diff options
3 files changed, 91 insertions, 0 deletions
diff --git a/app/controllers/action_mailbox/ingresses/mandrill/inbound_emails_controller.rb b/app/controllers/action_mailbox/ingresses/mandrill/inbound_emails_controller.rb new file mode 100644 index 0000000000..825ec6eabd --- /dev/null +++ b/app/controllers/action_mailbox/ingresses/mandrill/inbound_emails_controller.rb @@ -0,0 +1,59 @@ +class ActionMailbox::Ingresses::Mandrill::InboundEmailsController < ActionMailbox::BaseController + before_action :ensure_authenticated + + def create + raw_emails.each { |raw_email| ActionMailbox::InboundEmail.create_and_extract_message_id! raw_email } + head :ok + rescue JSON::ParserError => error + log.error error.message + head :unprocessable_entity + end + + private + def raw_emails + events.lazy. + select { |event| event["event"] == "inbound" }. + collect { |event| event.dig("msg", "raw_msg") }. + collect { |message| StringIO.new message } + end + + def events + JSON.parse params.require(:mandrill_events) + end + + + def ensure_authenticated + head :unauthorized unless authenticated? + end + + def authenticated? + Authenticator.new(request).authenticated? + end + + class Authenticator + cattr_accessor :key + + attr_reader :request + + def initialize(request) + @request = request + end + + def authenticated? + ActiveSupport::SecurityUtils.secure_compare given_signature, expected_signature + end + + private + def given_signature + request.headers["X-Mandrill-Signature"] + end + + def expected_signature + Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA1.new, key, message)).strip + end + + def message + [ request.original_url, request.POST.sort ].flatten.join + end + end +end diff --git a/config/routes.rb b/config/routes.rb index dea6cbd659..4a337dcc5c 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -5,6 +5,7 @@ Rails.application.routes.draw do post "/amazon/inbound_emails" => "action_mailbox/ingresses/amazon/inbound_emails#create", as: :rails_amazon_inbound_emails post "/postfix/inbound_emails" => "action_mailbox/ingresses/postfix/inbound_emails#create", as: :rails_postfix_inbound_emails post "/sendgrid/inbound_emails" => "action_mailbox/ingresses/sendgrid/inbound_emails#create", as: :rails_sendgrid_inbound_emails + post "/mandrill/inbound_emails" => "action_mailbox/ingresses/mandrill/inbound_emails#create", as: :rails_mandrill_inbound_emails # Mailgun requires that the webhook's URL end in 'mime' for it to receive the raw contents of emails. post "/mailgun/inbound_emails/mime" => "action_mailbox/ingresses/mailgun/inbound_emails#create", as: :rails_mailgun_inbound_emails diff --git a/test/controllers/ingresses/mandrill/inbound_emails_controller_test.rb b/test/controllers/ingresses/mandrill/inbound_emails_controller_test.rb new file mode 100644 index 0000000000..abef6baa4f --- /dev/null +++ b/test/controllers/ingresses/mandrill/inbound_emails_controller_test.rb @@ -0,0 +1,31 @@ +require "test_helper" + +ActionMailbox::Ingresses::Mandrill::InboundEmailsController::Authenticator.key = "1l9Qf7lutEf7h73VXfBwhw" + +class ActionMailbox::Ingresses::Mandrill::InboundEmailsControllerTest < ActionDispatch::IntegrationTest + setup do + @events = JSON.generate([{ event: "inbound", msg: { raw_msg: file_fixture("../files/welcome.eml").read } }]) + end + + test "receiving an inbound email from Mandrill" do + assert_difference -> { ActionMailbox::InboundEmail.count }, +1 do + post rails_mandrill_inbound_emails_url, + headers: { "X-Mandrill-Signature" => "gldscd2tAb/G+DmpiLcwukkLrC4=" }, params: { mandrill_events: @events } + end + + assert_response :ok + + inbound_email = ActionMailbox::InboundEmail.last + assert_equal file_fixture("../files/welcome.eml").read, inbound_email.raw_email.download + assert_equal "0CB459E0-0336-41DA-BC88-E6E28C697DDB@37signals.com", inbound_email.message_id + end + + test "rejecting a forged inbound email from Mandrill" do + assert_no_difference -> { ActionMailbox::InboundEmail.count } do + post rails_mandrill_inbound_emails_url, + headers: { "X-Mandrill-Signature" => "forged" }, params: { mandrill_events: @events } + end + + assert_response :unauthorized + end +end |