From: Michael Tremer
Date: Fri, 14 Oct 2022 13:23:28 +0000 (+0000)
Subject: messages: Use a client certificate to send any emails
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=182706fb24cfe7b27275405d8cd568420aea6bef;p=pbs.git

messages: Use a client certificate to send any emails

Signed-off-by: Michael Tremer
---
diff --git a/src/buildservice/__init__.py b/src/buildservice/__init__.py
index 6ead74ac..2cdd2f56 100644
--- a/src/buildservice/__init__.py
+++ b/src/buildservice/__init__.py
@@ -7,6 +7,7 @@ import logging
 import os
 import pakfire
 import shutil
+import ssl
 import systemd.journal
 import tempfile
 import urllib.parse
@@ -286,6 +287,41 @@ class Backend(object):
 # Open the archive
 return p.open(path)
+ @property
+ def ssl_context(self):
+ # Create SSL context
+ context = ssl.create_default_context()
+
+ # Fetch client certificate
+ certificate = self.settings.get("client-certificate", None)
+ key = self.settings.get("client-key", None)
+
+ # Apply client certificate
+ if certificate and key:
+ with tempfile.NamedTemporaryFile(mode="w") as f_cert:
+ f_cert.write(certificate)
+ f_cert.flush()
+
+ with tempfile.NamedTemporaryFile(mode="w") as f_key:
+ f_key.write(key)
+ f_key.flush()
+
+ context.load_cert_chain(f_cert.name, f_key.name)
+
+ return context
+
+ async def load_certificate(self, certfile, keyfile):
+ with self.db.transaction():
+ # Load certificate
+ with open(certfile) as f:
+ self.settings.set("client-certificate", f.read())
+
+ # Load key file
+ with open(keyfile) as f:
+ self.settings.set("client-key", f.read())
+
+ log.info("Updated certificates")
+
 async def cleanup(self):
 """
 Called regularly to cleanup any left-over resources
diff --git a/src/buildservice/messages.py b/src/buildservice/messages.py
index 14572d56..cde53e8c 100644
--- a/src/buildservice/messages.py
+++ b/src/buildservice/messages.py
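Review bot: `Backend.load_certificate` in `src/buildservice/__init__.py` stores the contents of `certfile` and `keyfile` without checking that they parse or belong together, so a bad pair is only discovered later, when `ssl_context` calls `load_cert_chain` and the STARTTLS path that uses the property starts raising. Validating first, e.g. `ssl.create_default_context().load_cert_chain(certfile, keyfile)` before entering the transaction, would reject the input at load time. The private key is also kept in `self.settings` (apparently database-backed, given the `self.db.transaction()` wrapper) and rewritten to a temporary file on every access of the property, so read access to that store amounts to possession of the client key; a comment such as `# NOTE: client-key is secret; ssl can only load a cert chain from files, hence the temp files` would document the trade-off. When only one of the two settings is present, the `if certificate and key:` branch is skipped silently and mail goes out without a client certificate, so a `log.warning` in that case would make the misconfiguration visible.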
@@ -191,7 +191,7 @@ class Queue(base.Object):
 conn = smtplib.SMTP(hostname)
 # Start TLS connection
- conn.starttls()
+ conn.starttls(context=self.backend.ssl_context)
 return conn
diff --git a/src/scripts/pakfire-build-service b/src/scripts/pakfire-build-service
index 51127c1e..836ac936 100644
--- a/src/scripts/pakfire-build-service
+++ b/src/scripts/pakfire-build-service
@@ -18,6 +18,9 @@ class Cli(object):
 # Bugzilla
 "bugzilla:version" : self.backend.bugzilla.version,
+ # Certificates
+ "load-certificate" : self.backend.load_certificate,
+
 # Cleanup
 "cleanup" : self.backend.cleanup,
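Review bot: In `src/buildservice/messages.py`, passing `self.backend.ssl_context` does more than attach the client certificate: `ssl.create_default_context()` requires a valid server certificate and a hostname match, whereas the bare `conn.starttls()` it replaces did not verify the peer in CPython's smtplib. Any relay reached through `smtplib.SMTP(hostname)` with a self-signed or mismatched certificate will now fail the handshake with `ssl.SSLCertVerificationError`, and the hunk does not show whether the caller handles that; the enclosing method starts and ends outside the hunk. I would keep the stricter behaviour and record it with a comment above the call, e.g. `# ssl_context verifies the server certificate and hostname`. It is also worth confirming that `hostname` is always the project's own relay, since the client certificate is now offered to whichever server that name resolves to.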