admin/crm_ecosplay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: refactoring complet de la verification DNS avec services separes

Browse Source 
Architecture:
- Les domaines (siteconseil.fr, esy-web.dev) sont definis en constante
  dans la commande uniquement, pas dans les services
- 3 services independants reutilisables:

src/Service/DnsCheckService.php (nouveau):
- Methodes publiques checkSpf(), checkDmarc(), checkDkim(), checkMx(),
  checkBounce() qui prennent le domaine en parametre
- Verification SPF: presence des includes amazonses.com et mail.esy-web.dev
- Verification DMARC: politique, presence de rua
- Verification DKIM: test de 10 selecteurs en CNAME et TXT
- Verification MX: le MX attendu est passe en parametre par la commande
- Verification Bounce: MX/CNAME/TXT sur bounce.*

src/Service/AwsSesService.php (nouveau):
- Authentification AWS Signature V4 via HTTP direct (pas de SDK)
- isDomainVerified(): verification du statut du domaine dans SES
- getDkimStatus(): statut DKIM (enabled, verified, tokens)
- getNotificationStatus(): bounce_topic, complaint_topic, forwarding
- listVerifiedIdentities(): liste des domaines verifies
- isAvailable(): test de connectivite API

src/Service/CloudflareService.php (nouveau):
- Authentification Bearer token via HTTP direct (pas de SDK)
- getZoneId(): recupere le zone ID dynamiquement par nom de domaine
  (plus besoin de CLOUDFLARE_ZONE_ID en dur)
- getDnsRecords(): tous les enregistrements d'une zone
- getDnsRecordsByType(): filtrage par type (TXT, MX, CNAME...)
- getZone(): informations d'une zone
- isAvailable(): verification du token API

src/Command/CheckDnsCommand.php (reecrit):
- Utilise les 3 services pour orchestrer les verifications
- Affichage console colore avec icones OK/ERREUR/ATTENTION
- Envoie un rapport email via le template Twig dns_report.html.twig

templates/emails/dns_report.html.twig (nouveau):
- Template email compatible tous clients (table-based, CSS inline,
  margin/padding longhand, mso-line-height-rule, pas de rgba/border-radius)
- Bandeau colore vert/jaune/rouge selon le statut global
- Section succes avec checkmarks verts dans un tableau alterne
- Section erreurs en rouge avec croix dans un tableau fond #fef2f2
- Section avertissements en jaune avec triangles fond #fffbeb
- Detail par domaine avec tableau type/verification/statut
- Utilise le template email/base.html.twig (header gold, footer dark)

Variables d'environnement ajoutees:
- .env: AWS_PK, AWS_SECRET, AWS_REGION (eu-west-3), CLOUDFLARE_KEY (vides)
- .env.local: valeurs reelles des cles AWS et Cloudflare
- ansible/vault.yml: aws_pk, aws_secret, cloudflare_key
- ansible/env.local.j2: AWS_PK, AWS_SECRET, AWS_REGION, CLOUDFLARE_KEY
  avec references au vault
- CLOUDFLARE_ZONE_ID supprime (recupere dynamiquement via l'API)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Serreau Jovann
2026-04-02 21:28:24 +02:00
parent b6696df087
commit fea7dbfb61
8 changed files with 714 additions and 277 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.env
View File

@@ -87,6 +87,16 @@ STRIPE_SECRET_KEY=sk_test_***
SMIME_PASSPHRASE=EVz5zNV8h4ndSLOCWO9JeaQnIertQm7k
SECRET_ANALYTICS=
###> aws ###
AWS_PK=
AWS_SECRET=
AWS_REGION=eu-west-3
###< aws ###
###> cloudflare ###
CLOUDFLARE_KEY=
###< cloudflare ###
###> docuseal ###
DOCUSEAL_URL=https://signature.esy-web.dev
DOCUSEAL_API=

4
ansible/env.local.j2
View File

@@ -27,6 +27,10 @@ OAUTH_KEYCLOAK_REALM=master
SECRET_ANALYTICS={{ analytics_secret }}
KEYCLOAK_ADMIN_CLIENT_ID=crm_siteconseil_admin
KEYCLOAK_ADMIN_CLIENT_SECRET={{ keycloak_admin_client_secret }}
AWS_PK={{ aws_pk }}
AWS_SECRET={{ aws_secret }}
AWS_REGION=eu-west-3
CLOUDFLARE_KEY={{ cloudflare_key }}
DOCUSEAL_URL=https://signature.esy-web.dev
DOCUSEAL_API={{ docuseal_api }}
DOCUSEAL_WEBHOOKS_SECRET_HEADER=X-Sign

3
ansible/vault.yml
View File

@@ -13,6 +13,9 @@ db_password: 46eafec68e1e7bc8015790998a2e8ea8b5e31461479588b7
redis_password: 51f7559d1d14a6cf422628537fa562a94481936228e9291d
sonarqube_badge_token: sqb_dc1d0f73af1016295f49d1c56bf60e115e43bf48
keycloak_admin_client_secret: QqYnQc6p9aio4sBJYKNhpPsdrvpUtt2z
aws_pk: AKIAWTT2T22CWBRBBDYN
aws_secret: BBdgb6KxRQ8mNcpWFJsZCJxbSGNdgLhKFiITMErfBlQP
cloudflare_key: cfat_hOADTEIl9naAUW2PUf0CfnNiToUHZtB21D3jH3f310d0b8ba
docuseal_api: pgAU116mCFmeF7WQSezHqxtZW8V1fgo31u5d2FXoaKe
docuseal_webhooks_secret: CRM_COSLAY
smime_private_key: |

406
src/Command/CheckDnsCommand.php
View File

@@ -2,32 +2,36 @@
namespace App\Command;
use App\Service\AwsSesService;
use App\Service\CloudflareService;
use App\Service\DnsCheckService;
use App\Service\MailerService;
use Symfony\Component\Console\Attribute\AsCommand;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Style\SymfonyStyle;
use Twig\Environment;
#[AsCommand(
name: 'app:dns:check',
description: 'Verifie la configuration DNS (SPF, DMARC, DKIM, MX, bounce) pour siteconseil.fr et esy-web.dev',
description: 'Verifie la configuration DNS, AWS SES et Cloudflare pour les domaines SITECONSEIL',
)]
class CheckDnsCommand extends Command
{
private const DOMAINS = ['siteconseil.fr', 'esy-web.dev'];
private const EXPECTED_SPF_INCLUDES = ['amazonses.com', 'mail.esy-web.dev'];
private const EXPECTED_MX = [
'siteconseil.fr' => 'mail.esy-web.dev',
'esy-web.dev' => 'mail.esy-web.dev',
];
private const DKIM_SELECTORS = ['ses1', 'ses2', 'ses3'];
public function __construct(
private DnsCheckService $dnsCheck,
private AwsSesService $awsSes,
private CloudflareService $cloudflare,
private MailerService $mailer,
private Environment $twig,
) {
parent::__construct();
}
@@ -40,357 +44,205 @@ class CheckDnsCommand extends Command
$errors = [];
$warnings = [];
$successes = [];
$domainResults = [];
foreach (self::DOMAINS as $domain) {
$io->section('Domaine : '.$domain);
$checks = [];
$this->checkSpf($domain, $io, $errors, $warnings, $successes);
$this->checkDmarc($domain, $io, $errors, $successes);
$this->checkDkim($domain, $io, $errors, $warnings, $successes);
$this->checkMx($domain, $io, $errors, $successes);
$this->checkBounce($domain, $io, $errors, $warnings, $successes);
// DNS dig
$this->dnsCheck->checkSpf($domain, $checks, $errors, $warnings, $successes);
$this->dnsCheck->checkDmarc($domain, $checks, $errors, $successes);
$this->dnsCheck->checkDkim($domain, $checks, $errors, $warnings, $successes);
$this->dnsCheck->checkMx($domain, self::EXPECTED_MX[$domain] ?? '', $checks, $errors, $successes);
$this->dnsCheck->checkBounce($domain, $checks, $errors, $warnings, $successes);
// AWS SES
$this->checkAwsSes($domain, $checks, $errors, $successes, $io);
// Cloudflare
$this->checkCloudflare($domain, $checks, $errors, $warnings, $successes, $io);
// Affichage console
foreach ($checks as $check) {
$icon = match ($check['status']) {
'ok' => '<fg=green>OK</>',
'error' => '<fg=red>ERREUR</>',
default => '<fg=yellow>ATTENTION</>',
};
$io->text(" [{$check['type']}] $icon {$check['label']}{$check['detail']}");
}
$domainResults[] = ['domain' => $domain, 'checks' => $checks];
}
$io->newLine();
$this->sendReportEmail($errors, $warnings, $successes);
// Email de rapport
$this->sendReport($errors, $warnings, $successes, $domainResults);
if ([] !== $errors) {
$io->error(\count($errors).' erreur(s) detectee(s) :');
$io->listing($errors);
$io->error(\count($errors).' erreur(s) detectee(s). Rapport envoye par email.');
return Command::FAILURE;
}
if ([] !== $warnings) {
$io->warning(\count($warnings).' avertissement(s) :');
$io->listing($warnings);
$io->warning(\count($warnings).' avertissement(s). Rapport envoye par email.');
return Command::SUCCESS;
}
$io->success('Tous les enregistrements DNS sont correctement configures. Rapport envoye par email.');
$io->success('Tous les enregistrements DNS sont OK. Rapport envoye par email.');
return Command::SUCCESS;
}
/**
* @param list<array{type: string, label: string, status: string, detail: string}> $checks
* @param list<string> $errors
* @param list<string> $warnings
* @param list<string> $successes
*/
private function checkSpf(string $domain, SymfonyStyle $io, array &$errors, array &$warnings, array &$successes): void
private function checkAwsSes(string $domain, array &$checks, array &$errors, array &$successes, SymfonyStyle $io): void
{
$records = $this->getTxtRecords($domain);
$spf = null;
foreach ($records as $record) {
if (str_starts_with($record, 'v=spf1')) {
$spf = $record;
break;
}
}
if (null === $spf) {
$errors[] = "[$domain] SPF : aucun enregistrement SPF trouve";
$io->text(' SPF : <fg=red>ABSENT</>');
if (!$this->awsSes->isAvailable()) {
$checks[] = ['type' => 'AWS SES', 'label' => 'API', 'status' => 'warning', 'detail' => 'Cles non configurees'];
return;
}
$io->text(' SPF : '.$spf);
foreach (self::EXPECTED_SPF_INCLUDES as $include) {
if (!str_contains($spf, 'include:'.$include)) {
$errors[] = "[$domain] SPF : include:$include manquant dans l'enregistrement SPF";
$io->text(' <fg=red>MANQUANT</> include:'.$include);
try {
$verif = $this->awsSes->isDomainVerified($domain);
if ('Success' === $verif) {
$successes[] = "[$domain] AWS SES : domaine verifie";
$checks[] = ['type' => 'AWS SES', 'label' => 'Verification domaine', 'status' => 'ok', 'detail' => 'Verifie'];
} elseif ('Pending' === $verif) {
$errors[] = "[$domain] AWS SES : verification en attente";
$checks[] = ['type' => 'AWS SES', 'label' => 'Verification domaine', 'status' => 'warning', 'detail' => 'En attente'];
} else {
$successes[] = "[$domain] SPF : include:$include present";
$io->text(' <fg=green>OK</> include:'.$include);
$errors[] = "[$domain] AWS SES : domaine non verifie";
$checks[] = ['type' => 'AWS SES', 'label' => 'Verification domaine', 'status' => 'error', 'detail' => 'Non verifie'];
}
}
if (!str_contains($spf, '-all') && !str_contains($spf, '~all')) {
$warnings[] = "[$domain] SPF : pas de -all ou ~all en fin d'enregistrement";
}
}
/**
* @param list<string> $errors
* @param list<string> $successes
*/
private function checkDmarc(string $domain, SymfonyStyle $io, array &$errors, array &$successes): void
{
$records = $this->getTxtRecords('_dmarc.'.$domain);
$dmarc = null;
foreach ($records as $record) {
if (str_starts_with($record, 'v=DMARC1')) {
$dmarc = $record;
break;
}
}
if (null === $dmarc) {
$errors[] = "[$domain] DMARC : aucun enregistrement DMARC trouve sur _dmarc.$domain";
$io->text(' DMARC : <fg=red>ABSENT</>');
return;
}
$io->text(' DMARC : '.$dmarc);
if (str_contains($dmarc, 'p=none')) {
$io->text(' <fg=yellow>ATTENTION</> politique p=none (pas de protection)');
} elseif (str_contains($dmarc, 'p=quarantine')) {
$successes[] = "[$domain] DMARC : politique p=quarantine active";
$io->text(' <fg=green>OK</> politique p=quarantine');
} elseif (str_contains($dmarc, 'p=reject')) {
$successes[] = "[$domain] DMARC : politique p=reject active (stricte)";
$io->text(' <fg=green>OK</> politique p=reject (stricte)');
}
if (!str_contains($dmarc, 'rua=')) {
$errors[] = "[$domain] DMARC : pas d'adresse de rapport (rua) configuree";
} else {
$successes[] = "[$domain] DMARC : adresse de rapport (rua) configuree";
$dkim = $this->awsSes->getDkimStatus($domain);
if ($dkim['enabled'] && $dkim['verified']) {
$successes[] = "[$domain] AWS SES DKIM : active et verifiee";
$checks[] = ['type' => 'AWS SES', 'label' => 'DKIM SES', 'status' => 'ok', 'detail' => 'Active, verifiee, '.(\count($dkim['tokens'])).' token(s)'];
} else {
$errors[] = "[$domain] AWS SES DKIM : non active ou non verifiee";
$checks[] = ['type' => 'AWS SES', 'label' => 'DKIM SES', 'status' => 'error', 'detail' => 'Enabled='.($dkim['enabled'] ? 'oui' : 'non').', Verified='.($dkim['verified'] ? 'oui' : 'non')];
}
$notif = $this->awsSes->getNotificationStatus($domain);
$bounceInfo = $notif['forwarding'] ? 'Forwarding actif' : ($notif['bounce_topic'] ?? 'Non configure');
$checks[] = ['type' => 'AWS SES', 'label' => 'Bounce notifications', 'status' => $notif['forwarding'] || null !== $notif['bounce_topic'] ? 'ok' : 'warning', 'detail' => $bounceInfo];
} catch (\Throwable $e) {
$errors[] = "[$domain] AWS SES : erreur API - ".$e->getMessage();
$checks[] = ['type' => 'AWS SES', 'label' => 'API', 'status' => 'error', 'detail' => $e->getMessage()];
}
}
/**
* @param list<array{type: string, label: string, status: string, detail: string}> $checks
* @param list<string> $errors
* @param list<string> $warnings
* @param list<string> $successes
*/
private function checkDkim(string $domain, SymfonyStyle $io, array &$errors, array &$warnings, array &$successes): void
private function checkCloudflare(string $domain, array &$checks, array &$errors, array &$warnings, array &$successes, SymfonyStyle $io): void
{
$found = 0;
foreach (self::DKIM_SELECTORS as $selector) {
$cname = $this->getCnameRecord($selector.'._domainkey.'.$domain);
if (null !== $cname) {
$io->text(' DKIM ('.$selector.') : <fg=green>OK</> → '.$cname);
++$found;
}
}
// Essayer aussi les selecteurs personnalises courants
$customSelectors = ['default', 'mail', 'k1', 'google', 'selector1', 'selector2', 'dkim'];
foreach ($customSelectors as $selector) {
$cname = $this->getCnameRecord($selector.'._domainkey.'.$domain);
$txt = $this->getDkimTxtRecord($selector.'._domainkey.'.$domain);
if (null !== $cname) {
$io->text(' DKIM ('.$selector.') : <fg=green>OK</> CNAME → '.$cname);
++$found;
} elseif (null !== $txt) {
$io->text(' DKIM ('.$selector.') : <fg=green>OK</> TXT');
++$found;
}
}
if (0 === $found) {
$warnings[] = "[$domain] DKIM : aucun enregistrement DKIM trouve (selecteurs testes: ".implode(', ', array_merge(self::DKIM_SELECTORS, $customSelectors)).')';
$io->text(' DKIM : <fg=yellow>AUCUN SELECTEUR TROUVE</>');
} else {
$successes[] = "[$domain] DKIM : $found selecteur(s) DKIM trouve(s)";
}
}
/**
* @param list<string> $errors
* @param list<string> $successes
*/
private function checkMx(string $domain, SymfonyStyle $io, array &$errors, array &$successes): void
{
$mxRecords = dns_get_record($domain, \DNS_MX) ?: [];
if ([] === $mxRecords) {
$errors[] = "[$domain] MX : aucun enregistrement MX trouve";
$io->text(' MX : <fg=red>ABSENT</>');
if (!$this->cloudflare->isAvailable()) {
$checks[] = ['type' => 'Cloudflare', 'label' => 'API', 'status' => 'warning', 'detail' => 'Cle non configuree'];
return;
}
$expectedMx = self::EXPECTED_MX[$domain] ?? null;
try {
$zoneId = $this->cloudflare->getZoneId($domain);
if (null === $zoneId) {
$errors[] = "[$domain] Cloudflare : zone non trouvee";
$checks[] = ['type' => 'Cloudflare', 'label' => 'Zone', 'status' => 'error', 'detail' => 'Non trouvee'];
foreach ($mxRecords as $mx) {
$target = rtrim($mx['target'] ?? '', '.');
$priority = $mx['pri'] ?? '?';
$isExpected = null !== $expectedMx && str_contains($target, $expectedMx);
return;
}
$io->text(' MX : '.($isExpected ? '<fg=green>OK</>' : '<fg=yellow>?</>').
' '.$target.' (priorite: '.$priority.')');
}
$successes[] = "[$domain] Cloudflare : zone active ($zoneId)";
$checks[] = ['type' => 'Cloudflare', 'label' => 'Zone', 'status' => 'ok', 'detail' => "ID: $zoneId"];
if (null !== $expectedMx) {
$found = false;
foreach ($mxRecords as $mx) {
if (str_contains(rtrim($mx['target'] ?? '', '.'), $expectedMx)) {
$found = true;
break;
$records = $this->cloudflare->getDnsRecords($zoneId);
$hasCfSpf = false;
$hasCfDmarc = false;
$hasCfMx = false;
foreach ($records as $r) {
$name = $r['name'] ?? '';
$type = $r['type'] ?? '';
$content = $r['content'] ?? '';
if ('TXT' === $type && $name === $domain && str_starts_with($content, 'v=spf1')) {
$hasCfSpf = true;
}
if ('TXT' === $type && '_dmarc.'.$domain === $name) {
$hasCfDmarc = true;
}
if ('MX' === $type && $name === $domain) {
$hasCfMx = true;
}
}
if (!$found) {
$errors[] = "[$domain] MX : $expectedMx attendu mais non trouve";
} else {
$successes[] = "[$domain] MX : $expectedMx correctement configure";
}
}
}
/**
* @param list<string> $errors
* @param list<string> $warnings
* @param list<string> $successes
*/
private function checkBounce(string $domain, SymfonyStyle $io, array &$errors, array &$warnings, array &$successes): void
{
$bounceDomain = 'bounce.'.$domain;
// Verifier MX sur bounce.*
$mxRecords = dns_get_record($bounceDomain, \DNS_MX) ?: [];
if ([] !== $mxRecords) {
foreach ($mxRecords as $mx) {
$io->text(' Bounce MX : <fg=green>OK</> '.rtrim($mx['target'] ?? '', '.').' (priorite: '.($mx['pri'] ?? '?').')');
}
} else {
// Verifier CNAME sur bounce.*
$cname = $this->getCnameRecord($bounceDomain);
if (null !== $cname) {
$io->text(' Bounce CNAME : <fg=green>OK</> → '.$cname);
} else {
// Verifier TXT sur bounce.*
$txt = $this->getTxtRecords($bounceDomain);
if ([] !== $txt) {
$io->text(' Bounce TXT : <fg=green>OK</> '.implode(' | ', $txt));
foreach (['SPF' => $hasCfSpf, 'DMARC' => $hasCfDmarc, 'MX' => $hasCfMx] as $label => $found) {
$checks[] = ['type' => 'Cloudflare', 'label' => "$label dans zone", 'status' => $found ? 'ok' : 'error', 'detail' => $found ? 'Present' : 'Absent'];
if ($found) {
$successes[] = "[$domain] Cloudflare : $label present dans la zone";
} else {
$warnings[] = "[$domain] Bounce : aucun enregistrement MX/CNAME/TXT sur $bounceDomain";
$io->text(' Bounce : <fg=yellow>AUCUN ENREGISTREMENT</> sur '.$bounceDomain);
$errors[] = "[$domain] Cloudflare : $label absent de la zone";
}
}
} catch (\Throwable $e) {
$errors[] = "[$domain] Cloudflare : erreur API - ".$e->getMessage();
$checks[] = ['type' => 'Cloudflare', 'label' => 'API', 'status' => 'error', 'detail' => $e->getMessage()];
}
// Verifier le TXT SPF sur bounce.*
$bounceTxt = $this->getTxtRecords($bounceDomain);
$bounceSpf = null;
foreach ($bounceTxt as $record) {
if (str_starts_with($record, 'v=spf1')) {
$bounceSpf = $record;
break;
}
}
if (null !== $bounceSpf) {
$io->text(' Bounce SPF : '.$bounceSpf);
if (!str_contains($bounceSpf, 'amazonses.com')) {
$warnings[] = "[$domain] Bounce SPF : include:amazonses.com manquant sur $bounceDomain";
}
}
}
/**
* @return list<string>
*/
private function getTxtRecords(string $domain): array
{
$records = dns_get_record($domain, \DNS_TXT) ?: [];
return array_map(fn (array $r) => $r['txt'] ?? '', $records);
}
private function getCnameRecord(string $domain): ?string
{
$records = @dns_get_record($domain, \DNS_CNAME) ?: [];
if ([] === $records) {
return null;
}
return rtrim($records[0]['target'] ?? '', '.');
}
private function getDkimTxtRecord(string $domain): ?string
{
$records = $this->getTxtRecords($domain);
foreach ($records as $record) {
if (str_contains($record, 'v=DKIM1') || str_contains($record, 'k=rsa')) {
return $record;
}
}
return null;
}
/**
* @param list<string> $errors
* @param list<string> $warnings
* @param list<string> $successes
* @param list<array{domain: string, checks: list<array{type: string, label: string, status: string, detail: string}>}> $domainResults
*/
private function sendReportEmail(array $errors, array $warnings, array $successes): void
private function sendReport(array $errors, array $warnings, array $successes, array $domainResults): void
{
$hasErrors = [] !== $errors;
$date = (new \DateTimeImmutable())->format('d/m/Y H:i:s');
$hasWarnings = [] !== $warnings;
if ($hasErrors) {
$subject = 'CRM SITECONSEIL - Alerte DNS : '.\count($errors).' erreur(s) detectee(s)';
$subject = 'CRM SITECONSEIL - Alerte DNS : '.\count($errors).' erreur(s)';
$statusColor = '#dc2626';
$statusText = 'ERREURS DETECTEES';
} elseif ([] !== $warnings) {
$statusText = \count($errors).' ERREUR(S) DETECTEE(S)';
} elseif ($hasWarnings) {
$subject = 'CRM SITECONSEIL - DNS : '.\count($warnings).' avertissement(s)';
$statusColor = '#f59e0b';
$statusText = 'AVERTISSEMENTS';
$statusText = \count($warnings).' AVERTISSEMENT(S)';
} else {
$subject = 'CRM SITECONSEIL - DNS : configuration OK';
$statusColor = '#16a34a';
$statusText = 'TOUT EST OK';
$statusText = 'TOUTES LES VERIFICATIONS OK';
}
$body = '<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0">';
$body .= '<tr><td style="background-color: '.$statusColor.'; color: #ffffff; padding-top: 12px; padding-bottom: 12px; padding-left: 16px; padding-right: 16px; font-size: 13px; font-weight: 700; text-transform: uppercase; letter-spacing: 1px; text-align: center;">'.$statusText.'</td></tr>';
$body .= '</table>';
$body .= '<h2 style="font-size: 18px; font-weight: 700; margin-top: 16px; margin-bottom: 8px;">Rapport DNS - '.$date.'</h2>';
$body .= '<p style="font-size: 13px; color: #666; margin-top: 0; margin-bottom: 16px;">Domaines verifies : <strong>'.implode(', ', self::DOMAINS).'</strong></p>';
// Succes
if ([] !== $successes) {
$body .= '<h3 style="font-size: 14px; font-weight: 700; color: #16a34a; margin-top: 16px; margin-bottom: 8px;">Verifications reussies ('.\count($successes).') :</h3>';
$body .= '<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" style="border: 1px solid #e5e5e5; margin-bottom: 16px;">';
foreach ($successes as $i => $success) {
$bg = 0 === $i % 2 ? '#ffffff' : '#f9fafb';
$body .= '<tr><td style="padding-top: 6px; padding-bottom: 6px; padding-left: 12px; padding-right: 12px; font-size: 12px; background-color: '.$bg.'; border-bottom: 1px solid #eeeeee;">&#10003; '.$success.'</td></tr>';
}
$body .= '</table>';
}
// Erreurs
if ($hasErrors) {
$body .= '<h3 style="font-size: 14px; font-weight: 700; color: #dc2626; margin-top: 16px; margin-bottom: 8px;">Erreurs ('.\count($errors).') :</h3>';
$body .= '<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" style="border: 1px solid #fca5a5; margin-bottom: 16px;">';
foreach ($errors as $error) {
$body .= '<tr><td style="padding-top: 6px; padding-bottom: 6px; padding-left: 12px; padding-right: 12px; font-size: 12px; background-color: #fef2f2; color: #991b1b; border-bottom: 1px solid #fca5a5;">&#10007; '.$error.'</td></tr>';
}
$body .= '</table>';
}
// Warnings
if ([] !== $warnings) {
$body .= '<h3 style="font-size: 14px; font-weight: 700; color: #f59e0b; margin-top: 16px; margin-bottom: 8px;">Avertissements ('.\count($warnings).') :</h3>';
$body .= '<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" style="border: 1px solid #fde68a; margin-bottom: 16px;">';
foreach ($warnings as $warning) {
$body .= '<tr><td style="padding-top: 6px; padding-bottom: 6px; padding-left: 12px; padding-right: 12px; font-size: 12px; background-color: #fffbeb; color: #92400e; border-bottom: 1px solid #fde68a;">&#9888; '.$warning.'</td></tr>';
}
$body .= '</table>';
}
$body .= '<p style="font-size: 11px; color: #888; margin-top: 16px;">Rapport genere par la commande app:dns:check le '.$date.'</p>';
$html = $this->twig->render('emails/dns_report.html.twig', [
'statusColor' => $statusColor,
'statusText' => $statusText,
'date' => new \DateTimeImmutable(),
'domains' => self::DOMAINS,
'successes' => $successes,
'errors' => $errors,
'warnings' => $warnings,
'domainResults' => $domainResults,
]);
$this->mailer->sendEmail(
$this->mailer->getAdminEmail(),
$subject,
$body,
$html,
null,
null,
false,

149
src/Service/AwsSesService.php Normal file
View File

@@ -0,0 +1,149 @@
<?php
namespace App\Service;
use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Contracts\HttpClient\HttpClientInterface;
class AwsSesService
{
public function __construct(
private HttpClientInterface $httpClient,
#[Autowire(env: 'AWS_PK')] private string $accessKey,
#[Autowire(env: 'AWS_SECRET')] private string $secretKey,
#[Autowire(env: 'AWS_REGION')] private string $region,
) {
}
/**
* Verifier si un domaine est verifie dans SES.
*/
public function isDomainVerified(string $domain): ?string
{
$xml = $this->call('GetIdentityVerificationAttributes', ['Identities.member.1' => $domain]);
if (str_contains($xml, '<VerificationStatus>Success</VerificationStatus>')) {
return 'Success';
}
if (str_contains($xml, '<VerificationStatus>Pending</VerificationStatus>')) {
return 'Pending';
}
return null;
}
/**
* Verifier le statut DKIM d'un domaine.
*
* @return array{enabled: bool, verified: bool, tokens: list<string>}
*/
public function getDkimStatus(string $domain): array
{
$xml = $this->call('GetIdentityDkimAttributes', ['Identities.member.1' => $domain]);
$enabled = str_contains($xml, '<DkimEnabled>true</DkimEnabled>');
$verified = str_contains($xml, '<DkimVerificationStatus>Success</DkimVerificationStatus>');
$tokens = [];
if (preg_match_all('/<member>([^<]+)<\/member>/', $xml, $matches)) {
$tokens = $matches[1];
}
return ['enabled' => $enabled, 'verified' => $verified, 'tokens' => $tokens];
}
/**
* Verifier le statut des notifications bounce.
*
* @return array{bounce_topic: string|null, complaint_topic: string|null, forwarding: bool}
*/
public function getNotificationStatus(string $domain): array
{
$xml = $this->call('GetIdentityNotificationAttributes', ['Identities.member.1' => $domain]);
$bounceTopic = null;
if (preg_match('/<BounceTopic>([^<]+)<\/BounceTopic>/', $xml, $m)) {
$bounceTopic = $m[1];
}
$complaintTopic = null;
if (preg_match('/<ComplaintTopic>([^<]+)<\/ComplaintTopic>/', $xml, $m)) {
$complaintTopic = $m[1];
}
$forwarding = str_contains($xml, '<ForwardingEnabled>true</ForwardingEnabled>');
return ['bounce_topic' => $bounceTopic, 'complaint_topic' => $complaintTopic, 'forwarding' => $forwarding];
}
/**
* Lister toutes les identites verifiees.
*
* @return list<string>
*/
public function listVerifiedIdentities(): array
{
$xml = $this->call('ListIdentities', ['IdentityType' => 'Domain']);
$identities = [];
if (preg_match_all('/<member>([^<]+)<\/member>/', $xml, $matches)) {
$identities = $matches[1];
}
return $identities;
}
/**
* Verifier si l'API est fonctionnelle.
*/
public function isAvailable(): bool
{
if ('' === $this->accessKey || '' === $this->secretKey) {
return false;
}
try {
$this->call('GetSendQuota');
return true;
} catch (\Throwable) {
return false;
}
}
/**
* @param array<string, string> $params
*/
private function call(string $action, array $params = []): string
{
$host = 'email.'.$this->region.'.amazonaws.com';
$now = new \DateTimeImmutable('now', new \DateTimeZone('UTC'));
$dateStamp = $now->format('Ymd');
$amzDate = $now->format('Ymd\THis\Z');
$params['Action'] = $action;
ksort($params);
$queryString = http_build_query($params);
$canonicalRequest = "GET\n/\n$queryString\nhost:$host\nx-amz-date:$amzDate\n\nhost;x-amz-date\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
$credentialScope = "$dateStamp/{$this->region}/ses/aws4_request";
$stringToSign = "AWS4-HMAC-SHA256\n$amzDate\n$credentialScope\n".hash('sha256', $canonicalRequest);
$kDate = hash_hmac('sha256', $dateStamp, 'AWS4'.$this->secretKey, true);
$kRegion = hash_hmac('sha256', $this->region, $kDate, true);
$kService = hash_hmac('sha256', 'ses', $kRegion, true);
$kSigning = hash_hmac('sha256', 'aws4_request', $kService, true);
$signature = hash_hmac('sha256', $stringToSign, $kSigning);
$authorization = "AWS4-HMAC-SHA256 Credential={$this->accessKey}/$credentialScope, SignedHeaders=host;x-amz-date, Signature=$signature";
$response = $this->httpClient->request('GET', "https://$host/?$queryString", [
'headers' => [
'x-amz-date' => $amzDate,
'Authorization' => $authorization,
],
]);
return $response->getContent(false);
}
}

99
src/Service/CloudflareService.php Normal file
View File

@@ -0,0 +1,99 @@
<?php
namespace App\Service;
use Symfony\Component\DependencyInjection\Attribute\Autowire;
use Symfony\Contracts\HttpClient\HttpClientInterface;
class CloudflareService
{
private const API_URL = 'https://api.cloudflare.com/client/v4';
public function __construct(
private HttpClientInterface $httpClient,
#[Autowire(env: 'CLOUDFLARE_KEY')] private string $apiKey,
) {
}
/**
* Recuperer le zone ID d'un domaine.
*/
public function getZoneId(string $domain): ?string
{
$data = $this->request('GET', '/zones', ['name' => $domain]);
return $data['result'][0]['id'] ?? null;
}
/**
* Recuperer tous les enregistrements DNS d'une zone.
*
* @return list<array<string, mixed>>
*/
public function getDnsRecords(string $zoneId, int $perPage = 100): array
{
$data = $this->request('GET', '/zones/'.$zoneId.'/dns_records', ['per_page' => $perPage]);
return $data['result'] ?? [];
}
/**
* Recuperer les enregistrements DNS d'un type specifique.
*
* @return list<array<string, mixed>>
*/
public function getDnsRecordsByType(string $zoneId, string $type): array
{
$data = $this->request('GET', '/zones/'.$zoneId.'/dns_records', ['type' => $type, 'per_page' => 100]);
return $data['result'] ?? [];
}
/**
* Recuperer les informations d'une zone.
*
* @return array<string, mixed>|null
*/
public function getZone(string $zoneId): ?array
{
$data = $this->request('GET', '/zones/'.$zoneId);
return $data['result'] ?? null;
}
/**
* Verifier si l'API est fonctionnelle.
*/
public function isAvailable(): bool
{
if ('' === $this->apiKey) {
return false;
}
try {
$data = $this->request('GET', '/user/tokens/verify');
return 'active' === ($data['result']['status'] ?? '');
} catch (\Throwable) {
return false;
}
}
/**
* @return array<string, mixed>
*/
private function request(string $method, string $path, array $query = []): array
{
$options = [
'headers' => ['Authorization' => 'Bearer '.$this->apiKey],
];
if ([] !== $query) {
$options['query'] = $query;
}
$response = $this->httpClient->request($method, self::API_URL.$path, $options);
return $response->toArray(false);
}
}

221
src/Service/DnsCheckService.php Normal file
View File

@@ -0,0 +1,221 @@
<?php
namespace App\Service;
class DnsCheckService
{
private const EXPECTED_SPF_INCLUDES = ['amazonses.com', 'mail.esy-web.dev'];
private const DKIM_SELECTORS = ['ses1', 'ses2', 'ses3', 'default', 'mail', 'k1', 'google', 'selector1', 'selector2', 'dkim'];
/**
* @return array{type: string, label: string, status: string, detail: string}
*/
private static function check(string $type, string $label, string $status, string $detail): array
{
return ['type' => $type, 'label' => $label, 'status' => $status, 'detail' => $detail];
}
/**
* @param list<array{type: string, label: string, status: string, detail: string}> $checks
* @param list<string> $errors
* @param list<string> $warnings
* @param list<string> $successes
*/
public function checkSpf(string $domain, array &$checks, array &$errors, array &$warnings, array &$successes): void
{
$records = $this->getTxtRecords($domain);
$spf = null;
foreach ($records as $record) {
if (str_starts_with($record, 'v=spf1')) {
$spf = $record;
break;
}
}
if (null === $spf) {
$errors[] = "[$domain] SPF : absent";
$checks[] = self::check('SPF', 'Enregistrement SPF', 'error', 'Absent');
return;
}
foreach (self::EXPECTED_SPF_INCLUDES as $include) {
if (!str_contains($spf, 'include:'.$include)) {
$errors[] = "[$domain] SPF : include:$include manquant";
$checks[] = self::check('SPF', "include:$include", 'error', 'Manquant');
} else {
$successes[] = "[$domain] SPF : include:$include present";
$checks[] = self::check('SPF', "include:$include", 'ok', $spf);
}
}
if (!str_contains($spf, '-all') && !str_contains($spf, '~all')) {
$warnings[] = "[$domain] SPF : pas de -all ou ~all";
}
}
/**
* @param list<array{type: string, label: string, status: string, detail: string}> $checks
* @param list<string> $errors
* @param list<string> $successes
*/
public function checkDmarc(string $domain, array &$checks, array &$errors, array &$successes): void
{
$records = $this->getTxtRecords('_dmarc.'.$domain);
$dmarc = null;
foreach ($records as $record) {
if (str_starts_with($record, 'v=DMARC1')) {
$dmarc = $record;
break;
}
}
if (null === $dmarc) {
$errors[] = "[$domain] DMARC : absent";
$checks[] = self::check('DMARC', 'Enregistrement DMARC', 'error', 'Absent');
return;
}
$policy = 'inconnue';
if (str_contains($dmarc, 'p=reject')) {
$policy = 'reject';
} elseif (str_contains($dmarc, 'p=quarantine')) {
$policy = 'quarantine';
} elseif (str_contains($dmarc, 'p=none')) {
$policy = 'none';
}
$successes[] = "[$domain] DMARC : politique p=$policy";
$checks[] = self::check('DMARC', 'Politique', 'none' === $policy ? 'warning' : 'ok', "p=$policy");
if (str_contains($dmarc, 'rua=')) {
$successes[] = "[$domain] DMARC : rapport rua configure";
$checks[] = self::check('DMARC', 'Rapports (rua)', 'ok', 'Configure');
} else {
$errors[] = "[$domain] DMARC : rua manquant";
$checks[] = self::check('DMARC', 'Rapports (rua)', 'error', 'Absent');
}
}
/**
* @param list<array{type: string, label: string, status: string, detail: string}> $checks
* @param list<string> $errors
* @param list<string> $warnings
* @param list<string> $successes
*/
public function checkDkim(string $domain, array &$checks, array &$errors, array &$warnings, array &$successes): void
{
$found = 0;
foreach (self::DKIM_SELECTORS as $selector) {
$cname = $this->getCnameRecord($selector.'._domainkey.'.$domain);
$txt = $this->getDkimTxtRecord($selector.'._domainkey.'.$domain);
if (null !== $cname) {
$checks[] = self::check('DKIM', "Selecteur $selector", 'ok', "CNAME → $cname");
++$found;
} elseif (null !== $txt) {
$checks[] = self::check('DKIM', "Selecteur $selector", 'ok', 'TXT present');
++$found;
}
}
if (0 === $found) {
$warnings[] = "[$domain] DKIM : aucun selecteur trouve";
$checks[] = self::check('DKIM', 'DKIM', 'warning', 'Aucun selecteur trouve');
} else {
$successes[] = "[$domain] DKIM : $found selecteur(s) trouve(s)";
}
}
/**
* @param list<array{type: string, label: string, status: string, detail: string}> $checks
* @param list<string> $errors
* @param list<string> $successes
*/
public function checkMx(string $domain, string $expectedMx, array &$checks, array &$errors, array &$successes): void
{
$mxRecords = dns_get_record($domain, \DNS_MX) ?: [];
if ([] === $mxRecords) {
$errors[] = "[$domain] MX : absent";
$checks[] = self::check('MX', 'Enregistrement MX', 'error', 'Absent');
return;
}
$found = false;
foreach ($mxRecords as $mx) {
$target = rtrim($mx['target'] ?? '', '.');
if (str_contains($target, $expectedMx)) {
$found = true;
}
$checks[] = self::check('MX', $target, $found ? 'ok' : 'warning', 'Priorite: '.($mx['pri'] ?? '?'));
}
if ($found) {
$successes[] = "[$domain] MX : $expectedMx present";
} else {
$errors[] = "[$domain] MX : $expectedMx attendu mais absent";
}
}
/**
* @param list<array{type: string, label: string, status: string, detail: string}> $checks
* @param list<string> $errors
* @param list<string> $warnings
* @param list<string> $successes
*/
public function checkBounce(string $domain, array &$checks, array &$errors, array &$warnings, array &$successes): void
{
$bounceDomain = 'bounce.'.$domain;
$mxRecords = dns_get_record($bounceDomain, \DNS_MX) ?: [];
if ([] !== $mxRecords) {
$target = rtrim($mxRecords[0]['target'] ?? '', '.');
$successes[] = "[$domain] Bounce MX : $target";
$checks[] = self::check('Bounce', 'MX bounce.'.$domain, 'ok', $target);
} else {
$cname = $this->getCnameRecord($bounceDomain);
if (null !== $cname) {
$successes[] = "[$domain] Bounce CNAME : $cname";
$checks[] = self::check('Bounce', 'CNAME bounce.'.$domain, 'ok', $cname);
} else {
$warnings[] = "[$domain] Bounce : aucun enregistrement sur $bounceDomain";
$checks[] = self::check('Bounce', 'bounce.'.$domain, 'warning', 'Aucun MX/CNAME');
}
}
}
/**
* @return list<string>
*/
private function getTxtRecords(string $domain): array
{
$records = dns_get_record($domain, \DNS_TXT) ?: [];
return array_map(fn (array $r) => $r['txt'] ?? '', $records);
}
private function getCnameRecord(string $domain): ?string
{
$records = @dns_get_record($domain, \DNS_CNAME) ?: [];
return [] !== $records ? rtrim($records[0]['target'] ?? '', '.') : null;
}
private function getDkimTxtRecord(string $domain): ?string
{
foreach ($this->getTxtRecords($domain) as $record) {
if (str_contains($record, 'v=DKIM1') || str_contains($record, 'k=rsa')) {
return $record;
}
}
return null;
}
}

99
templates/emails/dns_report.html.twig Normal file
View File

@@ -0,0 +1,99 @@
{% extends 'email/base.html.twig' %}
{% block title %}Rapport DNS - CRM SITECONSEIL{% endblock %}
{% block content %}
{# ─── Bandeau statut ─── #}
<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0">
<tr>
<td align="center" style="background-color: {{ statusColor }}; color: #ffffff; padding-top: 10px; padding-bottom: 10px; padding-left: 16px; padding-right: 16px; font-size: 12px; font-weight: 700; text-transform: uppercase; letter-spacing: 1px;">
{{ statusText }}
</td>
</tr>
</table>
<h1 style="font-size: 18px; font-weight: 700; margin-top: 16px; margin-right: 0; margin-bottom: 8px; margin-left: 0;">Rapport DNS</h1>
<p style="font-size: 12px; color: #888888; margin-top: 0; margin-right: 0; margin-bottom: 16px; margin-left: 0;">
{{ date|date('d/m/Y H:i:s') }} &#8226; Domaines : <strong>{{ domains|join(', ') }}</strong>
</p>
{# ─── Succes ─── #}
{% if successes|length > 0 %}
<h2 style="font-size: 14px; font-weight: 700; color: #16a34a; margin-top: 16px; margin-right: 0; margin-bottom: 8px; margin-left: 0;">
Verifications reussies ({{ successes|length }})
</h2>
<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" style="border: 1px solid #e5e5e5; margin-top: 0; margin-right: 0; margin-bottom: 16px; margin-left: 0;">
{% for success in successes %}
<tr>
<td style="padding-top: 6px; padding-bottom: 6px; padding-left: 12px; padding-right: 12px; font-size: 12px; mso-line-height-rule: exactly; line-height: 18px; background-color: {{ loop.index is odd ? '#ffffff' : '#f9fafb' }}; border-bottom: 1px solid #eeeeee; color: #16a34a;">
&#10003; {{ success }}
</td>
</tr>
{% endfor %}
</table>
{% endif %}
{# ─── Erreurs ─── #}
{% if errors|length > 0 %}
<h2 style="font-size: 14px; font-weight: 700; color: #dc2626; margin-top: 16px; margin-right: 0; margin-bottom: 8px; margin-left: 0;">
Erreurs ({{ errors|length }})
</h2>
<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" style="border: 1px solid #fca5a5; margin-top: 0; margin-right: 0; margin-bottom: 16px; margin-left: 0;">
{% for error in errors %}
<tr>
<td style="padding-top: 6px; padding-bottom: 6px; padding-left: 12px; padding-right: 12px; font-size: 12px; mso-line-height-rule: exactly; line-height: 18px; background-color: #fef2f2; color: #991b1b; border-bottom: 1px solid #fca5a5;">
&#10007; {{ error }}
</td>
</tr>
{% endfor %}
</table>
{% endif %}
{# ─── Avertissements ─── #}
{% if warnings|length > 0 %}
<h2 style="font-size: 14px; font-weight: 700; color: #f59e0b; margin-top: 16px; margin-right: 0; margin-bottom: 8px; margin-left: 0;">
Avertissements ({{ warnings|length }})
</h2>
<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" style="border: 1px solid #fde68a; margin-top: 0; margin-right: 0; margin-bottom: 16px; margin-left: 0;">
{% for warning in warnings %}
<tr>
<td style="padding-top: 6px; padding-bottom: 6px; padding-left: 12px; padding-right: 12px; font-size: 12px; mso-line-height-rule: exactly; line-height: 18px; background-color: #fffbeb; color: #92400e; border-bottom: 1px solid #fde68a;">
&#9888; {{ warning }}
</td>
</tr>
{% endfor %}
</table>
{% endif %}
{# ─── Detail par domaine ─── #}
{% for domainData in domainResults %}
<h2 style="font-size: 14px; font-weight: 700; margin-top: 20px; margin-right: 0; margin-bottom: 8px; margin-left: 0;">
{{ domainData.domain }}
</h2>
<table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" style="border: 1px solid #e5e5e5; margin-top: 0; margin-right: 0; margin-bottom: 16px; margin-left: 0;">
<tr>
<td style="background-color: #111827; color: #ffffff; padding-top: 8px; padding-bottom: 8px; padding-left: 12px; padding-right: 12px; font-size: 11px; font-weight: 700; text-transform: uppercase; letter-spacing: 0.5px; width: 80px;">Type</td>
<td style="background-color: #111827; color: #ffffff; padding-top: 8px; padding-bottom: 8px; padding-left: 12px; padding-right: 12px; font-size: 11px; font-weight: 700; text-transform: uppercase; letter-spacing: 0.5px;">Verification</td>
<td style="background-color: #111827; color: #ffffff; padding-top: 8px; padding-bottom: 8px; padding-left: 12px; padding-right: 12px; font-size: 11px; font-weight: 700; text-transform: uppercase; letter-spacing: 0.5px; text-align: center; width: 60px;">Statut</td>
</tr>
{% for check in domainData.checks %}
<tr>
<td style="padding-top: 6px; padding-bottom: 6px; padding-left: 12px; padding-right: 12px; font-size: 11px; font-weight: 700; border-bottom: 1px solid #eeeeee; color: #666666;">{{ check.type }}</td>
<td style="padding-top: 6px; padding-bottom: 6px; padding-left: 12px; padding-right: 12px; font-size: 11px; border-bottom: 1px solid #eeeeee;">
<strong>{{ check.label }}</strong>
{% if check.detail %}<br><span style="color: #888888; font-size: 10px;">{{ check.detail }}</span>{% endif %}
</td>
<td style="padding-top: 6px; padding-bottom: 6px; padding-left: 12px; padding-right: 12px; font-size: 12px; text-align: center; border-bottom: 1px solid #eeeeee; font-weight: 700; color: {{ check.status == 'ok' ? '#16a34a' : (check.status == 'error' ? '#dc2626' : '#f59e0b') }};">
{{ check.status == 'ok' ? '&#10003;' : (check.status == 'error' ? '&#10007;' : '&#9888;') }}
</td>
</tr>
{% endfor %}
</table>
{% endfor %}
<p style="font-size: 11px; color: #888888; mso-line-height-rule: exactly; line-height: 16px; margin-top: 16px; margin-right: 0; margin-bottom: 0; margin-left: 0;">
Rapport genere par la commande <strong>app:dns:check</strong>. Verifiez la configuration dans Cloudflare et AWS SES si necessaire.
</p>
{% endblock %}