CI: don't generate files in the source directory

That was just a lazy kludge, the real way we want to do this is by
generating the config files more dynamically so they can use
non-relative paths.

.ruff.toml

@@ -1,4 +1,4 @@
-include = ["contrib/openarc-keygen"]
+include = ["contrib/openarc-keygen", "*.py"]
 line-length = 160
 
 [lint]

test/Makefile.am

@@ -1,4 +1,4 @@
-EXTRA_DIST = files/*.conf files/peerlist* files/unsafe.key pytest.ini *.py
+EXTRA_DIST = files/*.conf files/peerlist* pytest.ini *.py
 
 check:
 	pytest -vv

test/conftest.py

@@ -1,77 +1,114 @@
 #!/usr/bin/env python3
 
-import os
+import json
+import pathlib
 import subprocess
 import time
 
 import pytest
 
 
-@pytest.fixture()
-def private_key(scope='session'):
-    basepath = os.path.dirname(os.path.realpath(__file__))
-    keypath = os.path.join(basepath, 'files', 'private.key')
-    binargs = [
-        'openssl',
-        'genrsa',
-        '-out',
-        keypath,
-        '2048',
-    ]
-    subprocess.run(binargs)
-
-    pubpath = os.path.join(basepath, 'files', 'public.key')
-    binargs = [
-        'openssl',
-        'rsa',
-        '-in',
-        keypath,
-        '-pubout',
-    ]
-    res = subprocess.run(binargs, capture_output=True, text=True)
-    with open(pubpath, 'w') as f:
-        key = ''.join(res.stdout.splitlines()[1:-1])
-        f.write(
-            'sel._domainkey.dkimpy.example.com v=DKIM1; k=rsa; '
-            'p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqf/MoqRqzK3/bcCyLSx5'
-            'CDvyPotNDBjLLFHdMmcWDiSZ8saslFyNR6FkFxuNtw843m7MkwOSJ9TRd9p+OoRLDv'
-            'H0jDR1Dqq22QOJKiG5XQ91aZwin9jpWKkuoRoRZRhWrzUOJWAybHarsEQm9iCPh2zn'
-            'dbSPSzPQL1OsjURIuw5G9+/nr5rhJ72Qi6v86zofWUKdXhLf+oVmho79D0xGMFFm0f'
-            'b98xIeZlgJTnmrj/zuxIKHeVmGKI1j6L3xttdcDiUVRGxoubkFzg9TIBGhdeFkpa0C'
-            'ZuhB/1/U3f1oG3Upx5o/jXTQk/dwVaaeEXnRmTsfGYn4GQ9ziity1ijLsQIDAQAB\n'
-        )
-        f.write(f'elpmaxe._domainkey.example.com v=DKIM1; k=rsa; h=sha256; p={key}\n')
-        f.write(f'xn--2j5b._domainkey.xn--vv4b606a.example.com v=DKIM1; k=rsa; h=sha256; p={key}\n')
+@pytest.fixture(scope='session')
+def private_key(tmp_path_factory, tool_path):
+    basepath = tmp_path_factory.mktemp('keys')
 
+    for s, d in [
+        ['elpmaxe', 'example.com'],
+        ['xn--2j5b', 'xn--vv4b606a.example.com'],
+        ['unsafe', 'example.com'],
+    ]:
+        binargs = [
+            tool_path('contrib/openarc-keygen'),
+            '-D',
+            str(basepath),
+            '-d',
+            d,
+            '-s',
+            s,
+            '--hash-algorithms',
+            'sha256',
+            '-f',
+            'testkey',
+        ]
+        subprocess.run(binargs, check=True)
+
+    basepath.joinpath('unsafe._domainkey.example.com.key').chmod(0o644)
+
+    testkeys = (
+        'sel._domainkey.dkimpy.example.com v=DKIM1; k=rsa; '
+        'p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqf/MoqRqzK3/bcCyLSx5'
+        'CDvyPotNDBjLLFHdMmcWDiSZ8saslFyNR6FkFxuNtw843m7MkwOSJ9TRd9p+OoRLDv'
+        'H0jDR1Dqq22QOJKiG5XQ91aZwin9jpWKkuoRoRZRhWrzUOJWAybHarsEQm9iCPh2zn'
+        'dbSPSzPQL1OsjURIuw5G9+/nr5rhJ72Qi6v86zofWUKdXhLf+oVmho79D0xGMFFm0f'
+        'b98xIeZlgJTnmrj/zuxIKHeVmGKI1j6L3xttdcDiUVRGxoubkFzg9TIBGhdeFkpa0C'
+        'ZuhB/1/U3f1oG3Upx5o/jXTQk/dwVaaeEXnRmTsfGYn4GQ9ziity1ijLsQIDAQAB\n'
+    )
+
+    for fname in [
+        'elpmaxe._domainkey.example.com.txt',
+        'xn--2j5b._domainkey.xn--vv4b606a.example.com.txt',
+    ]:
+        with open(basepath.joinpath(fname), 'r') as f:
+            testkeys += f.read()
 
-@pytest.fixture()
-def tool_path(scope='session'):
+    keyfile = basepath.joinpath('public.key')
+    with open(keyfile, 'w') as f:
+        f.write(testkeys)
+
+    return {
+        'basepath': basepath,
+        'public_keys': str(keyfile),
+    }
+
+
+@pytest.fixture(scope='session')
+def tool_path():
     def _tool_path(tool):
-        binpath = os.path.dirname(os.path.realpath(__file__))
-        binpath = os.path.join(binpath, '..', tool)
-        return os.path.realpath(binpath)
+        return pathlib.Path(__file__).parent.parent.joinpath(tool).absolute()
 
     return _tool_path
 
 
 @pytest.fixture()
 def milter_config(request, tmp_path, private_key):
-    base_path = os.path.join(request.fspath.dirname, 'files')
+    base_path = request.path.parent.joinpath('files')
+
     config = {
-        'cwd': base_path,
-        'file': os.path.join(base_path, 'milter.conf'),
-        'sock': tmp_path.joinpath('milter.sock'),
+        'Domain': 'example.com',
+        'AuthservID': 'example.com',
+        'TestKeys': private_key['public_keys'],
+        'Selector': 'elpmaxe',
+        'KeyFile': 'elpmaxe._domainkey.example.com.key',
+        'Mode': 'sv',
+        'FixedTimestamp': '1234567890',
+        'RequireSafeKeys': 'false',  # tmp is world writeable
     }
+
     for candidate in [
-        request.fspath.basename,  # test file
+        request.path.name,  # test file
         request.function.__name__,  # test function
     ]:
-        fname = os.path.join(base_path, '.'.join([candidate, 'conf']))
-        if os.path.isfile(fname):
-            config['file'] = fname
-            return config
+        fname = base_path.joinpath(f'{candidate}.conf')
+        if fname.exists():
+            config.update(json.loads(fname.read_text()))
+
+    if config['KeyFile']:
+        config['KeyFile'] = private_key['basepath'].joinpath(config['KeyFile'])
 
-    return config
+    for static_file in ['PeerList', 'InternalHosts']:
+        if config.get(static_file):
+            config[static_file] = base_path.joinpath(config[static_file])
+
+    fname = tmp_path.joinpath('milter.conf')
+    with open(fname, 'w') as f:
+        for k, v in config.items():
+            if v is not None:
+                f.write(f'{k} {v}\n')
+
+    return {
+        'file': fname,
+        'sock': tmp_path.joinpath('milter.sock'),
+    }
 
 
 @pytest.fixture()
@@ -89,8 +126,8 @@ def milter_cmdline(tmp_path, tool_path, milter_config):
 
 @pytest.fixture()
 def milter(milter_cmdline, milter_config):
-    milter_proc = subprocess.Popen(milter_cmdline, cwd=milter_config['cwd'])
-    while not milter_proc.poll() and not os.path.exists(milter_config['sock']):
+    milter_proc = subprocess.Popen(milter_cmdline)
+    while not milter_proc.poll() and not milter_config['sock'].exists():
         time.sleep(0.1)
 
     yield milter_proc

test/files/test_config_fail.conf

@@ -1,2 +1,3 @@
-Domain          example.com
-Selector        elpmaxe
+{
+  "Selector": null
+}

test/files/test_config_requiresafekeys.conf

@@ -1,6 +1,4 @@
-Domain          example.com
-AuthservID      example.com
-KeyFile         unsafe.key
-TestKeys        public.key
-Selector        elpmaxe
-Mode            sv
+{
+  "RequireSafeKeys": "true",
+  "KeyFile": "unsafe._domainkey.example.com.key"
+}

test/files/test_config_requiresafekeys_false.conf

@@ -1,7 +1,4 @@
-Domain          example.com
-AuthservID      example.com
-KeyFile         unsafe.key
-TestKeys        public.key
-Selector        elpmaxe
-Mode            sv
-RequireSafeKeys false
+{
+    "RequireSafeKeys": "false",
+    "KeyFile": "unsafe._domainkey.example.com.key"
+}

test/files/test_milter_ar_override_disabled.conf

@@ -1,7 +1,3 @@
-Domain                          example.com
-AuthservID                      example.com
-KeyFile                         private.key
-TestKeys                        public.key
-Selector                        elpmaxe
-Mode                            sv
-PermitAuthenticationOverrides   false
+{
+  "PermitAuthenticationOverrides": "false"
+}

test/files/test_milter_authresip.conf

@@ -1,7 +1,3 @@
-Domain          example.com
-AuthservID      example.com
-AuthResIP       false
-KeyFile         private.key
-TestKeys        public.key
-Selector        elpmaxe
-Mode            sv
+{
+  "AuthResIP": "false"
+}

test/files/test_milter_canon_simple.conf

@@ -1,7 +1,4 @@
-Domain          example.com
-AuthservID      example.com
-KeyFile         private.key
-TestKeys        public.key
-Selector        elpmaxe
-Mode            s
-Canonicalization simple/simple
+{
+  "Mode": "s",
+  "Canonicalization": "simple/simple"
+}

test/files/test_milter_finalreceiver.conf

@@ -1,8 +1,3 @@
-FinalReceiver   yes
-Domain          example.com
-AuthservID      example.com
-KeyFile         private.key
-TestKeys        public.key
-Selector        elpmaxe
-Mode            sv
-FixedTimestamp  1234567890
+{
+  "FinalReceiver": "yes"
+}

test/files/test_milter_idna.conf

@@ -1,7 +1,7 @@
-Domain          시험.example.com
-AuthservID      시험.example.com
-KeyFile         private.key
-TestKeys        public.key
-Selector        예
-Mode            s
-FixedTimestamp  1234567890
+{
+  "Domain": "시험.example.com",
+  "AuthservID": "시험.example.com",
+  "Selector": "예",
+  "KeyFile": "xn--2j5b._domainkey.xn--vv4b606a.example.com.key",
+  "Mode": "s"
+}

test/files/test_milter_minimum_key_bits.conf

@@ -1,8 +1,4 @@
-Domain          example.com
-AuthservID      example.com
-KeyFile         private.key
-TestKeys        public.key
-Selector        elpmaxe
-Mode            s
-FixedTimestamp  1234567890
-MinimumKeySizeRSA  2048
+{
+  "Mode": "s",
+  "MinimumKeySizeRSA": "2048"
+}

test/files/test_milter_minimum_key_bits_fail.conf

@@ -1,8 +1,4 @@
-Domain          example.com
-AuthservID      example.com
-KeyFile         private.key
-TestKeys        public.key
-Selector        elpmaxe
-Mode            s
-FixedTimestamp  1234567890
-MinimumKeySizeRSA  2049
+{
+  "Mode": "s",
+  "MinimumKeySizeRSA": "2049"
+}

test/files/test_milter_mode_none_sign.conf

@@ -1,5 +1,3 @@
-Domain          example.com
-AuthservID      example.com
-KeyFile         private.key
-TestKeys        public.key
-Selector        elpmaxe
+{
+  "Mode": null
+}

test/files/test_milter_mode_none_verify.conf

@@ -1,6 +1,4 @@
-Domain          example.com
-AuthservID      example.com
-KeyFile         private.key
-TestKeys        public.key
-Selector        elpmaxe
-InternalHosts   peerlist_nolocalhost
+{
+  "Mode": null,
+  "InternalHosts": "peerlist_nolocalhost"
+}

test/files/test_milter_mode_s.conf

@@ -1,6 +1,3 @@
-Domain          example.com
-AuthservID      example.com
-KeyFile         private.key
-TestKeys        public.key
-Selector        elpmaxe
-Mode            s
+{
+  "Mode": "s"
+}

test/files/test_milter_mode_v.conf

@@ -1,6 +1,3 @@
-Domain          example.com
-AuthservID      example.com
-KeyFile         private.key
-TestKeys        public.key
-Selector        elpmaxe
-Mode            v
+{
+  "Mode": "v"
+}

test/files/test_milter_peerlist.conf

@@ -1,7 +1,3 @@
-Domain          example.com
-AuthservID      example.com
-KeyFile         private.key
-TestKeys        public.key
-Selector        elpmaxe
-Mode            sv
-PeerList        peerlist
+{
+  "PeerList": "peerlist"
+}

test/files/test_milter_resign.conf

@@ -1,8 +1,4 @@
-Domain                          example.com
-AuthservID                      example.com
-KeyFile                         private.key
-TestKeys                        public.key
-Selector                        elpmaxe
-Mode                            sv
-MaximumHeaders                  0
-PermitAuthenticationOverrides   false
+{
+  "MaximumHeaders": "0",
+  "PermitAuthenticationOverrides": "false"
+}

test/files/test_milter_resign_s.conf

@@ -1,8 +1,5 @@
-Domain                          example.com
-AuthservID                      example.com
-KeyFile                         private.key
-TestKeys                        public.key
-Selector                        elpmaxe
-Mode                            s
-MaximumHeaders                  0
-PermitAuthenticationOverrides   false
+{
+  "MaximumHeaders": "0",
+  "PermitAuthenticationOverrides": "false",
+  "Mode": "s"
+}