Skip to content

fix: multiple bug fixes across chatmaild and cmdeploy #836

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Retengart wants to merge 14 commits into
base: main
Choose a base branch
from
Open

fix: multiple bug fixes across chatmaild and cmdeploy #836

Retengart wants to merge 14 commits into from

Conversation

@Retengart
Copy link

@Retengart Retengart commented Feb 7, 2026
edited by missytake
Loading

Summary

Bug fixes (round 1)

  • fsreport.py: fix AttributeErrorFileEntry has path, not relpath. Crashes when --mdir flag is used
  • rdns.py: fix TypeErrorget_dkim_entry returns bare None instead of (None, None) tuple on CalledProcessError, crashing cmdeploy dns on fresh servers
  • deployers.py: fix silent deploy failure — build_webpages returns None on exception, causing rsync("None/", ...)
  • cmdeploy.py: remove dead code and potential NameError in run_cmdcheck_call always returns 0 or raises, making retcode != 0 branches unreachable; remote_data undefined with --skip-dns-check
  • rshell.py: fix IndexError in dovecot_recalc_quota — empty line at end of doveadm output produces parts=[]

Security fixes (round 2)

  • newemail.py: use secrets.choice instead of random.choices for username generation — per Python docs, secrets should be used for security-sensitive data
  • nginx.conf.j2: remove deprecated TLS 1.0/1.1 — RFC 8996, aligns with postfix (≥1.2) and dovecot (1.3) in same stack
  • doveauth.py: validate localpart characters to [a-z0-9._-] — prevents filesystem issues from crafted usernames via IMAP/SMTP auth
  • doveauth.py: fix TOCTOU race in account creation — use filelock to serialize concurrent creation for same address
  • turnserver.py: add 5s socket timeout — hung TURN daemon would block dict proxy thread indefinitely
  • metadata.py: handle turn_credentials() exceptions — return N (not found) instead of crashing the dict proxy connection

Formatting

  • chore: ruff formatting fixes in acmetool, dovecot, postfix deployers

Test plan

  • pytest chatmaild/src/ — 50 passed
  • pytest cmdeploy/src/cmdeploy/tests/ --ignore=online — 16 passed
  • ruff check + ruff format --check on all changed Python files — clean
  • CI staging deploy + online tests

@Retengart
chore: fix ruff formatting in acmetool, dovecot, postfix deployers
ea52fde
@Retengart
fix: use msg.path instead of nonexistent msg.relpath in fsreport
0443965 
FileEntry namedtuple has (path, mtime, size), not relpath.
Crashes with AttributeError when --mdir flag is used.
@Retengart
fix: return tuple from get_dkim_entry on CalledProcessError
a5dc1d8 
Bare return yielded None, causing TypeError on tuple unpacking
in perform_initial_checks on fresh servers without DKIM keys.
@Retengart
fix: handle build_webpages returning None in WebsiteDeployer
3ad8e5a 
Exception in _build_webpages was silently caught, returning None.
rsync then received "None/" as source path, silently breaking deploy.
@Retengart
fix: remove dead code and potential NameError in run_cmd
0148ecd 
check_call always returns 0 or raises, making retcode!=0 branches
unreachable. Also remote_data was undefined with --skip-dns-check.
@Retengart
fix: guard against IndexError in dovecot_recalc_quota
93eb996 
doveadm output ends with empty line, parts=[] causes parts[2] crash.
@Retengart
fix(security): use secrets.choice instead of random.choices for username
c48a7d8 
Per Python docs, secrets module should be used for security-sensitive
data. random.choices uses Mersenne Twister PRNG which is predictable.
secrets.choice was already used for password generation in the same file.
@Retengart
fix(security): remove deprecated TLS 1.0/1.1 from nginx config
0d3cde9 
TLS 1.0/1.1 deprecated by RFC 8996. Nginx default is TLSv1.2 TLSv1.3.
Aligns with postfix (>=TLSv1.2) and dovecot (TLSv1.3) in the same stack.
@Retengart
fix(security): validate localpart chars and fix account creation race
e32816b 
- Reject localparts with chars outside [a-z0-9._-] to prevent
  filesystem issues from crafted usernames via IMAP/SMTP auth
- Use filelock to serialize concurrent account creation for same
  address, preventing TOCTOU race where two threads both create
  an account and last writer wins
@Retengart
fix: add 5s timeout to TURN credential socket
47c9586 
Hung TURN daemon would block dict proxy handler thread indefinitely.
Per Python docs, settimeout() raises TimeoutError on expiry.
@Retengart
fix: handle turn_credentials exceptions in metadata proxy
447c0ee 
ConnectionRefusedError/FileNotFoundError/TimeoutError from
turn_credentials() would kill the dict proxy connection.
Return N (not found) response instead and log the error.
@Retengart
test: add error-path tests for all bug fixes
1d8e44a 
- test_doveauth: invalid localpart chars rejected, concurrent same-account creation
- test_expire: --mdir filtering uses msg.path correctly
- test_metadata: TURN exception returns N\n, success returns credentials
- test_turnserver: socket timeout, connection refused, happy path
- test_dns: get_dkim_entry returns (None, None) on CalledProcessError
- test_rshell: dovecot_recalc_quota handles empty/malformed output
@missytake
Copy link
Contributor

missytake commented Feb 8, 2026
edited
Loading

Thanks for this giant PR! I will create a separate branch so the CI can deploy it to our test servers.

Usually we like to have one PR per change, so we can decide about them individually^^ let's see, if all of it is uncontroversial, it's probably fine, and at least the commits are properly separated :) I will take a look at your commits later today (or latest, on Tuesday).

@missytake missytake mentioned this pull request Feb 8, 2026
Closed
missytake
missytake approved these changes Feb 8, 2026
View reviewed changes
Copy link
Contributor

@missytake missytake left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, it's really an impressive list of fixes! And thank you especially for adding tests, nice.

cmdeploy/src/cmdeploy/tests/test_dns.py Outdated
Comment on lines 82 to 83
assert result == (None, None)
assert result[0] is None and result[1] is None
Copy link
Contributor

@missytake missytake Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of interest: Is there a scenario in which the first statement passes and the second doesn't?

Copy link
Author

@Retengart Retengart Feb 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess I overlooked it... Of course, you're right — it's redundant. None is a singleton so == None and is None are equivalent. Removed in the next push.

@Retengart
fix: remove redundant assertion in test_dkim_entry
f9e2b57 
None is a singleton; == already covers is None check.
@Retengart
fix: catch filelock.Timeout in doveauth and remove dead test vars
6a7adca 
- Handle filelock.Timeout gracefully in lookup_passdb: return N
  (not found) instead of killing the entire dict connection
- Remove unused call_count variables from test_rshell.py
@Retengart
Copy link
Author

Retengart commented Feb 8, 2026

Two follow-up fixes based on self-review:

  1. doveauth.py: filelock.Timeout was uncaught — if the lock couldn't be acquired in 5s, the exception would propagate to DictProxy's generic handler and kill the entire Dovecot dict connection (affecting all in-flight requests). Now caught locally: logs a warning and returns N (not found) so only the single lookup fails gracefully and the client can retry.

  2. test_rshell.py: removed unused call_count variables from 3 tests (declared and incremented but never asserted).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@missytake missytake missytake approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Retengart @missytake