From 49114cf4eabeb2cc4f598af8cebc46fc1c04ac47 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 27 Feb 2017 15:02:38 -0400 Subject: [PATCH] securehash matching Added --securehash option to match files using a secure hash function, and corresponding securehash preferred content expression. This commit was sponsored by Ethan Aubin. --- Annex/FileMatcher.hs | 1 + CHANGELOG | 2 ++ CmdLine/GitAnnex/Options.hs | 5 +++++ Limit.hs | 9 ++++++++- doc/git-annex-matching-options.mdwn | 5 +++++ doc/git-annex-preferred-content.mdwn | 5 +++++ doc/preferred_content.mdwn | 1 + 7 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/Annex/FileMatcher.hs b/Annex/FileMatcher.hs
index 654c5a9606..7a418cc48a 100644
--- a/Annex/FileMatcher.hs
+++ b/Annex/FileMatcher.hs
@@ -117,6 +117,7 @@ preferredContentParser matchstandard matchgroupwanted getgroupmap configmap mu e
 , SimpleToken "groupwanted" (call matchgroupwanted)
 , SimpleToken "present" (simply $ limitPresent mu)
 , SimpleToken "inpreferreddir" (simply $ limitInDir preferreddir)
+ , SimpleToken "securehash" (simply limitSecureHash)
 , ValueToken "copies" (usev limitCopies)
 , ValueToken "lackingcopies" (usev $ limitLackingCopies False)
 , ValueToken "approxlackingcopies" (usev $ limitLackingCopies True)
diff --git a/CHANGELOG b/CHANGELOG
index cc5bf6d52c..bdb56ad314 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -7,6 +7,8 @@ git-annex (6.20170215) UNRELEASED; urgency=medium
 from being added to .git/annex/objects by any method. * fsck: Warn about any files whose content is present, that don't use secure hashes, when annex.securehashesonly is set.
+ * Added --securehash option to match files using a secure hash function,
+ and corresponding securehash preferred content expression.
 * sync, merge: Fail when the current branch has no commits yet, instead of not merging in anything from remotes and appearing to succeed. * Run ssh with -n whenever input is not being piped into it,
diff --git a/CmdLine/GitAnnex/Options.hs b/CmdLine/GitAnnex/Options.hs
index f7e0dcf072..726a6963c5 100644
--- a/CmdLine/GitAnnex/Options.hs
+++ b/CmdLine/GitAnnex/Options.hs
@@ -224,6 +224,11 @@ nonWorkTreeMatchingOptions' =
 <> hidden
 <> completeBackends
 )
+ , globalFlag Limit.addSecureHash
+ ( long "securehash"
+ <> help "match files using a cryptographically secure hash"
+ <> hidden
+ )
 , globalSetter Limit.addInAllGroup $ strOption ( long "inallgroup" <> metavar paramGroup <> help "match files present in all remotes in a group"
diff --git a/Limit.hs b/Limit.hs
index 1485b4bce0..97e3653b14 100644
--- a/Limit.hs
+++ b/Limit.hs
@@ -1,6 +1,6 @@
 {- user-specified limits on files to act on
 -
- - Copyright 2011-2016 Joey Hess
+ - Copyright 2011-2017 Joey Hess
 -
 - Licensed under the GNU GPL version 3 or higher.
 -}
@@ -255,6 +255,13 @@ limitInBackend name = Right $ const $ checkKey check
 check key = pure $ keyVariety key == variety
 variety = parseKeyVariety name
 
+{- Adds a limit to skip files not using a secure hash. -}
+addSecureHash :: Annex ()
+addSecureHash = addLimit $ Right limitSecureHash
+
+limitSecureHash :: MatchFiles Annex
+limitSecureHash _ = checkKey $ pure . cryptographicallySecure . keyVariety
+
 {- Adds a limit to skip files that are too large or too small -}
 addLargerThan :: String -> Annex ()
 addLargerThan = addLimit . limitSize (>)
diff --git a/doc/git-annex-matching-options.mdwn b/doc/git-annex-matching-options.mdwn
index 5c5f6ca259..2802fe60bc 100644
--- a/doc/git-annex-matching-options.mdwn
+++ b/doc/git-annex-matching-options.mdwn
@@ -95,6 +95,11 @@ in either of two repositories. Matches only files whose content is stored using the specified key-value backend.
+* `--securehash`
+
+ Matches only files whose content is hashed using a cryptographically
+ secure function.
+
 * `--inallgroup=groupname` Matches only files that git-annex believes are present in all repositories
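Review bot: `limitSecureHash` in the second Limit.hs hunk (`@@ -255,6 +255,13 @@`) has no comment of its own, and the comment on `addSecureHash` does not say how "secure" is decided. The matcher is `pure . cryptographicallySecure . keyVariety`, so it classifies the variety recorded in the key and does not hash or verify any content; a comment such as `{- Matches files whose key variety is cryptographicallySecure. Only the key is examined; content is not verified. -}` above it would make that explicit. `cryptographicallySecure` is defined outside this diff, so which varieties it accepts cannot be checked from here. The diffstat also lists no test file, so a case for the new matcher covering one secure and one insecure backend would be worth adding.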
diff --git a/doc/git-annex-preferred-content.mdwn b/doc/git-annex-preferred-content.mdwn
index a8d2efeb20..92899c82aa 100644
--- a/doc/git-annex-preferred-content.mdwn
+++ b/doc/git-annex-preferred-content.mdwn
@@ -96,6 +96,11 @@ elsewhere to allow removing it). Matches only files whose content is stored using the specified key-value backend.
+* `securehash`
+
+ Matches only files whose content is hashed using a cryptographically
+ secure function.
+
 * `inallgroup=groupname` Matches only files that git-annex believes are present in all repositories
diff --git a/doc/preferred_content.mdwn b/doc/preferred_content.mdwn
index d7b9870e5a..19670723cc 100644
--- a/doc/preferred_content.mdwn
+++ b/doc/preferred_content.mdwn
@@ -58,6 +58,7 @@ it assumes all files that are currently present are preferred content. Here are recent changes to preferred content expressions, and the version they were added in.
+* "securehash" 6.20170228
 * "nothing" 6.201600202
 * "anything" 5.20150616
 * "standard" 5.20140314