authorJ08nY2017-08-21 20:57:21 +0200
committerJ08nY2017-08-21 20:57:21 +0200
commit006e63dd02ae03e4e0d29405ba7b8c530a20fc9c (patch)
treef9b658cf95d6945ac4c84444d6ac8be345529733 /src
parent8f105928b6d79a5bd56ae20bec0dd288136ddf9f (diff)
Diffstat (limited to 'src')
-rw-r--r--src/mailman_pgp/config/mailman_pgp.cfg4
-rw-r--r--src/mailman_pgp/config/schema.cfg2
-rw-r--r--src/mailman_pgp/rules/signature.py6
-rw-r--r--src/mailman_pgp/rules/tests/test_signature.py14
-rw-r--r--src/mailman_pgp/testing/config.py32
-rw-r--r--src/mailman_pgp/testing/mailman_pgp.cfg4
6 files changed, 58 insertions, 4 deletions
diff --git a/src/mailman_pgp/config/mailman_pgp.cfg b/src/mailman_pgp/config/mailman_pgp.cfg
index 5db31dd..4f7a3cd 100644
--- a/src/mailman_pgp/config/mailman_pgp.cfg
+++ b/src/mailman_pgp/config/mailman_pgp.cfg
@@ -88,6 +88,10 @@ in: in_default
# The lifetime for `key change` request confirmation.
change_request_lifetime: 1d
+# Collect all signature hashes of successful postings to a PGP enabled mailing
+# list for signature replay checking.
+collect_sig_hashes: yes
+
[rest]
# Allow the accessing of a list private key through the REST API.
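Review bot: The comment added above `collect_sig_hashes` does not say what switching the option off costs. By the comment's own wording the stored hashes are what replay checking compares against, so with `no` the early return added to `on_message_posting` in rules/signature.py records nothing. A signature from a post accepted in that window would then presumably not be recognised as a replay later, even after the option is turned back on; the comparing code is not visible in this diff. I would add a line such as `# If set to no, hashes are not recorded and posts accepted meanwhile cannot later be detected as replayed.` The same applies to the copy in testing/mailman_pgp.cfg.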
diff --git a/src/mailman_pgp/config/schema.cfg b/src/mailman_pgp/config/schema.cfg
index e6e90c2..fcec263 100644
--- a/src/mailman_pgp/config/schema.cfg
+++ b/src/mailman_pgp/config/schema.cfg
@@ -55,6 +55,8 @@ in: str
[misc]
change_request_lifetime: lazr.config.as_timedelta
+collect_sig_hashes: lazr.config.as_boolean
+
[rest]
allow_read_private_key: lazr.config.as_boolean
diff --git a/src/mailman_pgp/rules/signature.py b/src/mailman_pgp/rules/signature.py
index ae27bb5..2e1728b 100644
--- a/src/mailman_pgp/rules/signature.py
+++ b/src/mailman_pgp/rules/signature.py
@@ -28,6 +28,7 @@ from zope.component import getUtility
from zope.event import classhandler
from zope.interface import implementer
+from mailman_pgp.config import config
from mailman_pgp.database import transaction
from mailman_pgp.model.address import PGPAddress
from mailman_pgp.model.list import PGPMailingList
@@ -133,9 +134,6 @@ class Signature:
return True
msgdata['pgp_sig_hashes'] = sig_hashes
- # XXX: we need to track key revocation separately to use it here
- # TODO: check key revocation here
-
return False
@@ -147,6 +145,8 @@ def on_message_posting(event):
:param event:
:type event: AcceptEvent
"""
+ if not config.get_value('misc', 'collect_sig_hashes'):
+ return
pgp_list = PGPMailingList.for_list(event.mlist)
if pgp_list is None:
return
diff --git a/src/mailman_pgp/rules/tests/test_signature.py b/src/mailman_pgp/rules/tests/test_signature.py
index ec49a18..45dbf21 100644
--- a/src/mailman_pgp/rules/tests/test_signature.py
+++ b/src/mailman_pgp/rules/tests/test_signature.py
@@ -32,7 +32,7 @@ from zope.component import getUtility
from zope.event import notify
from mailman_pgp.chains.default import PGPChain
-from mailman_pgp.config import mm_config
+from mailman_pgp.config import mm_config, config
from mailman_pgp.database import mm_transaction, transaction
from mailman_pgp.model.address import PGPAddress
from mailman_pgp.model.list import PGPMailingList
@@ -41,6 +41,7 @@ from mailman_pgp.pgp.inline import InlineWrapper
from mailman_pgp.pgp.mime import MIMEWrapper
from mailman_pgp.pgp.wrapper import PGPWrapper
from mailman_pgp.rules.signature import Signature
+from mailman_pgp.testing.config import patch_config
from mailman_pgp.testing.layers import PGPConfigLayer
from mailman_pgp.testing.pgp import load_key, load_message
from mailman_pgp.utils.pgp import hashes
@@ -299,6 +300,17 @@ class TestPostingEvent(TestCase):
self.assertIsNotNone(sig_hash)
self.assertEqual(sig_hash.fingerprint, self.sender_key.fingerprint)
+ @patch_config('misc', 'collect_sig_hashes', 'no')
+ def test_no_collect(self):
+ msg = load_message('mime_signed.eml')
+ wrapped = PGPWrapper(msg)
+ sighashes = set(hashes(wrapped.verify(self.sender_key)))
+ msgdata = dict(pgp_sig_hashes=sighashes)
+ notify(AcceptEvent(self.mlist, msg, msgdata,
+ mm_config.chains[PGPChain.name]))
+
+ self.assertEqual(0, len(PGPSigHash.query().all()))
+
def test_no_pgp_list(self):
with mm_transaction():
mlist = create_list('ordinary@example.com')
diff --git a/src/mailman_pgp/testing/config.py b/src/mailman_pgp/testing/config.py
new file mode 100644
index 0000000..0bcb6b4
--- /dev/null
+++ b/src/mailman_pgp/testing/config.py
@@ -0,0 +1,32 @@
+# Copyright (C) 2017 Jan Jancar
+#
+# This file is a part of the Mailman PGP plugin.
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program. If not, see <http://www.gnu.org/licenses/>.
+
+""""""
+from contextlib import contextmanager
+
+from public import public
+
+from mailman_pgp.config import config
+
+
+@public
+@contextmanager
+def patch_config(section, option, new):
+ current = config.get(section, option)
+ config.set(section, option, new)
+ yield
+ config.set(section, option, current)
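Review bot: `patch_config` restores the previous value only when the wrapped body finishes normally. If the decorated test raises, a failing assertion included, the exception is thrown into the generator at `yield`, the final `config.set` never runs, and the override (here `collect_sig_hashes: no`) stays in effect for any later test sharing the same config object. Guarding the yield fixes this: `try:` / `yield` / `finally: config.set(section, option, current)`. The module docstring `""""""` is empty and the function has none; a one-line docstring saying that it temporarily overrides one option and restores the old value on exit would be enough.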
diff --git a/src/mailman_pgp/testing/mailman_pgp.cfg b/src/mailman_pgp/testing/mailman_pgp.cfg
index d9570eb..1e6d1dc 100644
--- a/src/mailman_pgp/testing/mailman_pgp.cfg
+++ b/src/mailman_pgp/testing/mailman_pgp.cfg
@@ -88,6 +88,10 @@ in: in_default
# The lifetime for `key change` request confirmation.
change_request_lifetime: 1d
+# Collect all signature hashes of successful postings to a PGP enabled mailing
+# list for signature replay checking.
+collect_sig_hashes: yes
+
[rest]
# Allow the accessing of a list private key through the REST API.