git-annex/Command/RecvKey.hs

{- git-annex command
 -
 - Copyright 2010 Joey Hess <id@joeyh.name>
 -
 - Licensed under the GNU AGPL version 3 or higher.
 -}

module Command.RecvKey where

import Command
import Annex.Content
import Annex.Action
import Annex
import Utility.Rsync
import Types.Transfer
import Types.Remote (RetrievalSecurityPolicy(..))
import Command.SendKey (fieldTransfer)
import qualified CmdLine.GitAnnexShell.Fields as Fields

cmd :: Command
cmd = noCommit $ command "recvkey" SectionPlumbing 
	"runs rsync in server mode to receive content"
	paramKey (withParams seek)

seek :: CmdParams -> CommandSeek
seek = withKeys (commandAction . start)

start :: Key -> CommandStart
start key = fieldTransfer Download key $ \_p -> do
	-- Always verify content when a repo is sending an unlocked file,
	-- as the file could change while being transferred.
	fromunlocked <- (isJust <$> Fields.getField Fields.unlocked)
		<||> (isJust <$> Fields.getField Fields.direct)
	let verify = if fromunlocked then AlwaysVerify else DefaultVerify
	-- This matches the retrievalSecurityPolicy of Remote.Git
	let rsp = RetrievalAllKeysSecure
	ifM (getViaTmp rsp verify key go)
		( do
			-- forcibly quit after receiving one key,
			-- and shutdown cleanly
			_ <- shutdown True
			return True
		, return False
		)
  where
	go tmp = unVerified $ do
		opts <- filterRsyncSafeOptions . maybe [] words
			<$> getField "RsyncOptions"
		liftIO $ rsyncServerReceive (map Param opts) tmp
git-annex-shell is complete still not used 2010-12-31 17:39:30 +00:00			`{- git-annex command`
			`-`
update my email address and homepage url 2015-01-21 16:50:09 +00:00			`- Copyright 2010 Joey Hess <id@joeyh.name>`
git-annex-shell is complete still not used 2010-12-31 17:39:30 +00:00			`-`
update licenses from GPL to AGPL This does not change the overall license of the git-annex program, which was already AGPL due to a number of sources files being AGPL already. Legally speaking, I'm adding a new license under which these files are now available; I already released their current contents under the GPL license. Now they're dual licensed GPL and AGPL. However, I intend for all my future changes to these files to only be released under the AGPL license, and I won't be tracking the dual licensing status, so I'm simply changing the license statement to say it's AGPL. (In some cases, others wrote parts of the code of a file and released it under the GPL; but in all cases I have contributed a significant portion of the code in each file and it's that code that is getting the AGPL license; the GPL license of other contributors allows combining with AGPL code.) 2019-03-13 19:48:14 +00:00			`- Licensed under the GNU AGPL version 3 or higher.`
git-annex-shell is complete still not used 2010-12-31 17:39:30 +00:00			`-}`

			`module Command.RecvKey where`

			`import Command`
rename 2011-10-04 04:40:47 +00:00			`import Annex.Content`
Improve shutdown due to --time-limit, especially for fsck * Perform a clean shutdown when --time-limit is reached. This includes running queued git commands, and cleanup actions normally run when a command is finished. * fsck: Commit incremental fsck database when --time-limit is reached. Previously, some of the last files fscked did not make it into the database when using --time-limit. Note that this changes Annex.addCleanup hooks, to run after --time-limit expires. Fsck was using such a hook to clean up after a --incremental-schedule, and that shouldn't run when --time-limit exipires it. So, instead, moved that cleanup code to be run by cleanupIncremental. Resulted in some data type juggling. 2015-07-31 20:00:13 +00:00			`import Annex.Action`
Make git-annex-shell call the command with its (safe) options. 2013-03-29 00:34:07 +00:00			`import Annex`
renamed RsyncFile -> Rsync 2012-09-19 18:28:32 +00:00			`import Utility.Rsync`
get, move, copy, mirror: Added --failed switch which retries failed copies/moves Note that get --from foo --failed will get things that a previous get --from bar tried and failed to get, etc. I considered making --failed only retry transfers from the same remote, but it was easier, and seems more useful, to not have the same remote requirement. Noisy due to some refactoring into Types/ 2016-08-03 16:37:12 +00:00			`import Types.Transfer`
enforce retrievalSecurityPolicy Leveraged the existing verification code by making it also check the retrievalSecurityPolicy. Also, prevented getViaTmp from running the download action at all when the retrievalSecurityPolicy is going to prevent verifying and so storing it. Added annex.security.allow-unverified-downloads. A per-remote version would be nice to have too, but would need more plumbing, so KISS. (Bill the Cat reference not too over the top I hope. The point is to make this something the user reads the documentation for before using.) A few calls to verifyKeyContent and getViaTmp, that don't involve downloads from remotes, have RetrievalAllKeysSecure hard-coded. It was also hard-coded for P2P.Annex and Command.RecvKey, to match the values of the corresponding remotes. A few things use retrieveKeyFile/retrieveKeyFileCheap without going through getViaTmp. * Command.Fsck when downloading content from a remote to verify it. That content does not get into the annex, so this is ok. * Command.AddUrl when using a remote to download an url; this is new content being added, so this is ok. This commit was sponsored by Fernando Jimenez on Patreon. 2018-06-21 17:34:11 +00:00			`import Types.Remote (RetrievalSecurityPolicy(..))`
keep logs of failed transfers, and requeue them when doing a non-full scan of a remote 2012-08-23 19:22:23 +00:00			`import Command.SendKey (fieldTransfer)`
reorg 2014-01-26 20:32:55 +00:00			`import qualified CmdLine.GitAnnexShell.Fields as Fields`
git-annex-shell is complete still not used 2010-12-31 17:39:30 +00:00
started converting to use optparse-applicative This is a work in progress. It compiles and is able to do basic command dispatch, including git autocorrection, while using optparse-applicative for the core commandline parsing. * Many commands are temporarily disabled before conversion. * Options are not wired in yet. * cmdnorepo actions don't work yet. Also, removed the [Command] list, which was only used in one place. 2015-07-08 16:33:27 +00:00			`cmd :: Command`
convert all commands to work with optparse-applicative Still no options though. 2015-07-08 19:08:02 +00:00			`cmd = noCommit $ command "recvkey" SectionPlumbing`
			`"runs rsync in server mode to receive content"`
			`paramKey (withParams seek)`
git-annex-shell is complete still not used 2010-12-31 17:39:30 +00:00
started converting to use optparse-applicative This is a work in progress. It compiles and is able to do basic command dispatch, including git autocorrection, while using optparse-applicative for the core commandline parsing. * Many commands are temporarily disabled before conversion. * Options are not wired in yet. * cmdnorepo actions don't work yet. Also, removed the [Command] list, which was only used in one place. 2015-07-08 16:33:27 +00:00			`seek :: CmdParams -> CommandSeek`
move commandAction out of CmdLine.Seek This is groundwork for nested seek loops, eg seeking over all files and then performing commandActions on a list of remotes, which can be done concurrently. This commit was sponsored by Boyd Stephen Smith Jr. on Patreon. 2018-10-01 18:12:06 +00:00			`seek = withKeys (commandAction . start)`
git-annex-shell is complete still not used 2010-12-31 17:39:30 +00:00
remove command type definitions These were a mistake, they make the type signatures harder to read and less flexible. The CommandSeek, CommandStart, CommandPerform, and CommandCleanup types were a good idea, but composing them with the parameters expected is going too far. 2011-09-15 20:50:49 +00:00			`start :: Key -> CommandStart`
Do verification of checksums of annex objects downloaded from remotes. * When annex objects are received into git repositories, their checksums are verified then too. * To get the old, faster, behavior of not verifying checksums, set annex.verify=false, or remote.<name>.annex-verify=false. * setkey, rekey: These commands also now verify that the provided file matches the key, unless annex.verify=false. * reinject: Already verified content; this can now be disabled by setting annex.verify=false. recvkey and reinject already did verification, so removed now duplicate code from them. fsck still does its own verification, which is ok since it does not use getViaTmp, so verification doesn't happen twice when using fsck --from. 2015-10-01 19:54:37 +00:00			`start key = fieldTransfer Download key $ \_p -> do`
add unlocked flag for git-annex-shell recvkey The direct flag is also set when sending unlocked content, to support old versions of git-annex-shell. At some point, the direct flag will be removed, and only the unlocked flag will be used. 2015-12-26 17:59:27 +00:00			`-- Always verify content when a repo is sending an unlocked file,`
Do verification of checksums of annex objects downloaded from remotes. * When annex objects are received into git repositories, their checksums are verified then too. * To get the old, faster, behavior of not verifying checksums, set annex.verify=false, or remote.<name>.annex-verify=false. * setkey, rekey: These commands also now verify that the provided file matches the key, unless annex.verify=false. * reinject: Already verified content; this can now be disabled by setting annex.verify=false. recvkey and reinject already did verification, so removed now duplicate code from them. fsck still does its own verification, which is ok since it does not use getViaTmp, so verification doesn't happen twice when using fsck --from. 2015-10-01 19:54:37 +00:00			`-- as the file could change while being transferred.`
add unlocked flag for git-annex-shell recvkey The direct flag is also set when sending unlocked content, to support old versions of git-annex-shell. At some point, the direct flag will be removed, and only the unlocked flag will be used. 2015-12-26 17:59:27 +00:00			`fromunlocked <- (isJust <$> Fields.getField Fields.unlocked)`
			`<\|\|> (isJust <$> Fields.getField Fields.direct)`
			`let verify = if fromunlocked then AlwaysVerify else DefaultVerify`
enforce retrievalSecurityPolicy Leveraged the existing verification code by making it also check the retrievalSecurityPolicy. Also, prevented getViaTmp from running the download action at all when the retrievalSecurityPolicy is going to prevent verifying and so storing it. Added annex.security.allow-unverified-downloads. A per-remote version would be nice to have too, but would need more plumbing, so KISS. (Bill the Cat reference not too over the top I hope. The point is to make this something the user reads the documentation for before using.) A few calls to verifyKeyContent and getViaTmp, that don't involve downloads from remotes, have RetrievalAllKeysSecure hard-coded. It was also hard-coded for P2P.Annex and Command.RecvKey, to match the values of the corresponding remotes. A few things use retrieveKeyFile/retrieveKeyFileCheap without going through getViaTmp. * Command.Fsck when downloading content from a remote to verify it. That content does not get into the annex, so this is ok. * Command.AddUrl when using a remote to download an url; this is new content being added, so this is ok. This commit was sponsored by Fernando Jimenez on Patreon. 2018-06-21 17:34:11 +00:00			`-- This matches the retrievalSecurityPolicy of Remote.Git`
			`let rsp = RetrievalAllKeysSecure`
			`ifM (getViaTmp rsp verify key go)`
fix "storeKey when already present" test for git-annex-shell transfers Now git-annex-shell recvkey, when the key is already present, allows another copy to be rsynced up, and just throws it away. This same behavior could have already happened before, when eg, two repos tried to upload the same object at the same time. So this makes the test suite pass, and should not add any bad behavior, other than slightly more work being done in a rather edge case. This relies on moveAnnex's behavior of keeping the current version of an object. 2014-08-04 13:16:47 +00:00			`( do`
			`-- forcibly quit after receiving one key,`
			`-- and shutdown cleanly`
			`_ <- shutdown True`
			`return True`
			`, return False`
			`)`
safe recv-key in direct mode Checks the key's size and checksum. This is sorta expensive, but it avoids needing to add another round-trip to the protocol. 2013-01-11 19:43:09 +00:00			`where`
other 80% of avoding verification when hard linking to objects in shared repo In c6632ee5c8e66c26ef18317f56ae02bae1e7e280, it actually only handled uploading objects to a shared repository. To avoid verification when downloading objects from a shared repository, was a lot harder. On the plus side, if the process of downloading a file from a remote is able to verify its content on the side, the remote can indicate this now, and avoid the extra post-download verification. As of yet, I don't have any remotes (except Git) using this ability. Some more work would be needed to support it in special remotes. It would make sense for tahoe to implicitly verify things downloaded from it; as long as you trust your tahoe server (which typically runs locally), there's cryptographic integrity. OTOH, despite bup being based on shas, a bup repo under an attacker's control could have the git ref used for an object changed, and so a bup repo shouldn't implicitly verify. Indeed, tahoe seems unique in being trustworthy enough to implicitly verify. 2015-10-02 17:56:42 +00:00			`go tmp = unVerified $ do`
minor refactoring 2013-03-30 23:05:51 +00:00			`opts <- filterRsyncSafeOptions . maybe [] words`
			`<$> getField "RsyncOptions"`
Do verification of checksums of annex objects downloaded from remotes. * When annex objects are received into git repositories, their checksums are verified then too. * To get the old, faster, behavior of not verifying checksums, set annex.verify=false, or remote.<name>.annex-verify=false. * setkey, rekey: These commands also now verify that the provided file matches the key, unless annex.verify=false. * reinject: Already verified content; this can now be disabled by setting annex.verify=false. recvkey and reinject already did verification, so removed now duplicate code from them. fsck still does its own verification, which is ok since it does not use getViaTmp, so verification doesn't happen twice when using fsck --from. 2015-10-01 19:54:37 +00:00			`liftIO $ rsyncServerReceive (map Param opts) tmp`