From 9ece61d8df3508e115d67de4c468b928e6ee2f33 Mon Sep 17 00:00:00 2001
From: Personal
Date: Sat, 2 Oct 2021 16:48:05 +0300
Subject: [PATCH] Updated canLookupThisRecipientOnAttester OrgRule; Ignoring attester api depending on canLookupThisRecipientOnAttester;
---
 FlowCrypt/Functionality/Services/AttesterApi.swift | 11 ++++++++++-
 FlowCrypt/Models/OrganisationalRule.swift | 13 +++++++++++--
 FlowCrypt/Resources/en.lproj/Localizable.strings | 1 +
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/FlowCrypt/Functionality/Services/AttesterApi.swift b/FlowCrypt/Functionality/Services/AttesterApi.swift
index 3a0ab9e02..7ec0fcf4e 100644
--- a/FlowCrypt/Functionality/Services/AttesterApi.swift
+++ b/FlowCrypt/Functionality/Services/AttesterApi.swift
@@ -28,9 +28,14 @@ final class AttesterApi: AttesterApiType {
 }
 private let core: Core
+ private let organisationalRules: OrganisationalRules
- init(core: Core = .shared) {
+ init(
+ core: Core = .shared,
+ organisationalRulesService: OrganisationalRulesServiceType = OrganisationalRulesService()
+ ) {
 self.core = core
+ self.organisationalRules = organisationalRulesService.getSavedOrganisationalRulesForCurrentUser()
 }
 private func urlPub(emailOrLongid: String) -> String {
@@ -46,6 +51,10 @@ extension AttesterApi {
 Promise { [weak self] () -> [KeyDetails] in
 guard let self = self else { throw AppErr.nilSelf }
+ if !(try self.organisationalRules.canLookupThisRecipientOnAttester(recipient: email)) {
+ return []
+ }
+
 let res = try awaitPromise(URLSession.shared.call(self.urlPub(emailOrLongid: email), tolerateStatus: [404]))
 if res.status >= 200, res.status <= 299 {
diff --git a/FlowCrypt/Models/OrganisationalRule.swift b/FlowCrypt/Models/OrganisationalRule.swift
index aaa6b2f25..d2e247be4 100644
--- a/FlowCrypt/Models/OrganisationalRule.swift
+++ b/FlowCrypt/Models/OrganisationalRule.swift
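Review bot: The initializer in the first AttesterApi.swift hunk reads `getSavedOrganisationalRulesForCurrentUser()` once and stores the result, so the Attester lookup policy is frozen when the object is constructed. If an `AttesterApi` instance outlives an account switch or a refresh of the saved client configuration (its lifetime is not visible in this hunk), lookups would be checked against the previous rules, including a stale `disallowAttesterSearchForDomains` list. Consider storing the service instead, `private let organisationalRulesService: OrganisationalRulesServiceType`, and calling `getSavedOrganisationalRulesForCurrentUser()` inside the lookup just before the policy check.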
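Review bot: In the second AttesterApi.swift hunk, a lookup blocked by organisational policy returns `[]`, which looks the same to the caller as "no key found" if the tolerated 404 path also yields an empty array (that handling continues outside the hunk, so this is inferred from `tolerateStatus: [404]`). A short comment on the early return would record why the network call is skipped, for example `// Org policy forbids public lookup for this recipient: return before the address is sent to Attester`. The condition also reads more directly as `guard try self.organisationalRules.canLookupThisRecipientOnAttester(recipient: email) else { return [] }`.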
@@ -120,8 +120,17 @@ class OrganisationalRules {
 /// Some orgs have a list of email domains where they do NOT want such emails to be looked up on public sources (such as Attester)
 /// This is because they already have other means to obtain public keys for these domains, such as from their own internal keyserver
- func canLookupThisRecipientOnAttester(recipient email: String) -> Bool {
- !(clientConfiguration.disallowAttesterSearchForDomains ?? []).contains(email.recipientDomain ?? "")
+ func canLookupThisRecipientOnAttester(recipient email: String) throws -> Bool {
+ let disallowedDomains = clientConfiguration.disallowAttesterSearchForDomains ?? []
+
+ if disallowedDomains.contains("*") {
+ return false
+ }
+
+ guard let recipientDomain = email.recipientDomain else {
+ throw AppErr.general("organisational_wrong_email_error".localizeWithArguments(email))
+ }
+ return !disallowedDomains.contains(recipientDomain)
 }
 /// Some orgs use flows that are only implemented in POST /initial/legacy_submit and not in POST /pub/email@corp.co:
diff --git a/FlowCrypt/Resources/en.lproj/Localizable.strings b/FlowCrypt/Resources/en.lproj/Localizable.strings
index 2df3dd0ac..ee2affddd 100644
--- a/FlowCrypt/Resources/en.lproj/Localizable.strings
+++ b/FlowCrypt/Resources/en.lproj/Localizable.strings
@@ -214,6 +214,7 @@
 "organisational_rules_ekm_private_keys_message" = "Ignoring %d keys returned by EKM %@ (not implemented)";
 "organisational_rules_ekm_empty_private_keys_error" = "There are no private keys configured for you. Please ask yout systems administrator or help desk";
 "organisational_rules_ekm_keys_are_not_decrypted_error" = "Received private keys are not fully decrypted. Please try login flow again";
+"organisational_wrong_email_error" = "Not a valid email %@";
 // Email key manager api error
 "emai_keymanager_api_no_google_id_token_error_description" = "There is no Google ID token were found while getting client configuration";
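Review bot: The final `disallowedDomains.contains(recipientDomain)` in the OrganisationalRule.swift hunk is an exact, case-sensitive string match, while email domains are case-insensitive. Unless `recipientDomain` and the configured list are both already lower-cased (neither is visible here), a recipient written as `user@Corp.Example` (constructed example) would not match a `corp.example` entry and would still be sent to the public Attester lookup that the rule is meant to prevent. Normalise both sides before comparing, for example `let disallowedDomains = (clientConfiguration.disallowAttesterSearchForDomains ?? []).map { $0.lowercased() }` and `return !disallowedDomains.contains(recipientDomain.lowercased())`. The `"*"` wildcard check is unaffected by this.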