GODT-1779: Remove go-imap

2022-08-26 17:00:21 +02:00
parent 3b0bc1ca15
commit 39433fe707
593 changed files with 12725 additions and 91626 deletions
--- a/internal/certs/cert_store_darwin.go
+++ b/internal/certs/cert_store_darwin.go
@ -0,0 +1,85 @@
+// Copyright (c) 2022 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
+
+package certs
+
+import (
+	"os"
+
+	"golang.org/x/sys/execabs"
+)
+
+func installCert(certPEM []byte) error {
+	name, err := writeToTempFile(certPEM)
+	if err != nil {
+		return err
+	}
+
+	return addTrustedCert(name)
+}
+
+func uninstallCert(certPEM []byte) error {
+	name, err := writeToTempFile(certPEM)
+	if err != nil {
+		return err
+	}
+
+	return removeTrustedCert(name)
+}
+
+func addTrustedCert(certPath string) error {
+	return execabs.Command( //nolint:gosec
+		"/usr/bin/security",
+		"execute-with-privileges",
+		"/usr/bin/security",
+		"add-trusted-cert",
+		"-d",
+		"-r", "trustRoot",
+		"-p", "ssl",
+		"-k", "/Library/Keychains/System.keychain",
+		certPath,
+	).Run()
+}
+
+func removeTrustedCert(certPath string) error {
+	return execabs.Command( //nolint:gosec
+		"/usr/bin/security",
+		"execute-with-privileges",
+		"/usr/bin/security",
+		"remove-trusted-cert",
+		"-d",
+		certPath,
+	).Run()
+}
+
+// writeToTempFile writes the given data to a temporary file and returns the path.
+func writeToTempFile(data []byte) (string, error) {
+	f, err := os.CreateTemp("", "tls")
+	if err != nil {
+		return "", err
+	}
+
+	if _, err := f.Write(data); err != nil {
+		return "", err
+	}
+
+	if err := f.Close(); err != nil {
+		return "", err
+	}
+
+	return f.Name(), nil
+}
--- a/internal/certs/cert_store_linux.go
+++ b/internal/certs/cert_store_linux.go
@ -0,0 +1,26 @@
+// Copyright (c) 2022 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
+
+package certs
+
+func installCert([]byte) error {
+	return nil // Linux doesn't have a root cert store.
+}
+
+func uninstallCert([]byte) error {
+	return nil // Linux doesn't have a root cert store.
+}
--- a/internal/certs/cert_store_windows.go
+++ b/internal/certs/cert_store_windows.go
@ -0,0 +1,26 @@
+// Copyright (c) 2022 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
+
+package certs
+
+func installCert([]byte) error {
+	return nil // NOTE(GODT-986): Install certs to root cert store?
+}
+
+func uninstallCert([]byte) error {
+	return nil // NOTE(GODT-986): Uninstall certs from root cert store?
+}
--- a/internal/certs/installer.go
+++ b/internal/certs/installer.go
@ -0,0 +1,15 @@
+package certs
+
+type Installer struct{}
+
+func NewInstaller() *Installer {
+	return &Installer{}
+}
+
+func (installer *Installer) InstallCert(certPEM []byte) error {
+	return installCert(certPEM)
+}
+
+func (installer *Installer) UninstallCert(certPEM []byte) error {
+	return uninstallCert(certPEM)
+}
--- a/internal/certs/tls.go
+++ b/internal/certs/tls.go
@ -0,0 +1,118 @@
+// Copyright (c) 2022 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
+
+package certs
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"net"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+// ErrTLSCertExpiresSoon is returned when the TLS certificate is about to expire.
+var ErrTLSCertExpiresSoon = fmt.Errorf("TLS certificate will expire soon")
+
+// NewTLSTemplate creates a new TLS template certificate with a random serial number.
+func NewTLSTemplate() (*x509.Certificate, error) {
+	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to generate serial number")
+	}
+
+	return &x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Country:            []string{"CH"},
+			Organization:       []string{"Proton AG"},
+			OrganizationalUnit: []string{"Proton Mail"},
+			CommonName:         "127.0.0.1",
+		},
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(20 * 365 * 24 * time.Hour),
+	}, nil
+}
+
+// GenerateTLSCert generates a new TLS certificate and returns it as PEM.
+var GenerateCert = func(template *x509.Certificate) ([]byte, []byte, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "failed to generate private key")
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "failed to create certificate")
+	}
+
+	certPEM := new(bytes.Buffer)
+
+	if err := pem.Encode(certPEM, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
+		return nil, nil, err
+	}
+
+	keyPEM := new(bytes.Buffer)
+
+	if err := pem.Encode(keyPEM, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil {
+		return nil, nil, err
+	}
+
+	return certPEM.Bytes(), keyPEM.Bytes(), nil
+}
+
+// GetConfig tries to load TLS config or generate new one which is then returned.
+func GetConfig(certPEM, keyPEM []byte) (*tls.Config, error) {
+	c, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to load keypair")
+	}
+
+	c.Leaf, err = x509.ParseCertificate(c.Certificate[0])
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse certificate")
+	}
+
+	if time.Now().Add(31 * 24 * time.Hour).After(c.Leaf.NotAfter) {
+		return nil, ErrTLSCertExpiresSoon
+	}
+
+	caCertPool := x509.NewCertPool()
+	caCertPool.AddCert(c.Leaf)
+
+	//nolint:gosec  // We need to support older TLS versions for AppleMail and Outlook
+	return &tls.Config{
+		Certificates: []tls.Certificate{c},
+		ServerName:   "127.0.0.1",
+		ClientAuth:   tls.VerifyClientCertIfGiven,
+		RootCAs:      caCertPool,
+		ClientCAs:    caCertPool,
+	}, nil
+}
--- a/internal/certs/tls_test.go
+++ b/internal/certs/tls_test.go
@ -0,0 +1,79 @@
+// Copyright (c) 2022 Proton AG
+//
+// This file is part of Proton Mail Bridge.
+//
+// Proton Mail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Proton Mail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Proton Mail Bridge. If not, see <https://www.gnu.org/licenses/>.
+
+package certs
+
+import (
+	"crypto/tls"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetOldConfig(t *testing.T) {
+	// Create new TLS template.
+	tlsTemplate, err := NewTLSTemplate()
+	require.NoError(t, err)
+
+	// Make the template be an old key.
+	tlsTemplate.NotBefore = time.Now().Add(-365 * 24 * time.Hour)
+	tlsTemplate.NotAfter = time.Now()
+
+	// Generate the certs from the template.
+	certPEM, keyPEM, err := GenerateCert(tlsTemplate)
+	require.NoError(t, err)
+
+	// Generate the config from the certs -- it's going to expire soon so we don't want to use it.
+	_, err = GetConfig(certPEM, keyPEM)
+	require.Equal(t, err, ErrTLSCertExpiresSoon)
+}
+
+func TestGetValidConfig(t *testing.T) {
+	// Create new TLS template.
+	tlsTemplate, err := NewTLSTemplate()
+	require.NoError(t, err)
+
+	// Make the template be a new key.
+	tlsTemplate.NotBefore = time.Now()
+	tlsTemplate.NotAfter = time.Now().Add(2 * 365 * 24 * time.Hour)
+
+	// Generate the certs from the template.
+	certPEM, keyPEM, err := GenerateCert(tlsTemplate)
+	require.NoError(t, err)
+
+	// Generate the config from the certs -- it's not going to expire soon so we want to use it.
+	config, err := GetConfig(certPEM, keyPEM)
+	require.NoError(t, err)
+	require.Equal(t, len(config.Certificates), 1)
+
+	// Check the cert is valid.
+	now, notValidAfter := time.Now(), config.Certificates[0].Leaf.NotAfter
+	require.False(t, now.After(notValidAfter), "new certificate expected to be valid at %v but have valid until %v", now, notValidAfter)
+}
+
+func TestNewConfig(t *testing.T) {
+	tlsTemplate, err := NewTLSTemplate()
+	require.NoError(t, err)
+
+	pemCert, pemKey, err := GenerateCert(tlsTemplate)
+	require.NoError(t, err)
+
+	cert, err := tls.X509KeyPair(pemCert, pemKey)
+	require.NoError(t, err)
+	require.NotNil(t, cert)
+}