Initial commit

.github/dependabot.yml

@@ -0,0 +1,18 @@
+version: 2
+updates:
+  - package-ecosystem: "pip"
+    directory: "/app/translations/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/app/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/mail_receiver/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/test/"
+    schedule:
+      interval: "weekly"

.github/workflows/check_no_translations_to_update.yml

@@ -0,0 +1,20 @@
+name: "check that we don't need to update translations"
+on:
+  push:
+    branches: [ '**' ]
+
+jobs:
+  check_no_translations_to_update:
+    runs-on: ubuntu-latest
+    timeout-minutes: 3
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v2
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.11"
+      - name: Update the translations
+        run: ./scripts/update_translation_files
+      - name: Check that the files didn't change
+        run: git diff --exit-code

.github/workflows/liccheck.yml

@@ -0,0 +1,28 @@
+name: "license-check"
+on:
+  push:
+    branches: [ '**' ]
+
+jobs:
+  license-check:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v2
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r app/requirements.txt -r mail_receiver/requirements.txt -r test/requirements.txt liccheck==0.9.2
+      - name: Remove checkdmarc installed from CERT PL fork from requirements as it's not supported by liccheck
+        run: cp app/requirements.txt app/requirements.txt.orig; cat app/requirements.txt.orig | grep -v ^git+.*checkdmarc > app/requirements.txt
+      - name: Run liccheck on app/requirements.txt
+        run: liccheck -r app/requirements.txt
+      - name: Run liccheck on mail_receiver/requirements.txt
+        run: liccheck -r mail_receiver/requirements.txt
+      - name: Run liccheck on test/requirements.txt
+        run: liccheck -r test/requirements.txt

.github/workflows/lint.yml

@@ -0,0 +1,22 @@
+name: "lint"
+on:
+  push:
+    branches: [ '**' ]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v2
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v2
+        with:
+          python-version: "3.11"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install pre-commit==3.5.0
+      - name: Run pre-commit
+        run: pre-commit run --all-files

.github/workflows/test.yml

@@ -0,0 +1,14 @@
+name: "tests"
+on:
+  push:
+    branches: [ '**' ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v2
+      - name: run tests
+        run: ./scripts/test

.gitignore

@@ -0,0 +1,2 @@
+__pycache__
+logs/

.mypy.ini

@@ -0,0 +1,14 @@
+[mypy-decouple.*]
+ignore_missing_imports = True
+
+[mypy-dkim.*]
+ignore_missing_imports = True
+
+[mypy-jinja2_simple_tags.*]
+ignore_missing_imports = True
+
+[mypy-publicsuffixlist.*]
+ignore_missing_imports = True
+
+[mypy-validators.*]
+ignore_missing_imports = True

.pre-commit-config.yaml

@@ -0,0 +1,35 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.5.0
+  hooks:
+  - id: end-of-file-fixer
+  - id: trailing-whitespace
+- repo: https://github.com/psf/black
+  rev: 23.11.0
+  hooks:
+  - id: black
+- repo: https://github.com/pycqa/isort
+  rev: 5.12.0
+  hooks:
+  - id: isort
+    name: isort (python)
+- repo: https://github.com/pre-commit/mirrors-mypy
+  rev: v1.7.1
+  hooks:
+  - id: mypy
+    args: [--strict]
+    additional_dependencies:
+    - aiosmtpd==1.4.4.post2
+    - dacite==1.8.1
+    - dnspython==2.4.2
+    - email-validator==2.1.0.post1
+    - fastapi==0.104.1
+    - Jinja2==3.1.2
+    - sqlalchemy-stubs==0.4
+    - types-redis==4.6.0.11
+    - types-requests==2.31.0.10
+- repo: https://github.com/PyCQA/flake8
+  rev: 6.1.0
+  hooks:
+  - id: flake8
+    args: [.]

LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2023, CERT Polska
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of mailgoose nor the names of its contributors
+      may be used to endorse or promote products derived from this software
+      without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,60 @@
+# mailgoose
+
+## How to run locally
+To run the service locally, use:
+
+```
+cp env.example .env
+# Please review the file and set the configuration variables as needed,
+# especially APP_DOMAIN - the domain you will serve the application on.
+#
+# You may provide additional settings in this file, e.g. SSL certificate
+# settings: SSL_PRIVATE_KEY_PATH and SSL_CERTIFICATE_PATH.
+
+docker compose up --build
+```
+
+The application will listen on http://127.0.0.1:8000
+
+## How to deploy to production
+Before deploying the system using the configuration in `docker-compose.yml` remember to:
+
+- change the database password to a more secure one,
+- use Redis password,
+- consider whether you want to launch a database/Redis instance inside a container (instead
+  of e.g. attaching to your own PostgreSQL cluster),
+- check whether you want to use Google nameservers.
+
+Instead of copying `docker-compose.yml`, you may override the configuration using the
+`docker compose -f docker-compose.yml -f docker-compose.override.yml` syntax.
+
+## How to change the layout
+If you want to change the main layout template (e.g. to provide additional scripts or your own
+custom navbar with logo), mount a different file using Docker to `/app/templates/custom_layout.html`.
+Refer to `app/templates/base.html` to learn what block you can fill.
+
+You can also customize the root page (/) of the system by providing your own file that will
+replace `/app/templates/custom_root_layout.html`.
+
+By replacing `/app/templates/custom_failed_check_result_hints.html` you may provide your own
+text that will be displayed if the e-mail sender verification mechanisms checks fail.
+
+At CERT PL we use a separate `docker-compose.yml` file with additional configuration
+specific to our instance (https://bezpiecznapoczta.cert.pl/). Instead of copying
+`docker-compose.yml`, we override the configuration using the
+`docker compose -f docker-compose.yml -f docker-compose.override.yml` syntax.
+
+## How to use the HTTP API
+
+To check a domain using a HTTP API, use:
+
+```
+curl -X POST http://127.0.0.1:8000/api/v1/check-domain?domain=example.com
+```
+
+## How to run the tests
+To run the tests, use:
+
+```
+./script/test
+```

app/docker/Dockerfile

@@ -0,0 +1,18 @@
+FROM python:3.11.2-alpine
+
+RUN apk add bash openssl git tzdata opendkim opendkim-utils
+
+ENV TZ=Europe/Warsaw
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+WORKDIR /app/
+COPY app/requirements.txt /requirements.txt
+COPY app/translations/requirements.txt /translations/requirements.txt
+
+RUN pip install -r /requirements.txt
+
+COPY common/wait-for-it.sh /wait-for-it.sh
+COPY common/mail_receiver_utils.py /app/mail_receiver_utils.py
+
+COPY app/ /app/
+RUN openssl rand -hex 10 > /app/build_id

app/requirements.txt

@@ -0,0 +1,15 @@
+git+https://github.com/CERT-Polska/checkdmarc@allowing-whitespace
+dacite==1.8.1
+dkimpy==1.1.5
+email-validator==2.1.0.post1
+fastapi==0.104.1
+Jinja2==3.1.2
+jinja2-simple-tags==0.5.0
+psycopg2-binary==2.9.9
+python-decouple==3.8
+python-multipart==0.0.6
+redis==5.0.1
+SQLAlchemy==2.0.23
+uvicorn==0.24.0.post1
+validators==0.22.0
+-r translations/requirements.txt