1 # BEGIN BPS TAGGED BLOCK {{{
5 # This software is Copyright (c) 1996-2009 Best Practical Solutions, LLC
6 # <jesse@bestpractical.com>
8 # (Except where explicitly superseded by other copyright notices)
13 # This work is made available to you under the terms of Version 2 of
14 # the GNU General Public License. A copy of that license should have
15 # been provided with this software, but in any event can be snarfed
18 # This work is distributed in the hope that it will be useful, but
19 # WITHOUT ANY WARRANTY; without even the implied warranty of
20 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
21 # General Public License for more details.
23 # You should have received a copy of the GNU General Public License
24 # along with this program; if not, write to the Free Software
25 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
26 # 02110-1301 or visit their web page on the internet at
27 # http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
30 # CONTRIBUTION SUBMISSION POLICY:
32 # (The following paragraph is not intended to limit the rights granted
33 # to you to modify and distribute this software under the terms of
34 # the GNU General Public License and is only of importance to you if
35 # you choose to contribute your changes and enhancements to the
36 # community by submitting them to Best Practical Solutions, LLC.)
38 # By intentionally submitting any modifications, corrections or
39 # derivatives to this work, or any other work intended for use with
40 # Request Tracker, to Best Practical Solutions, LLC, you confirm that
41 # you are the copyright holder for those contributions and you grant
42 # Best Practical Solutions, LLC a nonexclusive, worldwide, irrevocable,
43 # royalty-free, perpetual, license to use, copy, create derivative
44 # works based on those contributions, and sublicense and distribute
45 # those contributions and any derivatives thereof.
47 # END BPS TAGGED BLOCK }}}
49 package RT::Interface::Email::Auth::GnuPG;
56 To use the gnupg-secured mail gateway, you need to do the following:
58 Set up a GnuPG key directory with a pubring containing only the keys
59 you care about (incoming signatures are checked against whatever keys that pubring holds), and specify the following in your SiteConfig.pm:
61 Set(%GnuPGOptions, homedir => '/opt/rt3/var/data/GnuPG');
62 Set(@MailPlugins, 'Auth::MailFrom', 'Auth::GnuPG', ...other filter...);
# Always returns a true value. Presumably the mail gateway checks this to
# decide whether the plugin runs before the message is decoded -- confirm
# against the caller.
sub ApplyBeforeDecode {
    return 1;
}
69 use RT::EmailParser ();
# RawMessageRef defaults to undef. It is later dereferenced as a scalar
# reference to supply the data of the attached original message. The
# statement this entry belongs to is not visible in this excerpt.
74 RawMessageRef => undef,
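# Strip RT's own GnuPG bookkeeping headers from every MIME part before any
# verification runs. The same header names are written further down from the
# actual verify/decrypt results, so a copy that arrives with the message
# must not survive to be mistaken for RT's own verdict.
#
# Fix: the list used to spell the encryption header 'X-RT-Incoming-Encrypton'.
# That never matches the 'X-RT-Incoming-Encryption' header this code adds
# later, so a sender-supplied value for it was not removed here.
foreach my $p ( $args{'Message'}->parts_DFS ) {
    $p->head->delete($_) for qw(
        X-RT-GnuPG-Status X-RT-Incoming-Encryption
        X-RT-Incoming-Signature X-RT-Privacy
    );
}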
# Copy of the entity taken before VerifyDecrypt runs on it; where $msg is
# used afterwards is not visible in this excerpt.
85 my $msg = $args{'Message'}->dup;
# Verify and/or decrypt the message. $status is treated below as the overall
# success flag and @res as the list of GnuPG run results. AddStatus => 1
# presumably makes the helper record each part's outcome in
# X-RT-GnuPG-Status, which the loop further down reads back -- confirm in
# RT::Crypt::GnuPG.
87 my ($status, @res) = VerifyDecrypt(
88 Entity => $args{'Message'}, AddStatus => 1,
# Success with an empty result list: no GnuPG run was reported, so the
# message is labelled as not encrypted.
90 if ( $status && !@res ) {
91 $args{'Message'}->head->add(
92 'X-RT-Incoming-Encryption' => 'Not encrypted'
98 # FIXME: Check if the message is encrypted to the address of
99 # _this_ queue. send rejecting mail otherwise.
# Failure path: log the problem, hand the results to HandleErrors, and return
# a (0, reason) pair. The condition attached to this return is on a line not
# visible in this excerpt; presumably it depends on $reject.
102 $RT::Logger->error("Had a problem during decrypting and verifying");
103 my $reject = HandleErrors( Message => $args{'Message'}, Result => \@res );
104 return (0, 'rejected because of problems during decrypting and verifying')
108 # attach the original encrypted message
# RawMessageRef is dereferenced as a scalar reference here, so the caller
# must have supplied one.
109 $args{'Message'}->attach(
110 Type => 'application/x-rt-original-message',
111 Disposition => 'inline',
112 Data => ${ $args{'RawMessageRef'} },
# Tag the message with X-RT-Privacy: PGP.
115 $args{'Message'}->head->add( 'X-RT-Privacy' => 'PGP' );
# Turn each part's recorded GnuPG status into X-RT-Incoming-* headers.
# NOTE(review): these headers are the only record of the verification result
# visible here, so anything that trusts them relies on the inbound copies
# having been deleted at the top of this routine.
117 foreach my $part ( $args{'Message'}->parts_DFS ) {
120 my $status = $part->head->get( 'X-RT-GnuPG-Status' );
122 for ( RT::Crypt::GnuPG::ParseStatus( $status ) ) {
# A completed Decrypt operation; the statement it guards is not shown in
# this excerpt (presumably it sets $decrypted, which is tested below).
123 if ( $_->{Operation} eq 'Decrypt' && $_->{Status} eq 'DONE' ) {
# A completed Verify operation: the UserString from the parsed status is
# recorded as the incoming signature.
126 if ( $_->{Operation} eq 'Verify' && $_->{Status} eq 'DONE' ) {
128 'X-RT-Incoming-Signature' => $_->{UserString}
# Encryption label for the part, chosen from $decrypted.
135 'X-RT-Incoming-Encryption' =>
136 $decrypted ? 'Success' : 'Not encrypted'
# Walk over every GnuPG run passed in via Result and parse its status text.
153 foreach my $run ( @{ $args{'Result'} } ) {
154 my @status = RT::Crypt::GnuPG::ParseStatus( $run->{'status'} );
# %sent_once ensures each class of error is handled at most once per call,
# however many runs report it.
155 unless ( $sent_once{'NoPrivateKey'} ) {
# A false return from CheckNoPrivateKey is treated as "problem found".
156 unless ( CheckNoPrivateKey( Message => $args{'Message'}, Status => \@status ) ) {
157 $sent_once{'NoPrivateKey'}++;
# Rejection is opt-in: $reject is set only when the site enabled
# RejectOnMissingPrivateKey in the GnuPG configuration.
158 $reject = 1 if RT->Config->Get('GnuPG')->{'RejectOnMissingPrivateKey'};
161 unless ( $sent_once{'BadData'} ) {
162 unless ( CheckBadData( Message => $args{'Message'}, Status => \@status ) ) {
163 $sent_once{'BadData'}++;
# Same pattern for bad GnuPG data: reject only if RejectOnBadData is set.
# NOTE(review): with both options off, the visible code never sets $reject,
# so such a message is reported but not refused here; sites that want
# fail-closed handling need to enable these options.
164 $reject = 1 if RT->Config->Get('GnuPG')->{'RejectOnBadData'};
# Checks the parsed GnuPG status for a decryption that failed because no
# matching private key is available, logs it and sends the
# 'Error: no private key' template.
# Arguments (named): Message - the incoming entity; Status - array ref of
# parsed status records.
# Returns 1 when there was no Decrypt operation at all; the remaining return
# statements are on lines not visible in this excerpt.
171 sub CheckNoPrivateKey {
172 my %args = (Message => undef, Status => [], @_ );
173 my @status = @{ $args{'Status'} };
# Only Decrypt operations are of interest here.
175 my @decrypts = grep $_->{'Operation'} eq 'Decrypt', @status;
176 return 1 unless @decrypts;
177 foreach my $action ( @decrypts ) {
178 # if at least one secret key exists then it's another error
# Selects the recipients of this operation whose secret key is not flagged
# as missing; the statement that consumes the result is not shown.
180 grep !$_->{'User'}{'SecretKeyMissing'},
181 @{ $action->{'EncryptedTo'} };
184 $RT::Logger->error("Couldn't decrypt a message: have no private key");
# NOTE(review): the sender address is parsed from the headers of a message
# that could not be decrypted, so it is unauthenticated. Presumably it is
# the recipient of the error mail (the To line is not visible here).
186 my $address = (RT::Interface::Email::ParseSenderAddressFromHead( $args{'Message'}->head ))[0];
187 my ($status) = RT::Interface::Email::SendEmailUsingTemplate(
189 Template => 'Error: no private key',
191 Message => $args{'Message'},
# 'Ticket' is not among the defaults above, and the one call to this sub
# visible in this file does not pass it, so this is undef on that path.
192 TicketObj => $args{'Ticket'},
194 InReplyTo => $args{'Message'},
# Failure to send the notification is only logged.
197 $RT::Logger->error("Couldn't send 'Error: no private key'");
# Named arguments: Message - the incoming entity; Status - array ref of
# parsed GnuPG status records.
203 my %args = (Message => undef, Status => [], @_ );
# Collect the 'Data' operations that did not finish with status DONE. One
# line of this statement is not visible in this excerpt, so what exactly is
# stored per record cannot be told from here.
204 my @bad_data_messages =
206 grep $_->{'Status'} ne 'DONE' && $_->{'Operation'} eq 'Data',
207 @{ $args{'Status'} };
# Nothing wrong with the data: report success to the caller.
208 return 1 unless @bad_data_messages;
# The collected entries are written to the error log joined by commas.
210 $RT::Logger->error("Couldn't process a message: ". join ', ', @bad_data_messages );
# NOTE(review): the sender address comes from the headers of a message whose
# GnuPG data was rejected, so it is unauthenticated. Presumably it is the
# recipient of the error mail (the To line is not visible here).
212 my $address = (RT::Interface::Email::ParseSenderAddressFromHead( $args{'Message'}->head ))[0];
213 my ($status) = RT::Interface::Email::SendEmailUsingTemplate(
215 Template => 'Error: bad GnuPG data',
# A copy of the collected entries is passed to the template as Messages.
217 Messages => [ @bad_data_messages ],
# 'Ticket' is not among the defaults above, so this is undef unless the
# caller passes it.
218 TicketObj => $args{'Ticket'},
220 InReplyTo => $args{'Message'},
# Failure to send the notification is only logged.
223 $RT::Logger->error("Couldn't send 'Error: bad GnuPG data'");
# One verify/decrypt pass over the entity, delegated to RT::Crypt::GnuPG.
# Each element of @res is a hash ref with an 'exit_code' key, as the error
# check below shows.
234 my @res = RT::Crypt::GnuPG::VerifyDecrypt( %args );
# Logged when a pass found nothing protected; the condition and the return
# belonging to this branch are on lines not visible in this excerpt.
236 $RT::Logger->debug("No more encrypted/signed parts");
240 $RT::Logger->debug('Found GnuPG protected parts');
242 # return on any error
# Any run with a non-zero exit code counts as an error.
243 if ( grep $_->{'exit_code'}, @res ) {
244 $RT::Logger->debug("Error during verify/decrypt operation");
# Recurse with the same arguments to handle protection nested inside the
# parts just processed, then return this pass's results followed by the
# nested ones.
# NOTE(review): no explicit depth limit is visible here; presumably the
# recursion ends when a pass finds nothing protected. Confirm that
# RT::Crypt::GnuPG::VerifyDecrypt cannot report the same part twice.
249 my ($status, @nested) = VerifyDecrypt( %args );
250 return $status, @res, @nested;
# Optional overlay packages: try to load a _Vendor and a _Local variant of
# this module. The eval strings are fixed literals, so no external input
# reaches the string eval. The visible half of each condition excludes a
# "Can't locate" error for the overlay file itself; the start of each
# statement is not shown in this excerpt.
# NOTE(review): whatever these files contain is loaded into the running RT
# process, so the directories they are found in should be writable by
# administrators only.
253 eval "require RT::Interface::Email::Auth::GnuPG_Vendor";
256 && $@ !~ qr{^Can't locate RT/Interface/Email/Auth/GnuPG_Vendor.pm} );
257 eval "require RT::Interface::Email::Auth::GnuPG_Local";
260 && $@ !~ qr{^Can't locate RT/Interface/Email/Auth/GnuPG_Local.pm} );