From 2cc2d0b47e07cca3e26aa23656fd421c253354e8 Mon Sep 17 00:00:00 2001
From: Dominik Chilla
Date: Fri, 4 Dec 2020 09:14:29 +0100
Subject: [PATCH] Policy check: expect valid UUIDs
---
 README.md | 6 +++---
 app/policy.py | 15 +++++++++------
 tests/miltertest.lua | 10 +++++-----
 tests/policy.json | 8 ++++----
 4 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index 862de51..ddaf67f 100644
--- a/README.md
+++ b/README.md
@@ -131,12 +131,12 @@ Prerequisites: `docker-compose` installed
 * Create the policy file `data/policy.json` with following content:
 ```
 {
- "lalalulu.onmicrosoft.com": {
+ "yad.onmicrosoft.com": {
 "tenant_id": "1234abcd-18c5-45e8-88de-123456789abc",
 "dkim_enabled": true
 },
- "asdf2.onmicrosoft.com": {
- "tenant_id": "asdftasdfa",
+ "example.com": {
+ "tenant_id": "abcd1234-18c5-45e8-88de-987654321cba",
 "dkim_enabled": false
 }
 }
diff --git a/app/policy.py b/app/policy.py
index 356735b..8fc41fe 100644
--- a/app/policy.py
+++ b/app/policy.py
@@ -1,6 +1,7 @@
 import json
 import traceback
 import re
+from uuid import UUID
 class ExOTAPolicyException(Exception):
 def __init__(self, message):
@@ -30,14 +31,16 @@ class ExOTAPolicy():
 "Policy must have a 'tenant_id' attribute!"
 )
 else:
- if policy_dict['tenant_id'] == '':
+ try:
+ UUID(policy_dict['tenant_id'])
+ except ValueError as e:
 raise ExOTAPolicyInvalidException(
- "'tenant_id' must not be empty!"
- )
- if re.match(r'^.*\s+.*$', policy_dict['tenant_id']):
+ "Invalid 'tenant_id': {0}".format(str(e))
+ ) from e
+ except Exception as e:
 raise ExOTAPolicyInvalidException(
- "'tenant_id' must not contain whitespace characters!"
- )
+ "Invalid 'tenant_id': {0}".format(traceback.format_exc())
+ ) from e
 if 'dkim_enabled' not in policy_dict:
 raise ExOTAPolicyInvalidException(
 "Policy must have a 'dkim_enabled' attribute!"
diff --git a/tests/miltertest.lua b/tests/miltertest.lua
index 53c0384..b7ffd3f 100644
--- a/tests/miltertest.lua
+++ b/tests/miltertest.lua
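Review bot: `UUID(policy_dict['tenant_id'])` in the new `try` accepts far more than the canonical spelling — braces, a `urn:uuid:` prefix, hyphen-less 32-hex strings and upper-case hex all parse — so a policy entry written in any of those forms passes this check, yet if the tenant id is later compared as a plain string against the `X-MS-Exchange-CrossTenant-Id` header (the tests feed that header in lowercase hyphenated form), it would never match and the entry would silently fall through to whatever the non-matching path does, which this hunk does not show. Pin the canonical form once parsing succeeds: `tenant_id = policy_dict['tenant_id']` / `if str(UUID(tenant_id)) != tenant_id:` / `raise ExOTAPolicyInvalidException("'tenant_id' must be a canonical lowercase hyphenated UUID!")`, or else store `str(UUID(...))` back as the value used for matching. The `except Exception` branch is where a non-string value such as a bare JSON number lands (`UUID()` raises `AttributeError` on `.replace` there), and it pastes `traceback.format_exc()` into the operator-facing message; catching `(TypeError, AttributeError)` with a plain `"'tenant_id' must be a string!"` is clearer, and `from e` already preserves the traceback for debugging. With the `re.match` gone, check whether `import re` is still used elsewhere in the module. The enclosing method begins and ends outside the hunk.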
@@ -27,7 +27,7 @@ if mt.getreply(conn) ~= SMFIR_CONTINUE then
 end
 -- HEADER
-if mt.header(conn, "From", '"Blah Blubb" ') ~= nil then
+if mt.header(conn, "From", '"Blah Blubb" ') ~= nil then
 error "mt.header(From) failed"
 end
 if mt.header(conn, "X-MS-Exchange-CrossTenant-Id", "1234abcd-18c5-45e8-88de-123456789abc") ~= nil then
@@ -36,16 +36,16 @@ end
 --if mt.header(conn, "X-MS-Exchange-CrossTenant-Id", "4321abcd-18c5-45e8-88de-blahblubb") ~= nil then
 -- error "mt.header(Subject) failed"
 --end
-if mt.header(conn, "Authentication-Results", "another-wrong-auth-serv-id;\n dkim=fail header.d=lalalulu.onmicrosoft.com header.s=selector1-lalalulu-onmicrosoft-com header.b=mmmjFpv8") ~= nil then
+if mt.header(conn, "Authentication-Results", "another-wrong-auth-serv-id;\n dkim=fail header.d=yad.onmicrosoft.com header.s=selector1-yad-onmicrosoft-com header.b=mmmjFpv8") ~= nil then
 error "mt.header(Subject) failed"
 end
-if mt.header(conn, "Authentication-Results", "wrong-auth-serv-id;\n dkim=pass header.d=lalalulu.onmicrosoft.com header.s=selector1-lalalulu-onmicrosoft-com header.b=mmmjFpv8") ~= nil then
+if mt.header(conn, "Authentication-Results", "wrong-auth-serv-id;\n dkim=pass header.d=yad.onmicrosoft.com header.s=selector1-yad-onmicrosoft-com header.b=mmmjFpv8") ~= nil then
 error "mt.header(Subject) failed"
 end
-if mt.header(conn, "Authentication-Results", "my-auth-serv-id;\n dkim=pass header.d=lalalulu.onmicrosoft.com header.s=selector1-lalalulu-onmicrosoft-com header.b=mmmjFpv8") ~= nil then
+if mt.header(conn, "Authentication-Results", "my-auth-serv-id;\n dkim=pass header.d=yad.onmicrosoft.com header.s=selector1-yad-onmicrosoft-com header.b=mmmjFpv8") ~= nil then
 error "mt.header(Subject) failed"
 end
-if mt.header(conn, "Authentication-Results", "my-auth-serv-id;\n dkim=fail header.d=lalalulu.onmicrosoft.com header.s=selector2-asdf header.b=mmmjFpv8") ~= nil then
+if mt.header(conn, "Authentication-Results", "my-auth-serv-id;\n dkim=fail header.d=yad.onmicrosoft.com header.s=selector2-asdf header.b=mmmjFpv8") ~= nil then
 error "mt.header(Subject) failed"
 end
 if mt.header(conn, "Authentication-Results", "some-validating-host;\n dkim=pass header.d=paypal.de header.s=pp-dkim1 header.b=PmTtUzer;\n dmarc=pass (policy=reject) header.from=paypal.de;\n spf=pass (some-validating-host: domain of
service@paypal.de designates 173.0.84.226 as permitted sender) smtp.mailfrom=service@paypal.de") ~= nil then
diff --git a/tests/policy.json b/tests/policy.json
index 098f7ed..d6a9b66 100644
--- a/tests/policy.json
+++ b/tests/policy.json
@@ -1,10 +1,10 @@
 {
- "lalalulu.onmicrosoft.com": {
+ "yad.onmicrosoft.com": {
 "tenant_id": "1234abcd-18c5-45e8-88de-123456789abc",
 "dkim_enabled": true
 },
- "asdf2.onmicrosoft.com": {
- "tenant_id": "asdftasdfa",
- "dkim_enabled": true
+ "example.com": {
+ "tenant_id": "abcd1234-18c5-45e8-88de-987654321cba",
+ "dkim_enabled": false
 }
 }
\ No newline at end of file