get dkim working, closes #5924

4 files changed, 135 insertions, 52 deletions

diff --git a/lib/leap_cli/commands/compile.rb b/lib/leap_cli/commands/compile.rb
index 44b97d4a..b98d591f 100644
--- a/lib/leap_cli/commands/compile.rb
+++ b/lib/leap_cli/commands/compile.rb
@@ -298,6 +298,7 @@ remove this directory if you don't use it.
         nodes = manager.nodes[:environment => env]
         next unless nodes.any?
         spf = nil
+        dkim = nil
         lines << ENV_HEADER % (env.nil? ? 'default' : env)
         nodes.each_node do |node|
           if node.dns.public
@@ -314,9 +315,11 @@ remove this directory if you don't use it.
             mx_domain = relative_hostname(node.domain.full_suffix, provider)
             lines << [mx_domain, "IN MX 10  #{relative_hostname(node.domain.full, provider)}"]
             spf ||= [mx_domain, spf_record(node)]
+            dkim ||= dkim_record(node)
           end
         end
         lines << spf if spf
+        lines << dkim if dkim
       end
 
       # print the lines
@@ -331,6 +334,8 @@ remove this directory if you don't use it.
       end
     end
 
+    private
+
     #
     # allow mail from any mx node, plus the webapp nodes.
     #
@@ -346,6 +351,43 @@ remove this directory if you don't use it.
       %(IN TXT    "#{strings}")
     end
 
+    #
+    # for example:
+    #
+    # selector._domainkey IN TXT "v=DKIM1;h=sha256;k=rsa;s=email;p=MIGfMA0GCSq...GSIb3DQ"
+    #
+    # specification: http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.7.4
+    #
+    def dkim_record(node)
+      # PEM encoded public key (base64), without the ---PUBLIC KEY--- armor parts.
+      assert_files_exist! :dkim_pub_key
+      dkim_pub_key = Path.named_path(:dkim_pub_key)
+      public_key = File.readlines(dkim_pub_key).grep(/^[^\-]+/).join
+
+      host = node.mx.dkim.selector + "._domainkey"
+      attrs = [
+        "v=DKIM1",
+        "h=sha256",
+        "k=rsa",
+        "s=email",
+        "p=" + public_key
+      ]
+
+      return [host, "IN TXT    " + txt_wrap(attrs.join(';'))]
+    end
+
+    #
+    # DNS TXT records cannot be longer than 255 characters.
+    #
+    # However, multiple responses will be concatenated together.
+    # It looks like this:
+    #
+    #   IN TXT "v=spf1 .... first" "second string..."
+    #
+    def txt_wrap(str)
+      '"' + str.scan(/.{1,255}/).join('" "') + '"'
+    end
+
     ENV_HEADER = %[
 ;;
 ;; ENVIRONMENT %s
@@ -381,6 +423,8 @@ $ORIGIN %{domain}.
     ## FIREWALL
     ##
 
+    public
+
     def compile_firewall
       manager.nodes.each_node(&:evaluate)
 
diff --git a/lib/leap_cli/macros/core.rb b/lib/leap_cli/macros/core.rb
index 7de50f2f..ebea3a6e 100644
--- a/lib/leap_cli/macros/core.rb
+++ b/lib/leap_cli/macros/core.rb
@@ -4,13 +4,6 @@ module LeapCli
   module Macro
 
     #
-    # return a fingerprint for a x509 certificate
-    #
-    def fingerprint(filename)
-      "SHA256: " + X509.fingerprint("SHA256", Path.named_path(filename))
-    end
-
-    #
     # Creates a hash from the ssh key info in users directory, for use in
     # updating authorized_keys file. Additionally, the 'monitor' public key is
     # included, which is used by the monitor nodes to run particular commands
diff --git a/lib/leap_cli/macros/files.rb b/lib/leap_cli/macros/files.rb
index 958958bc..d3972485 100644
--- a/lib/leap_cli/macros/files.rb
+++ b/lib/leap_cli/macros/files.rb
@@ -37,18 +37,10 @@ module LeapCli
     end
 
     #
-    # returns what the file path will be, once the file is rsynced to the server.
-    # an internal list of discovered file paths is saved, in order to rsync these files when needed.
+    # returns the location of a file that is stored on the local
+    # host, under PROVIDER_DIR/files.
     #
-    # notes:
-    #
-    # * argument 'path' is relative to Path.provider/files or Path.provider_base/files
-    # * the path returned by this method is absolute
-    # * the path stored for use later by rsync is relative to Path.provider
-    # * if the path does not exist locally, but exists in provider_base, then the default file from
-    #   provider_base is copied locally. this is required for rsync to work correctly.
-    #
-    def file_path(path, options={})
+    def local_file_path(path, options={})
       if path.is_a? Symbol
         path = [path, @node.name]
       elsif path.is_a? String
@@ -57,32 +49,72 @@ module LeapCli
           path = "files/" + path
         end
       end
-      actual_path = Path.find_file(path)
-      if actual_path.nil?
+      local_path = Path.find_file(path)
+      if local_path.nil?
         if options[:missing]
           raise FileMissing.new(Path.named_path(path), options)
+        elsif block_given?
+          yield
+          return local_file_path(path, options) # try again.
         else
-          Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file."
+          Util::log 2, :skipping, "local_file_path(\"#{path}\") because there is no such file."
+          return nil
         end
-        nil
       else
-        if actual_path =~ /^#{Regexp.escape(Path.provider_base)}/
-          # if file is under Path.provider_base, we must copy the default file to
-          # to Path.provider in order for rsync to be able to sync the file.
-          local_provider_path = actual_path.sub(/^#{Regexp.escape(Path.provider_base)}/, Path.provider)
-          FileUtils.mkdir_p File.dirname(local_provider_path), :mode => 0700
-          FileUtils.install actual_path, local_provider_path, :mode => 0600
-          Util.log :created, Path.relative_path(local_provider_path)
-          actual_path = local_provider_path
-        end
-        if File.directory?(actual_path) && actual_path !~ /\/$/
-          actual_path += '/' # ensure directories end with /, important for building rsync command
-        end
-        relative_path = Path.relative_path(actual_path)
-        relative_path.sub!(/^files\//, '') # remove "files/" prefix
-        @node.file_paths << relative_path
-        File.join(Leap::Platform.files_dir, relative_path)
+        local_path
+      end
+    end
+
+    #
+    # Returns the location of a file once it is deployed via rsync to the a
+    # remote server. An internal list of discovered file paths is saved, in
+    # order to rsync these files when needed.
+    #
+    # If there is a block given and the file does not actually exist, the
+    # block will be yielded to give an opportunity for some code to create the
+    # file.
+    #
+    # For example:
+    #
+    #   file_path(:dkim_priv_key) {generate_dkim_key}
+    #
+    # notes:
+    #
+    # * argument 'path' is relative to Path.provider/files or
+    #   Path.provider_base/files
+    # * the path returned by this method is absolute
+    # * the path stored for use later by rsync is relative to Path.provider
+    # * if the path does not exist locally, but exists in provider_base,
+    #   then the default file from provider_base is copied locally. this
+    #   is required for rsync to work correctly.
+    #
+    def remote_file_path(path, options={}, &block)
+      local_path = local_file_path(path, options, &block)
+
+      # if file is under Path.provider_base, we must copy the default file to
+      # to Path.provider in order for rsync to be able to sync the file.
+      if local_path =~ /^#{Regexp.escape(Path.provider_base)}/
+        local_provider_path = local_path.sub(/^#{Regexp.escape(Path.provider_base)}/, Path.provider)
+        FileUtils.mkdir_p File.dirname(local_provider_path), :mode => 0700
+        FileUtils.install local_path, local_provider_path, :mode => 0600
+        Util.log :created, Path.relative_path(local_provider_path)
+        local_path = local_provider_path
+      end
+
+      # ensure directories end with /, important for building rsync command
+      if File.directory?(local_path) && local_path !~ /\/$/
+        local_path += '/'
       end
+
+      relative_path = Path.relative_path(local_path)
+      relative_path.sub!(/^files\//, '') # remove "files/" prefix
+      @node.file_paths << relative_path
+      File.join(Leap::Platform.files_dir, relative_path)
+    end
+
+    # deprecated
+    def file_path(path, options={})
+      remote_file_path(path, options)
     end
 
   end
diff --git a/lib/leap_cli/macros/keys.rb b/lib/leap_cli/macros/keys.rb
index 0ed7ccd0..e7a75cfb 100644
--- a/lib/leap_cli/macros/keys.rb
+++ b/lib/leap_cli/macros/keys.rb
@@ -8,17 +8,28 @@ module LeapCli
   module Macro
 
     #
+    # return a fingerprint for a key or certificate
+    #
+    def fingerprint(filename, options={})
+      options[:mode] ||= :x509
+      if options[:mode] == :x509
+        "SHA256: " + X509.fingerprint("SHA256", Path.named_path(filename))
+      elsif options[:mode] == :rsa
+        key = OpenSSL::PKey::RSA.new(File.read(filename))
+        Digest::SHA1.new.hexdigest(key.to_der)
+      end
+    end
+
+    ##
+    ## TOR
+    ##
+
+    #
     # return the path to the tor public key
     # generating key if it is missing
     #
     def tor_public_key_path(path_name, key_type)
-      path = file_path(path_name)
-      if path.nil?
-        generate_tor_key(key_type)
-        file_path(path_name)
-      else
-        path
-      end
+      file_path(path_name) { generate_tor_key(key_type) }
     end
 
     #
@@ -26,13 +37,7 @@ module LeapCli
     # generating key if it is missing
     #
     def tor_private_key_path(path_name, key_type)
-      path = file_path(path_name)
-      if path.nil?
-        generate_tor_key(key_type)
-        file_path(path_name)
-      else
-        path
-      end
+      file_path(path_name) { generate_tor_key(key_type) }
     end
 
     #
@@ -62,6 +67,15 @@ module LeapCli
       end
     end
 
+    def generate_dkim_key(bit_size=2048)
+      LeapCli.log :generating, "%s bit RSA DKIM key" % bit_size do
+        private_key = OpenSSL::PKey::RSA.new(bit_size)
+        public_key = private_key.public_key
+        LeapCli::Util.write_file! :dkim_priv_key, private_key.to_pem
+        LeapCli::Util.write_file! :dkim_pub_key, public_key.to_pem
+      end
+    end
+
     private
 
     def generate_tor_key(key_type)