<?php
/**
* @file
* Primary module hooks for bay-platform-dependencies module.
*/
use Drupal\Core\Render\BubbleableMetadata;
// Name of the environment variable holding the comma-separated list of
// permitted sender addresses; read by _bay_platform_dependencies_smtp_allowlist().
const BPD_ENV_SMTP_ALLOWLIST = "SMTP_FROM_WHITELIST";
// Path of the Kubernetes service account token file whose contents are
// returned by the 'k8s-service-account-token' token in hook_tokens(). The
// file content is a credential, so treat every consumer of this constant as
// handling a secret.
const K8S_SERVICE_ACCOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token";
/**
 * Implements hook_mail_alter().
 *
 * Points the Reply-To of outgoing mail at the address configured in the
 * SMTP_REPLYTO environment variable, but only while Reply-To still equals the
 * From address.
 */
function bay_platform_dependencies_mail_alter(&$message) {
  // The SMTP_REPLYTO environment variable is set in lagoon. When it is unset
  // or empty there is nothing to rewrite.
  $no_reply = getenv("SMTP_REPLYTO");
  if (!$no_reply) {
    return;
  }

  // A Reply-To that differs from From was set on purpose by another module
  // (such as webform) and must keep working, so it is left alone.
  if ($message['from'] != $message['reply-to']) {
    return;
  }

  // Reply-To is still the default value: redirect replies to the no-reply
  // address so the SES verified address doesn't get spammed.
  $message['reply-to'] = $no_reply;
  $message['headers']['Reply-to'] = $no_reply;
}
/**
 * Implements hook_form_FORM_ID_alter().
 *
 * Limits the sender-related e-mail fields of the webform handler form
 * (from_mail, return_path, sender_mail) to the configured SMTP allowlist.
 * When no allowlist is configured the form is left untouched.
 */
function bay_platform_dependencies_form_webform_handler_form_alter(&$form, \Drupal\Core\Form\FormStateInterface $form_state) {
  $allowed = _bay_platform_dependencies_smtp_allowlist();
  if ($allowed) {
    $settings = &$form["settings"];
    // Each of these fields sets an envelope/header sender address, so all
    // three get the same restriction.
    _bay_platform_dependencies_form_webform_handler_form_options($settings["from"]["from_mail"]["from_mail"], $allowed);
    _bay_platform_dependencies_form_webform_handler_form_options($settings["additional"]["return_path"]["return_path"], $allowed);
    _bay_platform_dependencies_form_webform_handler_form_options($settings["additional"]["sender_mail"]["sender_mail"], $allowed);
  }
}
/**
 * Restricts one e-mail options element to the allowlisted addresses.
 *
 * @param array $element
 *   The form element to alter, passed by reference.
 * @param array $smtp_allowlist
 *   The e-mail addresses that may be selected.
 */
function _bay_platform_dependencies_form_webform_handler_form_options(&$element, array $smtp_allowlist) {
  // Remove ability to choose element values.
  unset($element['#options']["Elements"], $element['#options']["Options"]);

  // Remove ability to choose contextual values: the "Other" group is replaced
  // by the allowlist, each address serving as both option key and label.
  $element['#options']["Other"] = array_combine($smtp_allowlist, $smtp_allowlist);

  // The option list only constrains the rendered widget; the validator
  // re-checks the submitted value against the allowlist.
  $element["#element_validate"][] = "bay_platform_dependencies_form_webform_handler_form_element_validate";
}
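/**
 * Validation handler for email options elements.
 *
 * Rejects any submitted address that is not on the SMTP allowlist. An empty
 * value and the "_default" choice are accepted without a lookup.
 *
 * @param array $element
 *   The element being validated; its '#parents' locate the submitted value.
 * @param object $form_state
 *   The form state; only getValue() and setErrorByName() are used here.
 */
function bay_platform_dependencies_form_webform_handler_form_element_validate($element, &$form_state) {
  $value = $form_state->getValue($element['#parents']);
  // Strict comparison: only the literal string "_default" skips validation.
  // A loose comparison would also let a boolean TRUE through.
  if (empty($value) || $value === "_default") {
    return;
  }

  // The helper returns FALSE when the allowlist is not configured. Treat that
  // as an empty list so the check fails closed instead of handing a boolean
  // to in_array().
  $allowlist = _bay_platform_dependencies_smtp_allowlist() ?: [];

  // Strict membership test so type juggling can never make an unlisted value
  // match an allowlist entry.
  if (!in_array($value, $allowlist, TRUE)) {
    $error = \Drupal::translation()->translate("Disallowed email address submitted - %email", ["%email" => $value]);
    $form_state->setErrorByName(implode("][", $element['#parents']), $error);
  }
}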
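/**
 * Helper function which returns the permitted email addresses.
 *
 * The list is read from the environment variable named by
 * BPD_ENV_SMTP_ALLOWLIST as a comma-separated string. Whitespace around each
 * entry is stripped and empty entries are dropped, so a value such as
 * "a@example.com, b@example.com," yields two clean addresses.
 *
 * @return array|bool
 *   Array of allowed emails, or
 *   FALSE if not configured (or if no usable entry remains).
 */
function _bay_platform_dependencies_smtp_allowlist() {
  $list = getenv(BPD_ENV_SMTP_ALLOWLIST);
  if (empty($list)) {
    return FALSE;
  }

  $emails = array_map('trim', explode(",", $list));
  // Drop blanks left by stray or trailing commas; an empty string must never
  // become a selectable or accepted sender address.
  $emails = array_values(array_filter($emails, static function ($email) {
    return $email !== '';
  }));

  return $emails ?: FALSE;
}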
/**
 * Implements hook_token_info().
 *
 * Registers the 'k8s-service-account-token' token under the
 * 'bay_platform_dependencies' token type.
 */
function bay_platform_dependencies_token_info() {
  // NOTE(review): this token resolves to a credential read from disk, so any
  // text that is token-replaced can end up containing it. Confirm that only
  // trusted configuration is able to reference this token.
  $service_account_token = [
    'name' => t('Kubernetes Service Account Token'),
    'description' => t('A token which retrieves the current value from /var/run/secrets/kubernetes.io/serviceaccount/token.'),
  ];

  return [
    'tokens' => [
      'bay_platform_dependencies' => [
        'k8s-service-account-token' => $service_account_token,
      ],
    ],
  ];
}
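/**
 * Implements hook_tokens().
 *
 * Replaces the 'k8s-service-account-token' token of the
 * 'bay_platform_dependencies' type with the contents of the file at
 * K8S_SERVICE_ACCOUNT_PATH, or with an empty string when that file does not
 * exist.
 *
 * NOTE(review): the replacement value is a live credential. Wherever the
 * token is expanded (rendered output, outgoing message bodies, logs of either)
 * ends up holding the secret; confirm that only trusted configuration can
 * reference it.
 *
 * @throws \Exception
 *   When the token file exists but cannot be read.
 */
function bay_platform_dependencies_tokens($type, $tokens, array $data, array $options, BubbleableMetadata $bubbleable_metadata) {
  $replacements = [];
  if ($type !== 'bay_platform_dependencies') {
    return $replacements;
  }

  foreach ($tokens as $name => $original) {
    // Strict comparison: only the exact token name is handled, so a numeric
    // array key can never be loosely matched against it.
    if ($name !== 'k8s-service-account-token') {
      continue;
    }

    // The value is read from disk on every call and is a secret. Mark the
    // result as uncacheable so it is neither served stale nor persisted in
    // the render cache alongside ordinary content.
    $bubbleable_metadata->setCacheMaxAge(0);

    if (!file_exists(K8S_SERVICE_ACCOUNT_PATH)) {
      // No token file present: the token expands to nothing.
      $replacements[$original] = '';
      continue;
    }

    $token = file_get_contents(K8S_SERVICE_ACCOUNT_PATH);
    if ($token === FALSE) {
      // Only the path goes into the message, never any token material.
      throw new \Exception(sprintf("Failed to read service account token at %s", K8S_SERVICE_ACCOUNT_PATH));
    }
    $replacements[$original] = $token;
  }

  return $replacements;
}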