emailengine-app 2.67.3 → 2.68.1

package/lib/imapproxy/imap-server.js

@@ -71,6 +71,30 @@ async function call(message, transferList) {
     });
 }
 
+// Resolve pending call() promises when the main thread answers. Without this any
+// RPC issued from this worker (via the `call` passed into Account) would never settle
+// and would reject on timeout. Mirrors the handlers in workers/imap.js and smtp.js.
+parentPort.on('message', message => {
+    if (message && message.cmd === 'resp' && message.mid && callQueue.has(message.mid)) {
+        let { resolve, reject, timer } = callQueue.get(message.mid);
+        clearTimeout(timer);
+        callQueue.delete(message.mid);
+
+        if (message.error) {
+            let err = new Error(message.error);
+            if (message.code) {
+                err.code = message.code;
+            }
+            if (message.statusCode) {
+                err.statusCode = message.statusCode;
+            }
+            return reject(err);
+        }
+
+        return resolve(message.response);
+    }
+});
+
 async function metrics(logger, key, method, ...args) {
     try {
         parentPort.postMessage({
@@ -86,7 +110,7 @@ async function metrics(logger, key, method, ...args) {
 
 const { ImapFlow } = require('imapflow');
 const { IMAPServer, imapHandler } = require('./imap-core/index.js');
-const { PassThrough } = require('./imap-core/lib/length-limiter.js');
+const { PassThrough } = require('stream');
 
 const packageInfo = require('../../package.json');
 const util = require('util');
@@ -113,7 +137,7 @@ class PassThroughLogger extends PassThrough {
                 data: chunk.toString('base64'),
                 compress: !!this.imapClient._deflate,
                 secure: !!this.imapClient.secureConnection,
-                cid: this.id
+                cid: this.cid
             });
         }
 
@@ -361,7 +385,7 @@ const createServer = function (options = {}) {
                 message = util.format(message, ...args);
             }
             data.msg = message;
-            if (typeof logger[level] === 'function') {
+            if (typeof serverLogger[level] === 'function') {
                 serverLogger[level](data);
             } else {
                 serverLogger.debug(data);
@@ -408,39 +432,78 @@ const createServer = function (options = {}) {
                                 logger: proxyLogger.child({ src: 'C' })
                             });
 
+                            // Idempotent teardown for both legs of the proxy. ImapFlow.close() is
+                            // safe after unbind(): it sends no LOGOUT, clears timers (including
+                            // autoidle), removes the deflate/writeSocket error forwarders and
+                            // destroys the upstream socket. Without it the upstream connection and
+                            // its idle timer would leak (most visibly with COMPRESS enabled).
+                            let proxyClosed = false;
+                            const closeProxy = () => {
+                                if (proxyClosed) {
+                                    return;
+                                }
+                                proxyClosed = true;
+
+                                try {
+                                    downstream.imapClient.close();
+                                } catch (err) {
+                                    proxyLogger.error({ msg: 'Failed to close upstream connection', err });
+                                }
+
+                                try {
+                                    if (upstream.socket && !upstream.socket.destroyed) {
+                                        upstream.socket.end();
+                                    }
+                                } catch (err) {
+                                    // ignore
+                                }
+                            };
+
+                            // Every terminal event from either leg funnels into the idempotent
+                            // closeProxy(). The helper keeps that wiring declarative; pass a message
+                            // to log (level defaults to 'error', use 'info' for graceful closes).
+                            const teardownOn = (emitter, event, msg, level = 'error') => {
+                                emitter.on(event, err => {
+                                    if (msg) {
+                                        let entry = { msg };
+                                        if (err) {
+                                            entry.err = err;
+                                        }
+                                        proxyLogger[level](entry);
+                                    }
+                                    closeProxy();
+                                });
+                            };
+
                             downstream.readSocket.pipe(upstreamLogger).pipe(upstream.socket);
                             upstream.socket.pipe(downstreamLogger).pipe(downstream.writeSocket);
 
-                            upstreamLogger.on('error', err => {
-                                proxyLogger.error({ msg: 'Client error', err });
-                                upstream.socket.end();
-                            });
-
-                            downstreamLogger.on('error', err => {
-                                proxyLogger.error({ msg: 'Server error', err });
-                                downstream.writeSocket.end();
-                                downstream.readSocket.end();
-                            });
+                            teardownOn(upstreamLogger, 'error', 'Proxy stream error (to client)');
+                            teardownOn(downstreamLogger, 'error', 'Proxy stream error (to upstream)');
+                            teardownOn(upstream.socket, 'error', 'Client socket error');
+                            teardownOn(upstream.socket, 'end', 'Client connection closed', 'info');
+                            teardownOn(upstream.socket, 'close');
+                            teardownOn(downstream.readSocket, 'end', 'Upstream connection closed', 'info');
 
                             downstream.readSocket.on('error', err => {
-                                proxyLogger.error({ msg: 'Client error', err });
-                                upstreamLogger.end('* BYE Upstream connection error\r\n');
-                            });
-
-                            upstream.socket.on('error', err => {
-                                proxyLogger.error({ msg: 'Upstream error', err });
-                                downstreamLogger.end();
+                                proxyLogger.error({ msg: 'Upstream read error', err });
+                                try {
+                                    // best-effort notice to the client before tearing down
+                                    upstream.socket.write('* BYE Upstream connection error\r\n');
+                                } catch (e) {
+                                    // ignore
+                                }
+                                closeProxy();
                             });
 
-                            downstream.readSocket.on('end', () => {
-                                proxyLogger.info({ msg: 'Client connection closed' });
-                                upstreamLogger.end();
-                            });
-
-                            upstream.socket.on('end', () => {
-                                proxyLogger.info({ msg: 'Server connection closed' });
-                                downstreamLogger.end();
-                            });
+                            // With COMPRESS enabled, readSocket/writeSocket are the inflate/deflate
+                            // streams, not the raw upstream socket, and unbind() removed ImapFlow's
+                            // own listeners from that socket. An upstream reset would then emit an
+                            // 'error' with no listener and crash the worker - guard it explicitly.
+                            if (downstream.imapClient.socket && downstream.imapClient.socket !== downstream.readSocket) {
+                                teardownOn(downstream.imapClient.socket, 'error', 'Upstream socket error');
+                                teardownOn(downstream.imapClient.socket, 'close');
+                            }
 
                             proxyLogger.info({ msg: 'Proxy mode enabled' });
                         };

package/lib/oauth/external-account-config.js

@@ -0,0 +1,132 @@
+'use strict';
+
+// Pure configuration helpers for Google external_account (Workload Identity
+// Federation) credentials. This module intentionally has NO heavy dependencies
+// (no Redis, no undici, no settings) so it can be imported from request
+// validation (lib/schemas.js) as well as the runtime signer without dragging in
+// the database layer.
+
+const ACCEPTED_SUBJECT_TOKEN_TYPES = new Set(['urn:ietf:params:oauth:token-type:jwt', 'urn:ietf:params:oauth:token-type:id_token']);
+const IMPERSONATION_URL_RE = /\/v1\/projects\/-\/serviceAccounts\/([^/]+):generateAccessToken$/;
+
+function makeError(message, code, statusCode, extra) {
+    let err = new Error(message);
+    err.code = code;
+    if (statusCode) {
+        err.statusCode = statusCode;
+    }
+    if (extra && typeof extra === 'object') {
+        Object.assign(err, extra);
+    }
+    return err;
+}
+
+// Validates the structural shape of an external_account credential config and
+// returns the derived target service account email. Throws an error tagged with
+// code 'EExternalAccountConfig' on any problem so callers can surface a clean
+// validation message instead of a late runtime failure.
+function validateConfig(config) {
+    if (!config || typeof config !== 'object') {
+        throw makeError('External account configuration must be a JSON object', 'EExternalAccountConfig');
+    }
+
+    if (config.type !== 'external_account') {
+        throw makeError(`External account configuration must have type "external_account" (got ${JSON.stringify(config.type)})`, 'EExternalAccountConfig');
+    }
+
+    for (let key of ['audience', 'subject_token_type', 'token_url', 'service_account_impersonation_url']) {
+        let value = config[key];
+        if (typeof value !== 'string' || !value) {
+            throw makeError(`External account configuration is missing required string field "${key}"`, 'EExternalAccountConfig');
+        }
+    }
+
+    if (!ACCEPTED_SUBJECT_TOKEN_TYPES.has(config.subject_token_type)) {
+        throw makeError(
+            `External account subject_token_type ${JSON.stringify(config.subject_token_type)} is not supported. ` +
+                `Supported types: ${Array.from(ACCEPTED_SUBJECT_TOKEN_TYPES).join(', ')}.`,
+            'EExternalAccountConfig'
+        );
+    }
+
+    let impersonationMatch = IMPERSONATION_URL_RE.exec(config.service_account_impersonation_url);
+    if (!impersonationMatch) {
+        throw makeError(
+            'External account service_account_impersonation_url must point at iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/{EMAIL}:generateAccessToken',
+            'EExternalAccountConfig'
+        );
+    }
+    let targetServiceAccountEmail = decodeURIComponent(impersonationMatch[1]);
+
+    let source = config.credential_source;
+    if (!source || typeof source !== 'object') {
+        throw makeError('External account configuration is missing credential_source', 'EExternalAccountConfig');
+    }
+
+    let hasFile = typeof source.file === 'string' && source.file;
+    let hasUrl = typeof source.url === 'string' && source.url;
+    let hasExecutable = source.executable && typeof source.executable === 'object';
+    let hasEnvironmentId = typeof source.environment_id === 'string' && source.environment_id;
+
+    if (hasExecutable) {
+        throw makeError('credential_source.executable is not supported by EmailEngine', 'EExternalAccountConfig');
+    }
+    if (hasEnvironmentId) {
+        throw makeError(
+            `credential_source.environment_id (${source.environment_id}) is not supported by EmailEngine. Use a file or url credential source.`,
+            'EExternalAccountConfig'
+        );
+    }
+    if (hasFile && hasUrl) {
+        throw makeError('credential_source must specify either "file" or "url", not both', 'EExternalAccountConfig');
+    }
+    if (!hasFile && !hasUrl) {
+        throw makeError('credential_source must specify a "file" or "url" field', 'EExternalAccountConfig');
+    }
+
+    if (source.format && typeof source.format === 'object') {
+        let formatType = source.format.type;
+        if (formatType && formatType !== 'text' && formatType !== 'json') {
+            throw makeError(`credential_source.format.type must be "text" or "json" (got ${JSON.stringify(formatType)})`, 'EExternalAccountConfig');
+        }
+        if (formatType === 'json' && (typeof source.format.subject_token_field_name !== 'string' || !source.format.subject_token_field_name)) {
+            throw makeError('credential_source.format.subject_token_field_name is required when format.type is "json"', 'EExternalAccountConfig');
+        }
+    }
+
+    return { targetServiceAccountEmail };
+}
+
+// Extracts the subject token string from a raw credential-source payload,
+// honouring the optional text/json format descriptor.
+function extractFromFormat(rawText, format) {
+    let formatType = (format && format.type) || 'text';
+    if (formatType === 'text') {
+        let trimmed = rawText.trim();
+        if (!trimmed) {
+            throw makeError('Subject token source returned an empty value', 'ESubjectTokenRead');
+        }
+        return trimmed;
+    }
+
+    let parsed;
+    try {
+        parsed = JSON.parse(rawText);
+    } catch (err) {
+        throw makeError(`Subject token source did not return valid JSON: ${err.message}`, 'ESubjectTokenRead');
+    }
+    let field = format.subject_token_field_name;
+    let value = parsed && typeof parsed === 'object' ? parsed[field] : undefined;
+    if (typeof value !== 'string' || !value.trim()) {
+        throw makeError(`Subject token JSON did not contain a non-empty string at field "${field}"`, 'ESubjectTokenRead');
+    }
+    return value.trim();
+}
+
+module.exports = {
+    ACCEPTED_SUBJECT_TOKEN_TYPES,
+    IMPERSONATION_URL_RE,
+    makeError,
+    validateConfig,
+    extractFromFormat
+};

package/lib/oauth/external-account-signer.js

@@ -0,0 +1,256 @@
+'use strict';
+
+const fs = require('fs');
+const { fetch: undiciFetch } = require('undici');
+const packageData = require('../../package.json');
+const { httpAgent } = require('../tools');
+const { makeError, validateConfig, extractFromFormat } = require('./external-account-config');
+
+const STS_GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:token-exchange';
+const REQUESTED_TOKEN_TYPE = 'urn:ietf:params:oauth:token-type:access_token';
+const CLOUD_PLATFORM_SCOPE = 'https://www.googleapis.com/auth/cloud-platform';
+const DEFAULT_IAM_CREDENTIALS_BASE_URL = 'https://iamcredentials.googleapis.com';
+const SIGN_JWT_URL_TEMPLATE = '/v1/projects/-/serviceAccounts/{email}:signJwt';
+const TOKEN_EXPIRY_SKEW_MS = 60 * 1000;
+const DEFAULT_FEDERATED_TOKEN_TTL_MS = 3600 * 1000;
+const USER_AGENT = `${packageData.name}/${packageData.version} (+${packageData.homepage})`;
+
+class ExternalAccountSigner {
+    constructor(opts) {
+        opts = opts || {};
+
+        let { targetServiceAccountEmail } = validateConfig(opts.config);
+
+        this.config = opts.config;
+        // The service account whose Google-managed key signs the JWT. Exposed so
+        // callers can keep the JWT `iss` claim consistent with the signing identity.
+        this.serviceAccountEmail = targetServiceAccountEmail;
+        this.logger = opts.logger || null;
+        this.logRaw = !!opts.logRaw;
+
+        // Injection points for tests; production code uses undici/fs/Date as defaults.
+        this._fetch = opts.fetchImpl || undiciFetch;
+        this._readFile = opts.readFileImpl || fs.promises.readFile;
+        this._now = opts.nowImpl || (() => Date.now());
+
+        // Allow overriding the IAM Credentials base URL so integration tests
+        // (and unusual forward-proxy deployments) can redirect signJwt traffic.
+        this._iamCredentialsBaseUrl = (opts.iamCredentialsBaseUrl || DEFAULT_IAM_CREDENTIALS_BASE_URL).replace(/\/+$/, '');
+
+        this._cachedToken = null;
+        this._cachedTokenExpiresAt = 0;
+        this._pendingRefresh = null;
+    }
+
+    describeCredentialSource() {
+        let source = this.config.credential_source;
+        if (source.file) {
+            return { type: 'file', location: source.file };
+        }
+        return { type: 'url', location: source.url };
+    }
+
+    async _readSubjectToken() {
+        let source = this.config.credential_source;
+        let format = source.format || { type: 'text' };
+
+        if (source.file) {
+            let rawText;
+            try {
+                rawText = await this._readFile(source.file, 'utf8');
+            } catch (err) {
+                throw makeError(`Failed to read subject token file ${source.file}: ${err.message}`, 'ESubjectTokenRead', null, { cause: err });
+            }
+            return extractFromFormat(rawText, format);
+        }
+
+        let headers = { 'User-Agent': USER_AGENT };
+        if (source.headers && typeof source.headers === 'object') {
+            for (let key of Object.keys(source.headers)) {
+                headers[key] = source.headers[key];
+            }
+        }
+
+        let res;
+        try {
+            res = await this._fetch(source.url, {
+                method: 'GET',
+                headers,
+                dispatcher: httpAgent.retry
+            });
+        } catch (err) {
+            throw makeError(`Failed to fetch subject token from ${source.url}: ${err.message}`, 'ESubjectTokenRead', null, { cause: err });
+        }
+
+        let body = await res.text();
+
+        this._log('readSubjectToken', 'GET', source.url, res.ok, res.status);
+
+        if (!res.ok) {
+            throw makeError(`Subject token endpoint ${source.url} returned HTTP ${res.status}`, 'ESubjectTokenRead', res.status, {
+                responseText: body.slice(0, 1024)
+            });
+        }
+
+        return extractFromFormat(body, format);
+    }
+
+    // Exchange the subject token for a Google federated access token. The
+    // federated identity (the workload principal) carries the cloud-platform
+    // scope and, given roles/iam.serviceAccountTokenCreator on the target
+    // service account, may call signJwt directly. Returns the access token and
+    // its absolute expiry so it can be cached and reused across signJwt calls.
+    async _exchangeAtSts(subjectToken) {
+        let body = new URLSearchParams({
+            grant_type: STS_GRANT_TYPE,
+            audience: this.config.audience,
+            scope: CLOUD_PLATFORM_SCOPE,
+            requested_token_type: REQUESTED_TOKEN_TYPE,
+            subject_token_type: this.config.subject_token_type,
+            subject_token: subjectToken
+        });
+
+        let res;
+        let responseJson;
+        try {
+            res = await this._fetch(this.config.token_url, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    Accept: 'application/json',
+                    'User-Agent': USER_AGENT
+                },
+                body: body.toString(),
+                dispatcher: httpAgent.retry
+            });
+            responseJson = await res.json().catch(() => null);
+        } catch (err) {
+            throw makeError(`STS token exchange request failed: ${err.message}`, 'ESTSExchange', null, { cause: err });
+        }
+
+        this._log('exchangeAtSts', 'POST', this.config.token_url, res.ok, res.status);
+
+        if (!res.ok) {
+            throw makeError(`STS token exchange at ${this.config.token_url} returned HTTP ${res.status}`, 'ESTSExchange', res.status, {
+                response: responseJson || null
+            });
+        }
+
+        let token = responseJson && responseJson.access_token;
+        if (typeof token !== 'string' || !token) {
+            throw makeError('STS response did not include an access_token', 'ESTSExchange', res.status, { response: responseJson || null });
+        }
+
+        let expiresInSec = responseJson && Number(responseJson.expires_in);
+        let ttlMs = Number.isFinite(expiresInSec) && expiresInSec > 0 ? expiresInSec * 1000 : DEFAULT_FEDERATED_TOKEN_TTL_MS;
+
+        return { accessToken: token, expiresAtMs: this._now() + ttlMs };
+    }
+
+    async _ensureFederatedToken() {
+        if (this._cachedToken && this._now() + TOKEN_EXPIRY_SKEW_MS < this._cachedTokenExpiresAt) {
+            return this._cachedToken;
+        }
+
+        // Deduplicate concurrent refreshes: when many accounts hit a cold cache
+        // at once, share the single in-flight exchange rather than stampeding STS
+        // with redundant token exchanges.
+        if (!this._pendingRefresh) {
+            this._pendingRefresh = (async () => {
+                try {
+                    let subjectToken = await this._readSubjectToken();
+                    let { accessToken, expiresAtMs } = await this._exchangeAtSts(subjectToken);
+                    this._cachedToken = accessToken;
+                    this._cachedTokenExpiresAt = expiresAtMs;
+                    return accessToken;
+                } finally {
+                    this._pendingRefresh = null;
+                }
+            })();
+        }
+
+        return this._pendingRefresh;
+    }
+
+    async _callSignJwt(accessToken, jwtPayload) {
+        let url = this._iamCredentialsBaseUrl + SIGN_JWT_URL_TEMPLATE.replace('{email}', encodeURIComponent(this.serviceAccountEmail));
+        let res;
+        let responseJson;
+        try {
+            res = await this._fetch(url, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    Accept: 'application/json',
+                    Authorization: `Bearer ${accessToken}`,
+                    'User-Agent': USER_AGENT
+                },
+                body: JSON.stringify({ payload: JSON.stringify(jwtPayload) }),
+                dispatcher: httpAgent.retry
+            });
+            responseJson = await res.json().catch(() => null);
+        } catch (err) {
+            throw makeError(`signJwt request failed: ${err.message}`, 'ESignJwt', null, { cause: err });
+        }
+
+        this._log('callSignJwt', 'POST', url, res.ok, res.status);
+
+        if (!res.ok) {
+            let retryAfter = null;
+            if (res.status === 429) {
+                let header = res.headers.get('retry-after');
+                if (header) {
+                    let parsed = parseInt(header, 10);
+                    retryAfter = isNaN(parsed) ? null : parsed;
+                }
+            }
+            throw makeError(`signJwt returned HTTP ${res.status}`, 'ESignJwt', res.status, {
+                response: responseJson || null,
+                retryAfter
+            });
+        }
+
+        let signedJwt = responseJson && responseJson.signedJwt;
+        if (typeof signedJwt !== 'string' || !signedJwt) {
+            throw makeError('signJwt response did not include signedJwt', 'ESignJwt', res.status, { response: responseJson || null });
+        }
+        return signedJwt;
+    }
+
+    /**
+     * Sign a JWT payload using the configured external account identity.
+     * Returns the compact JWT string suitable for the `assertion` parameter
+     * in a jwt-bearer grant exchange.
+     */
+    async sign(jwtPayload) {
+        let accessToken = await this._ensureFederatedToken();
+        return this._callSignJwt(accessToken, jwtPayload);
+    }
+
+    _log(fn, method, url, ok, status) {
+        if (!this.logger) {
+            return;
+        }
+        this.logger.info({
+            msg: 'External account signer request',
+            action: 'externalAccountFetch',
+            fn,
+            method,
+            url,
+            success: !!ok,
+            status,
+            credentialSource: this.describeCredentialSource().type,
+            targetServiceAccountEmail: this.serviceAccountEmail
+        });
+    }
+
+    // Test-only: clear the cached federated token.
+    _clearCache() {
+        this._cachedToken = null;
+        this._cachedTokenExpiresAt = 0;
+        this._pendingRefresh = null;
+    }
+}
+
+module.exports.ExternalAccountSigner = ExternalAccountSigner;
+module.exports.__test__ = { validateConfig, extractFromFormat, makeError };