# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/ require 'rails_helper' RSpec.describe SecureMailing::PGP, :aggregate_failures do before do Setting.set('pgp_integration', true) end let(:raw_body) { 'Testing some Content' } let(:attachments) { [] } let(:system_email_address) { 'pgp1@example.com' } let(:customer_email_address) { 'pgp2@example.com' } let(:cc_customer_email_address) { 'pgp3@example.com' } let(:expired_email_address) { 'expiredpgp1@example.com' } let(:content_type) { 'text/plain' } def build_mail Channel::EmailBuild.build( from: sender_email_address, to: recipient_email_address, cc: cc_recipient_email_address, body: raw_body, content_type: content_type, security: security_preferences, attachments: attachments ) end describe 'outgoing' do shared_examples 'HttpLog writer' do |status| it "logs #{status}" do expect do build_mail rescue # allow failures end.to change(HttpLog, :count).by(1) expect(HttpLog.last.attributes).to include('direction' => 'out', 'status' => status) end end let(:sender_email_address) { system_email_address } let(:recipient_email_address) { customer_email_address } let(:cc_recipient_email_address) { cc_customer_email_address } context 'without security' do let(:security_preferences) do nil end it 'builds mail' do expect(build_mail.body).not_to match(SecureMailing::PGP::Incoming::SIGNATURE_CONTENT_TYPE) expect(build_mail.body).to eq(raw_body) end end context 'with signing' do let(:security_preferences) do { type: 'PGP', sign: { success: true, }, encryption: { success: false, }, } end context 'when private key present' do before do create(:pgp_key, :with_private, fixture: system_email_address) end it 'builds mail' do expect(build_mail.body).to match(SecureMailing::PGP::Incoming::SIGNATURE_CONTENT_TYPE) end it_behaves_like 'HttpLog writer', 'success' context 'with expired key' do let(:system_email_address) { expired_email_address } it 'raises exception' do expect { build_mail }.to raise_error ActiveRecord::RecordNotFound end it_behaves_like 'HttpLog writer', 'failed' end end context 'when no private key is present' do it 'raises exception' do expect { build_mail }.to raise_error ActiveRecord::RecordNotFound end it_behaves_like 'HttpLog writer', 'failed' end end context 'with encryption' do let(:security_preferences) do { type: 'PGP', sign: { success: false, }, encryption: { success: true, }, } end context 'when all needed keys are present' do before do create(:pgp_key, :with_private, fixture: system_email_address) create(:pgp_key, fixture: recipient_email_address) create(:pgp_key, fixture: cc_recipient_email_address) end it 'builds mail' do mail = build_mail expect(mail['Content-Type'].value).to include('multipart/encrypted') expect(mail.body).not_to include(raw_body) end it_behaves_like 'HttpLog writer', 'success' end context 'when needed keys are not present' do it 'raises exception' do expect { build_mail }.to raise_error ActiveRecord::RecordNotFound end end context 'when one key is expired' do before do create(:pgp_key, :with_private, fixture: system_email_address) create(:pgp_key, fixture: recipient_email_address) create(:pgp_key, fixture: cc_recipient_email_address) end let(:customer_email_address) { expired_email_address } it 'raises exception' do expect { build_mail }.to raise_error ActiveRecord::RecordNotFound end end context 'when a key with multiple UIDs is present' do let(:customer_email_address) { 'multipgp2@example.com' } before do create(:pgp_key, :with_private, fixture: system_email_address) create(:pgp_key, fixture: recipient_email_address) create(:pgp_key, fixture: cc_customer_email_address) end it 'builds mail' do mail = build_mail expect(mail['Content-Type'].value).to include('multipart/encrypted') expect(mail.body).not_to include(raw_body) end it_behaves_like 'HttpLog writer', 'success' end end context 'with encryption and signing' do let(:security_preferences) do { type: 'PGP', sign: { success: true, }, encryption: { success: true, }, } end before do create(:pgp_key, :with_private, fixture: system_email_address) create(:pgp_key, :with_private, fixture: recipient_email_address) create(:pgp_key, fixture: cc_customer_email_address) end it 'builds mail' do mail = build_mail expect(mail['Content-Type'].value).to include('multipart/encrypted') expect(mail.body).not_to include(raw_body) end context 'with inline image' do let(:article) do create(:ticket_article, ticket: create(:ticket), body: '
some message article helper test1

') end let(:attachments) do create_list( :store, 1, object: 'Ticket::Article', o_id: article.id, data: 'fake', filename: 'inline_image.jpg', preferences: { 'Content-Type' => 'image/jpeg', 'Mime-Type' => 'image/jpeg', 'Content-ID' => '<15.274327094.140939>', 'Content-Disposition' => 'inline', } ) end let(:raw_body) do <<~MSG_HTML.chomp
some message article helper test1

MSG_HTML end let(:content_type) { 'text/html' } it 'builds mail' do mail = build_mail expect(mail['Content-Type'].value).to include('multipart/encrypted') end end end end describe '.incoming' do shared_examples 'HttpLog writer' do |status| it "logs #{status}" do expect do mail rescue # allow failures end.to change(HttpLog, :count).by(2) expect(HttpLog.last.attributes).to include('direction' => 'in', 'status' => status) end end shared_examples 'decrypting message content' do it 'decrypts message content' do expect(mail[:body]).to include(raw_body) expect(mail['x-zammad-article-preferences'][:security][:sign][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:sign][:comment]).to be_nil expect(mail['x-zammad-article-preferences'][:security][:encryption][:success]).to be true expect(mail['x-zammad-article-preferences'][:security][:encryption][:comment]).to eq '' end end shared_examples 'decrypting and verifying signature' do it 'decrypts and verifies signature' do expect(mail[:body]).to include(raw_body) expect(mail['x-zammad-article-preferences'][:security][:sign][:success]).to be true expect(mail['x-zammad-article-preferences'][:security][:sign][:comment]).to eq('Good signature') expect(mail['x-zammad-article-preferences'][:security][:encryption][:success]).to be true expect(mail['x-zammad-article-preferences'][:security][:encryption][:comment]).to eq '' end end let(:sender_email_address) { system_email_address } let(:recipient_email_address) { customer_email_address } let(:cc_recipient_email_address) { cc_customer_email_address } context 'when signature verification' do context 'when sender public key present' do before do create(:pgp_key, :with_private, fixture: sender_email_address) end let(:security_preferences) do { type: 'PGP', sign: { success: true, }, encryption: { success: false, }, } end let(:mail) do pgp_mail = build_mail mail = Channel::EmailParser.new.parse(pgp_mail.to_s) SecureMailing.incoming(mail) mail end it 'verifies' do expect(mail[:body]).to include(raw_body) expect(mail['x-zammad-article-preferences'][:security][:sign][:success]).to be true expect(mail['x-zammad-article-preferences'][:security][:sign][:comment]).to eq 'Good signature' expect(mail['x-zammad-article-preferences'][:security][:encryption][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:encryption][:comment]).to be_nil end it_behaves_like 'HttpLog writer', 'success' context 'with html mail' do let(:raw_content) { '
> Welcome!
>
> Thank you for installing Zammad. äöüß
>
' } let(:raw_body) do <<~MSG_HTML.chomp #{raw_content} MSG_HTML end let(:content_type) { 'text/html' } it 'verifies' do expect(mail[:body]).to eq(raw_content) expect(mail['x-zammad-article-preferences'][:security][:sign][:success]).to be true expect(mail['x-zammad-article-preferences'][:security][:sign][:comment]).to eq 'Good signature' expect(mail['x-zammad-article-preferences'][:security][:encryption][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:encryption][:comment]).to be_nil end end context 'when key is expired' do let(:mail) do # Import a mail which was created with a now expired key. pgp_mail = Rails.root.join('spec/fixtures/files/pgp/mail/mail-expired.box').read mail = Channel::EmailParser.new.parse(pgp_mail) SecureMailing.incoming(mail) mail end let(:sender_email_address) { expired_email_address } it 'not verified' do expect(mail[:body]).to include(raw_body) expect(mail['x-zammad-article-preferences'][:security][:sign][:success]).to be true expect(mail['x-zammad-article-preferences'][:security][:sign][:comment]).to eq 'Good signature' expect(mail['x-zammad-article-preferences'][:security][:encryption][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:encryption][:comment]).to be_nil end end end end context 'with decryption' do let(:security_preferences) do { type: 'PGP', sign: { success: false, }, encryption: { success: true, }, } end let!(:sender_key) { create(:pgp_key, :with_private, fixture: sender_email_address) } let!(:recipient_key) { create(:pgp_key, :with_private, fixture: recipient_email_address) } let!(:cc_recipient_key) { create(:pgp_key, :with_private, fixture: cc_recipient_email_address) } context 'when private key present' do let(:mail) do pgp_mail = build_mail parsed_mail = Channel::EmailParser.new.parse(pgp_mail.to_s) SecureMailing.incoming(parsed_mail) parsed_mail end it_behaves_like 'decrypting message content' it_behaves_like 'HttpLog writer', 'success' context 'with existing second key for same uid' do let(:mail) do # Import a mail which was created with a now expired key. pgp_mail = Rails.root.join('spec/fixtures/files/pgp/mail/mail-other-key.box').read mail = Channel::EmailParser.new.parse(pgp_mail) SecureMailing.incoming(mail) mail end before do create(:pgp_key, :with_private, fixture: "#{recipient_email_address}-other") end it_behaves_like 'decrypting message content' end context 'with OCB key' do let(:recipient_email_address) { 'ocbpgp1@example.com' } let(:mail) do # Import a mail which was created with an OCB key. pgp_mail = Rails.root.join('spec/fixtures/files/pgp/mail/mail-ocb.box').read mail = Channel::EmailParser.new.parse(pgp_mail) SecureMailing.incoming(mail) mail end context 'with GPG version >= 2.2.27', if: SecureMailing::PGP::Tool.version >= '2.2.27' do it_behaves_like 'decrypting message content' end context 'with GPG version < 2.2.27', if: ENV['CI'] && SecureMailing::PGP::Tool.version < '2.2.27' do it 'provides an error message as an article comment' do expect(mail['x-zammad-article-preferences'][:security][:sign][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:sign][:comment]).to be_nil expect(mail['x-zammad-article-preferences'][:security][:encryption][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:encryption][:comment]).to eq 'There was an unknown PGP error. This PGP email was encrypted with a potentially unknown encryption algorithm.' end end end context 'when recipient is bcc only' do let(:mail) do create(:pgp_key, :with_private, fixture: 'zammad@localhost') # Import a mail which was created with bcc recipient only. pgp_mail = Rails.root.join('spec/fixtures/files/pgp/mail/mail-decrypt-bcc.box').read mail = Channel::EmailParser.new.parse(pgp_mail) SecureMailing.incoming(mail) mail end it_behaves_like 'decrypting message content' end end context 'with no private key present' do let(:mail) do pgp_mail = build_mail mail = Channel::EmailParser.new.parse(pgp_mail.to_s) sender_key.destroy! recipient_key.destroy! cc_recipient_key.destroy! SecureMailing.incoming(mail) mail end it 'fails' do expect(mail[:body]).to include('no visible content') expect(mail['x-zammad-article-preferences'][:security][:sign][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:sign][:comment]).to be_nil expect(mail['x-zammad-article-preferences'][:security][:encryption][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:encryption][:comment]).to eq('The private PGP key could not be found.') end it_behaves_like 'HttpLog writer', 'failed' end end context 'with signature verification and decryption' do let(:security_preferences) do { type: 'PGP', sign: { success: true, }, encryption: { success: true, }, } end context 'when the mail is signed and encrypted separately' do before do create(:pgp_key, :with_private, fixture: sender_email_address) create(:pgp_key, :with_private, fixture: recipient_email_address) create(:pgp_key, fixture: cc_recipient_email_address) end let(:mail) do pgp_mail = build_mail mail = Channel::EmailParser.new.parse(pgp_mail.to_s) SecureMailing.incoming(mail) mail end it_behaves_like 'decrypting and verifying signature' end context 'when the mail is signed and encrypted (detached signature)' do let(:sender_key) { create(:pgp_key, :with_private, fixture: sender_email_address) } let(:recipient_key) { create(:pgp_key, :with_private, fixture: recipient_email_address) } let(:cc_recipient_key) { create(:pgp_key, :with_private, fixture: cc_recipient_email_address) } let(:mail) do # Import a mail that was signed + encrypted with a detached signature. pgp_mail = Rails.root.join('spec/fixtures/files/pgp/mail/mail-detached.box').read mail = Channel::EmailParser.new.parse(pgp_mail.to_s) SecureMailing.incoming(mail) mail end context 'when all keys are present' do before do sender_key recipient_key cc_recipient_key end it_behaves_like 'decrypting and verifying signature' end context 'when only cc recipient key is present for decryption' do before do sender_key cc_recipient_key end it_behaves_like 'decrypting and verifying signature' end context 'when only decryption key is present' do before do recipient_key cc_recipient_key end it 'decrypts, but verifies signature fails' do expect(mail[:body]).to include(raw_body) expect(mail['x-zammad-article-preferences'][:security][:sign][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:sign][:comment]).to eq('The public PGP key could not be found.') expect(mail['x-zammad-article-preferences'][:security][:encryption][:success]).to be true expect(mail['x-zammad-article-preferences'][:security][:encryption][:comment]).to eq '' end end context 'when all keys are present, but addresses are in upcase' do let(:mail) do # Import a mail and change the case of the sender address. pgp_mail = Rails.root.join('spec/fixtures/files/pgp/mail/mail-detached.box').read pgp_mail = pgp_mail.sub!('pgp1@example.com', 'PGP1@EXAMPLE.COM') pgp_mail = pgp_mail.sub!('pgp2@example.com', 'PGP2@EXAMPLE.COM') pgp_mail = pgp_mail.sub!('pgp3@example.com', 'PGP3@EXAMPLE.COM') mail = Channel::EmailParser.new.parse(pgp_mail.to_s) SecureMailing.incoming(mail) mail end before do sender_key recipient_key cc_recipient_key end it_behaves_like 'decrypting and verifying signature' end end context 'when the mail is signed and encrypted (attached signature)' do let(:sender_key) { create(:pgp_key, :with_private, fixture: sender_email_address) } let(:recipient_key) { create(:pgp_key, :with_private, fixture: recipient_email_address) } let(:cc_recipient_key) { create(:pgp_key, :with_private, fixture: cc_recipient_email_address) } let(:mail) do # Import a mail that was signed + encrypted with an attached signature. pgp_mail = Rails.root.join('spec/fixtures/files/pgp/mail/mail-attached.box').read mail = Channel::EmailParser.new.parse(pgp_mail.to_s) SecureMailing.incoming(mail) mail end context 'when all keys are present' do before do sender_key recipient_key cc_recipient_key end it_behaves_like 'decrypting and verifying signature' end context 'when only cc recipient key is present for decryption' do before do sender_key cc_recipient_key end it_behaves_like 'decrypting and verifying signature' end context 'when only decryption key is present' do before do recipient_key cc_recipient_key end it 'decrypts, but verifies signature fails' do expect(mail[:body]).to include(raw_body) expect(mail['x-zammad-article-preferences'][:security][:sign][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:sign][:comment]).to eq('The public PGP key could not be found.') expect(mail['x-zammad-article-preferences'][:security][:encryption][:success]).to be true expect(mail['x-zammad-article-preferences'][:security][:encryption][:comment]).to eq '' end end end context 'when the mail is signed and encrypted in the same go (combined)' do let(:sender_key) { create(:pgp_key, :with_private, fixture: sender_email_address) } let(:recipient_key) { create(:pgp_key, :with_private, fixture: recipient_email_address) } let(:cc_recipient_key) { create(:pgp_key, :with_private, fixture: cc_recipient_email_address) } let(:mail) do # Import a mail that was signed + encrypted with the same command. pgp_mail = Rails.root.join('spec/fixtures/files/pgp/mail/mail-combined.box').read mail = Channel::EmailParser.new.parse(pgp_mail.to_s) SecureMailing.incoming(mail) mail end context 'when all keys are present' do before do sender_key recipient_key cc_recipient_key end it_behaves_like 'decrypting and verifying signature' end context 'when only cc recipient key is present for decryption' do before do sender_key cc_recipient_key end it_behaves_like 'decrypting and verifying signature' end context 'when only decryption key is present' do before do recipient_key cc_recipient_key end it 'decrypts, but verifies signature fails' do expect(mail[:body]).to include(raw_body) expect(mail['x-zammad-article-preferences'][:security][:sign][:success]).to be false expect(mail['x-zammad-article-preferences'][:security][:sign][:comment]).to eq('The public PGP key could not be found.') expect(mail['x-zammad-article-preferences'][:security][:encryption][:success]).to be true expect(mail['x-zammad-article-preferences'][:security][:encryption][:comment]).to eq '' end end end context 'when domain alias support is used' do before do Setting.set('pgp_recipient_alias_configuration', true) create(:pgp_key, :with_private, fixture: 'pgp1@example.com', domain_alias: 'domain1.com') create(:pgp_key, :with_private, fixture: 'pgp2@example.com', domain_alias: 'domain2.com') create(:pgp_key, fixture: 'pgp3@example.com', domain_alias: 'domain3.com') end let(:system_email_address) { 'pgp1@domain1.com' } let(:customer_email_address) { 'pgp2@domain2.com' } let(:cc_customer_email_address) { 'pgp3@domain3.com' } let(:mail) do pgp_mail = build_mail mail = Channel::EmailParser.new.parse(pgp_mail.to_s) SecureMailing.incoming(mail) mail end it_behaves_like 'decrypting and verifying signature' end end end describe '.required_version?' do context 'with GnuPG being present on the system' do it 'succeeds' do expect(described_class.required_version?).to be true end end context 'without GnuPG being present on the system' do it 'fails' do allow(SecureMailing::PGP::Tool).to receive(:version).and_raise(Errno::ENOENT) expect(described_class.required_version?).to be false end end context 'with and outdated version of GnuPG' do it 'fails' do allow(SecureMailing::PGP::Tool).to receive(:version).and_return('1.8.0') expect(described_class.required_version?).to be false end end end describe '.retry' do let(:sender_email_address) { customer_email_address } let(:recipient_email_address) { system_email_address } let(:cc_recipient_email_address) { nil } let(:security_preferences) do { type: 'PGP', sign: { success: false, }, encryption: { success: true, }, } end let(:mail) do sender_pgp_key = create(:pgp_key, :with_private, fixture: sender_email_address) recipient_pgp_key = create(:pgp_key, :with_private, fixture: system_email_address) pgp_mail = Channel::EmailBuild.build( from: sender_email_address, to: recipient_email_address, body: raw_body, content_type: 'text/plain', security: security_preferences, attachments: [ { content_type: 'text/plain', content: 'blub', filename: 'test-file1.txt', }, ], ) mail = Channel::EmailParser.new.parse(pgp_mail.to_s) sender_pgp_key.destroy recipient_pgp_key.destroy mail end let!(:article) do _ticket, article, _user, _mail = Channel::EmailParser.new.process({}, mail['raw']) article end context 'when private key added' do before do create(:pgp_key, :with_private, fixture: recipient_email_address) end it 'succeeds' do SecureMailing.retry(article) expect(article.preferences[:security][:sign][:success]).to be false expect(article.preferences[:security][:sign][:comment]).to be_nil expect(article.preferences[:security][:encryption][:success]).to be true expect(article.preferences[:security][:encryption][:comment]).to eq '' expect(article.body).to include(raw_body) expect(article.attachments.count).to eq(1) expect(article.attachments.first.filename).to eq('test-file1.txt') end context 'when PGP activated' do before do Setting.set('pgp_integration', false) end it 'succeeds' do Setting.set('pgp_integration', true) SecureMailing.retry(article) expect(article.preferences[:security][:sign][:success]).to be false expect(article.preferences[:security][:sign][:comment]).to be_nil expect(article.preferences[:security][:encryption][:success]).to be true expect(article.preferences[:security][:encryption][:comment]).to eq '' expect(article.body).to include(raw_body) expect(article.attachments.count).to eq(1) expect(article.attachments.first.filename).to eq('test-file1.txt') end end end end end