Merge remote-tracking branch 'origin/topic/jazoff/gh-3268t '

* origin/topic/jazoff/gh-3268:
  Fix check for emailed notices

Changes: Added a test-case printing email_delay_tokens to compare email vs
non-email notice types. Previously, both notice types would have email
delay tokens at that point in the flow.

CHANGES

@@ -1,3 +1,9 @@
+6.1.0-dev.361 | 2023-09-04 14:00:37 +0200
+
+  * Fix check for emailed notices (Justin Azoff, Corelight)
+
+    This bug was introduced in 9d0bd96
+
 6.1.0-dev.358 | 2023-09-01 11:53:55 +0200
 
   * GH-1705: http: Prevent request/response de-synchronization and unbounded state growth (Arne Welzel, Corelight)

VERSION

@@ -1 +1 @@
-6.1.0-dev.358
+6.1.0-dev.361

scripts/policy/frameworks/notice/extend-email/hostnames.zeek

@@ -20,7 +20,7 @@ hook notice(n: Notice::Info) &priority=-1
 		return;
 
 	# This should only be done for notices that are being sent to email.
-	if ( ! n?$email_dest )
+	if ( |n$email_dest| == 0 )
 		return;
 
 	# I'm not recovering gracefully from the when statements because I want

testing/btest/Baseline/scripts.policy.frameworks.notice.extend-email.hostnames/out

@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+email_delay_tokens, Test_New_Connection_Notice, (empty)
+email_delay_tokens, Test_Connection_State_Remove_Notice, hostnames-dst,hostnames-src

testing/btest/scripts/policy/frameworks/notice/extend-email/hostnames.zeek

@@ -0,0 +1,43 @@
+# @TEST-DOC: Check that extend-email/hostnames.zeek does not run lookup_addr() for non email type notices.
+# @TEST-EXEC: zeek -b -r $TRACES/http/get.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/frameworks/notice
+
+@load frameworks/notice/extend-email/hostnames
+
+
+redef enum Notice::Type += {
+	Test_New_Connection_Notice,
+	Test_Connection_State_Remove_Notice,
+};
+
+redef Notice::emailed_types += {
+	Test_Connection_State_Remove_Notice,
+};
+
+redef Notice::mail_dest = "user@example.net";
+redef Notice::sendmail = "fake-sendmail";  # not in effect, but better safe than sorry.
+
+
+module Notice;
+
+hook Notice::notice(n: Notice::Info) &priority=-2
+	{
+	# email_delay_token population runs at priority -1
+	# in extend-email/hostnames.zeek, so we can look
+	# at the result during priority=-2 and observe
+	# that only Test_Connection_State_Remove_Notice
+	# has email_delay_tokens set.
+	print "email_delay_tokens", n$note, |n$email_delay_tokens| > 0 ? join_string_set(n$email_delay_tokens, ",") : "(empty)";
+	}
+
+event new_connection(c: connection)
+	{
+	NOTICE([$note=Test_New_Connection_Notice, $conn=c]);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	NOTICE([$note=Test_Connection_State_Remove_Notice, $conn=c]);
+	}