Initial commit
This commit is contained in:
peio
198
internal/kcpolicy/policy.go
Normal file
198
internal/kcpolicy/policy.go
Normal file
@@ -0,0 +1,198 @@
|
||||
package kcpolicy
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"context"
|
||||
"fmt"
|
||||
"log"
|
||||
"net"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
type Cache struct {
|
||||
ttl time.Duration
|
||||
m map[string]cacheItem
|
||||
}
|
||||
|
||||
type cacheItem struct {
|
||||
val string
|
||||
expires time.Time
|
||||
ok bool
|
||||
}
|
||||
|
||||
func NewCache(ttl time.Duration) *Cache {
|
||||
return &Cache{ttl: ttl, m: make(map[string]cacheItem)}
|
||||
}
|
||||
|
||||
func (c *Cache) Get(key string) (string, bool, bool) {
|
||||
it, ok := c.m[key]
|
||||
if !ok || time.Now().After(it.expires) {
|
||||
return "", false, false
|
||||
}
|
||||
return it.val, it.ok, true
|
||||
}
|
||||
|
||||
func (c *Cache) Put(key, val string, ok bool) {
|
||||
c.m[key] = cacheItem{val: val, ok: ok, expires: time.Now().Add(c.ttl)}
|
||||
}
|
||||
|
||||
func RunPolicy(ctx context.Context, cfg *Config, db *AliasDB, kc *Keycloak, cache *Cache) error {
|
||||
sock := cfg.Sockets.PolicySocket
|
||||
_ = os.Remove(sock)
|
||||
|
||||
l, err := net.Listen("unix", sock)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer l.Close()
|
||||
|
||||
if err := ChownChmodSocket(sock, cfg); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
for {
|
||||
conn, err := l.Accept()
|
||||
if err != nil {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return nil
|
||||
default:
|
||||
return err
|
||||
}
|
||||
}
|
||||
go handlePolicyConn(conn, cfg, db, kc, cache)
|
||||
}
|
||||
}
|
||||
|
||||
func handlePolicyConn(conn net.Conn, cfg *Config, db *AliasDB, kc *Keycloak, cache *Cache) {
|
||||
defer conn.Close()
|
||||
r := bufio.NewReader(conn)
|
||||
|
||||
req := map[string]string{}
|
||||
for {
|
||||
line, err := r.ReadString('\n')
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
line = strings.TrimRight(line, "\r\n")
|
||||
if line == "" {
|
||||
break
|
||||
}
|
||||
if i := strings.IndexByte(line, '='); i > 0 {
|
||||
req[line[:i]] = line[i+1:]
|
||||
}
|
||||
}
|
||||
|
||||
// Decide based on protocol_state
|
||||
state := req["protocol_state"] // e.g. RCPT, MAIL
|
||||
saslUser := req["sasl_username"]
|
||||
sender := strings.ToLower(req["sender"])
|
||||
rcpt := strings.ToLower(req["recipient"])
|
||||
|
||||
action := "DUNNO"
|
||||
|
||||
switch state {
|
||||
case "RCPT":
|
||||
action = policyRCPT(cfg, db, kc, cache, rcpt)
|
||||
case "MAIL":
|
||||
// On MAIL stage we can validate sender if authenticated (submission)
|
||||
if saslUser != "" && sender != "" {
|
||||
action = policyMAIL(cfg, db, kc, cache, saslUser, sender)
|
||||
}
|
||||
default:
|
||||
action = "DUNNO"
|
||||
}
|
||||
|
||||
fmt.Fprintf(conn, "action=%s\n\n", action)
|
||||
}
|
||||
|
||||
func policyRCPT(cfg *Config, db *AliasDB, kc *Keycloak, cache *Cache, rcpt string) string {
|
||||
if rcpt == "" {
|
||||
return "DUNNO"
|
||||
}
|
||||
// Only enforce for our domain
|
||||
if !strings.HasSuffix(rcpt, "@"+strings.ToLower(cfg.Policy.Domain)) {
|
||||
return "DUNNO"
|
||||
}
|
||||
|
||||
// 1) exists in keycloak primary email?
|
||||
key := "email_exists:" + rcpt
|
||||
if _, ok, hit := cache.Get(key); hit {
|
||||
if ok {
|
||||
return "DUNNO"
|
||||
}
|
||||
} else {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||||
defer cancel()
|
||||
exists, err := kc.EmailExists(ctx, rcpt)
|
||||
if err != nil {
|
||||
if cfg.Policy.KeycloakFailureMode == "dunno" {
|
||||
return "DUNNO"
|
||||
}
|
||||
return "451 4.3.0 Temporary authentication/lookup failure"
|
||||
}
|
||||
cache.Put(key, "", exists)
|
||||
if exists {
|
||||
return "DUNNO"
|
||||
}
|
||||
}
|
||||
|
||||
// 2) exists as sqlite alias?
|
||||
_, ok, err := db.AliasOwner(rcpt)
|
||||
if err != nil {
|
||||
log.Printf("sqlite rcpt lookup error: %v", err)
|
||||
return "451 4.3.0 Temporary internal error"
|
||||
}
|
||||
if ok {
|
||||
return "DUNNO"
|
||||
}
|
||||
|
||||
return "550 5.1.1 No such user"
|
||||
}
|
||||
|
||||
func policyMAIL(cfg *Config, db *AliasDB, kc *Keycloak, cache *Cache, saslUser, sender string) string {
|
||||
// Allow empty sender (bounce)
|
||||
if sender == "" || sender == "<>" {
|
||||
return "DUNNO"
|
||||
}
|
||||
// Only enforce our domain senders (optional)
|
||||
if !strings.HasSuffix(sender, "@"+strings.ToLower(cfg.Policy.Domain)) {
|
||||
return "DUNNO"
|
||||
}
|
||||
|
||||
// primary email from keycloak (cached)
|
||||
key := "email_by_username:" + strings.ToLower(saslUser)
|
||||
email, ok, hit := cache.Get(key)
|
||||
if !hit {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
|
||||
defer cancel()
|
||||
e, exists, err := kc.EmailByUsername(ctx, saslUser)
|
||||
if err != nil {
|
||||
if cfg.Policy.KeycloakFailureMode == "dunno" {
|
||||
return "DUNNO"
|
||||
}
|
||||
return "451 4.3.0 Temporary authentication/lookup failure"
|
||||
}
|
||||
cache.Put(key, e, exists)
|
||||
email, ok = e, exists
|
||||
}
|
||||
|
||||
// 1) sender == primary email
|
||||
if ok && strings.EqualFold(sender, email) {
|
||||
return "DUNNO"
|
||||
}
|
||||
|
||||
// 2) sender is sqlite alias belonging to this user
|
||||
belongs, err := db.AliasBelongsTo(sender, saslUser)
|
||||
if err != nil {
|
||||
log.Printf("sqlite sender lookup error: %v", err)
|
||||
return "451 4.3.0 Temporary internal error"
|
||||
}
|
||||
if belongs {
|
||||
return "DUNNO"
|
||||
}
|
||||
|
||||
return "553 5.7.1 Sender not owned by authenticated user"
|
||||
}
|
||||
Reference in New Issue
Block a user