fix(GODT-3048): WKD Policy behavior

Ensure Bridge respects the no encrypt setting on a contact which has a WKD key.
2025-12-21 17:46:48 +00:00 · 2023-11-08 13:28:32 +01:00
parent e8d9534b9c
commit 4a01c46aed
5 changed files with 93 additions and 20 deletions
--- a/internal/services/smtp/smtp_prefs.go
+++ b/internal/services/smtp/smtp_prefs.go
@ -34,13 +34,14 @@ const (
 )

 type contactSettings struct {
-	Email     string
-	Keys      []string
-	Scheme    string
-	Sign      bool
-	SignIsSet bool
-	Encrypt   bool
-	MIMEType  rfc822.MIMEType
+	Email            string
+	Keys             []string
+	Scheme           string
+	Sign             bool
+	SignIsSet        bool
+	Encrypt          bool
+	EncryptUntrusted bool
+	MIMEType         rfc822.MIMEType
 }

 // newContactSettings converts the API settings into our local settings.
@ -61,6 +62,12 @@ func newContactSettings(settings proton.ContactSettings) *contactSettings {
 		metadata.Encrypt = *settings.Encrypt
 	}

+	if settings.EncryptUntrusted != nil {
+		metadata.EncryptUntrusted = *settings.EncryptUntrusted
+	} else {
+		metadata.EncryptUntrusted = true
+	}
+
 	if settings.Scheme != nil {
 		switch *settings.Scheme { // nolint:exhaustive
 		case proton.PGPMIMEScheme:
@ -426,9 +433,12 @@ func (b *sendPrefsBuilder) setExternalPGPSettingsWithWKDKeys(
 		return errors.New("an API key is necessary but wasn't provided")
 	}

-	// We always encrypt and sign external mail if WKD keys are present.
-	b.withEncrypt(true)
-	b.withSign(true)
+	b.withEncrypt(vCardData.EncryptUntrusted)
+	if vCardData.EncryptUntrusted {
+		b.withSign(true)
+	} else if vCardData.SignIsSet {
+		b.withSign(vCardData.Sign)
+	}

 	// If the contact has a specific Scheme preference, we set it (otherwise we
 	// leave it unset to allow it to be filled in with the default value later).