mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21173 Commits
28 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
rspamd/lualib/lua_dkim_tools.lua

lua_dkim_tools.lua 24KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755 
  1. --[[

  2. Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>

  3. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. local exports = {}

  19. 

  20. local E = {}

  21. local lua_util = require "lua_util"

  22. local rspamd_util = require "rspamd_util"

  23. local logger = require "rspamd_logger"

  24. local fun = require "fun"

  25. 

  26. local function check_violation(N, task, domain)

  27.   -- Check for DKIM_REJECT

  28.   local sym_check = 'R_DKIM_REJECT'

  29. 

  30.   if N == 'arc' then

  31.     sym_check = 'ARC_REJECT'

  32.   end

  33.   if task:has_symbol(sym_check) then

  34.     local sym = task:get_symbol(sym_check)[1]

  35.     logger.infox(task, 'skip signing for %s: violation %s found: %s',

  36.         domain, sym_check, sym.options)

  37.     return false

  38.   end

  39. 

  40.   return true

  41. end

  42. 

  43. local function insert_or_update_prop(N, task, p, prop, origin, data)

  44.   if #p == 0 then

  45.     local k = {}

  46.     k[prop] = data

  47.     table.insert(p, k)

  48.     lua_util.debugm(N, task, 'add %s "%s" using %s', prop, data, origin)

  49.   else

  50.     for _, k in ipairs(p) do

  51.       if not k[prop] then

  52.         k[prop] = data

  53.         lua_util.debugm(N, task, 'set %s to "%s" using %s', prop, data, origin)

  54.       end

  55.     end

  56.   end

  57. end

  58. 

  59. local function get_mempool_selectors(N, task)

  60.   local p = {}

  61.   local key_var = "dkim_key"

  62.   local selector_var = "dkim_selector"

  63.   if N == "arc" then

  64.     key_var = "arc_key"

  65.     selector_var = "arc_selector"

  66.   end

  67. 

  68.   p.key = task:get_mempool():get_variable(key_var)

  69.   p.selector = task:get_mempool():get_variable(selector_var)

  70. 

  71.   if (not p.key or not p.selector) then

  72.     return false, {}

  73.   end

  74. 

  75.   lua_util.debugm(N, task, 'override selector and key to %s:%s', p.key, p.selector)

  76.   return true, p

  77. end

  78. 

  79. local function parse_dkim_http_headers(N, task, settings)

  80.   -- Configure headers

  81.   local headers = {

  82.     sign_header = settings.http_sign_header or "PerformDkimSign",

  83.     sign_on_reject_header = settings.http_sign_on_reject_header_header or 'SignOnAuthFailed',

  84.     domain_header = settings.http_domain_header or 'DkimDomain',

  85.     selector_header = settings.http_selector_header or 'DkimSelector',

  86.     key_header = settings.http_key_header or 'DkimPrivateKey'

  87.   }

  88. 

  89.   if task:get_request_header(headers.sign_header) then

  90.     local domain = task:get_request_header(headers.domain_header)

  91.     local selector = task:get_request_header(headers.selector_header)

  92.     local key = task:get_request_header(headers.key_header)

  93. 

  94.     if not (domain and selector and key) then

  95. 

  96.       logger.errx(task, 'missing required headers to sign email')

  97.       return false, {}

  98.     end

  99. 

  100.     -- Now check if we need to check the existing auth

  101.     local hdr = task:get_request_header(headers.sign_on_reject_header)

  102.     if not hdr or tostring(hdr) == '0' or tostring(hdr) == 'false' then

  103.       if not check_violation(N, task, domain, selector) then

  104.         return false, {}

  105.       end

  106.     end

  107. 

  108.     local p = {}

  109.     local k = {

  110.       domain = tostring(domain),

  111.       rawkey = tostring(key),

  112.       selector = tostring(selector),

  113.     }

  114.     table.insert(p, k)

  115.     return true, p

  116.   end

  117. 

  118.   lua_util.debugm(N, task, 'no sign header %s', headers.sign_header)

  119.   return false, {}

  120. end

  121. 

  122. local function prepare_dkim_signing(N, task, settings)

  123.   local is_local, is_sign_networks, is_authed

  124. 

  125.   if settings.use_http_headers then

  126.     local res, tbl = parse_dkim_http_headers(N, task, settings)

  127. 

  128.     if not res then

  129.       if not settings.allow_headers_fallback then

  130.         return res, {}

  131.       else

  132.         lua_util.debugm(N, task, 'failed to read http headers, fallback to normal schema')

  133.       end

  134.     else

  135.       return res, tbl

  136.     end

  137.   end

  138. 

  139.   if settings.sign_condition and type(settings.sign_condition) == 'function' then

  140.     -- Use sign condition only

  141.     local ret = settings.sign_condition(task)

  142. 

  143.     if not ret then

  144.       return false, {}

  145.     end

  146. 

  147.     if ret[1] then

  148.       return true, ret

  149.     else

  150.       return true, { ret }

  151.     end

  152.   end

  153. 

  154.   local auser = task:get_user()

  155.   local ip = task:get_from_ip()

  156. 

  157.   if ip and ip:is_local() then

  158.     is_local = true

  159.   end

  160. 

  161.   local has_pre_result = task:has_pre_result()

  162.   if has_pre_result then

  163.     local metric_action = task:get_metric_action()

  164. 

  165.     if metric_action == 'reject' or metric_action == 'drop' then

  166.       -- No need to sign what we are already rejecting/dropping

  167.       lua_util.debugm(N, task, 'task result is already %s, no need to sign', metric_action)

  168.       return false, {}

  169.     end

  170. 

  171.     if metric_action == 'soft reject' then

  172.       -- Same here, we are going to delay an email, signing is just a waste of time

  173.       lua_util.debugm(N, task, 'task result is %s, skip signing', metric_action)

  174.       return false, {}

  175.     end

  176. 

  177.     -- For spam actions, there is no clear distinction

  178.     if metric_action ~= 'no action' and type(settings.skip_spam_sign) == 'boolean' and settings.skip_spam_sign then

  179.       lua_util.debugm(N, task, 'task result is %s, no need to sign', metric_action)

  180.       return false, {}

  181.     end

  182.   end

  183. 

  184.   if settings.sign_authenticated and auser then

  185.     lua_util.debugm(N, task, 'user is authenticated')

  186.     is_authed = true

  187.   elseif (settings.sign_networks and settings.sign_networks:get_key(ip)) then

  188.     is_sign_networks = true

  189.     lua_util.debugm(N, task, 'mail is from address in sign_networks')

  190.   elseif settings.sign_local and is_local then

  191.     lua_util.debugm(N, task, 'mail is from local address')

  192.   elseif settings.sign_inbound and not is_local and not auser then

  193.     lua_util.debugm(N, task, 'mail was sent to us')

  194.   else

  195.     lua_util.debugm(N, task, 'mail is ineligible for signing')

  196.     return false, {}

  197.   end

  198. 

  199.   local efrom = task:get_from('smtp')

  200.   local empty_envelope = false

  201.   if #(((efrom or E)[1] or E).addr or '') == 0 then

  202.     if not settings.allow_envfrom_empty then

  203.       lua_util.debugm(N, task, 'empty envelope from not allowed')

  204.       return false, {}

  205.     else

  206.       empty_envelope = true

  207.     end

  208.   end

  209. 

  210.   local hfrom = task:get_from('mime')

  211.   if not settings.allow_hdrfrom_multiple and (hfrom or E)[2] then

  212.     lua_util.debugm(N, task, 'multiple header from not allowed')

  213.     return false, {}

  214.   end

  215. 

  216.   local eto = task:get_recipients(0)

  217. 

  218.   local dkim_domain

  219.   local hdom = ((hfrom or E)[1] or E).domain

  220.   local edom = ((efrom or E)[1] or E).domain

  221.   local tdom = ((eto or E)[1] or E).domain

  222.   local udom = string.match(auser or '', '.*@(.*)')

  223. 

  224.   local function get_dkim_domain(dtype)

  225.     if settings[dtype] == 'header' then

  226.       return hdom

  227.     elseif settings[dtype] == 'envelope' then

  228.       return edom

  229.     elseif settings[dtype] == 'auth' then

  230.       return udom

  231.     elseif settings[dtype] == 'recipient' then

  232.       return tdom

  233.     else

  234.       return settings[dtype]:lower()

  235.     end

  236.   end

  237. 

  238.   local function is_skip_sign()

  239.     return not (settings.sign_networks and is_sign_networks) and

  240.         not (settings.sign_authenticated and is_authed) and

  241.         not (settings.sign_local and is_local)

  242.   end

  243. 

  244.   if hdom then

  245.     hdom = hdom:lower()

  246.   end

  247.   if edom then

  248.     edom = edom:lower()

  249.   end

  250.   if udom then

  251.     udom = udom:lower()

  252.   end

  253.   if tdom then

  254.     tdom = tdom:lower()

  255.   end

  256. 

  257.   if settings.signing_table and (settings.key_table or settings.use_vault) then

  258.     -- OpenDKIM style

  259.     if is_skip_sign() then

  260.       lua_util.debugm(N, task,

  261.           'skip signing: is_sign_network: %s, is_authed: %s, is_local: %s',

  262.           is_sign_networks, is_authed, is_local)

  263.       return false, {}

  264.     end

  265. 

  266.     if not hfrom or not hfrom[1] or not hfrom[1].addr then

  267.       lua_util.debugm(N, task,

  268.           'signing_table: cannot get data when no header from is presented')

  269.       return false, {}

  270.     end

  271.     local sign_entry = settings.signing_table:get_key(hfrom[1].addr:lower())

  272. 

  273.     if sign_entry then

  274.       -- Check opendkim style entries

  275.       lua_util.debugm(N, task,

  276.           'signing_table: found entry for %s: %s', hfrom[1].addr, sign_entry)

  277.       if sign_entry == '%' then

  278.         sign_entry = hdom

  279.       end

  280. 

  281.       if settings.key_table then

  282.         -- Now search in key table

  283.         local key_entry = settings.key_table:get_key(sign_entry)

  284. 

  285.         if key_entry then

  286.           local parts = lua_util.str_split(key_entry, ':')

  287. 

  288.           if #parts == 2 then

  289.             -- domain + key

  290.             local selector = settings.selector

  291. 

  292.             if not selector then

  293.               logger.errx(task, 'no selector defined for sign_entry %s, key_entry %s',

  294.                   sign_entry, key_entry)

  295.               return false, {}

  296.             end

  297. 

  298.             local res = {

  299.               selector = selector,

  300.               domain = parts[1]:gsub('%%', hdom)

  301.             }

  302. 

  303.             local st = parts[2]:sub(1, 2)

  304. 

  305.             if st:sub(1, 1) == '/' or st == './' or st == '..' then

  306.               res.key = parts[2]:gsub('%%', hdom)

  307.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, key file=%s',

  308.                   hdom, selector, res.domain, res.key)

  309.             else

  310.               res.rawkey = parts[2] -- No sanity check here

  311.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, raw key used',

  312.                   hdom, selector, res.domain)

  313.             end

  314. 

  315.             return true, { res }

  316.           elseif #parts == 3 then

  317.             -- domain, selector, key

  318.             local selector = parts[2]

  319. 

  320.             local res = {

  321.               selector = selector,

  322.               domain = parts[1]:gsub('%%', hdom)

  323.             }

  324. 

  325.             local st = parts[3]:sub(1, 2)

  326. 

  327.             if st:sub(1, 1) == '/' or st == './' or st == '..' then

  328.               res.key = parts[3]:gsub('%%', hdom)

  329.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, key file=%s',

  330.                   hdom, selector, res.domain, res.key)

  331.             else

  332.               res.rawkey = parts[3] -- No sanity check here

  333.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, raw key used',

  334.                   hdom, selector, res.domain)

  335.             end

  336. 

  337.             return true, { res }

  338.           else

  339.             logger.errx(task, 'invalid key entry for sign entry %s: %s; when signing %s domain',

  340.                 sign_entry, key_entry, hdom)

  341.             return false, {}

  342.           end

  343.         elseif settings.use_vault then

  344.           -- Sign table is presented, the rest is covered by vault

  345.           lua_util.debugm(N, task, 'check vault for %s, by sign entry %s, key entry is missing',

  346.               hdom, sign_entry)

  347.           return true, {

  348.             domain = sign_entry,

  349.             vault = true

  350.           }

  351.         else

  352.           logger.errx(task, 'missing key entry for sign entry %s; when signing %s domain',

  353.               sign_entry, hdom)

  354.           return false, {}

  355.         end

  356.       else

  357.         logger.errx(task, 'cannot get key entry for signing entry %s, when signing %s domain',

  358.             sign_entry, hdom)

  359.         return false, {}

  360.       end

  361.     else

  362.       lua_util.debugm(N, task,

  363.           'signing_table: no entry for %s', hfrom[1].addr)

  364.       return false, {}

  365.     end

  366.   else

  367.     if settings.use_domain_sign_networks and is_sign_networks then

  368.       dkim_domain = get_dkim_domain('use_domain_sign_networks')

  369.       lua_util.debugm(N, task,

  370.           'sign_networks: use domain(%s) for signature: %s',

  371.           settings.use_domain_sign_networks, dkim_domain)

  372.     elseif settings.use_domain_sign_local and is_local then

  373.       dkim_domain = get_dkim_domain('use_domain_sign_local')

  374.       lua_util.debugm(N, task, 'local: use domain(%s) for signature: %s',

  375.           settings.use_domain_sign_local, dkim_domain)

  376.     elseif settings.use_domain_sign_inbound and not is_local and not auser then

  377.       dkim_domain = get_dkim_domain('use_domain_sign_inbound')

  378.       lua_util.debugm(N, task, 'inbound: use domain(%s) for signature: %s',

  379.           settings.use_domain_sign_inbound, dkim_domain)

  380.     elseif settings.use_domain_custom then

  381.       if type(settings.use_domain_custom) == 'string' then

  382.         -- Load custom function

  383.         local loadstring = loadstring or load

  384.         local ret, res_or_err = pcall(loadstring(settings.use_domain_custom))

  385.         if ret then

  386.           if type(res_or_err) == 'function' then

  387.             settings.use_domain_custom = res_or_err

  388.             dkim_domain = settings.use_domain_custom(task)

  389.             lua_util.debugm(N, task, 'use custom domain for signing: %s',

  390.                 dkim_domain)

  391.           else

  392.             logger.errx(task, 'cannot load dkim domain custom script: invalid type: %s, expected function',

  393.                 type(res_or_err))

  394.             settings.use_domain_custom = nil

  395.           end

  396.         else

  397.           logger.errx(task, 'cannot load dkim domain custom script: %s', res_or_err)

  398.           settings.use_domain_custom = nil

  399.         end

  400.       else

  401.         dkim_domain = settings.use_domain_custom(task)

  402.         lua_util.debugm(N, task, 'use custom domain for signing: %s',

  403.             dkim_domain)

  404.       end

  405.     else

  406.       dkim_domain = get_dkim_domain('use_domain')

  407.       lua_util.debugm(N, task, 'use domain(%s) for signature: %s',

  408.           settings.use_domain, dkim_domain)

  409.     end

  410.   end

  411. 

  412.   if not dkim_domain then

  413.     lua_util.debugm(N, task, 'could not extract dkim domain')

  414.     return false, {}

  415.   end

  416. 

  417.   if settings.use_esld then

  418.     dkim_domain = rspamd_util.get_tld(dkim_domain)

  419.     if hdom then

  420.       hdom = rspamd_util.get_tld(hdom)

  421.     end

  422.     if edom then

  423.       edom = rspamd_util.get_tld(edom)

  424.     end

  425.   end

  426. 

  427.   lua_util.debugm(N, task, 'final DKIM domain: %s', dkim_domain)

  428. 

  429.   -- Sanity checks

  430.   if edom and hdom and not settings.allow_hdrfrom_mismatch and hdom ~= edom then

  431.     if settings.allow_hdrfrom_mismatch_local and is_local then

  432.       lua_util.debugm(N, task, 'domain mismatch allowed for local IP: %1 != %2', hdom, edom)

  433.     elseif settings.allow_hdrfrom_mismatch_sign_networks and is_sign_networks then

  434.       lua_util.debugm(N, task, 'domain mismatch allowed for sign_networks: %1 != %2', hdom, edom)

  435.     else

  436.       if empty_envelope and hdom then

  437.         lua_util.debugm(N, task, 'domain mismatch allowed for empty envelope: %1 != %2', hdom, edom)

  438.       else

  439.         lua_util.debugm(N, task, 'domain mismatch not allowed: %1 != %2', hdom, edom)

  440.         return false, {}

  441.       end

  442.     end

  443.   end

  444. 

  445.   if auser and not settings.allow_username_mismatch then

  446.     if not udom then

  447.       lua_util.debugm(N, task, 'couldnt find domain in username')

  448.       return false, {}

  449.     end

  450.     if settings.use_esld then

  451.       udom = rspamd_util.get_tld(udom)

  452.     end

  453.     if udom ~= dkim_domain then

  454.       lua_util.debugm(N, task, 'user domain mismatch')

  455.       return false, {}

  456.     end

  457.   end

  458. 

  459.   local p = {}

  460. 

  461.   if settings.use_vault then

  462.     if settings.vault_domains then

  463.       if settings.vault_domains:get_key(dkim_domain) then

  464.         table.insert(p, {

  465.           domain = dkim_domain,

  466.           vault = true,

  467.         })

  468.       else

  469.         lua_util.debugm(N, task, 'domain %s is not designated for vault',

  470.             dkim_domain)

  471.       end

  472.     else

  473.       -- TODO: try every domain in the vault

  474.       table.insert(p, {

  475.         domain = dkim_domain,

  476.         vault = true,

  477.       })

  478.     end

  479.   end

  480. 

  481.   if settings.domain[dkim_domain] then

  482.     -- support old style selector/paths

  483.     if settings.domain[dkim_domain].selector or

  484.         settings.domain[dkim_domain].path then

  485.       local k = {}

  486.       k.selector = settings.domain[dkim_domain].selector

  487.       k.key = settings.domain[dkim_domain].path

  488.       table.insert(p, k)

  489.     end

  490.     for _, s in ipairs((settings.domain[dkim_domain].selectors or {})) do

  491.       lua_util.debugm(N, task, 'adding selector: %1', s)

  492.       local k = {}

  493.       k.selector = s.selector

  494.       k.key = s.path

  495.       table.insert(p, k)

  496.     end

  497.   end

  498. 

  499.   if #p == 0 then

  500.     local ret, k = get_mempool_selectors(N, task)

  501.     if ret then

  502.       table.insert(p, k)

  503.       lua_util.debugm(N, task, 'using mempool selector %s with key %s',

  504.           k.selector, k.key)

  505.     end

  506.   end

  507. 

  508.   if settings.selector_map then

  509.     local data = settings.selector_map:get_key(dkim_domain)

  510.     if data then

  511.       insert_or_update_prop(N, task, p, 'selector', 'selector_map', data)

  512.     else

  513.       lua_util.debugm(N, task, 'no selector in map for %s', dkim_domain)

  514.     end

  515.   end

  516. 

  517.   if settings.path_map then

  518.     local data = settings.path_map:get_key(dkim_domain)

  519.     if data then

  520.       insert_or_update_prop(N, task, p, 'key', 'path_map', data)

  521.     else

  522.       lua_util.debugm(N, task, 'no key in map for %s', dkim_domain)

  523.     end

  524.   end

  525. 

  526.   if #p == 0 and not settings.try_fallback then

  527.     lua_util.debugm(N, task, 'dkim unconfigured and fallback disabled')

  528.     return false, {}

  529.   end

  530. 

  531.   if not settings.use_redis then

  532.     insert_or_update_prop(N, task, p, 'key',

  533.         'default path', settings.path)

  534.   end

  535. 

  536.   insert_or_update_prop(N, task, p, 'selector',

  537.       'default selector', settings.selector)

  538. 

  539.   if settings.check_violation then

  540.     if not check_violation(N, task, p.domain) then

  541.       return false, {}

  542.     end

  543.   end

  544. 

  545.   insert_or_update_prop(N, task, p, 'domain', 'dkim_domain',

  546.       dkim_domain)

  547. 

  548.   return #p > 0 and true or false, p

  549. end

  550. 

  551. exports.prepare_dkim_signing = prepare_dkim_signing

  552. 

  553. exports.sign_using_redis = function(N, task, settings, selectors, sign_func, err_func)

  554.   local lua_redis = require "lua_redis"

  555. 

  556.   local function try_redis_key(selector, p)

  557.     p.key = nil

  558.     p.selector = selector

  559.     local rk = string.format('%s.%s', p.selector, p.domain)

  560.     local function redis_key_cb(err, data)

  561.       if err then

  562.         err_func(string.format("cannot make request to load DKIM key for %s: %s",

  563.             rk, err))

  564.       elseif type(data) ~= 'string' then

  565.         lua_util.debugm(N, task, "missing DKIM key for %s", rk)

  566.       else

  567.         p.rawkey = data

  568.         lua_util.debugm(N, task, 'found and parsed key for %s:%s in Redis',

  569.             p.domain, p.selector)

  570.         sign_func(task, p)

  571.       end

  572.     end

  573.     local rret = lua_redis.redis_make_request(task,

  574.         settings.redis_params, -- connect params

  575.         rk, -- hash key

  576.         false, -- is write

  577.         redis_key_cb, --callback

  578.         'HGET', -- command

  579.         { settings.key_prefix, rk } -- arguments

  580.     )

  581.     if not rret then

  582.       err_func(task,

  583.           string.format("cannot make request to load DKIM key for %s", rk))

  584.     end

  585.   end

  586. 

  587.   for _, p in ipairs(selectors) do

  588.     if settings.selector_prefix then

  589.       logger.infox(task, "using selector prefix '%s' for domain '%s'",

  590.           settings.selector_prefix, p.domain);

  591.       local function redis_selector_cb(err, data)

  592.         if err or type(data) ~= 'string' then

  593.           err_func(task, string.format("cannot make request to load DKIM selector for domain %s: %s",

  594.               p.domain, err))

  595.         else

  596.           try_redis_key(data, p)

  597.         end

  598.       end

  599.       local rret = lua_redis.redis_make_request(task,

  600.           settings.redis_params, -- connect params

  601.           p.domain, -- hash key

  602.           false, -- is write

  603.           redis_selector_cb, --callback

  604.           'HGET', -- command

  605.           { settings.selector_prefix, p.domain } -- arguments

  606.       )

  607.       if not rret then

  608.         err_func(task, string.format("cannot make Redis request to load DKIM selector for domain %s",

  609.             p.domain))

  610.       end

  611.     else

  612.       try_redis_key(p.selector, p)

  613.     end

  614.   end

  615. end

  616. 

  617. exports.sign_using_vault = function(N, task, settings, selector, sign_func, err_func)

  618.   local http = require "rspamd_http"

  619.   local ucl = require "ucl"

  620. 

  621.   local full_url = string.format('%s/v1/%s/%s',

  622.       settings.vault_url, settings.vault_path or 'dkim', selector.domain)

  623.   local upstream_list = lua_util.http_upstreams_by_url(rspamd_config:get_mempool(), settings.vault_url)

  624. 

  625.   local function vault_callback(err, code, body, _)

  626.     if code ~= 200 then

  627.       err_func(task, string.format('cannot request data from the vault url: %s; %s (%s)',

  628.           full_url, err, body))

  629.     else

  630.       local parser = ucl.parser()

  631.       local res, parser_err = parser:parse_string(body)

  632.       if not res then

  633.         err_func(task, string.format('vault reply for %s (data=%s) cannot be parsed: %s',

  634.             full_url, body, parser_err))

  635.       else

  636.         local obj = parser:get_object()

  637. 

  638.         if not obj or not obj.data then

  639.           err_func(task, string.format('vault reply for %s (data=%s) is invalid, no data',

  640.               full_url, body))

  641.         else

  642.           local elts = obj.data.selectors or {}

  643.           local errs = {}

  644.           local nvalid = 0

  645. 

  646.           -- Filter selectors by time/sanity

  647.           local function is_selector_valid(p)

  648.             if not p.key or not p.selector then

  649.               table.insert(errs, { "missing key/selector", p })

  650.               return false

  651.             end

  652. 

  653.             if p.valid_start then

  654.               -- Check start time

  655.               if rspamd_util.get_time() < tonumber(p.valid_start) then

  656.                 table.insert(errs, { "start time is in the future", p })

  657.                 return false

  658.               end

  659.             end

  660. 

  661.             if p.valid_end then

  662.               if rspamd_util.get_time() >= tonumber(p.valid_end) then

  663.                 table.insert(errs, { "end time is in the past", p })

  664.                 return false

  665.               end

  666.             end

  667. 

  668.             return true

  669.           end

  670.           fun.each(function(p)

  671.             local dkim_sign_data = {

  672.               rawkey = p.key,

  673.               selector = p.selector,

  674.               domain = p.domain or selector.domain,

  675.               alg = p.alg,

  676.             }

  677.             lua_util.debugm(N, task, 'found and parsed key for %s:%s in Vault',

  678.                 dkim_sign_data.domain, dkim_sign_data.selector)

  679.             nvalid = nvalid + 1

  680.             sign_func(task, dkim_sign_data)

  681.           end, fun.filter(is_selector_valid, elts))

  682.           for _, e in errs do

  683.             lua_util.debugm(N, task, 'error found during processing Vault selectors: %s:%s',

  684.                 e[1], e[2])

  685.           end

  686. 

  687.           if nvalid == 0 then

  688.             lua_util.debugm(N, task, 'no valid selectors have been returned from the Vault, skip signing')

  689.           end

  690.         end

  691.       end

  692.     end

  693.   end

  694. 

  695.   local ret = http.request {

  696.     task = task,

  697.     url = full_url,

  698.     callback = vault_callback,

  699.     timeout = settings.http_timeout or 5.0,

  700.     no_ssl_verify = settings.no_ssl_verify,

  701.     keepalive = true,

  702.     upstream = upstream_list and upstream_list:get_upstream_round_robin() or nil,

  703.     headers = {

  704.       ['X-Vault-Token'] = settings.vault_token,

  705.     },

  706.   }

  707. 

  708.   if not ret then

  709.     err_func(task, string.format("cannot make HTTP request to load DKIM data domain %s",

  710.         selector.domain))

  711.   end

  712. end

  713. 

  714. exports.validate_signing_settings = function(settings)

  715.   return settings.use_redis or

  716.       settings.path or

  717.       settings.domain or

  718.       settings.path_map or

  719.       settings.selector_map or

  720.       settings.use_http_headers or

  721.       (settings.signing_table and settings.key_table) or

  722.       (settings.use_vault and settings.vault_url and settings.vault_token) or

  723.       settings.sign_condition

  724. end

  725. 

  726. exports.process_signing_settings = function(N, settings, opts)

  727.   local lua_maps = require "lua_maps"

  728.   -- Used to convert plain options to the maps

  729.   local maps_opts = {

  730.     sign_networks = { 'radix', 'DKIM signing networks' },

  731.     path_map = { 'map', 'Paths to DKIM signing keys' },

  732.     selector_map = { 'map', 'DKIM selectors' },

  733.     signing_table = { 'glob', 'DKIM signing table' },

  734.     key_table = { 'glob', 'DKIM keys table' },

  735.     vault_domains = { 'glob', 'DKIM signing domains in vault' },

  736.     whitelisted_signers_map = { 'set', 'ARC trusted signers domains' }

  737.   }

  738.   for k, v in pairs(opts) do

  739.     local maybe_map = maps_opts[k]

  740.     if maybe_map then

  741.       settings[k] = lua_maps.map_add_from_ucl(v, maybe_map[1], maybe_map[2])

  742.     elseif k == 'sign_condition' then

  743.       local ret, f = lua_util.callback_from_string(v)

  744.       if ret then

  745.         settings[k] = f

  746.       else

  747.         logger.errx(rspamd_config, 'cannot load sign condition %s: %s', v, f)

  748.       end

  749.     else

  750.       settings[k] = v

  751.     end

  752.   end

  753. end

  754. 

  755. return exports