019-05-07 06:54:09 -03:00
Jameson Graef Rollins
591388ccd1 tests: remove entangling corpus index optimization
The add_email_corpus test utility includes logic that tries to re-use
an index of the corpus if available.  This was seemingly done as an
optimization, so that every test that uses the corpus didn't have to
create it's own index of the corpus.  However, this has the perverse
side effect of entangling tests together, and breaks parallelization.

Forcing each test to do it's own index does increase the overall time
of the test slightly (~6%), but this will be more than made up for in
the next patch that introduces paraellization.
2019-05-07 06:53:57 -03:00
Jameson Graef Rollins
7f7af27bd8 tests: remove some redundant pre-cleanup of the corpus MAIL_DIR
add_email_corpus itself does an rm -rf $MAIL_DIR, so these are not necessary.
2019-05-07 06:52:35 -03:00
Daniel Kahn Gillmor
7d48604157 test/crypto: add_gnupg_home should have ultimate trust on "its own" key
The typical use case for gpg is that if you control a secret key, you
mark it with "ultimate" ownertrust.

The opaque --import-ownertrust mechanism is GnuPG's standard mechanism
to set up ultimate ownertrust (the ":6:" means "ultimate", for
whatever reason).

We adjust the test suite to match this change, inverting the sense of
one test: since the default is now that the user ID of the suite's own
key is valid, we change the test to make sure that the user ID is not
emitted when it is *not* valid.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-07 06:42:21 -03:00
Daniel Kahn Gillmor
93e699e5c8 test: simplify user ID handling
The user ID on the self-test is a little bit clunky-looking.  It also
may end up showing up elsewhere in the test suite.  Centralizing the
user ID in one place should make it easier to handle if it ever
changes, and should make tests easier to read.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-07 06:42:11 -03:00
Daniel Kahn Gillmor
9f05ceb994 test/crypto: clarify the difference between ownertrust and validity
This is a subtle difference, but the output of notmuch shouldn't ever
change based on ownertrust itself -- notmuch is intended to show valid
User IDs, and to avoid showing invalid User IDs.

It so happens that setting ownertrust of a key to ultimate sets all
associated user IDs to "full" validity, so the test is correct, but
just misnamed.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-07 06:42:01 -03:00
David Bremner
6682b4e686 Merge tag 0.28.4
No functionality changes merged, since the bug in question was already
fixed on master.
2019-05-05 16:38:51 -03:00
David Bremner
ae6b52488d cli/show: avoid empty write to stdout in format_part_raw
Previously if the input was exactly a multiple of the internal buffer
size, notmuch would attempt to fwrite nothing to stdout, but still
expected fwrite to return 1, causing a failure that looked like this:

  $ notmuch show --format=raw id:87o96f1cya.fsf@codeaurora.org
    ...entire message shown as expected..
  Error: Write failed
  $ echo $?
  1

To fix the problem don't call fwrite at all when there's nothing to
write.

Amended by db: add some tests of message sizes likely to cause this
problem.
2019-05-05 08:01:17 -03:00
David Bremner
103c11822e cli/notmuch-show: support gzipped files
This drops "file" from mime_node_context and just uses a local
variable. It also uses the new gzip aware utility routines recently
added to util/gmime-extra.c. The use of gzopen / gzfile in addition is
a bit icky, but the choice is between that, and providing yet another
readline implimentation that understands GMime streams.
2019-05-03 07:48:43 -03:00
David Bremner
852167479f lib/message_file: open gzipped files
Rather than storing the lower level stdio FILE object, we store a
GMime stream. This allows both transparent decompression, and passing
the stream into GMime for parsing. As a side effect, we can let GMime
close the underlying OS stream (indeed, that stream isn't visible here
anymore).

This change is enough to get notmuch-{new,search} working, but there is still
some work required for notmuch-show, to be done in a following commit.
2019-05-03 07:48:43 -03:00