Record trusted/untrusted settings in ~/.local/share/nix

2020-11-26 13:11:07 +01:00 · 2020-11-26 13:11:07 +01:00 · 9a586e34ac
parent 0287f83057
commit 9a586e34ac
1 changed files with 45 additions and 2 deletions
--- a/src/libexpr/flake/flake.cc
+++ b/src/libexpr/flake/flake.cc
@ -6,6 +6,8 @@
 #include "fetchers.hh"
 #include "finally.hh"

+#include <nlohmann/json.hpp>
+
 namespace nix {

 using namespace flake;
@ -635,6 +637,27 @@ Fingerprint LockedFlake::getFingerprint() const

 Flake::~Flake() { }

+// setting name -> setting value -> allow or ignore.
+typedef std::map<std::string, std::map<std::string, bool>> TrustedList;
+
+Path trustedListPath()
+{
+    return getDataDir() + "/nix/trusted-settings.json";
+}
+
+static TrustedList readTrustedList()
+{
+    auto path = trustedListPath();
+    if (!pathExists(path)) return {};
+    auto json = nlohmann::json::parse(readFile(path));
+    return json;
+}
+
+static void writeTrustedList(const TrustedList & trustedList)
+{
+    writeFile(trustedListPath(), nlohmann::json(trustedList).dump());
+}
+
 void ConfigFile::apply()
 {
    std::set<std::string> whitelist{"bash-prompt", "bash-prompt-suffix"};
@ -657,8 +680,28 @@ void ConfigFile::apply()
            assert(false);

        if (!whitelist.count(baseName)) {
-            // FIXME: filter ANSI escapes, newlines, \r, etc.
-            if (std::tolower(logger->ask(fmt("do you want to allow configuration setting '%s' to be set to '%s' (y/N)?", name, valueS)).value_or('n')) != 'y') {
+            auto trustedList = readTrustedList();
+
+            bool trusted = false;
+
+            if (auto saved = get(get(trustedList, name).value_or(std::map<std::string, bool>()), valueS)) {
+                trusted = *saved;
+            } else {
+                // FIXME: filter ANSI escapes, newlines, \r, etc.
+                if (std::tolower(logger->ask(fmt("do you want to allow configuration setting '%s' to be set to '" ANSI_RED "%s" ANSI_NORMAL "' (y/N)?", name, valueS)).value_or('n')) != 'y') {
+                    if (std::tolower(logger->ask("do you want to permanently mark this value as untrusted (y/N)?").value_or('n')) == 'y') {
+                        trustedList[name][valueS] = false;
+                        writeTrustedList(trustedList);
+                    }
+                } else {
+                    if (std::tolower(logger->ask("do you want to permanently mark this value as trusted (y/N)?").value_or('n')) == 'y') {
+                        trustedList[name][valueS] = trusted = true;
+                        writeTrustedList(trustedList);
+                    }
+                }
+            }
+
+            if (!trusted) {
                warn("ignoring untrusted flake configuration setting '%s'", name);
                continue;
            }