Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EOP-281: OpenARC module and APIs #782

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

EOP-281: OpenARC module and APIs #782

wants to merge 9 commits into from

Conversation

juliebin
Copy link
Contributor

  • Give your PR a recognizable title. For example: "FE-123: Add new prop to component" or "Resolve Issue Create new-pricing-increases-costs #123: Fix bug in component"
  • Your PR title will be visible in changelogs

What Changed

  • What changes does this PR propose?
  • Provide screenshots or screen recordings for any visual changes.

How To Test or Verify

  • Describe any steps that may help reviewers verify changes.
  • Anything beyond basic unit testing, such as assistive tech usage, or special interactions.

PR Checklist

Below are some checklists to follow for the correct procedure in different circumstance. The first list ("All PRs Checklist") should be followed for ALL PRs. The next 2 are additive to this list depending on what type of PR you are using.

For example: If you are submitting a content change to one of the support documents, your checklist would include the:

  • "All PRs Checklist"
  • AND the "Content Changes Checklist

If you are submitting a feature addition, enhancement, or bug fix, your checklist would include the:

  • "All PRs Checklist"
  • AND the "Development Changes Checklist"

All PRs Checklist

  • Give your pull request a meaningful name.
  • Use lowercase filenames.
  • Apply at least one team label according to which team is the content expert (ie. team-FE or team-SAZ)
  • Pull request approval from the FE team or content experts (see label applied above) that isn't the content creator.

Content Changes Checklist

  • Check that your article looks correct in the preview here or in a Netlify deploy preview.
  • Check the links in your article.
  • Check the images in your article (if there are any)
  • Check to make sure you are using markdown appropriately as outlined in examples/article.md in the root of the project directory and on the momentum doc's preface article
  • Check to make sure the Copy and Tone Guidelines are followed.

Development Changes Checklist (some checks are automatic github actions and will not be listed here. ie. "all tests pass")

  • The appropriate tests are created in cypress/ directory in the root of the project
  • The lighthouse score is passing according to the FE Support Docs' Service Outline SLI/SLOs

Copy link

netlify bot commented Nov 25, 2024

Deploy Preview for support-docs ready!

Name Link
🔨 Latest commit 5b83e44
🔍 Latest deploy log https://app.netlify.com/sites/support-docs/deploys/675ca079e977870008d4318d
😎 Deploy Preview https://deploy-preview-782--support-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

content/momentum/4/4-lua-summary-table.md Show resolved Hide resolved
content/momentum/4/hooks/index.md Show resolved Hide resolved
content/momentum/4/4-lua-summary-table.md Show resolved Hide resolved
content/momentum/4/hooks/core-post-final-validation.md Outdated Show resolved Hide resolved
content/momentum/4/hooks/core-post-final-validation.md Outdated Show resolved Hide resolved
it before and what the message's authentication assessment was at each step in the handling flow.

The openarc module add ARC capability to Momentum. It provides Lua APIs for
ARC validation on a received email, and ARC siging and sealing on an outgoing email.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

signing

content/momentum/4/modules/openarc.md Outdated Show resolved Hide resolved
content/momentum/4/modules/openarc.md Outdated Show resolved Hide resolved
content/momentum/4/modules/openarc.md Outdated Show resolved Hide resolved
content/momentum/4/modules/openarc.md Outdated Show resolved Hide resolved
either `verify` or `sign` but not both.
It's recommended to invoke `msys.validate.opendarc.verify` in `validate_data_spool` or
[`validate_data_spool_each_rcpt`](/momentum/3/3-api/hooks-core-validate-data-spool-each-rcpt) hook.
`msys.validate.opendarc.sign` shall be invoked in the last validation phase, in
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be invoked

### Note

If the `ec_message` context variable `arc_cv` is not set after this function call, errors happened
and logged into paniclog.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and were logged

<a name="lua.ref.msys.validate.openarc.verify"></a>
## Name

msys.validate.openarc.verify — Verifies ARC set headers in an email, stores the verification results
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

email and stores

This function validates the ARC set headers contained in the input message. The validation result
will be stored as string value (`none` or `pass` or `fail`) in the `ec_message`'s context variable
of `arc_cv`. A caller can take actions (e.g. disposition of the message) based on the validation
result.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm guessing "none" means no ARC headers rather than the status of "cv=none" which is normal for just one ARC header set?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

none means cv=none in ARC-Seal, also means no ARC headers.

* `authservid` – authentication service identifier, as
[authserv-id](https://datatracker.ietf.org/doc/html/rfc8601#section-2.5) defined in RFC.

If not set, will be default to the hostname.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious why we default to the hostname. According to the RFC, Common practice is to use the DNS domain name used by or within that ADMD, sometimes called the "organizational domain"
FWIW, the perl module I use that does signing (Mail::DKIM::ARC::Signer) requires the first token in the (required) AR header to match the srvid input, and this input defaults to the domain input.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, should be "will default to" or "will be defaulted to".

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's the authservid Momo use for Authentication-Results header.

### Note

Since ARC sealing should happen after all potential modification of a message is done, this function
shall be invoked in the `post_final_validation` stage after all the other validation phases.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be invoked


### Note

Since ARC sealing should happen after all potential modification of a message is done, this function
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe something a little stronger like "must not happen until all"

This hook is invoked right after the
[final_validation](/momentum/3/3-api/hooks-core-final-validation) hook. Its return value
does not have significance for now.
This hook is added as the absolute last point before writing the message into spool.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest "writing the message to spool for delivery".

This hook is added as the absolute last point before writing the message into spool.
It guarantees that operations implemented in this hook will happen after the operations done in
`final_validtion`.
No any message modification expected after this stage.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No message modification is expected

It guarantees that operations implemented in this hook will happen after the operations done in
`final_validtion`.
No any message modification expected after this stage.
To avoid undefined race between multiple implementations of the same hook, you shall only have up
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest "ordering" rather than "race" and "you should have at most one"

Copy link
Contributor

@dkoerichbird dkoerichbird left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

This hook is added as the absolute last point before writing the message to spool for delivery.
It guarantees that operations implemented in this hook will happen after the operations done in
`final_validation`.
No message modification is expected after this stage.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the behavior If it is modified after this stage? Can we clarify the wording.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed this line, since it's not the new behavior introduced by the code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants