diff options
| -rw-r--r-- | src/mailman_pgp/plugin.py | 2 | ||||
| -rw-r--r-- | src/mailman_pgp/rest/lists.py | 1 | ||||
| -rw-r--r-- | src/mailman_pgp/rules/signature.py | 75 | ||||
| -rw-r--r-- | src/mailman_pgp/runners/incoming.py | 1 | ||||
| -rw-r--r-- | src/mailman_pgp/runners/outgoing.py | 1 | ||||
| -rw-r--r-- | src/mailman_pgp/styles/base.py | 3 |
6 files changed, 62 insertions, 21 deletions
diff --git a/src/mailman_pgp/plugin.py b/src/mailman_pgp/plugin.py index 6c4a0d7..d3974d1 100644 --- a/src/mailman_pgp/plugin.py +++ b/src/mailman_pgp/plugin.py @@ -24,7 +24,7 @@ from zope.event import classhandler from zope.interface import implementer from mailman_pgp.config import config -from mailman_pgp.database import Database, query, transaction +from mailman_pgp.database import Database, transaction from mailman_pgp.model.list import PGPMailingList from mailman_pgp.pgp import PGP from mailman_pgp.rest.root import RESTRoot diff --git a/src/mailman_pgp/rest/lists.py b/src/mailman_pgp/rest/lists.py index 5279702..fc7bbef 100644 --- a/src/mailman_pgp/rest/lists.py +++ b/src/mailman_pgp/rest/lists.py @@ -22,7 +22,6 @@ from mailman.rest.helpers import ( from public import public from mailman_pgp.config import config -from mailman_pgp.database import query from mailman_pgp.model.list import PGPMailingList diff --git a/src/mailman_pgp/rules/signature.py b/src/mailman_pgp/rules/signature.py index 5a89ab1..0ffd76b 100644 --- a/src/mailman_pgp/rules/signature.py +++ b/src/mailman_pgp/rules/signature.py @@ -30,45 +30,90 @@ from mailman_pgp.model.list import PGPMailingList from mailman_pgp.pgp.wrapper import PGPWrapper +def _record_action(msgdata, action, sender, reason): + msgdata['moderation_action'] = action + msgdata['moderation_sender'] = sender + msgdata.setdefault('moderation_reasons', []).append(reason) + + @public @implementer(IRule) class Signature: - """""" + """The signature checking rule.""" name = 'signature' - description = _( - """ - """) - + """A rule which enforces PGP enabled list signature configuration.""") record = True - def _record_action(self, msgdata, action, sender, reason): - msgdata['moderation_action'] = action - msgdata['moderation_sender'] = sender - msgdata.setdefault('moderation_reasons', []).append(reason) - def check(self, mlist, msg, msgdata): """See `IRule`.""" + # Find the `PGPMailingList` this is for. enc_list = query(PGPMailingList).filter_by( list_id=mlist.list_id).first() if enc_list is None: raise ValueError('PGP enabled mailing list not found.') + # Wrap the message to work with it. wrapped = PGPWrapper(msg) + # Take unsigned_msg_action if unsigned. if not wrapped.is_signed(): action = enc_list.unsigned_msg_action if action is not None: - self._record_action(msgdata, action, msg.sender, - 'The message is unsigned.') + _record_action(msgdata, action, msg.sender, + 'The message is unsigned.') return True + # Take `inline_pgp_action` if inline signed. if wrapped.is_inline_signed(): action = enc_list.inline_pgp_action if action is not None: - self._record_action(msgdata, action, msg.sender, - 'Inline PGP is not allowed.') + _record_action(msgdata, action, msg.sender, + 'Inline PGP is not allowed.') + return True + + # Lookup the address by sender, and its corresponding `PGPAddress`. + user_manager = getUtility(IUserManager) + sender = msg.sender + address = user_manager.get_address(sender) + enc_address = PGPAddress.query().filter_by( + email=address.email).first() + if enc_address is None: + raise ValueError('PGP enabled address not found.') + + # See if we have a key. + key = enc_address.key + if key is None: + # TODO: how to handle this? + raise ValueError('No key?') + + # Verify, this gives us stuff we need to check. + verification = wrapped.verify(key) + + # Take the `invalid_sig_action` if the verification failed. + if not verification: + action = enc_list.invalid_sig_action + if action is not None: + _record_action(msgdata, action, msg.sender, + 'Signature did not verify.') + return True + + # TODO: handle more signatures here? + sig_obj = next(verification.good_signatures) + sig_key = sig_obj.by + sig_sig = sig_obj.signature + + # Take the `expired_sig_action` if either he signature or the key + # is expired. + if sig_sig.is_expired or sig_key.is_expired: + action = enc_list.expired_sig_action + if action is not None: + _record_action(msgdata, action, msg.sender, + 'Signature or key expired.') return True - # TODO finish this
\ No newline at end of file + # XXX: we need to track key revocation separately to use it here + # TODO: check key revocation here + + return False diff --git a/src/mailman_pgp/runners/incoming.py b/src/mailman_pgp/runners/incoming.py index e059c28..6337633 100644 --- a/src/mailman_pgp/runners/incoming.py +++ b/src/mailman_pgp/runners/incoming.py @@ -24,7 +24,6 @@ from mailman.model.mailinglist import MailingList from public import public from mailman_pgp.config import config -from mailman_pgp.database import query from mailman_pgp.model.list import PGPMailingList from mailman_pgp.pgp.wrapper import PGPWrapper diff --git a/src/mailman_pgp/runners/outgoing.py b/src/mailman_pgp/runners/outgoing.py index 92a765d..646822b 100644 --- a/src/mailman_pgp/runners/outgoing.py +++ b/src/mailman_pgp/runners/outgoing.py @@ -24,7 +24,6 @@ from mailman.model.mailinglist import MailingList from public import public from mailman_pgp.config import config -from mailman_pgp.database import query from mailman_pgp.model.list import PGPMailingList diff --git a/src/mailman_pgp/styles/base.py b/src/mailman_pgp/styles/base.py index ac3b61a..10d9c18 100644 --- a/src/mailman_pgp/styles/base.py +++ b/src/mailman_pgp/styles/base.py @@ -19,8 +19,7 @@ from public import public -from mailman_pgp.config import config -from mailman_pgp.database import query, transaction +from mailman_pgp.database import transaction from mailman_pgp.model.list import PGPMailingList |