feat: password protected messages compliance

FlowCrypt · Dec 6, 2024 · a2d4efd · a2d4efd
1 parent 08ca0f0
commit a2d4efd
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 0 deletions.
diff --git a/extension/chrome/elements/compose-modules/compose-err-module.ts b/extension/chrome/elements/compose-modules/compose-err-module.ts
@@ -160,6 +160,15 @@ export class ComposeErrModule extends ViewModule<ComposeView> {
   };
 
   public throwIfEncryptionPasswordInvalidOrDisabled = async ({ subject, pwd }: { subject: string; pwd?: string }) => {
+    const disallowedPasswordMessageTerms = this.view.clientConfiguration.getDisallowPasswordMessagesForTerms();
+    const disallowedPasswordMessageErrorText = this.view.clientConfiguration.getDisallowPasswordMessagesErrorText();
+    if (
+      disallowedPasswordMessageErrorText &&
+      disallowedPasswordMessageTerms &&
+      subject.split(' ').some(term => disallowedPasswordMessageTerms.includes(term))
+    ) {
+      throw new ComposerUserError(disallowedPasswordMessageErrorText);
+    }
     // When DISABLE_FLOWCRYPT_HOSTED_PASSWORD_MESSAGES present, and recipients are missing a public key, and the user is using flowcrypt.com/shared-tenant-fes (not FES)
     if (this.view.clientConfiguration.shouldDisableFlowCryptHostedPasswordMessages() && !this.view.isCustomerUrlFesUsed()) {
       throw new ComposerUserError(Lang.compose.addMissingRecipientPubkeys);

diff --git a/extension/js/common/client-configuration.ts b/extension/js/common/client-configuration.ts
@@ -33,6 +33,8 @@ export type ClientConfigurationJson = {
   enforce_keygen_expire_months?: number;
   in_memory_pass_phrase_session_length?: number;
   prv_backup_to_designated_mailbox?: string;
+  disallow_password_messages_for_terms?: string[];
+  disallow_password_messages_error_text?: string;
 };
 /* eslint-enable @typescript-eslint/naming-convention */
 
@@ -110,6 +112,21 @@ export class ClientConfiguration {
     return this.clientConfigurationJson.enforce_keygen_expire_months;
   };
 
+  /**
+   * An array of strings to check against the subject of the composed password-protected message.
+   * If any string in this array is found in the subject, an error alert must be displayed.
+   */
+  public getDisallowPasswordMessagesForTerms = (): string[] | undefined => {
+    return this.clientConfigurationJson.disallow_password_messages_for_terms;
+  };
+
+  /**
+   * The text to be displayed in the password message terms error alert
+   */
+  public getDisallowPasswordMessagesErrorText = (): string | undefined => {
+    return this.clientConfigurationJson.disallow_password_messages_error_text;
+  };
+
   /**
    * pass phrase session length to be configurable with client configuraiton
    * default 4 hours

diff --git a/test/source/mock/fes/shared-tenant-fes-endpoints.ts b/test/source/mock/fes/shared-tenant-fes-endpoints.ts
@@ -49,6 +49,8 @@ export type FesClientConfiguration = {
   allow_keys_openpgp_org_search_only_for_domains?: string[];
   disallow_keys_openpgp_org_search_for_domains?: string[];
   prv_backup_to_designated_mailbox?: string;
+  disallow_password_messages_for_terms?: string[];
+  disallow_password_messages_error_text?: string;
 };
 /* eslint-enable @typescript-eslint/naming-convention */
 

diff --git a/test/source/tests/compose.ts b/test/source/tests/compose.ts
@@ -236,6 +236,42 @@ export const defineComposeTests = (testVariant: TestVariant, testWithBrowser: Te
       })
     );
 
+    test(
+      '[email protected] - disallow password  protected message terms',
+      testWithBrowser(async (t, browser) => {
+        const acct = '[email protected]';
+        const rules = getKeyManagerAutogenRules(t.context.urls!.port!);
+        const disallowedPasswordMessageErrorText = 'Password-protected messages are disabled';
+
+        t.context.mockApi!.configProvider = new ConfigurationProvider({
+          attester: {
+            pubkeyLookup: {},
+          },
+          ekm: {
+            keys: [testConstants.existingPrv],
+          },
+          fes: {
+            clientConfiguration: {
+              ...rules,
+              // eslint-disable-next-line @typescript-eslint/naming-convention
+              disallow_password_messages_for_terms: ['forbidden', 'test'],
+              // eslint-disable-next-line @typescript-eslint/naming-convention
+              disallow_password_messages_error_text: disallowedPasswordMessageErrorText,
+            },
+          },
+        });
+        const settingsPage = await BrowserRecipe.openSettingsLoginApprove(t, browser, acct);
+        await SetupPageRecipe.autoSetupWithEKM(settingsPage);
+        const composePage = await ComposePageRecipe.openStandalone(t, browser, acct);
+        await ComposePageRecipe.fillMsg(composePage, { to: '[email protected]' }, 'forbidden subject');
+        await composePage.waitAndClick('@action-send', { delay: 1 });
+        await PageRecipe.waitForModalAndRespond(composePage, 'error', {
+          contentToCheck: disallowedPasswordMessageErrorText,
+          clickOn: 'confirm',
+        });
+      })
+    );
+
     test(
       'compose - signed with entered pass phrase + will remember pass phrase in session',
       testWithBrowser(async (t, browser) => {