mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14673 Commits
29 Branches
Tree: c77208a34e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c77208a34e'
${ noResults }
rspamd/lualib/lua_dkim_tools.lua

lua_dkim_tools.lua 21KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673 
  1. --[[

  2. Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>

  3. Copyright (c) 2017, Vsevolod Stakhov <vsevolod@highsecure.ru>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. local exports = {}

  19. 

  20. local E = {}

  21. local lua_util = require "lua_util"

  22. local rspamd_util = require "rspamd_util"

  23. local logger = require "rspamd_logger"

  24. local fun = require "fun"

  25. 

  26. local function check_violation(N, task, domain)

  27.   -- Check for DKIM_REJECT

  28.   local sym_check = 'R_DKIM_REJECT'

  29. 

  30.   if N == 'arc' then sym_check = 'ARC_REJECT' end

  31.   if task:has_symbol(sym_check) then

  32.     local sym = task:get_symbol(sym_check)

  33.     logger.infox(task, 'skip signing for %s: violation %s found: %s',

  34.         domain, sym_check, sym.options)

  35.     return false

  36.   end

  37. 

  38.   return true

  39. end

  40. 

  41. local function insert_or_update_prop(N, task, p, prop, origin, data)

  42.   if #p == 0 then

  43.     local k = {}

  44.     k[prop] = data

  45.     table.insert(p, k)

  46.     lua_util.debugm(N, task, 'add %s "%s" using %s', prop, data, origin)

  47.   else

  48.     for _, k in ipairs(p) do

  49.       if not k[prop] then

  50.         k[prop] = data

  51.         lua_util.debugm(N, task, 'set %s to "%s" using %s', prop, data, origin)

  52.       end

  53.     end

  54.   end

  55. end

  56. 

  57. local function get_mempool_selectors(N, task)

  58.   local p = {}

  59.   local key_var = "dkim_key"

  60.   local selector_var = "dkim_selector"

  61.   if N == "arc" then

  62.     key_var = "arc_key"

  63.     selector_var = "arc_selector"

  64.   end

  65. 

  66.   p.key = task:get_mempool():get_variable(key_var)

  67.   p.selector = task:get_mempool():get_variable(selector_var)

  68. 

  69.   if (not p.key or not p.selector) then

  70.     return false, {}

  71.   end

  72. 

  73.   lua_util.debugm(N, task, 'override selector and key to %s:%s', p.key, p.selector)

  74.   return true, p

  75. end

  76. 

  77. local function parse_dkim_http_headers(N, task, settings)

  78.   -- Configure headers

  79.   local headers = {

  80.     sign_header = settings.http_sign_header or "PerformDkimSign",

  81.     sign_on_reject_header = settings.http_sign_on_reject_header_header or 'SignOnAuthFailed',

  82.     domain_header = settings.http_domain_header or 'DkimDomain',

  83.     selector_header = settings.http_selector_header or 'DkimSelector',

  84.     key_header = settings.http_key_header or 'DkimPrivateKey'

  85.   }

  86. 

  87.   if task:get_request_header(headers.sign_header) then

  88.     local domain = task:get_request_header(headers.domain_header)

  89.     local selector = task:get_request_header(headers.selector_header)

  90.     local key = task:get_request_header(headers.key_header)

  91. 

  92.     if not (domain and selector and key) then

  93. 

  94.       logger.errx(task, 'missing required headers to sign email')

  95.       return false,{}

  96.     end

  97. 

  98.     -- Now check if we need to check the existing auth

  99.     local hdr = task:get_request_header(headers.sign_on_reject_header)

  100.     if not hdr or tostring(hdr) == '0' or tostring(hdr) == 'false' then

  101.       if not check_violation(N, task, domain, selector) then

  102.         return false, {}

  103.       end

  104.     end

  105. 

  106.     local p = {}

  107.     local k = {

  108.       domain = tostring(domain),

  109.       rawkey = tostring(key),

  110.       selector = tostring(selector),

  111.     }

  112.     table.insert(p, k)

  113.     return true, p

  114.   end

  115. 

  116.   lua_util.debugm(N, task, 'no sign header %s', headers.sign_header)

  117.   return false,{}

  118. end

  119. 

  120. local function prepare_dkim_signing(N, task, settings)

  121.   local is_local, is_sign_networks

  122. 

  123.   if settings.use_http_headers then

  124.     local res,tbl = parse_dkim_http_headers(N, task, settings)

  125. 

  126.     if not res then

  127.       if not settings.allow_headers_fallback then

  128.         return res,{}

  129.       else

  130.         lua_util.debugm(N, task, 'failed to read http headers, fallback to normal schema')

  131.       end

  132.     else

  133.       return res,tbl

  134.     end

  135.   end

  136. 

  137.   local auser = task:get_user()

  138.   local ip = task:get_from_ip()

  139. 

  140.   if ip and ip:is_local() then

  141.     is_local = true

  142.   end

  143. 

  144.   if settings.auth_only and auser then

  145.     lua_util.debugm(N, task, 'user is authenticated')

  146.   elseif (settings.sign_networks and settings.sign_networks:get_key(ip)) then

  147.     is_sign_networks = true

  148.     lua_util.debugm(N, task, 'mail is from address in sign_networks')

  149.   elseif settings.sign_local and is_local then

  150.     lua_util.debugm(N, task, 'mail is from local address')

  151.   elseif settings.sign_inbound and not is_local and not auser then

  152.     lua_util.debugm(N, task, 'mail was sent to us')

  153.   else

  154.     lua_util.debugm(N, task, 'ignoring unauthenticated mail')

  155.     return false,{}

  156.   end

  157. 

  158.   local efrom = task:get_from('smtp')

  159.   if not settings.allow_envfrom_empty and

  160.       #(((efrom or E)[1] or E).addr or '') == 0 then

  161.     lua_util.debugm(N, task, 'empty envelope from not allowed')

  162.     return false,{}

  163.   end

  164. 

  165.   local hfrom = task:get_from('mime')

  166.   if not settings.allow_hdrfrom_multiple and (hfrom or E)[2] then

  167.     lua_util.debugm(N, task, 'multiple header from not allowed')

  168.     return false,{}

  169.   end

  170. 

  171.   local eto = task:get_recipients(0)

  172. 

  173.   local dkim_domain

  174.   local hdom = ((hfrom or E)[1] or E).domain

  175.   local edom = ((efrom or E)[1] or E).domain

  176.   local tdom = ((eto or E)[1] or E).domain

  177.   local udom = string.match(auser or '', '.*@(.*)')

  178. 

  179.   local function get_dkim_domain(dtype)

  180.     if settings[dtype] == 'header' then

  181.       return hdom

  182.     elseif settings[dtype] == 'envelope' then

  183.       return edom

  184.     elseif settings[dtype] == 'auth' then

  185.       return udom

  186.     elseif settings[dtype] == 'recipient' then

  187.       return tdom

  188.     else

  189.       return settings[dtype]:lower()

  190.     end

  191.   end

  192. 

  193.   if hdom then

  194.     hdom = hdom:lower()

  195.   end

  196.   if edom then

  197.     edom = edom:lower()

  198.   end

  199.   if udom then

  200.     udom = udom:lower()

  201.   end

  202.   if tdom then

  203.     tdom = tdom:lower()

  204.   end

  205. 

  206.   if settings.signing_table and (settings.key_table or settings.use_vault) then

  207.     -- OpenDKIM style

  208.     if settings.sign_networks and not is_sign_networks then

  209.       lua_util.debugm(N, task,

  210.           'signing_table: sign networks specified but IP is not from that network, skip signing')

  211.       return false,{}

  212.     end

  213. 

  214.     if not hfrom or not hfrom[1] or not hfrom[1].addr then

  215.       lua_util.debugm(N, task,

  216.           'signing_table: cannot get data when no header from is presented')

  217.       return false,{}

  218.     end

  219.     local sign_entry = settings.signing_table:get_key(hfrom[1].addr)

  220. 

  221.     if sign_entry then

  222.       lua_util.debugm(N, task,

  223.           'signing_table: found entry for %s: %s', hfrom[1].addr, sign_entry)

  224.       if sign_entry == '%' then

  225.         sign_entry = hdom

  226.       end

  227. 

  228.       if settings.key_table then

  229.       -- Now search in key table

  230.       local key_entry = settings.key_table:get_key(sign_entry)

  231. 

  232.         if key_entry then

  233.           local parts = lua_util.str_split(key_entry, ':')

  234. 

  235.           if #parts == 2 then

  236.             -- domain + key

  237.             local selector = settings.selector

  238. 

  239.             if not selector then

  240.               logger.errx(task, 'no selector defined for sign_entry %s, key_entry %s',

  241.                   sign_entry, key_entry)

  242.               return false,{}

  243.             end

  244. 

  245.             local res = {

  246.               selector = selector,

  247.               domain = parts[1]:gsub('%%', hdom)

  248.             }

  249. 

  250.             local st = parts[2]:sub(1, 2)

  251. 

  252.             if st:sub(1, 1) == '/' or st == './' or st == '..' then

  253.               res.key = parts[2]:gsub('%%', hdom)

  254.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, key file=%s',

  255.                   hdom, selector, res.domain, res.key)

  256.             else

  257.               res.rawkey = parts[2] -- No sanity check here

  258.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, raw key used',

  259.                   hdom, selector, res.domain)

  260.             end

  261. 

  262.             return true,{res}

  263.           elseif #parts == 3 then

  264.             -- domain, selector, key

  265.             local selector = parts[2]

  266. 

  267.             local res = {

  268.               selector = selector,

  269.               domain = parts[1]:gsub('%%', hdom)

  270.             }

  271. 

  272.             local st = parts[3]:sub(1, 2)

  273. 

  274.             if st:sub(1, 1) == '/' or st == './' or st == '..' then

  275.               res.key = parts[3]:gsub('%%', hdom)

  276.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, key file=%s',

  277.                   hdom, selector, res.domain, res.key)

  278.             else

  279.               res.rawkey = parts[3] -- No sanity check here

  280.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, raw key used',

  281.                   hdom, selector, res.domain)

  282.             end

  283. 

  284.             return true,{res}

  285.           else

  286.             logger.errx(task, 'invalid key entry for sign entry %s: %s; when signing %s domain',

  287.                 sign_entry, key_entry, hdom)

  288.             return false,{}

  289.           end

  290.         elseif settings.use_vault then

  291.           -- Sign table is presented, the rest is covered by vault

  292.           lua_util.debugm(N, task, 'check vault for %s, by sign entry %s, key entry is missing',

  293.               hdom, sign_entry)

  294.           return true, {

  295.             domain = sign_entry,

  296.             vault = true

  297.           }

  298.         else

  299.           logger.errx(task, 'missing key entry for sign entry %s; when signing %s domain',

  300.               sign_entry, hdom)

  301.           return false,{}

  302.         end

  303.       else

  304.         logger.errx(task, 'cannot get key entry for signing entry %s, when signing %s domain',

  305.             sign_entry, hdom)

  306.         return false,{}

  307.       end

  308.     else

  309.       lua_util.debugm(N, task,

  310.           'signing_table: no entry for %s', hfrom[1].addr)

  311.       return false,{}

  312.     end

  313.   else

  314.     if settings.use_domain_sign_networks and is_sign_networks then

  315.       dkim_domain = get_dkim_domain('use_domain_sign_networks')

  316.       lua_util.debugm(N, task,

  317.           'sign_networks: use domain(%s) for signature: %s',

  318.           settings.use_domain_sign_networks, dkim_domain)

  319.     elseif settings.use_domain_sign_local and is_local then

  320.       dkim_domain = get_dkim_domain('use_domain_sign_local')

  321.       lua_util.debugm(N, task, 'local: use domain(%s) for signature: %s',

  322.           settings.use_domain_sign_local, dkim_domain)

  323.     elseif settings.use_domain_sign_inbound and not is_local and not auser then

  324.       dkim_domain = get_dkim_domain('use_domain_sign_inbound')

  325.       lua_util.debugm(N, task, 'inbound: use domain(%s) for signature: %s',

  326.           settings.use_domain_sign_inbound, dkim_domain)

  327.     elseif settings.use_domain_custom then

  328.       if type(settings.use_domain_custom) == 'string' then

  329.         -- Load custom function

  330.         local loadstring = loadstring or load

  331.         local ret, res_or_err = pcall(loadstring(settings.use_domain_custom))

  332.         if ret then

  333.           if type(res_or_err) == 'function' then

  334.             settings.use_domain_custom = res_or_err

  335.             dkim_domain = settings.use_domain_custom(task)

  336.             lua_util.debugm(N, task, 'use custom domain for signing: %s',

  337.                 dkim_domain)

  338.           else

  339.             logger.errx(task, 'cannot load dkim domain custom script: invalid type: %s, expected function',

  340.                 type(res_or_err))

  341.             settings.use_domain_custom = nil

  342.           end

  343.         else

  344.           logger.errx(task, 'cannot load dkim domain custom script: %s', res_or_err)

  345.           settings.use_domain_custom = nil

  346.         end

  347.       else

  348.         dkim_domain = settings.use_domain_custom(task)

  349.         lua_util.debugm(N, task, 'use custom domain for signing: %s',

  350.             dkim_domain)

  351.       end

  352.     else

  353.       dkim_domain = get_dkim_domain('use_domain')

  354.       lua_util.debugm(N, task, 'use domain(%s) for signature: %s',

  355.           settings.use_domain, dkim_domain)

  356.     end

  357.   end

  358. 

  359.   if not dkim_domain then

  360.     lua_util.debugm(N, task, 'could not extract dkim domain')

  361.     return false,{}

  362.   end

  363. 

  364.   if settings.use_esld then

  365.     dkim_domain = rspamd_util.get_tld(dkim_domain)

  366.     if hdom then

  367.       hdom = rspamd_util.get_tld(hdom)

  368.     end

  369.     if edom then

  370.       edom = rspamd_util.get_tld(edom)

  371.     end

  372.   end

  373. 

  374.   lua_util.debugm(N, task, 'final DKIM domain: %s', dkim_domain)

  375. 

  376.   -- Sanity checks

  377.   if edom and hdom and not settings.allow_hdrfrom_mismatch and hdom ~= edom then

  378.     if settings.allow_hdrfrom_mismatch_local and is_local then

  379.       lua_util.debugm(N, task, 'domain mismatch allowed for local IP: %1 != %2', hdom, edom)

  380.     elseif settings.allow_hdrfrom_mismatch_sign_networks and is_sign_networks then

  381.       lua_util.debugm(N, task, 'domain mismatch allowed for sign_networks: %1 != %2', hdom, edom)

  382.     else

  383.       lua_util.debugm(N, task, 'domain mismatch not allowed: %1 != %2', hdom, edom)

  384.       return false,{}

  385.     end

  386.   end

  387. 

  388.   if auser and not settings.allow_username_mismatch then

  389.     if not udom then

  390.       lua_util.debugm(N, task, 'couldnt find domain in username')

  391.       return false,{}

  392.     end

  393.     if settings.use_esld then

  394.       udom = rspamd_util.get_tld(udom)

  395.     end

  396.     if udom ~= dkim_domain then

  397.       lua_util.debugm(N, task, 'user domain mismatch')

  398.       return false,{}

  399.     end

  400.   end

  401. 

  402.   local p = {}

  403. 

  404.   if settings.use_vault then

  405.     if settings.vault_domains then

  406.       if settings.vault_domains:get_key(dkim_domain) then

  407.         return true, {

  408.           domain = dkim_domain,

  409.           vault = true,

  410.         }

  411.       else

  412.         lua_util.debugm(N, task, 'domain %s is not designated for vault',

  413.           dkim_domain)

  414.         return false,{}

  415.       end

  416.     else

  417.       -- TODO: try every domain in the vault

  418.       return true, {

  419.         domain = dkim_domain,

  420.         vault = true,

  421.       }

  422.     end

  423.   end

  424. 

  425.   if settings.domain[dkim_domain] then

  426.     -- support old style selector/paths

  427.     if settings.domain[dkim_domain].selector or

  428.        settings.domain[dkim_domain].path then

  429.       local k = {}

  430.       k.selector = settings.domain[dkim_domain].selector

  431.       k.key = settings.domain[dkim_domain].path

  432.       table.insert(p, k)

  433.     end

  434.     for _, s in ipairs((settings.domain[dkim_domain].selectors or {})) do

  435.       lua_util.debugm(N, task, 'adding selector: %1', s)

  436.       local k = {}

  437.       k.selector = s.selector

  438.       k.key = s.path

  439.       table.insert(p, k)

  440.     end

  441.   end

  442. 

  443.   if #p == 0 then

  444.     local ret, k = get_mempool_selectors(N, task)

  445.     if ret then

  446.       table.insert(p, k)

  447.       lua_util.debugm(N, task, 'using mempool selector %s with key %s',

  448.                       k.selector, k.key)

  449.     end

  450.   end

  451. 

  452.   if settings.selector_map then

  453.     local data = settings.selector_map:get_key(dkim_domain)

  454.     if data then

  455.       insert_or_update_prop(N, task, p, 'selector', 'selector_map', data)

  456.     else

  457.       lua_util.debugm(N, task, 'no selector in map for %s', dkim_domain)

  458.     end

  459.   end

  460. 

  461.   if settings.path_map then

  462.     local data = settings.path_map:get_key(dkim_domain)

  463.     if data then

  464.       insert_or_update_prop(N, task, p, 'key', 'path_map', data)

  465.     else

  466.       lua_util.debugm(N, task, 'no key in map for %s', dkim_domain)

  467.     end

  468.   end

  469. 

  470.   if #p == 0 and not settings.try_fallback then

  471.     lua_util.debugm(N, task, 'dkim unconfigured and fallback disabled')

  472.     return false,{}

  473.   end

  474. 

  475.   if not settings.use_redis then

  476.     insert_or_update_prop(N, task, p, 'key',

  477.         'default path', settings.path)

  478.   end

  479. 

  480.   insert_or_update_prop(N, task, p, 'selector',

  481.         'default selector', settings.selector)

  482. 

  483.   if settings.check_violation then

  484.     if not check_violation(N, task, p.domain) then

  485.       return false,{}

  486.     end

  487.   end

  488. 

  489.   insert_or_update_prop(N, task, p, 'domain', 'dkim_domain',

  490.     dkim_domain)

  491. 

  492.   return true,p

  493. end

  494. 

  495. exports.prepare_dkim_signing = prepare_dkim_signing

  496. 

  497. exports.sign_using_redis = function(N, task, settings, selectors, sign_func, err_func)

  498.   local lua_redis = require "lua_redis"

  499. 

  500.   local function try_redis_key(selector, p)

  501.     p.key = nil

  502.     p.selector = selector

  503.     local rk = string.format('%s.%s', p.selector, p.domain)

  504.     local function redis_key_cb(err, data)

  505.       if err then

  506.         err_func(string.format("cannot make request to load DKIM key for %s: %s",

  507.             rk, err))

  508.       elseif type(data) ~= 'string' then

  509.         lua_util.debugm(N, task, "missing DKIM key for %s", rk)

  510.       else

  511.         p.rawkey = data

  512.         lua_util.debugm(N, task, 'found and parsed key for %s:%s in Redis',

  513.             p.domain, p.selector)

  514.         sign_func(task, p)

  515.       end

  516.     end

  517.     local rret = lua_redis.redis_make_request(task,

  518.         settings.redis_params, -- connect params

  519.         rk, -- hash key

  520.         false, -- is write

  521.         redis_key_cb, --callback

  522.         'HGET', -- command

  523.         {settings.key_prefix, rk} -- arguments

  524.     )

  525.     if not rret then

  526.       err_func(task,

  527.           string.format( "cannot make request to load DKIM key for %s", rk))

  528.     end

  529.   end

  530. 

  531.   for _, p in ipairs(selectors) do

  532.     if settings.selector_prefix then

  533.       logger.infox(task, "using selector prefix '%s' for domain '%s'",

  534.           settings.selector_prefix, p.domain);

  535.       local function redis_selector_cb(err, data)

  536.         if err or type(data) ~= 'string' then

  537.           err_func(task, string.format("cannot make request to load DKIM selector for domain %s: %s",

  538.               p.domain, err))

  539.         else

  540.           try_redis_key(data, p)

  541.         end

  542.       end

  543.       local rret = lua_redis.redis_make_request(task,

  544.           settings.redis_params, -- connect params

  545.           p.domain, -- hash key

  546.           false, -- is write

  547.           redis_selector_cb, --callback

  548.           'HGET', -- command

  549.           {settings.selector_prefix, p.domain} -- arguments

  550.       )

  551.       if not rret then

  552.         err_func(task, string.format("cannot make Redis request to load DKIM selector for domain %s",

  553.             p.domain))

  554.       end

  555.     else

  556.       try_redis_key(p.selector, p)

  557.     end

  558.   end

  559. end

  560. 

  561. exports.sign_using_vault = function(N, task, settings, selectors, sign_func, err_func)

  562.   local http = require "rspamd_http"

  563.   local ucl = require "ucl"

  564. 

  565.   local full_url = string.format('%s/v1/%s/%s',

  566.       settings.vault_url, settings.vault_path or 'dkim', selectors.domain)

  567. 

  568.   local function vault_callback(err, code, body, _)

  569.     if code ~= 200 then

  570.       err_func(task, string.format('cannot request data from the vault url: %s; %s (%s)',

  571.           full_url, err, body))

  572.     else

  573.       local parser = ucl.parser()

  574.       local res,parser_err = parser:parse_string(body)

  575.       if not res then

  576.         err_func(task, string.format('vault reply for %s (data=%s) cannot be parsed: %s',

  577.             full_url, body, parser_err))

  578.       else

  579.         local obj = parser:get_object()

  580. 

  581.         if not obj or not obj.data then

  582.           err_func(task, string.format('vault reply for %s (data=%s) is invalid, no data',

  583.               full_url, body))

  584.         else

  585.           local elts = obj.data.selectors or {}

  586. 

  587.           -- Filter selectors by time/sanity

  588.           local function is_selector_valid(p)

  589.             if not p.key or not p.selector then

  590.               return false

  591.             end

  592. 

  593.             if p.valid_start then

  594.               -- Check start time

  595.               if rspamd_util.get_time() < tonumber(p.valid_start) then

  596.                 return false

  597.               end

  598.             end

  599. 

  600.             if p.valid_end then

  601.               if rspamd_util.get_time() >= tonumber(p.valid_end) then

  602.                 return false

  603.               end

  604.             end

  605. 

  606.             return true

  607.           end

  608.           fun.each(function(p)

  609.             local dkim_sign_data = {

  610.               rawkey = p.key,

  611.               selector = p.selector,

  612.               domain = p.domain or selectors.domain

  613.             }

  614.             lua_util.debugm(N, task, 'found and parsed key for %s:%s in Vault',

  615.                 dkim_sign_data.domain, dkim_sign_data.selector)

  616.             sign_func(task, dkim_sign_data)

  617.           end, fun.filter(is_selector_valid, elts))

  618.         end

  619.       end

  620.     end

  621.   end

  622. 

  623.   local ret = http.request{

  624.     task = task,

  625.     url = full_url,

  626.     callback = vault_callback,

  627.     timeout = settings.http_timeout or 5.0,

  628.     no_ssl_verify = settings.no_ssl_verify,

  629.     keepalive = true,

  630.     headers = {

  631.       ['X-Vault-Token'] = settings.vault_token,

  632.     },

  633.   }

  634. 

  635.   if not ret then

  636.     err_func(task, string.format("cannot make HTTP request to load DKIM data domain %s",

  637.         selectors.domain))

  638.   end

  639. end

  640. 

  641. exports.validate_signing_settings = function(settings)

  642.   return settings.use_redis or

  643.       settings.path or

  644.       settings.domain or

  645.       settings.path_map or

  646.       settings.selector_map or

  647.       settings.use_http_headers or

  648.       (settings.signing_table and settings.key_table) or

  649.       (settings.use_vault and settings.vault_url and settings.vault_token)

  650. end

  651. 

  652. exports.process_signing_settings = function(N, settings, opts)

  653.   local lua_maps = require "lua_maps"

  654.   for k,v in pairs(opts) do

  655.     if k == 'sign_networks' then

  656.       settings[k] = lua_maps.map_add(N, k, 'radix', 'DKIM signing networks')

  657.     elseif k == 'path_map' then

  658.       settings[k] = lua_maps.map_add(N, k, 'map', 'Paths to DKIM signing keys')

  659.     elseif k == 'selector_map' then

  660.       settings[k] = lua_maps.map_add(N, k, 'map', 'DKIM selectors')

  661.     elseif k == 'signing_table' then

  662.       settings[k] = lua_maps.map_add(N, k, 'glob', 'DKIM signing table')

  663.     elseif k == 'key_table' then

  664.       settings[k] = lua_maps.map_add(N, k, 'glob', 'DKIM keys table')

  665.     elseif k == 'vault_domains' then

  666.       settings[k] = lua_maps.map_add(N, k, 'glob', 'DKIM signing domains in vault')

  667.     else

  668.       settings[k] = v

  669.     end

  670.   end

  671. end

  672. 

  673. return exports