authorVsevolod Stakhov <vsevolod@highsecure.ru>2016-09-30 23:16:21 +0100
committerGitHub <noreply@github.com>2016-09-30 23:16:21 +0100
commitcbe06dc277cb74e0d08842d65706893e29f0abd8 (patch)
tree4e3e8de6e6b09b759a38d6aaa43682e821e4a9a6
parent59889bfc11fc176bf82743fbeeedd258ff94f563 (diff)
parentb561e9b9cbd86191aec1e51cc776d083b66b14b5 (diff)
Merge pull request #988 from fatalbanana/localauth
[Minor] Allow for re-enabling default-disabled checks
-rw-r--r--src/libserver/cfg_file.h2
-rw-r--r--src/libserver/cfg_rcl.c12
-rw-r--r--src/plugins/dkim_check.c19
-rw-r--r--src/plugins/lua/dmarc.lua15
-rw-r--r--src/plugins/lua/hfilter.lua16
-rw-r--r--src/plugins/lua/ip_score.lua13
-rw-r--r--src/plugins/lua/once_received.lua15
-rw-r--r--src/plugins/spf.c20
8 files changed, 105 insertions, 7 deletions
diff --git a/src/libserver/cfg_file.h b/src/libserver/cfg_file.h
index 9a0fa0d22..3bfeee98c 100644
--- a/src/libserver/cfg_file.h
+++ b/src/libserver/cfg_file.h
@@ -298,6 +298,8 @@ struct rspamd_config {
gboolean vectorized_hyperscan; /**< use vectorized hyperscan matching */
gboolean enable_shutdown_workaround; /**< enable workaround for legacy SA clients (exim) */
gboolean ignore_received; /**< Ignore data from the first received header */
+ gboolean check_local; /** Don't disable any checks for local networks */
+ gboolean check_authed; /** Don't disable any checks for authenticated users */
gsize max_diff; /**< maximum diff size for text parts */
gsize max_cores_size; /**< maximum size occupied by rspamd core files */
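Review bot: The two new members are documented with `/** … */`, while every neighbouring member in the hunk uses the trailing form `/**< … */`. Doc generators that follow the Doxygen convention attach a plain `/**` block to the declaration that follows it, so these descriptions would probably end up on `check_authed` and `max_diff` instead of their own fields. Writing them as `gboolean check_local; /**< Don't disable any checks for local networks */` and `gboolean check_authed; /**< Don't disable any checks for authenticated users */` keeps the struct consistent. struct rspamd_config starts and ends outside this hunk.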
diff --git a/src/libserver/cfg_rcl.c b/src/libserver/cfg_rcl.c
index c89392207..8ada11f88 100644
--- a/src/libserver/cfg_rcl.c
+++ b/src/libserver/cfg_rcl.c
@@ -1837,6 +1837,18 @@ rspamd_rcl_config_init (struct rspamd_config *cfg)
0,
"Emit errors if there are unknown HTTP headers in a request");
rspamd_rcl_add_default_handler (sub,
+ "check_local",
+ rspamd_rcl_parse_struct_boolean,
+ G_STRUCT_OFFSET (struct rspamd_config, check_local),
+ 0,
+ "Don't disable any checks for local networks");
+ rspamd_rcl_add_default_handler (sub,
+ "check_authed",
+ rspamd_rcl_parse_struct_boolean,
+ G_STRUCT_OFFSET (struct rspamd_config, check_authed),
+ 0,
+ "Don't disable any checks for authenticated users");
+ rspamd_rcl_add_default_handler (sub,
"check_all_filters",
rspamd_rcl_parse_struct_boolean,
G_STRUCT_OFFSET (struct rspamd_config, check_all_filters),
diff --git a/src/plugins/dkim_check.c b/src/plugins/dkim_check.c
index 7f9122212..3eb44c386 100644
--- a/src/plugins/dkim_check.c
+++ b/src/plugins/dkim_check.c
@@ -69,6 +69,8 @@ struct dkim_ctx {
guint max_sigs;
gboolean trusted_only;
gboolean skip_multi;
+ gboolean check_local;
+ gboolean check_authed;
};
struct dkim_check_result {
@@ -286,6 +288,20 @@ dkim_module_config (struct rspamd_config *cfg)
dkim_module_ctx->whitelist_ip = radix_create_compressed ();
+ if ((value =
+ rspamd_config_get_module_opt (cfg, "options", "check_local")) != NULL) {
+ dkim_module_ctx->check_local = ucl_obj_toboolean (value);
+ }
+ else {
+ dkim_module_ctx->check_local = FALSE;
+ }
+ if ((value =
+ rspamd_config_get_module_opt (cfg, "options", "check_authed")) != NULL) {
+ dkim_module_ctx->check_authed = ucl_obj_toboolean (value);
+ }
+ else {
+ dkim_module_ctx->check_authed = FALSE;
+ }
if ((value =
rspamd_config_get_module_opt (cfg, "dkim", "symbol_reject")) != NULL) {
dkim_module_ctx->symbol_reject = ucl_obj_tostring (value);
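Review bot: The added lookups parse `options.check_local` and `options.check_authed` a second time through `rspamd_config_get_module_opt`, although this commit also adds both fields to `struct rspamd_config` and registers handlers for them in cfg_rcl.c. If those handlers have filled the struct by the time dkim_module_config runs (not visible here), `dkim_module_ctx->check_local = cfg->check_local;` and `dkim_module_ctx->check_authed = cfg->check_authed;` would keep one source of truth for a setting that decides whether sender authentication runs at all. spf.c adds the same block in spf_module_config. dkim_module_config starts and ends outside this hunk.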
@@ -693,7 +709,8 @@ dkim_symbol_callback (struct rspamd_task *task, void *unused)
guint checked = 0, i;
/* First check if plugin should be enabled */
- if (task->user != NULL || rspamd_inet_address_is_local (task->from_addr)) {
+ if ((!dkim_module_ctx->check_authed && task->user != NULL)
+ || (!dkim_module_ctx->check_local && rspamd_inet_address_is_local (task->from_addr))) {
msg_info_task ("skip DKIM checks for local networks and authorized users");
return;
}
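Review bot: The log line `skip DKIM checks for local networks and authorized users` is now reached through two independently configurable conditions, but it does not say which one matched. Because this branch suppresses a sender-authentication check, a message that names the reason (authenticated user versus local source address) would make it much easier to audit why a given message went unverified. A short comment above the condition, such as `/* check_authed / check_local default to FALSE, so skipping stays the default */`, would also document the security-relevant default. The same applies to the SPF callback in spf.c; dkim_symbol_callback continues outside this hunk.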
diff --git a/src/plugins/lua/dmarc.lua b/src/plugins/lua/dmarc.lua
index caf20b2fd..da5837d2b 100644
--- a/src/plugins/lua/dmarc.lua
+++ b/src/plugins/lua/dmarc.lua
@@ -22,6 +22,8 @@ local rspamd_logger = require "rspamd_logger"
local rspamd_redis = require "rspamd_redis"
local upstream_list = require "rspamd_upstream_list"
local rspamd_util = require "rspamd_util"
+local check_local = false
+local check_authed = false
local symbols = {
spf_allow_symbol = 'R_SPF_ALLOW',
@@ -78,7 +80,8 @@ local function dmarc_callback(task)
local dmarc_domain
local ip_addr = task:get_ip()
- if task:get_user() or (ip_addr and ip_addr:is_local()) then
+ if ((not check_user and task:get_user()) or
+ (not check_local and ip_addr and ip_addr:is_local())) then
rspamd_logger.infox(task, "skip DMARC checks for local networks and authorized users");
return
end
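Review bot: `check_user` in the first line of the new condition is not declared anywhere in this diff; the flag added at the top of the file is `check_authed`. An undeclared name in Lua reads as a nil global, so `not check_user` is always true and authenticated senders are still skipped whatever `check_authed` is set to. The line should read `if ((not check_authed and task:get_user()) or`. The same name is used in the new conditions in hfilter.lua (`hfilter`) and once_received.lua (`check_quantity_received`). dmarc_callback starts and ends outside this hunk.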
@@ -345,6 +348,16 @@ local function dmarc_callback(task)
forced = true})
end
+local opts = rspamd_config:get_all_opt('options')
+if opts and type(opts) ~= 'table' then
+ if type(opts['check_local']) == 'boolean' then
+ check_local = opts['check_local']
+ end
+ if type(opts['check_authed']) == 'boolean' then
+ check_authed = opts['check_authed']
+ end
+end
+
local opts = rspamd_config:get_all_opt('dmarc')
if not opts or type(opts) ~= 'table' then
return
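Review bot: The guard `if opts and type(opts) ~= 'table' then` is inverted: its body runs only when `opts` is not a table, so a normal `options` section is never read and `check_local` / `check_authed` stay `false`. An operator who sets these options to get DMARC evaluated for local or authenticated mail would silently keep the old skip behaviour. It should be `if type(opts) == 'table' then`. The same guard is repeated in the hfilter.lua, ip_score.lua and once_received.lua hunks. The following `local opts = rspamd_config:get_all_opt('dmarc')` also redeclares the name; plain assignment, as ip_score.lua does, avoids the shadowing.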
diff --git a/src/plugins/lua/hfilter.lua b/src/plugins/lua/hfilter.lua
index c1d0e22b2..61595c253 100644
--- a/src/plugins/lua/hfilter.lua
+++ b/src/plugins/lua/hfilter.lua
@@ -113,6 +113,9 @@ local config = {
['url_enabled'] = false
}
+local check_local = false
+local check_authed = false
+
local function check_regexp(str, regexp_text)
if not compiled_regexp[regexp_text] then
compiled_regexp[regexp_text] = rspamd_regexp.create(regexp_text, 'i')
@@ -296,7 +299,8 @@ local function hfilter(task)
--No more checks for auth user or local network
local rip = task:get_from_ip()
- if task:get_user() or (rip and rip:is_local()) then
+ if ((not check_user and task:get_user()) or
+ (not check_local and rip and rip:is_local())) then
return false
end
@@ -479,6 +483,16 @@ local symbols_from = {
"HFILTER_FROM_BOUNCE"
}
+local opts = rspamd_config:get_all_opt('options')
+if opts and type(opts) ~= 'table' then
+ if type(opts['check_local']) == 'boolean' then
+ check_local = opts['check_local']
+ end
+ if type(opts['check_authed']) == 'boolean' then
+ check_authed = opts['check_authed']
+ end
+end
+
local opts = rspamd_config:get_all_opt('hfilter')
if opts then
for k,v in pairs(opts) do
diff --git a/src/plugins/lua/ip_score.lua b/src/plugins/lua/ip_score.lua
index c1489717e..140109e5e 100644
--- a/src/plugins/lua/ip_score.lua
+++ b/src/plugins/lua/ip_score.lua
@@ -26,6 +26,7 @@ local _ = require "fun"
local redis_params = nil
local whitelist = nil
local asn_cc_whitelist = nil
+local check_authed = false
local options = {
actions = { -- how each action is treated in scoring
@@ -315,7 +316,13 @@ end
-- Configuration options
local configure_ip_score_module = function()
- local opts = rspamd_config:get_all_opt('ip_score')
+ local opts = rspamd_config:get_all_opt('options')
+ if opts and type(opts) ~= 'table' then
+ if type(opts['check_authed']) == 'boolean' then
+ check_authed = opts['check_authed']
+ end
+ end
+ opts = rspamd_config:get_all_opt('ip_score')
if opts then
for k,v in pairs(opts) do
options[k] = v
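Review bot: `check_authed` is assigned in this hunk, but none of the hunks in ip_score.lua reads it, so as far as this diff shows the option has no effect on the plugin. Either the place where ip_score decides to ignore authenticated senders should consult it, in the form `not check_authed and task:get_user()`, or the variable and this lookup should be dropped so the configuration does not suggest a control that is not there. configure_ip_score_module continues outside this hunk.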
@@ -324,6 +331,8 @@ local configure_ip_score_module = function()
if not redis_params then
rspamd_logger.infox(rspamd_config, 'no servers are specified')
end
+ else
+ return false
end
if options['whitelist'] then
whitelist = rspamd_config:add_radix_map(opts['whitelist'])
@@ -334,7 +343,7 @@ local configure_ip_score_module = function()
end
-configure_ip_score_module()
+if not configure_ip_score_module() then return end
if redis_params then
-- Register ip_score module
rspamd_config:register_symbol({
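Review bot: `if not configure_ip_score_module() then return end` requires the function to return a truthy value on success, but the only `return` visible in this diff is the added `return false`. Unless a `return true` exists in the lines between the hunks, the function returns nil on the success path and the file exits before `rspamd_config:register_symbol` is reached, which would disable ip_score entirely. Ending configure_ip_score_module with `return true` makes the contract explicit. The function body is only partly visible here.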
diff --git a/src/plugins/lua/once_received.lua b/src/plugins/lua/once_received.lua
index 86ada799a..202041869 100644
--- a/src/plugins/lua/once_received.lua
+++ b/src/plugins/lua/once_received.lua
@@ -24,6 +24,8 @@ local bad_hosts = {}
local good_hosts = {}
local whitelist = nil
local rspamd_logger = require "rspamd_logger"
+local check_local = false
+local check_authed = false
local function check_quantity_received (task)
local recvh = task:get_received_headers()
@@ -61,7 +63,9 @@ local function check_quantity_received (task)
local task_ip = task:get_ip()
- if task:get_user() or (task_ip and task_ip:is_local()) then
+ if ((not check_user and task:get_user()) or
+ (not check_local and ip_addr and ip_addr:is_local())) then
+ rspamd_logger.infox(task, 'Skipping once_received for authenticated user or local network')
return
end
if whitelist and task_ip and whitelist:get_key(task_ip) then
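Review bot: The second line of the new condition tests `ip_addr`, but the address fetched just above is stored in `task_ip`, and `ip_addr` is not defined in the visible part of check_quantity_received. If it is not defined elsewhere it reads as nil, so the local-network half of the skip never matches and `check_local` has no influence on this plugin. The line should be `(not check_local and task_ip and task_ip:is_local())) then`. The function starts and ends outside this hunk.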
@@ -134,6 +138,15 @@ if type(rspamd_config.get_api_version) ~= 'nil' then
end
end
+local opts = rspamd_config:get_all_opt('options')
+if opts and type(opts) ~= 'table' then
+ if type(opts['check_local']) == 'boolean' then
+ check_local = opts['check_local']
+ end
+ if type(opts['check_authed']) == 'boolean' then
+ check_authed = opts['check_authed']
+ end
+end
-- Configuration
local opts = rspamd_config:get_all_opt('once_received')
if opts then
diff --git a/src/plugins/spf.c b/src/plugins/spf.c
index aa09eecac..d01f2b4da 100644
--- a/src/plugins/spf.c
+++ b/src/plugins/spf.c
@@ -57,6 +57,9 @@ struct spf_ctx {
rspamd_mempool_t *spf_pool;
radix_compressed_t *whitelist_ip;
rspamd_lru_hash_t *spf_hash;
+
+ gboolean check_local;
+ gboolean check_authed;
};
static struct spf_ctx *spf_module_ctx = NULL;
@@ -196,6 +199,20 @@ spf_module_config (struct rspamd_config *cfg)
spf_module_ctx->whitelist_ip = radix_create_compressed ();
if ((value =
+ rspamd_config_get_module_opt (cfg, "options", "check_local")) != NULL) {
+ spf_module_ctx->check_local = ucl_obj_toboolean (value);
+ }
+ else {
+ spf_module_ctx->check_local = FALSE;
+ }
+ if ((value =
+ rspamd_config_get_module_opt (cfg, "options", "check_authed")) != NULL) {
+ spf_module_ctx->check_authed = ucl_obj_toboolean (value);
+ }
+ else {
+ spf_module_ctx->check_authed = FALSE;
+ }
+ if ((value =
rspamd_config_get_module_opt (cfg, "spf", "symbol_fail")) != NULL) {
spf_module_ctx->symbol_fail = ucl_obj_tostring (value);
}
@@ -535,7 +552,8 @@ spf_symbol_callback (struct rspamd_task *task, void *unused)
return;
}
- if (task->user != NULL || rspamd_inet_address_is_local (task->from_addr)) {
+ if ((!spf_module_ctx->check_authed && task->user != NULL)
+ || (!spf_module_ctx->check_local && rspamd_inet_address_is_local (task->from_addr))) {
msg_info_task ("skip SPF checks for local networks and authorized users");
return;
}