Re: [PATCH v2 5/5] cli/show: enable --decrypt=stash

2018-05-01 Thread David Bremner
Daniel Kahn Gillmor writes:

> +
> +Note: ``--decrypt=stash`` requires a writable database.
> +Otherwise, ``notmuch show`` operates entirely in read-only mode.
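
Review bot: The note on ``--decrypt=stash`` says a writable database is required but not what ``notmuch show`` does when it cannot get one. State whether the command fails outright or still displays the cleartext without stashing, so that a caller working against a read-only database knows what to expect.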

I would rephrase this as "requires write access to the database";
otherwise it sounds like "writable" (or lack) is a persistent property of
databases.


> +# show the message using stashing decryption
> +test_begin_subtest "stash decryption during show"
> +output=$(notmuch show --decrypt=stash tag:encrypted subject:002 | awk 
> '/^\014part}/{ f=0 }; { if (f) { print $0 } } /^\014part{ ID: 3/{ f=1 }')
> +expected='This is a test encrypted message with a wumpus.'
> +test_expect_equal \
> +"$output" \
> +"$expected"
> +

This is a bit hard to follow. I think it would be better to isolate this
kind of parsing in a function in test-lib.sh; then at least the name
would suggest the intent.

> +test_begin_subtest "search should now show the contents"

I think the point is not that it _shows_ the contents, but that it finds
them.

> +output=$(notmuch search wumpus)
> +expected='thread:0003   2000-01-01 [1/1] Notmuch Test Suite; 
> test encrypted message for cleartext index 002 (encrypted inbox unread)'
> +if [ $NOTMUCH_HAVE_GMIME_SESSION_KEYS -eq 0 ]; then
> +test_subtest_known_broken
> +fi
> +test_expect_equal \
> +"$output" \
> +"$expected"
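
Review bot: In the "search should now show the contents" subtest, $NOTMUCH_HAVE_GMIME_SESSION_KEYS is unquoted inside `[ ... -eq 0 ]`, so if the variable is unset or empty the expression is malformed and test_subtest_known_broken is skipped without the test noticing. Quote it or give it a default, e.g. `[ "${NOTMUCH_HAVE_GMIME_SESSION_KEYS:-0}" -eq 0 ]`, if an unset value should count as "no session-key support".
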
___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
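
A helper of the kind suggested in the reply above, as an added example that is not part of the thread or of notmuch's test-lib.sh. The name show_part_body, the exact "ID: N," match and the sample input are assumptions made here.

```shell
#!/bin/sh
# Hypothetical helper: the name and interface are assumptions, not notmuch's
# own test-lib.sh. Reads "notmuch show" text output on stdin and prints the
# body of the part whose ID is $1.
show_part_body () {
    awk -v id="$1" '
        BEGIN {
            # Assumed part framing: form feed (\014) + "part{ ID: N, ..."
            start = "\014part{ ID: " id ","
            stop  = "\014part}"
        }
        index($0, stop) == 1  { inside = 0 }   # closing marker ends the part
        inside                { print }        # body lines only
        index($0, start) == 1 { inside = 1 }   # exact ID, so 3 never matches 30
    '
}

# Constructed sample input (not real notmuch output).
sample_show_output () {
    printf '\014part{ ID: 3, Content-type: text/plain\n'
    printf 'This is a test encrypted message with a wumpus.\n'
    printf '\014part}\n'
    printf '\014part{ ID: 30, Content-type: text/plain\n'
    printf 'unrelated part\n'
    printf '\014part}\n'
}

# Stand-alone demonstration on the constructed sample.
sample_show_output | show_part_body 3
```

With such a helper the subtest's pipeline would end in `| show_part_body 3` instead of the inline awk program.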


[PATCH v2 5/5] cli/show: enable --decrypt=stash

2018-01-09 Thread Daniel Kahn Gillmor
Add fancy new feature, which makes "notmuch show" capable of actually
indexing messages that it just decrypted.

This enables a workflow where messages can come in in the background
and be indexed using "--decrypt=auto".  But when showing an encrypted
message for the first time, it gets automatically indexed.

This is something of a departure for "notmuch show" -- in particular,
because it requires read/write access to the database.  However, this
might be a common use case -- people get mail delivered and indexed in
the background, but only want access to their secret key to happen
when they're directly interacting with notmuch itself.

In such a scenario, they couldn't search newly-delivered, encrypted
messages, but they could search for them once they've read them.

Documentation of this new feature also uses a table form, similar to
that found in the description of index.decrypt in notmuch-config(1).

A notmuch UI that wants to facilitate this workflow while also
offering an interactive search interface might instead make use of
these additional commands while the user is at the console:

Count received encrypted messages (if > 0, there are some things we
haven't yet tried to index, and therefore can't yet search):

 notmuch count tag:encrypted and \
 not property:index.decryption=success and \
 not property:index.decryption=failure

Reindex those messages:

 notmuch reindex --try-decrypt=true tag:encrypted and \
 not property:index.decryption=success and \
 not property:index.decryption=failure
---
 completion/notmuch-completion.bash |  2 +-
 doc/man1/notmuch-show.rst  | 40 --
 notmuch-show.c |  9 +++--
 test/T357-index-decryption.sh  | 18 +
 4 files changed, 60 insertions(+), 9 deletions(-)

diff --git a/completion/notmuch-completion.bash 
b/completion/notmuch-completion.bash
index 249b9664..15425697 100644
--- a/completion/notmuch-completion.bash
+++ b/completion/notmuch-completion.bash
@@ -522,7 +522,7 @@ _notmuch_show()
return
;;
 --decrypt)
-   COMPREPLY=( $( compgen -W "true auto false" -- "${cur}" ) )
+   COMPREPLY=( $( compgen -W "true auto false stash" -- "${cur}" ) )
return
;;
 esac
diff --git a/doc/man1/notmuch-show.rst b/doc/man1/notmuch-show.rst
index 2b825ccc..66e8024c 100644
--- a/doc/man1/notmuch-show.rst
+++ b/doc/man1/notmuch-show.rst
@@ -110,7 +110,7 @@ Supported options for **show** include
 supported with --format=json and --format=sexp), and the
 multipart/signed part will be replaced by the signed data.
 
-``--decrypt=(false|auto|true)``
+``--decrypt=(false|auto|true|stash)``
 If ``true``, decrypt any MIME encrypted parts found in the
 selected content (i.e. "multipart/encrypted" parts). Status of
 the decryption will be reported (currently only supported
@@ -118,17 +118,45 @@ Supported options for **show** include
 decryption the multipart/encrypted part will be replaced by
 the decrypted content.
 
+``stash`` behaves like ``true``, but upon successful decryption it
+will also stash the message's session key in the database, and
+index the cleartext of the message, enabling automatic decryption
+in the future.
+
 If ``auto``, and a session key is already known for the
 message, then it will be decrypted, but notmuch will not try
 to access the user's keys.
 
 Use ``false`` to avoid even automatic decryption.
 
-Non-automatic decryption expects a functioning
-**gpg-agent(1)** to provide any needed credentials. Without
-one, the decryption will fail.
-
-Note: ``true`` implies --verify.
+Non-automatic decryption (``stash`` or ``true``, in the absence of
+a stashed session key) expects a functioning **gpg-agent(1)** to
+provide any needed credentials. Without one, the decryption will
+fail.
+
+Note: setting either ``true`` or ``stash`` here implies
+``--verify``.
+
+Here is a table that summarizes each of these policies:
+
+++---+--+--+---+
+|| false | auto | true | stash |
+++===+==+==+===+
+| Show cleartext if  |   |  X   |  X   |   X   |
+| session key is |   |  |  |   |
+| already known  |   |  |  |   |
+++---+--+--+---+
+| Use secret keys to |   |  |  X   |   X   |
+| show cleartext |   |  |  |   |
+++---+--+--+---+
+| Stash any newly|   |  |  |   X   |
+| recovered session keys,|   |  |  |   |
+| reindexing message if  |   |  |  |   |
+| found  |   |  |  |   |
+
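
Review bot: The new ``stash`` paragraph in notmuch-show.rst says the session key is stored in the database and the cleartext is indexed, but not what that means for confidentiality. Per the ``auto`` description, a known session key lets the message be decrypted without touching the user's keys, so after a ``stash`` anyone who can read the database can read that message. Add a sentence saying so, for example that the database then needs the same protection as the cleartext.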