From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api 3/4] api: spamassassin: update local channels
Date: Wed, 30 Dec 2020 17:11:31 +0100
Message-ID: <20201230171131.11510bc1@rosa.proxmox.com>
In-Reply-To: <1609333346.zxlabc8udx.astroid@nora.none>

On Wed, 30 Dec 2020 14:07:22 +0100
Fabian Grünbichler <f.gruenbichler@proxmox.com> wrote:

> On December 16, 2020 6:18 pm, Stoiko Ivanov wrote:
> > This patch adds a helper to loop over all present SpamAssassin
> > channel files in /etc/mail/spamassassin/channel.d and:
> > * import the included gpg key into sa-update's keyring
> > * run sa-update for each channel separately
> > 
> > the verbose argument of the helper is for reusing the code in
> > pmg-daily (where we only want to log errors and be less informative)
> > 
> > In order to only hardcode the path of sa-update once the definition
> > was moved to PMG::Utils.
> > 
> > The choice of invoking sa-update for each channel separately,
> > instead of providing multiple '--channel' and '--gpgkey' options to
> > a single command, was made to prevent downloading signatures which
> > were signed by a key not configured for the channel.
> > 
> > Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> > ---
> >  src/PMG/API2/SpamAssassin.pm |  6 +++---
> >  src/PMG/Utils.pm             | 29 +++++++++++++++++++++++++++++
> >  2 files changed, 32 insertions(+), 3 deletions(-)
> > 
> > diff --git a/src/PMG/API2/SpamAssassin.pm b/src/PMG/API2/SpamAssassin.pm
> > index 5f9c3a5..df46c64 100644
> > --- a/src/PMG/API2/SpamAssassin.pm
> > +++ b/src/PMG/API2/SpamAssassin.pm
> > @@ -11,15 +11,13 @@ use PVE::RESTHandler;
> >  use PMG::RESTEnvironment;
> >  use PVE::JSONSchema qw(get_standard_option);
> >  
> > -use PMG::Utils;
> > +use PMG::Utils qw($SAUPDATE);
> >  use PMG::Config;
> >  
> >  use Mail::SpamAssassin;
> >  
> >  use base qw(PVE::RESTHandler);
> >  
> > -my $SAUPDATE = '/usr/bin/sa-update';
> > -
> >  __PACKAGE__->register_method ({
> >      name => 'index',
> >      path => '',
> > @@ -174,6 +172,8 @@ __PACKAGE__->register_method({
> >  	    my $cmd = "$SAUPDATE -v";
> >  
> >  	    PVE::Tools::run_command($cmd, noerr => 1);
> > +
> > +	    PMG::Utils::update_local_spamassassin_channels(1);
> >  	};
> >  
> >  	return $rpcenv->fork_worker('saupdate', undef, $authuser, $realcmd);
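Review bot: The new call to PMG::Utils::update_local_spamassassin_channels(1) discards the helper's return value, and the helper dies when sa-update exits with 2 or more, while the run_command just above it uses noerr => 1. The worker therefore tolerates a failed default-channel update but aborts on a failed local-channel update. Pick one behaviour: either wrap the call in eval and log the error, or drop noerr from the existing call so both failures end the task the same way. If the fresh-updates return value matters to this caller, use it here; otherwise say in the helper that it is only for other callers.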
> > diff --git a/src/PMG/Utils.pm b/src/PMG/Utils.pm
> > index 3f5b045..de74d4e 100644
> > --- a/src/PMG/Utils.pm
> > +++ b/src/PMG/Utils.pm
> > @@ -44,6 +44,7 @@ use base 'Exporter';
> >  
> >  our @EXPORT_OK = qw(
> >  postgres_admin_cmd
> > +$SAUPDATE
> >  );
> >  
> >  my $valid_pmg_realms = ['pam', 'pmg', 'quarantine'];
> > @@ -1442,6 +1443,8 @@ sub domain_regex {
> >      return $regex;
> >  }
> >  
> > +our $SAUPDATE = '/usr/bin/sa-update';
> > +
> >  sub local_spamassassin_channels {
> >  
> >      my $res = [];
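Review bot: `our $SAUPDATE` is defined here in the middle of the file, between domain_regex and local_spamassassin_channels, far from the @EXPORT_OK entry that exports it, and as an exported package variable it can be reassigned by any importer even though it holds the path of a program that gets executed. Move the definition up next to the other module-level declarations and consider exposing it read-only, for example as a constant or a small accessor sub.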
> > @@ -1470,4 +1473,30 @@ sub local_spamassassin_channels {
> >      return $res;
> >  }
> >  
> > +sub update_local_spamassassin_channels {
> > +    my ($verbose) = @_;
> > +    # import all configured channel's gpg-keys to sa-update's keyring
> > +    my $importcmd = "$SAUPDATE";
> > +    $importcmd .= '-v' if $verbose;
> > +    my $localchannels = PMG::Utils::local_spamassassin_channels();
> > +    for my $channel (@$localchannels) {
> > +	$importcmd .= " --import $channel->{filename}";
> > +    }
> > +    print "Importing gpg files from locally available channel definitions\n" if $verbose;
> > +    PVE::Tools::run_command($importcmd, noerr => 1);  
> 
> why is $importcmd not an array/list? how does the import behave if one 
> of X channel files is bad/corrupt/malformed/...? wouldn't it make sense 
> to import + update each channel on their own?

Great catch - Thanks!
While the man-page of sa-update(1p) explicitly states that it is supported
to import multiple keys at once with multiple '--import' options - the
Getopt::Long usage in sa-update does not - it simply imports the last
one provided on the command line.
If the file is malformed - sa-update exits with 2 (and gpg's error output)

-> will change it to run sa-update --import for each channel separately
(and provide the arguments as list).

> 
> is the noerr needed?
in this case it's wrong (I copied from the sa-update invocation below,
where it's needed) - sa-update exits quite directly after calling `gpg
--import` - with gpg's exit status.

> 
> > +    my $fresh_updates = 0;
> > +
> > +    for my $channel (@$localchannels) {
> > +	my $cmd = "$SAUPDATE -v --channel $channel->{channelurl} --gpgkey $channel->{keyid}";
> > +	print "Updating $channel->{channelurl}\n" if $verbose;
> > +	my $ret = PVE::Tools::run_command($cmd, noerr => 1);  
> 
> $cmd should also be a list..
> 
> > +	die "updating $channel->{channelurl} failed - sa-update exited with $ret\n" if $ret >= 2;
> > +
> > +	$fresh_updates = 1 if $ret == 0;
> > +    }
> > +
> > +    return $fresh_updates
> > +}
> > +
> >  1;
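Review bot: `$importcmd .= '-v' if $verbose;` appends without a leading space, so with $verbose set the command string starts with '/usr/bin/sa-update-v', which is not the intended program, and because the import runs with noerr => 1 and its result is never checked, that failure goes unnoticed. Use ' -v', or better build both the import and the update command as array references so that filename, channelurl and keyid read from the channel files are passed as single arguments instead of being interpolated into a command string. The `die` inside the update loop also stops at the first failing channel and skips the remaining ones; collect the errors and continue if that is not intended. `return $fresh_updates` is missing its trailing semicolon.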
> > -- 
> > 2.20.1
> >   
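
Added example (not part of the original message, and not code from sa-update or pmg-api): with Getopt::Long, a repeated option bound to a scalar keeps only the last value, which is one way the behaviour described in the reply above can arise, while an array destination keeps every value; the last helper builds one argument list per channel, as the reply proposes. The option spec, the helper names and the channel file names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Long qw(GetOptionsFromArray);

# Repeated --import options with a scalar destination: each occurrence
# overwrites the previous one, so only the last file name survives.
sub parse_import_scalar {
    my @argv = @_;
    my $import;
    GetOptionsFromArray(\@argv, 'import=s' => \$import)
        or die "bad options\n";
    return defined($import) ? ($import) : ();
}

# The same options with an array destination: every occurrence is kept.
sub parse_import_list {
    my @argv = @_;
    my @import;
    GetOptionsFromArray(\@argv, 'import=s' => \@import)
        or die "bad options\n";
    return @import;
}

# One argument list per channel. List-form system()/exec() bypasses the
# shell, so a file name is always passed as exactly one argument.
sub per_channel_import_cmds {
    my ($saupdate, $channels) = @_;
    return map { [$saupdate, '--import', $_->{filename}] } @$channels;
}

# Constructed sample data (hypothetical channel files, one with a space).
my $channels = [
    { filename => '/etc/mail/spamassassin/channel.d/a.example.conf' },
    { filename => '/etc/mail/spamassassin/channel.d/b example.conf' },
];
my @argv = map { ('--import', $_->{filename}) } @$channels;

print "scalar destination kept: ", join(', ', parse_import_scalar(@argv)), "\n";
print "array destination kept:  ", join(', ', parse_import_list(@argv)), "\n";
for my $cmd (per_channel_import_cmds('/usr/bin/sa-update', $channels)) {
    print "would run: ", join(' | ', @$cmd), "\n";
}
```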




