aboutsummaryrefslogtreecommitdiff
path: root/src/libexpr/flake/config.cc
diff options
context:
space:
mode:
Diffstat (limited to 'src/libexpr/flake/config.cc')
-rw-r--r--src/libexpr/flake/config.cc54
1 files changed, 35 insertions, 19 deletions
diff --git a/src/libexpr/flake/config.cc b/src/libexpr/flake/config.cc
index b330d96f9..adcf7fd10 100644
--- a/src/libexpr/flake/config.cc
+++ b/src/libexpr/flake/config.cc
@@ -51,30 +51,46 @@ void ConfigFile::apply()
else
assert(false);
- if (!whitelist.count(baseName) && !nix::fetchSettings.acceptFlakeConfig) {
- bool trusted = false;
- auto trustedList = readTrustedList();
- auto tlname = get(trustedList, name);
- if (auto saved = tlname ? get(*tlname, valueS) : nullptr) {
- trusted = *saved;
- printInfo("Using saved setting for '%s = %s' from ~/.local/share/nix/trusted-settings.json.", name, valueS);
- } else {
- // FIXME: filter ANSI escapes, newlines, \r, etc.
- if (std::tolower(logger->ask(fmt("do you want to allow configuration setting '%s' to be set to '" ANSI_RED "%s" ANSI_NORMAL "' (y/N)?", name, valueS)).value_or('n')) == 'y') {
- trusted = true;
- }
- if (std::tolower(logger->ask(fmt("do you want to permanently mark this value as %s (y/N)?", trusted ? "trusted": "untrusted" )).value_or('n')) == 'y') {
- trustedList[name][valueS] = trusted;
- writeTrustedList(trustedList);
+ bool trusted = whitelist.count(baseName);
+ if (!trusted) {
+ switch (nix::fetchSettings.acceptFlakeConfig) {
+ case AcceptFlakeConfig::True: {
+ trusted = true;
+ break;
+ }
+ case AcceptFlakeConfig::Ask: {
+ auto trustedList = readTrustedList();
+ auto tlname = get(trustedList, name);
+ if (auto saved = tlname ? get(*tlname, valueS) : nullptr) {
+ trusted = *saved;
+ printInfo("Using saved setting for '%s = %s' from ~/.local/share/nix/trusted-settings.json.", name, valueS);
+ } else {
+ // FIXME: filter ANSI escapes, newlines, \r, etc.
+ if (std::tolower(logger->ask(fmt("Do you want to allow configuration setting '%s' to be set to '" ANSI_RED "%s" ANSI_NORMAL "' (y/N)? This may allow the flake to gain root, see the nix.conf manual page.", name, valueS)).value_or('n')) == 'y') {
+ trusted = true;
+ } else {
+ warn("you can set '%s' to '%b' to automatically reject configuration options supplied by flakes", "accept-flake-config", false);
+ }
+ if (std::tolower(logger->ask(fmt("do you want to permanently mark this value as %s (y/N)?", trusted ? "trusted": "untrusted" )).value_or('n')) == 'y') {
+ trustedList[name][valueS] = trusted;
+ writeTrustedList(trustedList);
+ }
}
+ break;
}
- if (!trusted) {
- warn("ignoring untrusted flake configuration setting '%s'.\nPass '%s' to trust it", name, "--accept-flake-config");
- continue;
+ case nix::AcceptFlakeConfig::False: {
+ trusted = false;
+ break;
+ };
}
}
- globalConfig.set(name, valueS);
+ if (trusted) {
+ debug("accepting trusted flake configuration setting '%s'", name);
+ globalConfig.set(name, valueS);
+ } else {
+ warn("ignoring untrusted flake configuration setting '%s', pass '%s' to trust it (may allow the flake to gain root, see the nix.conf manual page)", name, "--accept-flake-config");
+ }
}
}