Shared drive auto acceptance (#4614)

Automatic acceptance of Drive sharings from trusted members, eliminating
manual approval for trusted contacts.

  Features
- Domain-based trust: Configure trusted domains (e.g., *.company.com) to
auto-accept sharings within organizations
- Contact-based trust: After manually accepting a sharing once, future
sharings from that sender are auto-accepted

  Configuration
```yaml
  sharing:
    auto_accept_trusted: true
    auto_accept_trusted_contacts: true
    contexts:
      default:
        trusted_domains: ["linagora.com"]
```

Author: shepilov

.gitignore

@@ -9,6 +9,7 @@ node_modules
 /scripts/golangci-lint
 /storage
 tmp
+/.idea
 
 *.log
 *.enc

docs/sharing.md

@@ -673,6 +673,67 @@ be used for two scenarios:
 2. This request will be used to create a shortcut (in that case, a query-string
    parameter `shortcut=true&url=...` will be added).
 
+Drive sharings always include in the payload a credentials entry containing the
+OAuth state generated for each recipient. When the recipient Cozy is configured
+with `sharing.auto_accept_trusted = true`, receiving this state enqueues a
+background job that performs the same handshake as a manual acceptance and
+POSTs the answer back to the owner's Cozy.
+
+Trusted members are determined by the recipient Cozy only. The recipient checks
+that the sender belongs to a trusted domain (or has been marked as a trusted
+contact) before launching the auto-accept flow.
+
+Members are trusted when their instance domain exactly matches or is a
+subdomain of any of the configured trusted domains. The behaviour can be tuned
+via the configuration:
+
+```yaml
+sharing:
+  auto_accept_trusted: true
+  auto_accept_trusted_contacts: true
+  contexts:
+    default:
+      trusted_domains:
+        - example.com
+    white-label:
+      auto_accept_trusted: false
+```
+
+`trusted_domains` must be defined inside a context. Use the `default` context
+to configure a global rule, or override it per custom context.
+
+If `auto_accept_trusted` is disabled on the recipient Cozy, the request is kept
+in the pending state even if the sharer provided the state in the credentials
+payload.
+
+### Contact-Based Trust
+
+In addition to domain-based trust, contacts can be marked as trusted when you
+accept a sharing from them. This provides a more granular trust model:
+
+- **First sharing**: User manually accepts, sender's contact is automatically marked as trusted
+- **Subsequent sharings**: Automatically accepted because the contact is trusted
+
+Contact-based trust works independently of domain-based trust (and can be
+disabled via `sharing.auto_accept_trusted_contacts` or the corresponding
+context override):
+- A contact from an untrusted domain can still be trusted
+- This allows trusting specific individuals without trusting entire domains
+- Contact trust takes effect even if domain-based trust is not configured
+
+**Example workflow:**
+1. Alice receives a Drive sharing from `bob@external.com` (untrusted domain)
+2. Alice manually accepts the sharing
+3. Bob's contact is automatically marked as trusted in Alice's Cozy
+4. Future Drive sharings from Bob are auto-accepted (if `auto_accept_trusted` is enabled)
+
+**Trust determination:**
+A member is considered trusted if **either**:
+- Their instance domain matches a configured trusted domain (domain-based trust)
+- Their contact has been marked as trusted (contact-based trust)
+
+The contact's `trustedForSharing` field is set to `true` when a sharing is accepted.
+
 #### Request
 
 ```http

docs/workers.md

@@ -348,12 +348,13 @@ in the config file, via the `fs.auto_clean_trashed_after` parameter.
 
 ## share workers
 
-The stack have 4 workers to power the sharings (internal usage only):
+The stack have 5 workers to power the sharings (internal usage only):
 
 1. `share-group`, to add/remove members to a sharing
 2. `share-track`, to update the `io.cozy.shared` database
 3. `share-replicate`, to start a replicator for most documents
 4. `share-upload`, to upload files
+5. `share-autoaccept`, to automatically accept a sharing for trusted members
 
 ### Share-group
 
@@ -372,6 +373,15 @@ optionaly the old version of this document.
 The message is composed of a sharing ID and a count of the number of errors
 (i.e. the number of times this job was retried).
 
+### Share-autoaccept
+
+The message is composed of the sharing ID and the OAuth state assigned to the
+recipient. When the job runs on the recipient Cozy it calls the owner's
+`/sharings/:sharing-id/answer` endpoint (the state is provided in the Drive
+sharing credentials payload in
+[PUT /sharings/:sharing-id](sharing.md#put-sharingssharing-id)) to perform the
+acceptance flow without user interaction.
+
 ## notes-save
 
 This is another worker for the interal usage of the stack. It allows to write

model/contact/contacts.go

@@ -294,6 +294,66 @@ func CreateMyself(inst *instance.Instance, settings *couchdb.JSONDoc) (*Contact,
 	return doc, nil
 }
 
+// CreateFromSharingMember creates a contact from sharing member information.
+// This is useful when accepting a sharing and we want to create a contact for the sender.
+func CreateFromSharingMember(inst *instance.Instance, email, name, cozyURL string) (*Contact, error) {
+	if email == "" {
+		return nil, ErrNoMailAddress
+	}
+
+	doc := New()
+	doc.JSONDoc.M["email"] = []map[string]interface{}{
+		{"address": email, "primary": true},
+	}
+
+	displayName := name
+	if name == "" {
+		parts := strings.SplitN(email, "@", 2)
+		name = parts[0]
+		displayName = email
+	}
+	if name != "" {
+		doc.JSONDoc.M["fullname"] = name
+	}
+	doc.JSONDoc.M["displayName"] = displayName
+
+	if cozyURL != "" {
+		doc.JSONDoc.M["cozy"] = []map[string]interface{}{
+			{"url": cozyURL, "primary": true},
+		}
+	}
+
+	index := email
+	if cozyURL != "" {
+		index = cozyURL
+	}
+	doc.JSONDoc.M["indexes"] = map[string]interface{}{
+		"byFamilyNameGivenNameEmailCozyUrl": index,
+	}
+
+	if err := couchdb.CreateDoc(inst, doc); err != nil {
+		return nil, err
+	}
+	return doc, nil
+}
+
+// TrustedForSharingKey is the key used to mark a contact as trusted for auto-accepting sharings
+const TrustedForSharingKey = "trustedForSharing"
+
+// IsTrusted returns true if this contact has been marked as trusted for auto-accepting sharings
+func (c *Contact) IsTrusted() bool {
+	if val, ok := c.M[TrustedForSharingKey].(bool); ok {
+		return val
+	}
+	return false
+}
+
+// MarkAsTrusted marks this contact as trusted for auto-accepting sharings
+func (c *Contact) MarkAsTrusted(inst *instance.Instance) error {
+	c.M[TrustedForSharingKey] = true
+	return couchdb.UpdateDoc(inst, c)
+}
+
 // GetMyself returns the myself contact document, or an ErrNotFound error.
 func GetMyself(db prefixer.Prefixer) (*Contact, error) {
 	var docs []*Contact

model/sharing/autoaccept_job.go

@@ -0,0 +1,57 @@
+package sharing
+
+import (
+	"errors"
+
+	"github.com/cozy/cozy-stack/model/instance"
+	"github.com/cozy/cozy-stack/model/job"
+)
+
+// AutoAcceptMsg is the payload for auto-accepting a drive sharing from a trusted sender
+type AutoAcceptMsg struct {
+	SharingID string `json:"sharing_id"`
+	State     string `json:"state"`
+}
+
+// EnqueueAutoAccept schedules a job to auto-accept a drive sharing
+func EnqueueAutoAccept(inst *instance.Instance, sharingID, state string) error {
+	if inst == nil || sharingID == "" || state == "" {
+		return ErrInvalidSharing
+	}
+
+	msg, err := job.NewMessage(&AutoAcceptMsg{
+		SharingID: sharingID,
+		State:     state,
+	})
+	if err != nil {
+		return err
+	}
+
+	_, err = job.System().PushJob(inst, &job.JobRequest{
+		WorkerType: "share-autoaccept",
+		Message:    msg,
+	})
+	return err
+}
+
+// HandleAutoAccept executes the auto-acceptance for a Drive sharing.
+// The OAuth state must be provided by the owner in the sharing request.
+func HandleAutoAccept(inst *instance.Instance, msg *AutoAcceptMsg) error {
+	if inst == nil || msg == nil || msg.SharingID == "" || msg.State == "" {
+		return ErrInvalidSharing
+	}
+
+	s, err := FindSharing(inst, msg.SharingID)
+	if err != nil {
+		return err
+	}
+
+	// Send the acceptance answer using the state provided by the owner
+	if err := s.SendAnswer(inst, msg.State); err != nil {
+		if errors.Is(err, ErrAlreadyAccepted) {
+			return nil // Already accepted, not an error
+		}
+		return err
+	}
+	return nil
+}

model/sharing/oauth.go

@@ -18,6 +18,7 @@ import (
 	"github.com/cozy/cozy-stack/model/permission"
 	csettings "github.com/cozy/cozy-stack/model/settings"
 	"github.com/cozy/cozy-stack/model/vfs"
+	"github.com/cozy/cozy-stack/pkg/config/config"
 	"github.com/cozy/cozy-stack/pkg/consts"
 	"github.com/cozy/cozy-stack/pkg/couchdb"
 	"github.com/cozy/cozy-stack/pkg/couchdb/mango"
@@ -89,7 +90,10 @@ func (m *Member) CreateSharingRequest(inst *instance.Instance, s *Sharing, c *Cr
 		if err != nil {
 			return err
 		}
-		var list interface{} = []Credentials{{DriveToken: token}}
+		var list interface{} = []Credentials{{
+			DriveToken: token,
+			State:      c.State,
+		}}
 		creds = &list
 	}
 
@@ -468,6 +472,43 @@ func (s *Sharing) SendAnswer(inst *instance.Instance, state string) error {
 	s.Credentials[0].Client = creds.Client
 	s.Active = true
 	s.Initial = s.NbFiles > 0
+
+	options := config.GetConfig().Sharing.OptionsForContext(inst.ContextName)
+	// Mark the sender's contact as trusted since we accepted their sharing
+	if *options.AutoAcceptTrustedContacts && len(s.Members) > 0 && s.Members[0].Email != "" {
+		c, err := contact.FindByEmail(inst, s.Members[0].Email)
+		if err != nil {
+			// Contact doesn't exist, create it using the standardized method
+			c, err = contact.CreateFromSharingMember(inst, s.Members[0].Email, s.Members[0].Name, s.Members[0].Instance)
+			if err != nil {
+				if couchdb.IsConflictError(err) {
+					c, err = contact.FindByEmail(inst, s.Members[0].Email)
+					if err != nil {
+						inst.Logger().WithNamespace("sharing").
+							Debugf("Contact creation conflict and retry failed: %s", err)
+						c = nil
+					}
+				} else {
+					inst.Logger().WithNamespace("sharing").
+						Warnf("Could not create contact for sender: %s", err)
+				}
+			} else {
+				inst.Logger().WithNamespace("sharing").
+					Infof("Created contact for sender %s", s.Members[0].Email)
+			}
+		}
+
+		if c != nil && !c.IsTrusted() {
+			if err := c.MarkAsTrusted(inst); err != nil {
+				inst.Logger().WithNamespace("sharing").
+					Warnf("Could not mark contact as trusted: %s", err)
+			} else {
+				inst.Logger().WithNamespace("sharing").
+					Infof("Marked contact %s as trusted after accepting sharing", s.Members[0].Email)
+			}
+		}
+	}
+
 	return couchdb.UpdateDoc(inst, s)
 }
 

model/sharing/trust.go

@@ -0,0 +1,75 @@
+package sharing
+
+import (
+	"strings"
+
+	"github.com/cozy/cozy-stack/model/contact"
+	"github.com/cozy/cozy-stack/model/instance"
+	"github.com/cozy/cozy-stack/pkg/config/config"
+	"github.com/cozy/cozy-stack/pkg/utils"
+)
+
+// IsTrustedMember checks if a member is trusted for auto-accepting sharings.
+// Trust is determined by:
+// - Domain matching: member's domain matches configured trusted domains (or subdomains)
+// - Contact trust: member's contact has been marked as trusted (by previously accepting a sharing)
+//
+// Contact-based trust takes precedence and works even if domain-based trust is not configured.
+func IsTrustedMember(inst *instance.Instance, member *Member) bool {
+	if inst == nil || member == nil {
+		return false
+	}
+	options := config.GetConfig().Sharing.OptionsForContext(inst.ContextName)
+
+	if options.AutoAcceptTrusted == nil || !*options.AutoAcceptTrusted {
+		return false
+	}
+
+	// Extract the member's instance domain
+	memberDomain := utils.ExtractInstanceHost(member.Instance)
+	if memberDomain == "" {
+		return false
+	}
+
+	// Check if member's domain matches any trusted domain
+	for _, domain := range options.TrustedDomains {
+		if domain == "" {
+			continue
+		}
+		d := utils.NormalizeDomain(domain)
+		if d == "" {
+			continue
+		}
+		if memberDomain == d || strings.HasSuffix(memberDomain, "."+d) {
+			inst.Logger().WithNamespace("sharing-trust").
+				Infof("Member %s trusted (trusted domain: %s)", member.Instance, domain)
+			return true
+		}
+	}
+
+	// Check if this member is a trusted contact
+	if options.AutoAcceptTrustedContacts == nil || !*options.AutoAcceptTrustedContacts {
+		return false
+	}
+	if isTrustedContact(inst, member) {
+		inst.Logger().WithNamespace("sharing-trust").
+			Infof("Member %s trusted (trusted contact)", member.Instance)
+		return true
+	}
+
+	return false
+}
+
+// isTrustedContact checks if a member is marked as a trusted contact
+func isTrustedContact(inst *instance.Instance, member *Member) bool {
+	if member.Email == "" {
+		return false
+	}
+
+	c, err := contact.FindByEmail(inst, member.Email)
+	if err != nil {
+		return false
+	}
+
+	return c.IsTrusted()
+}