use std::path::PathBuf; use super::{Error, Options}; use crate::{bstr::BString, config, open::Permissions, ThreadSafeRepository}; impl Default for Options { fn default() -> Self { Options { object_store_slots: Default::default(), permissions: Default::default(), git_dir_trust: None, filter_config_section: None, lossy_config: None, lenient_config: true, bail_if_untrusted: false, open_path_as_is: false, api_config_overrides: Vec::new(), cli_config_overrides: Vec::new(), current_dir: None, } } } /// Instantiation impl Options { /// Options configured to prevent accessing anything else than the repository configuration file, prohibiting /// accessing the environment or spreading beyond the git repository location. pub fn isolated() -> Self { Options::default().permissions(Permissions::isolated()) } } /// Generic modification impl Options { /// An adapter to allow calling any builder method on this instance despite only having a mutable reference. pub fn modify(&mut self, f: impl FnOnce(Self) -> Self) { *self = f(std::mem::take(self)); } } /// Builder methods impl Options { /// Apply the given configuration `values` like `init.defaultBranch=special` or `core.bool-implicit-true` in memory to as early /// as the configuration is initialized to allow affecting the repository instantiation phase, both on disk or when opening. /// The configuration is marked with [source API][gix_config::Source::Api]. pub fn config_overrides(mut self, values: impl IntoIterator>) -> Self { self.api_config_overrides = values.into_iter().map(Into::into).collect(); self } /// Set configuration values of the form `core.abbrev=5` or `remote.origin.url = foo` or `core.bool-implicit-true` for application /// as CLI overrides to the repository configuration, marked with [source CLI][gix_config::Source::Cli]. /// These are equivalent to CLI overrides passed with `-c` in `git`, for example. pub fn cli_overrides(mut self, values: impl IntoIterator>) -> Self { self.cli_config_overrides = values.into_iter().map(Into::into).collect(); self } /// Set the amount of slots to use for the object database. It's a value that doesn't need changes on the client, typically, /// but should be controlled on the server. pub fn object_store_slots(mut self, slots: gix_odb::store::init::Slots) -> Self { self.object_store_slots = slots; self } // TODO: tests /// Set the given permissions, which are typically derived by a `Trust` level. pub fn permissions(mut self, permissions: Permissions) -> Self { self.permissions = permissions; self } /// If `true`, default `false`, we will not modify the incoming path to open to assure it is a `.git` directory. /// /// If `false`, we will try to open the input directory as is, even though it doesn't appear to be a `git` repository /// due to the lack of `.git` suffix or because its basename is not `.git` as in `worktree/.git`. pub fn open_path_as_is(mut self, enable: bool) -> Self { self.open_path_as_is = enable; self } /// Set the trust level of the `.git` directory we are about to open. /// /// This can be set manually to force trust even though otherwise it might /// not be fully trusted, leading to limitations in how configuration files /// are interpreted. /// /// If not called explicitly, it will be determined by looking at its /// ownership via [`gix_sec::Trust::from_path_ownership()`]. /// /// # Security Warning /// /// Use with extreme care and only if it's absolutely known that the repository /// is always controlled by the desired user. Using this capability _only_ saves /// a permission check and only so if the [`open()`][Self::open()] method is used, /// as opposed to discovery. pub fn with(mut self, trust: gix_sec::Trust) -> Self { self.git_dir_trust = trust.into(); self } /// If true, default false, and if the repository's trust level is not `Full` /// (see [`with()`][Self::with()] for more), then the open operation will fail. /// /// Use this to mimic `git`s way of handling untrusted repositories. Note that `gitoxide` solves /// this by not using configuration from untrusted sources and by generally being secured against /// doctored input files which at worst could cause out-of-memory at the time of writing. pub fn bail_if_untrusted(mut self, toggle: bool) -> Self { self.bail_if_untrusted = toggle; self } /// Set the filter which determines if a configuration section can be used to read values from, /// hence it returns true if it is eligible. /// /// The default filter selects sections whose trust level is [`full`][gix_sec::Trust::Full] or /// whose source is not [`repository-local`][gix_config::source::Kind::Repository]. pub fn filter_config_section(mut self, filter: fn(&gix_config::file::Metadata) -> bool) -> Self { self.filter_config_section = Some(filter); self } /// By default, in release mode configuration will be read without retaining non-essential information like /// comments or whitespace to optimize lookup performance. /// /// Some application might want to toggle this to false in they want to display or edit configuration losslessly /// with all whitespace and comments included. pub fn lossy_config(mut self, toggle: bool) -> Self { self.lossy_config = toggle.into(); self } /// If set, default is false, invalid configuration values will cause an error even if these can safely be defaulted. /// /// This is recommended for all applications that prefer correctness over usability. /// `git` itself defaults to strict configuration mode, flagging incorrect configuration immediately. /// /// Failure to read configuration files due to IO errors will also be a hard error if this mode is enabled, otherwise /// these errors will merely be logged. pub fn strict_config(mut self, toggle: bool) -> Self { self.lenient_config = !toggle; self } /// Open a repository at `path` with the options set so far. #[allow(clippy::result_large_err)] pub fn open(self, path: impl Into) -> Result { ThreadSafeRepository::open_opts(path, self) } } impl Options { pub(crate) fn current_dir_or_empty(&self) -> &std::path::Path { self.current_dir.as_deref().unwrap_or(std::path::Path::new("")) } } impl gix_sec::trust::DefaultForLevel for Options { fn default_for_level(level: gix_sec::Trust) -> Self { match level { gix_sec::Trust::Full => Options { object_store_slots: Default::default(), permissions: Permissions::default_for_level(level), git_dir_trust: gix_sec::Trust::Full.into(), filter_config_section: Some(config::section::is_trusted), lossy_config: None, bail_if_untrusted: false, lenient_config: true, open_path_as_is: false, api_config_overrides: Vec::new(), cli_config_overrides: Vec::new(), current_dir: None, }, gix_sec::Trust::Reduced => Options { object_store_slots: gix_odb::store::init::Slots::Given(32), // limit resource usage permissions: Permissions::default_for_level(level), git_dir_trust: gix_sec::Trust::Reduced.into(), filter_config_section: Some(config::section::is_trusted), bail_if_untrusted: false, lenient_config: true, open_path_as_is: false, lossy_config: None, api_config_overrides: Vec::new(), cli_config_overrides: Vec::new(), current_dir: None, }, } } }