From 36133f27c0bd5ba037291420d4b66a3bd8e26308 Mon Sep 17 00:00:00 2001
From: Joey Hess <joeyh@joeyh.name>
Date: Mon, 28 Dec 2020 15:08:53 -0400
Subject: [PATCH] move untrust forcing from Logs.Trust into Remote

No behavior changes here, but this is groundwork for letting remotes
such as borg vary untrust forcing depending on configuration.
---
 Logs/Trust.hs                 | 19 ++++++-------------
 Remote/Adb.hs                 |  1 +
 Remote/BitTorrent.hs          |  1 +
 Remote/Borg.hs                |  1 +
 Remote/Bup.hs                 |  1 +
 Remote/Ddar.hs                |  1 +
 Remote/Directory.hs           |  1 +
 Remote/External.hs            |  1 +
 Remote/GCrypt.hs              |  1 +
 Remote/Git.hs                 |  1 +
 Remote/GitLFS.hs              |  1 +
 Remote/Glacier.hs             |  1 +
 Remote/Helper/ExportImport.hs | 10 ++++++++++
 Remote/Hook.hs                |  1 +
 Remote/HttpAlso.hs            |  1 +
 Remote/P2P.hs                 |  1 +
 Remote/Rsync.hs               |  1 +
 Remote/S3.hs                  |  1 +
 Remote/Tahoe.hs               |  1 +
 Remote/Web.hs                 |  1 +
 Remote/WebDAV.hs              |  1 +
 Types/Remote.hs               |  7 +++++++
 22 files changed, 42 insertions(+), 13 deletions(-)

diff --git a/Logs/Trust.hs b/Logs/Trust.hs
index b1db4943ba..220ff54f06 100644
--- a/Logs/Trust.hs
+++ b/Logs/Trust.hs
@@ -64,22 +64,15 @@ trustMap = maybe trustMapLoad return =<< Annex.getState Annex.trustmap
 {- Loads the map, updating the cache, -}
 trustMapLoad :: Annex TrustMap
 trustMapLoad = do
-	overrides <- Annex.getState Annex.forcetrust
+	forceoverrides <- Annex.getState Annex.forcetrust
 	l <- remoteList
-	-- Export/import remotes are normally untrusted, because they are
-	-- not key/value stores and there are many ways that content stored
-	-- on them can be lost. An exception is ones with versionedExport set.
-	let isexportimport r = Types.Remote.isExportSupported r
-		<||> Types.Remote.isImportSupported r
-	let isuntrustworthy r = isexportimport r
-		<&&> pure (not (Types.Remote.versionedExport (Types.Remote.exportActions r)))
-	untrustworthy <- filterM isuntrustworthy l
-	let trustoverrides = M.fromList $
-		map (\r -> (Types.Remote.uuid r, UnTrusted)) untrustworthy
+	let untrustoverrides = M.fromList $
+		map (\r -> (Types.Remote.uuid r, UnTrusted))
+		(filter Types.Remote.untrustworthy l)
 	logged <- trustMapRaw
 	let configured = M.fromList $ mapMaybe configuredtrust l
-	let m = M.unionWith min trustoverrides $
-		M.union overrides $
+	let m = M.unionWith min untrustoverrides $
+		M.union forceoverrides $
 		M.union configured logged
 	Annex.changeState $ \s -> s { Annex.trustmap = Just m }
 	return m
diff --git a/Remote/Adb.hs b/Remote/Adb.hs
index f0eeaad2f8..edc15ac73c 100644
--- a/Remote/Adb.hs
+++ b/Remote/Adb.hs
@@ -101,6 +101,7 @@ gen r u rc gc rs = do
 		, availability = LocallyAvailable
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = False
 		, mkUnavailable = return Nothing
 		, getInfo = return
 			[ ("androidserial", fromAndroidSerial serial)
diff --git a/Remote/BitTorrent.hs b/Remote/BitTorrent.hs
index 61e660270a..5f4b1a3474 100644
--- a/Remote/BitTorrent.hs
+++ b/Remote/BitTorrent.hs
@@ -86,6 +86,7 @@ gen r _ rc gc rs = do
 		, getRepo = return r
 		, readonly = True
 		, appendonly = False
+		, untrustworthy = False
 		, availability = GloballyAvailable
 		, remotetype = remote
 		, mkUnavailable = return Nothing
diff --git a/Remote/Borg.hs b/Remote/Borg.hs
index 9e7656a776..aefe616902 100644
--- a/Remote/Borg.hs
+++ b/Remote/Borg.hs
@@ -108,6 +108,7 @@ gen r u rc gc rs = do
 		, availability = if borgLocal borgrepo then LocallyAvailable else GloballyAvailable
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = True
 		, mkUnavailable = return Nothing
 		, getInfo = return [("repo", borgrepo)]
 		, claimUrl = Nothing
diff --git a/Remote/Bup.hs b/Remote/Bup.hs
index 8950ac4670..6ba638a2df 100644
--- a/Remote/Bup.hs
+++ b/Remote/Bup.hs
@@ -95,6 +95,7 @@ gen r u rc gc rs = do
 		, availability = if bupLocal buprepo then LocallyAvailable else GloballyAvailable
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = False
 		, mkUnavailable = return Nothing
 		, getInfo = return [("repo", buprepo)]
 		, claimUrl = Nothing
diff --git a/Remote/Ddar.hs b/Remote/Ddar.hs
index 4c544d28cd..be96a71dac 100644
--- a/Remote/Ddar.hs
+++ b/Remote/Ddar.hs
@@ -98,6 +98,7 @@ gen r u rc gc rs = do
 		, availability = if ddarLocal ddarrepo then LocallyAvailable else GloballyAvailable
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = False
 		, mkUnavailable = return Nothing
 		, getInfo = return [("repo", ddarRepoLocation ddarrepo)]
 		, claimUrl = Nothing
diff --git a/Remote/Directory.hs b/Remote/Directory.hs
index ed52a1ff25..ae3b1de4a0 100644
--- a/Remote/Directory.hs
+++ b/Remote/Directory.hs
@@ -115,6 +115,7 @@ gen r u rc gc rs = do
 			, localpath = Just dir'
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = LocallyAvailable
 			, remotetype = remote
 			, mkUnavailable = gen r u rc
diff --git a/Remote/External.hs b/Remote/External.hs
index 7562737f74..6504965851 100644
--- a/Remote/External.hs
+++ b/Remote/External.hs
@@ -144,6 +144,7 @@ gen r u rc gc rs
 			, gitconfig = gc
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = avail
 			, remotetype = remote 
 				{ exportSupported = cheapexportsupported }
diff --git a/Remote/GCrypt.hs b/Remote/GCrypt.hs
index af1ddc712f..9aff202669 100644
--- a/Remote/GCrypt.hs
+++ b/Remote/GCrypt.hs
@@ -153,6 +153,7 @@ gen' r u c gc rs = do
 		, gitconfig = gc
 		, readonly = Git.repoIsHttp r
 		, appendonly = False
+		, untrustworthy = False
 		, availability = availabilityCalc r
 		, remotetype = remote
 		, mkUnavailable = return Nothing
diff --git a/Remote/Git.hs b/Remote/Git.hs
index 62751a5607..485af81534 100644
--- a/Remote/Git.hs
+++ b/Remote/Git.hs
@@ -205,6 +205,7 @@ gen r u rc gc rs
 			, gitconfig = gc
 			, readonly = Git.repoIsHttp r
 			, appendonly = False
+			, untrustworthy = False
 			, availability = availabilityCalc r
 			, remotetype = remote
 			, mkUnavailable = unavailable r u rc gc rs
diff --git a/Remote/GitLFS.hs b/Remote/GitLFS.hs
index f9cf7f7512..9103105a7f 100644
--- a/Remote/GitLFS.hs
+++ b/Remote/GitLFS.hs
@@ -133,6 +133,7 @@ gen r u rc gc rs = do
 		, readonly = False
 		-- content cannot be removed from a git-lfs repo
 		, appendonly = True
+		, untrustworthy = False
 		, mkUnavailable = return Nothing
 		, getInfo = gitRepoInfo (this c cst h)
 		, claimUrl = Nothing
diff --git a/Remote/Glacier.hs b/Remote/Glacier.hs
index d4b2365226..5fbebc8bd6 100644
--- a/Remote/Glacier.hs
+++ b/Remote/Glacier.hs
@@ -99,6 +99,7 @@ gen r u rc gc rs = new
 			, localpath = Nothing
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = GloballyAvailable
 			, remotetype = remote
 			, mkUnavailable = return Nothing
diff --git a/Remote/Helper/ExportImport.hs b/Remote/Helper/ExportImport.hs
index 2ed375cd32..878ce112e6 100644
--- a/Remote/Helper/ExportImport.hs
+++ b/Remote/Helper/ExportImport.hs
@@ -204,6 +204,16 @@ adjustExportImport' isexport isimport r rs = do
 		-- in confusing ways when there's an export
 		-- conflict (or an import conflict).
 		, checkPresentCheap = False
+		-- Export/import remotes can lose content stored on them in
+		-- many ways. This is not a problem with versioned
+		-- ones though, since they still allow accessing by Key.
+		-- And for thirdPartyPopulated, it depends on how the
+		-- content gets actually stored in the remote, so
+		-- is not overriddden here.
+		, untrustworthy =
+			if versioned || thirdPartyPopulated (remotetype r)
+				then untrustworthy r
+				else False
 		-- git-annex testremote cannot be used to test
 		-- import/export since it stores keys.
 		, mkUnavailable = return Nothing
diff --git a/Remote/Hook.hs b/Remote/Hook.hs
index 89611113b7..301cb92c7d 100644
--- a/Remote/Hook.hs
+++ b/Remote/Hook.hs
@@ -80,6 +80,7 @@ gen r u rc gc rs = do
 			, gitconfig = gc
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = GloballyAvailable
 			, remotetype = remote
 			, mkUnavailable = gen r u rc
diff --git a/Remote/HttpAlso.hs b/Remote/HttpAlso.hs
index 136df441cc..b111d76734 100644
--- a/Remote/HttpAlso.hs
+++ b/Remote/HttpAlso.hs
@@ -88,6 +88,7 @@ gen r u rc gc rs = do
 		, getRepo = return r
 		, readonly = True
 		, appendonly = False
+		, untrustworthy = False
 		, availability = GloballyAvailable
 		, remotetype = remote
 		, mkUnavailable = return Nothing
diff --git a/Remote/P2P.hs b/Remote/P2P.hs
index 859205bfcc..21cf5b42e1 100644
--- a/Remote/P2P.hs
+++ b/Remote/P2P.hs
@@ -74,6 +74,7 @@ chainGen addr r u rc gc rs = do
 		, gitconfig = gc
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = False
 		, availability = GloballyAvailable
 		, remotetype = remote
 		, mkUnavailable = return Nothing
diff --git a/Remote/Rsync.hs b/Remote/Rsync.hs
index 1d00636b87..d9cc05884b 100644
--- a/Remote/Rsync.hs
+++ b/Remote/Rsync.hs
@@ -118,6 +118,7 @@ gen r u rc gc rs = do
 				else Nothing
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = if islocal then LocallyAvailable else GloballyAvailable
 			, remotetype = remote
 			, mkUnavailable = return Nothing
diff --git a/Remote/S3.hs b/Remote/S3.hs
index 58121c3fc5..1005b840c8 100644
--- a/Remote/S3.hs
+++ b/Remote/S3.hs
@@ -234,6 +234,7 @@ gen r u rc gc rs = do
 			, localpath = Nothing
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = GloballyAvailable
 			, remotetype = remote
 			, mkUnavailable = gen r u (M.insert hostField (Proposed "!dne!") rc) gc rs
diff --git a/Remote/Tahoe.hs b/Remote/Tahoe.hs
index 3fbae0df9b..172c32c5ef 100644
--- a/Remote/Tahoe.hs
+++ b/Remote/Tahoe.hs
@@ -107,6 +107,7 @@ gen r u rc gc rs = do
 		, localpath = Nothing
 		, readonly = False
 		, appendonly = False
+		, untrustworthy = False
 		, availability = GloballyAvailable
 		, remotetype = remote
 		, mkUnavailable = return Nothing
diff --git a/Remote/Web.hs b/Remote/Web.hs
index f5de143c27..f62a7943d5 100644
--- a/Remote/Web.hs
+++ b/Remote/Web.hs
@@ -72,6 +72,7 @@ gen r _ rc gc rs = do
 		, getRepo = return r
 		, readonly = True
 		, appendonly = False
+		, untrustworthy = False
 		, availability = GloballyAvailable
 		, remotetype = remote
 		, mkUnavailable = return Nothing
diff --git a/Remote/WebDAV.hs b/Remote/WebDAV.hs
index 80f8e80093..6d7172d81a 100644
--- a/Remote/WebDAV.hs
+++ b/Remote/WebDAV.hs
@@ -115,6 +115,7 @@ gen r u rc gc rs = do
 			, localpath = Nothing
 			, readonly = False
 			, appendonly = False
+			, untrustworthy = False
 			, availability = GloballyAvailable
 			, remotetype = remote
 			, mkUnavailable = gen r u (M.insert urlField (Proposed "http://!dne!/") rc) gc rs
diff --git a/Types/Remote.hs b/Types/Remote.hs
index 717f9cb62d..4e24329ecb 100644
--- a/Types/Remote.hs
+++ b/Types/Remote.hs
@@ -143,6 +143,13 @@ data RemoteA a = Remote
 	-- a Remote can allow writes but not have a way to delete content
 	-- from it.
 	, appendonly :: Bool
+	-- Set if a remote cannot be trusted to continue to contain the
+	-- contents of files stored there. Notably, most export/import
+	-- remotes are untrustworthy because they are not key/value stores.
+	-- Since this prevents the user from adjusting a remote's trust
+	-- level, it's often better not not set it and instead let the user
+	-- decide.
+	, untrustworthy :: Bool
 	-- a Remote can be globally available. (Ie, "in the cloud".)
 	, availability :: Availability
 	-- the type of the remote