fix(sharing): Adapt share suggestions to match trusted servers configs

When `show_federated_shares_to_trusted_servers_as_internal` is enabled
but `show_federated_shares_as_internal` is not, filter federated share
suggestions to only include trusted servers. Previously, searching for
an email address would suggest non-trusted federated servers.

Resolved: #54511

Author: nfebe

apps/files_sharing/src/components/SharingInput.vue

@@ -249,10 +249,12 @@ export default {
 
 			// remove invalid data and format to user-select layout
 			const exactSuggestions = this.filterOutExistingShares(rawExactSuggestions)
+				.filter(result => this.filterByTrustedServer(result))
 				.map(share => this.formatForMultiselect(share))
 				// sort by type so we can get user&groups first...
 				.sort((a, b) => a.shareType - b.shareType)
 			const suggestions = this.filterOutExistingShares(rawSuggestions)
+				.filter(result => this.filterByTrustedServer(result))
 				.map(share => this.formatForMultiselect(share))
 				// sort by type so we can get user&groups first...
 				.sort((a, b) => a.shareType - b.shareType)
@@ -335,6 +337,7 @@ export default {
 
 			// remove invalid data and format to user-select layout
 			this.recommendations = this.filterOutExistingShares(rawRecommendations)
+				.filter(result => this.filterByTrustedServer(result))
 				.map(share => this.formatForMultiselect(share))
 				.concat(externalResults)
 
@@ -457,6 +460,34 @@ export default {
 			}
 		},
 
+		/**
+		 * Filter suggestion results based on trusted server configuration
+		 *
+		 * @param {object} result The raw suggestion result from API
+		 * @return {boolean} Whether to include this result in suggestions
+		 */
+		filterByTrustedServer(result) {
+			// Only apply filtering to remote shares
+			if (result.value.shareType !== ShareType.Remote && result.value.shareType !== ShareType.RemoteGroup) {
+				return true
+			}
+
+			// If showFederatedSharesToTrustedServersAsInternal is not enabled, show all
+			if (!this.config.showFederatedSharesToTrustedServersAsInternal) {
+				return true
+			}
+
+			const isTrustedServer = result.value.isTrustedServer || false
+
+			// For internal section: only show trusted servers
+			if (!this.isExternal) {
+				return isTrustedServer
+			}
+
+			// For external section: only show non-trusted servers
+			return !isTrustedServer
+		},
+
 		/**
 		 * Format shares for the multiselect options
 		 *

lib/private/Collaboration/Collaborators/RemotePlugin.php

@@ -6,11 +6,13 @@
  */
 namespace OC\Collaboration\Collaborators;
 
+use OCA\Federation\TrustedServers;
 use OCP\Collaboration\Collaborators\ISearchPlugin;
 use OCP\Collaboration\Collaborators\ISearchResult;
 use OCP\Collaboration\Collaborators\SearchResultType;
 use OCP\Contacts\IManager;
 use OCP\Federation\ICloudIdManager;
+use OCP\IAppConfig;
 use OCP\IConfig;
 use OCP\IUserManager;
 use OCP\IUserSession;
@@ -27,11 +29,17 @@ public function __construct(
 		private IConfig $config,
 		private IUserManager $userManager,
 		IUserSession $userSession,
+		private IAppConfig $appConfig,
+		private TrustedServers $trustedServers,
 	) {
 		$this->userId = $userSession->getUser()?->getUID() ?? '';
 		$this->shareeEnumeration = $this->config->getAppValue('core', 'shareapi_allow_share_dialog_user_enumeration', 'yes') === 'yes';
 	}
 
+	private function isServerTrusted(string $serverUrl): bool {
+		return $this->trustedServers->isTrustedServer($serverUrl);
+	}
+
 	public function search($search, $limit, $offset, ISearchResult $searchResult): bool {
 		$result = ['wide' => [], 'exact' => []];
 		$resultType = new SearchResultType('remotes');
@@ -95,6 +103,7 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 								'shareType' => IShare::TYPE_REMOTE,
 								'shareWith' => $cloudId,
 								'server' => $serverUrl,
+								'isTrustedServer' => $this->isServerTrusted($serverUrl),
 							],
 						];
 					} else {
@@ -107,6 +116,7 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 								'shareType' => IShare::TYPE_REMOTE,
 								'shareWith' => $cloudId,
 								'server' => $serverUrl,
+								'isTrustedServer' => $this->isServerTrusted($serverUrl),
 							],
 						];
 					}
@@ -120,9 +130,6 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 			$result['wide'] = array_slice($result['wide'], $offset, $limit);
 		}
 
-		/**
-		 * Add generic share with remote item for valid cloud ids that are not users of the local instance
-		 */
 		if (!$searchResult->hasExactIdMatch($resultType) && $this->cloudIdManager->isValidCloudId($search) && $offset === 0) {
 			try {
 				[$remoteUser, $serverUrl] = $this->splitUserRemote($search);
@@ -136,6 +143,7 @@ public function search($search, $limit, $offset, ISearchResult $searchResult): b
 							'shareType' => IShare::TYPE_REMOTE,
 							'shareWith' => $search,
 							'server' => $serverUrl,
+							'isTrustedServer' => $this->isServerTrusted($serverUrl),
 						],
 					];
 				}

tests/lib/Collaboration/Collaborators/RemotePluginTest.php

@@ -10,10 +10,12 @@
 use OC\Collaboration\Collaborators\RemotePlugin;
 use OC\Collaboration\Collaborators\SearchResult;
 use OC\Federation\CloudIdManager;
+use OCA\Federation\TrustedServers;
 use OCP\Collaboration\Collaborators\SearchResultType;
 use OCP\Contacts\IManager;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Federation\ICloudIdManager;
+use OCP\IAppConfig;
 use OCP\ICacheFactory;
 use OCP\IConfig;
 use OCP\IURLGenerator;
@@ -36,6 +38,12 @@ class RemotePluginTest extends TestCase {
 	/** @var ICloudIdManager|\PHPUnit\Framework\MockObject\MockObject */
 	protected $cloudIdManager;
 
+	/** @var IAppConfig|\PHPUnit\Framework\MockObject\MockObject */
+	protected $appConfig;
+
+	/** @var TrustedServers|\PHPUnit\Framework\MockObject\MockObject */
+	protected $trustedServers;
+
 	/** @var RemotePlugin */
 	protected $plugin;
 
@@ -55,6 +63,8 @@ protected function setUp(): void {
 			$this->createMock(IURLGenerator::class),
 			$this->createMock(IUserManager::class),
 		);
+		$this->appConfig = $this->createMock(IAppConfig::class);
+		$this->trustedServers = $this->createMock(TrustedServers::class);
 		$this->searchResult = new SearchResult();
 	}
 
@@ -67,7 +77,7 @@ public function instantiatePlugin() {
 		$userSession->expects($this->any())
 			->method('getUser')
 			->willReturn($user);
-		$this->plugin = new RemotePlugin($this->contactsManager, $this->cloudIdManager, $this->config, $this->userManager, $userSession);
+		$this->plugin = new RemotePlugin($this->contactsManager, $this->cloudIdManager, $this->config, $this->userManager, $userSession, $this->appConfig, $this->trustedServers);
 	}
 
 	/**
@@ -141,6 +151,37 @@ public function testSplitUserRemoteError($id): void {
 		$this->plugin->splitUserRemote($id);
 	}
 
+	public function testTrustedServerMetadata(): void {
+		$this->config->expects($this->any())
+			->method('getAppValue')
+			->willReturnCallback(
+				function ($appName, $key, $default) {
+					if ($appName === 'core' && $key === 'shareapi_allow_share_dialog_user_enumeration') {
+						return 'yes';
+					}
+					return $default;
+				}
+			);
+
+		$this->trustedServers->expects($this->any())
+			->method('isTrustedServer')
+			->willReturnCallback(function ($serverUrl) {
+				return $serverUrl === 'trustedserver.com';
+			});
+
+		$this->instantiatePlugin();
+
+		$this->contactsManager->expects($this->any())
+			->method('search')
+			->willReturn([]);
+
+		$this->plugin->search('test@trustedserver.com', 2, 0, $this->searchResult);
+		$result = $this->searchResult->asArray();
+
+		$this->assertNotEmpty($result['exact']['remotes']);
+		$this->assertTrue($result['exact']['remotes'][0]['value']['isTrustedServer']);
+	}
+
 	public static function dataGetRemote() {
 		return [
 			['test', [], true, ['remotes' => [], 'exact' => ['remotes' => []]], false, true],