3.4.3 changes

track last oom time using a global variable
because it was a local variable, we were just sending out oom mails like crazy also, fixes an issue that if docker.getEvents gets stuck because docker does not respond then we do not do any health monitoring. i guess this can happen if the docker API gets stuck. (cherry picked from commit a536e9fc4b)
2018-12-16 21:07:53 -08:00 · 2018-12-16 21:07:14 -08:00 · 2018-12-16 18:44:46 -08:00 · 2018-12-15 09:28:18 -08:00 · 2018-12-14 17:35:54 -08:00
6 changed files with 157 additions and 38 deletions
--- a/31
+++ b/31
@@ -1474,3 +1474,34 @@
 * Flexible mailbox management
 * Automatic updates can be toggled per app

+[3.4.1]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+
+[3.4.2]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+
+[3.4.3]
+* Improve error page
+* Add system view to manage addons and view their status
+* Fix iconset regression for account and Cloudron name edits
+* Add server reboot button and warn if reboot is required for security updates
+* Backup and update tasks are now cancelable
+* Move graphite away from port 3000 (reserved by ESXi)
+* Flexible mailbox management
+* Automatic updates can be toggled per app
+* Fix issue where OOM mails are sent out without a rate limit
+
--- a/src/addons.js
+++ b/src/addons.js
@@ -815,7 +815,8 @@ function setupEmail(app, options, callback) {
            { name: 'MAIL_SIEVE_SERVER', value: 'mail' },
            { name: 'MAIL_SIEVE_PORT', value: '4190' },
            { name: 'MAIL_DOMAIN', value: app.domain },
-            { name: 'MAIL_DOMAINS', value: mailInDomains }
+            { name: 'MAIL_DOMAINS', value: mailInDomains },
+            { name: 'LDAP_MAILBOXES_BASE_DN', value: 'ou=mailboxes,dc=cloudron' }
        ];

        debugApp(app, 'Setting up Email');
--- a/src/apphealthmonitor.js
+++ b/src/apphealthmonitor.js
@@ -15,11 +15,12 @@ exports = module.exports = {
    run: run
 };

-var HEALTHCHECK_INTERVAL = 10 * 1000; // every 10 seconds. this needs to be small since the UI makes only healthy apps clickable
-var UNHEALTHY_THRESHOLD = 10 * 60 * 1000; // 10 minutes
-var gHealthInfo = { }; // { time, emailSent }
+const HEALTHCHECK_INTERVAL = 10 * 1000; // every 10 seconds. this needs to be small since the UI makes only healthy apps clickable
+const UNHEALTHY_THRESHOLD = 10 * 60 * 1000; // 10 minutes
+let gHealthInfo = { }; // { time, emailSent }

-const NOOP_CALLBACK = function (error) { if (error) console.error(error); };
+const OOM_MAIL_LIMIT = 60 * 60 * 1000; // 60 minutes
+let gLastOomMailTime = Date.now() - (5 * 60 * 1000); // pretend we sent email 5 minutes ago

 function debugApp(app) {
    assert(typeof app === 'object');
@@ -118,13 +119,11 @@ function checkAppHealth(app, callback) {
        apt-get update && apt-get install stress
        stress --vm 1 --vm-bytes 200M --vm-hang 0
 */
-function processDockerEvents(interval, callback) {
-    assert.strictEqual(typeof interval, 'number');
+function processDockerEvents(intervalSecs, callback) {
+    assert.strictEqual(typeof intervalSecs, 'number');
    assert.strictEqual(typeof callback, 'function');

-    const OOM_MAIL_LIMIT = 60 * 60 * 1000; // 60 minutes
-    let lastOomMailTime = new Date(new Date() - OOM_MAIL_LIMIT);
-    const since = ((new Date().getTime() / 1000) - interval).toFixed(0);
+    const since = ((new Date().getTime() / 1000) - intervalSecs).toFixed(0);
    const until = ((new Date().getTime() / 1000) - 1).toFixed(0);

    docker.getEvents({ since: since, until: until, filters: JSON.stringify({ event: [ 'oom' ] }) }, function (error, stream) {
@@ -136,15 +135,17 @@ function processDockerEvents(interval, callback) {
            appdb.getByContainerId(ev.id, function (error, app) { // this can error for addons
                var program = error || !app.appStoreId ? ev.id : app.appStoreId;
                var context = JSON.stringify(ev);
-                var now = new Date();
+                var now = Date.now();
                if (app) context = context + '\n\n' + JSON.stringify(app, null, 4) + '\n';

-                debug('OOM Context: %s', context);
+                const notifyUser = (!app || !app.debugMode) && (now - gLastOomMailTime > OOM_MAIL_LIMIT);
+
+                debug('OOM Context: %s. notifyUser: %s. lastOomTime: %s (now: %s)', context, notifyUser, gLastOomMailTime, now);

                // do not send mails for dev apps
-                if ((!app || !app.debugMode) && (now - lastOomMailTime > OOM_MAIL_LIMIT)) {
+                if (notifyUser) {
                    mailer.oomEvent(program, context); // app can be null if it's an addon crash
-                    lastOomMailTime = now;
+                    gLastOomMailTime = now;
                }
            });
        });
@@ -181,14 +182,13 @@ function processApp(callback) {
    });
 }

-function run(interval, callback) {
-    assert.strictEqual(typeof interval, 'number');
-
-    callback = callback || NOOP_CALLBACK;
+function run(intervalSecs, callback) {
+    assert.strictEqual(typeof intervalSecs, 'number');
+    assert.strictEqual(typeof callback, 'function');

    async.series([
-        processDockerEvents.bind(null, interval),
-        processApp
+        processApp, // this is first because docker.getEvents seems to get 'stuck' sometimes
+        processDockerEvents.bind(null, intervalSecs)
    ], function (error) {
        if (error) debug(error);

--- a/src/cron.js
+++ b/src/cron.js
@@ -22,7 +22,6 @@ var appHealthMonitor = require('./apphealthmonitor.js'),
    dyndns = require('./dyndns.js'),
    eventlog = require('./eventlog.js'),
    janitor = require('./janitor.js'),
-    reverseProxy = require('./reverseproxy.js'),
    scheduler = require('./scheduler.js'),
    settings = require('./settings.js'),
    updater = require('./updater.js'),
@@ -48,7 +47,7 @@ var gJobs = {
    appHealthMonitor: null
 };

-var NOOP_CALLBACK = function (error) { if (error) console.error(error); };
+var NOOP_CALLBACK = function (error) { if (error) debug(error); };
 var AUDIT_SOURCE = { userId: null, username: 'cron' };

 // cron format
@@ -202,7 +201,7 @@ function recreateJobs(tz) {
    if (gJobs.appHealthMonitor) gJobs.appHealthMonitor.stop();
    gJobs.appHealthMonitor = new CronJob({
        cronTime: '*/10 * * * * *', // every 10 seconds
-        onTick: appHealthMonitor.run.bind(null, 10),
+        onTick: appHealthMonitor.run.bind(null, 10, NOOP_CALLBACK),
        start: true,
        timeZone: tz
    });
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -450,8 +450,39 @@ function authorizeUserForApp(req, res, next) {
    });
 }

-function authenticateMailbox(req, res, next) {
-    debug('mailbox auth: %s (from %s)', req.dn.toString(), req.connection.ldap.id);
+function authenticateUserMailbox(req, res, next) {
+    debug('user mailbox auth: %s (from %s)', req.dn.toString(), req.connection.ldap.id);
+
+    if (!req.dn.rdns[0].attrs.cn) return next(new ldap.NoSuchObjectError(req.dn.toString()));
+
+    var email = req.dn.rdns[0].attrs.cn.value.toLowerCase();
+    var parts = email.split('@');
+    if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
+
+    mail.getDomain(parts[1], function (error, domain) {
+        if (error && error.reason === MailError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
+        if (error) return next(new ldap.OperationsError(error.message));
+
+        if (!domain.enabled) return next(new ldap.NoSuchObjectError(req.dn.toString()));
+
+        mailboxdb.getMailbox(parts[0], parts[1], function (error, mailbox) {
+            if (error && error.reason === DatabaseError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
+            if (error) return next(new ldap.OperationsError(error.message));
+
+            users.verify(mailbox.ownerId, req.credentials || '', function (error, result) {
+                if (error && error.reason === UsersError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
+                if (error && error.reason === UsersError.WRONG_PASSWORD) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
+                if (error) return next(new ldap.OperationsError(error.message));
+
+                eventlog.add(eventlog.ACTION_USER_LOGIN, { authType: 'ldap', mailboxId: email }, { userId: result.id, user: users.removePrivateFields(result) });
+                res.end();
+            });
+        });
+    });
+}
+
+function authenticateMailAddon(req, res, next) {
+    debug('mail addon auth: %s (from %s)', req.dn.toString(), req.connection.ldap.id);

    if (!req.dn.rdns[0].attrs.cn) return next(new ldap.NoSuchObjectError(req.dn.toString()));

@@ -516,12 +547,13 @@ function start(callback) {
    gServer.bind('ou=users,dc=cloudron', authenticateApp, authenticateUser, authorizeUserForApp);

    // http://www.ietf.org/proceedings/43/I-D/draft-srivastava-ldap-mail-00.txt
-    gServer.search('ou=mailboxes,dc=cloudron', mailboxSearch);
-    gServer.search('ou=mailaliases,dc=cloudron', mailAliasSearch);
-    gServer.search('ou=mailinglists,dc=cloudron', mailingListSearch);
+    gServer.search('ou=mailboxes,dc=cloudron', mailboxSearch); // haraka, dovecot
+    gServer.bind('ou=mailboxes,dc=cloudron', authenticateUserMailbox); // apps like sogo can use domain=${domain} to authenticate a mailbox
+    gServer.search('ou=mailaliases,dc=cloudron', mailAliasSearch); // haraka
+    gServer.search('ou=mailinglists,dc=cloudron', mailingListSearch); // haraka

-    gServer.bind('ou=recvmail,dc=cloudron', authenticateMailbox); // dovecot
-    gServer.bind('ou=sendmail,dc=cloudron', authenticateMailbox); // haraka
+    gServer.bind('ou=recvmail,dc=cloudron', authenticateMailAddon); // dovecot
+    gServer.bind('ou=sendmail,dc=cloudron', authenticateMailAddon); // haraka

    gServer.compare('cn=users,ou=groups,dc=cloudron', authenticateApp, groupUsersCompare);
    gServer.compare('cn=admins,ou=groups,dc=cloudron', authenticateApp, groupAdminsCompare);
--- a/src/test/ldap-test.js
+++ b/src/test/ldap-test.js
@@ -110,6 +110,8 @@ function setup(done) {
                appdb.add(APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.domain, APP_0.ownerId, apps._translatePortBindings(APP_0.portBindings, APP_0.manifest), APP_0, callback);
            });
        },
+        (done) => mailboxdb.addMailbox(USER_0.username.toLowerCase(), DOMAIN_0.domain, USER_0.id, done),
+        (done) => mailboxdb.setAliasesForName(USER_0.username.toLowerCase(), DOMAIN_0.domain, [ USER_0_ALIAS.toLocaleLowerCase() ], done),
        appdb.update.bind(null, APP_0.id, { containerId: APP_0.containerId }),
        appdb.setAddonConfig.bind(null, APP_0.id, 'sendmail', [{ name: 'MAIL_SMTP_PASSWORD', value : 'sendmailpassword' }]),
        appdb.setAddonConfig.bind(null, APP_0.id, 'recvmail', [{ name: 'MAIL_IMAP_PASSWORD', value : 'recvmailpassword' }]),
@@ -812,10 +814,6 @@ describe('Ldap', function () {
    }

    describe('search mailbox', function () {
-        before(function (done) {
-            mailboxdb.addMailbox(USER_0.username.toLowerCase(), DOMAIN_0.domain, USER_0.id, done);
-        });
-
        it('get specific mailbox by email', function (done) {
            ldapSearch('cn=' + USER_0.username + '@example.com,ou=mailboxes,dc=cloudron', 'objectclass=mailbox', function (error, entries) {
                if (error) return done(error);
@@ -848,10 +846,6 @@ describe('Ldap', function () {
    });

    describe('search aliases', function () {
-        before(function (done) {
-            mailboxdb.setAliasesForName(USER_0.username.toLowerCase(), DOMAIN_0.domain, [ USER_0_ALIAS.toLocaleLowerCase() ], done);
-        });
-
        it('get specific alias', function (done) {
            ldapSearch('cn=' + USER_0_ALIAS + '@example.com,ou=mailaliases,dc=cloudron', 'objectclass=nismailalias', function (error, entries) {
                if (error) return done(error);
@@ -919,6 +913,68 @@ describe('Ldap', function () {
        });
    });

+    describe('user mailbox bind', function () {
+        it('email disabled - cannot find domain email', function (done) {
+            var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
+
+            client.bind('cn=' + USER_0.username + '@example.com,domain=example.com,ou=mailboxes,dc=cloudron', USER_0.password + 'nope', function (error) {
+                expect(error).to.be.a(ldap.NoSuchObjectError);
+                client.unbind(done);
+            });
+        });
+
+        it('email enabled - does not allow with invalid password', function (done) {
+            // use maildb to not trigger further events
+            maildb.update(DOMAIN_0.domain, { enabled: true }, function (error) {
+                expect(error).not.to.be.ok();
+
+                var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
+
+                client.bind('cn=' + USER_0.username + '@example.com,domain=example.com,ou=mailboxes,dc=cloudron', USER_0.password + 'nope', function (error) {
+                    expect(error).to.be.a(ldap.InvalidCredentialsError);
+
+                    client.unbind();
+
+                    maildb.update(DOMAIN_0.domain, { enabled: false }, done);
+                });
+            });
+        });
+
+        it('email enabled - allows with valid password', function (done) {
+            // use maildb to not trigger further events
+            maildb.update(DOMAIN_0.domain, { enabled: true }, function (error) {
+                expect(error).not.to.be.ok();
+
+                var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
+
+                client.bind('cn=' + USER_0.username + '@example.com,domain=example.com,ou=mailboxes,dc=cloudron', USER_0.password, function (error) {
+                    expect(error).not.to.be.ok();
+
+                    client.unbind();
+
+                    maildb.update(DOMAIN_0.domain, { enabled: false }, done);
+                });
+            });
+        });
+
+        it('email enabled - cannot auth with alias', function (done) {
+            // use maildb to not trigger further events
+            maildb.update(DOMAIN_0.domain, { enabled: true }, function (error) {
+                expect(error).not.to.be.ok();
+
+                var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
+
+                client.bind('cn=' + USER_0_ALIAS + '@example.com,domain=example.com,ou=mailboxes,dc=cloudron', USER_0.password, function (error) {
+                    expect(error).to.be.a(ldap.NoSuchObjectError);
+
+                    client.unbind();
+
+                    maildb.update(DOMAIN_0.domain, { enabled: false }, done);
+                });
+            });
+        });
+    });
+
    describe('user sendmail bind', function () {
        it('email disabled - cannot find domain email', function (done) {
            var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
Author	SHA1	Message	Date
Girish Ramakrishnan	fd723cf7eb	3.4.3 changes	2018-12-16 21:07:53 -08:00
Girish Ramakrishnan	f2c8102a6a	track last oom time using a global variable because it was a local variable, we were just sending out oom mails like crazy also, fixes an issue that if docker.getEvents gets stuck because docker does not respond then we do not do any health monitoring. i guess this can happen if the docker API gets stuck. (cherry picked from commit `a536e9fc4b`)	2018-12-16 21:07:14 -08:00
Girish Ramakrishnan	6589ba0988	Add LDAP_MAILBOXES_BASE_DN this got removed by mistake in the email refactor assuming this was unused (but it is used by sogo)	2018-12-16 18:44:46 -08:00
Girish Ramakrishnan	2d7f0c3ebe	3.4.2 changes	2018-12-15 09:28:18 -08:00
Girish Ramakrishnan	a66bc7192d	3.4.1 changes	2018-12-14 17:35:54 -08:00