prepwork for EKM integration during setup

[tomholub]

this is a subset of #279 and a part of #275

EKM = Email Key Manager https://flowcrypt.com/docs/technical/enterprise/email-deployment-overview.html

OrgRule definitions https://flowcrypt.com/docs/business/org-rules.html

As a part of #275 and after #276 and #277 , immediately after authentication when we receive the OIDC and OrgRules, we should check if orgRules.usesKeyManager() == true.

• if not, skip following steps (and instead show regular setup flow)

• if yes, follow the flow below

• 1) check if orgRules.mustAutoImportOrAutogenPrvWithKeyManager() == true and if not, show an error that this combination of rules (key_manager_url set but PRV_AUTOIMPORT_OR_AUTOGEN is missing) is not supported on this platform

• 2) check if orgRules.mustAutogenPassPhraseQuietly() == false. If not, show an error that this combination of OrgRules (PRV_AUTOIMPORT_OR_AUTOGEN + PASS_PHRASE_QUIET_AUTOGEN) is not supported on this platform

• 3) check if orgRules.forbidStoringPassPhrase() == true. If not, show an error that this combination of OrgRules (PRV_AUTOIMPORT_OR_AUTOGEN + missing FORBID_STORING_PASS_PHRASE) is not supported on this platform.

• 4) check if orgRules.mustSubmitToAttester() == false. If not, show an error that this combination of OrgRules (PRV_AUTOIMPORT_OR_AUTOGEN + ENFORCE_ATTESTER_SUBMIT) is not supported on this platform.

• 5) check if orgRules.forbidCreatingPrivateKey() == true. If not, show an error that this combination of OrgRules (PRV_AUTOIMPORT_OR_AUTOGEN + missing NO_PRV_CREATE) is not supported on this platform.

• 6) get the EKM URL from key_manager_url OrgRule (already includes https://, but may or may not include a trailing slash

• 7) please normalize the URL to contain a trailing slash before you use the URL

• 8) call GET <ekm>/v1/keys/private. Into authorization header please put Bearer <ID_TOKEN>. On error, offer retry

Now this last step that follows differs from #279 to allow a smaller PR at first:

• 9) show a toast that says ignoring <n> keys returned by EKM <url> (not implemented), then proceed to regular setup flow as before

[tomholub]

When not sure, please ask - it's important that this is implemented correctly.

[ekievsky]

@tomholub Should all the checks happen on the login or startup(if user logged in)? What is the UX if there are more than 1 error? Should we show the list of errors in one alert, show only the first error or show couple of alerts?

[tomholub]

These particular checks should happen during the login flow. Please show alert and abort action on first error, no need to show more than one error.

[ekievsky]

What do you mean by abort action? Should it abort login flow?

[tomholub]

1. user clicks the login button Continue with Gmail and approves permission on Google prompt
2. various steps are taken as described above, and one of them fails
3. user is shown an alert describing the promlem, with an [ok] button
4. user presses ok
5. user is sent back to whichever screen they originally took the action on (I think in this case, it would be the splash screen that shows Continue with Gmail, with Outlook etc.)

[tomholub]

That means user can naturally choose to retry the whole flow after it fails this way, by doing what they did earlier (clicking Continue with Gmail again)

[ekievsky]

as a summary:

• All these checks happens on Login only.
• If any error happens user routes back to Splash Screen.

[tomholub]

This is correct. Before the user is sent back to splash screen, they are shown the error first. Thanks 👍

[tomholub]

Or the error can be shown over the splash screen, either way is fine.