git-annex/Command
Joey Hess b657242f5d
enforce retrievalSecurityPolicy
Leveraged the existing verification code by making it also check the
retrievalSecurityPolicy.

Also, prevented getViaTmp from running the download action at all when the
retrievalSecurityPolicy is going to prevent verifying and so storing it.

Added annex.security.allow-unverified-downloads. A per-remote version
would be nice to have too, but would need more plumbing, so KISS.
(Bill the Cat reference not too over the top I hope. The point is to
make this something the user reads the documentation for before using.)

A few calls to verifyKeyContent and getViaTmp, that don't
involve downloads from remotes, have RetrievalAllKeysSecure hard-coded.
It was also hard-coded for P2P.Annex and Command.RecvKey,
to match the values of the corresponding remotes.

A few things use retrieveKeyFile/retrieveKeyFileCheap without going
through getViaTmp.
* Command.Fsck when downloading content from a remote to verify it.
  That content does not get into the annex, so this is ok.
* Command.AddUrl when using a remote to download an url; this is new
  content being added, so this is ok.

This commit was sponsored by Fernando Jimenez on Patreon.
2018-06-21 13:37:01 -04:00
..
Add.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
AddUnused.hs Avoid backtraces on expected failures when built with ghc 8; only use backtraces for unexpected errors. 2016-11-15 21:29:54 -04:00
AddUrl.hs limit url downloads to whitelisted schemes 2018-06-16 11:57:50 -04:00
Adjust.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Assistant.hs fold Build/SysConfig.hs into BuildInfo via include 2017-12-14 12:46:57 -04:00
Benchmark.hs change keys database to use IKey type with more efficient serialization 2016-01-12 14:01:50 -04:00
CalcKey.hs more lambda-case conversion 2017-12-05 15:00:50 -04:00
CheckPresentKey.hs more lambda-case conversion 2017-12-05 15:00:50 -04:00
Commit.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
Config.hs more lambda-case conversion 2017-12-05 15:00:50 -04:00
ConfigList.hs .noannex file 2017-12-13 14:34:32 -04:00
ContentLocation.hs Avoid backtraces on expected failures when built with ghc 8; only use backtraces for unexpected errors. 2016-11-15 21:29:54 -04:00
Copy.hs move: --safe/--unsafe and potential drop race fix 2018-04-09 16:20:10 -04:00
Dead.hs more lambda-case conversion 2017-12-05 15:00:50 -04:00
Describe.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
DiffDriver.hs rename BlobType and add submodule to it 2018-05-14 14:45:41 -04:00
Direct.hs more lambda-case conversion 2017-12-05 15:00:50 -04:00
Drop.hs move: --safe/--unsafe and potential drop race fix 2018-04-09 16:20:10 -04:00
DropKey.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
DropUnused.hs add gitAnnexTmpWorkDir and withTmpWorkDir 2017-11-29 13:53:39 -04:00
EnableRemote.hs change Remote.repo to Remote.getRepo 2018-06-04 15:30:26 -04:00
EnableTor.hs move protocol version stuff to the Net free monad 2018-03-12 15:20:51 -04:00
ExamineKey.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
Expire.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Export.hs remove unused value 2018-06-14 12:32:36 -04:00
Find.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
FindRef.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
Fix.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
Forget.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
FromKey.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Fsck.hs fix migration bug and make fsck warn 2018-05-23 14:07:51 -04:00
FuzzTest.hs Fix several places where files in .git/annex/ were written with modes that did not take the core.sharedRepository config into account. 2018-01-02 17:25:25 -04:00
GCryptSetup.hs Avoid backtraces on expected failures when built with ghc 8; only use backtraces for unexpected errors. 2016-11-15 21:29:54 -04:00
Get.hs enforce retrievalSecurityPolicy 2018-06-21 13:37:01 -04:00
Group.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
GroupWanted.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Help.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
Import.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
ImportFeed.hs display addurl url not file 2018-04-13 01:37:46 -04:00
InAnnex.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
Indirect.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Info.hs Fix build with ghc 8.4+, which broke due to the Semigroup Monoid change 2018-05-30 12:28:43 -04:00
Init.hs .noannex file 2017-12-13 14:34:32 -04:00
InitRemote.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Inprogress.hs inprogress: Avoid showing failures for files not in progress. 2018-01-24 20:43:19 -04:00
List.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
Lock.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
LockContent.hs make sure that lockContentShared is always paired with an inAnnex check 2018-03-07 14:23:52 -04:00
Log.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
LookupKey.hs lookupkey absolute path support 2017-12-08 15:35:02 -04:00
Map.hs Improve startup time for commands that do not operate on remotes 2018-01-09 16:22:07 -04:00
MatchExpression.hs matchexpression: Added --largefiles option to parse an annex.largefiles expression. 2016-02-03 16:58:36 -04:00
Merge.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
MetaData.hs Fix mangling of --json output of utf-8 characters when not running in a utf-8 locale 2018-04-16 16:21:21 -04:00
Migrate.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
Mirror.hs move: --safe/--unsafe and potential drop race fix 2018-04-09 16:20:10 -04:00
Move.hs enforce retrievalSecurityPolicy 2018-06-21 13:37:01 -04:00
Multicast.hs enforce retrievalSecurityPolicy 2018-06-21 13:37:01 -04:00
NotifyChanges.hs make tor hidden service work when directory watching is not available 2016-12-09 16:40:47 -04:00
NumCopies.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
P2P.hs move protocol version stuff to the Net free monad 2018-03-12 15:20:51 -04:00
P2PStdIO.hs GIT_ANNEX_SHELL_APPENDONLY 2018-05-25 13:17:56 -04:00
PostReceive.hs configuration to disable automatic merge conflict resolution 2017-06-01 12:51:01 -04:00
PreCommit.hs Avoid repeated checking that files passed on the command line exist. 2017-10-16 14:10:20 -04:00
Proxy.hs finally really add back custom-setup stanza 2017-12-31 16:36:39 -04:00
ReadPresentKey.hs Avoid backtraces on expected failures when built with ghc 8; only use backtraces for unexpected errors. 2016-11-15 21:29:54 -04:00
RecvKey.hs enforce retrievalSecurityPolicy 2018-06-21 13:37:01 -04:00
RegisterUrl.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Reinit.hs .noannex file 2017-12-13 14:34:32 -04:00
Reinject.hs enforce retrievalSecurityPolicy 2018-06-21 13:37:01 -04:00
ReKey.hs enforce retrievalSecurityPolicy 2018-06-21 13:37:01 -04:00
RemoteDaemon.hs remotedaemon: serve tor hidden service 2016-11-20 15:48:12 -04:00
Repair.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
Required.hs started converting to use optparse-applicative 2015-07-08 13:36:25 -04:00
ResolveMerge.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
RmUrl.hs rekey: Added --batch mode. 2016-12-05 12:55:50 -04:00
Schedule.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Semitrust.hs convert all commands to work with optparse-applicative 2015-07-08 15:08:02 -04:00
SendKey.hs AssociatedFile newtype 2017-03-10 13:35:31 -04:00
SetKey.hs enforce retrievalSecurityPolicy 2018-06-21 13:37:01 -04:00
SetPresentKey.hs setpresentkey: Added --batch support (for ronnypfa) 2018-05-27 14:56:14 -04:00
Smudge.hs add KeyVariety type 2017-02-24 15:16:56 -04:00
Status.hs Don't allow entering a view with staged or unstaged changes. 2018-05-14 16:51:06 -04:00
Sync.hs remove use of remoteGitConfig 2018-06-05 13:15:04 -04:00
Test.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
TestRemote.hs enforce retrievalSecurityPolicy 2018-06-21 13:37:01 -04:00
TransferInfo.hs Fix reversion introduced in 6.20171214 that caused concurrent transfers to incorrectly fail with "transfer already in progress". 2018-03-14 18:55:34 -04:00
TransferKey.hs enforce retrievalSecurityPolicy 2018-06-21 13:37:01 -04:00
TransferKeys.hs enforce retrievalSecurityPolicy 2018-06-21 13:37:01 -04:00
Trust.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Unannex.hs add --json-error-messages (not yet implemented) 2018-02-19 14:32:15 -04:00
Undo.hs Avoid backtraces on expected failures when built with ghc 8; only use backtraces for unexpected errors. 2016-11-15 21:29:54 -04:00
Ungroup.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Uninit.hs Avoid repeated checking that files passed on the command line exist. 2017-10-16 14:10:20 -04:00
Unlock.hs avoid compiler warning 2018-03-15 13:21:32 -04:00
Untrust.hs convert all commands to work with optparse-applicative 2015-07-08 15:08:02 -04:00
Unused.hs avoid --all buffering list of all keys 2018-04-26 16:00:20 -04:00
Upgrade.hs .noannex file 2017-12-13 14:34:32 -04:00
VAdd.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
VCycle.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Version.hs avoid unncessary version output differences in different contexts 2018-06-04 12:26:18 -04:00
VFilter.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Vicfg.hs finish fixing inverted Ord for TrustLevel 2018-04-13 15:17:54 -04:00
View.hs Don't allow entering a view with staged or unstaged changes. 2018-05-14 16:51:06 -04:00
VPop.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Wanted.hs showStart variant for when there's no worktree file 2017-11-28 15:14:16 -04:00
Watch.hs remove 163 lines of code without changing anything except imports 2016-01-20 16:36:33 -04:00
WebApp.hs fix webapp opening in termux 2018-04-25 14:38:42 -04:00
Whereis.hs Fix mangling of --json output of utf-8 characters when not running in a utf-8 locale 2018-04-16 16:21:21 -04:00