From cbe4e68c072239608a5b59d50dec399cb36699b0 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Thu, 1 Feb 2018 09:19:14 -0800
Subject: [PATCH] Add a Herald action to trigger "Must Encrypt" for mail

Summary: Depends on D18983. Ref T13053. Adds a new Herald action to activate the "must encrypt" flag and drop mail content.

Test Plan:
- Created a new Herald rule: {F5407075}
- Created a "dog task" (woof woof, unsecure) and a "duck task" (quack quack, secure).
- Viewed mail for both in `bin/mail` and web UI, saw appropriate security/encryption behavior.
- Viewed "Must Encrypt" in "Headers" tab for the duck mail, saw why the mail was encrypted (link to Herald rule).

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13053

Differential Revision: https://secure.phabricator.com/D18984
---
 src/__phutil_library_map__.php | 2 +
 .../herald/adapter/HeraldAdapter.php | 14 +++++
 .../PhabricatorMetaMTAMailViewController.php | 9 +++
 ...PhabricatorMailMustEncryptHeraldAction.php | 62 +++++++++++++++++++
 .../PhabricatorMetaMTAEmailHeraldAction.php | 4 ++
 .../storage/PhabricatorMetaMTAMail.php | 9 +++
 ...habricatorApplicationTransactionEditor.php | 11 ++++
 7 files changed, 111 insertions(+)
 create mode 100644 src/applications/metamta/herald/PhabricatorMailMustEncryptHeraldAction.php

diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
index 32985c76c0..f0e2d29cfc 100644
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -3189,6 +3189,7 @@ phutil_register_library_map(array( 'PhabricatorMailManagementUnverifyWorkflow' => 'applications/metamta/management/PhabricatorMailManagementUnverifyWorkflow.php', 'PhabricatorMailManagementVolumeWorkflow' => 'applications/metamta/management/PhabricatorMailManagementVolumeWorkflow.php', 'PhabricatorMailManagementWorkflow' => 'applications/metamta/management/PhabricatorMailManagementWorkflow.php', + 'PhabricatorMailMustEncryptHeraldAction' => 'applications/metamta/herald/PhabricatorMailMustEncryptHeraldAction.php', 'PhabricatorMailOutboundMailHeraldAdapter' => 'applications/metamta/herald/PhabricatorMailOutboundMailHeraldAdapter.php', 'PhabricatorMailOutboundRoutingHeraldAction' => 'applications/metamta/herald/PhabricatorMailOutboundRoutingHeraldAction.php', 'PhabricatorMailOutboundRoutingSelfEmailHeraldAction' => 'applications/metamta/herald/PhabricatorMailOutboundRoutingSelfEmailHeraldAction.php', @@ -8674,6 +8675,7 @@ phutil_register_library_map(array( 'PhabricatorMailManagementUnverifyWorkflow' => 'PhabricatorMailManagementWorkflow', 'PhabricatorMailManagementVolumeWorkflow' => 'PhabricatorMailManagementWorkflow', 'PhabricatorMailManagementWorkflow' => 'PhabricatorManagementWorkflow', + 'PhabricatorMailMustEncryptHeraldAction' => 'HeraldAction', 'PhabricatorMailOutboundMailHeraldAdapter' => 'HeraldAdapter', 'PhabricatorMailOutboundRoutingHeraldAction' => 'HeraldAction', 'PhabricatorMailOutboundRoutingSelfEmailHeraldAction' => 'PhabricatorMailOutboundRoutingHeraldAction', diff --git a/src/applications/herald/adapter/HeraldAdapter.php b/src/applications/herald/adapter/HeraldAdapter.php index 9d56f474ff..cc0fdbd3b5 100644 --- a/src/applications/herald/adapter/HeraldAdapter.php +++ b/src/applications/herald/adapter/HeraldAdapter.php 
@@ -39,6 +39,7 @@ abstract class HeraldAdapter extends Phobject {
 private $edgeCache = array();
 private $forbiddenActions = array();
 private $viewer;
+ private $mustEncryptReasons = array();
 public function getEmailPHIDs() {
 return array_values($this->emailPHIDs);
@@ -1182,4 +1183,17 @@ abstract class HeraldAdapter extends Phobject {
 return $this->forbiddenActions[$action];
 }
+
+/* -( Must Encrypt )------------------------------------------------------- */
+
+
+ final public function addMustEncryptReason($reason) {
+ $this->mustEncryptReasons[] = $reason;
+ return $this;
+ }
+
+ final public function getMustEncryptReasons() {
+ return $this->mustEncryptReasons;
+ }
+
 }
diff --git a/src/applications/metamta/controller/PhabricatorMetaMTAMailViewController.php b/src/applications/metamta/controller/PhabricatorMetaMTAMailViewController.php
index 20bbc425b5..1aca34c2ea 100644
--- a/src/applications/metamta/controller/PhabricatorMetaMTAMailViewController.php
+++ b/src/applications/metamta/controller/PhabricatorMetaMTAMailViewController.php
@@ -175,6 +175,15 @@ final class PhabricatorMetaMTAMailViewController
 $properties->addProperty($key, $value);
 }
+ $encrypt_phids = $mail->getMustEncryptReasons();
+ if ($encrypt_phids) {
+ $properties->addProperty(
+ pht('Must Encrypt'),
+ $viewer->loadHandles($encrypt_phids)
+ ->renderList());
+ }
+
+
 return $properties;
 }
diff --git a/src/applications/metamta/herald/PhabricatorMailMustEncryptHeraldAction.php b/src/applications/metamta/herald/PhabricatorMailMustEncryptHeraldAction.php
new file mode 100644
index 0000000000..f8cf7ee204
--- /dev/null
+++ b/src/applications/metamta/herald/PhabricatorMailMustEncryptHeraldAction.php
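Review bot: The values collected by `addMustEncryptReason()` in the second HeraldAdapter hunk are untyped "reasons", but the only consumer visible on this page, the PhabricatorMetaMTAMailViewController hunk, passes them straight into `$viewer->loadHandles($encrypt_phids)`, so anything that is not a PHID would fail or mis-render in the mail view. The new action on this page records a rule PHID, which satisfies that, but the adapter API does not state the requirement anywhere. Suggested docblock on `addMustEncryptReason()`: `/** Record that a Herald rule required this mail to be encrypted. @param string $reason PHID of the rule; the mail view renders these as handles. */`. The same contract applies to `setMustEncryptReasons()` in the PhabricatorMetaMTAMail hunk, which stores the list as a param without checking it.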
@@ -0,0 +1,62 @@
+getRule()->getPHID();
+
+ $adapter = $this->getAdapter();
+ $adapter->addMustEncryptReason($rule_phid);
+
+ $this->logEffect(self::DO_MUST_ENCRYPT, array($rule_phid));
+ }
+
+ protected function getActionEffectMap() {
+ return array(
+ self::DO_MUST_ENCRYPT => array(
+ 'icon' => 'fa-shield',
+ 'color' => 'blue',
+ 'name' => pht('Must Encrypt'),
+ ),
+ );
+ }
+
+ protected function renderActionEffectDescription($type, $data) {
+ switch ($type) {
+ case self::DO_MUST_ENCRYPT:
+ return pht(
+ 'Made it a requirement that mail content be transmitted only '.
+ 'over secure channels.');
+ }
+ }
+
+ }
diff --git a/src/applications/metamta/herald/PhabricatorMetaMTAEmailHeraldAction.php b/src/applications/metamta/herald/PhabricatorMetaMTAEmailHeraldAction.php
index 74fb879fe7..383b8ebd36 100644
--- a/src/applications/metamta/herald/PhabricatorMetaMTAEmailHeraldAction.php
+++ b/src/applications/metamta/herald/PhabricatorMetaMTAEmailHeraldAction.php
@@ -13,6 +13,10 @@ abstract class PhabricatorMetaMTAEmailHeraldAction
 }
 public function supportsObject($object) {
+ return self::isMailGeneratingObject($object);
+ }
+
+ public static function isMailGeneratingObject($object) {
 // NOTE: This implementation lacks generality, but there's no great way to
 // figure out if something generates email right now.
diff --git a/src/applications/metamta/storage/PhabricatorMetaMTAMail.php b/src/applications/metamta/storage/PhabricatorMetaMTAMail.php
index c203e86530..a9736c1766 100644
--- a/src/applications/metamta/storage/PhabricatorMetaMTAMail.php
+++ b/src/applications/metamta/storage/PhabricatorMetaMTAMail.php
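Review bot: The head of the new-file hunk is not visible on this page: the text begins at `getRule()->getPHID();`, so the class declaration, its constants and `supportsObject()` for PhabricatorMailMustEncryptHeraldAction could not be reviewed here (the leading lines appear to have been lost in extraction, presumably from the `<?php` opener onward). In the visible part, `renderActionEffectDescription()` has a `switch` with no `default`, so any `$type` other than `DO_MUST_ENCRYPT` yields an implicit null; if the project's other Herald actions follow the same pattern this is consistent, otherwise a `default:` branch returning a generic description would make the omission explicit. `applyEffect()` records only the rule PHID as the reason and logs the effect with the same value, which is what the mail view later resolves to a handle.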
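Review bot: `isMailGeneratingObject()` is promoted to a `public static` API in the PhabricatorMetaMTAEmailHeraldAction hunk without a docblock, while the inline NOTE it inherits says the check is a heuristic rather than a reliable test; callers in other classes can no longer see that caveat at the call site. A docblock such as `/** Best-effort check for whether $object generates mail; see the NOTE below for the limits of the heuristic. */` would carry it across. The method body continues past the end of the hunk, so its return values were not reviewed.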
@@ -259,6 +259,15 @@ final class PhabricatorMetaMTAMail
 return $this->getParam('mustEncrypt', false);
 }
+ public function setMustEncryptReasons(array $reasons) {
+ $this->setParam('mustEncryptReasons', $reasons);
+ return $this;
+ }
+
+ public function getMustEncryptReasons() {
+ return $this->getParam('mustEncryptReasons', array());
+ }
+
 public function setHTMLBody($html) {
 $this->setParam('html-body', $html);
 return $this;
diff --git a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
index 155592fc4e..0dc6a06fbf 100644
--- a/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
+++ b/src/applications/transactions/editor/PhabricatorApplicationTransactionEditor.php
@@ -71,6 +71,7 @@ abstract class PhabricatorApplicationTransactionEditor
 private $mailShouldSend = false;
 private $modularTypes;
 private $silent;
+ private $mustEncrypt;
 private $transactionQueue = array();
@@ -2549,6 +2550,13 @@ abstract class PhabricatorApplicationTransactionEditor
 $this->loadHandles($xactions);
 $mail = $this->buildMailForTarget($object, $xactions, $target);
+
+ if ($this->mustEncrypt) {
+ $mail
+ ->setMustEncrypt(true)
+ ->setMustEncryptReasons($this->mustEncrypt);
+ }
+
 } catch (Exception $ex) {
 $caught = $ex;
 }
@@ -3214,6 +3222,8 @@ abstract class PhabricatorApplicationTransactionEditor
 $adapter->getQueuedHarbormasterBuildRequests());
 }
+ $this->mustEncrypt = $adapter->getMustEncryptReasons();
+
 return array_merge(
 $this->didApplyHeraldRules($object, $adapter, $xscript),
 $adapter->getQueuedTransactions());
@@ -3558,6 +3568,7 @@ abstract class PhabricatorApplicationTransactionEditor
 'feedRelatedPHIDs',
 'feedShouldPublish',
 'mailShouldSend',
+ 'mustEncrypt',
 );
 }
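Review bot: In the PhabricatorMetaMTAMail hunk, `setMustEncryptReasons()` stores only the explanation; the enforced behaviour is driven by the separate `mustEncrypt` param read by `getMustEncrypt()`, and nothing in the storage class ties the two together. The editor hunk at `@@ -2549` sets both in one chain, but the mail view on this page labels the property "Must Encrypt" from the reasons alone, so a future caller that sets one without the other would produce a mail that displays as encrypted but is not, or the reverse. Suggested docblock on the setter: `/** Record why encryption was required (Herald rule PHIDs). Does not set the flag itself; pair with setMustEncrypt(true). */`. Whether the Herald pass at `@@ -3214` always runs before the per-target mail build at `@@ -2549` is not visible here; the assignment to `$this->mustEncrypt` relies on that ordering, and the key added to the list at `@@ -3558` presumably carries it across the worker boundary.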