diff options
Diffstat (limited to 'rt/lib/RT/Interface/Email')
| -rwxr-xr-x | rt/lib/RT/Interface/Email/Auth/GnuPG.pm | 263 | ||||
| -rw-r--r-- | rt/lib/RT/Interface/Email/Auth/MailFrom.pm | 182 | ||||
| -rw-r--r-- | rt/lib/RT/Interface/Email/Filter/SpamAssassin.pm | 98 |
3 files changed, 0 insertions, 543 deletions
diff --git a/rt/lib/RT/Interface/Email/Auth/GnuPG.pm b/rt/lib/RT/Interface/Email/Auth/GnuPG.pm deleted file mode 100755 index f0fe2c917..000000000 --- a/rt/lib/RT/Interface/Email/Auth/GnuPG.pm +++ /dev/null @@ -1,263 +0,0 @@ -# BEGIN BPS TAGGED BLOCK {{{ -# -# COPYRIGHT: -# -# This software is Copyright (c) 1996-2009 Best Practical Solutions, LLC -# <jesse@bestpractical.com> -# -# (Except where explicitly superseded by other copyright notices) -# -# -# LICENSE: -# -# This work is made available to you under the terms of Version 2 of -# the GNU General Public License. A copy of that license should have -# been provided with this software, but in any event can be snarfed -# from www.gnu.org. -# -# This work is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -# 02110-1301 or visit their web page on the internet at -# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. -# -# -# CONTRIBUTION SUBMISSION POLICY: -# -# (The following paragraph is not intended to limit the rights granted -# to you to modify and distribute this software under the terms of -# the GNU General Public License and is only of importance to you if -# you choose to contribute your changes and enhancements to the -# community by submitting them to Best Practical Solutions, LLC.) -# -# By intentionally submitting any modifications, corrections or -# derivatives to this work, or any other work intended for use with -# Request Tracker, to Best Practical Solutions, LLC, you confirm that -# you are the copyright holder for those contributions and you grant -# Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable, -# royalty-free, perpetual, license to use, copy, create derivative -# works based on those contributions, and sublicense and distribute -# those contributions and any derivatives thereof. -# -# END BPS TAGGED BLOCK }}} - -package RT::Interface::Email::Auth::GnuPG; - -use strict; -use warnings; - -=head2 GetCurrentUser - -To use the gnupg-secured mail gateway, you need to do the following: - -Set up a GnuPG key directory with a pubring containing only the keys -you care about and specify the following in your SiteConfig.pm - - Set(%GnuPGOptions, homedir => '/opt/rt3/var/data/GnuPG'); - Set(@MailPlugins, 'Auth::MailFrom', 'Auth::GnuPG', ...other filter...); - -=cut - -sub ApplyBeforeDecode { return 1 } - -use RT::Crypt::GnuPG; -use RT::EmailParser (); - -sub GetCurrentUser { - my %args = ( - Message => undef, - RawMessageRef => undef, - @_ - ); - - foreach my $p ( $args{'Message'}->parts_DFS ) { - $p->head->delete($_) for qw( - X-RT-GnuPG-Status X-RT-Incoming-Encrypton - X-RT-Incoming-Signature X-RT-Privacy - ); - } - - my $msg = $args{'Message'}->dup; - - my ($status, @res) = VerifyDecrypt( - Entity => $args{'Message'}, AddStatus => 1, - ); - if ( $status && !@res ) { - $args{'Message'}->head->add( - 'X-RT-Incoming-Encryption' => 'Not encrypted' - ); - - return 1; - } - - # FIXME: Check if the message is encrypted to the address of - # _this_ queue. send rejecting mail otherwise. - - unless ( $status ) { - $RT::Logger->error("Had a problem during decrypting and verifying"); - my $reject = HandleErrors( Message => $args{'Message'}, Result => \@res ); - return (0, 'rejected because of problems during decrypting and verifying') - if $reject; - } - - # attach the original encrypted message - $args{'Message'}->attach( - Type => 'application/x-rt-original-message', - Disposition => 'inline', - Data => ${ $args{'RawMessageRef'} }, - ); - - $args{'Message'}->head->add( 'X-RT-Privacy' => 'PGP' ); - - foreach my $part ( $args{'Message'}->parts_DFS ) { - my $decrypted; - - my $status = $part->head->get( 'X-RT-GnuPG-Status' ); - if ( $status ) { - for ( RT::Crypt::GnuPG::ParseStatus( $status ) ) { - if ( $_->{Operation} eq 'Decrypt' && $_->{Status} eq 'DONE' ) { - $decrypted = 1; - } - if ( $_->{Operation} eq 'Verify' && $_->{Status} eq 'DONE' ) { - $part->head->add( - 'X-RT-Incoming-Signature' => $_->{UserString} - ); - } - } - } - - $part->head->add( - 'X-RT-Incoming-Encryption' => - $decrypted ? 'Success' : 'Not encrypted' - ); - } - - return 1; -} - -sub HandleErrors { - my %args = ( - Message => undef, - Result => [], - @_ - ); - - my $reject = 0; - - my %sent_once = (); - foreach my $run ( @{ $args{'Result'} } ) { - my @status = RT::Crypt::GnuPG::ParseStatus( $run->{'status'} ); - unless ( $sent_once{'NoPrivateKey'} ) { - unless ( CheckNoPrivateKey( Message => $args{'Message'}, Status => \@status ) ) { - $sent_once{'NoPrivateKey'}++; - $reject = 1 if RT->Config->Get('GnuPG')->{'RejectOnMissingPrivateKey'}; - } - } - unless ( $sent_once{'BadData'} ) { - unless ( CheckBadData( Message => $args{'Message'}, Status => \@status ) ) { - $sent_once{'BadData'}++; - $reject = 1 if RT->Config->Get('GnuPG')->{'RejectOnBadData'}; - } - } - } - return $reject; -} - -sub CheckNoPrivateKey { - my %args = (Message => undef, Status => [], @_ ); - my @status = @{ $args{'Status'} }; - - my @decrypts = grep $_->{'Operation'} eq 'Decrypt', @status; - return 1 unless @decrypts; - foreach my $action ( @decrypts ) { - # if at least one secrete key exist then it's another error - return 1 if - grep !$_->{'User'}{'SecretKeyMissing'}, - @{ $action->{'EncryptedTo'} }; - } - - $RT::Logger->error("Couldn't decrypt a message: have no private key"); - - my $address = (RT::Interface::Email::ParseSenderAddressFromHead( $args{'Message'}->head ))[0]; - my ($status) = RT::Interface::Email::SendEmailUsingTemplate( - To => $address, - Template => 'Error: no private key', - Arguments => { - Message => $args{'Message'}, - TicketObj => $args{'Ticket'}, - }, - InReplyTo => $args{'Message'}, - ); - unless ( $status ) { - $RT::Logger->error("Couldn't send 'Error: no private key'"); - } - return 0; -} - -sub CheckBadData { - my %args = (Message => undef, Status => [], @_ ); - my @bad_data_messages = - map $_->{'Message'}, - grep $_->{'Status'} ne 'DONE' && $_->{'Operation'} eq 'Data', - @{ $args{'Status'} }; - return 1 unless @bad_data_messages; - - $RT::Logger->error("Couldn't process a message: ". join ', ', @bad_data_messages ); - - my $address = (RT::Interface::Email::ParseSenderAddressFromHead( $args{'Message'}->head ))[0]; - my ($status) = RT::Interface::Email::SendEmailUsingTemplate( - To => $address, - Template => 'Error: bad GnuPG data', - Arguments => { - Messages => [ @bad_data_messages ], - TicketObj => $args{'Ticket'}, - }, - InReplyTo => $args{'Message'}, - ); - unless ( $status ) { - $RT::Logger->error("Couldn't send 'Error: bad GnuPG data'"); - } - return 0; -} - -sub VerifyDecrypt { - my %args = ( - Entity => undef, - @_ - ); - - my @res = RT::Crypt::GnuPG::VerifyDecrypt( %args ); - unless ( @res ) { - $RT::Logger->debug("No more encrypted/signed parts"); - return 1; - } - - $RT::Logger->debug('Found GnuPG protected parts'); - - # return on any error - if ( grep $_->{'exit_code'}, @res ) { - $RT::Logger->debug("Error during verify/decrypt operation"); - return (0, @res); - } - - # nesting - my ($status, @nested) = VerifyDecrypt( %args ); - return $status, @res, @nested; -} - -eval "require RT::Interface::Email::Auth::GnuPG_Vendor"; -die $@ - if ( $@ - && $@ !~ qr{^Can't locate RT/Interface/Email/Auth/GnuPG_Vendor.pm} ); -eval "require RT::Interface::Email::Auth::GnuPG_Local"; -die $@ - if ( $@ - && $@ !~ qr{^Can't locate RT/Interface/Email/Auth/GnuPG_Local.pm} ); - -1; - diff --git a/rt/lib/RT/Interface/Email/Auth/MailFrom.pm b/rt/lib/RT/Interface/Email/Auth/MailFrom.pm deleted file mode 100644 index 0673c735c..000000000 --- a/rt/lib/RT/Interface/Email/Auth/MailFrom.pm +++ /dev/null @@ -1,182 +0,0 @@ -# BEGIN BPS TAGGED BLOCK {{{ -# -# COPYRIGHT: -# -# This software is Copyright (c) 1996-2009 Best Practical Solutions, LLC -# <jesse@bestpractical.com> -# -# (Except where explicitly superseded by other copyright notices) -# -# -# LICENSE: -# -# This work is made available to you under the terms of Version 2 of -# the GNU General Public License. A copy of that license should have -# been provided with this software, but in any event can be snarfed -# from www.gnu.org. -# -# This work is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -# 02110-1301 or visit their web page on the internet at -# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. -# -# -# CONTRIBUTION SUBMISSION POLICY: -# -# (The following paragraph is not intended to limit the rights granted -# to you to modify and distribute this software under the terms of -# the GNU General Public License and is only of importance to you if -# you choose to contribute your changes and enhancements to the -# community by submitting them to Best Practical Solutions, LLC.) -# -# By intentionally submitting any modifications, corrections or -# derivatives to this work, or any other work intended for use with -# Request Tracker, to Best Practical Solutions, LLC, you confirm that -# you are the copyright holder for those contributions and you grant -# Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable, -# royalty-free, perpetual, license to use, copy, create derivative -# works based on those contributions, and sublicense and distribute -# those contributions and any derivatives thereof. -# -# END BPS TAGGED BLOCK }}} - -package RT::Interface::Email::Auth::MailFrom; -use RT::Interface::Email qw(ParseSenderAddressFromHead CreateUser); - -# This is what the ordinary, non-enhanced gateway does at the moment. - -sub GetCurrentUser { - my %args = ( Message => undef, - CurrentUser => undef, - AuthLevel => undef, - Ticket => undef, - Queue => undef, - Action => undef, - @_ ); - - - # We don't need to do any external lookups - my ( $Address, $Name ) = ParseSenderAddressFromHead( $args{'Message'}->head ); - unless ( $Address ) { - $RT::Logger->error("Couldn't find sender's address"); - return ( $args{'CurrentUser'}, -1 ); - } - - my $CurrentUser = new RT::CurrentUser; - $CurrentUser->LoadByEmail( $Address ); - $CurrentUser->LoadByName( $Address ) unless $CurrentUser->Id; - if ( $CurrentUser->Id ) { - $RT::Logger->debug("Mail from user #". $CurrentUser->Id ." ($Address)" ); - return ( $CurrentUser, 1 ); - } - - # If the user can't be loaded, we may need to create one. Figure out the acl situation. - my $unpriv = RT::Group->new( $RT::SystemUser ); - $unpriv->LoadSystemInternalGroup('Unprivileged'); - unless ( $unpriv->Id ) { - $RT::Logger->crit("Couldn't find the 'Unprivileged' internal group"); - return ( $args{'CurrentUser'}, -1 ); - } - - my $everyone = RT::Group->new( $RT::SystemUser ); - $everyone->LoadSystemInternalGroup('Everyone'); - unless ( $everyone->Id ) { - $RT::Logger->crit("Couldn't find the 'Everyone' internal group"); - return ( $args{'CurrentUser'}, -1 ); - } - - $RT::Logger->debug("Going to create user with address '$Address'" ); - - # but before we do that, we need to make sure that the created user would have the right - # to do what we're doing. - if ( $args{'Ticket'} && $args{'Ticket'}->Id ) { - my $qname = $args{'Queue'}->Name; - # We have a ticket. that means we're commenting or corresponding - if ( $args{'Action'} =~ /^comment$/i ) { - - # check to see whether "Everyone" or "Unprivileged users" can comment on tickets - unless ( $everyone->PrincipalObj->HasRight( Object => $args{'Queue'}, - Right => 'CommentOnTicket' ) - || $unpriv->PrincipalObj->HasRight( Object => $args{'Queue'}, - Right => 'CommentOnTicket' ) ) - { - $RT::Logger->debug("Unprivileged users have no right to comment on ticket in queue '$qname'"); - return ( $args{'CurrentUser'}, 0 ); - } - } - elsif ( $args{'Action'} =~ /^correspond$/i ) { - - # check to see whether "Everybody" or "Unprivileged users" can correspond on tickets - unless ( $everyone->PrincipalObj->HasRight( Object => $args{'Queue'}, - Right => 'ReplyToTicket' ) - || $unpriv->PrincipalObj->HasRight( Object => $args{'Queue'}, - Right => 'ReplyToTicket' ) ) - { - $RT::Logger->debug("Unprivileged users have no right to reply to ticket in queue '$qname'"); - return ( $args{'CurrentUser'}, 0 ); - } - } - elsif ( $args{'Action'} =~ /^take$/i ) { - - # check to see whether "Everybody" or "Unprivileged users" can correspond on tickets - unless ( $everyone->PrincipalObj->HasRight( Object => $args{'Queue'}, - Right => 'OwnTicket' ) - || $unpriv->PrincipalObj->HasRight( Object => $args{'Queue'}, - Right => 'OwnTicket' ) ) - { - $RT::Logger->debug("Unprivileged users have no right to own ticket in queue '$qname'"); - return ( $args{'CurrentUser'}, 0 ); - } - - } - elsif ( $args{'Action'} =~ /^resolve$/i ) { - - # check to see whether "Everybody" or "Unprivileged users" can correspond on tickets - unless ( $everyone->PrincipalObj->HasRight( Object => $args{'Queue'}, - Right => 'ModifyTicket' ) - || $unpriv->PrincipalObj->HasRight( Object => $args{'Queue'}, - Right => 'ModifyTicket' ) ) - { - $RT::Logger->debug("Unprivileged users have no right to resolve ticket in queue '$qname'"); - return ( $args{'CurrentUser'}, 0 ); - } - - } - else { - $RT::Logger->warning("Action '". ($args{'Action'}||'') ."' is unknown"); - return ( $args{'CurrentUser'}, 0 ); - } - } - - # We're creating a ticket - elsif ( $args{'Queue'} && $args{'Queue'}->Id ) { - my $qname = $args{'Queue'}->Name; - - # check to see whether "Everybody" or "Unprivileged users" can create tickets in this queue - unless ( $everyone->PrincipalObj->HasRight( Object => $args{'Queue'}, - Right => 'CreateTicket' ) - || $unpriv->PrincipalObj->HasRight( Object => $args{'Queue'}, - Right => 'CreateTicket' ) ) - { - $RT::Logger->debug("Unprivileged users have no right to create ticket in queue '$qname'"); - return ( $args{'CurrentUser'}, 0 ); - } - } - - $CurrentUser = CreateUser( undef, $Address, $Name, $Address, $args{'Message'} ); - - return ( $CurrentUser, 1 ); -} - -eval "require RT::Interface::Email::Auth::MailFrom_Vendor"; -die $@ if ($@ && $@ !~ qr{^Can't locate RT/Interface/Email/Auth/MailFrom_Vendor.pm}); -eval "require RT::Interface::Email::Auth::MailFrom_Local"; -die $@ if ($@ && $@ !~ qr{^Can't locate RT/Interface/Email/Auth/MailFrom_Local.pm}); - -1; diff --git a/rt/lib/RT/Interface/Email/Filter/SpamAssassin.pm b/rt/lib/RT/Interface/Email/Filter/SpamAssassin.pm deleted file mode 100644 index 49e89c570..000000000 --- a/rt/lib/RT/Interface/Email/Filter/SpamAssassin.pm +++ /dev/null @@ -1,98 +0,0 @@ -# BEGIN BPS TAGGED BLOCK {{{ -# -# COPYRIGHT: -# -# This software is Copyright (c) 1996-2009 Best Practical Solutions, LLC -# <jesse@bestpractical.com> -# -# (Except where explicitly superseded by other copyright notices) -# -# -# LICENSE: -# -# This work is made available to you under the terms of Version 2 of -# the GNU General Public License. A copy of that license should have -# been provided with this software, but in any event can be snarfed -# from www.gnu.org. -# -# This work is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA -# 02110-1301 or visit their web page on the internet at -# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html. -# -# -# CONTRIBUTION SUBMISSION POLICY: -# -# (The following paragraph is not intended to limit the rights granted -# to you to modify and distribute this software under the terms of -# the GNU General Public License and is only of importance to you if -# you choose to contribute your changes and enhancements to the -# community by submitting them to Best Practical Solutions, LLC.) -# -# By intentionally submitting any modifications, corrections or -# derivatives to this work, or any other work intended for use with -# Request Tracker, to Best Practical Solutions, LLC, you confirm that -# you are the copyright holder for those contributions and you grant -# Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable, -# royalty-free, perpetual, license to use, copy, create derivative -# works based on those contributions, and sublicense and distribute -# those contributions and any derivatives thereof. -# -# END BPS TAGGED BLOCK }}} - -package RT::Interface::Email::Filter::SpamAssassin; - -use Mail::SpamAssassin; -my $spamtest = Mail::SpamAssassin->new(); - -sub GetCurrentUser { - my %args = ( - Message => undef, - CurrentUser => undef, - AuthLevel => undef, - @_ - ); - my $status = $spamtest->check( $args{'Message'} ); - return ( $args{'CurrentUser'}, $args{'AuthLevel'} ) - unless $status->is_spam(); - - eval { $status->rewrite_mail() }; - if ( $status->get_hits > $status->get_required_hits() * 1.5 ) { - - # Spammy indeed - return ( $args{'CurrentUser'}, -1 ); - } - return ( $args{'CurrentUser'}, $args{'AuthLevel'} ); - -} - -=head1 NAME - -RT::Interface::Email::Filter::SpamAssassin - Spam filter for RT - -=head1 SYNOPSIS - - # in RT config - Set(@MailPlugins, 'Filter::SpamAssassin', ...other filters...); - -=head1 DESCRIPTION - -This plugin checks to see if an incoming mail is spam (using -C<spamassassin>) and if so, rewrites its headers. If the mail is very -definitely spam - 1.5x more hits than required - then it is dropped on -the floor; otherwise, it is passed on as normal. - -=cut - -eval "require RT::Interface::Email::Filter::SpamAssassin_Vendor"; -die $@ if ($@ && $@ !~ qr{^Can't locate RT/Interface/Email/Filter/SpamAssassin_Vendor.pm}); -eval "require RT::Interface::Email::Filter::SpamAssassin_Local"; -die $@ if ($@ && $@ !~ qr{^Can't locate RT/Interface/Email/Filter/SpamAssassin_Local.pm}); - -1; |