postfix: Implement authentication in wiki bounce handler

Signed-off-by: Florian Pritz <bluewind@xinu.at>

host_vars/orion.archlinux.org/wiki-bouncehandler

@@ -0,0 +1,17 @@
+$ANSIBLE_VAULT;1.1;AES256
+39396466326266613063333338356431653461636562643535363038613865343230303430363564
+3632646531646565336366396635353834633939316237610a343933366465663939303930376339
+37363636363531323866653962353335613366333137343737316639323661636363633364346138
+6462666365626134660a313632636537663137386437343662383335616665393561356165613333
+38353364356238386364303065343333636463333234326234643332343137373639366130656335
+64633533363034303664633435653937633566303537666164306130383738386235633232623965
+38663164633230613432356266313135383838343331326534353365656432376463313366356231
+61656338623134636265356561313630353935633037306430376430383034313631303538336637
+33623733376363366336373337366663356434303931313132356164643334363630333834313665
+32356336643436653763346333326432616438313530316530353937306237376563313032373333
+34353763396166636161633036343935356334353335623034383238316532663930613864623335
+61666165376662633934336232633634643961363064356566626235653530643261643039336436
+62616438376161643930613063323739393237383563646630373430373734386430353933353433
+35646463633034613166623233623164363638636533623037303465346239623962343337646665
+31363065306539383066386362613635346431333135326461636136336232643030336464613430
+35376537386236353236

roles/postfix/defaults/main.yml

@@ -7,3 +7,7 @@ postfix_patchwork_user: "patchwork"
 postfix_patchwork_mail_handler: "/usr/local/bin/patchwork-parsemail-wrapper.sh"
 
 mail_domain: "mail.archlinux.org"
+
+postfix_wiki_bounce_mail_handler: "/usr/local/bin/wiki-bouncehandler.pl"
+postfix_wiki_bounce_user: "wiki_bouncehandler"
+postfix_wiki_bounce_config: "/etc/wiki-bouncehandler.conf"

roles/postfix/files/bouncehandler.pl

@@ -0,0 +1,28 @@
+#!/usr/bin/env perl
+use strict;
+use warnings;
+
+use Config::Simple;
+use Data::Dumper;
+use MediaWiki::API;
+
+die "Missing required argument (config file path)" if @ARGV == 0;
+
+my $config = Config::Simple->new($ARGV[0]) or die Config::Simple->error();
+
+my $mw = MediaWiki::API->new({api_url => 'https://wiki.archlinux.org/api.php'});
+
+$mw->login( { lgname => $config->param('bot_credentials.username'), lgpassword => $config->param('bot_credentials.password') } )
+  || die $mw->{error}->{code} . ': ' . $mw->{error}->{details};
+
+
+my $stdin = do { local $/; <STDIN> };
+
+my $reply = $mw->api({
+		action => "bouncehandler",
+		email => $stdin,
+	}) || die $mw->{error}->{code} . ': ' . $mw->{error}->{details};;
+
+# output reply in case of error. doc doesn't say what the replies are so we just output everything for now
+warn Dumper($reply);
+

roles/postfix/tasks/main.yml

@@ -11,6 +11,7 @@
     - main.cf
     - master.cf
     - transport
+    - transport.pcre
     - aliases
     - relay_transport_map
     - users.pcre
@@ -60,6 +61,21 @@
   template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postfix owner=root group=root mode=0755
   when: postfix_smtpd_public
 
+- name: install bouncehandler config
+  template: src=wiki-bouncehandler.conf.j2 dest={{postfix_wiki_bounce_config}} owner={{postfix_wiki_bounce_user}} group=root mode=0600
+  when: postfix_server
+
+- name: install packages for bounce handler
+  pacman: name=perl-mediawiki-api,perl-config-simple state=present
+  when: postfix_server
+
+- name: install bouncehandler script
+  copy: src=bouncehandler.pl dest={{postfix_wiki_bounce_mail_handler}} owner=root group=root mode=0755
+  when: postfix_server
+
+- name: make bouncehandler user
+  user: name={{postfix_wiki_bounce_user}} shell=/bin/false skeleton=/var/empty state={{"present" if postfix_server else "absent"}}
+
 - name: start and enable postfix
   service: name=postfix enabled=yes state=started
 

roles/postfix/templates/aliases.j2

@@ -28,5 +28,3 @@ abuse:      postmaster
 decode:     root
 
 devnull: /dev/null
-
-wiki_bounce: "|curl -d action=bouncehandler --data-urlencode email@- https://wiki.archlinux.org/api.php"

roles/postfix/templates/main.cf.j2

@@ -182,6 +182,7 @@ local_recipient_maps =
   $alias_maps
   ${indexed}/mailman_compat
   ${indexed}/relay_transport_map
+  pcre:${config_directory}/transport.pcre
 relocated_maps = ${indexed}/relocated
 {% endif %}
 
@@ -193,12 +194,17 @@ relay_domains =
 transport_maps =
   ${indexed}/transport
   ${indexed}/relay_transport_map
+  pcre:${config_directory}/transport.pcre
   #${indexed}/temporary_mailman_maps
 
 {% if postfix_patchwork_enabled %}
 patchwork_destination_recipient_limit = 1
 {% endif %}
 
+{% if postfix_server %}
+wiki_bouncehandler_destination_recipient_limit = 1
+{% endif %}
+
 authorized_mailq_users = root
 
 header_checks = pcre:/etc/postfix/header_checks

roles/postfix/templates/master.cf.j2

@@ -124,3 +124,8 @@ scache    unix  -       -       n       -       1       scache
 patchwork   unix  -       n       n       -       -       pipe
   flags=DFRX user={{postfix_patchwork_user}} argv={{postfix_patchwork_mail_handler}}
 {% endif %}
+
+{% if postfix_server %}
+wiki_bouncehandler unix - n       n       -       -       pipe
+  flags=DFRX user={{postfix_wiki_bounce_user}} argv=/usr/bin/systemd-cat {{postfix_wiki_bounce_mail_handler}} {{postfix_wiki_bounce_config}}
+{% endif %}

roles/postfix/templates/users.pcre.j2

@@ -1 +0,0 @@
-/wiki-bounce-[\w.]+-\w+-\w+-\w...............@archlinux.org/  wiki_bounce

roles/postfix/templates/wiki-bouncehandler.conf.j2

@@ -0,0 +1,3 @@
+[bot_credentials]
+username = {{wiki_bouncehandler_username}}
+password = {{wiki_bouncehandler_password}}