Add advisory_device_file_protection support to server_config API command on server

Author: touilleMan

server/parsec/cli/run.py

@@ -9,7 +9,14 @@
 
 import click
 
-from parsec._parsec import ActiveUsersLimit, EmailAddress, ParsecAddr, SecretKey, TrustAnchor
+from parsec._parsec import (
+    ActiveUsersLimit,
+    AdvisoryDeviceFileProtection,
+    EmailAddress,
+    ParsecAddr,
+    SecretKey,
+    TrustAnchor,
+)
 from parsec._version import __version__ as server_version
 from parsec.asgi import app_factory, serve_parsec_asgi_app
 from parsec.backend import backend_factory
@@ -193,6 +200,24 @@ def handle_parse_result(
     type=click.Choice(AccountConfig),
     default=AccountConfig.DISABLED,
 )
+@click.option(
+    "--advisory-device-file-protection",
+    "advisory_device_file_protection",
+    envvar="PARSEC_ADVISORY_DEVICE_FILE_PROTECTION",
+    show_envvar=True,
+    multiple=True,
+    type=AdvisoryDeviceFileProtection.from_str,
+    metavar="STRATEGY",
+    help="""Advisory device file protection to recommend to clients.
+
+Can be specified multiple times to recommend multiple strategies.
+
+Allowed values: PASSWORD, PASSWORD+TOTP, KEYRING, KEYRING+TOTP, PKI,
+PKI+TOTP, OPENBAO, OPENBAO+TOTP, ACCOUNT_VAULT, ACCOUNT_VAULT+TOTP.
+
+When not specified, no recommendation is made (all strategies accepted).
+""",
+)
 @click.option(
     "--cryptpad-server-url",
     envvar="PARSEC_CRYPTPAD_SERVER_URL",
@@ -554,6 +579,7 @@ async def run_cmd(
     blockstore: BaseBlockStoreConfig,
     administration_token: str,
     account_config: AccountConfig,
+    advisory_device_file_protection: tuple[AdvisoryDeviceFileProtection, ...],
     cryptpad_server_url: str | None,
     openbao_server_url: str | None,
     openbao_secret_mount_path: str,
@@ -674,6 +700,7 @@ async def run_cmd(
             server_addr=server_addr,
             debug=debug,
             account_config=account_config,
+            advisory_device_file_protection=advisory_device_file_protection,
             cryptpad_config=cryptpad_config,
             openbao_config=openbao_config,
             organization_bootstrap_webhook_url=organization_bootstrap_webhook,

server/parsec/components/events.py

@@ -547,4 +547,7 @@ async def api_server_config(
             organization_bootstrap=organization_bootstrap,
             cryptpad=cryptpad,
             openbao=openbao,
+            advisory_device_file_protection=[
+                p.str for p in self._config.advisory_device_file_protection
+            ],
         )

server/parsec/config.py

@@ -11,6 +11,7 @@
 
 from parsec._parsec import (
     ActiveUsersLimit,
+    AdvisoryDeviceFileProtection,
     DateTime,
     EmailAddress,
     OpenBaoAuthType,
@@ -306,6 +307,8 @@ class BackendConfig:
 
     openbao_config: OpenBaoConfig | None = None
 
+    advisory_device_file_protection: tuple[AdvisoryDeviceFileProtection, ...] = ()
+
     organization_bootstrap_webhook_url: str | None = None
     organization_spontaneous_bootstrap: bool = False
     organization_initial_active_users_limit: ActiveUsersLimit = field(

server/tests/api_v5/anonymous_server/test_server_config.py

@@ -2,12 +2,17 @@
 
 import pytest
 
-from parsec._parsec import OpenBaoAuthType, anonymous_server_cmds
+from parsec._parsec import (
+    AdvisoryDeviceFilePrimaryProtection,
+    AdvisoryDeviceFileProtection,
+    OpenBaoAuthType,
+    anonymous_server_cmds,
+)
 from parsec.config import AccountConfig, CryptPadConfig, OpenBaoAuthConfig, OpenBaoConfig
 from tests.common import AnonymousServerRpcClient, Backend, HttpCommonErrorsTester
 
 
-@pytest.mark.parametrize("kind", ("default", "custom"))
+@pytest.mark.parametrize("kind", ("default", "custom", "with_advisory_device_file_protection"))
 async def test_anonymous_server_server_config_ok(
     backend: Backend,
     anonymous_server: AnonymousServerRpcClient,
@@ -20,6 +25,7 @@ async def test_anonymous_server_server_config_ok(
                 organization_bootstrap=anonymous_server_cmds.latest.server_config.OrganizationBootstrapConfig.WITH_BOOTSTRAP_TOKEN,
                 cryptpad=anonymous_server_cmds.latest.server_config.CryptPadConfigDisabled(),
                 openbao=anonymous_server_cmds.latest.server_config.OpenBaoConfigDisabled(),
+                advisory_device_file_protection=[],
             )
 
         case "custom":
@@ -66,6 +72,25 @@ async def test_anonymous_server_server_config_ok(
                         ),
                     ],
                 ),
+                advisory_device_file_protection=[],
+            )
+
+        case "with_advisory_device_file_protection":
+            backend.config.advisory_device_file_protection = (
+                AdvisoryDeviceFileProtection(
+                    primary=AdvisoryDeviceFilePrimaryProtection.PASSWORD, with_totp=True
+                ),
+                AdvisoryDeviceFileProtection(
+                    primary=AdvisoryDeviceFilePrimaryProtection.PKI, with_totp=False
+                ),
+            )
+
+            expected_rep = anonymous_server_cmds.latest.server_config.RepOk(
+                account=anonymous_server_cmds.latest.server_config.AccountConfig.DISABLED,
+                organization_bootstrap=anonymous_server_cmds.latest.server_config.OrganizationBootstrapConfig.WITH_BOOTSTRAP_TOKEN,
+                cryptpad=anonymous_server_cmds.latest.server_config.CryptPadConfigDisabled(),
+                openbao=anonymous_server_cmds.latest.server_config.OpenBaoConfigDisabled(),
+                advisory_device_file_protection=["PASSWORD+TOTP", "PKI"],
             )
 
         case unknown: