schleuder 4.0.2 → 5.0.0

data/lib/schleuder/gpgme/ctx.rb

@@ -7,6 +7,9 @@ module GPGME
       'new_subkeys' => 8
     }
 
+    # This differs from import_filtered() in that it doesn't filter the keys at
+    # all, and that it returns the import-results themselves, not strings based
+    # on those results.
     def keyimport(keydata)
       self.import_keys(GPGME::Data.new(keydata))
       result = self.import_result
@@ -33,13 +36,11 @@ module GPGME
     end
 
     def find_keys(input=nil, secret_only=nil)
-      _, input = clean_and_classify_input(input)
-      keys(input, secret_only)
+      keys(normalize_key_identifier(input), secret_only)
     end
 
     def find_distinct_key(input=nil, secret_only=nil)
-      _, input = clean_and_classify_input(input)
-      keys = keys(input, secret_only)
+      keys = keys(normalize_key_identifier(input), secret_only)
       if keys.size == 1
         keys.first
       else
@@ -47,16 +48,16 @@ module GPGME
       end
     end
 
-    def clean_and_classify_input(input)
+    def normalize_key_identifier(input)
       case input
       when /.*?([^ <>]+@[^ <>]+).*?/
-        [:email, "<#{$1}>"]
+        "<#{$1}>"
       when /^http/
-        [:url, input]
+        input
       when Conf::FINGERPRINT_REGEXP
-        [:fingerprint, "0x#{input.gsub(/^0x/, '')}"]
+        "0x#{input.gsub(/^0x/, '')}"
       else
-        [nil, input]
+        input
       end
     end
 
@@ -88,85 +89,23 @@ module GPGME
       GPGME::Engine.info.find {|e| e.protocol == GPGME::PROTOCOL_OpenPGP }
     end
 
-    def refresh_keys(keys)
-      # reorder keys so the update pattern is random
-      output = keys.shuffle.map do |key|
-        # Sleep a short while to make traffic analysis less easy.
-        sleep rand(1.0..5.0)
-        refresh_key(key.fingerprint).presence
-      end
-      `gpgconf --kill dirmngr`
-      output.compact.join("\n")
-    end
-
-    def refresh_key(fingerprint)
-      args = "#{keyserver_arg} #{import_filter_arg} --refresh-keys #{fingerprint}"
-      gpgerr, gpgout, exitcode = self.class.gpgcli(args)
-
-      if exitcode > 0
-        # Return filtered error messages. Include gpgkeys-messages from stdout
-        # (gpg 2.0 does that), which could e.g. report a failure to connect to
-        # the keyserver.
-        # TODO: Revisit this once we don't do network access via GPG
-        # anymore.
-        res = [
-          refresh_key_filter_messages(gpgerr),
-          refresh_key_filter_messages(gpgout).grep(/^gpgkeys: /)
-        ].flatten.compact
-        # if there was an error that we don't filter out,
-        # we better kill dirmngr, so it hopefully won't suffer
-        # from the same error during the next run.
-        # See #309 for background
-        if !res.empty?
-          `gpgconf --kill dirmngr`
-        end
-        res.join("\n")
-      else
-        lines = translate_output('key_updated', gpgout).reject do |line|
-          # Reduce the noise a little.
-          line.match(/.* \(unchanged\):$/)
+    def import_filtered(input, gpg_extra_arg='')
+      # Import through gpgcli so we can use import-filter. GPGME still does
+      # not provide that feature (as of summer 2023): <https://dev.gnupg.org/T4721> :(
+      gpgerr, gpgout, exitcode = self.class.gpgcli("#{import_filter_arg} #{gpg_extra_arg} --import") do |stdin, stdout, stderr|
+        # Wrap this into a block because gpg breaks the pipe if it encounters invalid data.
+        begin
+          stdin.print input
+        rescue Errno::EPIPE
         end
-        lines.join("\n")
+        stdin.close
+        stdout.readlines
       end
-    end
-
-    def fetch_key(input)
-      arguments, error = fetch_key_gpg_arguments_for(input)
-      return error if error
-
-      gpgerr, gpgout, exitcode = self.class.gpgcli("#{import_filter_arg} #{arguments}")
-
-      # Unfortunately gpg doesn't exit with code > 0 if `--fetch-key` fails.
-      if exitcode > 0 || gpgerr.grep(/ unable to fetch /).presence
-        "Fetching #{input} did not succeed:\n#{gpgerr.join("\n")}"
-      else
-        translate_output('key_fetched', gpgout).join("\n")
-      end
-    end
-
-    def fetch_key_gpg_arguments_for(input)
-      case input
-      when Conf::FINGERPRINT_REGEXP
-        "#{keyserver_arg} --recv-key #{input}"
-      when /^http/
-        "--fetch-key #{input}"
-      when /@/
-        # --recv-key doesn't work with email-addresses, so we use --locate-key
-        # restricted to keyservers.
-        "#{keyserver_arg} --auto-key-locate keyserver --locate-key #{input}"
+      if exitcode > 0
+        RuntimeError.new(gpgerr.join("\n"))
       else
-        [nil, I18n.t('fetch_key.invalid_input')]
-      end
-    end
-
-    def translate_output(locale_key, gpgoutput)
-      import_states = translate_import_data(gpgoutput)
-      strings = import_states.map do |fingerprint, states|
-        key = find_distinct_key(fingerprint)
-        I18n.t(locale_key, key_summary: key.summary,
-                           states: states.to_sentence)
+        translate_import_data(gpgout)
       end
-      strings
     end
 
     def translate_import_data(gpgoutput)
@@ -210,7 +149,7 @@ module GPGME
       errors = []
       output = []
       base_cmd = gpg_engine.file_name
-      base_args = '--no-greeting --no-permission-warning --quiet --armor --trust-model always --no-tty --command-fd 0 --status-fd 1'
+      base_args = '--no-greeting --quiet --armor --trust-model always --no-tty --command-fd 0 --status-fd 1'
       cmd = [base_cmd, base_args, args].flatten.join(' ')
       Open3.popen3(cmd) do |stdin, stdout, stderr, thread|
         if block_given?
@@ -223,19 +162,21 @@ module GPGME
         exitcode = thread.value.exitstatus
       end
 
+      # Don't treat warnings as errors but log them.
+      errors = errors.map do |line|
+        if line.match?(/gpg: WARNING: (unsafe permissions on homedir|using insecure memory)/i)
+          Schleuder.logger.warn(line)
+          nil
+        else
+          line
+        end
+      end.compact
+
       [errors, output, exitcode]
     rescue Errno::ENOENT
       raise 'Need gpg in $PATH or in $GPGBIN'
     end
 
-    def keyserver_arg
-      if Conf.keyserver.present?
-        "--keyserver #{Conf.keyserver}"
-      else
-        ''
-      end
-    end
-
     def import_filter_arg
       %{ --import-filter drop-sig='sig_created_d > 0000-00-00'}
     end

data/lib/schleuder/gpgme/key.rb

@@ -82,7 +82,7 @@ module GPGME
     end
 
     def self.valid_fingerprint?(fp)
-      fp =~ Schleuder::Conf::FINGERPRINT_REGEXP
+      fp.present? && fp.match?(Schleuder::Conf::FINGERPRINT_REGEXP)
     end
   end
 end

data/lib/schleuder/gpgme/key_extractor.rb

@@ -0,0 +1,30 @@
+module GPGME
+  class KeyExtractor
+    # This takes key material and returns those keys from it, that have a UID
+    # matching the given email address, stripped by all other UIDs.
+    def self.extract_by_email_address(email_address, keydata)
+      orig_gnupghome = ENV['GNUPGHOME']
+      ENV['GNUPGHOME'] = Dir.mktmpdir
+      gpg = GPGME::Ctx.new(armor: true)
+      gpg_arg = %{ --import-filter keep-uid='mbox = #{email_address}'}
+      gpg.import_filtered(keydata, gpg_arg)
+      # Return the fingerprint and the exported, filtered keydata, because
+      # passing the key objects around led to strange problems with some keys,
+      # which produced only a blank string as return value of export().
+      result = {}
+      gpg.keys.each do |tmp_key|
+        # Skip this key if it has
+        # * no UID – because none survived the import-filter,
+        # * more than one UID – which means the import-filtering failed or
+        #   something else went wrong during import.
+        if tmp_key.uids.size == 1
+          result[tmp_key.fingerprint] = tmp_key.armored
+        end
+      end
+      result
+    ensure
+      FileUtils.remove_entry(ENV['GNUPGHOME'])
+      ENV['GNUPGHOME'] = orig_gnupghome
+    end
+  end
+end

data/lib/schleuder/http.rb

@@ -0,0 +1,56 @@
+module Schleuder
+  class NetworkError < StandardError; end
+
+  class NotFoundError < StandardError; end
+
+  class Http
+    attr_reader :request, :response
+
+    def initialize(url, options={})
+      @request = Typhoeus::Request.new(url, default_options.merge(options))
+    end
+
+    def run
+      @response = @request.run
+      if @response.success?
+        @response.body
+      elsif @response.timed_out?
+        raise_network_error(response, 'HTTP Request timed out.')
+      elsif @response.code == 404
+        NotFoundError.new
+      elsif @response.code == 0
+        # This happens e.g. if no response could be received.
+        raise_network_error(@response, 'No HTTP response received.')
+      else
+        RuntimeError.new(@response.body.to_s.presence || @response.return_message)
+      end
+    end
+
+    def self.get(url)
+      nth_attempt ||= 1
+      new(url).run
+    rescue NetworkError => error
+      nth_attempt += 1
+      if nth_attempt < 4
+        retry
+      else
+        return error
+      end
+    end
+
+    private
+
+    def raise_network_error(response, fallback_msg)
+      raise NetworkError.new(
+        response.body.to_s.presence || response.return_message || fallback_msg
+      )
+    end
+
+    def default_options
+      {
+        followlocation: true,
+        proxy: Conf.http_proxy.presence
+      }
+    end
+  end
+end

data/lib/schleuder/key_fetcher.rb

@@ -0,0 +1,89 @@
+module Schleuder
+  class KeyFetcher
+    def initialize(list)
+      @list = list
+    end
+
+    def fetch(input, locale_key='key_fetched')
+      result = case input
+               when /^http/
+                 fetch_key_by_url(input)
+               when Conf::EMAIL_REGEXP
+                 fetch_key_from_keyserver('email', input)
+               when Conf::FINGERPRINT_REGEXP
+                 fetch_key_from_keyserver('fingerprint', input)
+               else
+                 return I18n.t('key_fetcher.invalid_input')
+               end
+      interpret_fetch_result(result, locale_key)
+    end
+
+    def fetch_key_by_url(url)
+      case result = Schleuder::Http.get(url)
+      when NotFoundError
+        NotFoundError.new(I18n.t('key_fetcher.url_not_found', url: url))
+      else
+        result
+      end
+    end
+
+    def fetch_key_from_keyserver(type, input)
+      if Conf.vks_keyserver.present?
+        result = Schleuder::VksClient.get(type, input)
+      end
+      if (result.blank? || ! result.is_a?(String)) && Conf.sks_keyserver.present?
+        result = Schleuder::SksClient.get(input)
+      end
+
+      case result
+      when nil
+        RuntimeError.new('No keyserver configured, cannot query anything')
+      when NotFoundError
+        NotFoundError.new(I18n.t('key_fetcher.not_found', input: input))
+      else
+        result
+      end
+    end
+
+    private
+
+    def interpret_fetch_result(result, locale_key)
+      case result
+      when ''
+        I18n.t('key_fetcher.general_error', error: 'Empty response from server')
+      when String
+        import(result, locale_key)
+      when NotFoundError
+        result.to_s
+      when StandardError
+        I18n.t('key_fetcher.general_error', error: result)
+      else
+        raise_unexpected_error(result)
+      end
+    end
+
+    def import(input, locale_key)
+      result = @list.gpg.import_filtered(input)
+      case result
+      when StandardError
+        I18n.t('key_fetcher.import_error', error: result)
+      when Hash
+        translate_output(locale_key, result).join("\n")
+      else
+        raise_unexpected_error(result)
+      end
+    end
+
+    def translate_output(locale_key, import_states)
+      import_states.map do |fingerprint, states|
+        key = @list.gpg.find_distinct_key(fingerprint)
+        I18n.t(locale_key, key_summary: key.summary,
+                           states: states.to_sentence)
+      end
+    end
+
+    def raise_unexpected_error(thing)
+      raise "Unexpected output => #{thing.inspect}"
+    end
+  end
+end

data/lib/schleuder/keyword_handlers/key_management.rb

@@ -15,7 +15,7 @@ module Schleuder
             import_key_from_body
           else
             @list.logger.debug 'Found no attachments and an empty body - sending error message'
-            I18n.t('keyword_handlers.key_management.no_content_found')
+            return I18n.t('keyword_handlers.key_management.no_content_found')
           end
 
         import_stati = results.compact.collect(&:imports).flatten
@@ -125,7 +125,7 @@ module Schleuder
 
       def import_keys_from_attachments
         @mail.attachments.map do |attachment|
-          import_from_string(attachment.body.raw_source)
+          import_from_string(attachment.body.decoded)
         end
       end
 

data/lib/schleuder/keyword_handlers/subscription_management.rb

@@ -22,9 +22,25 @@ module Schleuder
           while @arguments.first.present? && @arguments.first.match(/^(0x)?[a-f0-9]+$/i)
             fingerprint << @arguments.shift.downcase
           end
-          # Use possibly remaining args as flags.
-          adminflag = @arguments.shift.to_s.downcase.presence
-          deliveryflag = @arguments.shift.to_s.downcase.presence
+          # If the collected values aren't a valid fingerprint, then the input
+          # didn't conform with what this code expects, and then the other
+          # values shouldn't be used.
+          unless GPGME::Key.valid_fingerprint?(fingerprint)
+            return I18n.t('keyword_handlers.subscription_management.subscribe_requires_arguments')
+          end
+          if @arguments.present?
+            # Use possibly remaining args as flags.
+            adminflag = @arguments.shift.to_s.downcase.presence
+            unless ['true', 'false'].include?(adminflag)
+              return I18n.t('keyword_handlers.subscription_management.subscribe_requires_arguments')
+            end
+            if @arguments.present?
+              deliveryflag = @arguments.shift.to_s.downcase.presence
+              unless ['true', 'false'].include?(deliveryflag)
+                return I18n.t('keyword_handlers.subscription_management.subscribe_requires_arguments')
+              end
+            end
+          end
         end
 
         sub, _ = @list.subscribe(email, fingerprint, adminflag, deliveryflag)

data/lib/schleuder/list.rb

@@ -4,10 +4,10 @@ module Schleuder
     has_many :subscriptions, dependent: :destroy
     before_destroy :delete_listdirs
 
-    serialize :headers_to_meta, JSON
-    serialize :bounces_drop_on_headers, JSON
-    serialize :keywords_admin_only, JSON
-    serialize :keywords_admin_notify, JSON
+    serialize :headers_to_meta, coder: JSON
+    serialize :bounces_drop_on_headers, coder: JSON
+    serialize :keywords_admin_only, coder: JSON
+    serialize :keywords_admin_notify, coder: JSON
 
     validates :email, presence: true, uniqueness: true, email: true
     validates :fingerprint, presence: true, fingerprint: true
@@ -23,7 +23,8 @@ module Schleuder
         :bounces_notify_admins,
         :include_list_headers,
         :include_openpgp_header,
-        :forward_all_incoming_to_admins, boolean: true
+        :forward_all_incoming_to_admins,
+        :key_auto_import_from_email, boolean: true
     validates_each :headers_to_meta,
         :keywords_admin_only,
         :keywords_admin_notify do |record, attrib, value|
@@ -197,11 +198,26 @@ module Schleuder
     end
 
     def refresh_keys
-      gpg.refresh_keys(self.keys)
+      # reorder keys so the update pattern is random
+      output = self.keys.shuffle.map do |key|
+        # Sleep a short while to make traffic analysis less easy.
+        sleep rand(1.0..5.0)
+        key_fetcher.fetch(key.fingerprint, 'key_updated').presence
+      end
+      # Filter out some "noise" (if a key was unchanged, it wasn't really updated, was it?)
+      # It would be nice to prevent these "false" lines in the first place, but I don't know how.
+      output.reject! do |line|
+        line.match('updated \(unchanged\)')
+      end
+      output.compact.join("\n")
     end
 
     def fetch_keys(input)
-      gpg.fetch_key(input)
+      key_fetcher.fetch(input)
+    end
+
+    def key_fetcher
+      @key_fetcher ||= KeyFetcher.new(self)
     end
 
     def self.by_recipient(recipient)
@@ -350,7 +366,7 @@ module Schleuder
             next
           end
           
-          if ! self.deliver_selfsent && incoming_mail.was_validly_signed? && ( subscription == incoming_mail.signer )
+          if ! self.deliver_selfsent && incoming_mail&.was_validly_signed? && ( subscription == incoming_mail&.signer )
             logger.info "Not sending to #{subscription.email}: delivery of self sent is disabled."
             next
           end
@@ -373,14 +389,14 @@ module Schleuder
     end
 
     def delete_listdirs
-      if File.exists?(self.listdir)
+      if File.exist?(self.listdir)
         FileUtils.rm_rf(self.listdir, secure: true)
         Schleuder.logger.info "Deleted #{self.listdir}"
       end
       # If listlogs_dir is different from lists_dir, the logfile still exists
       # and needs to be deleted, too.
       logfile_dir = File.dirname(self.logfile)
-      if File.exists?(logfile_dir)
+      if File.exist?(logfile_dir)
         FileUtils.rm_rf(logfile_dir, secure: true)
         Schleuder.logger.info "Deleted #{logfile_dir}"
       end

data/lib/schleuder/list_builder.rb

@@ -122,7 +122,7 @@ module Schleuder
     end
 
     def create_or_test_dir(dir)
-      if File.exists?(dir)
+      if File.exist?(dir)
         if ! File.directory?(dir)
           raise Errors::ListdirProblem.new(dir, :not_a_directory)
         end

data/lib/schleuder/logger.rb

@@ -9,7 +9,7 @@ module Schleuder
     def initialize
       super('Schleuder', Syslog::LOG_MAIL)
       # We need some sender-address different from the superadmin-address.
-      @from = "#{Etc.getlogin}@#{Socket.gethostname}"
+      @from = "#{Etc.getlogin}@#{Addrinfo.getaddrinfo(Socket.gethostname, nil).first.getnameinfo.first}"
       @adminaddresses = Conf.superadmin
       @level = ::Logger.const_get(Conf.log_level.upcase)
     end

data/lib/schleuder/mail/gpg/decrypted_part.rb

@@ -0,0 +1,20 @@
+require 'schleuder/mail/gpg/verified_part'
+module Mail
+  module Gpg
+    class DecryptedPart < VerifiedPart
+
+      # options are:
+      #
+      # :verify: decrypt and verify
+      def initialize(cipher_part, options = {})
+        if cipher_part.mime_type != EncryptedPart::CONTENT_TYPE
+          raise EncodingError.new("RFC 3156 incorrect mime type for encrypted part '#{cipher_part.mime_type}'")
+        end
+
+        decrypted = GpgmeHelper.decrypt(cipher_part.body.decoded, options)
+        self.verify_result = decrypted.verify_result if options[:verify]
+        super(decrypted)
+      end
+    end
+  end
+end

data/lib/schleuder/mail/gpg/delivery_handler.rb

@@ -0,0 +1,38 @@
+module Mail
+  module Gpg
+    class DeliveryHandler
+
+      def self.deliver_mail(mail)
+        if mail.gpg
+          encrypted_mail = nil
+          begin
+            options = mail.gpg.is_a?(TrueClass) ? { encrypt: true } : mail.gpg
+            if options[:encrypt]
+              encrypted_mail = Mail::Gpg.encrypt(mail, options)
+            elsif options[:sign] || options[:sign_as]
+              encrypted_mail = Mail::Gpg.sign(mail, options)
+            else
+              # encrypt and sign are off -> do not encrypt or sign
+              yield
+            end
+          rescue StandardError
+            raise $! if mail.raise_encryption_errors
+          end
+          if encrypted_mail
+            if dm = mail.delivery_method
+              encrypted_mail.instance_variable_set :@delivery_method, dm
+            end
+            encrypted_mail.perform_deliveries = mail.perform_deliveries
+            encrypted_mail.raise_delivery_errors = mail.raise_delivery_errors
+            encrypted_mail.deliver
+          end
+        else
+          yield
+        end
+      rescue StandardError
+        raise $! if mail.raise_delivery_errors
+      end
+
+    end
+  end
+end

data/lib/schleuder/mail/gpg/encrypted_part.rb

@@ -1,13 +1,37 @@
-module Mail                                                                                                                                            
-  module Gpg                                                                                                                                           
-    class EncryptedPart < Mail::Part                                                                                                                   
-      alias_method :initialize_mailgpg, :initialize
+module Mail
+  module Gpg
+    class EncryptedPart < Mail::Part
 
+      CONTENT_TYPE = 'application/octet-stream'
+
+      # options are:
+      #
+      # :signers : sign using this key (give the corresponding email address)
+      # :password: passphrase for the signing key
+      # :recipients : array of receiver addresses
+      # :keys : A hash mapping recipient email addresses to public keys or public
+      # key ids. Imports any keys given here that are not already part of the
+      # local keychain before sending the mail. If this option is given, strictly
+      # only the key material from this hash is used, ignoring any keys for
+      # recipients that might have been added to the local key chain but are
+      # not mentioned here.
+      # :always_trust : send encrypted mail to untrusted receivers, true by default
+      # :filename : define a custom name for the encrypted file attachment
       def initialize(cleartext_mail, options = {})
         if cleartext_mail.protected_headers_subject
           cleartext_mail.content_type_parameters['protected-headers'] = 'v1'                                                                       
         end
-        initialize_mailgpg(cleartext_mail, options)
+
+        options = { always_trust: true }.merge options
+
+        encrypted = GpgmeHelper.encrypt(cleartext_mail.encoded, options)
+        super() do
+          body encrypted.to_s
+          filename = options[:filename] || 'encrypted.asc'
+          content_type "#{CONTENT_TYPE}; name=\"#{filename}\""
+          content_disposition "inline; filename=\"#{filename}\""
+          content_description 'OpenPGP encrypted message'
+        end
       end
     end
   end

data/lib/schleuder/mail/gpg/gpgme_ext.rb

@@ -0,0 +1,8 @@
+require 'schleuder/mail/gpg/verify_result_attribute'
+
+# extend GPGME::Data with an attribute to hold the result of signature
+# verifications
+class GPGME::Data
+  include Mail::Gpg::VerifyResultAttribute
+end
+