From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bremner@tethera.net>
Received: from localhost (localhost [127.0.0.1])
 by arlo.cworth.org (Postfix) with ESMTP id 925A36DE0A7F
 for <notmuch@notmuchmail.org>; Mon,  7 Nov 2016 04:52:21 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at cworth.org
X-Spam-Flag: NO
X-Spam-Score: -0.006
X-Spam-Level: 
X-Spam-Status: No, score=-0.006 tagged_above=-999 required=5 tests=[AWL=0.005, 
 SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=disabled
Received: from arlo.cworth.org ([127.0.0.1])
 by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id PHTc67YUU-IK for <notmuch@notmuchmail.org>;
 Mon,  7 Nov 2016 04:52:21 -0800 (PST)
Received: from fethera.tethera.net (fethera.tethera.net [198.245.60.197])
 by arlo.cworth.org (Postfix) with ESMTPS id E9D7A6DE098B
 for <notmuch@notmuchmail.org>; Mon,  7 Nov 2016 04:52:20 -0800 (PST)
Received: from remotemail by fethera.tethera.net with local (Exim 4.84_2)
 (envelope-from <bremner@tethera.net>)
 id 1c3jP7-0002nM-GB; Mon, 07 Nov 2016 07:52:01 -0500
Received: (nullmailer pid 23536 invoked by uid 1000);
 Mon, 07 Nov 2016 12:52:16 -0000
From: David Bremner <david@tethera.net>
To: notmuch@notmuchmail.org
Subject: [Patch v5 3/4] emacs: check drafts for encryption tags before saving
Date: Mon,  7 Nov 2016 08:52:10 -0400
Message-Id: <20161107125211.23405-4-david@tethera.net>
X-Mailer: git-send-email 2.10.2
In-Reply-To: <20161107125211.23405-1-david@tethera.net>
References: <20161107125211.23405-1-david@tethera.net>
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Use and development of the notmuch mail system."
 <notmuch.notmuchmail.org>
List-Unsubscribe: <https://notmuchmail.org/mailman/options/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch/>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <https://notmuchmail.org/mailman/listinfo/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2016 12:52:21 -0000

In general the user may not want to save plaintext copies of messages
that they are sending encrypted, so give them a chance to abort.
---
 emacs/notmuch-draft.el   | 40 ++++++++++++++++++++++++++++++++++++++++
 test/T630-emacs-draft.sh | 13 +++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/emacs/notmuch-draft.el b/emacs/notmuch-draft.el
index 11d906b..5a230e8 100644
--- a/emacs/notmuch-draft.el
+++ b/emacs/notmuch-draft.el
@@ -70,6 +70,21 @@ postponing and resuming a message."
   :type '(repeat string)
   :group 'notmuch-send)
 
+(defcustom notmuch-draft-save-plaintext 'ask
+  "Should notmuch save/postpone in plaintext messages that seem
+  like they are intended to be sent encrypted
+(i.e with an mml encryption tag in it)."
+  :type '(radio
+	  (const :tag "Never" nil)
+	  (const :tag "Ask every time" ask)
+	  (const :tag "Always" t))
+  :group 'notmuch-draft
+  :group 'notmuch-crypto)
+
+(defvar notmuch-draft-encryption-tag-regex
+  "<#\\(part encrypt\\|secure.*mode=.*encrypt>\\)"
+  "Regular expression matching mml tags indicating encryption of part or message")
+
 (defvar notmuch-draft-id nil
   "Message-id of the most recent saved draft of this message")
 (make-variable-buffer-local 'notmuch-draft-id)
@@ -102,6 +117,22 @@ Used when a new version is saved, or the message is sent."
 	  (goto-char (+ (match-beginning 0) 2))
 	  (insert "!"))))))
 
+(defun notmuch-draft--check-encryption-tag (&optional ask)
+  "Query user if there an mml tag that looks like it might indicate encryption.
+
+Returns t if there is no such tag, or the user confirms they mean
+it."
+  (save-excursion
+    (message-goto-body)
+      (or
+       ;; We are fine if no relevant tag is found, or
+       (not (re-search-forward notmuch-draft-encryption-tag-regex nil 't))
+       ;; The user confirms they means it.
+       (and ask
+	    (yes-or-no-p "(Customize `notmuch-draft-save-plaintext' to avoid this warning)
+This message contains mml tags that suggest it is intended to be encrypted.
+Really save and index an unencrypted copy? ")))))
+
 (defun notmuch-draft-save ()
   "Save the current draft message in the notmuch database.
 
@@ -109,6 +140,15 @@ This saves the current message in the database with tags
 `notmuch-draft-tags` (in addition to any default tags
 applied to newly inserted messages)."
   (interactive)
+  (case notmuch-draft-save-plaintext
+    ((ask)
+     (unless (notmuch-draft--check-encryption-tag t)
+       (error "Save aborted")))
+    ((t)
+     (ignore))
+    ((nil)
+     (unless (notmuch-draft--check-encryption-tag nil)
+       (error "Refusing to save draft with encryption tags (see `notmuch-draft-save-plaintext')"))))
   (let (;; We need the message id as we need it for tagging. Note
 	;; message-make-message-id gives the id inside a "<" ">" pair,
 	;; but notmuch doesn't want that form, so remove them.
diff --git a/test/T630-emacs-draft.sh b/test/T630-emacs-draft.sh
index e39690c..689ccfb 100755
--- a/test/T630-emacs-draft.sh
+++ b/test/T630-emacs-draft.sh
@@ -39,4 +39,17 @@ header_count=$(notmuch show --format=raw subject:draft-test-0003 | grep -c ^X-No
 body_count=$(notmuch notmuch show --format=raw subject:draft-test-0003 | grep -c '^\<#secure')
 test_expect_equal "$header_count,$body_count" "1,0"
 
+test_begin_subtest "Refusing to save an encrypted draft"
+test_emacs '(notmuch-mua-mail)
+	    (message-goto-subject)
+	    (insert "draft-test-0004")
+	    (mml-secure-message-sign-encrypt)
+	    (let ((notmuch-draft-save-plaintext nil))
+		     (notmuch-draft-save))
+	    (test-output)'
+count1=$(notmuch count tag:draft)
+count2=$(notmuch count subject:draft-test-0004)
+
+test_expect_equal "$count1,$count2" "3,0"
+
 test_done
-- 
2.10.2