pool/python-checkdmarc
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- update to 5.5.0:

Browse Source 
* Support `redirect` in SPF

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-checkdmarc?expand=0&rev=7
This commit is contained in:
Dirk Mueller 2024-10-10 15:49:32 +00:00 committed by Git OBS Bridge
commit 2aa4f41f73
8 changed files with 537 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

3
checkdmarc-5.3.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1d71e7fa611fa8faa36fad09416b5e2c3265d026d3b5209c051f4e292565e332
size 36307

3
checkdmarc-5.5.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d775f566f8fdd584adb9a26e792cfe1565cdf6bd50c54fe7b6d8443ce6db68cf
size 36103

84
python-checkdmarc.changes Normal file
View File

@ -0,0 +1,84 @@
-------------------------------------------------------------------
Thu Oct 10 15:49:23 UTC 2024 - Dirk Müller <dmueller@suse.com>
- update to 5.5.0:
* Support `redirect` in SPF
-------------------------------------------------------------------
Thu Feb 29 01:43:19 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
- Update to 5.3.1:
* Ignore UnicodeDecodeError exceptions when querying for TXT records
* Check DNSSEC on MX hostnames
* USE DNSSEC when requesting DNSKEY records
* Do not require an RRSIG answer when querying for DNSKEY records
* Pass in nameservers and timeout when running get_dnskey recursively
* Properly cache DNSKEY answers
* Fix exception handling for query_mta_sts_record
* Check for TLSA records
* Add support for parsing SMTP TLS Reporting (RFC8460) DNS records
* Add missing import dns.dnssec
* Always use the actual subdomain or domain provided
* Include MTA-STS and BIMI results in CSV output
* Added the include_tag_descriptions parameter to
checkdmarc.bimi.check_bimi()
* Added the exception class MTASTSPolicyDownloadError
* Major refactoring: Change from a single module to a package of modules,
with each checked standard as its own package
* Add support for MTA-STS RFC 8461
* Add support for BIMI
* Specify a BIMI selector using the --bimi-selector/-b option
* Fix SPF query error and warning messages
* Add support for null MX records - RFC 7505
* Make DMARC retorting URI error messages more clear
* Fix compatibility with Python 3.8
* SPFRecordNotFound exception now includes a domain argument
* The DMARC missing authorization error message now includes the full
expected DNS record
* Properly parse DMARC and BIMI records for domains that do not have an
identified base domain
* Add ignore_unrelated_records argument to query_dmarc_record()
* Replace publicsuffix2 with publicsuffixlist
* Maintain the original character case of the DMARC record
* Always treat tag names as lowercase
* Always treat the DMARC v tag value as if it was uppercase
* Always treat the DMARC p, and fo tag values as if they were lowercase
* Always treat URI schemes as lowercase, but maintain the case of the address
* Ignore case and whitespace when parsing DMARC and BIMI key=value pairs
* Handle missing PTR records more gracefully
* Redundant DMARC fo tag values now result in a warning
* Detect non-trivial loops
* Raise a SPFSyntaxError exception when an IP address and IP version do
not match
* Fix raising the DMARCRecordNotFound exception when a DMARC record does
not exist
* Add void lookup limit
* Add Support for User Defined DNS Resolver Object
* Fix DNS caching
* Fix CSV output
* Always parse RUA and RUF fields, even if other parts of the record are
invalid
* Migrate build from setuptools to hatch
- Stop shipping LICENSE, now included directly.
- Refresh tests.py from upstream.
- Switch to pyproject and patch macros.
- No more greedy globs in %files.
- Drop skip-broken-tests.patch, not required.
- Add patch skip-network-tests.patch, skip tests that require network access.
-------------------------------------------------------------------
Wed Jul 21 10:20:44 UTC 2021 - Matej Cepl <mcepl@suse.com>
- Use %pyunittest macro instead of directly calling %python_exec
-------------------------------------------------------------------
Tue Jul 20 17:00:06 UTC 2021 - Martin Hauke <mardnh@gmx.de>
- Use tests.py from github
- Add patch:
* skip-broken-tests.patch
-------------------------------------------------------------------
Sat Jul 17 10:14:54 UTC 2021 - Martin Hauke <mardnh@gmx.de>
- Initial package, version 4.4.1

86
python-checkdmarc.spec Normal file
View File

@ -0,0 +1,86 @@
#
# spec file for package python-checkdmarc
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2021, Martin Hauke <mardnh@gmx.de>
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: python-checkdmarc
Version: 5.5.0
Release: 0
Summary: A Python module and command line parser for SPF and DMARC records
License: Apache-2.0
URL: https://domainaware.github.io/checkdmarc
Source: https://files.pythonhosted.org/packages/source/c/checkdmarc/checkdmarc-%{version}.tar.gz
Source1: https://raw.githubusercontent.com/domainaware/checkdmarc/master/tests.py
Patch0: skip-network-tests.patch
BuildRequires: %{python_module hatchling}
BuildRequires: %{python_module pip}
BuildRequires: %{python_module wheel}
BuildRequires: fdupes
BuildRequires: python-rpm-macros
Requires: python-cryptography
Requires: python-dnspython >= 2.0.0
Requires: python-expiringdict >= 1.1.4
Requires: python-publicsuffixlist
Requires: python-pyleri >= 1.3.2
Requires: python-requests >= 2.25.0
Requires: python-timeout-decorator >= 0.4.1
Requires(post): update-alternatives
Requires(postun): update-alternatives
BuildArch: noarch
# SECTION test requirements
BuildRequires: %{python_module dnspython >= 2.0.0}
BuildRequires: %{python_module expiringdict >= 1.1.4}
BuildRequires: %{python_module publicsuffixlist}
BuildRequires: %{python_module pyleri >= 1.3.2}
BuildRequires: %{python_module requests >= 2.25.0}
BuildRequires: %{python_module timeout-decorator >= 0.4.1}
# /SECTION
%python_subpackages
%description
A Python module and command line parser for SPF and DMARC records.
%prep
%setup -q -n checkdmarc-%{version}
cp %{SOURCE1} .
%patch -P 0 -p0
%build
%pyproject_wheel
%install
%pyproject_install
%python_clone -a %{buildroot}%{_bindir}/checkdmarc
%python_expand %fdupes %{buildroot}%{$python_sitelib}
%post
%python_install_alternative checkdmarc
%postun
%python_uninstall_alternative checkdmarc
%check
%pyunittest -v tests.py
%files %{python_files}
%license LICENSE
%doc README.md
%python_alternative %{_bindir}/checkdmarc
%{python_sitelib}/checkdmarc
%{python_sitelib}/checkdmarc-%{version}.dist-info
%changelog

58
skip-network-tests.patch Normal file
View File

@ -0,0 +1,58 @@
--- tests.py~ 2024-02-29 12:22:56.007309853 +1100
+++ tests.py 2024-02-29 12:25:49.618057933 +1100
@@ -3,6 +3,7 @@
"""Automated tests"""
+import os.path
import unittest
from collections import OrderedDict
@@ -94,6 +95,7 @@
self.assertEqual(len(results["warnings"]), 0)
+ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network")
def testSplitSPFRecord(self):
"""Split SPF records are parsed properly"""
@@ -129,6 +131,7 @@
self.assertRaises(checkdmarc.spf.SPFRecordNotFound,
checkdmarc.spf.parse_spf_record, spf_record, domain)
+ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network")
def testTooManySPFDNSLookups(self):
"""SPF records with > 10 SPF mechanisms that cause DNS lookups raise
SPFTooManyDNSLookups"""
@@ -144,6 +147,7 @@
self.assertRaises(checkdmarc.spf.SPFTooManyDNSLookups,
checkdmarc.spf.parse_spf_record, spf_record, domain)
+ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network")
def testTooManySPFVoidDNSLookups(self):
"""SPF records with > 2 void DNS lookups"""
@@ -216,6 +220,7 @@
self.assertRaises(checkdmarc.spf.SPFIncludeLoop,
checkdmarc.spf.parse_spf_record, spf_record, domain)
+ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network")
def testSPFMissingMXRecord(self):
"""A warning is issued if an SPF record contains a mx mechanism
pointing to a domain that has no MX records"""
@@ -226,6 +231,7 @@
self.assertIn("{0} does not have any MX records".format(domain),
results["warnings"])
+ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network")
def testSPFMissingARecord(self):
"""A warning is issued if an SPF record contains a mx mechanism
pointing to a domain that has no A records"""
@@ -236,6 +242,7 @@
self.assertIn("cardinalhealth.net does not have any A/AAAA records",
results["warnings"])
+ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network")
def testDMARCPctLessThan100Warning(self):
"""A warning is issued if the DMARC pvt value is less than 100"""

279
tests.py Normal file
View File

@ -0,0 +1,279 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""Automated tests"""
import unittest
from collections import OrderedDict
import checkdmarc
import checkdmarc.utils
import checkdmarc.spf
import checkdmarc.dmarc
import checkdmarc.dnssec
known_good_domains = [
"fbi.gov",
"pm.me"
]
class Test(unittest.TestCase):
@unittest.skip
def testKnownGood(self):
"""Domains with known good STARTTLS support, SPF and DMARC records"""
results = checkdmarc.check_domains(known_good_domains)
for result in results:
spf_error = None
dmarc_error = None
for mx in result["mx"]["hosts"]:
self.assertEqual(
mx["starttls"], True,
"Host of known good domain {0} failed STARTTLS check: {1}"
"\n\n{0}".format(result["domain"], mx["hostname"])
)
if "error" in result["spf"]:
spf_error = result["spf"]["error"]
if "error" in result["dmarc"]:
dmarc_error = result["dmarc"]["error"]
self.assertEqual(result["spf"]["valid"], True,
"Known good domain {0} failed SPF check:"
"\n\n{1}".format(result["domain"], spf_error))
self.assertEqual(result["dmarc"]["valid"], True,
"Known good domain {0} failed DMARC check:"
"\n\n{1}".format(result["domain"], dmarc_error))
def testDMARCMixedFormatting(self):
"""DMARC records with extra spaces and mixed case are still valid"""
examples = [
"v=DMARC1;p=ReJect",
"v = DMARC1;p=reject;",
"v = DMARC1\t;\tp=reject\t;",
"v = DMARC1\t;\tp\t\t\t=\t\t\treject\t;",
"V=DMARC1;p=reject;"
]
for example in examples:
parsed_record = checkdmarc.dmarc.parse_dmarc_record(example, "")
self.assertIsInstance(parsed_record, OrderedDict)
def testGetBaseDomain(self):
subdomain = "foo.example.com"
result = checkdmarc.utils.get_base_domain(subdomain)
assert result == "example.com"
# Test reserved domains
subdomain = "_dmarc.nonauth-rua.invalid.example"
result = checkdmarc.utils.get_base_domain(subdomain)
assert result == "invalid.example"
subdomain = "_dmarc.nonauth-rua.invalid.test"
result = checkdmarc.utils.get_base_domain(subdomain)
assert result == "invalid.test"
subdomain = "_dmarc.nonauth-rua.invalid.invalid"
result = checkdmarc.utils.get_base_domain(subdomain)
assert result == "invalid.invalid"
subdomain = "_dmarc.nonauth-rua.invalid.localhost"
result = checkdmarc.utils.get_base_domain(subdomain)
assert result == "invalid.localhost"
# Test newer PSL entries
subdomain = "e3191.c.akamaiedge.net"
result = checkdmarc.utils.get_base_domain(subdomain)
assert result == "c.akamaiedge.net"
def testUppercaseSPFMechanism(self):
"""Treat uppercase SPF"SPF mechanisms as valid"""
spf_record = "v=spf1 IP4:147.75.8.208 -ALL"
domain = "example.no"
results = checkdmarc.spf.parse_spf_record(spf_record, domain)
self.assertEqual(len(results["warnings"]), 0)
def testSplitSPFRecord(self):
"""Split SPF records are parsed properly"""
rec = '"v=spf1 ip4:147.75.8.208 " "include:_spf.salesforce.com -all"'
parsed_record = checkdmarc.spf.parse_spf_record(rec, "example.com")
self.assertEqual(parsed_record["parsed"]["all"], "fail")
def testJunkAfterAll(self):
"""Ignore any mechanisms after the all mechanism, but warn about it"""
rec = "v=spf1 ip4:213.5.39.110 -all MS=83859DAEBD1978F9A7A67D3"
domain = "avd.dk"
parsed_record = checkdmarc.spf.parse_spf_record(rec, domain)
self.assertEqual(len(parsed_record["warnings"]), 1)
@unittest.skip
def testDNSSEC(self):
"""Test known good DNSSEC"""
self.assertEqual(checkdmarc.dnssec.test_dnssec("fbi.gov"), True)
def testIncludeMissingSPF(self):
"""SPF records that include domains that are missing SPF records
raise SPFRecordNotFound"""
spf_record = '"v=spf1 include:spf.comendosystems.com ' \
'include:bounce.peytz.dk include:etrack.indicia.dk ' \
'include:etrack1.com include:mail1.dialogportal.com ' \
'include:mail2.dialogportal.com a:mailrelay.jppol.dk ' \
'a:sendmail.jppol.dk ?all"'
domain = "ekstrabladet.dk"
self.assertRaises(checkdmarc.spf.SPFRecordNotFound,
checkdmarc.spf.parse_spf_record, spf_record, domain)
def testTooManySPFDNSLookups(self):
"""SPF records with > 10 SPF mechanisms that cause DNS lookups raise
SPFTooManyDNSLookups"""
spf_record = "v=spf1 a include:_spf.salesforce.com " \
"include:spf.protection.outlook.com " \
"include:spf.constantcontact.com " \
"include:_spf.elasticemail.com " \
"include:servers.mcsv.net " \
"include:_spf.google.com " \
"~all"
domain = "example.com"
self.assertRaises(checkdmarc.spf.SPFTooManyDNSLookups,
checkdmarc.spf.parse_spf_record, spf_record, domain)
def testTooManySPFVoidDNSLookups(self):
"""SPF records with > 2 void DNS lookups"""
spf_record = "v=spf1 a:13Mk4olS9VWhQqXRl90fKJrD.example.com " \
"mx:SfGiqBnQfRbOMapQJhozxo2B.example.com " \
"a:VAFeyU9N2KJX518aGsN3w6VS.example.com " \
"~all"
domain = "example.com"
self.assertRaises(checkdmarc.spf.SPFTooManyVoidDNSLookups,
checkdmarc.spf.parse_spf_record, spf_record, domain)
def testSPFSyntaxErrors(self):
"""SPF record syntax errors raise SPFSyntaxError"""
spf_record = '"v=spf1 mx a:mail.cohaesio.net ' \
'include: trustpilotservice.com ~all"'
domain = "2021.ai"
self.assertRaises(checkdmarc.spf.SPFSyntaxError,
checkdmarc.spf.parse_spf_record, spf_record, domain)
def testSPFInvalidIPv4(self):
"""Invalid ipv4 SPF mechanism values raise SPFSyntaxError"""
spf_record = "v=spf1 ip4:78.46.96.236 +a +mx +ip4:138.201.239.158 " \
"+ip4:78.46.224.83 " \
"+ip4:relay.mailchannels.net +ip4:138.201.60.20 ~all"
domain = "surftown.dk"
self.assertRaises(checkdmarc.spf.SPFSyntaxError,
checkdmarc.spf.parse_spf_record, spf_record, domain)
def testSPFInvalidIPv6inIPv4(self):
"""Invalid ipv4 SPF mechanism values raise SPFSyntaxError"""
spf_record = "v=spf1 ip4:1200:0000:AB00:1234:0000:2552:7777:1313 ~all"
domain = "surftown.dk"
self.assertRaises(checkdmarc.spf.SPFSyntaxError,
checkdmarc.spf.parse_spf_record, spf_record, domain)
def testSPFInvalidIPv4Range(self):
"""Invalid ipv4 SPF mechanism values raise SPFSyntaxError"""
spf_record = "v=spf1 ip4:78.46.96.236/99 ~all"
domain = "surftown.dk"
self.assertRaises(checkdmarc.spf.SPFSyntaxError,
checkdmarc.spf.parse_spf_record, spf_record, domain)
def testSPFInvalidIPv6(self):
"""Invalid ipv6 SPF mechanism values raise SPFSyntaxError"""
spf_record = "v=spf1 ip6:1200:0000:AB00:1234:O000:2552:7777:1313 ~all"
domain = "surftown.dk"
self.assertRaises(checkdmarc.spf.SPFSyntaxError,
checkdmarc.spf.parse_spf_record, spf_record, domain)
def testSPFInvalidIPv4inIPv6(self):
"""Invalid ipv6 SPF mechanism values raise SPFSyntaxError"""
spf_record = "v=spf1 ip6:78.46.96.236 ~all"
domain = "surftown.dk"
self.assertRaises(checkdmarc.spf.SPFSyntaxError,
checkdmarc.spf.parse_spf_record, spf_record, domain)
def testSPFInvalidIPv6Range(self):
"""Invalid ipv6 SPF mechanism values raise SPFSyntaxError"""
record = "v=spf1 ip6:1200:0000:AB00:1234:0000:2552:7777:1313/130 ~all"
domain = "surftown.dk"
self.assertRaises(checkdmarc.spf.SPFSyntaxError,
checkdmarc.spf.parse_spf_record, record, domain)
def testSPFIncludeLoop(self):
"""SPF record with include loop raises SPFIncludeLoop"""
spf_record = '"v=spf1 include:example.com"'
domain = "example.com"
self.assertRaises(checkdmarc.spf.SPFIncludeLoop,
checkdmarc.spf.parse_spf_record, spf_record, domain)
def testSPFMissingMXRecord(self):
"""A warning is issued if an SPF record contains a mx mechanism
pointing to a domain that has no MX records"""
spf_record = '"v=spf1 mx ~all"'
domain = "seanthegeek.net"
results = checkdmarc.spf.parse_spf_record(spf_record, domain)
self.assertIn("{0} does not have any MX records".format(domain),
results["warnings"])
def testSPFMissingARecord(self):
"""A warning is issued if an SPF record contains a mx mechanism
pointing to a domain that has no A records"""
spf_record = '"v=spf1 a ~all"'
domain = "cardinalhealth.net"
results = checkdmarc.spf.parse_spf_record(spf_record, domain)
self.assertIn("cardinalhealth.net does not have any A/AAAA records",
results["warnings"])
def testDMARCPctLessThan100Warning(self):
"""A warning is issued if the DMARC pvt value is less than 100"""
dmarc_record = "v=DMARC1; p=none; sp=none; fo=1; pct=50; adkim=r; " \
"aspf=r; rf=afrf; ri=86400; " \
"rua=mailto:eits.dmarcrua@energy.gov; " \
"ruf=mailto:eits.dmarcruf@energy.gov"
domain = "energy.gov"
results = checkdmarc.dmarc.parse_dmarc_record(dmarc_record, domain)
self.assertIn("pct value is less than 100",
results["warnings"][0])
def testInvalidDMARCURI(self):
"""An invalid DMARC report URI raises InvalidDMARCReportURI"""
dmarc_record = "v=DMARC1; p=none; rua=reports@dmarc.cyber.dhs.gov," \
"mailto:dmarcreports@usdoj.gov"
domain = "dea.gov"
self.assertRaises(checkdmarc.dmarc.InvalidDMARCReportURI,
checkdmarc.dmarc.parse_dmarc_record, dmarc_record,
domain)
dmarc_record = "v=DMARC1; p=none; rua=__" \
"mailto:reports@dmarc.cyber.dhs.gov," \
"mailto:dmarcreports@usdoj.gov"
self.assertRaises(checkdmarc.dmarc.InvalidDMARCReportURI,
checkdmarc.dmarc.parse_dmarc_record, dmarc_record,
domain)
def testInvalidDMARCPolicyValue(self):
"""An invalid DMARC policy value raises InvalidDMARCTagValue """
dmarc_record = "v=DMARC1; p=foo; rua=mailto:dmarc@example.com"
domain = "example.com"
self.assertRaises(checkdmarc.dmarc.InvalidDMARCTagValue,
checkdmarc.dmarc.parse_dmarc_record,
dmarc_record,
domain)
if __name__ == "__main__":
unittest.main(verbosity=2)