Skip to content

[code ok] Disallow attester organisational rule #591

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tomholub merged 1 commit into from
Oct 3, 2021
Merged

[code ok] Disallow attester organisational rule #591

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion FlowCrypt/Functionality/Services/AttesterApi.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,9 +28,14 @@ final class AttesterApi: AttesterApiType {
}

private let core: Core
private let organisationalRules: OrganisationalRules

init(core: Core = .shared) {
init(
core: Core = .shared,
organisationalRulesService: OrganisationalRulesServiceType = OrganisationalRulesService()
) {
self.core = core
self.organisationalRules = organisationalRulesService.getSavedOrganisationalRulesForCurrentUser()
}

private func urlPub(emailOrLongid: String) -> String {
Expand All @@ -46,6 +51,10 @@ extension AttesterApi {
Promise { [weak self] () -> [KeyDetails] in
guard let self = self else { throw AppErr.nilSelf }

if !(try self.organisationalRules.canLookupThisRecipientOnAttester(recipient: email)) {
return []
}

let res = try awaitPromise(URLSession.shared.call(self.urlPub(emailOrLongid: email), tolerateStatus: [404]))

if res.status >= 200, res.status <= 299 {
Expand Down
13 changes: 11 additions & 2 deletions FlowCrypt/Models/OrganisationalRule.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,8 +120,17 @@ class OrganisationalRules {

/// Some orgs have a list of email domains where they do NOT want such emails to be looked up on public sources (such as Attester)
/// This is because they already have other means to obtain public keys for these domains, such as from their own internal keyserver
func canLookupThisRecipientOnAttester(recipient email: String) -> Bool {
!(clientConfiguration.disallowAttesterSearchForDomains ?? []).contains(email.recipientDomain ?? "")
func canLookupThisRecipientOnAttester(recipient email: String) throws -> Bool {
let disallowedDomains = clientConfiguration.disallowAttesterSearchForDomains ?? []

if disallowedDomains.contains("*") {
return false
}

guard let recipientDomain = email.recipientDomain else {
throw AppErr.general("organisational_wrong_email_error".localizeWithArguments(email))
}
return !disallowedDomains.contains(recipientDomain)
}

/// Some orgs use flows that are only implemented in POST /initial/legacy_submit and not in POST /pub/email@corp.co:
Expand Down
1 change: 1 addition & 0 deletions FlowCrypt/Resources/en.lproj/Localizable.strings
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,7 @@
"organisational_rules_ekm_private_keys_message" = "Ignoring %d keys returned by EKM %@ (not implemented)";
"organisational_rules_ekm_empty_private_keys_error" = "There are no private keys configured for you. Please ask yout systems administrator or help desk";
"organisational_rules_ekm_keys_are_not_decrypted_error" = "Received private keys are not fully decrypted. Please try login flow again";
"organisational_wrong_email_error" = "Not a valid email %@";

// Email key manager api error
"emai_keymanager_api_no_google_id_token_error_description" = "There is no Google ID token were found while getting client configuration";
Expand Down