From 13b560c191ae885900d9f8213b4ae97418734bc8 Mon Sep 17 00:00:00 2001
From: fruzitent
Date: Wed, 9 Jul 2025 23:15:26 +0200
Subject: [PATCH] feat: add _URI entries for mail config (#8116)

For the mailer and incoming_mailer config, allow passwords to be read from a file. Add `_URI` config values and use the existing `loadSecret` function to do this.

Resolves https://codeberg.org/forgejo/forgejo/issues/8113

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8116
Reviewed-by: Gusted
Reviewed-by: oliverpool
Co-authored-by: fruzitent
Co-committed-by: fruzitent
---
 custom/conf/app.example.ini | 6 ++++++
 modules/setting/incoming_email.go | 7 ++++++-
 modules/setting/incoming_email_test.go | 18 ++++++++++++++++++
 modules/setting/mailer.go | 4 ++++
 modules/setting/mailer_test.go | 20 ++++++++++++++++++++
 5 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 37d67df5f0..71598663b2 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1768,6 +1768,9 @@ LEVEL = Info
 ;; Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;PASSWD =
 ;;
+;; Alternative location to specify mailer password. You cannot specify both this and PASSWD, and must pick one
+;PASSWD_URI = file:/etc/forgejo/mailer_passwd
+;;
 ;; Send mails only in plain text, without HTML alternative
 ;SEND_AS_PLAIN_TEXT = false
 ;;
@@ -1820,6 +1823,9 @@ LEVEL = Info
 ;; Password of the receiving account
 ;PASSWORD =
 ;;
+;; Alternative location to specify password of the receiving account. You cannot specify both this and PASSWORD, and must pick one
+;PASSWORD_URI = file:/etc/forgejo/email_incoming_password
+;;
 ;; Whether the IMAP server uses TLS.
 ;USE_TLS = false
 ;;
diff --git a/modules/setting/incoming_email.go b/modules/setting/incoming_email.go
index e592220de6..a890a4a328 100644
--- a/modules/setting/incoming_email.go
+++ b/modules/setting/incoming_email.go
@@ -44,9 +44,14 @@ func loadIncomingEmailFrom(rootCfg ConfigProvider) {
 	if sec.HasKey("USER") && !sec.HasKey("USERNAME") {
 		IncomingEmail.Username = sec.Key("USER").String()
 	}
+
 	if sec.HasKey("PASSWD") && !sec.HasKey("PASSWORD") {
-		IncomingEmail.Password = sec.Key("PASSWD").String()
+		sec.Key("PASSWORD").SetValue(sec.Key("PASSWD").String())
 	}
+	if sec.HasKey("PASSWD_URI") && !sec.HasKey("PASSWORD_URI") {
+		sec.Key("PASSWORD_URI").SetValue(sec.Key("PASSWD_URI").String())
+	}
+	IncomingEmail.Password = loadSecret(sec, "PASSWORD_URI", "PASSWORD")
 
 	// Infer Port if not set
 	if IncomingEmail.Port == 0 {
diff --git a/modules/setting/incoming_email_test.go b/modules/setting/incoming_email_test.go
index 6d181cae3c..4ea740bafd 100644
--- a/modules/setting/incoming_email_test.go
+++ b/modules/setting/incoming_email_test.go
@@ -4,6 +4,8 @@
 package setting
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -35,6 +37,22 @@ func Test_loadIncomingEmailFrom(t *testing.T) {
 		assert.Equal(t, "y0u'll n3v3r gUess th1S!!1", IncomingEmail.Password)
 	})
 
+	t.Run("Secrets", func(t *testing.T) {
+		uri := filepath.Join(t.TempDir(), "email_incoming_password")
+
+		if err := os.WriteFile(uri, []byte("th1S gUess n3v3r y0u'll!!1"), 0o644); err != nil {
+			t.Fatal(err)
+		}
+
+		cfg, sec := makeBaseConfig()
+		sec.NewKey("PASSWORD_URI", "file:"+uri)
+
+		IncomingEmail.Password = ""
+		loadIncomingEmailFrom(cfg)
+
+		assert.Equal(t, "th1S gUess n3v3r y0u'll!!1", IncomingEmail.Password)
+	})
+
 	t.Run("Port settings", func(t *testing.T) {
 		t.Run("no port, no tls", func(t *testing.T) {
 			defer resetIncomingEmailPort()()
diff --git a/modules/setting/mailer.go b/modules/setting/mailer.go
index 9c004c6ce0..b43484a90f 100644
--- a/modules/setting/mailer.go
+++ b/modules/setting/mailer.go
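Review bot: The last added line, `IncomingEmail.Password = loadSecret(sec, "PASSWORD_URI", "PASSWORD")`, now assigns the password unconditionally, so whatever populated IncomingEmail.Password before this point (outside the hunk) is overwritten with loadSecret's result, and the outcome when neither key is present, or when both PASSWORD and PASSWORD_URI are set as the example ini says they must not be, rests entirely on loadSecret, whose implementation is not part of this patch. If loadSecret does not reject the both-set case, the example-ini promise is unenforced and one value silently wins; that is worth confirming and pinning with a test. A short comment on the line would make the intent explicit, e.g. `// Resolve the password from the PASSWORD_URI file or the inline PASSWORD value.`. loadIncomingEmailFrom continues past the end of the hunk.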
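Review bot: The new "Secrets" subtest in incoming_email_test.go only exercises the PASSWORD_URI happy path; the PASSWD_URI alias branch added in incoming_email.go and the "cannot specify both" rule promised in app.example.ini are not covered, and the "Secrets" subtest in mailer_test.go has the same gap for the PASSWORD_URI alias of PASSWD_URI. A second case that sets `sec.NewKey("PASSWD_URI", "file:"+uri)` instead and asserts the same value would cover the alias, and a case with both PASSWORD and PASSWORD_URI present would pin whichever outcome loadSecret is meant to produce. The result of `sec.NewKey` is also discarded here; if it reports an error, checking it would make a broken setup fail as such rather than as a misleading assertion on the password.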
@@ -147,6 +147,10 @@ func loadMailerFrom(rootCfg ConfigProvider) {
 	if sec.HasKey("PASSWORD") && !sec.HasKey("PASSWD") {
 		sec.Key("PASSWD").SetValue(sec.Key("PASSWORD").String())
 	}
+	if sec.HasKey("PASSWORD_URI") && !sec.HasKey("PASSWD_URI") {
+		sec.Key("PASSWD_URI").SetValue(sec.Key("PASSWORD_URI").String())
+	}
+	sec.Key("PASSWD").SetValue(loadSecret(sec, "PASSWD_URI", "PASSWD"))
 
 	// Set default values & validate
 	sec.Key("NAME").MustString(AppName)
diff --git a/modules/setting/mailer_test.go b/modules/setting/mailer_test.go
index 4523cc91dd..47eaf3ffbb 100644
--- a/modules/setting/mailer_test.go
+++ b/modules/setting/mailer_test.go
@@ -4,6 +4,8 @@
 package setting
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -52,6 +54,24 @@ func Test_loadMailerFrom(t *testing.T) {
 		assert.Equal(t, "y0u'll n3v3r gUess th1S!!1", MailService.Passwd)
 	})
 
+	t.Run("Secrets", func(t *testing.T) {
+		uri := filepath.Join(t.TempDir(), "mailer_passwd")
+
+		if err := os.WriteFile(uri, []byte("th1S gUess n3v3r y0u'll!!1"), 0o644); err != nil {
+			t.Fatal(err)
+		}
+
+		cfg, _ := NewConfigProviderFromData("")
+		sec := cfg.Section("mailer")
+		sec.NewKey("ENABLED", "true")
+		sec.NewKey("PASSWD_URI", "file:"+uri)
+
+		MailService.Passwd = ""
+		loadMailerFrom(cfg)
+
+		assert.Equal(t, "th1S gUess n3v3r y0u'll!!1", MailService.Passwd)
+	})
+
 	t.Run("sendmail argument sanitization", func(t *testing.T) {
 		cfg, _ := NewConfigProviderFromData("")
 		sec := cfg.Section("mailer")
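Review bot: `sec.Key("PASSWD").SetValue(loadSecret(sec, "PASSWD_URI", "PASSWD"))` writes the secret resolved from the PASSWD_URI file back into the config section, so a password the operator deliberately kept out of app.ini now lives in the in-memory ConfigProvider, and any later code that dumps, saves or logs the mailer section would carry it, which is what the _URI option exists to avoid. incoming_email.go in the same patch assigns the resolved value to the struct field instead, so the two loaders now handle the secret differently. If the write-back is needed because MailService is mapped from the section later in loadMailerFrom (the function continues outside the hunk), a comment should say so, e.g. `// Store the resolved secret on PASSWD so the section-to-struct mapping below picks it up.`; otherwise assigning it to `MailService.Passwd` directly, as incoming_email.go does, keeps the file-sourced value out of the section.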