#!/usr/bin/env bash # # Phase 5 Validation: E2EE Webmail # # Validates that RFC 0043 components are deployed and healthy: # - Webmail frontend (loads, login works) # - Key service (health endpoint, key generation) # - E2EE functionality (encryption/decryption) # set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # Colors for output RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' NC='\033[0m' PASSED=0 FAILED=0 WARNINGS=0 # Configuration DOMAIN="${DOMAIN:-coherence.dev}" log_info() { echo -e "${BLUE}[INFO]${NC} $1" } log_pass() { echo -e "${GREEN}[PASS]${NC} $1" ((PASSED++)) } log_fail() { echo -e "${RED}[FAIL]${NC} $1" ((FAILED++)) } log_warn() { echo -e "${YELLOW}[WARN]${NC} $1" ((WARNINGS++)) } check_webmail_frontend() { log_info "Checking webmail frontend..." # Check if namespace exists if ! kubectl get namespace webmail &> /dev/null; then log_warn "webmail namespace does not exist (Phase 5 may be optional)" return fi # Check pod health local ready_pods ready_pods=$(kubectl -n webmail get pods -l app=webmail -o json 2>/dev/null | jq '[.items[] | select(.status.phase == "Running") | select(.status.containerStatuses[]?.ready == true)] | length') if [ "$ready_pods" -ge 1 ]; then log_pass "Webmail frontend has $ready_pods ready pods" else log_fail "Webmail frontend has no ready pods" return fi # Check service local svc_exists svc_exists=$(kubectl -n webmail get svc webmail -o name 2>/dev/null || echo "") if [ -n "$svc_exists" ]; then log_pass "Webmail service exists" else log_fail "Webmail service does not exist" fi # Check ingress local ingress_exists ingress_exists=$(kubectl get ingress -A -o json 2>/dev/null | jq '[.items[] | select(.spec.rules[]?.host | contains("mail"))] | length') if [ "$ingress_exists" -ge 1 ]; then log_pass "Webmail ingress configured" else log_warn "No webmail ingress found" fi } check_key_service() { log_info "Checking key service..." # Check if namespace exists if ! kubectl get namespace webmail &> /dev/null; then log_warn "webmail namespace does not exist" return fi # Check pod health local ready_pods ready_pods=$(kubectl -n webmail get pods -l app=key-service -o json 2>/dev/null | jq '[.items[] | select(.status.phase == "Running") | select(.status.containerStatuses[]?.ready == true)] | length') if [ "$ready_pods" -ge 1 ]; then log_pass "Key service has $ready_pods ready pods" else log_fail "Key service has no ready pods" return fi # Check health endpoint local ks_pod ks_pod=$(kubectl -n webmail get pods -l app=key-service -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") if [ -n "$ks_pod" ]; then local health_status health_status=$(kubectl -n webmail exec "$ks_pod" -- wget -q -O - http://localhost:8080/health 2>/dev/null || echo "") if echo "$health_status" | grep -q "ok\|healthy\|200"; then log_pass "Key service health endpoint responding" else log_warn "Key service health check returned: $health_status" fi fi # Check Vault integration log_info "Checking Vault PKI integration..." local vault_pki_exists vault_pki_exists=$(kubectl -n vault exec vault-0 -- vault secrets list -format=json 2>/dev/null | jq 'has("pki_smime/")' || echo "false") if [ "$vault_pki_exists" = "true" ]; then log_pass "Vault S/MIME PKI is configured" else log_warn "Vault S/MIME PKI not found" fi } check_e2ee_functionality() { log_info "Checking E2EE functionality..." log_info "Manual verification required:" echo " 1. Navigate to https://mail.$DOMAIN" echo " 2. Login via Keycloak SSO" echo " 3. Verify key pair is generated on first login" echo " 4. Compose an email to another user" echo " 5. Verify email is encrypted in transit" echo " 6. Verify recipient can decrypt and read email" echo "" log_warn "E2EE functionality requires manual testing" } check_stalwart_integration() { log_info "Checking Stalwart integration..." # Check if webmail can reach Stalwart local webmail_pod webmail_pod=$(kubectl -n webmail get pods -l app=webmail -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") if [ -n "$webmail_pod" ]; then # Check IMAP connectivity local imap_check imap_check=$(kubectl -n webmail exec "$webmail_pod" -- nc -z stalwart.email.svc.cluster.local 993 2>/dev/null && echo "ok" || echo "fail") if [ "$imap_check" = "ok" ]; then log_pass "Webmail can reach Stalwart IMAP" else log_warn "Webmail cannot reach Stalwart IMAP" fi # Check SMTP connectivity local smtp_check smtp_check=$(kubectl -n webmail exec "$webmail_pod" -- nc -z stalwart.email.svc.cluster.local 587 2>/dev/null && echo "ok" || echo "fail") if [ "$smtp_check" = "ok" ]; then log_pass "Webmail can reach Stalwart SMTP" else log_warn "Webmail cannot reach Stalwart SMTP" fi else log_warn "Cannot check Stalwart integration - no webmail pod" fi } print_summary() { echo "" echo "========================================" echo "Phase 5 Validation Summary" echo "========================================" echo -e " ${GREEN}Passed:${NC} $PASSED" echo -e " ${RED}Failed:${NC} $FAILED" echo -e " ${YELLOW}Warnings:${NC} $WARNINGS" echo "========================================" if [ "$FAILED" -gt 0 ]; then echo "" echo -e "${RED}Phase 5 validation FAILED${NC}" echo "Please fix the issues above." exit 1 elif [ "$WARNINGS" -gt 0 ]; then echo "" echo -e "${YELLOW}Phase 5 validation passed with warnings${NC}" echo "Review warnings above. Perform manual E2EE testing." exit 0 else echo "" echo -e "${GREEN}Phase 5 validation PASSED${NC}" echo "Full infrastructure stack deployment complete!" exit 0 fi } main() { echo "========================================" echo "Phase 5 Validation: E2EE Webmail" echo "========================================" echo "" check_webmail_frontend check_key_service check_stalwart_integration check_e2ee_functionality print_summary } main "$@"