mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19574 Commits
29 Branches
Tree: e4446ad2c2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e4446ad2c2'
${ noResults }
rspamd/lualib/lua_dkim_tools.lua

lua_dkim_tools.lua 23KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738 
  1. --[[

  2. Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>

  3. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. local exports = {}

  19. 

  20. local E = {}

  21. local lua_util = require "lua_util"

  22. local rspamd_util = require "rspamd_util"

  23. local logger = require "rspamd_logger"

  24. local fun = require "fun"

  25. 

  26. local function check_violation(N, task, domain)

  27.   -- Check for DKIM_REJECT

  28.   local sym_check = 'R_DKIM_REJECT'

  29. 

  30.   if N == 'arc' then sym_check = 'ARC_REJECT' end

  31.   if task:has_symbol(sym_check) then

  32.     local sym = task:get_symbol(sym_check)[1]

  33.     logger.infox(task, 'skip signing for %s: violation %s found: %s',

  34.         domain, sym_check, sym.options)

  35.     return false

  36.   end

  37. 

  38.   return true

  39. end

  40. 

  41. local function insert_or_update_prop(N, task, p, prop, origin, data)

  42.   if #p == 0 then

  43.     local k = {}

  44.     k[prop] = data

  45.     table.insert(p, k)

  46.     lua_util.debugm(N, task, 'add %s "%s" using %s', prop, data, origin)

  47.   else

  48.     for _, k in ipairs(p) do

  49.       if not k[prop] then

  50.         k[prop] = data

  51.         lua_util.debugm(N, task, 'set %s to "%s" using %s', prop, data, origin)

  52.       end

  53.     end

  54.   end

  55. end

  56. 

  57. local function get_mempool_selectors(N, task)

  58.   local p = {}

  59.   local key_var = "dkim_key"

  60.   local selector_var = "dkim_selector"

  61.   if N == "arc" then

  62.     key_var = "arc_key"

  63.     selector_var = "arc_selector"

  64.   end

  65. 

  66.   p.key = task:get_mempool():get_variable(key_var)

  67.   p.selector = task:get_mempool():get_variable(selector_var)

  68. 

  69.   if (not p.key or not p.selector) then

  70.     return false, {}

  71.   end

  72. 

  73.   lua_util.debugm(N, task, 'override selector and key to %s:%s', p.key, p.selector)

  74.   return true, p

  75. end

  76. 

  77. local function parse_dkim_http_headers(N, task, settings)

  78.   -- Configure headers

  79.   local headers = {

  80.     sign_header = settings.http_sign_header or "PerformDkimSign",

  81.     sign_on_reject_header = settings.http_sign_on_reject_header_header or 'SignOnAuthFailed',

  82.     domain_header = settings.http_domain_header or 'DkimDomain',

  83.     selector_header = settings.http_selector_header or 'DkimSelector',

  84.     key_header = settings.http_key_header or 'DkimPrivateKey'

  85.   }

  86. 

  87.   if task:get_request_header(headers.sign_header) then

  88.     local domain = task:get_request_header(headers.domain_header)

  89.     local selector = task:get_request_header(headers.selector_header)

  90.     local key = task:get_request_header(headers.key_header)

  91. 

  92.     if not (domain and selector and key) then

  93. 

  94.       logger.errx(task, 'missing required headers to sign email')

  95.       return false,{}

  96.     end

  97. 

  98.     -- Now check if we need to check the existing auth

  99.     local hdr = task:get_request_header(headers.sign_on_reject_header)

  100.     if not hdr or tostring(hdr) == '0' or tostring(hdr) == 'false' then

  101.       if not check_violation(N, task, domain, selector) then

  102.         return false, {}

  103.       end

  104.     end

  105. 

  106.     local p = {}

  107.     local k = {

  108.       domain = tostring(domain),

  109.       rawkey = tostring(key),

  110.       selector = tostring(selector),

  111.     }

  112.     table.insert(p, k)

  113.     return true, p

  114.   end

  115. 

  116.   lua_util.debugm(N, task, 'no sign header %s', headers.sign_header)

  117.   return false,{}

  118. end

  119. 

  120. local function prepare_dkim_signing(N, task, settings)

  121.   local is_local, is_sign_networks, is_authed

  122. 

  123.   if settings.use_http_headers then

  124.     local res,tbl = parse_dkim_http_headers(N, task, settings)

  125. 

  126.     if not res then

  127.       if not settings.allow_headers_fallback then

  128.         return res,{}

  129.       else

  130.         lua_util.debugm(N, task, 'failed to read http headers, fallback to normal schema')

  131.       end

  132.     else

  133.       return res,tbl

  134.     end

  135.   end

  136. 

  137.   if settings.sign_condition and type(settings.sign_condition) == 'function' then

  138.     -- Use sign condition only

  139.     local ret = settings.sign_condition(task)

  140. 

  141.     if not ret then

  142.       return false,{}

  143.     end

  144. 

  145.     if ret[1] then

  146.       return true,ret

  147.     else

  148.       return true,{ret}

  149.     end

  150.   end

  151. 

  152.   local auser = task:get_user()

  153.   local ip = task:get_from_ip()

  154. 

  155.   if ip and ip:is_local() then

  156.     is_local = true

  157.   end

  158. 

  159.   local has_pre_result = task:has_pre_result()

  160.   if has_pre_result then

  161.     local metric_action = task:get_metric_action()

  162. 

  163.     if metric_action == 'reject' or metric_action == 'drop' then

  164.       -- No need to sign what we are already rejecting/dropping

  165.       lua_util.debugm(N, task, 'task result is already %s, no need to sign', metric_action)

  166.       return false,{}

  167.     end

  168. 

  169.     if metric_action == 'soft reject' then

  170.       -- Same here, we are going to delay an email, signing is just a waste of time

  171.       lua_util.debugm(N, task, 'task result is %s, skip signing', metric_action)

  172.       return false,{}

  173.     end

  174. 

  175.     -- For spam actions, there is no clear distinction

  176.     if metric_action ~= 'no action' and type(settings.skip_spam_sign) == 'boolean' and settings.skip_spam_sign then

  177.       lua_util.debugm(N, task, 'task result is %s, no need to sign', metric_action)

  178.       return false,{}

  179.     end

  180.   end

  181. 

  182.   if settings.sign_authenticated and auser then

  183.     lua_util.debugm(N, task, 'user is authenticated')

  184.     is_authed = true

  185.   elseif (settings.sign_networks and settings.sign_networks:get_key(ip)) then

  186.     is_sign_networks = true

  187.     lua_util.debugm(N, task, 'mail is from address in sign_networks')

  188.   elseif settings.sign_local and is_local then

  189.     lua_util.debugm(N, task, 'mail is from local address')

  190.   elseif settings.sign_inbound and not is_local and not auser then

  191.     lua_util.debugm(N, task, 'mail was sent to us')

  192.   else

  193.     lua_util.debugm(N, task, 'mail is ineligible for signing')

  194.     return false,{}

  195.   end

  196. 

  197.   local efrom = task:get_from('smtp')

  198.   local empty_envelope = false

  199.   if #(((efrom or E)[1] or E).addr or '') == 0 then

  200.     if not settings.allow_envfrom_empty then

  201.       lua_util.debugm(N, task, 'empty envelope from not allowed')

  202.       return false,{}

  203.     else

  204.       empty_envelope = true

  205.     end

  206.   end

  207. 

  208.   local hfrom = task:get_from('mime')

  209.   if not settings.allow_hdrfrom_multiple and (hfrom or E)[2] then

  210.     lua_util.debugm(N, task, 'multiple header from not allowed')

  211.     return false,{}

  212.   end

  213. 

  214.   local eto = task:get_recipients(0)

  215. 

  216.   local dkim_domain

  217.   local hdom = ((hfrom or E)[1] or E).domain

  218.   local edom = ((efrom or E)[1] or E).domain

  219.   local tdom = ((eto or E)[1] or E).domain

  220.   local udom = string.match(auser or '', '.*@(.*)')

  221. 

  222.   local function get_dkim_domain(dtype)

  223.     if settings[dtype] == 'header' then

  224.       return hdom

  225.     elseif settings[dtype] == 'envelope' then

  226.       return edom

  227.     elseif settings[dtype] == 'auth' then

  228.       return udom

  229.     elseif settings[dtype] == 'recipient' then

  230.       return tdom

  231.     else

  232.       return settings[dtype]:lower()

  233.     end

  234.   end

  235. 

  236.   local function is_skip_sign()

  237.     return not (settings.sign_networks and is_sign_networks) and

  238.         not (settings.sign_authenticated and is_authed) and

  239.         not (settings.sign_local and is_local)

  240.   end

  241. 

  242.   if hdom then

  243.     hdom = hdom:lower()

  244.   end

  245.   if edom then

  246.     edom = edom:lower()

  247.   end

  248.   if udom then

  249.     udom = udom:lower()

  250.   end

  251.   if tdom then

  252.     tdom = tdom:lower()

  253.   end

  254. 

  255.   if settings.signing_table and (settings.key_table or settings.use_vault) then

  256.     -- OpenDKIM style

  257.     if is_skip_sign() then

  258.       lua_util.debugm(N, task,

  259.           'skip signing: is_sign_network: %s, is_authed: %s, is_local: %s',

  260.           is_sign_networks, is_authed, is_local)

  261.       return false,{}

  262.     end

  263. 

  264.     if not hfrom or not hfrom[1] or not hfrom[1].addr then

  265.       lua_util.debugm(N, task,

  266.           'signing_table: cannot get data when no header from is presented')

  267.       return false,{}

  268.     end

  269.     local sign_entry = settings.signing_table:get_key(hfrom[1].addr)

  270. 

  271.     if sign_entry then

  272.       -- Check opendkim style entries

  273.       lua_util.debugm(N, task,

  274.           'signing_table: found entry for %s: %s', hfrom[1].addr, sign_entry)

  275.       if sign_entry == '%' then

  276.         sign_entry = hdom

  277.       end

  278. 

  279.       if settings.key_table then

  280.       -- Now search in key table

  281.       local key_entry = settings.key_table:get_key(sign_entry)

  282. 

  283.         if key_entry then

  284.           local parts = lua_util.str_split(key_entry, ':')

  285. 

  286.           if #parts == 2 then

  287.             -- domain + key

  288.             local selector = settings.selector

  289. 

  290.             if not selector then

  291.               logger.errx(task, 'no selector defined for sign_entry %s, key_entry %s',

  292.                   sign_entry, key_entry)

  293.               return false,{}

  294.             end

  295. 

  296.             local res = {

  297.               selector = selector,

  298.               domain = parts[1]:gsub('%%', hdom)

  299.             }

  300. 

  301.             local st = parts[2]:sub(1, 2)

  302. 

  303.             if st:sub(1, 1) == '/' or st == './' or st == '..' then

  304.               res.key = parts[2]:gsub('%%', hdom)

  305.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, key file=%s',

  306.                   hdom, selector, res.domain, res.key)

  307.             else

  308.               res.rawkey = parts[2] -- No sanity check here

  309.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, raw key used',

  310.                   hdom, selector, res.domain)

  311.             end

  312. 

  313.             return true,{res}

  314.           elseif #parts == 3 then

  315.             -- domain, selector, key

  316.             local selector = parts[2]

  317. 

  318.             local res = {

  319.               selector = selector,

  320.               domain = parts[1]:gsub('%%', hdom)

  321.             }

  322. 

  323.             local st = parts[3]:sub(1, 2)

  324. 

  325.             if st:sub(1, 1) == '/' or st == './' or st == '..' then

  326.               res.key = parts[3]:gsub('%%', hdom)

  327.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, key file=%s',

  328.                   hdom, selector, res.domain, res.key)

  329.             else

  330.               res.rawkey = parts[3] -- No sanity check here

  331.               lua_util.debugm(N, task, 'perform dkim signing for %s, selector=%s, domain=%s, raw key used',

  332.                   hdom, selector, res.domain)

  333.             end

  334. 

  335.             return true,{res}

  336.           else

  337.             logger.errx(task, 'invalid key entry for sign entry %s: %s; when signing %s domain',

  338.                 sign_entry, key_entry, hdom)

  339.             return false,{}

  340.           end

  341.         elseif settings.use_vault then

  342.           -- Sign table is presented, the rest is covered by vault

  343.           lua_util.debugm(N, task, 'check vault for %s, by sign entry %s, key entry is missing',

  344.               hdom, sign_entry)

  345.           return true, {

  346.             domain = sign_entry,

  347.             vault = true

  348.           }

  349.         else

  350.           logger.errx(task, 'missing key entry for sign entry %s; when signing %s domain',

  351.               sign_entry, hdom)

  352.           return false,{}

  353.         end

  354.       else

  355.         logger.errx(task, 'cannot get key entry for signing entry %s, when signing %s domain',

  356.             sign_entry, hdom)

  357.         return false,{}

  358.       end

  359.     else

  360.       lua_util.debugm(N, task,

  361.           'signing_table: no entry for %s', hfrom[1].addr)

  362.       return false,{}

  363.     end

  364.   else

  365.     if settings.use_domain_sign_networks and is_sign_networks then

  366.       dkim_domain = get_dkim_domain('use_domain_sign_networks')

  367.       lua_util.debugm(N, task,

  368.           'sign_networks: use domain(%s) for signature: %s',

  369.           settings.use_domain_sign_networks, dkim_domain)

  370.     elseif settings.use_domain_sign_local and is_local then

  371.       dkim_domain = get_dkim_domain('use_domain_sign_local')

  372.       lua_util.debugm(N, task, 'local: use domain(%s) for signature: %s',

  373.           settings.use_domain_sign_local, dkim_domain)

  374.     elseif settings.use_domain_sign_inbound and not is_local and not auser then

  375.       dkim_domain = get_dkim_domain('use_domain_sign_inbound')

  376.       lua_util.debugm(N, task, 'inbound: use domain(%s) for signature: %s',

  377.           settings.use_domain_sign_inbound, dkim_domain)

  378.     elseif settings.use_domain_custom then

  379.       if type(settings.use_domain_custom) == 'string' then

  380.         -- Load custom function

  381.         local loadstring = loadstring or load

  382.         local ret, res_or_err = pcall(loadstring(settings.use_domain_custom))

  383.         if ret then

  384.           if type(res_or_err) == 'function' then

  385.             settings.use_domain_custom = res_or_err

  386.             dkim_domain = settings.use_domain_custom(task)

  387.             lua_util.debugm(N, task, 'use custom domain for signing: %s',

  388.                 dkim_domain)

  389.           else

  390.             logger.errx(task, 'cannot load dkim domain custom script: invalid type: %s, expected function',

  391.                 type(res_or_err))

  392.             settings.use_domain_custom = nil

  393.           end

  394.         else

  395.           logger.errx(task, 'cannot load dkim domain custom script: %s', res_or_err)

  396.           settings.use_domain_custom = nil

  397.         end

  398.       else

  399.         dkim_domain = settings.use_domain_custom(task)

  400.         lua_util.debugm(N, task, 'use custom domain for signing: %s',

  401.             dkim_domain)

  402.       end

  403.     else

  404.       dkim_domain = get_dkim_domain('use_domain')

  405.       lua_util.debugm(N, task, 'use domain(%s) for signature: %s',

  406.           settings.use_domain, dkim_domain)

  407.     end

  408.   end

  409. 

  410.   if not dkim_domain then

  411.     lua_util.debugm(N, task, 'could not extract dkim domain')

  412.     return false,{}

  413.   end

  414. 

  415.   if settings.use_esld then

  416.     dkim_domain = rspamd_util.get_tld(dkim_domain)

  417.     if hdom then

  418.       hdom = rspamd_util.get_tld(hdom)

  419.     end

  420.     if edom then

  421.       edom = rspamd_util.get_tld(edom)

  422.     end

  423.   end

  424. 

  425.   lua_util.debugm(N, task, 'final DKIM domain: %s', dkim_domain)

  426. 

  427.   -- Sanity checks

  428.   if edom and hdom and not settings.allow_hdrfrom_mismatch and hdom ~= edom then

  429.     if settings.allow_hdrfrom_mismatch_local and is_local then

  430.       lua_util.debugm(N, task, 'domain mismatch allowed for local IP: %1 != %2', hdom, edom)

  431.     elseif settings.allow_hdrfrom_mismatch_sign_networks and is_sign_networks then

  432.       lua_util.debugm(N, task, 'domain mismatch allowed for sign_networks: %1 != %2', hdom, edom)

  433.     else

  434.       if empty_envelope and hdom then

  435.         lua_util.debugm(N, task, 'domain mismatch allowed for empty envelope: %1 != %2', hdom, edom)

  436.       else

  437.         lua_util.debugm(N, task, 'domain mismatch not allowed: %1 != %2', hdom, edom)

  438.         return false,{}

  439.       end

  440.     end

  441.   end

  442. 

  443.   if auser and not settings.allow_username_mismatch then

  444.     if not udom then

  445.       lua_util.debugm(N, task, 'couldnt find domain in username')

  446.       return false,{}

  447.     end

  448.     if settings.use_esld then

  449.       udom = rspamd_util.get_tld(udom)

  450.     end

  451.     if udom ~= dkim_domain then

  452.       lua_util.debugm(N, task, 'user domain mismatch')

  453.       return false,{}

  454.     end

  455.   end

  456. 

  457.   local p = {}

  458. 

  459.   if settings.use_vault then

  460.     if settings.vault_domains then

  461.       if settings.vault_domains:get_key(dkim_domain) then

  462.         return true, {

  463.           domain = dkim_domain,

  464.           vault = true,

  465.         }

  466.       else

  467.         lua_util.debugm(N, task, 'domain %s is not designated for vault',

  468.           dkim_domain)

  469.         return false,{}

  470.       end

  471.     else

  472.       -- TODO: try every domain in the vault

  473.       return true, {

  474.         domain = dkim_domain,

  475.         vault = true,

  476.       }

  477.     end

  478.   end

  479. 

  480.   if settings.domain[dkim_domain] then

  481.     -- support old style selector/paths

  482.     if settings.domain[dkim_domain].selector or

  483.        settings.domain[dkim_domain].path then

  484.       local k = {}

  485.       k.selector = settings.domain[dkim_domain].selector

  486.       k.key = settings.domain[dkim_domain].path

  487.       table.insert(p, k)

  488.     end

  489.     for _, s in ipairs((settings.domain[dkim_domain].selectors or {})) do

  490.       lua_util.debugm(N, task, 'adding selector: %1', s)

  491.       local k = {}

  492.       k.selector = s.selector

  493.       k.key = s.path

  494.       table.insert(p, k)

  495.     end

  496.   end

  497. 

  498.   if #p == 0 then

  499.     local ret, k = get_mempool_selectors(N, task)

  500.     if ret then

  501.       table.insert(p, k)

  502.       lua_util.debugm(N, task, 'using mempool selector %s with key %s',

  503.                       k.selector, k.key)

  504.     end

  505.   end

  506. 

  507.   if settings.selector_map then

  508.     local data = settings.selector_map:get_key(dkim_domain)

  509.     if data then

  510.       insert_or_update_prop(N, task, p, 'selector', 'selector_map', data)

  511.     else

  512.       lua_util.debugm(N, task, 'no selector in map for %s', dkim_domain)

  513.     end

  514.   end

  515. 

  516.   if settings.path_map then

  517.     local data = settings.path_map:get_key(dkim_domain)

  518.     if data then

  519.       insert_or_update_prop(N, task, p, 'key', 'path_map', data)

  520.     else

  521.       lua_util.debugm(N, task, 'no key in map for %s', dkim_domain)

  522.     end

  523.   end

  524. 

  525.   if #p == 0 and not settings.try_fallback then

  526.     lua_util.debugm(N, task, 'dkim unconfigured and fallback disabled')

  527.     return false,{}

  528.   end

  529. 

  530.   if not settings.use_redis then

  531.     insert_or_update_prop(N, task, p, 'key',

  532.         'default path', settings.path)

  533.   end

  534. 

  535.   insert_or_update_prop(N, task, p, 'selector',

  536.         'default selector', settings.selector)

  537. 

  538.   if settings.check_violation then

  539.     if not check_violation(N, task, p.domain) then

  540.       return false,{}

  541.     end

  542.   end

  543. 

  544.   insert_or_update_prop(N, task, p, 'domain', 'dkim_domain',

  545.     dkim_domain)

  546. 

  547.   return true,p

  548. end

  549. 

  550. exports.prepare_dkim_signing = prepare_dkim_signing

  551. 

  552. exports.sign_using_redis = function(N, task, settings, selectors, sign_func, err_func)

  553.   local lua_redis = require "lua_redis"

  554. 

  555.   local function try_redis_key(selector, p)

  556.     p.key = nil

  557.     p.selector = selector

  558.     local rk = string.format('%s.%s', p.selector, p.domain)

  559.     local function redis_key_cb(err, data)

  560.       if err then

  561.         err_func(string.format("cannot make request to load DKIM key for %s: %s",

  562.             rk, err))

  563.       elseif type(data) ~= 'string' then

  564.         lua_util.debugm(N, task, "missing DKIM key for %s", rk)

  565.       else

  566.         p.rawkey = data

  567.         lua_util.debugm(N, task, 'found and parsed key for %s:%s in Redis',

  568.             p.domain, p.selector)

  569.         sign_func(task, p)

  570.       end

  571.     end

  572.     local rret = lua_redis.redis_make_request(task,

  573.         settings.redis_params, -- connect params

  574.         rk, -- hash key

  575.         false, -- is write

  576.         redis_key_cb, --callback

  577.         'HGET', -- command

  578.         {settings.key_prefix, rk} -- arguments

  579.     )

  580.     if not rret then

  581.       err_func(task,

  582.           string.format( "cannot make request to load DKIM key for %s", rk))

  583.     end

  584.   end

  585. 

  586.   for _, p in ipairs(selectors) do

  587.     if settings.selector_prefix then

  588.       logger.infox(task, "using selector prefix '%s' for domain '%s'",

  589.           settings.selector_prefix, p.domain);

  590.       local function redis_selector_cb(err, data)

  591.         if err or type(data) ~= 'string' then

  592.           err_func(task, string.format("cannot make request to load DKIM selector for domain %s: %s",

  593.               p.domain, err))

  594.         else

  595.           try_redis_key(data, p)

  596.         end

  597.       end

  598.       local rret = lua_redis.redis_make_request(task,

  599.           settings.redis_params, -- connect params

  600.           p.domain, -- hash key

  601.           false, -- is write

  602.           redis_selector_cb, --callback

  603.           'HGET', -- command

  604.           {settings.selector_prefix, p.domain} -- arguments

  605.       )

  606.       if not rret then

  607.         err_func(task, string.format("cannot make Redis request to load DKIM selector for domain %s",

  608.             p.domain))

  609.       end

  610.     else

  611.       try_redis_key(p.selector, p)

  612.     end

  613.   end

  614. end

  615. 

  616. exports.sign_using_vault = function(N, task, settings, selectors, sign_func, err_func)

  617.   local http = require "rspamd_http"

  618.   local ucl = require "ucl"

  619. 

  620.   local full_url = string.format('%s/v1/%s/%s',

  621.       settings.vault_url, settings.vault_path or 'dkim', selectors.domain)

  622. 

  623.   local function vault_callback(err, code, body, _)

  624.     if code ~= 200 then

  625.       err_func(task, string.format('cannot request data from the vault url: %s; %s (%s)',

  626.           full_url, err, body))

  627.     else

  628.       local parser = ucl.parser()

  629.       local res,parser_err = parser:parse_string(body)

  630.       if not res then

  631.         err_func(task, string.format('vault reply for %s (data=%s) cannot be parsed: %s',

  632.             full_url, body, parser_err))

  633.       else

  634.         local obj = parser:get_object()

  635. 

  636.         if not obj or not obj.data then

  637.           err_func(task, string.format('vault reply for %s (data=%s) is invalid, no data',

  638.               full_url, body))

  639.         else

  640.           local elts = obj.data.selectors or {}

  641. 

  642.           -- Filter selectors by time/sanity

  643.           local function is_selector_valid(p)

  644.             if not p.key or not p.selector then

  645.               return false

  646.             end

  647. 

  648.             if p.valid_start then

  649.               -- Check start time

  650.               if rspamd_util.get_time() < tonumber(p.valid_start) then

  651.                 return false

  652.               end

  653.             end

  654. 

  655.             if p.valid_end then

  656.               if rspamd_util.get_time() >= tonumber(p.valid_end) then

  657.                 return false

  658.               end

  659.             end

  660. 

  661.             return true

  662.           end

  663.           fun.each(function(p)

  664.             local dkim_sign_data = {

  665.               rawkey = p.key,

  666.               selector = p.selector,

  667.               domain = p.domain or selectors.domain,

  668.               alg = p.alg,

  669.             }

  670.             lua_util.debugm(N, task, 'found and parsed key for %s:%s in Vault',

  671.                 dkim_sign_data.domain, dkim_sign_data.selector)

  672.             sign_func(task, dkim_sign_data)

  673.           end, fun.filter(is_selector_valid, elts))

  674.         end

  675.       end

  676.     end

  677.   end

  678. 

  679.   local ret = http.request{

  680.     task = task,

  681.     url = full_url,

  682.     callback = vault_callback,

  683.     timeout = settings.http_timeout or 5.0,

  684.     no_ssl_verify = settings.no_ssl_verify,

  685.     keepalive = true,

  686.     headers = {

  687.       ['X-Vault-Token'] = settings.vault_token,

  688.     },

  689.   }

  690. 

  691.   if not ret then

  692.     err_func(task, string.format("cannot make HTTP request to load DKIM data domain %s",

  693.         selectors.domain))

  694.   end

  695. end

  696. 

  697. exports.validate_signing_settings = function(settings)

  698.   return settings.use_redis or

  699.       settings.path or

  700.       settings.domain or

  701.       settings.path_map or

  702.       settings.selector_map or

  703.       settings.use_http_headers or

  704.       (settings.signing_table and settings.key_table) or

  705.       (settings.use_vault and settings.vault_url and settings.vault_token) or

  706.       settings.sign_condition

  707. end

  708. 

  709. exports.process_signing_settings = function(N, settings, opts)

  710.   local lua_maps = require "lua_maps"

  711.   -- Used to convert plain options to the maps

  712.   local maps_opts = {

  713.     sign_networks = {'radix', 'DKIM signing networks'},

  714.     path_map = {'map', 'Paths to DKIM signing keys'},

  715.     selector_map = {'map', 'DKIM selectors'},

  716.     signing_table = {'glob', 'DKIM signing table'},

  717.     key_table = {'glob', 'DKIM keys table'},

  718.     vault_domains = {'glob', 'DKIM signing domains in vault'},

  719.     whitelisted_signers_map = {'set', 'ARC trusted signers domains'}

  720.   }

  721.   for k,v in pairs(opts) do

  722.     local maybe_map = maps_opts[k]

  723.     if maybe_map then

  724.       settings[k] = lua_maps.map_add_from_ucl(v, maybe_map[1], maybe_map[2])

  725.     elseif k == 'sign_condition' then

  726.       local ret,f = lua_util.callback_from_string(v)

  727.       if ret then

  728.         settings[k] = f

  729.       else

  730.         logger.errx(rspamd_config, 'cannot load sign condition %s: %s', v, f)

  731.       end

  732.     else

  733.       settings[k] = v

  734.     end

  735.   end

  736. end

  737. 

  738. return exports