2010-12-31 17:39:30 +00:00
|
|
|
{- git-annex command
|
|
|
|
-
|
2015-01-21 16:50:09 +00:00
|
|
|
- Copyright 2010 Joey Hess <id@joeyh.name>
|
2010-12-31 17:39:30 +00:00
|
|
|
-
|
|
|
|
- Licensed under the GNU GPL version 3 or higher.
|
|
|
|
-}
|
|
|
|
|
|
|
|
module Command.RecvKey where
|
|
|
|
|
|
|
|
import Command
|
2011-10-04 04:40:47 +00:00
|
|
|
import Annex.Content
|
2015-07-31 20:00:13 +00:00
|
|
|
import Annex.Action
|
2013-03-29 00:34:07 +00:00
|
|
|
import Annex
|
2012-09-19 18:28:32 +00:00
|
|
|
import Utility.Rsync
|
2016-08-03 16:37:12 +00:00
|
|
|
import Types.Transfer
|
2018-06-21 17:34:11 +00:00
|
|
|
import Types.Remote (RetrievalSecurityPolicy(..))
|
2012-08-23 19:22:23 +00:00
|
|
|
import Command.SendKey (fieldTransfer)
|
2014-01-26 20:32:55 +00:00
|
|
|
import qualified CmdLine.GitAnnexShell.Fields as Fields
|
2010-12-31 17:39:30 +00:00
|
|
|
|
2015-07-08 16:33:27 +00:00
|
|
|
cmd :: Command
|
2015-07-08 19:08:02 +00:00
|
|
|
cmd = noCommit $ command "recvkey" SectionPlumbing
|
|
|
|
"runs rsync in server mode to receive content"
|
|
|
|
paramKey (withParams seek)
|
2010-12-31 17:39:30 +00:00
|
|
|
|
2015-07-08 16:33:27 +00:00
|
|
|
seek :: CmdParams -> CommandSeek
|
2018-10-01 18:12:06 +00:00
|
|
|
seek = withKeys (commandAction . start)
|
2010-12-31 17:39:30 +00:00
|
|
|
|
2011-09-15 20:50:49 +00:00
|
|
|
start :: Key -> CommandStart
|
Do verification of checksums of annex objects downloaded from remotes.
* When annex objects are received into git repositories, their checksums are
verified then too.
* To get the old, faster, behavior of not verifying checksums, set
annex.verify=false, or remote.<name>.annex-verify=false.
* setkey, rekey: These commands also now verify that the provided file
matches the key, unless annex.verify=false.
* reinject: Already verified content; this can now be disabled by
setting annex.verify=false.
recvkey and reinject already did verification, so removed now duplicate
code from them. fsck still does its own verification, which is ok since it
does not use getViaTmp, so verification doesn't happen twice when using fsck
--from.
2015-10-01 19:54:37 +00:00
|
|
|
start key = fieldTransfer Download key $ \_p -> do
|
2015-12-26 17:59:27 +00:00
|
|
|
-- Always verify content when a repo is sending an unlocked file,
|
Do verification of checksums of annex objects downloaded from remotes.
* When annex objects are received into git repositories, their checksums are
verified then too.
* To get the old, faster, behavior of not verifying checksums, set
annex.verify=false, or remote.<name>.annex-verify=false.
* setkey, rekey: These commands also now verify that the provided file
matches the key, unless annex.verify=false.
* reinject: Already verified content; this can now be disabled by
setting annex.verify=false.
recvkey and reinject already did verification, so removed now duplicate
code from them. fsck still does its own verification, which is ok since it
does not use getViaTmp, so verification doesn't happen twice when using fsck
--from.
2015-10-01 19:54:37 +00:00
|
|
|
-- as the file could change while being transferred.
|
2015-12-26 17:59:27 +00:00
|
|
|
fromunlocked <- (isJust <$> Fields.getField Fields.unlocked)
|
|
|
|
<||> (isJust <$> Fields.getField Fields.direct)
|
|
|
|
let verify = if fromunlocked then AlwaysVerify else DefaultVerify
|
2018-06-21 17:34:11 +00:00
|
|
|
-- This matches the retrievalSecurityPolicy of Remote.Git
|
|
|
|
let rsp = RetrievalAllKeysSecure
|
|
|
|
ifM (getViaTmp rsp verify key go)
|
2014-08-04 13:16:47 +00:00
|
|
|
( do
|
|
|
|
-- forcibly quit after receiving one key,
|
|
|
|
-- and shutdown cleanly
|
|
|
|
_ <- shutdown True
|
|
|
|
return True
|
|
|
|
, return False
|
|
|
|
)
|
2013-01-11 19:43:09 +00:00
|
|
|
where
|
other 80% of avoding verification when hard linking to objects in shared repo
In c6632ee5c8e66c26ef18317f56ae02bae1e7e280, it actually only handled
uploading objects to a shared repository. To avoid verification when
downloading objects from a shared repository, was a lot harder.
On the plus side, if the process of downloading a file from a remote
is able to verify its content on the side, the remote can indicate this
now, and avoid the extra post-download verification.
As of yet, I don't have any remotes (except Git) using this ability.
Some more work would be needed to support it in special remotes.
It would make sense for tahoe to implicitly verify things downloaded from it;
as long as you trust your tahoe server (which typically runs locally),
there's cryptographic integrity. OTOH, despite bup being based on shas,
a bup repo under an attacker's control could have the git ref used for an
object changed, and so a bup repo shouldn't implicitly verify. Indeed,
tahoe seems unique in being trustworthy enough to implicitly verify.
2015-10-02 17:56:42 +00:00
|
|
|
go tmp = unVerified $ do
|
2013-03-30 23:05:51 +00:00
|
|
|
opts <- filterRsyncSafeOptions . maybe [] words
|
|
|
|
<$> getField "RsyncOptions"
|
Do verification of checksums of annex objects downloaded from remotes.
* When annex objects are received into git repositories, their checksums are
verified then too.
* To get the old, faster, behavior of not verifying checksums, set
annex.verify=false, or remote.<name>.annex-verify=false.
* setkey, rekey: These commands also now verify that the provided file
matches the key, unless annex.verify=false.
* reinject: Already verified content; this can now be disabled by
setting annex.verify=false.
recvkey and reinject already did verification, so removed now duplicate
code from them. fsck still does its own verification, which is ok since it
does not use getViaTmp, so verification doesn't happen twice when using fsck
--from.
2015-10-01 19:54:37 +00:00
|
|
|
liftIO $ rsyncServerReceive (map Param opts) tmp
|