git-annex/Command/Trust.hs

{- git-annex command
 -
 - Copyright 2010-2021 Joey Hess <id@joeyh.name>
 -
 - Licensed under the GNU AGPL version 3 or higher.
 -}

module Command.Trust where

import Command
import qualified Remote
import qualified Annex
import Types.TrustLevel
import Logs.Trust
import Logs.Group

import qualified Data.Set as S

cmd :: Command
cmd = command "trust" SectionSetup "trust a repository"
	(paramRepeating paramRepository) (withParams seek)

seek :: CmdParams -> CommandSeek
seek = trustCommand "trust" Trusted

trustCommand :: String -> TrustLevel -> CmdParams -> CommandSeek
trustCommand _ _ [] = giveup "no repository name specified"
trustCommand c level ps = withStrings (commandAction . start) ps
  where
	start name = do
		u <- Remote.nameToUUID name
		let si = SeekInput [name]
		starting c (ActionItemOther (Just (UnquotedString name))) si (perform name u)
	perform name uuid = do
		when (level >= Trusted) $
			unlessM (Annex.getRead Annex.force) $
				giveup $ trustedNeedsForce name
		trustSet uuid level
		when (level == DeadTrusted) $
			groupSet uuid S.empty
		l <- lookupTrust uuid
		when (l /= level) $
			warning $ UnquotedString $ "This remote's trust level is overridden to " ++ showTrustLevel l ++ "."
		next $ return True

trustedNeedsForce :: String -> String
trustedNeedsForce name = unwords
	[ "Trusting a repository can lead to data loss."
	, "If you're sure you know what you're doing, use --force to"
	, "make this take effect."
	, "If you choose to do so, bear in mind that any time you drop"
	, "content from " ++ name ++ ", you will risk losing data."
	]
forgot to add these 2010-12-28 21:44:55 +00:00			`{- git-annex command`
			`-`
Behavior change: git-annex trust now needs --force Since unconsidered use of trusted repositories can lead to data loss. Trusted has always been this way, but it used to be acceptable for git-annex to be set up so that data could be lost without using --force, and most or all other ways that can happen have already been eliminated. This commit was sponsored by Mark Reidenbach on Patreon. 2021-01-07 13:59:52 +00:00			`- Copyright 2010-2021 Joey Hess <id@joeyh.name>`
forgot to add these 2010-12-28 21:44:55 +00:00			`-`
update licenses from GPL to AGPL This does not change the overall license of the git-annex program, which was already AGPL due to a number of sources files being AGPL already. Legally speaking, I'm adding a new license under which these files are now available; I already released their current contents under the GPL license. Now they're dual licensed GPL and AGPL. However, I intend for all my future changes to these files to only be released under the AGPL license, and I won't be tracking the dual licensing status, so I'm simply changing the license statement to say it's AGPL. (In some cases, others wrote parts of the code of a file and released it under the GPL; but in all cases I have contributed a significant portion of the code in each file and it's that code that is getting the AGPL license; the GPL license of other contributors allows combining with AGPL code.) 2019-03-13 19:48:14 +00:00			`- Licensed under the GNU AGPL version 3 or higher.`
forgot to add these 2010-12-28 21:44:55 +00:00			`-}`

			`module Command.Trust where`

			`import Command`
converted several commands to use Remote only move and map still to convert 2011-03-27 20:55:43 +00:00			`import qualified Remote`
Behavior change: git-annex trust now needs --force Since unconsidered use of trusted repositories can lead to data loss. Trusted has always been this way, but it used to be acceptable for git-annex to be set up so that data could be lost without using --force, and most or all other ways that can happen have already been eliminated. This commit was sponsored by Mark Reidenbach on Patreon. 2021-01-07 13:59:52 +00:00			`import qualified Annex`
trust, untrust, semitrust, dead: Warn when the trust level is overridden in .git/config. 2014-02-20 19:17:39 +00:00			`import Types.TrustLevel`
reorganize log modules no code changes 2011-10-15 20:21:08 +00:00			`import Logs.Trust`
refactor 2014-02-20 19:12:35 +00:00			`import Logs.Group`

			`import qualified Data.Set as S`
forgot to add these 2010-12-28 21:44:55 +00:00
started converting to use optparse-applicative This is a work in progress. It compiles and is able to do basic command dispatch, including git autocorrection, while using optparse-applicative for the core commandline parsing. * Many commands are temporarily disabled before conversion. * Options are not wired in yet. * cmdnorepo actions don't work yet. Also, removed the [Command] list, which was only used in one place. 2015-07-08 16:33:27 +00:00			`cmd :: Command`
convert all commands to work with optparse-applicative Still no options though. 2015-07-08 19:08:02 +00:00			`cmd = command "trust" SectionSetup "trust a repository"`
improve usage These commands operate on not only remotes, but any way a repository can be specified, including "here" etc. Sponsored-by: Graham Spencer on Patreon 2022-10-03 17:49:42 +00:00			`(paramRepeating paramRepository) (withParams seek)`
refactor in preparation for adding a git-annex-shell command 2010-12-30 19:06:26 +00:00
convert all commands to work with optparse-applicative Still no options though. 2015-07-08 19:08:02 +00:00			`seek :: CmdParams -> CommandSeek`
refactor 2014-02-20 19:12:35 +00:00			`seek = trustCommand "trust" Trusted`
forgot to add these 2010-12-28 21:44:55 +00:00
convert all commands to work with optparse-applicative Still no options though. 2015-07-08 19:08:02 +00:00			`trustCommand :: String -> TrustLevel -> CmdParams -> CommandSeek`
avoid combining multiple words provided to trust/untrust/dead * trust, untrust, semitrust, dead: Fix behavior when provided with multiple repositories to operate on. * trust, untrust, semitrust, dead: When provided with no parameters, do not operate on a repository that has an empty name. The man page and usage already indicated that multiple repos could be provided to these commands, but they actually used unwords to combine everything into string, and found a repo matching that string. This was especially bad when no parameters resulted in the empty string and some repo happened to have an empty description. This does change the behavior, and it's possible someone relied on the current behavior to eg, trust a repo by name with the name not quoted into a single parameter. But fixing the empty string bug and matching the documentation are worth breaking that usage. Note that git-annex init/reinit do still unwords multiple parameters when provided to them. That is inconsistent behavior, but it certianly seems possible that something does run git-annex init with an unquoted description, and I don't think it's worth breaking that just to make it more consistent with these other commands. Sponsored-by: Boyd Stephen Smith Jr. on Patreon 2022-10-03 17:48:40 +00:00			`trustCommand _ _ [] = giveup "no repository name specified"`
			`trustCommand c level ps = withStrings (commandAction . start) ps`
refactor 2014-02-20 19:12:35 +00:00			`where`
avoid combining multiple words provided to trust/untrust/dead * trust, untrust, semitrust, dead: Fix behavior when provided with multiple repositories to operate on. * trust, untrust, semitrust, dead: When provided with no parameters, do not operate on a repository that has an empty name. The man page and usage already indicated that multiple repos could be provided to these commands, but they actually used unwords to combine everything into string, and found a repo matching that string. This was especially bad when no parameters resulted in the empty string and some repo happened to have an empty description. This does change the behavior, and it's possible someone relied on the current behavior to eg, trust a repo by name with the name not quoted into a single parameter. But fixing the empty string bug and matching the documentation are worth breaking that usage. Note that git-annex init/reinit do still unwords multiple parameters when provided to them. That is inconsistent behavior, but it certianly seems possible that something does run git-annex init with an unquoted description, and I don't think it's worth breaking that just to make it more consistent with these other commands. Sponsored-by: Boyd Stephen Smith Jr. on Patreon 2022-10-03 17:48:40 +00:00			`start name = do`
refactor 2014-02-20 19:12:35 +00:00			`u <- Remote.nameToUUID name`
avoid combining multiple words provided to trust/untrust/dead * trust, untrust, semitrust, dead: Fix behavior when provided with multiple repositories to operate on. * trust, untrust, semitrust, dead: When provided with no parameters, do not operate on a repository that has an empty name. The man page and usage already indicated that multiple repos could be provided to these commands, but they actually used unwords to combine everything into string, and found a repo matching that string. This was especially bad when no parameters resulted in the empty string and some repo happened to have an empty description. This does change the behavior, and it's possible someone relied on the current behavior to eg, trust a repo by name with the name not quoted into a single parameter. But fixing the empty string bug and matching the documentation are worth breaking that usage. Note that git-annex init/reinit do still unwords multiple parameters when provided to them. That is inconsistent behavior, but it certianly seems possible that something does run git-annex init with an unquoted description, and I don't think it's worth breaking that just to make it more consistent with these other commands. Sponsored-by: Boyd Stephen Smith Jr. on Patreon 2022-10-03 17:48:40 +00:00			`let si = SeekInput [name]`
git style quoting for ActionItemOther Added StringContainingQuotedPath, which is used for ActionItemOther. In the process, checked every ActionItemOther for those containing filenames, and made them use quoting. Sponsored-by: Graham Spencer on Patreon 2023-04-08 19:48:32 +00:00			`starting c (ActionItemOther (Just (UnquotedString name))) si (perform name u)`
Behavior change: git-annex trust now needs --force Since unconsidered use of trusted repositories can lead to data loss. Trusted has always been this way, but it used to be acceptable for git-annex to be set up so that data could be lost without using --force, and most or all other ways that can happen have already been eliminated. This commit was sponsored by Mark Reidenbach on Patreon. 2021-01-07 13:59:52 +00:00			`perform name uuid = do`
			`when (level >= Trusted) $`
move several readonly values to AnnexRead This improves performance to a small extent in several places. Sponsored-by: Tobias Ammann on Patreon 2022-06-28 19:28:14 +00:00			`unlessM (Annex.getRead Annex.force) $`
Behavior change: git-annex trust now needs --force Since unconsidered use of trusted repositories can lead to data loss. Trusted has always been this way, but it used to be acceptable for git-annex to be set up so that data could be lost without using --force, and most or all other ways that can happen have already been eliminated. This commit was sponsored by Mark Reidenbach on Patreon. 2021-01-07 13:59:52 +00:00			`giveup $ trustedNeedsForce name`
refactor 2014-02-20 19:12:35 +00:00			`trustSet uuid level`
			`when (level == DeadTrusted) $`
			`groupSet uuid S.empty`
trust, untrust, semitrust, dead: Warn when the trust level is overridden in .git/config. 2014-02-20 19:17:39 +00:00			`l <- lookupTrust uuid`
			`when (l /= level) $`
filter out control characters in warning messages Converted warning and similar to use StringContainingQuotedPath. Most warnings are static strings, some do refer to filepaths that need to be quoted, and others don't need quoting. Note that, since quote filters out control characters of even UnquotedString, this makes all warnings safe, even when an attacker sneaks in a control character in some other way. When json is being output, no quoting is done, since json gets its own quoting. This does, as a side effect, make warning messages in json output not be indented. The indentation is only needed to offset warning messages underneath the display of the file they apply to, so that's ok. Sponsored-by: Brett Eisenberg on Patreon 2023-04-10 18:47:32 +00:00			`warning $ UnquotedString $ "This remote's trust level is overridden to " ++ showTrustLevel l ++ "."`
refactor 2014-02-20 19:12:35 +00:00			`next $ return True`
Behavior change: git-annex trust now needs --force Since unconsidered use of trusted repositories can lead to data loss. Trusted has always been this way, but it used to be acceptable for git-annex to be set up so that data could be lost without using --force, and most or all other ways that can happen have already been eliminated. This commit was sponsored by Mark Reidenbach on Patreon. 2021-01-07 13:59:52 +00:00
			`trustedNeedsForce :: String -> String`
fix format of message newlines are eaten 2021-01-11 17:14:09 +00:00			`trustedNeedsForce name = unwords`
Behavior change: git-annex trust now needs --force Since unconsidered use of trusted repositories can lead to data loss. Trusted has always been this way, but it used to be acceptable for git-annex to be set up so that data could be lost without using --force, and most or all other ways that can happen have already been eliminated. This commit was sponsored by Mark Reidenbach on Patreon. 2021-01-07 13:59:52 +00:00			`[ "Trusting a repository can lead to data loss."`
			`, "If you're sure you know what you're doing, use --force to"`
			`, "make this take effect."`
			`, "If you choose to do so, bear in mind that any time you drop"`
			`, "content from " ++ name ++ ", you will risk losing data."`
			`]`