From 4dfa24723aff93bc6954ecd0d317c962144d08da Mon Sep 17 00:00:00 2001
From: Dennis Camera <dennis.camera@ssrq-sds-fds.ch>
Date: Mon, 1 Jun 2020 17:07:35 +0200
Subject: [PATCH] [type/__dma] Implement config file updates

---
 type/__dma/explorer/conf               |  30 ++++
 type/__dma/gencode-remote              | 197 ++++++++++++++++++++++++-
 type/__dma/man.rst                     |  24 +++
 type/__dma/manifest                    | 165 ++++++---------------
 type/__dma/parameter/default/security  |   1 +
 type/__dma/parameter/optional          |   2 +
 type/__dma/parameter/optional_multiple |   1 +
 7 files changed, 302 insertions(+), 118 deletions(-)
 create mode 100755 type/__dma/explorer/conf
 create mode 100644 type/__dma/parameter/default/security
 create mode 100644 type/__dma/parameter/optional_multiple

diff --git a/type/__dma/explorer/conf b/type/__dma/explorer/conf
new file mode 100755
index 0000000..129e3c3
--- /dev/null
+++ b/type/__dma/explorer/conf
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+#
+# 2020 Dennis Camera (dennis.camera at ssrq-sds-fds.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+# This explorer looks for lines matching the server parameter in dma's auth.conf
+# and reports the login and server fields (password is cksummed)
+
+CONF_PATH=/etc/dma  # set in Makefile
+dma_conf="${CONF_PATH:?}/dma.conf"
+
+test -f "${dma_conf}" || exit 0
+
+grep -v -e '^[ \t]*#\|^$' "${dma_conf}" \
+| sed -e 's/[ \t]*#.*$//' \
+| sort -s -k 1,1
diff --git a/type/__dma/gencode-remote b/type/__dma/gencode-remote
index 2e3a80d..1091aeb 100755
--- a/type/__dma/gencode-remote
+++ b/type/__dma/gencode-remote
@@ -1,5 +1,200 @@
 #!/bin/sh -e
 
+CONF_PATH=/etc/dma  # set in Makefile
+
+# Generate config
+conf_should=$(
+	if test -s "${__object}/parameter/smart-host"
+	then
+		printf 'SMARTHOST %s\n' "$(cat "${__object}/parameter/smart-host")"
+		#printf 'AUTHPATH %s\n' "$(cat "${__type}/
+	fi
+
+	case $(cat "${__object}/parameter/security")
+	in
+		(ssl|tls)
+			default_smtp_port=465
+			echo 'SECURETRANSFER'
+			;;
+		(starttls)
+			default_smtp_port=587
+			echo 'SECURETRANSFER'
+			echo 'STARTTLS'
+			;;
+		(opportunistic)
+			default_smtp_port=25  # XXX: correct?
+			echo 'SECURETRANSFER'
+			echo 'STARTTLS'
+			echo 'OPPORTUNISTIC_TLS'
+			;;
+		(insecure)
+			default_smtp_port=25
+			echo 'INSECURE'
+			;;
+	esac
+
+	if test -s "${__object}/parameter/port"
+	then
+		printf 'PORT %u\n' "$(cat "${__object}/parameter/port")"
+	elif test "${default_smtp_port}" -ne 25
+	then
+		printf 'PORT %u\n' "${default_smtp_port}"
+	fi
+
+	if test -f "${__object}/parameter/masquerade"
+	then
+		while read -r line
+		do
+			printf 'MASQUERADE %s\n' "${line}"
+		done <"${__object}/parameter/masquerade"
+	fi
+
+
+)
+conf_should=$(echo "$conf_should" | sort -s -k 1,1)
+
+config_updated=false
+if ! echo "$conf_should" | cmp -s "${__object}/explorer/conf" -
+then
+	# config needs to be updated
+	echo "dma_conf='${CONF_PATH:?}/dma.conf'"
+	cat <<'EOF'
+awk -F '\n' '
+function comment_line(line) { return match(line, /^[ \t]*#+[ \t]*/) }
+function empty_line(line) { return match(line, /^[ \t]*$/) }
+function is_word(s) { return s ~ /^[A-Z_]+$/ }
+
+function first(line, sep) {
+	if (!sep) sep = SUBSEP
+	return index(line, sep) ? substr(line, 0, index(line, sep)) : line
+}
+
+function rest(line, sep) {
+	if (!sep) sep = SUBSEP
+	if (index(line, sep))
+		return substr(line, index(line, sep) + 1)
+}
+
+function conf_pop(word, value) {
+	if (!(word in conf)) return 0
+	if (!value) {
+		if (index(conf[word], SUBSEP))  # more than one element?
+			value = substr(conf[word], 0, index(conf[word], SUBSEP))
+		else
+			value = conf[word]
+	}
+
+	if (index(conf[word], SUBSEP)) {
+		if (index(conf[word], value SUBSEP) != 1) return 0
+		conf[word] = substr(conf[word], length(value) + 2)
+	} else {
+		if (conf[word] != value) return 0
+		delete conf[word]
+	}
+	return value
+}
+
+function print_conf(word, value) {
+	printf "%s", word
+	if (value) printf " %s", value
+	printf "\n"
+}
+
+function print_confs(word,    value) {
+	if (!(word in conf)) return
+	if (conf[word]) {
+		while (value = conf_pop(word))
+			print_conf(word, value)
+	} else {
+		print_conf(word)
+		delete conf[word]
+	}
+}
+
+BEGIN {
+	while (getline < "/dev/stdin") {
+		word = first($0, " ")
+		if ((word in conf))
+			conf[word] = conf[word] SUBSEP rest($0, " ")
+		else
+			conf[word] = rest($0, " ")
+	}
+}
+
+# first pass, gather information
+NR == FNR {
+	if (comment_line($0)) {
+		# comment line
+		word = first(substr($0, RLENGTH + 1), " ")
+		if (is_word(word)) last_occ["#" word] = FNR
+	} else {
+		word = first($0, " ")
+		if (is_word(word)) last_occ[word] = FNR
+	}
+}
+
+NR > FNR && FNR == 1 {
+	# before second pass prepare hashes
+
+	for (k in last_occ)
+		if (k ~ /^\#/ && (substr(k, 2) in last_occ))
+			delete last_occ[k]
+
+	for (k in last_occ) {
+		line_map[last_occ[k]] = k
+	}
+}
+
+# second pass, output new config
+NR > FNR {
+	if (comment_line($0) || empty_line($0)) {
+		# comment or empty line
+		print
+
+		if ((FNR in line_map)) {
+			if (line_map[FNR] ~ /^\#/) {
+				# the "matching" comment line is here
+				k = substr(line_map[FNR], 2)
+				if ((k in conf)) print_confs(k)
+			}
+
+			if (("INSECURE" in conf) && line_map[FNR] ~ /^\#?SECURE$/) {
+				# INSECURE goes where SECURE comment is
+				print_confs("INSECURE")
+			}
+		}
+	} else {
+		sub(/[ \t]*\#.*$/, "", $0)  # ignore comments
+		word = first($0, " ")
+
+		if ((word in conf) && rest($0, " ") == first(conf[word])) {
+			# keep config options we want
+			conf_pop(word)
+			print
+		}
+
+		if ((FNR in line_map) && line_map[FNR] == word) {
+			# rest of config options should be here
+			print_confs(word)
+		}
+	}
+}
+
+END {
+	# print rest of config options
+	for (word in conf) print_confs(word)
+}
+' "${dma_conf}" "${dma_conf}" <<'EOF' >"${dma_conf}.tmp" \
+ && mv "${dma_conf}.tmp" "${dma_conf}"
+EOF
+	echo "${conf_should}"
+	echo 'EOF'
+
+	config_updated=true
+	echo 'config updated' >>"${__messages_out}"
+fi
+
+
 if test -f "${__object}/parameter/send-test-email"
 then
 	modified=false
@@ -10,7 +205,7 @@ then
 	elif grep -q '^__dma_auth/' "${__messages_in}"
 	then
 		modified=true
-	elif grep -q '^__dma/' "${__messages_in}"
+	elif $config_updated
 	then
 		modified=true
 	fi
diff --git a/type/__dma/man.rst b/type/__dma/man.rst
index af9298e..cb3c35f 100644
--- a/type/__dma/man.rst
+++ b/type/__dma/man.rst
@@ -39,7 +39,31 @@ mailname
     If not defined, it defaults to `/etc/mailname` on Debian-derived Operating
     Systems and to `__target_host` otherwise.
     See `dma(8)` for more information.
+masquerade
+    Masquerade the envelope-from addresses with this address/hostname.
+    Use this setting if mails are not accepted by destination mail servers
+    because your sender domain is invalid.
+    This option can be used multiple times.
+    For more information see the `dma(8)` man page.
+port
+    The port on which to deliver email.
+    If not provided, a sensible default port will be used based on the
+    `--security` argument.
+security
+    Configures whether and how DMA should use secure connections.
 
+    ssl/tls
+        Enable TLS/SSL secured transfer.
+    starttls
+        Use STARTTLS to establish a secure connection.
+    opportunistic (default)
+        Will try to establish a secure connection using STARTTLS, but allow
+        unencrypted transfer if STARTTLS fails.
+        Most useful when dma is used without a smarthost, delivering remote
+        messages directly to the outside mail exchangers.
+    insecure
+        allow plain text SMTP login over an insecure connection.
+        Should really not be used anymore!
 
 EXAMPLES
 --------
diff --git a/type/__dma/manifest b/type/__dma/manifest
index e07fbfc..814e3ef 100755
--- a/type/__dma/manifest
+++ b/type/__dma/manifest
@@ -2,54 +2,57 @@
 
 os=$(cat "${__global}/explorer/os")
 
-smart_host="$(cat "${__object}/parameter/smart-host")"
-
-if [ -f "${__object}/parameter/mailname" ]; then
-	mailname="$(cat "${__object}/parameter/mailname")"
+# mailname: default behaviour is different on certain systems
+if test -f "${__object}/parameter/mailname"
+then
+	mailname=$(cat "${__object}/parameter/mailname")
 else
-	# default mailname behaviour is different in certain systems
-	case ${os} in
-		debian|devuan|ubuntu)
-			# Debian-like default to /etc/mailname
-			mailname="/etc/mailname"
-		;;
-		*)
-			# Otherwise let's use the hostname
-			mailname="${__target_host}"
-		;;
-	esac
+	# Otherwise use the hostname
+	mailname=$(cat "${__global}/explorer/hostname")
 fi
 
-case ${os} in
-	debian|devuan|ubuntu)
-		# Debian-like requires installing DMA
-		__package dma
-		# Moving forward without DMA doesn't make much sense
-		export require="__package/dma"
-	;;
-	freebsd)
-		# Disable sendmail + stop if necessary
-		__key_value \
-			--file      "/etc/rc.conf" \
-			--comment   "# Disable sendmail " \
-			--key       "sendmail_enable" \
-			--delimiter "=" \
-			--value     "NONE" \
-			--onchange  "service sendmail onestop || true" \
-			"sendmail_enable"
+case $os
+in
+	(debian|devuan|ubuntu)
+		# On Debian-like systems use /etc/mailname
+		if test -f "${__object}/parameter/mailname"
+		then
+			echo "$mailname" | __file '/etc/mailname' --state present \
+				--mode 0644 --owner root --group root --source -
+		fi
+
+		mailname='/etc/mailname'
+		;;
+esac
+
+# Install DMA
+case $os
+in
+	(debian|devuan|ubuntu)
+		__package dma --state present
+		export require='__package/dma'
+		;;
+	(freebsd)
+		# Stop sendmail if necessary
+		__process 'sendmail' --name 'sendmail.*' --state absent \
+			--stop '/etc/rc.d/sendmail onestop'
+
+		# ... and disable it
+		__key_value 'rcconf-sendmail-enable' --file '/etc/rc.conf' \
+			--key 'sendmail_enable' --delimiter '=' --value '"NONE"' \
+			--exact_delimiter
+
 		# Setup mailwrapper accordingly
-		__file /etc/mail/mailer.conf \
-			--mode 0644 \
-			--source '-' <<EOF
-sendmail	/usr/libexec/dma
-send-mail	/usr/libexec/dma
-mailq		/usr/libexec/dma
-newaliases	/usr/libexec/dma
-rmail		/usr/libexec/dma
-EOF
-	;;
-	*)
-		cat > /dev/stderr <<EOF
+		__file '/etc/mail/mailer.conf' --mode 0644 --source - <<-'EOF'
+			sendmail	/usr/libexec/dma
+			send-mail	/usr/libexec/dma
+			mailq		/usr/libexec/dma
+			newaliases	/usr/libexec/dma
+			rmail		/usr/libexec/dma
+		EOF
+		;;
+	(*)
+		cat <<EOF >&2
 Your OS (${os}) is not supported yet.
 
 Maybe adding support is as simple as adapting the packages or allowing it,
@@ -57,77 +60,5 @@ we highly encourage you to open a PR with the necessary changes.
 See: https://code.ungleich.ch/ungleich-public/cdist-contrib/
 EOF
 		exit 1
-	;;
+		;;
 esac
-
-DMA_CONF="$(cat <<EOF
-# Managed remotely, changes will be lost
-#
-# Your smarthost (also called relayhost).  Leave blank if you don't want
-# smarthost support.
-SMARTHOST ${smart_host}
-
-# Use this SMTP port.  Most users will be fine with the default (25)
-#PORT 25
-
-# Path to your alias file.  Just stay with the default.
-#ALIASES /etc/aliases
-
-# Path to your spooldir.  Just stay with the default.
-#SPOOLDIR /var/spool/dma
-
-# SMTP authentication
-#AUTHPATH /etc/dma/auth.conf
-
-# Uncomment if yout want TLS/SSL support
-SECURETRANSFER
-
-# Uncomment if you want STARTTLS support (only used in combination with
-# SECURETRANSFER)
-STARTTLS
-
-# Uncomment if you have specified STARTTLS above and it should be allowed
-# to fail ("opportunistic TLS", use an encrypted connection when available
-# but allow an unencrypted one to servers that do not support it)
-#OPPORTUNISTIC_TLS
-
-# Path to your local SSL certificate
-#CERTFILE
-
-# If you want to use plain text SMTP login without using encryption, change
-# the SECURE entry below to INSECURE.  Otherwise plain login will only work
-# over a secure connection.  Use this option with caution.
-#SECURE
-
-# Uncomment if you want to defer your mails.  This is useful if you are
-# behind a dialup line.  You have to submit your mails manually with dma -q
-#DEFER
-
-# Uncomment if you want the bounce message to include the complete original
-# message, not just the headers.
-#FULLBOUNCE
-
-# The internet hostname dma uses to identify the host.
-# If not set or empty, the result of gethostname(2) is used.
-# If MAILNAME is an absolute path to a file, the first line of this file
-# will be used as the hostname.
-MAILNAME ${mailname}
-
-# Masquerade envelope from addresses with this address/hostname.
-# Use this if mails are not accepted by destination mail servers because
-# your sender domain is invalid.
-# By default, MASQUERADE is not set.
-# Format: MASQUERADE [user@][host]
-# Examples:
-# MASQUERADE john@  on host "hamlet" will send all mails as john@hamlet
-# MASQUERADE percolator  will send mails as \$username@percolator, e.g. fish@percolator
-# MASQUERADE herb@ert  will send all mails as herb@ert
-
-# Directly forward the mail to the SMARTHOST bypassing aliases and local delivery
-#NULLCLIENT
-EOF
-)"
-
-__file /etc/dma/dma.conf --mode 0644 --source '-' <<EOF
-${DMA_CONF}
-EOF
diff --git a/type/__dma/parameter/default/security b/type/__dma/parameter/default/security
new file mode 100644
index 0000000..9f1e0a6
--- /dev/null
+++ b/type/__dma/parameter/default/security
@@ -0,0 +1 @@
+opportunistic
diff --git a/type/__dma/parameter/optional b/type/__dma/parameter/optional
index 0288f48..3f6cb5d 100644
--- a/type/__dma/parameter/optional
+++ b/type/__dma/parameter/optional
@@ -1 +1,3 @@
 mailname
+port
+security
diff --git a/type/__dma/parameter/optional_multiple b/type/__dma/parameter/optional_multiple
new file mode 100644
index 0000000..70f4146
--- /dev/null
+++ b/type/__dma/parameter/optional_multiple
@@ -0,0 +1 @@
+masquerade