mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19118 Commits
28 Branches
Tree: 7afa0694da
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7afa0694da'
${ noResults }
rspamd/lualib/lua_dkim_tools.lua

lua_dkim_tools.lua 22KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714 
  1. --[[

  2. Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>

  3. Copyright (c) 2017, Vsevolod Stakhov <vsevolod@highsecure.ru>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. local exports = {}

  19. 

  20. local E = {}

  21. local lua_util = require "lua_util"

  22. local rspamd_util = require "rspamd_util"

  23. local logger = require "rspamd_logger"

  24. local fun = require "fun"

  25. 

  26. local function check_violation(N, task, domain)

  27.   -- Check for DKIM_REJECT

  28.   local sym_check = 'R_DKIM_REJECT'

  29. 

  30.   if N == 'arc' then sym_check = 'ARC_REJECT' end

  31.   if task:has_symbol(sym_check) then

  32.     local sym = task:get_symbol(sym_check)

  33.     logger.infox(task, 'skip signing for %s: violation %s found: %s',

  34.         domain, sym_check, sym.options)

  35.     return false

  36.   end

  37. 

  38.   return true

  39. end

  40. 

  41. local function insert_or_update_prop(N, task, p, prop, origin, data)

  42.   if #p == 0 then

  43.     local k = {}

  44.     k[prop] = data

  45.     table.insert(p, k)

  46.     lua_util.debugm(N, task, 'add %s "%s" using %s', prop, data, origin)

  47.   else

  48.     for _, k in ipairs(p) do

  49.       if not k[prop] then

  50.         k[prop] = data

  51.         lua_util.debugm(N, task, 'set %s to "%s" using %s', prop, data, origin)

  52.       end

  53.     end

  54.   end

  55. end

  56. 

  57. local function get_mempool_selectors(N, task)

  58.   local p = {}

  59.   local key_var = "dkim_key"

  60.   local selector_var = "dkim_selector"

  61.   if N == "arc" then

  62.     key_var = "arc_key"

  63.     selector_var = "arc_selector"

  64.   end

  65. 

  66.   p.key = task:get_mempool():get_variable(key_var)

  67.   p.selector = task:get_mempool():get_variable(selector_var)

  68. 

  69.   if (not p.key or not p.selector) then

  70.     return false, {}

  71.   end

  72. 

  73.   lua_util.debugm(N, task, 'override selector and key to %s:%s', p.key, p.selector)

  74.   return true, p

  75. end

  76. 

  77. local function parse_dkim_http_headers(N, task, settings)

  78.   -- Configure headers

  79.   local headers = {

  80.     sign_header = settings.http_sign_header or "PerformDkimSign",

  81.     sign_on_reject_header = settings.http_sign_on_reject_header_header or 'SignOnAuthFailed',

  82.     domain_header = settings.http_domain_header or 'DkimDomain',

  83.     selector_header = settings.http_selector_header or 'DkimSelector',

  84.     key_header = settings.http_key_header or 'DkimPrivateKey'

  85.   }

  86. 

  87.   if task:get_request_header(headers.sign_header) then

  88.     local domain = task:get_request_header(headers.domain_header)

  89.     local selector = task:get_request_header(headers.selector_header)

  90.     local key = task:get_request_header(headers.key_header)

  91. 

  92.     if not (domain and selector and key) then

  93. 

  94.       logger.errx(task, 'missing required headers to sign email')

  95.       return false,{}

  96.     end

  97. 

  98.     -- Now check if we need to check the existing auth

  99.     local hdr = task:get_request_header(headers.sign_on_reject_header)

  100.     if not hdr or tostring(hdr) == '0' or tostring(hdr) == 'false' then

  101.       if not check_violation(N, task, domain, selector) then

  102.         return false, {}

  103.       end

  104.     end

  105. 

  106.     local p = {}

  107.     local k = {

  108.       domain = tostring(domain),

  109.       rawkey = tostring(key),

  110.       selector = tostring(selector),

  111.     }

  112.     table.insert(p, k)

  113.     return true, p

  114.   end

  115. 

  116.   lua_util.debugm(N, task, 'no sign header %s', headers.sign_header)

  117.   return false,{}

  118. end

  119. 

  120. local function prepare_dkim_signing(N, task, settings)

  121.   local is_local, is_sign_networks, is_authed

  122. 

  123.   if settings.use_http_headers then

  124.     local res,tbl = parse_dkim_http_headers(N, task, settings)

  125. 

  126.     if not res then

  127.       if not settings.allow_headers_fallback then

  128.         return res,{}

  129.       else

  130.         lua_util.debugm(N, task, 'failed to read http headers, fallback to normal schema')

  131.       end

  132.     else

  133.       return res,tbl

  134.     end

  135.   end

  136. 

  137.   if settings.sign_condition and type(settings.sign_condition) == 'function' then

  138.     -- Use sign condition only

  139.     local ret = settings.sign_condition(task)

  140. 

  141.     if not ret then

  142.       return false,{}

  143.     end

  144. 

  145.     if ret[1] then

  146.       return true,ret

  147.     else

  148.       return true,{ret}

  149.     end

  150.   end

  151. 

  152.   local auser = task:get_user()

  153.   local ip = task:get_from_ip()

  154. 

  155.   if ip and ip:is_local() then

  156.     is_local = true

  157.   end

  158. 

  159.   if settings.sign_authenticated and auser then

  160.     lua_util.debugm(N, task, 'user is authenticated')

  161.     is_authed = true

  162.   elseif (settings.sign_networks and settings.sign_networks:get_key(ip)) then

  163.     is_sign_networks = true

  164.     lua_util.debugm(N, task, 'mail is from address in sign_networks')

  165.   elseif settings.sign_local and is_local then

  166.     lua_util.debugm(N, task, 'mail is from local address')

  167.   elseif settings.sign_inbound and not is_local and not auser then

  168.     lua_util.debugm(N, task, 'mail was sent to us')

  169.   else

  170.     lua_util.debugm(N, task, 'mail is ineligible for signing')

  171.     return false,{}

  172.   end

  173. 

  174.   local efrom = task:get_from('smtp')

  175.   local empty_envelope = false

  176.   if #(((efrom or E)[1] or E).addr or '') == 0 then

  177.     if not settings.allow_envfrom_empty then

  178.       lua_util.debugm(N, task, 'empty envelope from not allowed')

  179.       return false,{}

  180.     else

  181.       empty_envelope = true

  182.     end

  183.   end

  184. 

  185.   local hfrom = task:get_from('mime')

  186.   if not settings.allow_hdrfrom_multiple and (hfrom or E)[2] then

  187.     lua_util.debugm(N, task, 'multiple header from not allowed')

  188.     return false,{}

  189.   end

  190. 

  191.   local eto = task:get_recipients(0)

  192. 

  193.   local dkim_domain

  194.   local hdom = ((hfrom or E)[1] or E).domain

  195.   local edom = ((efrom or E)[1] or E).domain

  196.   local tdom = ((eto or E)[1] or E).domain

  197.   local udom = string.match(auser or '', '.*@(.*)')

  198. 

  199.   local function get_dkim_domain(dtype)

  200.     if settings[dtype] == 'header' then

  201.       return hdom

  202.     elseif settings[dtype] == 'envelope' then

  203.       return edom

  204.     elseif settings[dtype] == 'auth' then

  205.       return udom

  206.     elseif settings[dtype] == 'recipient' then

  207.       return tdom

  208.     else

  209.       return settings[dtype]:lower()

  210.     end

  211.   end

  212. 

  213.   local function is_skip_sign()

  214.     return not (settings.sign_networks and is_sign_networks) and

  215.         not (settings.sign_authenticated and is_authed) and

  216.         not (settings.sign_local and is_local)

  217.   end

  218. 

  219.   if hdom then

  220.     hdom = hdom:lower()

  221.   end

  222.   if edom then

  223.     edom = edom:lower()

  224.   end

  225.   if udom then

  226.     udom = udom:lower()

  227.   end

  228.   if tdom then

  229.     tdom = tdom:lower()

  230.   end

  231. 

  232.   if settings.signing_table and (settings.key_table or settings.use_vault) then

  233.     -- OpenDKIM style

  234.     if is_skip_sign() then

  235.       lua_util.debugm(N, task,

  236.           'skip signing: is_sign_network: %s, is_authed: %s, is_local: %s',

  237.           is_sign_networks, is_authed, is_local)

  238.       return false,{}

  239.     end

  240. 

  241.     if not hfrom or not hfrom[1] or not hfrom[1].addr then

  242.       lua_util.debugm(N, task,

  243.           'signing_table: cannot get data when no header from is presented')

  244.       return false,{}

  245.     end

  246.     local sign_entry = settings.signing_table:get_key(hfrom[1].addr)

  247. 

  248.     if sign_entry then

  249.       -- Check opendkim style entries

  250.       lua_util.debugm(N, task,

  251.           'signing_table: found entry for %s: %s', hfrom[1].addr, sign_entry)

  252.       if sign_entry == '%' then

  253.         sign_entry = hdom

  254.       end

  255. 

  256.       if settings.key_table then

  257.       -- Now search in key table

  258.       local key_entry = settings.key_table:get_key(sign_entry)

  259. 

  260.         if key_entry then

  261.           local parts = lua_util.str_split(key_entry, ':')

  262. 

  263.           if #parts == 2 then

  264.             -- domain + key

  265.             local selector = settings.selector

  266. 

  267.             if not selector then

  268.               logger.errx(task, 'no selector defined for sign_entry %s, key_entry %s',

  269.                   sign_entry, key_entry)

  270.               return false,{}

  271.             end

  272. 

  273.             local res = {

  274.               selector = selector,

  275.               domain = parts[1]:gsub('%%', hdom)

  276.             }

  277. 

  278.             local st = parts[2]:sub(1, 2)

  279. 

  280.             if st:sub(1, 1) == '/' or st == './' or st == '..' then

  281.               res.key = parts[2]:gsub('%%', hdom)

  282.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, key file=%s',

  283.                   hdom, selector, res.domain, res.key)

  284.             else

  285.               res.rawkey = parts[2] -- No sanity check here

  286.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, raw key used',

  287.                   hdom, selector, res.domain)

  288.             end

  289. 

  290.             return true,{res}

  291.           elseif #parts == 3 then

  292.             -- domain, selector, key

  293.             local selector = parts[2]

  294. 

  295.             local res = {

  296.               selector = selector,

  297.               domain = parts[1]:gsub('%%', hdom)

  298.             }

  299. 

  300.             local st = parts[3]:sub(1, 2)

  301. 

  302.             if st:sub(1, 1) == '/' or st == './' or st == '..' then

  303.               res.key = parts[3]:gsub('%%', hdom)

  304.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, key file=%s',

  305.                   hdom, selector, res.domain, res.key)

  306.             else

  307.               res.rawkey = parts[3] -- No sanity check here

  308.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, raw key used',

  309.                   hdom, selector, res.domain)

  310.             end

  311. 

  312.             return true,{res}

  313.           else

  314.             logger.errx(task, 'invalid key entry for sign entry %s: %s; when signing %s domain',

  315.                 sign_entry, key_entry, hdom)

  316.             return false,{}

  317.           end

  318.         elseif settings.use_vault then

  319.           -- Sign table is presented, the rest is covered by vault

  320.           lua_util.debugm(N, task, 'check vault for %s, by sign entry %s, key entry is missing',

  321.               hdom, sign_entry)

  322.           return true, {

  323.             domain = sign_entry,

  324.             vault = true

  325.           }

  326.         else

  327.           logger.errx(task, 'missing key entry for sign entry %s; when signing %s domain',

  328.               sign_entry, hdom)

  329.           return false,{}

  330.         end

  331.       else

  332.         logger.errx(task, 'cannot get key entry for signing entry %s, when signing %s domain',

  333.             sign_entry, hdom)

  334.         return false,{}

  335.       end

  336.     else

  337.       lua_util.debugm(N, task,

  338.           'signing_table: no entry for %s', hfrom[1].addr)

  339.       return false,{}

  340.     end

  341.   else

  342.     if settings.use_domain_sign_networks and is_sign_networks then

  343.       dkim_domain = get_dkim_domain('use_domain_sign_networks')

  344.       lua_util.debugm(N, task,

  345.           'sign_networks: use domain(%s) for signature: %s',

  346.           settings.use_domain_sign_networks, dkim_domain)

  347.     elseif settings.use_domain_sign_local and is_local then

  348.       dkim_domain = get_dkim_domain('use_domain_sign_local')

  349.       lua_util.debugm(N, task, 'local: use domain(%s) for signature: %s',

  350.           settings.use_domain_sign_local, dkim_domain)

  351.     elseif settings.use_domain_sign_inbound and not is_local and not auser then

  352.       dkim_domain = get_dkim_domain('use_domain_sign_inbound')

  353.       lua_util.debugm(N, task, 'inbound: use domain(%s) for signature: %s',

  354.           settings.use_domain_sign_inbound, dkim_domain)

  355.     elseif settings.use_domain_custom then

  356.       if type(settings.use_domain_custom) == 'string' then

  357.         -- Load custom function

  358.         local loadstring = loadstring or load

  359.         local ret, res_or_err = pcall(loadstring(settings.use_domain_custom))

  360.         if ret then

  361.           if type(res_or_err) == 'function' then

  362.             settings.use_domain_custom = res_or_err

  363.             dkim_domain = settings.use_domain_custom(task)

  364.             lua_util.debugm(N, task, 'use custom domain for signing: %s',

  365.                 dkim_domain)

  366.           else

  367.             logger.errx(task, 'cannot load dkim domain custom script: invalid type: %s, expected function',

  368.                 type(res_or_err))

  369.             settings.use_domain_custom = nil

  370.           end

  371.         else

  372.           logger.errx(task, 'cannot load dkim domain custom script: %s', res_or_err)

  373.           settings.use_domain_custom = nil

  374.         end

  375.       else

  376.         dkim_domain = settings.use_domain_custom(task)

  377.         lua_util.debugm(N, task, 'use custom domain for signing: %s',

  378.             dkim_domain)

  379.       end

  380.     else

  381.       dkim_domain = get_dkim_domain('use_domain')

  382.       lua_util.debugm(N, task, 'use domain(%s) for signature: %s',

  383.           settings.use_domain, dkim_domain)

  384.     end

  385.   end

  386. 

  387.   if not dkim_domain then

  388.     lua_util.debugm(N, task, 'could not extract dkim domain')

  389.     return false,{}

  390.   end

  391. 

  392.   if settings.use_esld then

  393.     dkim_domain = rspamd_util.get_tld(dkim_domain)

  394.     if hdom then

  395.       hdom = rspamd_util.get_tld(hdom)

  396.     end

  397.     if edom then

  398.       edom = rspamd_util.get_tld(edom)

  399.     end

  400.   end

  401. 

  402.   lua_util.debugm(N, task, 'final DKIM domain: %s', dkim_domain)

  403. 

  404.   -- Sanity checks

  405.   if edom and hdom and not settings.allow_hdrfrom_mismatch and hdom ~= edom then

  406.     if settings.allow_hdrfrom_mismatch_local and is_local then

  407.       lua_util.debugm(N, task, 'domain mismatch allowed for local IP: %1 != %2', hdom, edom)

  408.     elseif settings.allow_hdrfrom_mismatch_sign_networks and is_sign_networks then

  409.       lua_util.debugm(N, task, 'domain mismatch allowed for sign_networks: %1 != %2', hdom, edom)

  410.     else

  411.       if empty_envelope and hdom then

  412.         lua_util.debugm(N, task, 'domain mismatch allowed for empty envelope: %1 != %2', hdom, edom)

  413.       else

  414.         lua_util.debugm(N, task, 'domain mismatch not allowed: %1 != %2', hdom, edom)

  415.         return false,{}

  416.       end

  417.     end

  418.   end

  419. 

  420.   if auser and not settings.allow_username_mismatch then

  421.     if not udom then

  422.       lua_util.debugm(N, task, 'couldnt find domain in username')

  423.       return false,{}

  424.     end

  425.     if settings.use_esld then

  426.       udom = rspamd_util.get_tld(udom)

  427.     end

  428.     if udom ~= dkim_domain then

  429.       lua_util.debugm(N, task, 'user domain mismatch')

  430.       return false,{}

  431.     end

  432.   end

  433. 

  434.   local p = {}

  435. 

  436.   if settings.use_vault then

  437.     if settings.vault_domains then

  438.       if settings.vault_domains:get_key(dkim_domain) then

  439.         return true, {

  440.           domain = dkim_domain,

  441.           vault = true,

  442.         }

  443.       else

  444.         lua_util.debugm(N, task, 'domain %s is not designated for vault',

  445.           dkim_domain)

  446.         return false,{}

  447.       end

  448.     else

  449.       -- TODO: try every domain in the vault

  450.       return true, {

  451.         domain = dkim_domain,

  452.         vault = true,

  453.       }

  454.     end

  455.   end

  456. 

  457.   if settings.domain[dkim_domain] then

  458.     -- support old style selector/paths

  459.     if settings.domain[dkim_domain].selector or

  460.        settings.domain[dkim_domain].path then

  461.       local k = {}

  462.       k.selector = settings.domain[dkim_domain].selector

  463.       k.key = settings.domain[dkim_domain].path

  464.       table.insert(p, k)

  465.     end

  466.     for _, s in ipairs((settings.domain[dkim_domain].selectors or {})) do

  467.       lua_util.debugm(N, task, 'adding selector: %1', s)

  468.       local k = {}

  469.       k.selector = s.selector

  470.       k.key = s.path

  471.       table.insert(p, k)

  472.     end

  473.   end

  474. 

  475.   if #p == 0 then

  476.     local ret, k = get_mempool_selectors(N, task)

  477.     if ret then

  478.       table.insert(p, k)

  479.       lua_util.debugm(N, task, 'using mempool selector %s with key %s',

  480.                       k.selector, k.key)

  481.     end

  482.   end

  483. 

  484.   if settings.selector_map then

  485.     local data = settings.selector_map:get_key(dkim_domain)

  486.     if data then

  487.       insert_or_update_prop(N, task, p, 'selector', 'selector_map', data)

  488.     else

  489.       lua_util.debugm(N, task, 'no selector in map for %s', dkim_domain)

  490.     end

  491.   end

  492. 

  493.   if settings.path_map then

  494.     local data = settings.path_map:get_key(dkim_domain)

  495.     if data then

  496.       insert_or_update_prop(N, task, p, 'key', 'path_map', data)

  497.     else

  498.       lua_util.debugm(N, task, 'no key in map for %s', dkim_domain)

  499.     end

  500.   end

  501. 

  502.   if #p == 0 and not settings.try_fallback then

  503.     lua_util.debugm(N, task, 'dkim unconfigured and fallback disabled')

  504.     return false,{}

  505.   end

  506. 

  507.   if not settings.use_redis then

  508.     insert_or_update_prop(N, task, p, 'key',

  509.         'default path', settings.path)

  510.   end

  511. 

  512.   insert_or_update_prop(N, task, p, 'selector',

  513.         'default selector', settings.selector)

  514. 

  515.   if settings.check_violation then

  516.     if not check_violation(N, task, p.domain) then

  517.       return false,{}

  518.     end

  519.   end

  520. 

  521.   insert_or_update_prop(N, task, p, 'domain', 'dkim_domain',

  522.     dkim_domain)

  523. 

  524.   return true,p

  525. end

  526. 

  527. exports.prepare_dkim_signing = prepare_dkim_signing

  528. 

  529. exports.sign_using_redis = function(N, task, settings, selectors, sign_func, err_func)

  530.   local lua_redis = require "lua_redis"

  531. 

  532.   local function try_redis_key(selector, p)

  533.     p.key = nil

  534.     p.selector = selector

  535.     local rk = string.format('%s.%s', p.selector, p.domain)

  536.     local function redis_key_cb(err, data)

  537.       if err then

  538.         err_func(string.format("cannot make request to load DKIM key for %s: %s",

  539.             rk, err))

  540.       elseif type(data) ~= 'string' then

  541.         lua_util.debugm(N, task, "missing DKIM key for %s", rk)

  542.       else

  543.         p.rawkey = data

  544.         lua_util.debugm(N, task, 'found and parsed key for %s:%s in Redis',

  545.             p.domain, p.selector)

  546.         sign_func(task, p)

  547.       end

  548.     end

  549.     local rret = lua_redis.redis_make_request(task,

  550.         settings.redis_params, -- connect params

  551.         rk, -- hash key

  552.         false, -- is write

  553.         redis_key_cb, --callback

  554.         'HGET', -- command

  555.         {settings.key_prefix, rk} -- arguments

  556.     )

  557.     if not rret then

  558.       err_func(task,

  559.           string.format( "cannot make request to load DKIM key for %s", rk))

  560.     end

  561.   end

  562. 

  563.   for _, p in ipairs(selectors) do

  564.     if settings.selector_prefix then

  565.       logger.infox(task, "using selector prefix '%s' for domain '%s'",

  566.           settings.selector_prefix, p.domain);

  567.       local function redis_selector_cb(err, data)

  568.         if err or type(data) ~= 'string' then

  569.           err_func(task, string.format("cannot make request to load DKIM selector for domain %s: %s",

  570.               p.domain, err))

  571.         else

  572.           try_redis_key(data, p)

  573.         end

  574.       end

  575.       local rret = lua_redis.redis_make_request(task,

  576.           settings.redis_params, -- connect params

  577.           p.domain, -- hash key

  578.           false, -- is write

  579.           redis_selector_cb, --callback

  580.           'HGET', -- command

  581.           {settings.selector_prefix, p.domain} -- arguments

  582.       )

  583.       if not rret then

  584.         err_func(task, string.format("cannot make Redis request to load DKIM selector for domain %s",

  585.             p.domain))

  586.       end

  587.     else

  588.       try_redis_key(p.selector, p)

  589.     end

  590.   end

  591. end

  592. 

  593. exports.sign_using_vault = function(N, task, settings, selectors, sign_func, err_func)

  594.   local http = require "rspamd_http"

  595.   local ucl = require "ucl"

  596. 

  597.   local full_url = string.format('%s/v1/%s/%s',

  598.       settings.vault_url, settings.vault_path or 'dkim', selectors.domain)

  599. 

  600.   local function vault_callback(err, code, body, _)

  601.     if code ~= 200 then

  602.       err_func(task, string.format('cannot request data from the vault url: %s; %s (%s)',

  603.           full_url, err, body))

  604.     else

  605.       local parser = ucl.parser()

  606.       local res,parser_err = parser:parse_string(body)

  607.       if not res then

  608.         err_func(task, string.format('vault reply for %s (data=%s) cannot be parsed: %s',

  609.             full_url, body, parser_err))

  610.       else

  611.         local obj = parser:get_object()

  612. 

  613.         if not obj or not obj.data then

  614.           err_func(task, string.format('vault reply for %s (data=%s) is invalid, no data',

  615.               full_url, body))

  616.         else

  617.           local elts = obj.data.selectors or {}

  618. 

  619.           -- Filter selectors by time/sanity

  620.           local function is_selector_valid(p)

  621.             if not p.key or not p.selector then

  622.               return false

  623.             end

  624. 

  625.             if p.valid_start then

  626.               -- Check start time

  627.               if rspamd_util.get_time() < tonumber(p.valid_start) then

  628.                 return false

  629.               end

  630.             end

  631. 

  632.             if p.valid_end then

  633.               if rspamd_util.get_time() >= tonumber(p.valid_end) then

  634.                 return false

  635.               end

  636.             end

  637. 

  638.             return true

  639.           end

  640.           fun.each(function(p)

  641.             local dkim_sign_data = {

  642.               rawkey = p.key,

  643.               selector = p.selector,

  644.               domain = p.domain or selectors.domain,

  645.               alg = p.alg,

  646.             }

  647.             lua_util.debugm(N, task, 'found and parsed key for %s:%s in Vault',

  648.                 dkim_sign_data.domain, dkim_sign_data.selector)

  649.             sign_func(task, dkim_sign_data)

  650.           end, fun.filter(is_selector_valid, elts))

  651.         end

  652.       end

  653.     end

  654.   end

  655. 

  656.   local ret = http.request{

  657.     task = task,

  658.     url = full_url,

  659.     callback = vault_callback,

  660.     timeout = settings.http_timeout or 5.0,

  661.     no_ssl_verify = settings.no_ssl_verify,

  662.     keepalive = true,

  663.     headers = {

  664.       ['X-Vault-Token'] = settings.vault_token,

  665.     },

  666.   }

  667. 

  668.   if not ret then

  669.     err_func(task, string.format("cannot make HTTP request to load DKIM data domain %s",

  670.         selectors.domain))

  671.   end

  672. end

  673. 

  674. exports.validate_signing_settings = function(settings)

  675.   return settings.use_redis or

  676.       settings.path or

  677.       settings.domain or

  678.       settings.path_map or

  679.       settings.selector_map or

  680.       settings.use_http_headers or

  681.       (settings.signing_table and settings.key_table) or

  682.       (settings.use_vault and settings.vault_url and settings.vault_token) or

  683.       settings.sign_condition

  684. end

  685. 

  686. exports.process_signing_settings = function(N, settings, opts)

  687.   local lua_maps = require "lua_maps"

  688.   for k,v in pairs(opts) do

  689.     if k == 'sign_networks' then

  690.       settings[k] = lua_maps.map_add(N, k, 'radix', 'DKIM signing networks')

  691.     elseif k == 'path_map' then

  692.       settings[k] = lua_maps.map_add(N, k, 'map', 'Paths to DKIM signing keys')

  693.     elseif k == 'selector_map' then

  694.       settings[k] = lua_maps.map_add(N, k, 'map', 'DKIM selectors')

  695.     elseif k == 'signing_table' then

  696.       settings[k] = lua_maps.map_add(N, k, 'glob', 'DKIM signing table')

  697.     elseif k == 'key_table' then

  698.       settings[k] = lua_maps.map_add(N, k, 'glob', 'DKIM keys table')

  699.     elseif k == 'vault_domains' then

  700.       settings[k] = lua_maps.map_add(N, k, 'glob', 'DKIM signing domains in vault')

  701.     elseif k == 'sign_condition' then

  702.       local ret,f = lua_util.callback_from_string(v)

  703.       if ret then

  704.         settings[k] = f

  705.       else

  706.         logger.errx(rspamd_config, 'cannot load sign condition %s: %s', v, f)

  707.       end

  708.     else

  709.       settings[k] = v

  710.     end

  711.   end

  712. end

  713. 

  714. return exports