[pmg-api.git] / PMG / Utils.pm

package PMG::Utils;

use strict;
use warnings;
use Carp;
use DBI;
use Net::Cmd;
use Net::SMTP;
use IO::File;
use File::stat;
use File::Basename;
use MIME::Words;
use MIME::Parser;
use Time::HiRes qw (gettimeofday);
use Xdgmime;
use Data::Dumper;
use Net::IP;

use PVE::Network;
use PVE::Tools;
use PVE::SafeSyslog;
use PVE::ProcFSTools;
use PMG::AtomicFile;
use PMG::MailQueue;

sub msgquote {
    my $msg = shift || '';
    $msg =~ s/%/%%/g;
    return $msg;
}

sub lastid {
    my ($dbh, $seq) = @_;

    return $dbh->last_insert_id(
	undef, undef, undef, undef, { sequence => $seq});
}

sub file_older_than {
    my ($filename, $lasttime) = @_;

    my $st = stat($filename);

    return 0 if !defined($st);

    return ($lasttime >= $st->ctime);
}

sub extract_filename {
    my ($head) = @_;

    if (my $value = $head->recommended_filename()) {
	chomp $value;
	if (my $decvalue = MIME::Words::decode_mimewords($value)) {
	    $decvalue =~ s/\0/ /g;
	    $decvalue = PVE::Tools::trim($decvalue);
	    return $decvalue;
	}
    }

    return undef;
}

sub remove_marks {
    my ($entity, $add_id, $id) = @_;

    $id //= 1;

    foreach my $tag (grep {/^x-proxmox-tmp/i} $entity->head->tags) {
	$entity->head->delete ($tag);
    }

    $entity->head->replace('X-Proxmox-tmp-AID', $id) if $add_id;

    foreach my $part ($entity->parts)  {
	$id = remove_marks($part, $add_id, $id + 1);
    }

    return $id;
}

sub subst_values {
    my ($body, $dh) = @_;

    return if !$body;

    foreach my $k (keys %$dh) {
	my $v = $dh->{$k};
	if (defined($v)) {
	    $body =~ s/__\Q${k}\E__/$v/gs;
	}
    }

    return $body;
}

sub reinject_mail {
    my ($entity, $sender, $targets, $xforward, $me, $nodsn) = @_;

    my $smtp;
    my $resid;
    my $rescode;
    my $resmess;

    eval {
	my $smtp = Net::SMTP->new('127.0.0.1', Port => 10025, Hello => $me) ||
	    die "unable to connect to localhost at port 10025";

	if (defined($xforward)) {
	    my $xfwd;

	    foreach my $attr (keys %{$xforward}) {
		$xfwd .= " $attr=$xforward->{$attr}";
	    }

	    if ($xfwd && $smtp->command("XFORWARD", $xfwd)->response() != CMD_OK) {
		syslog('err', "xforward error - got: %s %s", $smtp->code, scalar($smtp->message));
	    }
	}

	if (!$smtp->mail($sender)) {
	    syslog('err', "smtp error - got: %s %s", $smtp->code, scalar ($smtp->message));
	    die "smtp from: ERROR";
	}

	my $dsnopts = $nodsn ? {Notify => ['NEVER']} : {};

	if (!$smtp->to (@$targets, $dsnopts)) {
	    syslog ('err', "smtp error - got: %s %s", $smtp->code, scalar($smtp->message));
	    die "smtp to: ERROR";
	}

	# Output the head:
	#$entity->sync_headers ();
	$smtp->data();

	my $out = PMG::SMTPPrinter->new($smtp);
	$entity->print($out);

	# make sure we always have a newline at the end of the mail
	# else dataend() fails
	$smtp->datasend("\n");

	if ($smtp->dataend()) {
	    my @msgs = $smtp->message;
	    $resmess = $msgs[$#msgs];
	    ($resid) = $resmess =~ m/Ok: queued as ([0-9A-Z]+)/;
	    $rescode = $smtp->code;
	    if (!$resid) {
		die sprintf("unexpected SMTP result - got: %s %s : WARNING", $smtp->code, $resmess);
	    }
	} else {
	    my @msgs = $smtp->message;
	    $resmess = $msgs[$#msgs];
	    $rescode = $smtp->code;
	    die sprintf("sending data failed - got: %s %s : ERROR", $smtp->code, $resmess);
	}
    };
    my $err = $@;

    $smtp->quit if $smtp;

    if ($err) {
	syslog ('err', $err);
    }

    return wantarray ? ($resid, $rescode, $resmess) : $resid;
}

sub analyze_virus_clam {
    my ($queue, $dname, $pmg_cfg) = @_;

    my $timeout = 60*5;
    my $vinfo;

    my $clamdscan_opts = "--stdout";

    my ($csec, $usec) = gettimeofday();

    my $previous_alarm;

    eval {

	$previous_alarm = alarm($timeout);

	$SIG{ALRM} = sub {
	    die "$queue->{logid}: Maximum time ($timeout sec) exceeded. " .
		"virus analyze (clamav) failed: ERROR";
	};

	open(CMD, "/usr/bin/clamdscan $clamdscan_opts '$dname'|") ||
	    die "$queue->{logid}: can't exec clamdscan: $! : ERROR";

	my $ifiles;

	my $response = '';
	while (defined(my $line = <CMD>)) {
	    if ($line =~ m/^$dname.*:\s+([^ :]*)\s+FOUND$/) {
		# we just use the first detected virus name
		$vinfo = $1 if !$vinfo;
	    } elsif ($line =~ m/^Infected files:\s(\d*)$/i) {
		$ifiles = $1;
	    }

	    $response .= $line;
	}

	close(CMD);

	alarm(0); # avoid race conditions

	if (!defined($ifiles)) {
	    die "$queue->{logid}: got undefined output from " .
		"virus detector: $response : ERROR";
	}

	if ($vinfo) {
	    syslog('info', "$queue->{logid}: virus detected: $vinfo (clamav)");
	}
    };
    my $err = $@;

    alarm($previous_alarm);

    my ($csec_end, $usec_end) = gettimeofday();
    $queue->{ptime_clam} =
	int (($csec_end-$csec)*1000 + ($usec_end - $usec)/1000);

    if ($err) {
	syslog ('err', $err);
	$vinfo = undef;
	$queue->{errors} = 1;
    }

    $queue->{vinfo_clam} = $vinfo;

    return $vinfo ? "$vinfo (clamav)" : undef;
}

sub analyze_virus {
    my ($queue, $filename, $pmg_cfg, $testmode) = @_;

    # TODO: support other virus scanners?

    # always scan with clamav
    return analyze_virus_clam($queue, $filename, $pmg_cfg);
}

sub magic_mime_type_for_file {
    my ($filename) = @_;
    
    # we do not use get_mime_type_for_file, because that considers
    # filename extensions - we only want magic type detection

    my $bufsize = Xdgmime::xdg_mime_get_max_buffer_extents();
    die "got strange value for max_buffer_extents" if $bufsize > 4096*10;

    my $ct = "application/octet-stream";

    my $fh = IO::File->new("<$filename") || 
	die "unable to open file '$filename' - $!";

    my ($buf, $len);
    if (($len = $fh->read($buf, $bufsize)) > 0) {
	$ct = xdg_mime_get_mime_type_for_data($buf, $len);
    }
    $fh->close();
    
    die "unable to read file '$filename' - $!" if ($len < 0);
    
    return $ct;
}

sub add_ct_marks {
    my ($entity) = @_;

    if (my $path = $entity->{PMX_decoded_path}) {

	# set a reasonable default if magic does not give a result
	$entity->{PMX_magic_ct} = $entity->head->mime_attr('content-type');

	if (my $ct = magic_mime_type_for_file($path)) {
	    if ($ct ne 'application/octet-stream' || !$entity->{PMX_magic_ct}) {
		$entity->{PMX_magic_ct} = $ct;
	    }
	}

	my $filename = $entity->head->recommended_filename;
	$filename = basename($path) if !defined($filename) || $filename eq '';

	if (my $ct = xdg_mime_get_mime_type_from_file_name($filename)) {
	    $entity->{PMX_glob_ct} = $ct;
	}
    }

    foreach my $part ($entity->parts)  {
	add_ct_marks ($part);
    }
}

# x509 certificate utils

my $proxmox_tls_cert_fn = "/etc/proxmox/proxmox-tls.pem";

sub gen_proxmox_tls_cert {
    my ($force, $company, $cn) = @_;

    return if !$force && -f $proxmox_tls_cert_fn;

    my $sslconf = <<__EOD__;
RANDFILE = /root/.rnd
extensions = v3_req

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
string_mask = nombstr

[ req_distinguished_name ]
organizationalUnitName = Proxmox Mail Gateway
organizationName = $company
commonName = $cn

[ v3_req ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
__EOD__

    my $cfgfn = "/tmp/proxmoxtlsconf-$$.tmp";
    my $fh = IO::File->new ($cfgfn, "w");
    print $fh $sslconf;
    close ($fh);

    eval {
	PVE::Tools::run_command(['openssl', 'req', '-batch', '-x509', '-new', '-sha256',
				 '-config', $cfgfn, '-days', 3650, '-nodes',
				 '-out', $proxmox_tls_cert_fn,
				 '-keyout', $proxmox_tls_cert_fn]);
    };

    if (my $err = $@) {
	unlink $proxmox_tls_cert_fn;
	unlink $cfgfn;
	die "unable to generate proxmox certificate request:\n$err";
    }

    unlink $cfgfn;
}

sub find_local_network_for_ip {
    my ($ip) = @_;

    my $testip = Net::IP->new($ip);

    my $isv6 = $testip->version == 6;
    my $routes = $isv6 ?
	PVE::ProcFSTools::read_proc_net_ipv6_route() :
	PVE::ProcFSTools::read_proc_net_route();

    foreach my $entry (@$routes) {
	my $mask;
	if ($isv6) {
	    $mask = $entry->{prefix};
	    next if !$mask; # skip the default route...
	} else {
	    $mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}};
	    next if !defined($mask);
	}
	my $cidr = "$entry->{dest}/$mask";
	my $testnet = Net::IP->new($cidr);
	my $overlap = $testnet->overlaps($testip);
	if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP ||
	    $overlap == $Net::IP::IP_IDENTICAL)
	{
	    return $cidr;
	}
    }

    die "unable to detect local network for ip '$ip'\n";
}

1;
Commit	Line	Data
758c7b6b DM	1	package PMG::Utils;
	2
	3	use strict;
	4	use warnings;
	5	use Carp;
	6	use DBI;
b8ea5d5d	7	use Net::Cmd;
758c7b6b	8	use Net::SMTP;
26357b0a	9	use IO::File;
cad3d400	10	use File::stat;
ff1c5a81	11	use File::Basename;
758c7b6b DM	12	use MIME::Words;
758c7b6b DM	13	use MIME::Parser;
8210c7fa	14	use Time::HiRes qw (gettimeofday);
26357b0a	15	use Xdgmime;
d0d91cda	16	use Data::Dumper;
f609bf7f	17	use Net::IP;
758c7b6b	18
f609bf7f	19	use PVE::Network;
5953119e	20	use PVE::Tools;
758c7b6b	21	use PVE::SafeSyslog;
f609bf7f	22	use PVE::ProcFSTools;
d0d91cda	23	use PMG::AtomicFile;
8210c7fa	24	use PMG::MailQueue;
758c7b6b	25
c881fe35 DM	26	sub msgquote {
	27	my $msg = shift \|\| '';
	28	$msg =~ s/%/%%/g;
	29	return $msg;
	30	}
	31
758c7b6b DM	32	sub lastid {
	33	my ($dbh, $seq) = @_;
	34
	35	return $dbh->last_insert_id(
	36	undef, undef, undef, undef, { sequence => $seq});
	37	}
	38
cad3d400 DM	39	sub file_older_than {
	40	my ($filename, $lasttime) = @_;
	41
	42	my $st = stat($filename);
	43
	44	return 0 if !defined($st);
	45
	46	return ($lasttime >= $st->ctime);
	47	}
	48
758c7b6b DM	49	sub extract_filename {
	50	my ($head) = @_;
	51
	52	if (my $value = $head->recommended_filename()) {
8210c7fa	53	chomp $value;
758c7b6b DM	54	if (my $decvalue = MIME::Words::decode_mimewords($value)) {
758c7b6b DM	55	$decvalue =~ s/\0/ /g;
5953119e	56	$decvalue = PVE::Tools::trim($decvalue);
758c7b6b DM	57	return $decvalue;
	58	}
	59	}
	60
	61	return undef;
	62	}
	63
	64	sub remove_marks {
	65	my ($entity, $add_id, $id) = @_;
	66
	67	$id //= 1;
	68
	69	foreach my $tag (grep {/^x-proxmox-tmp/i} $entity->head->tags) {
	70	$entity->head->delete ($tag);
	71	}
	72
	73	$entity->head->replace('X-Proxmox-tmp-AID', $id) if $add_id;
	74
	75	foreach my $part ($entity->parts) {
	76	$id = remove_marks($part, $add_id, $id + 1);
	77	}
	78
	79	return $id;
	80	}
	81
	82	sub subst_values {
	83	my ($body, $dh) = @_;
	84
	85	return if !$body;
	86
	87	foreach my $k (keys %$dh) {
	88	my $v = $dh->{$k};
bd98f5a1 DM	89	if (defined($v)) {
bd98f5a1 DM	90	$body =~ s/__\Q${k}\E__/$v/gs;
758c7b6b DM	91	}
	92	}
	93
	94	return $body;
	95	}
	96
	97	sub reinject_mail {
	98	my ($entity, $sender, $targets, $xforward, $me, $nodsn) = @_;
	99
	100	my $smtp;
	101	my $resid;
	102	my $rescode;
	103	my $resmess;
	104
	105	eval {
	106	my $smtp = Net::SMTP->new('127.0.0.1', Port => 10025, Hello => $me) \|\|
	107	die "unable to connect to localhost at port 10025";
	108
	109	if (defined($xforward)) {
	110	my $xfwd;
8210c7fa	111
758c7b6b DM	112	foreach my $attr (keys %{$xforward}) {
	113	$xfwd .= " $attr=$xforward->{$attr}";
	114	}
	115
	116	if ($xfwd && $smtp->command("XFORWARD", $xfwd)->response() != CMD_OK) {
	117	syslog('err', "xforward error - got: %s %s", $smtp->code, scalar($smtp->message));
	118	}
	119	}
	120
	121	if (!$smtp->mail($sender)) {
	122	syslog('err', "smtp error - got: %s %s", $smtp->code, scalar ($smtp->message));
	123	die "smtp from: ERROR";
	124	}
	125
	126	my $dsnopts = $nodsn ? {Notify => ['NEVER']} : {};
	127
	128	if (!$smtp->to (@$targets, $dsnopts)) {
	129	syslog ('err', "smtp error - got: %s %s", $smtp->code, scalar($smtp->message));
	130	die "smtp to: ERROR";
	131	}
	132
	133	# Output the head:
	134	#$entity->sync_headers ();
	135	$smtp->data();
	136
	137	my $out = PMG::SMTPPrinter->new($smtp);
	138	$entity->print($out);
8210c7fa DM	139
8210c7fa DM	140	# make sure we always have a newline at the end of the mail
758c7b6b DM	141	# else dataend() fails
	142	$smtp->datasend("\n");
	143
	144	if ($smtp->dataend()) {
	145	my @msgs = $smtp->message;
8210c7fa DM	146	$resmess = $msgs[$#msgs];
8210c7fa DM	147	($resid) = $resmess =~ m/Ok: queued as ([0-9A-Z]+)/;
758c7b6b DM	148	$rescode = $smtp->code;
	149	if (!$resid) {
	150	die sprintf("unexpected SMTP result - got: %s %s : WARNING", $smtp->code, $resmess);
8210c7fa	151	}
758c7b6b DM	152	} else {
758c7b6b DM	153	my @msgs = $smtp->message;
8210c7fa	154	$resmess = $msgs[$#msgs];
758c7b6b DM	155	$rescode = $smtp->code;
	156	die sprintf("sending data failed - got: %s %s : ERROR", $smtp->code, $resmess);
	157	}
	158	};
	159	my $err = $@;
8210c7fa	160
758c7b6b	161	$smtp->quit if $smtp;
8210c7fa	162
758c7b6b DM	163	if ($err) {
	164	syslog ('err', $err);
	165	}
	166
	167	return wantarray ? ($resid, $rescode, $resmess) : $resid;
	168	}
	169
8210c7fa DM	170	sub analyze_virus_clam {
	171	my ($queue, $dname, $pmg_cfg) = @_;
	172
	173	my $timeout = 60*5;
	174	my $vinfo;
	175
	176	my $clamdscan_opts = "--stdout";
	177
	178	my ($csec, $usec) = gettimeofday();
	179
	180	my $previous_alarm;
	181
	182	eval {
	183
	184	$previous_alarm = alarm($timeout);
	185
	186	$SIG{ALRM} = sub {
	187	die "$queue->{logid}: Maximum time ($timeout sec) exceeded. " .
	188	"virus analyze (clamav) failed: ERROR";
	189	};
	190
	191	open(CMD, "/usr/bin/clamdscan $clamdscan_opts '$dname'\|") \|\|
	192	die "$queue->{logid}: can't exec clamdscan: $! : ERROR";
	193
	194	my $ifiles;
8210c7fa	195
54eaf7df DM	196	my $response = '';
	197	while (defined(my $line = <CMD>)) {
	198	if ($line =~ m/^$dname.:\s+([^ :])\s+FOUND$/) {
8210c7fa DM	199	# we just use the first detected virus name
8210c7fa DM	200	$vinfo = $1 if !$vinfo;
54eaf7df	201	} elsif ($line =~ m/^Infected files:\s(\d*)$/i) {
8210c7fa DM	202	$ifiles = $1;
	203	}
	204
54eaf7df	205	$response .= $line;
8210c7fa DM	206	}
	207
	208	close(CMD);
	209
	210	alarm(0); # avoid race conditions
	211
	212	if (!defined($ifiles)) {
	213	die "$queue->{logid}: got undefined output from " .
54eaf7df	214	"virus detector: $response : ERROR";
8210c7fa DM	215	}
	216
	217	if ($vinfo) {
54eaf7df	218	syslog('info', "$queue->{logid}: virus detected: $vinfo (clamav)");
8210c7fa DM	219	}
	220	};
	221	my $err = $@;
	222
	223	alarm($previous_alarm);
	224
	225	my ($csec_end, $usec_end) = gettimeofday();
	226	$queue->{ptime_clam} =
	227	int (($csec_end-$csec)*1000 + ($usec_end - $usec)/1000);
	228
	229	if ($err) {
	230	syslog ('err', $err);
	231	$vinfo = undef;
	232	$queue->{errors} = 1;
	233	}
	234
	235	$queue->{vinfo_clam} = $vinfo;
	236
	237	return $vinfo ? "$vinfo (clamav)" : undef;
	238	}
	239
	240	sub analyze_virus {
	241	my ($queue, $filename, $pmg_cfg, $testmode) = @_;
	242
	243	# TODO: support other virus scanners?
	244
	245	# always scan with clamav
	246	return analyze_virus_clam($queue, $filename, $pmg_cfg);
	247	}
	248
26357b0a DM	249	sub magic_mime_type_for_file {
	250	my ($filename) = @_;
	251
	252	# we do not use get_mime_type_for_file, because that considers
	253	# filename extensions - we only want magic type detection
	254
	255	my $bufsize = Xdgmime::xdg_mime_get_max_buffer_extents();
	256	die "got strange value for max_buffer_extents" if $bufsize > 4096*10;
	257
	258	my $ct = "application/octet-stream";
	259
	260	my $fh = IO::File->new("<$filename") \|\|
	261	die "unable to open file '$filename' - $!";
	262
	263	my ($buf, $len);
	264	if (($len = $fh->read($buf, $bufsize)) > 0) {
	265	$ct = xdg_mime_get_mime_type_for_data($buf, $len);
	266	}
	267	$fh->close();
	268
	269	die "unable to read file '$filename' - $!" if ($len < 0);
	270
	271	return $ct;
	272	}
758c7b6b	273
1d4193a1 DM	274	sub add_ct_marks {
	275	my ($entity) = @_;
	276
	277	if (my $path = $entity->{PMX_decoded_path}) {
	278
	279	# set a reasonable default if magic does not give a result
	280	$entity->{PMX_magic_ct} = $entity->head->mime_attr('content-type');
	281
	282	if (my $ct = magic_mime_type_for_file($path)) {
	283	if ($ct ne 'application/octet-stream' \|\| !$entity->{PMX_magic_ct}) {
	284	$entity->{PMX_magic_ct} = $ct;
	285	}
	286	}
	287
	288	my $filename = $entity->head->recommended_filename;
	289	$filename = basename($path) if !defined($filename) \|\| $filename eq '';
	290
	291	if (my $ct = xdg_mime_get_mime_type_from_file_name($filename)) {
	292	$entity->{PMX_glob_ct} = $ct;
	293	}
	294	}
	295
	296	foreach my $part ($entity->parts) {
	297	add_ct_marks ($part);
	298	}
	299	}
	300
f609bf7f DM	301	# x509 certificate utils
	302
	303	my $proxmox_tls_cert_fn = "/etc/proxmox/proxmox-tls.pem";
	304
	305	sub gen_proxmox_tls_cert {
	306	my ($force, $company, $cn) = @_;
	307
	308	return if !$force && -f $proxmox_tls_cert_fn;
	309
	310	my $sslconf = <<__EOD__;
	311	RANDFILE = /root/.rnd
	312	extensions = v3_req
	313
	314	[ req ]
	315	default_bits = 4096
	316	distinguished_name = req_distinguished_name
	317	req_extensions = v3_req
	318	prompt = no
	319	string_mask = nombstr
	320
	321	[ req_distinguished_name ]
	322	organizationalUnitName = Proxmox Mail Gateway
	323	organizationName = $company
	324	commonName = $cn
	325
	326	[ v3_req ]
	327	basicConstraints = CA:FALSE
	328	nsCertType = server
	329	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	330	__EOD__
	331
	332	my $cfgfn = "/tmp/proxmoxtlsconf-$$.tmp";
	333	my $fh = IO::File->new ($cfgfn, "w");
	334	print $fh $sslconf;
	335	close ($fh);
	336
	337	eval {
	338	PVE::Tools::run_command(['openssl', 'req', '-batch', '-x509', '-new', '-sha256',
	339	'-config', $cfgfn, '-days', 3650, '-nodes',
	340	'-out', $proxmox_tls_cert_fn,
	341	'-keyout', $proxmox_tls_cert_fn]);
	342	};
	343
	344	if (my $err = $@) {
	345	unlink $proxmox_tls_cert_fn;
	346	unlink $cfgfn;
	347	die "unable to generate proxmox certificate request:\n$err";
	348	}
	349
	350	unlink $cfgfn;
	351	}
	352
	353	sub find_local_network_for_ip {
	354	my ($ip) = @_;
	355
	356	my $testip = Net::IP->new($ip);
	357
	358	my $isv6 = $testip->version == 6;
	359	my $routes = $isv6 ?
	360	PVE::ProcFSTools::read_proc_net_ipv6_route() :
	361	PVE::ProcFSTools::read_proc_net_route();
	362
	363	foreach my $entry (@$routes) {
	364	my $mask;
365	if ($isv6) {
366	$mask = $entry->{prefix};
367	next if !$mask; # skip the default route...
368	} else {
369	$mask = $PVE::Network::ipv4_mask_hash_localnet->{$entry->{mask}};
370	next if !defined($mask);
371	}
372	my $cidr = "$entry->{dest}/$mask";
373	my $testnet = Net::IP->new($cidr);
374	my $overlap = $testnet->overlaps($testip);
375	if ($overlap == $Net::IP::IP_B_IN_A_OVERLAP \|\|
376	$overlap == $Net::IP::IP_IDENTICAL)
377	{
378	return $cidr;
379	}
380	}
381
382	die "unable to detect local network for ip '$ip'\n";
383	}
d0d91cda	384
758c7b6b	385	1;