#!/usr/bin/perl -T

use lib '.'; use lib 't';
use SATest; sa_t_init("spf");
use Test::More;

use constant HAS_MAILSPF => eval { require Mail::SPF; };

plan skip_all => "Long running tests disabled" unless conf_bool('run_long_tests');
plan skip_all => "Net tests disabled" unless conf_bool('run_net_tests');
plan skip_all => "Need Mail::SPF" unless HAS_MAILSPF;
plan skip_all => "Can't use Net::DNS Safely" unless can_use_net_dns_safely();

plan tests => 72;

# ---------------------------------------------------------------------------

# ensure all rules will fire
tstlocalrules ("
  score SPF_FAIL 0.001
  score SPF_HELO_FAIL 0.001
  score SPF_HELO_NEUTRAL 0.001
  score SPF_HELO_SOFTFAIL 0.001
  score SPF_NEUTRAL 0.001
  score SPF_SOFTFAIL 0.001
  score SPF_PASS -0.001
  score SPF_HELO_PASS -0.001
  score USER_IN_DEF_SPF_WL -0.001
  score USER_IN_SPF_WHITELIST -0.001
");

%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
);

sarun ("-t < data/nice/spf1", \&patterns_run_cb);
ok_all_patterns();

%patterns = (
  q{ SPF_NEUTRAL }, 'neutral',
  q{ SPF_HELO_NEUTRAL }, 'helo_neutral',
);

sarun ("-t < data/spam/spf1", \&patterns_run_cb);
ok_all_patterns();

%patterns = (
  q{ SPF_SOFTFAIL }, 'softfail',
  q{ SPF_HELO_SOFTFAIL }, 'helo_softfail',
);

sarun ("-t < data/spam/spf2", \&patterns_run_cb);
ok_all_patterns();
%patterns = (
  q{ SPF_FAIL }, 'fail',
  q{ SPF_HELO_FAIL }, 'helo_fail',
);

sarun ("-t < data/spam/spf3", \&patterns_run_cb);
ok_all_patterns();


# Test using an assortment of trusted and internal network definitions

# 9-10: Trusted networks contain first header.

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.157
  always_trust_envelope_sender 1
");

%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
);

sarun ("-t < data/nice/spf2", \&patterns_run_cb);
ok_all_patterns();


# 11-12: Internal networks contain first header.
#	   Trusted networks not defined.

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  internal_networks 65.214.43.157
  always_trust_envelope_sender 1
");

%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
);

sarun ("-t < data/nice/spf2", \&patterns_run_cb);
ok_all_patterns();


# 13-14: Internal networks contain first header.
#	   Trusted networks contain some other IP.
#        jm: commented; this is now an error condition.

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 1.2.3.4
  internal_networks 65.214.43.157
  always_trust_envelope_sender 1
");

%patterns = (
  q{ SPF_HELO_NEUTRAL }, 'helo_neutral',
  q{ SPF_NEUTRAL }, 'neutral',
);

if (0) {
  sarun ("-t < data/nice/spf2", \&patterns_run_cb);
  ok_all_patterns();
} else {
  ok(1);        # skip the tests
  ok(1);
}


# 15-16: Trusted+Internal networks contain first header.

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.157
  internal_networks 65.214.43.157
  always_trust_envelope_sender 1
");

%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
);

sarun ("-t < data/nice/spf2", \&patterns_run_cb);
ok_all_patterns();


# 17-18: Trusted networks contain first and second header.
#	   Internal networks contain first header.

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.157 64.142.3.173
  internal_networks 65.214.43.157
  always_trust_envelope_sender 1
");

%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
);

sarun ("-t < data/nice/spf2", \&patterns_run_cb);
ok_all_patterns();


# 19-26: Trusted networks contain first and second header.
#	   Internal networks contain first and second header.

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.157 64.142.3.173
  internal_networks 65.214.43.157 64.142.3.173
  always_trust_envelope_sender 1
");

%anti_patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_HELO_FAIL }, 'helo_fail',
  q{ SPF_HELO_SOFTFAIL }, 'helo_softfail',
  q{ SPF_HELO_NEUTRAL }, 'helo_neutral',
  q{ SPF_PASS }, 'pass',
  q{ SPF_FAIL }, 'fail',
  q{ SPF_SOFTFAIL }, 'softfail',
  q{ SPF_NEUTRAL }, 'neutral',
);
%patterns = ();

sarun ("-t < data/nice/spf2", \&patterns_run_cb);
ok_all_patterns();


# 27-28: Trusted networks contain first header.
#	   Internal networks contain first and second header.

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.157
  internal_networks 65.214.43.157 64.142.3.173
  always_trust_envelope_sender 1
");

%anti_patterns = ();
%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
);

sarun ("-t < data/nice/spf2", \&patterns_run_cb);
ok_all_patterns();


# 29-30: Trusted networks contain top 5 headers.
#	   Internal networks contain first header.

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.158 64.142.3.173 65.214.43.155 65.214.43.156 65.214.43.157
  internal_networks 65.214.43.158
  always_trust_envelope_sender 1
");

%anti_patterns = ();
%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
);

sarun ("-t < data/nice/spf3", \&patterns_run_cb);
ok_all_patterns();


# 31-32: Trusted networks contain top 5 headers.
#	   Internal networks contain top 2 headers.

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.158 64.142.3.173 65.214.43.155 65.214.43.156 65.214.43.157
  internal_networks 65.214.43.158 64.142.3.173
  always_trust_envelope_sender 1
");

%anti_patterns = ();
%patterns = (
  q{ SPF_HELO_FAIL }, 'helo_fail',
  q{ SPF_FAIL }, 'fail',
);

sarun ("-t < data/nice/spf3", \&patterns_run_cb);
ok_all_patterns();


# 33-34: Trusted networks contain top 5 headers.
#	   Internal networks contain top 3 headers.

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.158 64.142.3.173 65.214.43.155 65.214.43.156 65.214.43.157
  internal_networks 65.214.43.158 64.142.3.173 65.214.43.155
  always_trust_envelope_sender 1
");

%anti_patterns = ();
%patterns = (
  q{ SPF_HELO_SOFTFAIL }, 'helo_softfail',
  q{ SPF_SOFTFAIL }, 'softfail',
);

sarun ("-t < data/nice/spf3", \&patterns_run_cb);
ok_all_patterns();


# 35-36: Trusted networks contain top 5 headers.
#	   Internal networks contain top 4 headers.	

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.158 64.142.3.173 65.214.43.155 65.214.43.156 65.214.43.157
  internal_networks 65.214.43.158 64.142.3.173 65.214.43.155 65.214.43.156
  always_trust_envelope_sender 1
");

%anti_patterns = ();
%patterns = (
  q{ SPF_HELO_NEUTRAL }, 'helo_neutral',
  q{ SPF_NEUTRAL }, 'neutral',
);

sarun ("-t < data/nice/spf3", \&patterns_run_cb);
ok_all_patterns();


# 37-40: same as test 1-2 with some spf whitelisting added

tstprefs("
  whitelist_from_spf newsalerts-noreply\@dnsbltest.spamassassin.org
  def_whitelist_from_spf *\@dnsbltest.spamassassin.org
");

%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
  q{ USER_IN_SPF_WHITELIST }, 'spf_whitelist',
  q{ USER_IN_DEF_SPF_WL }, 'default_spf_whitelist',
);

sarun ("-t < data/nice/spf1", \&patterns_run_cb);
ok_all_patterns();


# 41-44: same as test 1-2 with some spf whitelist entries that don't match

tstprefs("
  whitelist_from_spf *\@example.com
  def_whitelist_from_spf nothere\@dnsbltest.spamassassin.org
");

%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
);

%anti_patterns = (
  q{ USER_IN_SPF_WHITELIST }, 'spf_whitelist',
  q{ USER_IN_DEF_SPF_WL }, 'default_spf_whitelist',
);

sarun ("-t < data/nice/spf1", \&patterns_run_cb);
ok_all_patterns();

# clear these out before we loop
%anti_patterns = ();
%patterns = ();


# 45-48: same as test 37-40 with whitelist_auth added

tstprefs("
  whitelist_auth newsalerts-noreply\@dnsbltest.spamassassin.org
  def_whitelist_auth *\@dnsbltest.spamassassin.org
");

%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
  q{ USER_IN_SPF_WHITELIST }, 'spf_whitelist',
  q{ USER_IN_DEF_SPF_WL }, 'default_spf_whitelist',
);

sarun ("-t < data/nice/spf1", \&patterns_run_cb);
ok_all_patterns();


# test usage of Received-SPF headers added by internal relays
# the Received-SPF headers shouldn't be used in this test

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.158
  internal_networks 65.214.43.158
  always_trust_envelope_sender 1
");

%anti_patterns = ();
%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
);

sarun ("-t < data/nice/spf3-received-spf", \&patterns_run_cb);
ok_all_patterns();
# Test same with nonfolded headers
sarun ("-t < data/nice/spf4-received-spf-nofold", \&patterns_run_cb);
ok_all_patterns();
# Test same with crlf line endings
sarun ("-t < data/nice/spf5-received-spf-crlf", \&patterns_run_cb);
ok_all_patterns();
# Test same with crlf line endings (bug 7785)
sarun ("-t < data/nice/spf6-received-spf-crlf2", \&patterns_run_cb);
ok_all_patterns();


# test usage of Received-SPF headers added by internal relays
# the Received-SPF headers shouldn't be used in this test

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.158 64.142.3.173
  internal_networks 65.214.43.158 64.142.3.173
  always_trust_envelope_sender 1
  ignore_received_spf_header 1
");

%anti_patterns = ();
%patterns = (
  q{ SPF_HELO_FAIL }, 'helo_fail_ignore_header',
  q{ SPF_FAIL }, 'fail_ignore_header',
);

sarun ("-t < data/nice/spf3-received-spf", \&patterns_run_cb);
ok_all_patterns();
# Test same with nonfolded headers
sarun ("-t < data/nice/spf4-received-spf-nofold", \&patterns_run_cb);
ok_all_patterns();


# test usage of Received-SPF headers added by internal relays
# the bottom 2 Received-SPF headers should be used in this test

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.158 64.142.3.173
  internal_networks 65.214.43.158 64.142.3.173
  always_trust_envelope_sender 1
");

%anti_patterns = ();
%patterns = (
  q{ SPF_HELO_SOFTFAIL }, 'helo_softfail_from_header',
  q{ SPF_NEUTRAL }, 'neutral_from_header',
);

sarun ("-t < data/nice/spf3-received-spf", \&patterns_run_cb);
ok_all_patterns();
# Test same with nonfolded headers
sarun ("-t < data/nice/spf4-received-spf-nofold", \&patterns_run_cb);
ok_all_patterns();


# test usage of Received-SPF headers added by internal relays
# the top 2 Received-SPF headers should be used in this test

tstprefs("
  clear_trusted_networks
  clear_internal_networks
  trusted_networks 65.214.43.158 64.142.3.173
  internal_networks 65.214.43.158 64.142.3.173
  use_newest_received_spf_header 1
  always_trust_envelope_sender 1
");

%anti_patterns = ();
%patterns = (
  q{ SPF_HELO_SOFTFAIL }, 'helo_softfail_from_header',
  q{ SPF_FAIL }, 'fail_from_header',
);

sarun ("-t < data/nice/spf3-received-spf", \&patterns_run_cb);
ok_all_patterns();
# Test same with nonfolded headers
sarun ("-t < data/nice/spf4-received-spf-nofold", \&patterns_run_cb);
ok_all_patterns();


# test unwhitelist_auth and unwhitelist_from_spf

tstprefs("
  whitelist_auth newsalerts-noreply\@dnsbltest.spamassassin.org
  def_whitelist_auth newsalerts-noreply\@dnsbltest.spamassassin.org
  unwhitelist_auth newsalerts-noreply\@dnsbltest.spamassassin.org

  whitelist_from_spf *\@dnsbltest.spamassassin.org
  def_whitelist_from_spf *\@dnsbltest.spamassassin.org
  unwhitelist_from_spf *\@dnsbltest.spamassassin.org
");

%patterns = (
  q{ SPF_HELO_PASS }, 'helo_pass',
  q{ SPF_PASS }, 'pass',
);

%anti_patterns = (
  q{ USER_IN_SPF_WHITELIST }, 'spf_whitelist',
  q{ USER_IN_DEF_SPF_WL }, 'default_spf_whitelist',
);

sarun ("-t < data/nice/spf1", \&patterns_run_cb);
ok_all_patterns();