From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 66B801FF141
	for <inbox@lore.proxmox.com>; Tue, 05 May 2026 10:36:31 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 20FC41D0A6;
	Tue,  5 May 2026 10:34:07 +0200 (CEST)
From: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
To: pve-devel@lists.proxmox.com,
	pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox v5 09/27] notify: smtp: add XOAUTH2 authentication
 support
Date: Tue,  5 May 2026 10:32:30 +0200
Message-ID: <20260505083248.36450-10-a.bied-charreton@proxmox.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260505083248.36450-1-a.bied-charreton@proxmox.com>
References: <20260505083248.36450-1-a.bied-charreton@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-SPAM-LEVEL: Spam detection results:  0
	AWL                    -0.114 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery
 methods
	RDNS_NONE               0.793 Delivered to internal network by a host with no
 rDNS
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_NONE                0.001 SPF: sender does not publish an SPF Record
Message-ID-Hash: VFJX5UBWEG52TKV73YZPNWLS5K337TNZ
X-Message-ID-Hash: VFJX5UBWEG52TKV73YZPNWLS5K337TNZ
X-MailFrom: abied-charreton@jett.proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pbs-devel-owner@lists.proxmox.com>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Subscribe: <mailto:pbs-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pbs-devel-leave@lists.proxmox.com>

Extend the transport building logic to authenticate via XOAUTH2 if
configured.

Previously, the authentication method was determined based on the
presence of a password in the config. In order to ensure backwards
compatibility with older configurations, continue to do so if
auth_method is not set, ensuring configurations that used PLAIN auth
before this series keep working as expected.

Signed-off-by: Arthur Bied-Charreton <a.bied-charreton@proxmox.com>
---
 proxmox-notify/src/endpoints/smtp.rs | 87 +++++++++++++++++++++++-----
 1 file changed, 74 insertions(+), 13 deletions(-)

diff --git a/proxmox-notify/src/endpoints/smtp.rs b/proxmox-notify/src/endpoints/smtp.rs
index dcc01bb5..353fe4cd 100644
--- a/proxmox-notify/src/endpoints/smtp.rs
+++ b/proxmox-notify/src/endpoints/smtp.rs
@@ -3,11 +3,12 @@ use std::time::{Duration, SystemTime, UNIX_EPOCH};
 
 use lettre::message::header::{HeaderName, HeaderValue};
 use lettre::message::{Mailbox, MultiPart, SinglePart};
+use lettre::transport::smtp::authentication::{Credentials, Mechanism};
 use lettre::transport::smtp::client::{Tls, TlsParameters};
 use lettre::{message::header::ContentType, Message, SmtpTransport, Transport};
 use oauth2::{ClientId, ClientSecret, RefreshToken};
 use serde::{Deserialize, Serialize};
-use tracing::info;
+use tracing::{debug, info};
 
 use proxmox_schema::api_types::COMMENT_SCHEMA;
 use proxmox_schema::{api, Updater};
@@ -199,7 +200,7 @@ pub struct SmtpPrivateConfig {
     pub oauth2_client_secret: Option<String>,
 }
 
-/// A sendmail notification endpoint.
+/// A SMTP notification endpoint.
 pub struct SmtpEndpoint {
     pub config: SmtpConfig,
     pub private_config: SmtpPrivateConfig,
@@ -243,22 +244,82 @@ impl SmtpEndpoint {
         }
     }
 
+    /// Infer the auth method based on the presence of a password field in the private config.
+    ///
+    /// This is required for backwards compatibility for configs created before the `auth_method`
+    /// field was added, i.e., the presence of a password implicitly meant plain authentication
+    /// was to be used.
+    fn auth_method(&self) -> Option<SmtpAuthMethod> {
+        self.config.auth_method.or_else(|| {
+            if self.private_config.password.is_some() {
+                Some(SmtpAuthMethod::Plain)
+            } else {
+                None
+            }
+        })
+    }
+
+    /// Build an [`SmtpTransport`] for [`Endpoint::send`].
+    ///
+    /// For OAuth2 auth methods this loads the refresh token from the per-endpoint state file
+    /// and performs a token exchange at every call. It never persists a rotated token, that
+    /// responsibility is on [`Self::trigger_state_refresh`], which is called under a notifications
+    /// config lock.
     fn build_transport(&self, tls: Tls, port: u16) -> Result<SmtpTransport, Error> {
-        let mut transport_builder = SmtpTransport::builder_dangerous(&self.config.server)
+        let transport_builder = SmtpTransport::builder_dangerous(&self.config.server)
             .tls(tls)
             .port(port)
             .timeout(Some(Duration::from_secs(SMTP_TIMEOUT.into())));
 
-        if let Some(username) = self.config.username.as_deref() {
-            if let Some(password) = self.private_config.password.as_deref() {
-                transport_builder = transport_builder.credentials((username, password).into());
-            } else {
-                return Err(Error::NotifyFailed(
-                    self.name().into(),
-                    Box::new(Error::Generic(
-                        "username is set but no password was provided".to_owned(),
-                    )),
-                ));
+        let transport_builder = match &self.auth_method() {
+            None => transport_builder,
+            Some(SmtpAuthMethod::Plain) => match (
+                self.config.username.as_deref(),
+                self.private_config.password.as_deref(),
+            ) {
+                (Some(username), Some(password)) => {
+                    transport_builder.credentials((username, password).into())
+                }
+                (Some(_), None) => {
+                    return Err(Error::NotifyFailed(
+                        self.name().into(),
+                        Box::new(Error::Generic(
+                            "username is set but no password was provided".to_owned(),
+                        )),
+                    ))
+                }
+                _ => transport_builder,
+            },
+            Some(method) => {
+                let state = context().load_oauth_state(self.name())?;
+
+                let refresh_token =
+                    state
+                        .oauth2_refresh_token
+                        .clone()
+                        .ok_or(Error::NotifyFailed(
+                            self.name().into(),
+                            Box::new(Error::Generic("no refresh token found".into())),
+                        ))?;
+
+                debug!(
+                    "requesting OAuth2 access token for endpoint '{}'",
+                    self.config.name
+                );
+
+                let token_exchange_result = self.get_access_token(&refresh_token, method)?;
+
+                debug!(
+                    "OAuth2 token exchange successful for endpoint '{}'",
+                    self.config.name
+                );
+
+                transport_builder
+                    .credentials(Credentials::new(
+                        self.config.from_address.to_owned(),
+                        token_exchange_result.access_token.into_secret(),
+                    ))
+                    .authentication(vec![Mechanism::Xoauth2])
             }
         };
 
-- 
2.47.3