feat(cli): agent read commands (list/get/search/ack) with policy filtering
This commit is contained in:
@@ -0,0 +1,217 @@
|
||||
package cli
|
||||
|
||||
import (
|
||||
"io"
|
||||
"time"
|
||||
|
||||
"git.dcglab.co.uk/steve/emcli/internal/mail"
|
||||
"git.dcglab.co.uk/steve/emcli/internal/policy"
|
||||
"git.dcglab.co.uk/steve/emcli/internal/store"
|
||||
)
|
||||
|
||||
// Mailer is the subset of the IMAP client the agent commands use.
|
||||
type Mailer interface {
|
||||
SelectFolder(folder string) (uint32, uint32, error)
|
||||
FetchHeaders(folder string, uids []uint32) ([]mail.Header, error)
|
||||
FetchHeadersRange(folder string, since, before uint32, limit int) ([]mail.Header, error)
|
||||
FetchFull(folder string, uid uint32) (mail.Message, error)
|
||||
Search(folder string, sc mail.SearchCriteria, limit int) ([]mail.Header, error)
|
||||
Logout() error
|
||||
}
|
||||
|
||||
type Deps struct {
|
||||
Store *store.Store
|
||||
Dial func(store.Account) (Mailer, error)
|
||||
Now func() time.Time
|
||||
Out io.Writer
|
||||
}
|
||||
|
||||
func (d Deps) emit(e Envelope) error { return e.Write(d.Out) }
|
||||
|
||||
func (d Deps) audit(account, action, target, result, reason string) {
|
||||
_ = d.Store.Audit(d.Now(), store.AuditEntry{
|
||||
Account: account, Action: action, Target: target, Result: result, Reason: reason,
|
||||
})
|
||||
}
|
||||
|
||||
// setup loads the account, builds the inbound rule, dials IMAP, and selects the
|
||||
// folder (establishing the baseline). Returns a cleanup func.
|
||||
func (d Deps) setup(account, folder string) (store.Account, policy.InboundRule, Mailer, func(), *Envelope) {
|
||||
acc, err := d.Store.GetAccount(account)
|
||||
if err != nil {
|
||||
e := Failure(CodeNotFound, "account not found: "+account)
|
||||
return acc, policy.InboundRule{}, nil, nil, &e
|
||||
}
|
||||
re, err := policy.CompileSubject(acc.SubjectRegex)
|
||||
if err != nil {
|
||||
e := Failure(CodeConfig, "invalid subject_regex: "+err.Error())
|
||||
return acc, policy.InboundRule{}, nil, nil, &e
|
||||
}
|
||||
wlIn, _ := d.Store.ListWhitelist(account, store.DirIn)
|
||||
rule := policy.InboundRule{
|
||||
WhitelistInEnabled: acc.WhitelistInEnabled,
|
||||
WhitelistIn: wlIn,
|
||||
SubjectRegex: re,
|
||||
}
|
||||
m, err := d.Dial(acc)
|
||||
if err != nil {
|
||||
e := Failure(CodeNetwork, "imap connect failed: "+err.Error())
|
||||
return acc, rule, nil, nil, &e
|
||||
}
|
||||
uidv, maxUID, err := m.SelectFolder(folder)
|
||||
if err != nil {
|
||||
m.Logout()
|
||||
e := Failure(CodeNetwork, "select folder failed: "+err.Error())
|
||||
return acc, rule, nil, nil, &e
|
||||
}
|
||||
if err := d.Store.EnsureFolderBaseline(account, folder, uidv, maxUID); err != nil {
|
||||
m.Logout()
|
||||
e := Failure(CodeDB, err.Error())
|
||||
return acc, rule, nil, nil, &e
|
||||
}
|
||||
return acc, rule, m, func() { m.Logout() }, nil
|
||||
}
|
||||
|
||||
func headerMap(h mail.Header) map[string]any {
|
||||
return map[string]any{
|
||||
"uid": h.UID, "from": h.From, "to": h.To, "subject": h.Subject,
|
||||
"date": h.Date, "message_id": h.MessageID, "has_attachments": h.HasAttachments,
|
||||
}
|
||||
}
|
||||
|
||||
func ListCmd(d Deps, account, folder string, onlyNew bool, beforeUID, sinceUID uint32, limit int) error {
|
||||
_, rule, m, done, fail := d.setup(account, folder)
|
||||
if fail != nil {
|
||||
return d.emit(*fail)
|
||||
}
|
||||
defer done()
|
||||
|
||||
var headers []mail.Header
|
||||
var err error
|
||||
if beforeUID > 0 || sinceUID > 0 {
|
||||
headers, err = m.FetchHeadersRange(folder, sinceUID, beforeUID, limit)
|
||||
} else {
|
||||
headers, err = m.FetchHeaders(folder, nil)
|
||||
}
|
||||
if err != nil {
|
||||
d.audit(account, "list", folder, "blocked", "imap_error")
|
||||
return d.emit(Failure(CodeNetwork, err.Error()))
|
||||
}
|
||||
|
||||
out := make([]map[string]any, 0, len(headers))
|
||||
for _, h := range headers {
|
||||
if !rule.Allows(h.From, h.Subject) {
|
||||
continue // invisible
|
||||
}
|
||||
if onlyNew {
|
||||
isNew, err := d.Store.IsNew(account, folder, h.UID)
|
||||
if err != nil {
|
||||
return d.emit(Failure(CodeDB, err.Error()))
|
||||
}
|
||||
if !isNew {
|
||||
continue
|
||||
}
|
||||
}
|
||||
out = append(out, headerMap(h))
|
||||
if limit > 0 && len(out) >= limit {
|
||||
break
|
||||
}
|
||||
}
|
||||
d.audit(account, "list", folder, "allowed", "")
|
||||
return d.emit(Success(map[string]any{"messages": out}))
|
||||
}
|
||||
|
||||
// visible fetches a UID's header and reports whether policy allows it.
|
||||
func (d Deps) visible(m Mailer, rule policy.InboundRule, folder string, uid uint32) (bool, error) {
|
||||
hs, err := m.FetchHeaders(folder, []uint32{uid})
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
if len(hs) == 0 {
|
||||
return false, nil
|
||||
}
|
||||
return rule.Allows(hs[0].From, hs[0].Subject), nil
|
||||
}
|
||||
|
||||
func GetCmd(d Deps, account, folder string, uid uint32) error {
|
||||
_, rule, m, done, fail := d.setup(account, folder)
|
||||
if fail != nil {
|
||||
return d.emit(*fail)
|
||||
}
|
||||
defer done()
|
||||
|
||||
ok, err := d.visible(m, rule, folder, uid)
|
||||
if err != nil {
|
||||
return d.emit(Failure(CodeNetwork, err.Error()))
|
||||
}
|
||||
if !ok {
|
||||
d.audit(account, "get", uitoa(uid), "blocked", "filtered")
|
||||
return d.emit(Failure(CodeNotFound, "message not found"))
|
||||
}
|
||||
msg, err := m.FetchFull(folder, uid)
|
||||
if err != nil {
|
||||
return d.emit(Failure(CodeNetwork, err.Error()))
|
||||
}
|
||||
atts := make([]map[string]any, 0, len(msg.Attachments))
|
||||
for _, a := range msg.Attachments {
|
||||
atts = append(atts, map[string]any{
|
||||
"name": a.Name, "size": a.Size, "mime": a.MIME,
|
||||
"content_b64": b64(a.Content),
|
||||
})
|
||||
}
|
||||
d.audit(account, "get", uitoa(uid), "allowed", "")
|
||||
return d.emit(Success(map[string]any{
|
||||
"uid": msg.Header.UID, "from": msg.Header.From, "to": msg.Header.To,
|
||||
"subject": msg.Header.Subject, "date": msg.Header.Date,
|
||||
"message_id": msg.Header.MessageID, "body_text": msg.BodyText,
|
||||
"attachments": atts,
|
||||
}))
|
||||
}
|
||||
|
||||
func SearchCmd(d Deps, account, folder string, sc mail.SearchCriteria, limit int) error {
|
||||
_, rule, m, done, fail := d.setup(account, folder)
|
||||
if fail != nil {
|
||||
return d.emit(*fail)
|
||||
}
|
||||
defer done()
|
||||
headers, err := m.Search(folder, sc, limit)
|
||||
if err != nil {
|
||||
return d.emit(Failure(CodeNetwork, err.Error()))
|
||||
}
|
||||
out := make([]map[string]any, 0, len(headers))
|
||||
for _, h := range headers {
|
||||
if !rule.Allows(h.From, h.Subject) {
|
||||
continue
|
||||
}
|
||||
out = append(out, headerMap(h))
|
||||
if limit > 0 && len(out) >= limit {
|
||||
break
|
||||
}
|
||||
}
|
||||
d.audit(account, "search", folder, "allowed", "")
|
||||
return d.emit(Success(map[string]any{"messages": out}))
|
||||
}
|
||||
|
||||
func AckCmd(d Deps, account, folder string, uids []uint32) error {
|
||||
_, rule, m, done, fail := d.setup(account, folder)
|
||||
if fail != nil {
|
||||
return d.emit(*fail)
|
||||
}
|
||||
defer done()
|
||||
uidv, _, _ := m.SelectFolder(folder)
|
||||
for _, uid := range uids {
|
||||
ok, err := d.visible(m, rule, folder, uid)
|
||||
if err != nil {
|
||||
return d.emit(Failure(CodeNetwork, err.Error()))
|
||||
}
|
||||
if !ok {
|
||||
d.audit(account, "ack", uitoa(uid), "blocked", "filtered")
|
||||
return d.emit(Failure(CodeNotFound, "message not found"))
|
||||
}
|
||||
}
|
||||
if err := d.Store.Ack(account, folder, uidv, uids...); err != nil {
|
||||
return d.emit(Failure(CodeDB, err.Error()))
|
||||
}
|
||||
d.audit(account, "ack", folder, "allowed", "")
|
||||
return d.emit(Success(map[string]any{"acked": uintSlice(uids)}))
|
||||
}
|
||||
Reference in New Issue
Block a user