PoC rspamd use dkimkeys from admin using vault api

2024-12-14 10:53:30 +02:00 · 2021-10-14 19:07:11 +02:00 · 2021-10-14 19:07:11 +02:00 · 893705169e
commit 893705169e
parent 8c8c1b2015
5 changed files with 41 additions and 6 deletions
--- a/core/admin/mailu/internal/views/init.py
+++ b/core/admin/mailu/internal/views/init.py
@ -1,3 +1,3 @@
 __all__ = [
-    'auth', 'postfix', 'dovecot', 'fetch'
+    'auth', 'postfix', 'dovecot', 'fetch', 'rspamd'
 ]
--- a/core/admin/mailu/internal/views/rspamd.py
+++ b/core/admin/mailu/internal/views/rspamd.py
@ -0,0 +1,30 @@
+from mailu import models, dkim
+from mailu.internal import internal
+
+import flask
+
+def vault_error(*messages, status=404):
+    return flask.make_response(flask.jsonify({'errors':messages}), status)
+
+# rspamd key format:
+# {"selectors":[{"pubkey":"...","domain":"...","valid_start":TS,"valid_end":TS,"key":"...","selector":"...","bits":...,"alg":"..."}]}
+
+# hashicorp vault answer format:
+# {"request_id":"...","lease_id":"","renewable":false,"lease_duration":2764800,"data":{...see above...},"wrap_info":null,"warnings":null,"auth":null}
+
+@internal.route("/rspamd/vault/v1/dkim/<domain_name>")
+def rspamd_dkim_key(domain_name):
+    domain = models.Domain.query.get(domain_name) or flask.abort(vault_error('unknown domain'))
+    key = domain.dkim_key or flask.abort(vault_error('no dkim key', status=400))
+    return flask.jsonify({
+        'data': {
+            'selectors': [
+                {
+                    'domain'  : domain.name,
+                    'key'     : key.decode('utf8'),
+                    'selector': 'dkim',
+                }
+            ]
+        }
+    })
+
--- a/core/rspamd/conf/arc.conf
+++ b/core/rspamd/conf/arc.conf
@ -1,4 +1,6 @@
-try_fallback = true;
-path = "/dkim/$domain.$selector.key";
-selector = "dkim"
+try_fallback = false;
 use_esld = false;
+allow_username_mismatch = true;
+use_vault = true;
+vault_url = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/vault";
+vault_token = "mailu";
--- a/core/rspamd/conf/dkim_signing.conf
+++ b/core/rspamd/conf/dkim_signing.conf
@ -1,4 +1,6 @@
-try_fallback = true;
-path = "/dkim/$domain.$selector.key";
+try_fallback = false;
 use_esld = false;
 allow_username_mismatch = true;
+use_vault = true;
+vault_url = "http://{{ ADMIN_ADDRESS }}/internal/rspamd/vault";
+vault_token = "mailu";
--- a/core/rspamd/start.py
+++ b/core/rspamd/start.py
@ -11,6 +11,7 @@ log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "WARNING"))
 # Actual startup script

 os.environ["REDIS_ADDRESS"] = system.get_host_address_from_environment("REDIS", "redis")
+os.environ["ADMIN_ADDRESS"] = system.get_host_address_from_environment("ADMIN", "admin")

 if os.environ.get("ANTIVIRUS") == 'clamav':
    os.environ["ANTIVIRUS_ADDRESS"] = system.get_host_address_from_environment("ANTIVIRUS", "antivirus:3310")