fix(sharing): Adapt share suggestions to match trusted servers configs

When `show_federated_shares_to_trusted_servers_as_internal` is enabled
but `show_federated_shares_as_internal` is not, filter federated share
suggestions to only include trusted servers. Previously, searching for
an email address would suggest non-trusted federated servers.

Resolved: #54511
Signed-off-by: nfebe <fenn25.fn@gmail.com>

Author: nfebe

apps/files_sharing/src/components/SharingInput.vue

@@ -255,10 +255,12 @@ export default {
 
 			// remove invalid data and format to user-select layout
 			const exactSuggestions = this.filterOutExistingShares(rawExactSuggestions)
+				.filter((result) => this.filterByTrustedServer(result))
 				.map((share) => this.formatForMultiselect(share))
 				// sort by type so we can get user&groups first...
 				.sort((a, b) => a.shareType - b.shareType)
 			const suggestions = this.filterOutExistingShares(rawSuggestions)
+				.filter((result) => this.filterByTrustedServer(result))
 				.map((share) => this.formatForMultiselect(share))
 				// sort by type so we can get user&groups first...
 				.sort((a, b) => a.shareType - b.shareType)
@@ -341,6 +343,7 @@ export default {
 
 			// remove invalid data and format to user-select layout
 			this.recommendations = this.filterOutExistingShares(rawRecommendations)
+				.filter((result) => this.filterByTrustedServer(result))
 				.map((share) => this.formatForMultiselect(share))
 				.concat(externalResults)
 
@@ -463,6 +466,20 @@ export default {
 			}
 		},
 
+		/**
+		 * Filter suggestion results based on trusted server configuration
+		 *
+		 * @param {object} result The raw suggestion result from API
+		 * @return {boolean} Whether to include this result in suggestions
+		 */
+		filterByTrustedServer(result) {
+			const isRemoteEntity = result.value.shareType === ShareType.Remote || result.value.shareType === ShareType.RemoteGroup
+			if (isRemoteEntity && this.config.showFederatedSharesToTrustedServersAsInternal) {
+				return result.value.isTrustedServer === true
+			}
+			return true
+		},
+
 		/**
 		 * Format shares for the multiselect options
 		 *

lib/private/Collaboration/Collaborators/RemotePlugin.php

@@ -6,11 +6,13 @@
  */
 namespace OC\Collaboration\Collaborators;
 
+use OCA\Federation\TrustedServers;
 use OCP\Collaboration\Collaborators\ISearchPlugin;
 use OCP\Collaboration\Collaborators\ISearchResult;
 use OCP\Collaboration\Collaborators\SearchResultType;
 use OCP\Contacts\IManager;
 use OCP\Federation\ICloudIdManager;
+use OCP\IAppConfig;
 use OCP\IConfig;
 use OCP\IUserManager;
 use OCP\IUserSession;
@@ -27,11 +29,14 @@ public function __construct(
 		private IConfig $config,
 		private IUserManager $userManager,
 		IUserSession $userSession,
+		private IAppConfig $appConfig,
+		private TrustedServers $trustedServers,
 	) {
 		$this->userId = $userSession->getUser()?->getUID() ?? '';
 		$this->shareeEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
 	}
 
+
 	public function search($search, $limit, $offset, ISearchResult $searchResult): bool {
 		$result = ['wide' => [], 'exact' => []];
 		$resultType = new SearchResultType('remotes');
@@ -67,9 +72,6 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 					}
 
 					$localUser = $this->userManager->get($remoteUser);
-					/**
-					 * Add local share if remote cloud id matches a local user ones
-					 */
 					if ($localUser !== null && $remoteUser !== $this->userId && $cloudId === $localUser->getCloudId()) {
 						$result['wide'][] = [
 							'label' => $contact['FN'],
@@ -95,6 +97,7 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 								'shareType' => IShare::TYPE_REMOTE,
 								'shareWith' => $cloudId,
 								'server' => $serverUrl,
+								'isTrustedServer' => $this->trustedServers->isTrustedServer($serverUrl),
 							],
 						];
 					} else {
@@ -107,6 +110,7 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 								'shareType' => IShare::TYPE_REMOTE,
 								'shareWith' => $cloudId,
 								'server' => $serverUrl,
+								'isTrustedServer' => $this->trustedServers->isTrustedServer($serverUrl),
 							],
 						];
 					}
@@ -120,9 +124,6 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 			$result['wide'] = array_slice($result['wide'], $offset, $limit);
 		}
 
-		/**
-		 * Add generic share with remote item for valid cloud ids that are not users of the local instance
-		 */
 		if (!$searchResult->hasExactIdMatch($resultType) && $this->cloudIdManager->isValidCloudId($search) && $offset === 0) {
 			try {
 				[$remoteUser, $serverUrl] = $this->splitUserRemote($search);
@@ -136,6 +137,7 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 							'shareType' => IShare::TYPE_REMOTE,
 							'shareWith' => $search,
 							'server' => $serverUrl,
+							'isTrustedServer' => $this->trustedServers->isTrustedServer($serverUrl),
 						],
 					];
 				}

tests/lib/Collaboration/Collaborators/RemotePluginTest.php

@@ -10,17 +10,20 @@
 use OC\Collaboration\Collaborators\RemotePlugin;
 use OC\Collaboration\Collaborators\SearchResult;
 use OC\Federation\CloudIdManager;
+use OCA\Federation\TrustedServers;
 use OCP\Collaboration\Collaborators\SearchResultType;
 use OCP\Contacts\IManager;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Federation\ICloudIdManager;
+use OCP\IAppConfig;
 use OCP\ICacheFactory;
 use OCP\IConfig;
 use OCP\IURLGenerator;
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\IUserSession;
 use OCP\Share\IShare;
+use PHPUnit\Framework\MockObject\MockObject;
 use Test\TestCase;
 
 class RemotePluginTest extends TestCase {
@@ -36,6 +39,9 @@ class RemotePluginTest extends TestCase {
 	/** @var ICloudIdManager|\PHPUnit\Framework\MockObject\MockObject */
 	protected $cloudIdManager;
 
+	protected IAppConfig|MockObject $appConfig;
+	protected ICloudIdManager|MockObject $trustedServers;
+
 	/** @var RemotePlugin */
 	protected $plugin;
 
@@ -55,6 +61,8 @@ protected function setUp(): void {
 			$this->createMock(IURLGenerator::class),
 			$this->createMock(IUserManager::class),
 		);
+		$this->appConfig = $this->createMock(IAppConfig::class);
+		$this->trustedServers = $this->createMock(TrustedServers::class);
 		$this->searchResult = new SearchResult();
 	}
 
@@ -67,7 +75,7 @@ public function instantiatePlugin() {
 		$userSession->expects($this->any())
 			->method('getUser')
 			->willReturn($user);
-		$this->plugin = new RemotePlugin($this->contactsManager, $this->cloudIdManager, $this->config, $this->userManager, $userSession);
+		$this->plugin = new RemotePlugin($this->contactsManager, $this->cloudIdManager, $this->config, $this->userManager, $userSession, $this->appConfig, $this->trustedServers);
 	}
 
 	/**
@@ -141,6 +149,37 @@ public function testSplitUserRemoteError($id): void {
 		$this->plugin->splitUserRemote($id);
 	}
 
+	public function testTrustedServerMetadata(): void {
+		$this->config->expects($this->any())
+			->method('getAppValue')
+			->willReturnCallback(
+				function ($appName, $key, $default) {
+					if ($appName === 'core' && $key === 'shareapi_allow_share_dialog_user_enumeration') {
+						return 'yes';
+					}
+					return $default;
+				}
+			);
+
+		$this->trustedServers->expects($this->any())
+			->method('isTrustedServer')
+			->willReturnCallback(function ($serverUrl) {
+				return $serverUrl === 'trustedserver.com';
+			});
+
+		$this->instantiatePlugin();
+
+		$this->contactsManager->expects($this->any())
+			->method('search')
+			->willReturn([]);
+
+		$this->plugin->search('test@trustedserver.com', 2, 0, $this->searchResult);
+		$result = $this->searchResult->asArray();
+
+		$this->assertNotEmpty($result['exact']['remotes']);
+		$this->assertTrue($result['exact']['remotes'][0]['value']['isTrustedServer']);
+	}
+
 	public static function dataGetRemote() {
 		return [
 			['test', [], true, ['remotes' => [], 'exact' => ['remotes' => []]], false, true],