Added code to derive SES SMTP password from existing AWS API keys #348
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nicksantamaria
changed the title
nicksantamaria
commented
Feb 13, 2025
| @@ -155,7 +155,38 @@ | |||
| $config['smtp.settings']['smtp_allowhtml'] = 1; | |||
|
|
|||
| // @see baywatch.module for SMTP_REPLYTO setting. | |||
| $config['system.site']['mail'] = getenv('SMTP_FROM') ?: '[email protected]'; | |||
| $config['system.site']['mail'] = getenv('SMTP_FROM') ?: sprintf("%s.%[email protected]", getenv('LAGOON_ENVIRONMENT'), getenv('LAGOON_PROJECT')); | |||
There was a problem hiding this comment.
Sets the default FROM address to [env].[project]@sdp.delivery. This should be overridden in prod.
nicksantamaria
commented
Feb 13, 2025
Comment on lines
+161
to
+162
| if (empty($config['smtp.settings']['smtp_password']) && | ||
| str_contains($config['smtp.settings']['smtp_host'], "amazonaws.com")) { |
There was a problem hiding this comment.
Only enter this block if SMTP_PASSWORD is empty, and the host points to SES.
nicksantamaria
commented
Feb 13, 2025
nicksantamaria
commented
Feb 13, 2025
Comment on lines
+169
to
+186
| $config['smtp.settings']['smtp_password'] = (function(string $region, string $awsSecretAccessKey): string { | ||
| // Adapted from AWS SDK. | ||
| // @see https://github.com/aws/aws-sdk-php/blob/a63e79c15a972c54bf015a16cce3f3572e0c8221/src/Ses/SesClient.php#L195 | ||
| $date = "11111111"; | ||
| $service = "ses"; | ||
| $terminal = "aws4_request"; | ||
| $message = "SendRawEmail"; | ||
| $version = 0x04; | ||
|
|
||
| $signature = hash_hmac('sha256', $date, "AWS4" . $awsSecretAccessKey, true); | ||
| $signature = hash_hmac('sha256', $region, $signature, true); | ||
| $signature = hash_hmac('sha256', $service, $signature, true); | ||
| $signature = hash_hmac('sha256', $terminal, $signature, true); | ||
| $signature = hash_hmac('sha256', $message, $signature, true); | ||
| $signatureAndVersion = pack('c', $version) . $signature; | ||
|
|
||
| return base64_encode($signatureAndVersion); | ||
| })($region, $aws_key); |
There was a problem hiding this comment.
Went with a closure to prevent the function scope vars leaking out into the rest of settings.php
GROwen
reviewed
Feb 13, 2025
| $signatureAndVersion = pack('c', $version) . $signature; | ||
|
|
||
| return base64_encode($signatureAndVersion); | ||
| })($region, $aws_key); |
There was a problem hiding this comment.
Is this passing $region and $aws_key out to the parent scope?
There was a problem hiding this comment.
No this is passing those vars into the function.
To include parent scope vars the use ($region, $aws_key) syntax is used.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SES can not use the AWS_SECRET_ACCESS_KEY directly via the SMTP interfaces.
Changes
Sets default values for
SMTP_USERNAMEandSMTP_PASSWORDwhen none set, and AWS credentials are available.