1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
|
# frozen_string_literal: true
require 'yaml'
require 'json'
require 'pathname'
require 'active_support'
require "active_support/core_ext/module/delegation"
require_relative 'encrypted_configuration' unless defined?(Gitlab::EncryptedConfiguration)
require_relative 'redis/queues' unless defined?(Gitlab::Redis::Queues)
# This service is run independently of the main Rails process,
# therefore the `Rails` class and its methods are unavailable.
# TODO: Remove this once we're on Ruby 3
# https://gitlab.com/gitlab-org/gitlab/-/issues/393651
unless YAML.respond_to?(:safe_load_file)
module YAML
# Temporary Ruby 2 back-compat workaround.
#
# This method only exists as of stdlib 3.0.0:
# https://ruby-doc.org/stdlib-3.0.0/libdoc/psych/rdoc/Psych.html
def self.safe_load_file(path, **options)
YAML.safe_load(File.read(path), **options)
end
end
end
module Gitlab
module MailRoom
RAILS_ROOT_DIR = Pathname.new('../..').expand_path(__dir__).freeze
DELIVERY_METHOD_SIDEKIQ = 'sidekiq'
DELIVERY_METHOD_WEBHOOK = 'webhook'
INTERNAL_API_REQUEST_HEADER = 'Gitlab-Mailroom-Api-Request'
INTERNAL_API_REQUEST_JWT_ISSUER = 'gitlab-mailroom'
DEFAULT_CONFIG = {
enabled: false,
port: 143,
ssl: false,
start_tls: false,
mailbox: 'inbox',
idle_timeout: 60,
log_path: RAILS_ROOT_DIR.join('log', 'mail_room_json.log'),
expunge_deleted: false,
delivery_method: DELIVERY_METHOD_SIDEKIQ
}.freeze
# Email specific configuration which is merged with configuration
# fetched from YML config file.
MAILBOX_SPECIFIC_CONFIGS = {
incoming_email: {
queue: 'default',
worker: 'EmailReceiverWorker'
},
service_desk_email: {
queue: 'default',
worker: 'ServiceDeskEmailReceiverWorker'
}
}.freeze
# Default path strings (this is a data duplication
# with Settings which is not pulled in - see the service
# comment at the top of this file)
DEFAULT_PATHS = {
shared_path: 'shared',
encrypted_settings_path: 'encrypted_settings',
incoming_email: {
encrypted_secret_filename: 'incoming_email.yaml.enc'
},
service_desk_email: {
encrypted_secret_filename: 'service_desk_email.yaml.enc'
}
}.freeze
class << self
def enabled_configs
@enabled_configs ||= configs.select { |_key, config| enabled?(config) }
end
def enabled_mailbox_types
enabled_configs.keys.map(&:to_s)
end
def worker_for(mailbox_type)
MAILBOX_SPECIFIC_CONFIGS.try(:[], mailbox_type.to_sym).try(:[], :worker).try(:safe_constantize)
end
private
def enabled?(config)
config[:enabled] && !config[:address].to_s.empty?
end
def configs
MAILBOX_SPECIFIC_CONFIGS.to_h { |key, _value| [key, fetch_config(key)] }
end
def fetch_config(config_key)
return {} unless File.exist?(config_file)
config = merged_configs(config_key)
config.merge!(redis_config) if enabled?(config)
config[:log_path] = File.expand_path(config[:log_path], RAILS_ROOT_DIR)
# override password/user from any encrypted secrets
if secrets = decrypted_secrets(config_key)
config[:password] = secrets[:password] if secrets[:password]
config[:user] = secrets[:user] if secrets[:user]
end
config
end
def merged_configs(config_key)
yml_config = load_yaml.fetch(config_key, {})
specific_config = MAILBOX_SPECIFIC_CONFIGS.fetch(config_key, {})
DEFAULT_CONFIG.merge(specific_config, yml_config) do |_key, oldval, newval|
newval.nil? ? oldval : newval
end
end
def redis_config
gitlab_redis_queues = Gitlab::Redis::Queues.new(rails_env)
config = { redis_url: gitlab_redis_queues.url, redis_db: gitlab_redis_queues.db }
if gitlab_redis_queues.sentinels?
config[:sentinels] = gitlab_redis_queues.sentinels
end
config
end
def rails_env
@rails_env ||= ENV['RAILS_ENV'] || ENV['RACK_ENV'] || 'development'
end
def config_file
ENV['MAIL_ROOM_GITLAB_CONFIG_FILE'] || File.expand_path('../../config/gitlab.yml', __dir__)
end
def load_yaml
@yaml ||= YAML.safe_load_file(config_file, aliases: true)[rails_env].deep_symbolize_keys
end
def application_secrets_file
ENV['MAIL_ROOM_GITLAB_SECRETS_FILE'] || File.expand_path('../../config/secrets.yml', __dir__)
end
def application_secrets
@application_secrets ||= {}.tap do |application_secrets|
# Uses Rails::Secret.parse
# from: https://github.com/rails/rails/blob/v6.1.6.1/railties/lib/rails/secrets.rb#L24
erb_processed_yaml = ERB.new(File.read(application_secrets_file)).result
yaml_secrets =
YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(erb_processed_yaml) : YAML.safe_load(erb_processed_yaml)
application_secrets.merge!(yaml_secrets["shared"].deep_symbolize_keys) if yaml_secrets["shared"]
application_secrets.merge!(yaml_secrets[rails_env].deep_symbolize_keys) if yaml_secrets[rails_env]
end
end
def default_encrypted_secret_filename(config_key)
DEFAULT_PATHS[config_key][:encrypted_secret_filename]
end
def encrypted_secret_file(config_key)
config = merged_configs(config_key)
return config[:encrypted_secret_file] if config[:encrypted_secret_file]
config_yaml = load_yaml
# Path handling for shared.path / encrypted_settings.path is a duplicate
# of the logic in config/initializers/1_settings.rb
shared_path = File.expand_path(config_yaml.dig(:shared, :path) ||
DEFAULT_PATHS[:shared_path], RAILS_ROOT_DIR)
encrypted_settings_path =
File.expand_path(config_yaml.dig(:encrypted_settings, :path) ||
File.join(shared_path, DEFAULT_PATHS[:encrypted_settings_path]),
RAILS_ROOT_DIR)
File.join(encrypted_settings_path, default_encrypted_secret_filename(config_key))
end
def encrypted_configuration_settings(config_key)
{
content_path: encrypted_secret_file(config_key),
base_key: application_secrets[:encrypted_settings_key_base],
previous_keys: application_secrets[:rotated_encrypted_settings_key_base] || []
}
end
def decrypted_secrets(config_key)
settings = encrypted_configuration_settings(config_key)
return if settings[:base_key].nil?
encrypted = Gitlab::EncryptedConfiguration.new(**settings)
encrypted.active? ? encrypted.config : nil
end
end
end
end
|
