#!/usr/local/cpanel/3rdparty/bin/perl

# cpanel - scripts/refresh-dkim-validity-cache     Copyright 2022 cPanel, L.L.C.
#                                                           All rights reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

#----------------------------------------------------------------------
# NOTE: See Cpanel/DKIM/ValidityCache/Sync.pm for a more code-friendly
# analogue to this script.
#----------------------------------------------------------------------

package scripts::refresh_dkim_validity_cache;

use strict;
use warnings;

=encoding utf-8

=head1 NAME

scripts/refresh-dkim-validity-cache

=head1 USAGE

    refresh-dkim-validity-cache ( --help | --all-domains | --initialize )

    refresh-dkim-validity-cache --domain $d1 --domain $d2 ...

=head1 DESCRIPTION

This script refreshes the DKIM validity cache so that the system
will add DKIM signatures for all messages whose sender domain has a
correct DKIM configuration—but B<only> those messages.

It notes all changes made to the cache and prints a summary at the end.

=head1 OPTIONS

=over

=item * C<--all-domains> - Refreshes every domain’s validity cache.
(This can take a while!) Excludes C<--domain> and C<--initialize>.

=item * C<--domain> - Accepts a domain as argument. May be given multiple
times.

=item * C<--initialize> - Creates the validity cache anew if it doesn’t
already exist. All users are recorded as having valid DKIM, with the
understanding that a subsequent run of this script with C<--all-domains>
will remove invalid entries. (This is to ensure that DKIM signing doesn’t
fail temporarily while the cache is being created.)
C<--initialize> excludes C<--domain> and implies C<--all-domains>.
This is only useful in rare cases and shouldn’t ordinarily be done.

=back

=cut

use Try::Tiny;

use parent qw( Cpanel::HelpfulScript );

use constant _OPTIONS => (
    'initialize',
    'all-domains',
    'domain=s@',
);

__PACKAGE__->new(@ARGV)->run() if !caller;

sub run {
    my ($self) = @_;

    my $given_domains_ar = $self->getopt('domain');

    my $every_domain_yn = $self->getopt('all-domains');

    my $init_yn = $self->getopt('initialize');

    if ($every_domain_yn) {
        if ( $init_yn || $given_domains_ar ) {
            die $self->help('“--all-domains” excludes “--initialize” and “--domain”.');
        }
    }
    elsif ($init_yn) {
        if ($given_domains_ar) {
            die $self->help('“--initialize” excludes “--all-domains” and “--domain”.');
        }
    }
    elsif ( !$given_domains_ar ) {
        die $self->help('No arguments given!');
    }

    require Cpanel::DKIM::ValidityCache;

    my $all_domains_ar = _load_all_domains();

    my $cache_all_ar = Cpanel::DKIM::ValidityCache->get_all();

    my %old_lookup;

    my $init_obj;

    if ($cache_all_ar) {
        if ($init_yn) {
            $self->say('The cache is already initialized.');
            return;
        }

        %old_lookup = map { $_ => undef } @$cache_all_ar;

        require Cpanel::Set;
        my @stale = Cpanel::Set::difference(
            [ keys %old_lookup ],
            $all_domains_ar,
        );

        for (@stale) {
            $self->say("Removing stale entry for “$_” …");
            _write_or_warn( 'unset', $_ );
        }
    }
    elsif ($init_yn) {
        require Cpanel::DKIM::ValidityCache::TempDir;
        $init_obj = Cpanel::DKIM::ValidityCache::TempDir->new();
    }

    $_ = 0 for my ( $added, $removed );

    for my $domain ( sort @$all_domains_ar ) {

        # Skip all wildcards.
        next if 0 == index( $domain, '*' );

        if ( !$every_domain_yn && !$init_yn ) {
            my $proceed_yn = grep { $_ eq $domain } @$given_domains_ar;

            next if !$proceed_yn;
        }

        if ($init_yn) {
            _write_or_warn( set => $domain );
            $added++;
        }
        else {
            $self->say("Checking “$domain” …");

            try {
                if ( _domain_has_valid_dkim($domain) ) {
                    $self->say("\t✅ Valid!");

                    if ( !exists $old_lookup{$domain} ) {
                        _write_or_warn( set => $domain );
                        $added++;
                        $self->say("\t➕ Added to cache.");
                    }
                }
                else {
                    $self->say("\t⛔ Not valid.");

                    if ( exists $old_lookup{$domain} ) {
                        require Cpanel::DKIM::ValidityCache::Write;
                        Cpanel::DKIM::ValidityCache::Write->unset($domain);
                        $removed++;
                        $self->say("\t➖ Removed from cache.");
                    }
                }
            }
            catch {
                warn "$domain: $_";
            };
        }
    }

    $self->say();

    if ($init_yn) {
        $init_obj->install();
        $self->say("The cache is initialized. ($added entries added)");
    }
    else {
        $self->say("Done! $added added, $removed removed.");
    }

    return;
}

sub _write_or_warn {
    my ( $fn, $name ) = @_;

    require Cpanel::DKIM::ValidityCache::Write;
    local $@;
    warn if !eval { Cpanel::DKIM::ValidityCache::Write->$fn($name); 1 };

    return;
}

sub _load_all_domains {

    require Cpanel::Config::LoadUserDomains;

    # 1 = give me a domain-to-user hash
    my $du_hr = Cpanel::Config::LoadUserDomains::loaduserdomains( undef, 1 );

    require Cpanel::Sys::Hostname;

    # Ensure that we can DKIM-sign mail sent from the hostname.
    my $hostname = Cpanel::Sys::Hostname::gethostname();
    $du_hr->{$hostname} ||= undef;

    return [ sort keys %$du_hr ];
}

sub _domain_has_valid_dkim {
    my ($domain) = @_;

    require Cpanel::DnsUtils::MailRecords;

    my $resp_ar = Cpanel::DnsUtils::MailRecords::validate_dkim_records_for_domains( [$domain] );

    return ( ( $resp_ar->[0]{'state'} // q<> ) eq 'VALID' );
}

1;