Commit graph

1144 commits

Author SHA1 Message Date
David Bremner
ae6b52488d cli/show: avoid empty write to stdout in format_part_raw
Previously if the input was exactly a multiple of the internal buffer
size, notmuch would attempt to fwrite nothing to stdout, but still
expected fwrite to return 1, causing a failure that looked like this:

  $ notmuch show --format=raw id:87o96f1cya.fsf@codeaurora.org
    ...entire message shown as expected..
  Error: Write failed
  $ echo $?
  1

To fix the problem don't call fwrite at all when there's nothing to
write.

Amended by db: add some tests of message sizes likely to cause this
problem.
2019-05-05 08:01:17 -03:00
David Bremner
103c11822e cli/notmuch-show: support gzipped files
This drops "file" from mime_node_context and just uses a local
variable. It also uses the new gzip aware utility routines recently
added to util/gmime-extra.c. The use of gzopen / gzfile in addition is
a bit icky, but the choice is between that, and providing yet another
readline implimentation that understands GMime streams.
2019-05-03 07:48:43 -03:00
David Bremner
852167479f lib/message_file: open gzipped files
Rather than storing the lower level stdio FILE object, we store a
GMime stream. This allows both transparent decompression, and passing
the stream into GMime for parsing. As a side effect, we can let GMime
close the underlying OS stream (indeed, that stream isn't visible here
anymore).

This change is enough to get notmuch-{new,search} working, but there is still
some work required for notmuch-show, to be done in a following commit.
2019-05-03 07:48:43 -03:00
Daniel Kahn Gillmor
7e6f55b268 gmime-cleanup: simplify T355-smime.sh
GMime 3.0 and later can handle User ID as expected.

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:55:52 -03:00
Daniel Kahn Gillmor
652baa6fe6 gmime-cleanup: tests should only care about gmime 3
note that "notmuch-show for message with invalid From" is still broken
in T310-emacs.sh.  It would be good to debug what's going on there and
try to get it fixed!

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:55:44 -03:00
Daniel Kahn Gillmor
bb0b119358 gmime-cleanup: always support session keys
Our minimum version of GMime 3.0 always supports good session key
handling.

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:55:32 -03:00
Daniel Kahn Gillmor
096d45a878 gmime-cleanup: remove obsolete gpg_path configuration option and crypto contexts
Note that we do keep ignoring the gpg_path configuration option,
though, to avoid breakage of existing installations.  It is ignored
like any other unknown configuration option, but we at least document
that it is ignored so that people who find it in their legacy configs
can know that it's safe to drop.

signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-05-03 06:55:04 -03:00
Daniel Kahn Gillmor
afb0b11dcd crypto: Avoid pretending to verify signatures on unsigned encrypted mail
Unsigned encrypted mail shows up with a weird empty signature list.
If we successfully decrypted and there was no signature in it, we
should just not show a sigstatus at all.

The documentation for g_mime_decrypt_result_get_signatures says:

    a GMimeSignatureList or NULL if the stream was not signed.
2019-04-26 08:03:15 -03:00
Daniel Kahn Gillmor
22ec4a36e6 tests: move FINGERPRINT definition to add_gnupg_home
If a test has added a GnuPG homedir, it may well want to know the
fingerprint.  This saves us from having to redefine this magic string
in multiple places when more tests eventually use the GnuPG homedir.
2019-04-24 07:16:46 -03:00
David Bremner
319dd95ebb lib: add 'body:' field, stop indexing headers twice.
The new `body:` field (in Xapian terms) or prefix (in slightly
sloppier notmuch) terms allows matching terms that occur only in the
body.

Unprefixed query terms should continue to match anywhere (header or
body) in the message.

This follows a suggestion of Olly Betts to use the facility (since
Xapian 1.0.4) to add the same field with multiple prefixes. The double
indexing of previous versions is thus replaced with a query time
expension of unprefixed query terms to the various prefixed
equivalent.

Reindexing will be needed for 'body:' searches to work correctly;
otherwise they will also match messages where the term occur in
headers (demonstrated by the new tests in T530-upgrade.sh)
2019-04-17 08:48:16 -03:00
Örjan Ekeberg
bfe0f8dcc4 test: add test for checking forwarded messages
Add test of forwarding messages from within emacs.
The first test checks that a references header is properly
added to the new message.  The second test checks that the
send-hook of the forwarding message adds a forwarded-tag
to the original message.
2019-04-14 08:01:30 -03:00
David Edmondson
639d21d5b9 test: Add emacs attachment check tests. 2019-03-28 14:37:21 -03:00
David Bremner
d25dcc589c lib: use phrase search for anything not ending in '*'
Anything that does not look like a wildcard should be safe to
quote. This should fix the problem searching for xapian keywords.
2019-03-28 14:34:37 -03:00
David Bremner
168211c563 test: add two known broken tests searching for xapian keywords
Thanks to plujon for pointing out this problem on IRC. The underlying
issue is that the quotes are stripped before the field processors get
the query string, and the heuristic for putting them back is not quite
right.
2019-03-28 14:32:11 -03:00
Luis Ressel
9f7e851263 Prepend regerror() messages with "regexp error: "
The exact error messages returned by regerror() aren't standardized;
relying on them isn't portable. Thus, add a a prefix to make clear that
the subsequent message is a regexp parsing error, and only look for this
prefix in the test suite, ignoring the rest of the message.
2019-03-11 22:24:55 -03:00
Luis Ressel
a1e649276e test/T030-config: Separate stdout and stderr output
POSIX doesn't specify the flushing behaviour of the STDOUT stream, so
it's invalid to assume a particular order between the stdout and stderr
output. The current test breaks on musl due to this.
2019-03-11 22:13:54 -03:00
David Bremner
71eaa19350 Merge branch 'release'
Changes from 0.28.3
2019-03-06 08:53:26 -04:00
David Bremner
e88297c072 lib/string_map: fix return type of string_cmp
I can't figure out how checking the sign of a bool ever worked. The
following program demonstrates the problem (i.e. for me it prints 1).

 #include <stdio.h>
 #include <stdbool.h>
 int main(int argc, char **argv) {
    bool x;
    x = -1;
    printf("x = %d\n", x);
 }

This seems to be mandated by the C99 standard 6.3.1.2.
2019-03-05 21:46:41 -04:00
David Bremner
09595cf577 lib: Add known broken test for string_map binary search.
Because the string_map functions are not exported, we test via message
properties.
2019-03-05 21:46:41 -04:00
rhn
b350c688e1 test: Check for replies obeying lifetime guarantees
The test attempts to check that a message coming from a thread outlives its messages list and gets destroyed together with the thread.
2019-01-25 20:37:26 -04:00
David Edmondson
576cff7654 reply: Include sender as recipient if they were the original recipient
When generating a reply message, if the user was the originator and
only recipient of the original message, include the user as a
recipient of the reply.
2018-12-07 08:03:50 -04:00
Maxime Coste
baa4185c30 cli: notmuch show support for --include-html with --format=text 2018-11-24 09:12:30 -04:00
Maxime Coste
37e5bc00ae cli: notmuch show support for --body=false with --format=text 2018-11-24 09:11:42 -04:00
Daniel Kahn Gillmor
311f530013 test: git should ignore message-id-parse
b31e44c678 introduced message-id-parse
as a new binary created by the test suite.  It shows up as something
additional to git, but git ought to know to ignore it.
2018-10-08 12:50:03 -03:00
David Edmondson
e8cb6b2cd6 emacs: Call `notmuch-mua-send-hook' hooks when sending a message
Previously any hook functions attached to `notmuch-mua-send-hook' were
ignored.
2018-09-28 20:22:42 -03:00
David Edmondson
4e213fe9b4 test: Check that `notmuch-mua-send-hook' is called on sending a message 2018-09-28 20:22:33 -03:00
David Bremner
c846e15ffe test: make regexp test conditional on field processors
Normally we'd mark it broken, but perversely missing regexp support
actually makes the test pass.
2018-09-14 08:54:20 -03:00
David Bremner
c6ba5522a5 test: mark thread subqueries broken without field processors
Currently these tests just fail when notmuch is built against Xapian
1.2.x
2018-09-14 08:54:09 -03:00
David Edmondson
4cd5a0a3d5 test: Absolute and relative directory paths. 2018-09-08 20:19:42 -03:00
David Bremner
87934c432c lib: change parent strategy to use In-Reply-To if it looks sane
As reported by Sean Whitton, there are mailers (in particular the
Debian Bug Tracking System) that have sensible In-Reply-To headers,
but un-useful-for-notmuch References (in particular with the BTS, the
oldest reference is last). I looked at a sample of about 200K
messages, and only about 0.5% these had something other than a single
message-id in In-Reply-To. On this basis, if we see a single
message-id in In-Reply-To, consider that as authoritative.
2018-09-06 08:07:13 -03:00
David Bremner
b31e44c678 lib: add _notmuch_message_id_parse_strict
The idea is that if a message-id parses with this function, the MUA
generating it was probably sane, and in particular it's probably safe
to use the result as a parent from In-Reply-to.
2018-09-06 08:07:13 -03:00
David Bremner
35053c2b9a test/thread-replies: mangle In-Reply-To's
In a future commit, we will start trusting In-Reply-To's when they
look sane (i.e. a single message-id). Modify these tests so they will
keep passing (i.e. keep choosing References) when that happens.
2018-09-06 08:07:13 -03:00
David Bremner
ea08032ae4 test: add known broken test for good In-Reply-To / bad References
The current scheme of choosing the replyto (i.e. the default parent
for threading purposes) does not work well for mailers that put
the oldest Reference last.
2018-09-06 08:07:13 -03:00
David Bremner
46dce33abc lib/thread: change _resolve_thread_relationships to use depths
We (finally) implement the XXX comment. It requires a bit of care not
to reparent all of the possible toplevel messages.

_notmuch_messages_has_next is not ready to be a public function yet,
since it punts on the mset case. We know in the one case it is called,
the notmuch_messages_t is just a regular list / iterator.
2018-09-06 08:07:13 -03:00
David Bremner
a330858284 lib/thread: initial use of references as for fallback parenting
This is mainly to lay out the structure of the final code. The problem
isn't really solved yet, although some very simple cases are
better (hence the fixed test). We need two passes through the messages
because we need to be careful not to re-parent too many messages and
end up without any toplevel messages.
2018-09-06 08:07:13 -03:00
David Bremner
9b568e73e1 lib/thread: sort sibling messages by date
For non-root messages, this should not should anything currently, as
the messages are already added in date order. In the future we will
add some non-root messages in a second pass out of order and the
sorting will be useful. It does fix the order of multiple
root-messages (although it is overkill for that).
2018-09-06 08:07:12 -03:00
David Bremner
ccb52edb4c test: add known broken tests for "ghost roots"
This documents the bug discussed at

     id:87efgmmysi.fsf@len.workgroup

The underlying issue is that the reply to a ghost (missing) message is
falsely classified as a root message in _resolve_thread_relationships.

There are two pairs of tests; in each case the the first test is
simpler / more robust, but also easier to fool.
2018-09-06 08:07:12 -03:00
David Bremner
ebd131ac07 test: start threading test corpus
There are 3 threads here, two synthetic, and one anonymized one using
data from Gregor. They test various aspects of thread
ordering/construction in the presence of replies to ghost messages.
2018-09-06 08:07:12 -03:00
David Bremner
dfda1745bf test/tag: add test for updating during batch tag operations
This clarifies that the breakage seen with Xapian 1.4.6 does not have
to do with "funny" tags.

This test is "known broken", but only with xapian 1.4.6, and there's
curently no convenient way to mark that.
2018-08-29 06:37:48 -03:00
Sebastian Poeplau
0f08bf7166 lib: detect mislabeled Windows-1252 parts
Use GMime functionality to detect mislabeled messages and apply the
correct (Windows) encoding instead.
2018-08-29 06:34:39 -03:00
Sebastian Poeplau
7074bb8f80 test: add known broken test for mislabeled Windows-1252 encoding
Messages that contain Windows-1252 are frequently mislabeled as ISO
8859-1, which may result in non-printable characters when displaying
the message. The test asserts that such characters (in this case
curved quotes) are displayed correctly.
2018-08-29 06:28:13 -03:00
David Bremner
46cf1a98f3 test: fix hardcoded paths in T050-new.sh
The previous paths will fail almost everywhere.
2018-05-26 16:46:44 -07:00
Daniel Kahn Gillmor
aa605f7e8a cli/show: enable --decrypt=stash
Add fancy new feature, which makes "notmuch show" capable of actually
indexing messages that it just decrypted.

This enables a workflow where messages can come in in the background
and be indexed using "--decrypt=auto".  But when showing an encrypted
message for the first time, it gets automatically indexed.

This is something of a departure for "notmuch show" -- in particular,
because it requires read/write access to the database.  However, this
might be a common use case -- people get mail delivered and indexed in
the background, but only want access to their secret key to happen
when they're directly interacting with notmuch itself.

In such a scenario, they couldn't search newly-delivered, encrypted
messages, but they could search for them once they've read them.

Documentation of this new feature also uses a table form, similar to
that found in the description of index.decrypt in notmuch-config(1).

A notmuch UI that wants to facilitate this workflow while also
offering an interactive search interface might instead make use of
these additional commands while the user is at the console:

Count received encrypted messages (if > 0, there are some things we
haven't yet tried to index, and therefore can't yet search):

     notmuch count tag:encrypted and \
         not property:index.decryption=success and \
         not property:index.decryption=failure

Reindex those messages:

     notmuch reindex --try-decrypt=true tag:encrypted and \
         not property:index.decryption=success and \
         not property:index.decryption=failure
2018-05-26 07:43:30 -07:00
Daniel Kahn Gillmor
9d114a8552 test-lib: add notmuch_show_part for "notmuch show --format=text"
Thanks to David Bremner for this improved readability!
2018-05-26 07:42:28 -07:00
David Bremner
84b2963726 test: use --full-scan in T050-new.sh
Wherever the test relies on directories being scanned, this option
should be used to avoid skipping them due to mtimes on directories
matching the database.
2018-05-22 09:29:59 -07:00
David Bremner
d1acff6153 test: add tests for notmuch new --full-scan
Most of these just check that adding the flag does not break existing
functionality. The one test that does check the full-scan
functionality had to be rewritten to output debugging info.
2018-05-22 09:29:48 -07:00
Thomas Schneider
b2e4778ea4 build: Allow user to specify ruby executable
This way, one can build for a different Ruby than $PATH/ruby
(e. g. different versions, or Ruby in other paths).

Signed-off-by: Thomas Schneider <qsx@chaotikum.eu>
2018-05-10 21:01:06 -03:00
David Bremner
5ad39ebf75 lib: add thread subqueries.
This change allows queries of the form

 thread:{from:me} and thread:{from:jian} and not thread:{from:dave}

This is still somewhat brute-force, but it's a big improvement over
both the shell script solution and the previous proposal [1], because it
does not build the whole thread structure just generate a
query. A further potential optimization is to replace the calls to
notmuch with more specialized Xapian code; in particular it's not
likely that reading all of the message metadata is a win here.

[1]: id:20170820213240.20526-1-david@tethera.net
2018-05-07 08:42:53 -03:00
Florian Klink
140e8fb118 T460-emacs-tree: sync $EXPECTED with test name
This syncs the $EXPECTED directory name with the tests filename.

Signed-off-by: Florian Klink <flokli@flokli.de>
2018-05-03 21:03:33 -03:00
Daniel Kahn Gillmor
c20a5eb805 move more http -> https
Correct URLs that have crept into the notmuch codebase with http://
when https:// is possible.

As part of this conversion, this changeset also indicates the current
preferred upstream URLs for both gmime and sup.  the new URLs are
https-enabled, the old ones are not.

This also fixes T310-emacs.sh, thanks to Bremner for catching it.
2018-05-03 20:59:20 -03:00
David Bremner
4ac23c5978 test: add known broken test for regexp search of second subject
We expect this to give the same answer as the non-regexp subject
search. It does not because the regexp search relies on the value
slot, which currently contains only one subject.
2018-05-03 07:44:49 -03:00
David Bremner
f3f4297c7f test: tests for python bindings get_property / get_properties
These roughly replicate the equivalent C tests, although they rely on
the database state created by the former tests, since the python
bindings currently provide read-only access to properties.
2018-05-02 20:30:51 -03:00
David Bremner
963ccabe93 Merge branch 'release'
reference loop fixes to be included in 0.26.2
2018-04-25 17:36:32 -03:00
David Bremner
e8ac065a50 test: re-enable disabled test in T700-reindex.sh
The extra test_done looks like a typo
2018-04-24 22:59:21 -03:00
David Bremner
491b1f4b40 lib: choose oldest message when breaking reference loops
This preserves a sensible thread order
2018-04-23 23:00:20 -03:00
David Bremner
4e085b6d92 test: add known broken test for thread ordering from a loop
The previous loop handling code chooses the last message in the
message list, which turns out to be the last in date order.
See the comment in _notmuch_thread_create.
2018-04-23 23:00:20 -03:00
David Bremner
9293d6da27 lib: break reference loop by choosing arbitrary top level msg
Other parts of notmuch (e.g. notmuch show) expect each thread to
contain at least one top level message, and crash if this expectation
is not met.
2018-04-20 11:23:31 -03:00
David Bremner
ab55ca8e0a test: add known broken test for indexing an In-Reply-To loop.
This documents the bug discussed in

     id:87d10042pu.fsf@curie.anarc.at
2018-04-20 11:23:31 -03:00
David Bremner
044cbd920c test: two new messages for the 'broken' corpus
These have an 'In-Reply-To' loop, which currently confuses "notmuch
new".
2018-04-20 11:23:31 -03:00
Georg Faerber
c117306f2d Fix typos as found by codespell
Signed-off-by: Georg Faerber <georg@riseup.net>
2018-03-24 20:09:54 -03:00
Daniel Kahn Gillmor
b6e3efde05 cli/insert: add --world-readable flag
In some cases (e.g. when building a publicly-visible e-mail archive)
it doesn't make any sense to restrict visibility of the message to the
current user account.

This adds a --world-readable boolean option for "notmuch insert", so
that those who want to archive their mail publicly can feed their
archiver with:

    notmuch insert --world-readable

Other local delivery agents (postfix's local, and dovecot's lda) all
default to delivery in mode 0600 rather than relying on the user's
umask, so this fix doesn't change the default.

Also, this does not override the user's umask.  if the umask is
already set tight, it will not become looser as the result of passing
--world-readable.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2018-03-24 20:08:11 -03:00
Daniel Kahn Gillmor
54982e520c fix typos 2018-01-04 20:35:58 -04:00
Daniel Kahn Gillmor
af8255fb71 cli/reply: make --decrypt take a keyword
This brings the --decrypt argument to "notmuch reply" into line with
the other --decrypt arguments (in "show", "new", "insert", and
"reindex").  This patch is really just about bringing consistency to
the user interface.

We also use the recommended form in the emacs MUA when replying, and
update test T350 to match.
2017-12-29 16:45:55 -04:00
Daniel Kahn Gillmor
8ea4a99d74 cli/show: make --decrypt take a keyword.
We also expand tab completion for it, update the emacs bindings, and
update T350, T357, and T450 to match.

Make use of the bool-to-keyword backward-compatibility feature.
2017-12-29 16:45:46 -04:00
Daniel Kahn Gillmor
0ada2a05c9 cli: some keyword options can be supplied with no argument
We might change some notmuch command line tools that used to be
booleans into keyword arguments.

In that case, there are some legacy tools that will expect to be able
to do "notmuch foo --bar" instead of "notmuch foo --bar=baz".

This patch makes it possible to support that older API, while
providing a warning and an encouragement to upgrade.
2017-12-29 16:45:35 -04:00
Daniel Kahn Gillmor
6aec7a76b9 python: add decrypt_policy argument to Database.index_file()
We adopt a pythonic idiom here with an optional argument, rather than
exposing the user to the C indexopts object directly.

This now includes a simple test to ensure that the decrypt_policy
argument works as expected.
2017-12-24 09:47:35 -04:00
Daniel Kahn Gillmor
b1de8e885d test: final named query test works regardless of Xapian FieldProcessor
This test passes with older versions of Xapian as well, because
neither query returns any results.

This should resolve the travis build failure at
https://travis-ci.org/notmuch/notmuch/builds/318571658

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-12-21 09:35:20 -04:00
David Bremner
7cfa1c6961 lib: return "" rather than NULL from notmuch_thread_get_authors
The current behaviour is at best under-documented. The modified test in
T470-missing-headers.sh previously relied on printf doing the right
thing with NULL, which seems icky.

The use of talloc_strdup here is probably overkill, but it avoids
having to enforce that thread->authors is never mutated outside
_resolve_thread_authors_string.
2017-12-21 09:22:30 -04:00
Daniel Kahn Gillmor
8e1c3fa5bb test: retrying lock tests are broken when built against older Xapian
If we're building against a version of Xapian that doesn't offer
retrying the lock, we should be honest and describe the tests as
broken, rather than marking them as missing a test prerequisite.

missing test prerequisites should be for specific components of the
test harness that are missing, not for the backend library notmuch
uses.
2017-12-19 07:14:13 -04:00
Daniel Kahn Gillmor
bace15c275 test: named query tests are broken when missing Xapian FieldProcessor
Named queries don't work without Xapian FieldProcessor.  Rather than
silently skipping them, we should explictly mark them as broken when
building against an older version of Xapian.
2017-12-19 07:14:07 -04:00
Daniel Kahn Gillmor
776a2982ae test: searching by absolute date is broken without Xapian FieldProcessor
Previously, the test suite had simply silently skipped the absolute
date test if we're using an archaic version of Xapian.  For
correctness, we should instead mark the test as broken.

This also changes from string to numeric comparison when checking
NOMTUCH_HAVE_XAPIAN_FIELD_PROCESSOR for consistency with other tests.
2017-12-19 07:14:03 -04:00
l-m-h@web.de
660f1a5a33 test: Add test to unset config items with the python bindings 2017-12-19 06:42:50 -04:00
l-m-h@web.de
3444c731d2 python: Rename get_config_list to get_configs
The old name has a bit of a feeling of hungarian notation.  Also many
generators in the core are named with the suffix "s" to indicate
iterables: dict.items, dict.keys for example.
2017-12-19 06:42:11 -04:00
l-m-h@web.de
7a07fd8625 test: Add tests for new python bindings
The tests where adopted from the tests for the corresponding C functions
in test/T590-libconfig.sh.
2017-12-19 06:41:23 -04:00
Jani Nikula
7354d6d8f6 test: test regexp based new.ignore
Just some basics.
2017-12-15 07:55:02 -04:00
Jani Nikula
f3fc97c000 cli: add support for only printing the addresses in notmuch address
The notmuch address output is much more useful for scripts with just
the addresses printed. Support this using the --output=address option.
2017-12-14 21:28:50 -04:00
Jani Nikula
ab4b033c70 test: expand argument parsing sanity checks
Test the various boolean formats and --no- prefixed boolean and
keyword flag arguments.
2017-12-13 08:31:03 -04:00
David Bremner
040c3236af Merge branch 'release'
Conflicts:
        NEWS

Add in NEWS from point release
2017-12-08 22:19:06 -04:00
David Bremner
151b2c3747 test/emacs: add exploit mitigation test
This test will pass if either the notmuch show mitigation code is
working correctly, or upstream emacs mime handling code has it's own
fix for https://bugs.gnu.org/28350.
2017-12-08 20:36:20 -04:00
Daniel Kahn Gillmor
cb855d8a9d crypto: signature verification reports valid User IDs
When i'm trying to understand a message signature, i care that i know
who it came from (the "validity" of the identity associated with the
key), *not* whether i'm willing to accept the keyholder's other
identity assertions (the "trust" associated with the certificate).

We've been reporting User ID information based on the "trust"
associated with the certificate, because GMime didn't clearly expose
the validity of the User IDs.

This change relies on fixes made in GMime 3.0.3 and later which
include https://github.com/jstedfast/gmime/pull/18.
2017-12-08 20:35:18 -04:00
Daniel Kahn Gillmor
fccebbaeef crypto: add --decrypt=nostash to avoid stashing session keys
Here's the configuration choice for people who want a cleartext index,
but don't want stashed session keys.

Interestingly, this "nostash" decryption policy is actually the same
policy that should be used by "notmuch show" and "notmuch reply",
since they never modify the index or database when they are invoked
with --decrypt.

We take advantage of this parallel to tune the behavior of those
programs so that we're not requesting session keys from GnuPG during
"show" and "reply" that we would then otherwise just throw away.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
29648a137c crypto: actually stash session keys when decrypt=true
If you're going to store the cleartext index of an encrypted message,
in most situations you might just as well store the session key.
Doing this storage has efficiency and recoverability advantages.

Combined with a schedule of regular OpenPGP subkey rotation and
destruction, this can also offer security benefits, like "deletable
e-mail", which is the store-and-forward analog to "forward secrecy".

But wait, i hear you saying, i have a special need to store cleartext
indexes but it's really bad for me to store session keys!  Maybe
(let's imagine) i get lots of e-mails with incriminating photos
attached, and i want to be able to search for them by the text in the
e-mail, but i don't want someone with access to the index to be
actually able to see the photos themselves.

Fret not, the next patch in this series will support your wacky
uncommon use case.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
6a9626a2fd cli/reindex: destroy stashed session keys when --decrypt=false
There are some situations where the user wants to get rid of the
cleartext index of a message.  For example, if they're indexing
encrypted messages normally, but suddenly they run across a message
that they really don't want any trace of in their index.

In that case, the natural thing to do is:

   notmuch reindex --decrypt=false id:whatever@example.biz

But of course, clearing the cleartext index without clearing the
stashed session key is just silly.  So we do the expected thing and
also destroy any stashed session keys while we're destroying the index
of the cleartext.

Note that stashed session keys are stored in the xapian database, but
xapian does not currently allow safe deletion (see
https://trac.xapian.org/ticket/742).

As a workaround, after removing session keys and cleartext material
from the database, the user probably should do something like "notmuch
compact" to try to purge whatever recoverable data is left in the
xapian freelist.  This problem really needs to be addressed within
xapian, though, if we want it fixed right.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
076f86025d cli/new, insert, reindex: change index.decrypt to "auto" by default
The new "auto" decryption policy is not only good for "notmuch show"
and "notmuch reindex".  It's also useful for indexing messages --
there's no good reason to not try to go ahead and index the cleartext
of a message that we have a stashed session key for.

This change updates the defaults and tunes the test suite to make sure
that they have taken effect.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
a1260896f6 cli/show: use decryption policy "auto" by default.
When showing a message, if the user doesn't specify --decrypt= at all,
but a stashed session key is known to notmuch, notmuch should just go
ahead and try to decrypt the message with the session key (without
bothering the user for access to their asymmetric secret key).

The user can disable this at the command line with --decrypt=false if
they really don't want to look at the e-mail that they've asked
notmuch to show them.

and of course, "notmuch show --decrypt" still works for accessing the
user's secret keys if necessary.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
6802b333eb cli/reply: use decryption policy "auto" by default.
If the user doesn't specify --decrypt= at all, but a stashed session
key is known to notmuch, when replying to an encrypted message,
notmuch should just go ahead and decrypt.

The user can disable this at the command line with --decrypt=false,
though it's not clear why they would ever want to do that.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
e4890b5bf9 crypto: new decryption policy "auto"
This new automatic decryption policy should make it possible to
decrypt messages that we have stashed session keys for, without
incurring a call to the user's asymmetric keys.
2017-12-08 08:07:53 -04:00
Daniel Kahn Gillmor
798aa789b5 lib: convert notmuch decryption policy to an enum
Future patches in this series will introduce new policies; this merely
readies the way for them.

We also convert --try-decrypt to a keyword argument instead of a boolean.
2017-12-08 08:07:02 -04:00
Daniel Kahn Gillmor
d3964e81ac indexing: Change from try_decrypt to decrypt
the command-line interface for indexing (reindex, new, insert) used
--try-decrypt; and the configuration records used index.try_decrypt.
But by comparison with "show" and "reply", there doesn't seem to be
any reason for the "try" prefix.

This changeset adjusts the command-line interface and the
configuration interface.

For the moment, i've left indexopts_{set,get}_try_decrypt alone.  The
subsequent changeset will address those.
2017-12-08 08:05:53 -04:00
Daniel Kahn Gillmor
9d23ebfcc3 test: session keys are known broken without session key support
If the version of GMime we're building against doesn't support session
key extraction or re-use, mark the tests that rely on session key
capabilities as known-broken.

This should resolve test suite failures on ubuntu trusty and debian
jessie and earlier, which have GMime 2.6.20 -- session key support was
introduced in GMime 2.6.21.
2017-12-05 20:09:25 -04:00
Daniel Kahn Gillmor
6d7249fec9 crypto: Test restore of cleartext index from stashed session keys
If you've got a notmuch dump that includes stashed session keys for
every decrypted message, and you've got your message archive, you
should be able to get back to the same index that you had before.

Here we add a simple test that give some flavor of how that works.
2017-12-04 21:53:05 -04:00
Daniel Kahn Gillmor
836ec85b0c test/corpora: add an encrypted message for index decryption tests 2017-12-04 21:53:05 -04:00
David Bremner
1e4e8e3bf5 test: unbreak performance tests
In 8e7fb88237 Jani replaced the use of $(pwd -P) to find the
TEST_DIRECTORY in order to better support out of tree
builds. Unfortunately the performance-tests need a different value for
the variable and were thus broken.

This commit splits out the setting of this variable for the two sets
of tests.  Performance tests still don't work out of tree, because
the handling of the downloaded corpus needs to be updated.
2017-12-04 21:04:38 -04:00
Jani Nikula
cf08295c50 test: test notmuch insert --folder=""
Test insert into top level folder.
2017-11-08 09:47:14 -05:00
Jani Nikula
1b91884296 test: fix test database backup/restore location
backup_database() and restore_database() used to store the backups in
the test specific temporary directory, through the current working
directory being there. Commit 8e7fb88237 ("test: use source and
build paths in test-lib-common.sh") started using a test specific
backup directories under the build tree test directory. This was in
error. Switch back to the old location, but using paths to the
location instead of relying on current working directory.

Reported by Daniel Kahn Gillmor <dkg@fifthhorseman.net>.
2017-10-29 09:30:30 -07:00
Daniel Kahn Gillmor
8116891744 cli/reindex: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting on a per-run basis
when invoking "notmuch reindex".  This allows the possibility of (for
example) an emacs keybinding that adds the cleartext of the currently
shown decrypted message to the index, making it searchable in the
future.

It also enables one-time indexing of all messages matching some query,
like so:

    notmuch reindex tag:encrypted and\
       not property:index.decryption=success and\
       from:alice@example.org

We also update the documentation and tab completion, and add a few
more tests.
2017-10-21 19:58:52 -03:00
Daniel Kahn Gillmor
c5356b9ed5 cli/insert: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting on a per-message
basis when invoking "notmuch insert".

We also update the documentation and tab completion, and add more tests.
2017-10-21 19:58:43 -03:00
Daniel Kahn Gillmor
35456d4b0c cli/new: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting during "notmuch new"
on a per-invocation basis.

We update the documentation and tab completion, and also add a test.
2017-10-21 19:58:32 -03:00
Daniel Kahn Gillmor
92f318abe4 tests: emacs_fcc_message: allow passing --arguments to notmuch new
Subsequent patches may want to send GNU-style --long-arguments to
notmuch new in the test suite, in particular when invoking
emacs_fcc_message.  This changeset makes that possible.
2017-10-21 19:58:23 -03:00
Jani Nikula
d7929d61a2 test: use source path in add_gnupg_home
Make a distinction between source and build directories.
2017-10-21 16:34:04 -03:00