123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177 |
- # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
- class PGPKey < ApplicationModel
- default_scope { order(created_at: :desc, id: :desc) }
- before_validation :ensure_ascii_key, :prepare_key_info, on: :create
- before_create :prepare_email_addresses, :prepare_domain_alias
- validates :fingerprint, uniqueness: { message: __('There is already a PGP key with the same fingerprint.') }
- KEY_UID_DELIMITER = ', '.freeze
- KEY_BEGIN_REGEXP = %r{-----BEGIN PGP (PRIVATE|PUBLIC) KEY BLOCK-----}
- KEY_END_REGEXP = %r{-----END PGP (PRIVATE|PUBLIC) KEY BLOCK-----}
- def self.find_by_uid(uid, only_valid: true, secret: false)
- find_all_by_uid(uid, only_valid:, secret:).first.tap do |result|
- raise ActiveRecord::RecordNotFound, "The PGP key for #{uid} was not found." if result.nil?
- end
- end
- def self.find_all_by_uid(uid, only_valid: true, secret: false)
- uid = uid.downcase
- email_addresses_query = SqlHelper.new(object: PGPKey).array_contains_one(:email_addresses, uid)
- query = if domain_alias_configuration_active?
- ["#{email_addresses_query} OR (? LIKE domain_alias)", SqlHelper.quote_like(uid)]
- else
- email_addresses_query
- end
- keys_selector = PGPKey.where(query)
- keys_selector = keys_selector.where(secret: true) if secret
- only_valid ? keys_selector.reject(&:expired?) : keys_selector.all
- end
- def self.for_recipient_email_addresses!(addresses)
- keys = []
- not_found = []
- addresses.each do |address|
- found_keys = find_by_uid(address)
- if found_keys.nil?
- not_found.push(address)
- next
- end
- keys.push(*found_keys)
- end
- return keys if not_found.blank?
- raise ActiveRecord::RecordNotFound, "The PGP keys for #{not_found.join(KEY_UID_DELIMITER)} could not be found."
- end
- def self.ascii_key?(given_key)
- given_key.match?(KEY_BEGIN_REGEXP) && given_key.match?(KEY_END_REGEXP)
- rescue ArgumentError => e
- return false if e.message == 'invalid byte sequence in UTF-8'
- raise e
- end
- def self.params_cleanup!(params)
- if params[:key].present?
- params[:key].strip!
- return params
- end
- return params if !params[:file].is_a? ActionDispatch::Http::UploadedFile
- params[:key] = params[:file].tempfile
- params
- end
- def self.convert_binary_key_to_ascii(binary, passphrase)
- SecureMailing::PGP::Tool.new.with_private_keyring do |pgp_tool|
- pgp_tool.import(binary)
- info = pgp_tool.info(binary)
- pgp_tool.export(info.fingerprint, passphrase, secret: info.secret).stdout
- end
- end
- def self.domain_alias_configuration_active?
- Setting.get('pgp_recipient_alias_configuration')
- end
- def key_id
- fingerprint[-16..]
- end
- def expired?
- return false if expires_at.nil?
- expires_at < Time.zone.now
- end
- def expired!
- raise "The PGP keys for #{email_addresses.join(KEY_UID_DELIMITER)} with fingerprint #{fingerprint} have expired at #{expires_at}" if expired?
- end
- def ensure_ascii_key
- raw_key_contents = read_attribute_before_type_cast('key').try(:read)
- return if raw_key_contents.nil?
- self.key = if self.class.ascii_key?(raw_key_contents)
- raw_key_contents
- else
- self.class.convert_binary_key_to_ascii(raw_key_contents, passphrase)
- end
- rescue => e
- errors.add(:key, e.message)
- end
- def prepare_key_info
- SecureMailing::PGP::Tool.new.with_private_keyring do |pgp_tool|
- apply_key_attrs(pgp_tool.info(key))
- # Validate the passphrase of a private key.
- if secret
- pgp_tool.import(key)
- pgp_tool.passphrase(fingerprint, passphrase)
- end
- end
- rescue => e
- errors.add(:key, e.message)
- end
- def prepare_email_addresses
- self.email_addresses = email_addresses_from_name(name)
- end
- private
- def prepare_domain_alias
- if domain_alias.blank?
- self.domain_alias = nil
- return
- end
- self.domain_alias = "%@#{domain_alias}"
- end
- def apply_key_attrs(info)
- self.fingerprint = info.fingerprint
- self.name = info.uids.join(KEY_UID_DELIMITER)
- self.created_at = info.created_at
- self.expires_at = info.expires_at
- self.secret = info.secret
- end
- def email_addresses_from_name(name)
- entries = name.split(KEY_UID_DELIMITER)
- entries.each_with_object([]) do |entry, result|
- email_address = entry.split.last.gsub(%r{[<>]}, '').downcase
- if !EmailAddressValidation.new(email_address).valid?
- Rails.logger.warn <<~TEXT.squish
- The PGP key #{fingerprint}
- has the malformed email address "#{email_address}"
- as part of its UID "#{entry}".
- This makes it useless in terms of PGP, please check.
- TEXT
- next
- end
- result.push(email_address)
- end
- end
- end
|