fleet/server/mail/ses.go

package mail

import (
	"errors"
	"fmt"
	"net/url"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/ses"
	"github.com/fleetdm/fleet/v4/server/fleet"
)

type fleetSESSender interface {
	SendRawEmail(input *ses.SendRawEmailInput) (*ses.SendRawEmailOutput, error)
}

type sesSender struct {
	client    fleetSESSender
	sourceArn string
}

func getFromSES(e fleet.Email) (string, error) {
	serverURL, err := url.Parse(e.ServerURL)
	if err != nil || len(serverURL.Host) == 0 {
		return "", fmt.Errorf("failed to parse server url %s err: %w", e.ServerURL, err)
	}
	return fmt.Sprintf("From: %s\r\n", fmt.Sprintf("do-not-reply@%s", serverURL.Host)), nil
}

func (s *sesSender) SendEmail(e fleet.Email) error {
	if s.client == nil {
		return errors.New("ses sender not configured")
	}
	msg, err := getMessageBody(e, getFromSES)
	if err != nil {
		return err
	}
	return s.sendMail(e, msg)
}

func NewSESSender(region, endpointURL, id, secret, stsAssumeRoleArn, sourceArn string) (*sesSender, error) {
	conf := &aws.Config{
		Region:   &region,
		Endpoint: &endpointURL, // empty string or nil will use default values
	}

	// Only provide static credentials if we have them
	// otherwise use the default credentials provider chain
	if id != "" && secret != "" {
		conf.Credentials = credentials.NewStaticCredentials(id, secret, "")
	}

	sess, err := session.NewSession(conf)
	if err != nil {
		return nil, fmt.Errorf("create SES client: %w", err)
	}

	if stsAssumeRoleArn != "" {
		creds := stscreds.NewCredentials(sess, stsAssumeRoleArn)
		conf.Credentials = creds

		sess, err = session.NewSession(conf)

		if err != nil {
			return nil, fmt.Errorf("create SES client: %w", err)
		}
	}
	return &sesSender{client: ses.New(sess), sourceArn: sourceArn}, nil
}

func (s *sesSender) sendMail(e fleet.Email, msg []byte) error {
	toAddresses := make([]*string, len(e.To))
	for i := range e.To {
		t := e.To[i]
		toAddresses[i] = &t
	}

	_, err := s.client.SendRawEmail(&ses.SendRawEmailInput{
		Destinations: toAddresses,
		FromArn:      &s.sourceArn,
		RawMessage:   &ses.RawMessage{Data: msg},
		SourceArn:    &s.sourceArn,
	})
	if err != nil {
		return err
	}
	return nil
}
add support for AWS SES email backend (#10847) 2023-04-06 18:21:07 +00:00			`package mail`

			`import (`
			`"errors"`
			`"fmt"`
			`"net/url"`

			`"github.com/aws/aws-sdk-go/aws"`
			`"github.com/aws/aws-sdk-go/aws/credentials"`
			`"github.com/aws/aws-sdk-go/aws/credentials/stscreds"`
			`"github.com/aws/aws-sdk-go/aws/session"`
			`"github.com/aws/aws-sdk-go/service/ses"`
			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`)`

			`type fleetSESSender interface {`
			`SendRawEmail(input ses.SendRawEmailInput) (ses.SendRawEmailOutput, error)`
			`}`

			`type sesSender struct {`
			`client fleetSESSender`
			`sourceArn string`
			`}`

			`func getFromSES(e fleet.Email) (string, error) {`
Do not return empty SSO and SMTP settings for non-global-admins (#12180) #11266 PS: I first attempted a serialization trick by introducing a new `appConfigResponse` and implementing `json.Marshal` to exclude these fields but it was too hacky and hard to maintain moving forward, so I'm bitting the bullet now. Happy to hear other ideas. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ 2023-06-07 19:06:36 +00:00			`serverURL, err := url.Parse(e.ServerURL)`
add support for AWS SES email backend (#10847) 2023-04-06 18:21:07 +00:00			`if err != nil \|\| len(serverURL.Host) == 0 {`
Do not return empty SSO and SMTP settings for non-global-admins (#12180) #11266 PS: I first attempted a serialization trick by introducing a new `appConfigResponse` and implementing `json.Marshal` to exclude these fields but it was too hacky and hard to maintain moving forward, so I'm bitting the bullet now. Happy to hear other ideas. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ 2023-06-07 19:06:36 +00:00			`return "", fmt.Errorf("failed to parse server url %s err: %w", e.ServerURL, err)`
add support for AWS SES email backend (#10847) 2023-04-06 18:21:07 +00:00			`}`
			`return fmt.Sprintf("From: %s\r\n", fmt.Sprintf("do-not-reply@%s", serverURL.Host)), nil`
			`}`

			`func (s *sesSender) SendEmail(e fleet.Email) error {`
			`if s.client == nil {`
			`return errors.New("ses sender not configured")`
			`}`
			`msg, err := getMessageBody(e, getFromSES)`
			`if err != nil {`
			`return err`
			`}`
			`return s.sendMail(e, msg)`
			`}`

			`func NewSESSender(region, endpointURL, id, secret, stsAssumeRoleArn, sourceArn string) (*sesSender, error) {`
			`conf := &aws.Config{`
			`Region: &region,`
			`Endpoint: &endpointURL, // empty string or nil will use default values`
			`}`

			`// Only provide static credentials if we have them`
			`// otherwise use the default credentials provider chain`
			`if id != "" && secret != "" {`
			`conf.Credentials = credentials.NewStaticCredentials(id, secret, "")`
			`}`

			`sess, err := session.NewSession(conf)`
			`if err != nil {`
			`return nil, fmt.Errorf("create SES client: %w", err)`
			`}`

			`if stsAssumeRoleArn != "" {`
			`creds := stscreds.NewCredentials(sess, stsAssumeRoleArn)`
			`conf.Credentials = creds`

			`sess, err = session.NewSession(conf)`

			`if err != nil {`
			`return nil, fmt.Errorf("create SES client: %w", err)`
			`}`
			`}`
			`return &sesSender{client: ses.New(sess), sourceArn: sourceArn}, nil`
			`}`

			`func (s *sesSender) sendMail(e fleet.Email, msg []byte) error {`
			`toAddresses := make([]*string, len(e.To))`
			`for i := range e.To {`
			`t := e.To[i]`
			`toAddresses[i] = &t`
			`}`

			`_, err := s.client.SendRawEmail(&ses.SendRawEmailInput{`
			`Destinations: toAddresses,`
			`FromArn: &s.sourceArn,`
			`RawMessage: &ses.RawMessage{Data: msg},`
			`SourceArn: &s.sourceArn,`
			`})`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`