rspamd/lualib/plugins/rbl.lua

--[[
Copyright (c) 2020, Vsevolod Stakhov <vsevolod@highsecure.ru>

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
]]--

local ts = require("tableshape").types
local lua_maps = require "lua_maps"
local lua_util = require "lua_util"

-- Common RBL plugin definitions

local check_types = {
    from = {
      connfilter = true,
    },
    received = {},
    helo = {
      connfilter = true,
    },
    urls = {},
    content_urls = {},
    emails = {},
    replyto = {},
    dkim = {},
    rdns = {
      connfilter = true,
    },
    selector = {
      require_argument = true,
    },
}

local default_options = {
  ['default_enabled'] = true,
  ['default_ipv4'] = true,
  ['default_ipv6'] = true,
  ['default_unknown'] = false,
  ['default_dkim_domainonly'] = true,
  ['default_emails_domainonly'] = false,
  ['default_exclude_private_ips'] = true,
  ['default_exclude_users'] = false,
  ['default_exclude_local'] = true,
  ['default_no_ip'] = false,
  ['default_dkim_match_from'] = false,
}

local return_codes_schema = ts.map_of(
    ts.string / string.upper, -- Symbol name
    (
        ts.array_of(ts.string) +
            (ts.string / function(s)
              return { s }
            end) -- List of IP patterns
    )
)
local return_bits_schema = ts.map_of(
    ts.string / string.upper, -- Symbol name
    (
        ts.array_of(ts.number + ts.string / tonumber) +
            (ts.string / function(s)
              return { tonumber(s) }
            end) +
            (ts.number / function(s)
              return { s }
            end)
    )
)

local rule_schema_tbl = {
  content_urls = ts.boolean:is_optional(),
  disable_monitoring = ts.boolean:is_optional(),
  disabled = ts.boolean:is_optional(),
  dkim = ts.boolean:is_optional(),
  dkim_domainonly = ts.boolean:is_optional(),
  dkim_match_from = ts.boolean:is_optional(),
  emails = ts.boolean:is_optional(),
  emails_delimiter = ts.string:is_optional(),
  emails_domainonly = ts.boolean:is_optional(),
  enabled = ts.boolean:is_optional(),
  exclude_local = ts.boolean:is_optional(),
  exclude_private_ips = ts.boolean:is_optional(),
  exclude_users = ts.boolean:is_optional(),
  from = ts.boolean:is_optional(),
  hash = ts.one_of{"sha1", "sha256", "sha384", "sha512", "md5", "blake2"}:is_optional(),
  hash_format = ts.one_of{"hex", "base32", "base64"}:is_optional(),
  hash_len = (ts.integer + ts.string / tonumber):is_optional(),
  helo = ts.boolean:is_optional(),
  ignore_default = ts.boolean:is_optional(), -- alias
  ignore_defaults = ts.boolean:is_optional(),
  ignore_whitelist = ts.boolean:is_optional(),
  ignore_whitelists = ts.boolean:is_optional(), -- alias
  images = ts.boolean:is_optional(),
  ipv4 = ts.boolean:is_optional(),
  ipv6 = ts.boolean:is_optional(),
  is_whitelist = ts.boolean:is_optional(),
  local_exclude_ip_map = ts.string:is_optional(),
  monitored_address = ts.string:is_optional(),
  no_ip = ts.boolean:is_optional(),
  process_script = ts.string:is_optional(),
  rbl = ts.string,
  rdns = ts.boolean:is_optional(),
  received = ts.boolean:is_optional(),
  replyto = ts.boolean:is_optional(),
  requests_limit = (ts.integer + ts.string / tonumber):is_optional(),
  resolve_ip = ts.boolean:is_optional(),
  return_bits = return_bits_schema:is_optional(),
  return_codes = return_codes_schema:is_optional(),
  returnbits = return_bits_schema:is_optional(),
  returncodes = return_codes_schema:is_optional(),
  selector = ts.one_of{ts.string, ts.table}:is_optional(),
  symbol = ts.string:is_optional(),
  symbols_prefixes = ts.map_of(ts.string, ts.string):is_optional(),
  unknown = ts.boolean:is_optional(),
  url_compose_map = lua_maps.map_schema:is_optional(),
  urls = ts.boolean:is_optional(),
  whitelist = lua_maps.map_schema:is_optional(),
  whitelist_exception = (
      ts.array_of(ts.string) + (ts.string / function(s) return {s} end)
  ):is_optional(),
  checks = ts.array_of(ts.one_of(lua_util.keys(check_types))):is_optional(),
}

local function convert_checks(rule)
  local rspamd_logger = require "rspamd_logger"
  if rule.checks then
    local all_connfilter = true
    for _,check in ipairs(rule.checks) do
      local check_type = check_types[check]
      if check_type.require_argument then
        if not rule[check] then
          rspamd_logger.errx(rspamd_config, 'rbl rule %s has check %s which requires an argument',
              rule.symbol, check)
          return nil
        end
      end

      rule[check] = check_type

      if not check_type.connfilter then
        all_connfilter = false
      end

      if not check_type then
        rspamd_logger.errx(rspamd_config, 'rbl rule %s has invalid check type: %s',
            rule.symbol, check)
        return nil
      end
    end
    rule.connfilter = all_connfilter
  end

  -- Now check if we have any check enabled at all
  local check_found = false
  for k,_ in pairs(check_types) do
    if type(rule[k]) ~= 'nil' then
      check_found = true
      break
    end
  end

  if not check_found then
    -- Enable implicit `from` check to allow upgrade
    rspamd_logger.warnx(rspamd_config, 'rbl rule %s has no check enabled, enable default `from` check',
        rule.symbol)
    rule.from = true
  end

  return rule
end


-- Add default boolean flags to the schema
for def_k,_ in pairs(default_options) do
  rule_schema_tbl[def_k:sub(#('default_') + 1)] = ts.boolean:is_optional()
end

return {
  check_types = check_types,
  rule_schema = ts.shape(rule_schema_tbl),
  default_options = default_options,
  convert_checks = convert_checks,
}