only check --force at init time, not enable time

git-lfs repos that encrypt the annexed content but not the git repo only
need --force passed to initremote, allow enableremote and autoenable of
such remotes without forcing again.

Needing --force again particularly made autoenable of such a repo not work.
And once such a repo has been set up, it seems a second --force when
enabling it elsewhere has little added value. It does tell the user about
the possibly insecure configuration, but if the git repo has already been
pushed to that remote in the clear, data has already been exposed. The goal
of that --force was not to prevent every situation where such an exposure
can happen -- anyone who sets up a public git repo and pushes to it will
expose things similarly and git-annex is not involved. Instead, the purpose
of the --force is to point out to the user that they're asking for a
configuration where encryption is inconsistently applied.

CHANGELOG

@@ -13,6 +13,9 @@ git-annex (8.20200502) UNRELEASED; urgency=medium
   * S3: Support signature=v4, to use S3 Signature Version 4.
     Some S3 services seem to require v4, while others may only
     support v2, which remains the default.
+  * git-lfs repos that encrypt the annexed content but not the git repo
+    only need --force passed to initremote, allow enableremote and
+    autoenable of such remotes without forcing again.
 
  -- Joey Hess <id@joeyh.name>  Mon, 04 May 2020 12:46:11 -0400
 

Remote/GitLFS.hs

@@ -134,34 +134,35 @@ gen r u rc gc rs = do
 		}
 
 mySetup :: SetupStage -> Maybe UUID -> Maybe CredPair -> RemoteConfig -> RemoteGitConfig -> Annex (RemoteConfig, UUID)
-mySetup _ mu _ c gc = do
+mySetup ss mu _ c gc = do
 	u <- maybe (liftIO genUUID) return mu
 
 	(c', _encsetup) <- encryptionSetup c gc
 	pc <- either giveup return . parseRemoteConfig c' =<< configParser remote c'
+	let failinitunlessforced msg = case ss of
+		Init -> unlessM (Annex.getState Annex.force) (giveup msg)
+		Enable _ -> noop
 	case (isEncrypted pc, Git.GCrypt.urlPrefix `isPrefixOf` url) of
 		(False, False) -> noop
 		(True, True) -> Remote.GCrypt.setGcryptEncryption pc remotename
-		(True, False) -> unlessM (Annex.getState Annex.force) $
-			giveup $ unwords $
-				[ "Encryption is enabled for this remote,"
-				, "but only the files that git-annex stores on"
-				, "it would be encrypted; "
-				, "anything that git push sends to it would"
-				, "not be encrypted. Recommend prefixing the"
-				, "url with \"gcrypt::\" to also encrypt"
-				, "git pushes."
-				, "(Use --force if you want to use this"
-				, "likely insecure configuration.)"
-				]
-		(False, True) -> unlessM (Annex.getState Annex.force) $
-			giveup $ unwords $
-				[ "You used a \"gcrypt::\" url for this remote,"
-				, "but encryption=none prevents git-annex"
-				, "from encrypting files it stores there."
-				, "(Use --force if you want to use this"
-				, "likely insecure configuration.)"
-				]
+		(True, False) -> failinitunlessforced $ unwords $
+			[ "Encryption is enabled for this remote,"
+			, "but only the files that git-annex stores on"
+			, "it would be encrypted; "
+			, "anything that git push sends to it would"
+			, "not be encrypted. Recommend prefixing the"
+			, "url with \"gcrypt::\" to also encrypt"
+			, "git pushes."
+			, "(Use --force if you want to use this"
+			, "likely insecure configuration.)"
+			]
+		(False, True) -> failinitunlessforced $ unwords
+			[ "You used a \"gcrypt::\" url for this remote,"
+			, "but encryption=none prevents git-annex"
+			, "from encrypting files it stores there."
+			, "(Use --force if you want to use this"
+			, "likely insecure configuration.)"
+			]
 
 	-- Set up remote.name.url to point to the repo,
 	-- (so it's also usable by git as a non-special remote),