Commit graph

135 commits

Author SHA1 Message Date
Daniel Kahn Gillmor
29648a137c crypto: actually stash session keys when decrypt=true
If you're going to store the cleartext index of an encrypted message,
in most situations you might just as well store the session key.
Doing this storage has efficiency and recoverability advantages.

Combined with a schedule of regular OpenPGP subkey rotation and
destruction, this can also offer security benefits, like "deletable
e-mail", which is the store-and-forward analog to "forward secrecy".

But wait, i hear you saying, i have a special need to store cleartext
indexes but it's really bad for me to store session keys!  Maybe
(let's imagine) i get lots of e-mails with incriminating photos
attached, and i want to be able to search for them by the text in the
e-mail, but i don't want someone with access to the index to be
actually able to see the photos themselves.

Fret not, the next patch in this series will support your wacky
uncommon use case.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
6a9626a2fd cli/reindex: destroy stashed session keys when --decrypt=false
There are some situations where the user wants to get rid of the
cleartext index of a message.  For example, if they're indexing
encrypted messages normally, but suddenly they run across a message
that they really don't want any trace of in their index.

In that case, the natural thing to do is:

   notmuch reindex --decrypt=false id:whatever@example.biz

But of course, clearing the cleartext index without clearing the
stashed session key is just silly.  So we do the expected thing and
also destroy any stashed session keys while we're destroying the index
of the cleartext.

Note that stashed session keys are stored in the xapian database, but
xapian does not currently allow safe deletion (see
https://trac.xapian.org/ticket/742).

As a workaround, after removing session keys and cleartext material
from the database, the user probably should do something like "notmuch
compact" to try to purge whatever recoverable data is left in the
xapian freelist.  This problem really needs to be addressed within
xapian, though, if we want it fixed right.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
076f86025d cli/new, insert, reindex: change index.decrypt to "auto" by default
The new "auto" decryption policy is not only good for "notmuch show"
and "notmuch reindex".  It's also useful for indexing messages --
there's no good reason to not try to go ahead and index the cleartext
of a message that we have a stashed session key for.

This change updates the defaults and tunes the test suite to make sure
that they have taken effect.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
181d4091c4 cli/new, insert, reindex: update documentation for --decrypt=auto
we also include --decrypt=auto in the tab completion.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
a1260896f6 cli/show: use decryption policy "auto" by default.
When showing a message, if the user doesn't specify --decrypt= at all,
but a stashed session key is known to notmuch, notmuch should just go
ahead and try to decrypt the message with the session key (without
bothering the user for access to their asymmetric secret key).

The user can disable this at the command line with --decrypt=false if
they really don't want to look at the e-mail that they've asked
notmuch to show them.

and of course, "notmuch show --decrypt" still works for accessing the
user's secret keys if necessary.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
6802b333eb cli/reply: use decryption policy "auto" by default.
If the user doesn't specify --decrypt= at all, but a stashed session
key is known to notmuch, when replying to an encrypted message,
notmuch should just go ahead and decrypt.

The user can disable this at the command line with --decrypt=false,
though it's not clear why they would ever want to do that.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
e4890b5bf9 crypto: new decryption policy "auto"
This new automatic decryption policy should make it possible to
decrypt messages that we have stashed session keys for, without
incurring a call to the user's asymmetric keys.
2017-12-08 08:07:53 -04:00
Daniel Kahn Gillmor
d3964e81ac indexing: Change from try_decrypt to decrypt
the command-line interface for indexing (reindex, new, insert) used
--try-decrypt; and the configuration records used index.try_decrypt.
But by comparison with "show" and "reply", there doesn't seem to be
any reason for the "try" prefix.

This changeset adjusts the command-line interface and the
configuration interface.

For the moment, i've left indexopts_{set,get}_try_decrypt alone.  The
subsequent changeset will address those.
2017-12-08 08:05:53 -04:00
Jani Nikula
733ccfabca cli: allow empty strings for notmuch insert --folder argument
Now that it's easy to add argument specific modifiers in opt
descriptions, add a new .allow_empty field to allow empty strings for
individual string arguments while retaining strict checks
elsewhere. Use this for notmuch insert --folder, where the empty
string means top level folder.
2017-11-08 09:46:44 -05:00
Daniel Kahn Gillmor
8116891744 cli/reindex: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting on a per-run basis
when invoking "notmuch reindex".  This allows the possibility of (for
example) an emacs keybinding that adds the cleartext of the currently
shown decrypted message to the index, making it searchable in the
future.

It also enables one-time indexing of all messages matching some query,
like so:

    notmuch reindex tag:encrypted and\
       not property:index.decryption=success and\
       from:alice@example.org

We also update the documentation and tab completion, and add a few
more tests.
2017-10-21 19:58:52 -03:00
Daniel Kahn Gillmor
c5356b9ed5 cli/insert: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting on a per-message
basis when invoking "notmuch insert".

We also update the documentation and tab completion, and add more tests.
2017-10-21 19:58:43 -03:00
Daniel Kahn Gillmor
35456d4b0c cli/new: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting during "notmuch new"
on a per-invocation basis.

We update the documentation and tab completion, and also add a test.
2017-10-21 19:58:32 -03:00
Daniel Kahn Gillmor
d0da7a0a1c config: define new option index.try_decrypt
By default, notmuch won't try to decrypt on indexing.  With this
patch, we make it possible to indicate a per-database preference using
the config variable "index.try_decrypt", which by default will be
false.

At indexing time, the database needs some way to know its internal
defaults for how to index encrypted parts.  It shouldn't be contingent
on an external config file (since that can't be retrieved from the
database object itself), so we store it in the database.

This behaves similarly to the query.* configurations, which are also
stored in the database itself, so we're not introducing any new
dependencies by requiring that it be stored in the database.
2017-10-21 19:54:33 -03:00
Daniel Kahn Gillmor
886c0b1666 config: test whether an item is stored in the database by name
QUERY_STRING was only used in two places, both to test whether a
variable should be stored in (or retrieved from) the database.

Since other configuration variables might be stored in the database in
the future, consolidate that test into a single function.

We also document that these configuration options should not be placed
in the config file.
2017-10-21 19:54:24 -03:00
Daniel Kahn Gillmor
6575b7eb31 doc: add notmuch-properties(7)
We will want a user-facing place to record details about the use of
notmuch properties shortly.  This establishes a new manual page for
that purpose.
2017-10-21 19:52:55 -03:00
Daniel Kahn Gillmor
6499fce391 doc: make SEE ALSO references one-per-line
This will make future diffs cleaner, make it easier to keep them
alphabetical, and make it easier to scan and search the documentation
sources.
2017-10-18 22:36:39 -03:00
Daniel Kahn Gillmor
5fb0f5f113 doc: fix documentation typos and copy/paste-os 2017-10-18 22:36:09 -03:00
Daniel Kahn Gillmor
e5beec39d6 add "notmuch reindex" subcommand
This new subcommand takes a set of search terms, and re-indexes the
list of matching messages.
2017-08-01 21:17:47 -04:00
David Bremner
ed4a9082c0 cli/search: print total number of files matched in summary output.
The structured output formats already have all of the filenames. This
is an easy bit of UI change to make the multiple files visible.
2017-08-01 21:17:47 -04:00
Daniel Kahn Gillmor
87bdfbc91f Fix orthography 2017-07-18 06:50:44 -03:00
Daniel Kahn Gillmor
e142de643d config: deprecate/drop crypto.gpg_path under gmime 2.6/3.0
gmime 3.0 no longer offers a means to set the path for gpg.

Users can set $PATH anyway if they want to pick a
differently-installed gpg (e.g. /usr/local/bin/gpg), so this isn't
much of a reduction in functionality.

The one main difference is for people who have tried to use "gpg2" to
make use of gpg 2.1, but that isn't usefully co-installable anyway.
2017-07-14 21:23:52 -03:00
David Bremner
a32dd81a55 cli: add space separator for keyword, string, and int arguments
Defer the complication of optional boolean arguments for later (never?).
2017-07-12 17:46:29 -03:00
David Bremner
d47e184118 cli/dump: bump dump format version to 3
No changes to the format of the body, but the header format was
fixed, and version 2 headers probably shouldn't be relied on.
2017-04-01 09:10:15 -03:00
Jani Nikula
02421015fd man: document external subcommand handling in notmuch(1)
The documentation for this was overlooked when adding the subcommand
handling. This seems like the proper place for it.
2017-03-07 09:05:50 -04:00
David Bremner
5de84d0752 Merge branch 'release'
Add back in no-display parameter by hand.
2016-12-15 21:57:10 +09:00
David Bremner
3d312e2577 cli/insert: document the use of EX_TEMPFAIL 2016-12-15 20:21:02 +09:00
Tomi Ollila
ef763a9e8b doc: whitespace cleanup
For the most part, our .rst documents are indented with 8 spaces instead
of tabs. Bring the rest of the lines to the same format.
Also, on one (supposedly empty) line, trailing spaces were removed.
2016-11-28 21:58:17 -04:00
David Bremner
c970de6dc5 Merge branch 'release'
Add Jani's fix for notmuch-new
2016-11-26 08:43:31 -04:00
Jani Nikula
a5df39c276 notmuch-emacs-mua: add --hello parameter
If the --hello parameter is given, display the notmuch hello buffer
instead of the message composition buffer if no message composition
parameters are given.

Signed-off-by: Jani Nikula <jani@nikula.org>
2016-11-26 08:15:11 -04:00
Jani Nikula
caa9dcb707 man: advertize notmuch-emacs-mua as notmuch emacs-mua subcommand
With subcommand handling for external commands we can now hide the
implementation detail of emacs-mua being a separate notmuch-emacs-mua
script.
2016-11-26 08:09:58 -04:00
David Bremner
0ca7900727 cli/new: document new exit code
It seems important to give the numeric return code for people writing
scripts. Hopefully deviations from this convention are rare.
2016-11-25 22:44:05 -04:00
Jani Nikula
cbeb0685c7 notmuch-emacs-mua: add support for mailto: URL handling
Add support for composing an email in the Notmuch Emacs UI using a
mailto: URL. The mailto: URL mode is mutually exclusive with
specifying other message modifying parameters and positional
arguments.
2016-11-02 07:40:33 -03:00
David Bremner
651da30c09 cli: optionally restore message properties from dump file
This somewhat mimics the config line parsing, except there can be
arbitrarily many key value pairs, so one more level of looping is
required.
2016-09-21 18:14:25 -03:00
David Bremner
b7345d277e CLI: add properties to dump output
Part of providing extensibility via properties is to make sure that user
data is not lost. Thus we need to be able to dump and restore
properties.
2016-09-21 18:14:25 -03:00
Daniel Kahn Gillmor
89c8d27948 clean up spelling 2016-09-12 08:16:35 -03:00
David Bremner
3ba1b938b5 doc: update cross references for notmuch.1
In particular add notmuch-compact(1) (Debian bug #825884)
2016-08-23 20:53:52 -03:00
David Bremner
d9d2d535b3 doc: document notmuch-dump header line
This was introduced with the libconfig changes, but not documented then.
2016-06-07 07:52:34 -03:00
Daniel Kahn Gillmor
6a833a6e83 Use https instead of http where possible
Many of the external links found in the notmuch source can be resolved
using https instead of http.  This changeset addresses as many as i
could find, without touching the e-mail corpus or expected outputs
found in tests.
2016-06-05 08:32:17 -03:00
David Bremner
2d2a13966c CLI: add notmuch-config support for named queries
Most of the infrastructure here is general, only the validation/dispatch
is hardcoded to a particular prefix.

A notable change in behaviour is that notmuch-config now opens the
database e.g. on every call to list, which fails with an error message
if the database doesn't exist yet.
2016-05-25 07:40:44 -03:00
David Bremner
c6fcc555dd CLI: optionally restore config data.
The default to restore config data seems safest, especially since
currently we have no config data to mess up.
2016-05-25 07:40:44 -03:00
David Bremner
e042a25a3f CLI: add optional config data to dump output.
Note that it changes the default dump output format, but doesn't break
existing notmuch-restore. It might break user scripts though.
2016-05-25 07:07:56 -03:00
David Bremner
792bea5aff lib/cli: add library API / CLI for compile time options
This is intentionally low tech; if we have more than two options it may
make sense to build up what infrastructure is provided.
2016-05-13 07:29:12 -03:00
Michal Sojka
557965b8fa doc/reply: Clarify how reply-to header is handled
Current documentation and comments in the code do not correspond to
the actual code and tests in the test suite ("Un-munging Reply-To" in
T230-reply-to-sender.sh). Fix it.
2016-03-14 20:34:17 -03:00
Tomi Ollila
7b7dadb93f notmuch-emacs-mua: make --auto-daemon imply --create-frame
Before this change with --auto-daemon but without --create-frame
emacs server was started but no clients stay connected to it
(in both graphical and terminal displays).

Note that this changes how --client --auto-daemon works on
graphical display; New emacs frame is now created for the
message (and message-exit-actions hook appended).
2015-10-01 08:40:32 -03:00
Jani Nikula
b69201da5d notmuch-emacs-mua: do not create a frame by default with --client
Make the default behaviour for --client the same as emacsclient
default: do not create a new frame. Add a new option --create-frame,
passing the same option to emacsclient to create a frame.
2015-09-29 08:25:25 -03:00
Jani Nikula
17fcf24d8b notmuch-emacs-mua: add --auto-daemon option to start Emacs daemon as needed
Automatically starting Emacs in daemon mode if the Emacs server is not
running is a matter of preference better not hard coded in
notmuch-emacs-mua. Add an option to control the behaviour.
2015-09-29 08:25:25 -03:00
Jani Nikula
ac609e5a3b man: clean up notmuch-emacs-mua man page
Move --client description to a more suitable location, stylistic
changes.
2015-09-29 08:25:25 -03:00
Jani Nikula
02e394aed2 cli: do not sort addresses on --output=count or --deduplicate=address
The order of the results with --output=count and --deduplicate=address
is unspecified as they're based on a hash table traversal. This being
the case, optimize the query by explicitly requesting unsorted
results. Clarify the documentation accordingly.
2015-09-26 07:41:05 -03:00
Jani Nikula
71fae18fba man: document notmuch address --deduplicate=address option
Document the deduplication based on case insensitive address.
2015-09-26 07:40:39 -03:00
Jani Nikula
36b75cd441 man: document notmuch address --deduplicate=(no|mailbox) option
Document the deduplication of results.
2015-09-24 07:34:39 -03:00
David Bremner
f76d8f82dd cli: add global option "--uuid"
The function notmuch_exit_if_unmatched_db_uuid is split from
notmuch_process_shared_options because it needs an open notmuch
database.

There are two exceptional cases in uuid handling.

1) notmuch config and notmuch setup don't currently open the database,
   so it doesn't make sense to check the UUID.

2) notmuch compact opens the database inside the library, so we either
   need to open the database just to check uuid, or change the API.
2015-08-14 18:23:49 +02:00
David Bremner
5a3b42fb8c cli/count: add --lastmod
In the short term we need a way to get lastmod information e.g. for
the test suite. In the long term we probably want to add lastmod
information to at least the structured output for several other
clients (e.g. show, search).
2015-08-14 18:07:55 +02:00
David Bremner
653190bf2a cli: enable notmuch --help command
This functionality seems to have been undocumented, if it ever
existed. Document it now.
2015-07-30 07:45:26 +02:00
David Bremner
83e9df98a0 doc: whitespace cleanup for notmuch.rst
replace leading spaces with tabs
2015-07-30 07:45:26 +02:00
David Bremner
9f57b7e8c5 doc: add minimal note about shared options.
The example is a bit silly, but notmuch subcommand --help is actually
not equivalent to "notmuch --help subcommand".
2015-06-05 18:51:15 +02:00
David Bremner
c883e632bf CLI: make gpg binary used by libgmime configurable.
Previously we set up a way for the top level notmuch command to choose
which gpg binary was invoked by libgmime. In this commit we add the
(mostly boilerplate) code to allow the notmuch-config command to read
and write this path, and use it in the appropriate struct.

Update tests for new default variable
2015-03-11 08:04:00 +01:00
Jani Nikula
a00b4abc27 man: fix notmuch-emacs-mua environment section
It's emacsclient command, not comment. Document default values. While
at it, format the environment section similarly to other man pages.
2015-03-08 08:27:43 +01:00
Jani Nikula
5240c438f5 notmuch-emacs-mua: remove -C to keep short options compatible with mutt
Notmuch uses long options exclusively all around. The short options in
notmuch-emacs-mua are intentionally just a compatible subset of
mutt(1). Keep it this way, if only to make documenting the fact easy!

The Notmuch style --client long option remains, of course.
2015-03-08 08:27:28 +01:00
Jani Nikula
f4a5a534c8 cli: add a tool for starting new message in the emacs ui
Add a tool to start composing an email in the Notmuch Emacs UI with
the specified subject, recipients, and message body.
2015-03-06 08:02:08 +01:00
Jani Nikula
45038b44b7 doc: document notmuch-restore --input=filename option
Document all options for completeness.
2015-02-23 21:47:55 +01:00
Jani Nikula
1e5b4b72c9 doc: document notmuch-dump --output=filename option
Document all options for completeness.
2015-02-23 21:47:46 +01:00
Jani Nikula
6cc1c8d149 doc: bring notmuch-dump manual page in line with the rest
Fix indentation of options. Move search terms description before
options. Fix synopsis.
2015-02-23 21:47:32 +01:00
David Bremner
625401eb2f doc: remove reference to sender,recipients from notmuch-search.1
Apparently these were missed when notmuch-address was split to its
own subcommand.
2015-02-22 19:52:42 +01:00
Sergei Shilovsky
7b31f54ed9 Add default configuration values to the man page 2015-01-01 16:48:18 +01:00
Tomi Ollila
32855b91d9 NEWS & doc: typing fixes
Some inconsistent formatting in NEWS for 0.19, 0.18 & 0.17 fixed.

Extra `*` when making bold text in doc/man1/notmuch-search.rst removed.
2014-11-16 09:36:50 +01:00
Michal Sojka
9710f0886a doc: Minor fixes related to notmuch-address
- Add notmuch-address to HTML index
- Remove extra '*'
2014-11-13 21:25:07 +01:00
Tomi Ollila
0d8251dbe2 cli: notmuch address option defaults update
When no --output option was given, change default to display senders
only.

When only --count option is given, display senders (as opposed to not
displaying anything).

Document that --count with --sort=**order** is not a supported option
combination.

Clean up some whitespace in the documentation.

One test updated to have --output=count without sender nor recipient
output option.
2014-11-09 10:09:51 +01:00
Tomi Ollila
8e3ee13abc doc: whitespace cleanup
Changed one tab in doc/man1/notmuch-show.rst to 8 spaces.

Removed one leading tab in doc/man5/notmuch-hooks.rst to make
the SYNOPSIS style consistent with other pages.
2014-11-09 10:08:33 +01:00
Michal Sojka
a5a6859197 cli: address: Add --output=count
This output prints how many times each address was encountered during
search.
2014-11-05 23:25:05 +01:00
Michal Sojka
4176e527fc cli: address: Do not output duplicate addresses
This filters out duplicate addresses from address command output.

It also adds tests for the address command.

The code here is an extended version of a patch from Jani Nikula.
2014-11-05 23:23:01 +01:00
Michal Sojka
5c32365d87 cli: search: Convert --output to keyword argument
Now, when address related outputs are in a separate command, it makes
no sense to combine multiple --output options in search command line.
Using switch statement to handle different outputs is more readable
than a series of if statements.
2014-11-05 23:20:17 +01:00
Michal Sojka
5c27136e64 cli: Introduce "notmuch address" command
This moves address-related functionality from search command to the
new address command. The implementation shares almost all code and
some command line options.

Options --offset and --limit were intentionally not included in the
address command, because they refer to message numbers, which users
do not see in the output. This could confuse users because, for
example, they could see more addresses in the output than what was
specified with --limit. This functionality can be correctly
reimplemented for address subcommand later.

Also useless values of --exclude flag were not included in the address
command.

This was inspired by a patch from Jani Nikula.
2014-11-05 23:19:12 +01:00
Jani Nikula
4366b9b88c cli: add support for notmuch search --duplicate=N with --output=messages
Print the message IDs of all messages matching the search terms that
have at least N files associated with them.
2014-11-02 19:42:12 +01:00
Michal Sojka
3cc8ed5978 cli: search: Add --output={sender,recipients}
The new outputs allow printing senders, recipients or both of matching
messages. To print both, the user can use --output=sender and
--output=recipients simultaneously.

Currently, the same address can appear multiple times in the output.
The next commit will change this. For this reason, tests are
introduced there.

We use mailbox_t rather than InternetAddressMailbox because we will
need to extend it in a following commit.

This code is based on a patch from Jani Nikula.
2014-11-01 08:02:58 +01:00
Jani Nikula
19c09d870f cli/insert: add post-insert hook
The post-new hook might no longer be needed or run very often if
notmuch insert is being used. Therefore a post-insert hook is needed
(arguably pre-insert not so much, so don't add one). Also add the
--no-hooks option to skip hooks.
2014-10-28 19:19:30 +01:00
Jani Nikula
dc20a0eedc cli/insert: require successful message indexing for success status
Add --keep option to keep any remaining stuff in index or file. We
could distinguish between failures to index and failures to apply tags
or maildir sync, but for simplicity just have one.
2014-10-18 07:54:25 +02:00
Austin Clements
827a69f639 doc: Simplify and clarify notmuch show --format=sexp description
Previously, this was a verbatim copy of the --format=json text.
Change it to instead reference the JSON text and actually describe how
the S-expression format works.
2014-04-21 21:51:54 +09:00
Austin Clements
a39a69ca0f doc: Clarify charset encoding of JSON output 2014-04-21 21:51:35 +09:00
Austin Clements
3cd00fdb8f doc: Fix minor formatting issues in notmuch-show.rst
There were some extra line breaks and missing periods.
2014-04-21 21:51:08 +09:00
Austin Clements
56871c628b doc: Clarify notmuch show --format=raw description
In addition to being generally more precise, this is explicit that
there is no charset conversion.
2014-04-21 21:50:57 +09:00
David Bremner
99d351360b doc: make notmuch-new summary line more generic
Since 'notmuch new' now takes multiple options, it's confusing to show
only one of them in the summary.
2014-04-19 14:29:06 +09:00
David Bremner
4c62d9366a restore: transparently support gzipped input
We rely completely on zlib to do the right thing in detecting gzipped
input. Since our dump format is chosen to be 7 bit ascii, this should
be fine.
2014-04-12 07:59:44 -03:00
David Bremner
3c13bc0321 dump: support gzipped and atomic output
The main goal is to support gzipped output for future internal
calls (e.g. from notmuch-new) to notmuch_database_dump.

The additional dependency is not very heavy since xapian already pulls
in zlib.

We want the dump to be "atomic", in the sense that after running the
dump file is either present and complete, or not present.  This avoids
certain classes of mishaps involving overwriting a good backup with a
bad or partial one.
2014-04-12 07:59:44 -03:00
Jani Nikula
5348d1987c man: try to clarify the folder: and path: vs. --output=files confusion 2014-03-11 19:51:22 -03:00
David Bremner
d736260385 doc: convert sphinx based docs
This is the output from sphinx-quickstart, massaged a bit, along with
our existing man pages converted to rst.

A skeleton notmuch-emacs manual is also included. It is not suitable
for end user use yet.
2014-03-09 10:41:08 -03:00