From 5cb2a1013875f495d5d37080ac8c815b301e4c3a Mon Sep 17 00:00:00 2001
From: Simon Frei <freisim93@gmail.com>
Date: Tue, 11 May 2021 07:55:44 +0200
Subject: [PATCH] lib/model: Improve encryption cluster-config errors (#7658)

---
 lib/model/model.go      | 35 ++++++++++++++++++++---------------
 lib/model/model_test.go |  4 ++--
 2 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/lib/model/model.go b/lib/model/model.go
index 884c49144..b971f558e 100644
--- a/lib/model/model.go
+++ b/lib/model/model.go
@@ -181,20 +181,21 @@ var (
 	errNetworkNotAllowed = errors.New("network not allowed")
 	errNoVersioner       = errors.New("folder has no versioner")
 	// errors about why a connection is closed
-	errReplacingConnection             = errors.New("replacing connection")
-	errStopped                         = errors.New("Syncthing is being stopped")
-	errEncryptionInvConfigLocal        = errors.New("can't encrypt data for a device when the folder type is receiveEncrypted")
-	errEncryptionInvConfigRemote       = errors.New("remote has encrypted data and encrypts that data for us - this is impossible")
-	errEncryptionNotEncryptedLocal     = errors.New("folder is announced as encrypted, but not configured thus")
-	errEncryptionNotEncryptedRemote    = errors.New("folder is configured to be encrypted but not announced thus")
-	errEncryptionNotEncryptedUntrusted = errors.New("device is untrusted, but configured to receive not encrypted data")
-	errEncryptionPassword              = errors.New("different encryption passwords used")
-	errEncryptionTokenRead             = errors.New("failed to read encryption token")
-	errEncryptionTokenWrite            = errors.New("failed to write encryption token")
-	errEncryptionNeedToken             = errors.New("require password token for receive-encrypted token")
-	errMissingRemoteInClusterConfig    = errors.New("remote device missing in cluster config")
-	errMissingLocalInClusterConfig     = errors.New("local device missing in cluster config")
-	errConnLimitReached                = errors.New("connection limit reached")
+	errReplacingConnection                = errors.New("replacing connection")
+	errStopped                            = errors.New("Syncthing is being stopped")
+	errEncryptionInvConfigLocal           = errors.New("can't encrypt outgoing data because local data is encrypted (folder-type receive-encrypted)")
+	errEncryptionInvConfigRemote          = errors.New("remote has encrypted data and encrypts that data for us - this is impossible")
+	errEncryptionNotEncryptedLocal        = errors.New("remote expects to exchange encrypted data, but is configured for plain data")
+	errEncryptionPlainForReceiveEncrypted = errors.New("remote expects to exchange plain data, but is configured to be encrypted")
+	errEncryptionPlainForRemoteEncrypted  = errors.New("remote expects to exchange plain data, but local data is encrypted (folder-type receive-encrypted)")
+	errEncryptionNotEncryptedUntrusted    = errors.New("device is untrusted, but configured to receive plain data")
+	errEncryptionPassword                 = errors.New("different encryption passwords used")
+	errEncryptionTokenRead                = errors.New("failed to read encryption token")
+	errEncryptionTokenWrite               = errors.New("failed to write encryption token")
+	errEncryptionNeedToken                = errors.New("require password token for receive-encrypted token")
+	errMissingRemoteInClusterConfig       = errors.New("remote device missing in cluster config")
+	errMissingLocalInClusterConfig        = errors.New("local device missing in cluster config")
+	errConnLimitReached                   = errors.New("connection limit reached")
 	// messages for failure reports
 	failureUnexpectedGenerateCCError = "unexpected error occurred in generateClusterConfig"
 )
@@ -1470,7 +1471,11 @@ func (m *model) ccCheckEncryption(fcfg config.FolderConfiguration, folderDevice
 	}
 
 	if !(hasTokenRemote || hasTokenLocal) {
-		return errEncryptionNotEncryptedRemote
+		if isEncryptedRemote {
+			return errEncryptionPlainForReceiveEncrypted
+		} else {
+			return errEncryptionPlainForRemoteEncrypted
+		}
 	}
 
 	if !(isEncryptedRemote || isEncryptedLocal) {
diff --git a/lib/model/model_test.go b/lib/model/model_test.go
index f1b660d50..409f63390 100644
--- a/lib/model/model_test.go
+++ b/lib/model/model_test.go
@@ -4068,14 +4068,14 @@ func TestCcCheckEncryption(t *testing.T) {
 			tokenLocal:        nil,
 			isEncryptedRemote: true,
 			isEncryptedLocal:  false,
-			expectedErr:       errEncryptionNotEncryptedRemote,
+			expectedErr:       errEncryptionPlainForRemoteEncrypted,
 		},
 		{
 			tokenRemote:       nil,
 			tokenLocal:        nil,
 			isEncryptedRemote: false,
 			isEncryptedLocal:  true,
-			expectedErr:       errEncryptionNotEncryptedRemote,
+			expectedErr:       errEncryptionPlainForReceiveEncrypted,
 		},
 		{
 			tokenRemote:       nil,