# frozen_string_literal: true

# Redmine - project management software
# Copyright (C) 2006-  Jean-Philippe Lang
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

module Redmine
  module MenuManager
    # @private
    # Raised by the menu helpers when a :children Proc hands back something
    # other than an Array of MenuItems.
    MenuError = Class.new(StandardError)

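    module MenuController
      # Gives the including controller a +main_menu+ class attribute (true by
      # default, i.e. render the application menu) and the +menu_item+ macro.
      def self.included(base)
        base.class_attribute :main_menu
        base.main_menu = true

        base.extend(ClassMethods)
      end

      module ClassMethods
        # Registry shared by every controller, keyed by controller name:
        #   {:default => item_name, :actions => {action_name => item_name}}
        # An unregistered controller defaults to an item named after itself.
        @@menu_items = Hash.new {|hash, key| hash[key] = {:default => key, :actions => {}}}
        mattr_accessor :menu_items

        # Set the menu item name for a controller or specific actions
        # Examples:
        #   * menu_item :tickets # => sets the menu name to :tickets for the whole controller
        #   * menu_item :tickets, :only => :list # => sets the menu name to :tickets for the 'list' action only
        #   * menu_item :tickets, :only => [:list, :show] # => sets the menu name to :tickets for 2 actions only
        #
        # The default menu item name for a controller is controller_name by default
        # Eg. the default menu item name for ProjectsController is :projects
        def menu_item(id, options = {})
          registered = menu_items[controller_name.to_sym]
          if (only = options[:only])
            Array(only).each {|action| registered[:actions][action.to_sym] = id}
          else
            registered[:default] = id
          end
        end
      end

      # Registry accessor for instances (see ClassMethods.menu_items)
      def menu_items
        self.class.menu_items
      end

      # Name of the menu to render: :project_menu for a persisted project,
      # :application_menu when the controller keeps the main menu, else nil
      def current_menu(project)
        if project && !project.new_record?
          :project_menu
        elsif self.class.main_menu
          :application_menu
        end
      end

      # Returns the menu item name according to the current action: an
      # action-specific registration first, then the controller default.
      # Memoized on the controller instance. action_name comes from routing;
      # Symbols created dynamically are garbage-collected since Ruby 2.2, so
      # the to_sym here cannot grow the symbol table without bound.
      def current_menu_item
        @current_menu_item ||= begin
          registered = menu_items[controller_name.to_sym]
          registered[:actions][action_name.to_sym] || registered[:default]
        end
      end

      # Redirects user to the menu item
      # Returns false if user is not authorized
      def redirect_to_menu_item(name)
        redirect_to_project_menu_item(nil, name)
      end

      # Redirects to the named item of the project menu (application menu when
      # +project+ is nil) and returns true; returns false, without redirecting,
      # when no such item is registered or User.current is not allowed to see it.
      #
      # +name+ is only compared against registered item names and the target
      # comes from the registered item's url, so a request-supplied name cannot
      # turn this into an open redirect. Hash urls receive the project under the
      # item's :param key; String urls are used as they are; Symbol urls (view
      # helper names, resolved only in MenuHelper#extract_node_details) are
      # handed to redirect_to unchanged.
      def redirect_to_project_menu_item(project, name)
        menu = project.nil? ? :application_menu : :project_menu
        item = Redmine::MenuManager.items(menu).detect {|i| i.name.to_s == name.to_s}
        return false unless item && item.allowed?(User.current, project)

        url = item.url
        # Only a Hash can carry the project id; merging into a String url
        # raised TypeError before this guard.
        url = {item.param => project}.merge(url) if project && url.is_a?(Hash)
        redirect_to url
        true
      end
    end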

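    module MenuHelper
      # Returns the current menu item name (delegates to the controller)
      def current_menu_item
        controller.current_menu_item
      end

      # Renders the main menu (project or application) for +project+; nil when
      # the controller has no menu for this context
      def render_main_menu(project)
        menu_name = controller.current_menu(project)
        render_menu(menu_name, project) if menu_name
      end

      # True when there is a menu for this context and it has at least one item
      def display_main_menu?(project)
        menu_name = controller.current_menu(project)
        menu_name.present? && Redmine::MenuManager.items(menu_name).children.present?
      end

      # Renders +menu+ as a <ul> of the top-level items User.current is allowed
      # to see, or nil when none is visible
      def render_menu(menu, project=nil)
        links = []
        menu_items_for(menu, project) {|node| links << render_menu_node(node, project)}
        return nil if links.empty?

        # Every entry is helper output that is already escaped, so marking the
        # concatenation safe does not bypass escaping.
        content_tag('ul', links.join.html_safe)
      end

      # Renders one item as an <li>, with a nested list when it has static
      # children or a :children Proc
      def render_menu_node(node, project=nil)
        return render_menu_node_with_children(node, project) if node.children.present? || !node.child_menus.nil?

        caption, url, selected = extract_node_details(node, project)
        content_tag('li', render_single_menu_node(node, caption, url, selected))
      end

      # Renders an item followed by its allowed static children and, when a
      # :children Proc is set, its dynamically computed children
      def render_menu_node_with_children(node, project=nil)
        caption, url, selected = extract_node_details(node, project)

        parts = ['<li>', render_single_menu_node(node, caption, url, selected)]

        # Static children, declared with :parent
        static_children = "".html_safe
        node.children.each do |child|
          static_children << render_menu_node(child, project) if allowed_node?(child, User.current, project)
        end
        parts << content_tag(:ul, static_children, :class => 'menu-children') unless static_children.empty?

        # Children computed at render time by the :children Proc
        dynamic_children = render_unattached_children_menu(node, project)
        parts << content_tag(:ul, dynamic_children, :class => 'menu-children unattached') unless dynamic_children.blank?

        parts << '</li>'
        # Only literal tags and escaped helper output are joined here
        parts.join("\n").html_safe
      end

      # Returns the <li> list for the items produced by the node's :children
      # Proc (nil when the node has none). Raises MenuError unless the Proc
      # returns an Array of MenuItems.
      def render_unattached_children_menu(node, project)
        return nil unless node.child_menus

        unattached = node.child_menus.call(project)
        # Tree nodes respond to #each as well, so check the concrete type
        raise MenuError, ":child_menus must be an array of MenuItems" unless unattached.is_a?(Array)

        unattached.each_with_object("".html_safe) do |child, html|
          next unless allowed_node?(child, User.current, project)

          html << content_tag(:li, render_unattached_menu_item(child, project))
        end
      end

      # Renders the link for one item. +caption+ is always HTML-escaped here;
      # +url+ comes from extract_node_details.
      def render_single_menu_node(item, caption, url, selected)
        options = item.html_options(:selected => selected)

        # Virtual nodes only exist to group their children: give the link a
        # no-op target unless the item's own html options define one.
        # NOTE(review): this inline onclick handler is blocked by a
        # Content-Security-Policy that does not allow 'unsafe-inline' scripts.
        if url.blank?
          url = '#'
          options.reverse_merge!(:onclick => 'return false;')
        end

        label =
          if item.icon.present?
            sprite_icon(item.icon, h(caption), plugin: item.plugin)
          else
            h(caption)
          end

        link_to(label, use_absolute_controller(url), options)
      end

      # Renders the link for an item produced by a :children Proc, or nil when
      # User.current is not allowed to see it. Raises MenuError for anything
      # that is not a MenuItem.
      def render_unattached_menu_item(menu_item, project)
        raise MenuError, ":child_menus must be an array of MenuItems" unless menu_item.is_a? MenuItem
        return nil unless menu_item.allowed?(User.current, project)

        # Pass the project so Proc captions see it, as extract_node_details
        # does; link_to escapes the caption unless it is already html_safe.
        link_to(menu_item.caption(project), use_absolute_controller(menu_item.url), menu_item.html_options)
      end

      # Top-level items of +menu+ that User.current is allowed to see: yielded
      # one by one when a block is given (then returns nil), else returned as
      # an Array
      def menu_items_for(menu, project=nil)
        visible = Redmine::MenuManager.items(menu).root.children.select do |node|
          node.allowed?(User.current, project)
        end
        return visible unless block_given?

        visible.each {|node| yield node}
        nil
      end

      # Returns [caption, url, selected] for +node+ in the context of +project+.
      # Hash urls get the project under the item's :param key (the url's own
      # keys win); Symbol urls name a helper that is called with the project.
      # The Symbol is dispatched with #send, which also reaches private
      # helpers: menu urls come from boot-time registration (Mapper#push),
      # never from request data, and must stay that way.
      def extract_node_details(node, project=nil)
        url =
          case node.url
          when Hash
            project ? {node.param => project}.merge(node.url) : node.url
          when Symbol
            project ? send(node.url, project) : send(node.url)
          else
            node.url
          end
        [node.caption(project), url, current_menu_item == node.name]
      end

      # See MenuItem#allowed?
      # Raises MenuError for anything that is not a MenuItem.
      def allowed_node?(node, user, project)
        raise MenuError, ":child_menus must be an array of MenuItems" unless node.is_a? MenuItem

        node.allowed?(user, project)
      end

      # Prevent hash type URLs (e.g. {controller: 'foo', action: 'bar}) from being namespaced
      # when menus are rendered from views in namespaced controllers in plugins or engines.
      # Returns a copy rather than rewriting the hash in place: without a project,
      # extract_node_details hands over the registered item's own url, a
      # long-lived object that MenuItem#allowed? later passes to User#allowed_to?.
      def use_absolute_controller(url)
        return url unless url.is_a?(Hash) && url[:controller].present? && !url[:controller].start_with?('/')

        url.merge(:controller => "/#{url[:controller]}")
      end
    end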

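    class << self
      # Registers (or extends) the menu called +menu_name+. Yields a Mapper
      # when a block is given, otherwise returns it.
      def map(menu_name)
        @items ||= {}
        mapper = Mapper.new(menu_name.to_sym, @items)
        return mapper unless block_given?

        yield mapper
      end

      # Returns the root node of +menu_name+, or an empty root for a menu that
      # is unknown or not mapped yet (previously raised NoMethodError on nil
      # when called before the first #map).
      def items(menu_name)
        (@items || {})[menu_name.to_sym] || MenuNode.new(:root, {})
      end
    end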

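    class Mapper
      attr_reader :menu, :menu_items

      # Binds the mapper to the tree registered under +menu+ in +items+,
      # creating an empty root when the menu is new
      def initialize(menu, items)
        items[menu] ||= MenuNode.new(:root, {})
        @menu = menu
        @menu_items = items[menu]
      end

      # Adds an item at the end of the menu. Available options:
      # * param: the parameter name that is used for the project id (default is :id)
      # * if: a Proc that is called before rendering the item, the item is displayed only if it returns true
      # * caption that can be:
      #   * a localized string Symbol
      #   * a String
      #   * a Proc that can take the project as argument
      # * before, after: specify where the menu item should be inserted (eg. :after => :activity)
      # * parent: menu item will be added as a child of another named menu (eg. :parent => :issues)
      # * children: a Proc that is called before rendering the item. The Proc should return an array of MenuItems, which will be added as children to this item.
      #   eg. :children => Proc.new {|project| [Redmine::MenuManager::MenuItem.new(...)] }
      # * last: menu item will stay at the end (eg. :last => true)
      # * html_options: a hash of html options that are passed to link_to
      #
      # An existing item with the same name under the same parent is replaced.
      # :first, :before and :after win over :last, in that order; an unknown
      # :parent, :before or :after falls back to appending under the root.
      # The index for :before/:after is taken from the named item's own
      # parent, so name a sibling of the item being added.
      def push(name, url, options={})
        options = options.dup

        target_root = (options[:parent] && find(options[:parent])) || @menu_items.root

        # Replace any item of the same name under this parent. Going through
        # #remove! keeps last_items_count in step with the children (a plain
        # reject! left a stale count behind).
        target_root.children.select {|item| item.name == name}.each {|stale| target_root.remove!(stale)}

        first = options.delete(:first)
        before = options.delete(:before)
        after = options.delete(:after)
        item = MenuItem.new(name, url, options) # :last stays in options, MenuItem reads it

        if first
          target_root.prepend(item)
        elsif before
          exists?(before) ? target_root.add_at(item, position_of(before)) : target_root.add(item)
        elsif after
          exists?(after) ? target_root.add_at(item, position_of(after) + 1) : target_root.add(item)
        elsif options[:last]
          target_root.add_last(item)
        else
          target_root.add(item)
        end
      end

      # Removes the named item from wherever it sits in the tree
      def delete(name)
        found = find(name)
        return unless found

        # Detach from the item's actual parent: the root's #remove! only
        # touches direct children, so an item nested with :parent would
        # otherwise stay in the tree.
        (found.parent || @menu_items).remove!(found)
      end

      # Checks if a menu item exists anywhere in the tree
      def exists?(name)
        !find(name).nil?
      end

      # Returns the first node named +name+ (pre-order), or nil
      def find(name)
        @menu_items.find {|node| node.name == name}
      end

      # Index of the named item among its parent's children, or nil when the
      # name is unknown (callers guard with #exists?)
      def position_of(name)
        find(name)&.position
      end
    end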

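    class MenuNode
      include Enumerable
      attr_accessor :parent
      attr_reader :last_items_count, :name

      # A node of a menu tree. Children keep insertion order, except that
      # nodes appended with #add_last stay behind those added with #add
      # (tracked by last_items_count). +content+ is accepted for
      # compatibility and ignored.
      def initialize(name, content = nil)
        @name = name
        @children = []
        @last_items_count = 0
      end

      # Yields each direct child when given a block; otherwise returns the
      # children Array itself (callers such as Mapper#push mutate it).
      def children
        return @children unless block_given?

        @children.each {|child| yield child}
      end

      # Returns the number of descendants + 1 (this node)
      def size
        @children.sum(&:size) + 1
      end

      # Pre-order traversal: this node first, then every descendant
      def each(&block)
        yield self
        @children.each {|child| child.each(&block)}
      end

      # Adds a child at first position
      def prepend(child)
        add_at(child, 0)
      end

      # Adds a child at given position and makes this node its parent
      def add_at(child, position)
        @children.insert(position, child)
        child.parent = self
        child
      end

      # Adds a child as last child; later #add calls insert before it
      def add_last(child)
        add_at(child, -1)
        @last_items_count += 1
        child
      end

      # Adds a child behind the regular children but before the "last" ones
      def add(child)
        add_at(child, @children.size - @last_items_count)
      end
      alias :<< :add

      # Removes a direct child and detaches it. Returns the child, or nil
      # when +child+ is nil or not a direct child (nothing is touched then).
      def remove!(child)
        return nil unless child && @children.delete(child)

        # Only items appended with #add_last are counted; plain MenuNodes have
        # no #last, and the count is clamped at zero so #add keeps inserting
        # at a valid index even if an item was flagged :last but placed with
        # :first/:before/:after.
        if child.respond_to?(:last) && child.last
          @last_items_count = [@last_items_count - 1, 0].max
        end
        child.parent = nil
        child
      end

      # Returns the position for this node in its parent (nil when detached)
      def position
        parent&.children&.index(self)
      end

      # Returns the root for this node
      def root
        node = self
        node = node.parent while node.parent
        node
      end
    end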

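    class MenuItem < MenuNode
      include Redmine::I18n
      attr_reader :name, :url, :param, :condition, :parent,
                  :child_menus, :last, :permission, :icon, :plugin

      # Builds a menu entry (see Mapper#push for the option list).
      #
      # +url+ is a Hash of route options, a Symbol naming a view helper
      # (resolved by MenuHelper#extract_node_details), or a String. A blank
      # url makes a virtual node that only exists to group its children.
      #
      # Raises ArgumentError when :if or :children is not callable, :html is
      # not a Hash, or :parent names the item itself.
      def initialize(name, url, options={})
        if options[:if] && !options[:if].respond_to?(:call)
          raise ArgumentError, "Invalid option :if for menu item '#{name}'"
        end
        if options[:html] && !options[:html].is_a?(Hash)
          raise ArgumentError, "Invalid option :html for menu item '#{name}'"
        end
        if options[:parent] == name.to_sym
          raise ArgumentError, "Cannot set the :parent to be the same as this item"
        end
        if options[:children] && !options[:children].respond_to?(:call)
          raise ArgumentError, "Invalid option :children for menu item '#{name}'"
        end

        @name = name
        @url = url
        @condition = options[:if]
        # Three states, all consumed by #allowed?:
        #   nil   - option not given: a Hash url is checked with User#allowed_to?(url, project)
        #   false - :permission given as nil/false: no permission check at all
        #   other - checked with User#allowed_to?(permission, project)
        @permission = options[:permission]
        @permission ||= false if options.key?(:permission)
        @param = options[:param] || :id
        @caption = options[:caption]
        @icon = options[:icon]
        # Copy the caller's hash: a literal reused across several push calls
        # would otherwise be shared by all those items, and the class appended
        # below would accumulate from one item into the next.
        @html_options = (options[:html] || {}).dup
        # Adds a unique class to each menu item based on its name
        @html_options[:class] = [@html_options[:class], @name.to_s.dasherize].compact.join(' ')
        # Holds the :parent option (a name) until Mapper attaches the item;
        # MenuNode#add_at then overwrites it with the parent node through the
        # inherited writer.
        @parent = options[:parent]
        @child_menus = options[:children]
        @last = options[:last] || false
        @plugin = options[:plugin]
        super(@name.to_sym)
      end

      # Caption shown for the item: a Proc is called with +project+ (falling
      # back to the humanized name when it returns blank), a Symbol is
      # translated, a String is used as is, and nil means the label_<name>
      # translation or the humanized name.
      def caption(project=nil)
        case @caption
        when Proc
          text = @caption.call(project).to_s
          text.blank? ? @name.to_s.humanize : text
        when nil
          l_or_humanize(name, :prefix => 'label_')
        when Symbol
          l(@caption)
        else
          @caption
        end
      end

      # HTML attributes for the link; with :selected => true a copy with the
      # 'selected' class appended is returned and the item's own hash is left
      # untouched.
      def html_options(options={})
        return @html_options unless options[:selected]

        selected = @html_options.dup
        selected[:class] += ' selected'
        selected
      end

      # Checks if +user+ may see this item in the context of +project+:
      #
      # * Blank url (virtual node): allowed when at least one child, static or
      #   produced by :children, is allowed.
      # * Otherwise a permission is checked only when both +user+ and
      #   +project+ are given:
      #   - :permission set            => User#allowed_to?(permission, project)
      #   - :permission absent, Hash url => User#allowed_to?(url, project)
      #   - :permission false, or a String/Symbol url without :permission
      #                                => no permission check
      #   With +project+ nil (application menu) nothing is checked here.
      # * Finally the :if condition, when present, must return true.
      #
      # NOTE(review): a project-menu item registered with a String url and no
      # :permission is therefore not gated by any permission; give such items
      # an explicit :permission or :if.
      def allowed?(user, project)
        if url.blank?
          # this is a virtual node that is only there for its children to be displayed in the menu
          # it is considered an allowed node if at least one of the children is allowed
          candidates = children
          candidates += child_menus.call(project) if child_menus
          return false unless candidates.any? {|child| child.allowed?(user, project)}
        elsif user && project
          if permission
            return false unless user.allowed_to?(permission, project)
          elsif permission.nil? && url.is_a?(Hash)
            return false unless user.allowed_to?(url, project)
          end
        end

        # Condition that doesn't pass
        return false if condition && !condition.call(project)

        true
      end
    end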
  end
end
w"> (value); } else { dkim_module_ctx->symbol_reject = DEFAULT_SYMBOL_REJECT; } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "symbol_tempfail")) != NULL) { dkim_module_ctx->symbol_tempfail = ucl_object_tostring (value); } else { dkim_module_ctx->symbol_tempfail = DEFAULT_SYMBOL_TEMPFAIL; } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "symbol_allow")) != NULL) { dkim_module_ctx->symbol_allow = ucl_object_tostring (value); } else { dkim_module_ctx->symbol_allow = DEFAULT_SYMBOL_ALLOW; } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "symbol_na")) != NULL) { dkim_module_ctx->symbol_na = ucl_object_tostring (value); } else { dkim_module_ctx->symbol_na = DEFAULT_SYMBOL_NA; } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "symbol_permfail")) != NULL) { dkim_module_ctx->symbol_permfail = ucl_object_tostring (value); } else { dkim_module_ctx->symbol_permfail = DEFAULT_SYMBOL_PERMFAIL; } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "dkim_cache_size")) != NULL) { cache_size = ucl_object_toint (value); } else { cache_size = DEFAULT_CACHE_SIZE; } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "sign_cache_size")) != NULL) { sign_cache_size = ucl_object_toint (value); } else { sign_cache_size = 128; } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "time_jitter")) != NULL) { dkim_module_ctx->time_jitter = ucl_object_todouble (value); } else { dkim_module_ctx->time_jitter = DEFAULT_TIME_JITTER; } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "max_sigs")) != NULL) { dkim_module_ctx->max_sigs = ucl_object_toint (value); } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "whitelist")) != NULL) { rspamd_config_radix_from_ucl (cfg, value, "DKIM whitelist", &dkim_module_ctx->whitelist_ip, NULL, NULL, "dkim whitelist"); } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "domains")) != NULL) { if (!rspamd_map_add_from_ucl (cfg, value, "DKIM domains", rspamd_kv_list_read, rspamd_kv_list_fin, 
rspamd_kv_list_dtor, (void **)&dkim_module_ctx->dkim_domains, NULL, RSPAMD_MAP_DEFAULT)) { msg_warn_config ("cannot load dkim domains list from %s", ucl_object_tostring (value)); } else { got_trusted = TRUE; } } if (!got_trusted && (value = rspamd_config_get_module_opt (cfg, "dkim", "trusted_domains")) != NULL) { if (!rspamd_map_add_from_ucl (cfg, value, "DKIM domains", rspamd_kv_list_read, rspamd_kv_list_fin, rspamd_kv_list_dtor, (void **)&dkim_module_ctx->dkim_domains, NULL, RSPAMD_MAP_DEFAULT)) { msg_warn_config ("cannot load dkim domains list from %s", ucl_object_tostring (value)); if (validate) { return FALSE; } } else { got_trusted = TRUE; } } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "strict_multiplier")) != NULL) { dkim_module_ctx->strict_multiplier = ucl_object_toint (value); } else { dkim_module_ctx->strict_multiplier = 1; } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "trusted_only")) != NULL) { dkim_module_ctx->trusted_only = ucl_object_toboolean (value); } else { dkim_module_ctx->trusted_only = FALSE; } if ((value = rspamd_config_get_module_opt (cfg, "dkim", "sign_headers")) != NULL) { dkim_module_ctx->sign_headers = ucl_object_tostring (value); } if ((value = rspamd_config_get_module_opt (cfg, "arc", "sign_headers")) != NULL) { dkim_module_ctx->arc_sign_headers = ucl_object_tostring (value); } if (cache_size > 0) { dkim_module_ctx->dkim_hash = rspamd_lru_hash_new ( cache_size, g_free, dkim_module_key_dtor); rspamd_mempool_add_destructor (cfg->cfg_pool, (rspamd_mempool_destruct_t)rspamd_lru_hash_destroy, dkim_module_ctx->dkim_hash); } if (sign_cache_size > 0) { dkim_module_ctx->dkim_sign_hash = rspamd_lru_hash_new ( sign_cache_size, g_free, (GDestroyNotify) rspamd_dkim_sign_key_unref); rspamd_mempool_add_destructor (cfg->cfg_pool, (rspamd_mempool_destruct_t)rspamd_lru_hash_destroy, dkim_module_ctx->dkim_sign_hash); } if (dkim_module_ctx->trusted_only && !got_trusted) { msg_err_config ("trusted_only option is set and no trusted 
domains are defined"); if (validate) { return FALSE; } } else { if (!rspamd_config_is_module_enabled (cfg, "dkim")) { return TRUE; } cb_id = rspamd_symcache_add_symbol (cfg->cache, "DKIM_CHECK", 0, dkim_symbol_callback, NULL, SYMBOL_TYPE_CALLBACK, -1); rspamd_config_add_symbol (cfg, "DKIM_CHECK", 0.0, "DKIM check callback", "policies", RSPAMD_SYMBOL_FLAG_IGNORE_METRIC, 1, 1); rspamd_config_add_symbol_group (cfg, "DKIM_CHECK", "dkim"); rspamd_symcache_add_symbol (cfg->cache, dkim_module_ctx->symbol_reject, 0, NULL, NULL, SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE, cb_id); rspamd_symcache_add_symbol (cfg->cache, dkim_module_ctx->symbol_na, 0, NULL, NULL, SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE, cb_id); rspamd_symcache_add_symbol (cfg->cache, dkim_module_ctx->symbol_permfail, 0, NULL, NULL, SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE, cb_id); rspamd_symcache_add_symbol (cfg->cache, dkim_module_ctx->symbol_tempfail, 0, NULL, NULL, SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE, cb_id); rspamd_symcache_add_symbol (cfg->cache, dkim_module_ctx->symbol_allow, 0, NULL, NULL, SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_FINE, cb_id); rspamd_symcache_add_symbol (cfg->cache, "DKIM_TRACE", 0, NULL, NULL, SYMBOL_TYPE_VIRTUAL | SYMBOL_TYPE_NOSTAT, cb_id); rspamd_config_add_symbol (cfg, "DKIM_TRACE", 0.0, "DKIM trace symbol", "policies", RSPAMD_SYMBOL_FLAG_IGNORE_METRIC, 1, 1); rspamd_config_add_symbol_group (cfg, "DKIM_TRACE", "dkim"); msg_info_config ("init internal dkim module"); #ifndef HAVE_OPENSSL msg_warn_config ( "openssl is not found so dkim rsa check is disabled, only check body hash, it is NOT safe to trust these results"); #endif } return res; } /** * Grab a private key from the cache * or from the key content provided */ rspamd_dkim_sign_key_t * dkim_module_load_key_format (struct rspamd_task *task, struct dkim_ctx *dkim_module_ctx, const gchar *key, gsize keylen, enum rspamd_dkim_key_format key_format) { guchar h[rspamd_cryptobox_HASHBYTES], hex_hash[rspamd_cryptobox_HASHBYTES * 2 + 1]; 
rspamd_dkim_sign_key_t *ret = NULL; GError *err = NULL; struct stat st; memset (hex_hash, 0, sizeof (hex_hash)); rspamd_cryptobox_hash (h, key, keylen, NULL, 0); rspamd_encode_hex_buf (h, sizeof (h), hex_hash, sizeof (hex_hash)); if (dkim_module_ctx->dkim_sign_hash) { ret = rspamd_lru_hash_lookup (dkim_module_ctx->dkim_sign_hash, hex_hash, time (NULL)); } /* * This fails for paths that are also valid base64. * Maybe the caller should have specified a format. */ if (key_format == RSPAMD_DKIM_KEY_UNKNOWN) { if (key[0] == '.' || key[0] == '/') { if (!rspamd_cryptobox_base64_is_valid (key, keylen)) { key_format = RSPAMD_DKIM_KEY_FILE; } } else if (rspamd_cryptobox_base64_is_valid (key, keylen)) { key_format = RSPAMD_DKIM_KEY_BASE64; } } if (ret != NULL && key_format == RSPAMD_DKIM_KEY_FILE) { msg_debug_task("checking for stale file key"); if (stat (key, &st) != 0) { msg_err_task("cannot stat key file: %s", strerror (errno)); return NULL; } if (rspamd_dkim_sign_key_maybe_invalidate (ret, st.st_mtime)) { msg_debug_task("removing stale file key"); /* * Invalidate DKIM key * removal from lru cache also cleanup the key and value */ if (dkim_module_ctx->dkim_sign_hash) { rspamd_lru_hash_remove (dkim_module_ctx->dkim_sign_hash, hex_hash); } ret = NULL; } } /* found key; done */ if (ret != NULL) { return ret; } ret = rspamd_dkim_sign_key_load (key, keylen, key_format, &err); if (ret == NULL) { msg_err_task ("cannot load dkim key %s: %e", key, err); g_error_free (err); } else if (dkim_module_ctx->dkim_sign_hash) { rspamd_lru_hash_insert (dkim_module_ctx->dkim_sign_hash, g_strdup (hex_hash), ret, time (NULL), 0); } return ret; } static gint lua_dkim_sign_handler (lua_State *L) { struct rspamd_task *task = lua_check_task (L, 1); gint64 arc_idx = 0, expire = 0; enum rspamd_dkim_type sign_type = RSPAMD_DKIM_NORMAL; GError *err = NULL; GString *hdr; GList *sigs = NULL; const gchar *selector = NULL, *domain = NULL, *key = NULL, *rawkey = NULL, *headers = NULL, *sign_type_str = NULL, 
*arc_cv = NULL, *pubkey = NULL; rspamd_dkim_sign_context_t *ctx; rspamd_dkim_sign_key_t *dkim_key; gsize rawlen = 0, keylen = 0; gboolean no_cache = FALSE, strict_pubkey_check = FALSE; struct dkim_ctx *dkim_module_ctx; luaL_argcheck (L, lua_type (L, 2) == LUA_TTABLE, 2, "'table' expected"); /* * Get the following elements: * - selector * - domain * - key */ if (!rspamd_lua_parse_table_arguments (L, 2, &err, RSPAMD_LUA_PARSE_ARGUMENTS_DEFAULT, "key=V;rawkey=V;*domain=S;*selector=S;no_cache=B;headers=S;" "sign_type=S;arc_idx=I;arc_cv=S;expire=I;pubkey=S;" "strict_pubkey_check=B", &keylen, &key, &rawlen, &rawkey, &domain, &selector, &no_cache, &headers, &sign_type_str, &arc_idx, &arc_cv, &expire, &pubkey, &strict_pubkey_check)) { msg_err_task ("cannot parse table arguments: %e", err); g_error_free (err); lua_pushboolean (L, FALSE); return 1; } dkim_module_ctx = dkim_get_context (task->cfg); if (key) { dkim_key = dkim_module_load_key_format (task, dkim_module_ctx, key, keylen, RSPAMD_DKIM_KEY_UNKNOWN); } else if (rawkey) { dkim_key = dkim_module_load_key_format (task, dkim_module_ctx, rawkey, rawlen, RSPAMD_DKIM_KEY_UNKNOWN); } else { msg_err_task ("neither key nor rawkey are specified"); lua_pushboolean (L, FALSE); return 1; } if (dkim_key == NULL) { lua_pushboolean (L, FALSE); return 1; } if (sign_type_str) { if (strcmp (sign_type_str, "dkim") == 0) { sign_type = RSPAMD_DKIM_NORMAL; if (headers == NULL) { headers = dkim_module_ctx->sign_headers; } } else if (strcmp (sign_type_str, "arc-sign") == 0) { sign_type = RSPAMD_DKIM_ARC_SIG; if (headers == NULL) { headers = dkim_module_ctx->arc_sign_headers; } if (arc_idx == 0) { lua_settop (L, 0); return luaL_error (L, "no arc idx specified"); } } else if (strcmp (sign_type_str, "arc-seal") == 0) { sign_type = RSPAMD_DKIM_ARC_SEAL; if (arc_cv == NULL) { lua_settop (L, 0); return luaL_error (L, "no arc cv specified"); } if (arc_idx == 0) { lua_settop (L, 0); return luaL_error (L, "no arc idx specified"); } } else { lua_settop 
(L, 0); return luaL_error (L, "unknown sign type: %s", sign_type_str); } } else { /* Unspecified sign type, assume plain dkim */ if (headers == NULL) { headers = dkim_module_ctx->sign_headers; } } if (pubkey != NULL) { /* Also check if private and public keys match */ rspamd_dkim_key_t *pk; keylen = strlen (pubkey); pk = rspamd_dkim_parse_key (pubkey, &keylen, NULL); if (pk == NULL) { if (strict_pubkey_check) { msg_err_task ("cannot parse pubkey from string: %s, skip signing", pubkey); lua_pushboolean (L, FALSE); return 1; } else { msg_warn_task ("cannot parse pubkey from string: %s", pubkey); } } else { GError *te = NULL; /* We have parsed the key, so try to check keys */ if (!rspamd_dkim_match_keys (pk, dkim_key, &te)) { if (strict_pubkey_check) { msg_err_task ("public key for %s/%s does not match private " "key: %e, skip signing", domain, selector, te); g_error_free (te); lua_pushboolean (L, FALSE); rspamd_dkim_key_unref (pk); return 1; } else { msg_warn_task ("public key for %s/%s does not match private " "key: %e", domain, selector, te); g_error_free (te); } } rspamd_dkim_key_unref (pk); } } ctx = rspamd_create_dkim_sign_context (task, dkim_key, DKIM_CANON_RELAXED, DKIM_CANON_RELAXED, headers, sign_type, &err); if (ctx == NULL) { msg_err_task ("cannot create sign context: %e", err); g_error_free (err); lua_pushboolean (L, FALSE); return 1; } hdr = rspamd_dkim_sign (task, selector, domain, 0, expire, arc_idx, arc_cv, ctx); if (hdr) { if (!no_cache) { sigs = rspamd_mempool_get_variable (task->task_pool, "dkim-signature"); if (sigs == NULL) { sigs = g_list_append (sigs, hdr); rspamd_mempool_set_variable (task->task_pool, "dkim-signature", sigs, dkim_module_free_list); } else { sigs = g_list_append (sigs, hdr); (void)sigs; } } lua_pushboolean (L, TRUE); lua_pushlstring (L, hdr->str, hdr->len); if (no_cache) { g_string_free (hdr, TRUE); } return 2; } lua_pushboolean (L, FALSE); lua_pushnil (L); return 2; } gint dkim_module_reconfig (struct rspamd_config *cfg) { 
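return dkim_module_config (cfg, false);
}

/*
 * Parse the per-domain strict value taken from the `dkim_domains` map.
 *
 * Expected format: '<deny_multiplier>:<allow_multiplier>' — the number before
 * the colon scales the reject symbol, the number after it scales the allow
 * symbol. Each part must be fully consumed by strtod() (no trailing garbage).
 *
 * Returns TRUE and stores both multipliers on success. Returns FALSE and
 * leaves `allow` and `deny` untouched otherwise; the caller then falls back
 * to the global strict_multiplier.
 */
static gboolean
dkim_module_parse_strict (const gchar *value, gdouble *allow, gdouble *deny)
{
	const gchar *colon;
	gchar *err = NULL;
	gdouble deny_val, allow_val;
	gchar numbuf[64];

	colon = strchr (value, ':');

	if (colon == NULL) {
		return FALSE;
	}

	/* Deny multiplier: the part before the colon, bounded by numbuf */
	rspamd_strlcpy (numbuf, value, MIN (sizeof (numbuf), (colon - value) + 1));
	deny_val = strtod (numbuf, &err);

	if (err != NULL && *err != '\0') {
		/* Trailing garbage in the first field */
		return FALSE;
	}

	/* Allow multiplier: everything after the colon */
	colon ++;
	rspamd_strlcpy (numbuf, colon, sizeof (numbuf));
	err = NULL;
	allow_val = strtod (numbuf, &err);

	if (err != NULL && *err != '\0') {
		return FALSE;
	}

	/* Only publish both values once both fields parsed cleanly */
	*deny = deny_val;
	*allow = allow_val;

	return TRUE;
}

/*
 * Verify every signature in the check list whose key has arrived and, once
 * every signature has a result, insert the DKIM symbols for the task.
 *
 * Called from dkim_symbol_callback() after the list has been built and again
 * from dkim_module_key_handler() each time an asynchronous key lookup
 * completes. Only a call that observes a complete list reports results.
 * Entries with a NULL ctx (unparsable or deliberately skipped signatures) are
 * ignored everywhere; an entry with a ctx but no result means "still waiting
 * for a key" and keeps the list incomplete.
 *
 * NOTE(review): nothing makes the reporting step idempotent. If a key handler
 * could run synchronously while dkim_symbol_callback() is still appending
 * entries, a partial list might be reported and the symbols inserted twice;
 * a "reported" flag on the head entry would close that — confirm whether the
 * resolver can ever call back synchronously before relying on this.
 */
static void
dkim_module_check (struct dkim_check_result *res)
{
	gboolean all_done = TRUE;
	const gchar *strict_value;
	struct dkim_check_result *first, *cur = NULL;
	struct dkim_ctx *dkim_module_ctx = dkim_get_context (res->task->cfg);
	struct rspamd_task *task = res->task;

	first = res->first;

	/* Verify every signature that has a key and has not been checked yet */
	DL_FOREACH (first, cur) {
		if (cur->ctx == NULL || cur->key == NULL || cur->res != NULL) {
			continue;
		}

		cur->res = rspamd_dkim_check (cur->ctx, cur->key, task);

		if (dkim_module_ctx->dkim_domains != NULL) {
			/* Per-domain strict multipliers override the defaults */
			const gchar *domain = rspamd_dkim_get_domain (cur->ctx);

			strict_value = rspamd_match_hash_map (dkim_module_ctx->dkim_domains,
					domain, strlen (domain));

			if (strict_value != NULL &&
					!dkim_module_parse_strict (strict_value,
							&cur->mult_allow, &cur->mult_deny)) {
				/* Malformed map value: use the global multiplier for both */
				cur->mult_allow = dkim_module_ctx->strict_multiplier;
				cur->mult_deny = dkim_module_ctx->strict_multiplier;
			}
		}
	}

	/* Anything with a context but no result is still waiting for its key */
	DL_FOREACH (first, cur) {
		if (cur->ctx != NULL && cur->res == NULL) {
			all_done = FALSE;
			break;
		}
	}

	if (all_done) {
		/* NULL-terminated array of results, published for other modules */
		struct rspamd_dkim_check_result **pres;
		guint nres = 0, i = 0;

		DL_FOREACH (first, cur) {
			if (cur->ctx != NULL && cur->res != NULL) {
				nres ++;
			}
		}

		pres = rspamd_mempool_alloc (task->task_pool, sizeof (*pres) * (nres + 1));
		pres[nres] = NULL;

		DL_FOREACH (first, cur) {
			const gchar *symbol = NULL, *trace = NULL;
			gdouble symbol_weight = 1.0;

			if (cur->ctx == NULL || cur->res == NULL) {
				continue;
			}

			pres[i ++] = cur->res;

			switch (cur->res->rcode) {
			case DKIM_REJECT:
				symbol = dkim_module_ctx->symbol_reject;
				trace = "-";
				symbol_weight = cur->mult_deny;
				break;
			case DKIM_CONTINUE:
				symbol = dkim_module_ctx->symbol_allow;
				trace = "+";
				symbol_weight = cur->mult_allow;
				break;
			case DKIM_PERM_ERROR:
				symbol = dkim_module_ctx->symbol_permfail;
				trace = "~";
				break;
			case DKIM_TRYAGAIN:
				symbol = dkim_module_ctx->symbol_tempfail;
				trace = "?";
				break;
			default:
				/* Any other code (e.g. NOTFOUND / RECORD_ERROR): no symbol */
				break;
			}

			if (symbol != NULL) {
				const gchar *domain = rspamd_dkim_get_domain (cur->ctx);
				const gchar *selector = rspamd_dkim_get_selector (cur->ctx);
				gsize optlen;
				gchar *tracebuf, *optbuf;

				/*
				 * Sized for the longer of the two strings below,
				 * "<domain>:s=<selector>", including the terminating NUL.
				 * Two separate buffers are used so the DKIM_TRACE option never
				 * depends on rspamd_task_insert_result() copying its string.
				 */
				optlen = strlen (domain) + strlen (selector) + 4;
				tracebuf = rspamd_mempool_alloc (task->task_pool, optlen);
				optbuf = rspamd_mempool_alloc (task->task_pool, optlen);

				rspamd_snprintf (tracebuf, optlen, "%s:%s", domain, trace);
				rspamd_task_insert_result (task, "DKIM_TRACE", 0.0, tracebuf);

				rspamd_snprintf (optbuf, optlen, "%s:s=%s", domain, selector);
				rspamd_task_insert_result (task, symbol, symbol_weight, optbuf);
			}
		}

		rspamd_mempool_set_variable (task->task_pool,
				RSPAMD_MEMPOOL_DKIM_CHECK_RESULTS, pres, NULL);
	}
}

/*
 * Completion callback for the asynchronous key lookup started by
 * dkim_symbol_callback() for one signature.
 *
 * On success the key is referenced for the task (released by a mempool
 * destructor) and cached in the LRU hash when one is configured. On failure
 * a result is always recorded for this signature — PERM_ERROR for an invalid
 * record, TRYAGAIN for a NOKEY error *or* no error at all — so that
 * dkim_module_check() can see the list as complete. Without a result the
 * whole message would never receive its DKIM symbols; this mirrors the
 * handling in dkim_module_lua_on_key().
 */
static void
dkim_module_key_handler (rspamd_dkim_key_t *key, gsize keylen,
		rspamd_dkim_context_t *ctx, gpointer ud, GError *err)
{
	struct dkim_check_result *res = ud;
	struct rspamd_task *task;
	struct dkim_ctx *dkim_module_ctx;

	task = res->task;
	dkim_module_ctx = dkim_get_context (task->cfg);

	if (key != NULL) {
		/* Another ref belongs to the check context */
		res->key = rspamd_dkim_key_ref (key);
		/*
		 * We actually receive key with refcount = 1, so we just assume that
		 * lru hash owns this object now
		 */
		/* Release key when task is processed */
		rspamd_mempool_add_destructor (task->task_pool,
				dkim_module_key_dtor, res->key);

		if (dkim_module_ctx->dkim_hash) {
			rspamd_lru_hash_insert (dkim_module_ctx->dkim_hash,
					g_strdup (rspamd_dkim_get_dns_key (ctx)),
					key, task->task_timestamp,
					rspamd_dkim_key_get_ttl (key));
			msg_info_task ("stored DKIM key for %s in LRU cache for %d seconds, "
					"%d/%d elements in the cache",
					rspamd_dkim_get_dns_key (ctx),
					rspamd_dkim_key_get_ttl (key),
					rspamd_lru_hash_size (dkim_module_ctx->dkim_hash),
					rspamd_lru_hash_capacity (dkim_module_ctx->dkim_hash));
		}
	}
	else {
		msg_info_task ("cannot get key for domain %s: %e",
				rspamd_dkim_get_dns_key (ctx), err);

		if (err != NULL && err->code != DKIM_SIGERROR_NOKEY) {
			res->res = rspamd_dkim_create_result (ctx, DKIM_PERM_ERROR, task);
			res->res->fail_reason = "invalid DKIM record";
		}
		else {
			/* NOKEY, or no error reported at all: treat as transient */
			res->res = rspamd_dkim_create_result (ctx, DKIM_TRYAGAIN, task);
			res->res->fail_reason = "DNS error when getting key";
		}
	}

	if (err) {
		g_error_free (err);
	}

	dkim_module_check (res);
}

/*
 * Symbol callback: collect every DKIM-Signature header of the task, obtain a
 * key for each one (LRU cache or DNS lookup) and run dkim_module_check() over
 * the resulting list.
 *
 * Side effects: increments the RSPAMD_MEMPOOL_DMARC_CHECKS counter (so DMARC
 * knows the DKIM module ran) and inserts symbol_na when the message carries no
 * signature. Checks are skipped entirely for authenticated users, local
 * senders and whitelisted addresses according to the module configuration.
 *
 * Entries that will never receive a key (untrusted domain in trusted_only
 * mode, or a lookup that could not be started) are detached by clearing
 * their ctx, because dkim_module_check() treats "ctx set, no result" as a
 * pending lookup and would otherwise never report anything for the message.
 */
static void
dkim_symbol_callback (struct rspamd_task *task,
		struct rspamd_symcache_item *item,
		void *unused)
{
	rspamd_dkim_context_t *ctx;
	rspamd_dkim_key_t *key;
	GError *err = NULL;
	struct rspamd_mime_header *rh, *rh_cur;
	struct dkim_check_result *res = NULL, *cur;
	guint checked = 0;
	gdouble *dmarc_checks;
	struct dkim_ctx *dkim_module_ctx = dkim_get_context (task->cfg);

	/* Allow dmarc */
	dmarc_checks = rspamd_mempool_get_variable (task->task_pool,
			RSPAMD_MEMPOOL_DMARC_CHECKS);

	if (dmarc_checks) {
		(*dmarc_checks) ++;
	}
	else {
		dmarc_checks = rspamd_mempool_alloc (task->task_pool,
				sizeof (*dmarc_checks));
		*dmarc_checks = 1;
		rspamd_mempool_set_variable (task->task_pool,
				RSPAMD_MEMPOOL_DMARC_CHECKS,
				dmarc_checks, NULL);
	}

	/* First check if plugin should be enabled */
	if ((!dkim_module_ctx->check_authed && task->user != NULL) ||
			(!dkim_module_ctx->check_local &&
					rspamd_ip_is_local_cfg (task->cfg, task->from_addr))) {
		msg_info_task ("skip DKIM checks for local networks and authorized users");
		rspamd_symcache_finalize_item (task, item);

		return;
	}

	/* Check whitelist */
	if (rspamd_match_radix_map_addr (dkim_module_ctx->whitelist_ip,
			task->from_addr) != NULL) {
		msg_info_task ("skip DKIM checks for whitelisted address");
		rspamd_symcache_finalize_item (task, item);

		return;
	}

	rspamd_symcache_item_async_inc (task, item, M);

	/* Now check if a message has its signature */
	rh = rspamd_message_get_header_array (task, RSPAMD_DKIM_SIGNHEADER);

	if (rh) {
		msg_debug_task ("dkim signature found");

		DL_FOREACH (rh, rh_cur) {
			if (rh_cur->decoded == NULL || rh_cur->decoded[0] == '\0') {
				msg_info_task ("cannot load empty DKIM signature");
				continue;
			}

			cur = rspamd_mempool_alloc0 (task->task_pool, sizeof (*cur));
			/* `first` is the list head; for the first entry it is fixed below */
			cur->first = res;
			cur->res = NULL;
			cur->task = task;
			cur->mult_allow = 1.0;
			cur->mult_deny = 1.0;
			cur->item = item;

			ctx = rspamd_create_dkim_context (rh_cur->decoded,
					task->task_pool,
					task->resolver,
					dkim_module_ctx->time_jitter,
					RSPAMD_DKIM_NORMAL,
					&err);

			if (res == NULL) {
				res = cur;
				res->first = res;
				res->prev = res;
			}
			else {
				DL_APPEND (res, cur);
			}

			if (ctx == NULL) {
				if (err != NULL) {
					msg_info_task ("cannot parse DKIM signature: %e", err);
					g_error_free (err);
					err = NULL;
				}
				else {
					msg_info_task ("cannot parse DKIM signature: "
							"unknown error");
				}

				/* cur->ctx stays NULL, so dkim_module_check() ignores it */
				continue;
			}

			cur->ctx = ctx;
			const gchar *domain = rspamd_dkim_get_domain (cur->ctx);

			if (dkim_module_ctx->trusted_only &&
					(dkim_module_ctx->dkim_domains == NULL ||
							rspamd_match_hash_map (dkim_module_ctx->dkim_domains,
									domain, strlen (domain)) == NULL)) {
				msg_debug_task ("skip dkim check for %s domain",
						rspamd_dkim_get_domain (ctx));
				/* Detach: no key will ever be requested for this entry */
				cur->ctx = NULL;
				continue;
			}

			if (dkim_module_ctx->dkim_hash) {
				key = rspamd_lru_hash_lookup (dkim_module_ctx->dkim_hash,
						rspamd_dkim_get_dns_key (ctx),
						task->task_timestamp);
			}
			else {
				key = NULL;
			}

			if (key != NULL) {
				cur->key = rspamd_dkim_key_ref (key);
				/* Release key when task is processed */
				rspamd_mempool_add_destructor (task->task_pool,
						dkim_module_key_dtor, cur->key);
			}
			else if (!rspamd_get_dkim_key (ctx, task,
					dkim_module_key_handler, cur)) {
				/*
				 * The lookup was not started, so dkim_module_key_handler()
				 * will not run for this entry; detach it unless the handler
				 * already recorded a result synchronously.
				 */
				if (cur->res == NULL) {
					cur->ctx = NULL;
				}
				continue;
			}

			checked ++;

			/*
			 * Bound the number of signatures that get a key lookup and a
			 * cryptographic verification (each one costs DNS plus RSA work).
			 * Headers that fail to parse or are skipped above are not
			 * counted, so this caps verification work, not parsing work.
			 * Stop once max_sigs signatures are in flight and more remain.
			 */
			if (checked >= dkim_module_ctx->max_sigs && rh_cur->next != NULL) {
				msg_info_task ("message has multiple signatures but we"
						" stopped after %d checked signatures as limit"
						" is reached", checked);
				break;
			}
		}
	}
	else {
		rspamd_task_insert_result (task, dkim_module_ctx->symbol_na, 1.0, NULL);
	}

	if (res != NULL) {
		dkim_module_check (res);
	}

	rspamd_symcache_item_async_dec_check (task, item, M);
}

/* Per-call state of the Lua `dkim_verify` binding */
struct rspamd_dkim_lua_verify_cbdata {
	rspamd_dkim_context_t *ctx;
	struct rspamd_task *task;
	lua_State *L;
	rspamd_dkim_key_t *key;
	gint cbref; /* registry ref of the Lua callback; released after the call */
};

/* Push `s` as a Lua string, or nil when it is NULL */
static void
dkim_module_lua_push_string_or_nil (lua_State *L, const gchar *s)
{
	if (s) {
		lua_pushstring (L, s);
	}
	else {
		lua_pushnil (L);
	}
}

/*
 * Deliver a verification result to the Lua callback registered by
 * lua_dkim_verify_handler() and release the callback reference.
 *
 * The callback receives 7 arguments: task userdata, success boolean, error
 * string (nil on success), then domain, selector, short_b and fail_reason
 * taken from the result (each nil when absent; all four nil when the cbdata
 * has no context).
 *
 * NOTE(review): the task userdata is pushed with lua_newuserdata() and no
 * metatable is set here, so the callback gets a bare pointer box rather than
 * a full task object — verify that this is what the Lua side expects.
 */
static void
dkim_module_lua_push_verify_result (struct rspamd_dkim_lua_verify_cbdata *cbd,
		struct rspamd_dkim_check_result *res, GError *err)
{
	struct rspamd_task **ptask, *task;
	const gchar *error_str = "unknown error";
	gboolean success = FALSE;

	task = cbd->task;

	switch (res->rcode) {
	case DKIM_CONTINUE:
		error_str = NULL;
		success = TRUE;
		break;
	case DKIM_REJECT:
		error_str = err ? err->message : "reject";
		break;
	case DKIM_TRYAGAIN:
		error_str = err ? err->message : "tempfail";
		break;
	case DKIM_NOTFOUND:
		error_str = err ? err->message : "not found";
		break;
	case DKIM_RECORD_ERROR:
		error_str = err ? err->message : "bad record";
		break;
	case DKIM_PERM_ERROR:
		error_str = err ? err->message : "permanent error";
		break;
	default:
		break;
	}

	lua_rawgeti (cbd->L, LUA_REGISTRYINDEX, cbd->cbref);
	ptask = lua_newuserdata (cbd->L, sizeof (*ptask));
	*ptask = task;
	lua_pushboolean (cbd->L, success);
	dkim_module_lua_push_string_or_nil (cbd->L, error_str);

	if (cbd->ctx) {
		dkim_module_lua_push_string_or_nil (cbd->L, res->domain);
		dkim_module_lua_push_string_or_nil (cbd->L, res->selector);
		dkim_module_lua_push_string_or_nil (cbd->L, res->short_b);
		dkim_module_lua_push_string_or_nil (cbd->L, res->fail_reason);
	}
	else {
		lua_pushnil (cbd->L);
		lua_pushnil (cbd->L);
		lua_pushnil (cbd->L);
		lua_pushnil (cbd->L);
	}

	if (lua_pcall (cbd->L, 7, 0, 0) != 0) {
		msg_err_task ("call to verify callback failed: %s",
				lua_tostring (cbd->L, -1));
		lua_pop (cbd->L, 1);
	}

	luaL_unref (cbd->L, LUA_REGISTRYINDEX, cbd->cbref);
}

/*
 * Key lookup completion for the Lua `dkim_verify` binding.
 *
 * Without a key, a TRYAGAIN (NOKEY or no error) or PERM_ERROR (invalid
 * record) result is handed to the Lua callback. With a key, the key is
 * referenced for the task, cached in the LRU hash when configured, the
 * signature is verified and the result is handed to the callback.
 */
static void
dkim_module_lua_on_key (rspamd_dkim_key_t *key, gsize keylen,
		rspamd_dkim_context_t *ctx, gpointer ud, GError *err)
{
	struct rspamd_dkim_lua_verify_cbdata *cbd = ud;
	struct rspamd_task *task;
	struct rspamd_dkim_check_result *res;
	struct dkim_ctx *dkim_module_ctx;

	task = cbd->task;
	dkim_module_ctx = dkim_get_context (task->cfg);

	if (key == NULL) {
		msg_info_task ("cannot get key for domain %s: %e",
				rspamd_dkim_get_dns_key (ctx), err);

		if (err != NULL && err->code != DKIM_SIGERROR_NOKEY) {
			res = rspamd_dkim_create_result (ctx, DKIM_PERM_ERROR, task);
			res->fail_reason = "invalid DKIM record";
		}
		else {
			res = rspamd_dkim_create_result (ctx, DKIM_TRYAGAIN, task);
			res->fail_reason = "DNS error when getting key";
		}

		dkim_module_lua_push_verify_result (cbd, res, err);

		if (err) {
			g_error_free (err);
		}

		return;
	}

	/* Another ref belongs to the check context */
	cbd->key = rspamd_dkim_key_ref (key);

	/*
	 * We actually receive key with refcount = 1, so we just assume that
	 * lru hash owns this object now
	 */
	if (dkim_module_ctx->dkim_hash) {
		rspamd_lru_hash_insert (dkim_module_ctx->dkim_hash,
				g_strdup (rspamd_dkim_get_dns_key (ctx)),
				key, task->task_timestamp,
				rspamd_dkim_key_get_ttl (key));
	}

	/* Release key when task is processed */
	rspamd_mempool_add_destructor (task->task_pool,
			dkim_module_key_dtor, cbd->key);

	res = rspamd_dkim_check (cbd->ctx, cbd->key, task);
	dkim_module_lua_push_verify_result (cbd, res, NULL);
}

/*
 * Lua binding: task:dkim_verify(sig, callback[, type])
 *
 * Parses `sig` as a signature of the given type ("dkim" (default),
 * "arc-sign" or "arc-seal") and verifies it, invoking `callback` with the
 * result (see dkim_module_lua_push_verify_result() for its arguments).
 * When the key is in the LRU cache the callback runs synchronously, before
 * this function returns; otherwise it runs when the DNS lookup completes.
 *
 * Returns (true, nil) when verification was started or completed, or
 * (false, message) when the signature could not be parsed or the key
 * lookup could not be started — in that case the callback is never invoked.
 * Raises a Lua error on invalid arguments or an unknown type string.
 */
static gint
lua_dkim_verify_handler (lua_State *L)
{
	struct rspamd_task *task = lua_check_task (L, 1);
	const gchar *sig = luaL_checkstring (L, 2);
	rspamd_dkim_context_t *ctx;
	struct rspamd_dkim_lua_verify_cbdata *cbd;
	rspamd_dkim_key_t *key = NULL;
	struct rspamd_dkim_check_result *ret;
	GError *err = NULL;
	const gchar *type_str = NULL;
	enum rspamd_dkim_type type = RSPAMD_DKIM_NORMAL;
	struct dkim_ctx *dkim_module_ctx;

	if (task == NULL || sig == NULL || !lua_isfunction (L, 3)) {
		return luaL_error (L, "invalid arguments");
	}

	if (lua_isstring (L, 4)) {
		type_str = lua_tostring (L, 4);

		if (type_str) {
			if (strcmp (type_str, "dkim") == 0) {
				type = RSPAMD_DKIM_NORMAL;
			}
			else if (strcmp (type_str, "arc-sign") == 0) {
				type = RSPAMD_DKIM_ARC_SIG;
			}
			else if (strcmp (type_str, "arc-seal") == 0) {
				type = RSPAMD_DKIM_ARC_SEAL;
			}
			else {
				lua_settop (L, 0);
				return luaL_error (L, "unknown sign type: %s", type_str);
			}
		}
	}

	dkim_module_ctx = dkim_get_context (task->cfg);
	ctx = rspamd_create_dkim_context (sig, task->task_pool, task->resolver,
			dkim_module_ctx->time_jitter, type, &err);

	if (ctx == NULL) {
		lua_pushboolean (L, false);

		if (err) {
			lua_pushstring (L, err->message);
			g_error_free (err);
		}
		else {
			lua_pushstring (L, "unknown error");
		}

		return 2;
	}

	cbd = rspamd_mempool_alloc (task->task_pool, sizeof (*cbd));
	cbd->L = L;
	cbd->task = task;
	lua_pushvalue (L, 3);
	cbd->cbref = luaL_ref (L, LUA_REGISTRYINDEX);
	cbd->ctx = ctx;
	cbd->key = NULL;

	if (dkim_module_ctx->dkim_hash) {
		key = rspamd_lru_hash_lookup (dkim_module_ctx->dkim_hash,
				rspamd_dkim_get_dns_key (ctx),
				task->task_timestamp);
	}

	if (key != NULL) {
		cbd->key = rspamd_dkim_key_ref (key);
		/* Release key when task is processed */
		rspamd_mempool_add_destructor (task->task_pool,
				dkim_module_key_dtor, cbd->key);
		ret = rspamd_dkim_check (cbd->ctx, cbd->key, cbd->task);
		/* Cached key: the Lua callback is invoked right here */
		dkim_module_lua_push_verify_result (cbd, ret, NULL);
	}
	else if (!rspamd_get_dkim_key (ctx, task, dkim_module_lua_on_key, cbd)) {
		/*
		 * The lookup could not be started, so dkim_module_lua_on_key() will
		 * never run: drop the callback reference ourselves and tell the
		 * caller instead of silently reporting success.
		 */
		luaL_unref (L, LUA_REGISTRYINDEX, cbd->cbref);
		lua_pushboolean (L, false);
		lua_pushstring (L, "cannot request DKIM key");

		return 2;
	}

	lua_pushboolean (L, TRUE);
	lua_pushnil (L);

	return 2;
}

/*
 * Lua binding: rspamd_dkim.canonicalize(name, value)
 *
 * Returns the relaxed-canonicalized form of header `name: value` as a string,
 * or nil when canonicalization fails. Raises a Lua error when the name is
 * empty.
 *
 * st_buf is a function-static scratch buffer, so this binding is not
 * reentrant; it assumes the single-threaded Lua use rspamd workers have.
 */
static gint
lua_dkim_canonicalize_handler (lua_State *L)
{
	gsize nlen, vlen;
	const gchar *hname = luaL_checklstring (L, 1, &nlen),
			*hvalue = luaL_checklstring (L, 2, &vlen);
	static gchar st_buf[8192];
	gchar *buf;
	gsize inlen;
	gboolean allocated = FALSE;
	goffset r;

	if (hname == NULL || hvalue == NULL || nlen == 0) {
		return luaL_error (L, "invalid arguments");
	}

	/* Worst-case output: name ":" value CRLF plus the terminating NUL */
	inlen = nlen + vlen + sizeof (":" CRLF);

	if (inlen > sizeof (st_buf)) {
		buf = g_malloc (inlen);
		allocated = TRUE;
	}
	else {
		/* Faster: reuse the static scratch buffer for common sizes */
		buf = st_buf;
	}

	r = rspamd_dkim_canonize_header_relaxed_str (hname, hvalue, buf, inlen);

	if (r == -1) {
		lua_pushnil (L);
	}
	else {
		lua_pushlstring (L, buf, r);
	}

	if (allocated) {
		g_free (buf);
	}

	return 1;
}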