Skip to content
Snippets Groups Projects

Move environment-variable checking into fs-mistrust

Merged Move environment-variable checking into fs-mistrust
nickm/arti:mistrust-envvar into main
Merged Nick Mathewson requested to merge nickm/arti:mistrust-envvar into main

With this set of changes, we no longer need so much special-case logic in arti-client and arti to override the fs-mistrust in the configuration: instead we can just have the right value wind up in the configuration.

Closes #483 (closed).

Edited by Nick Mathewson

Merge request reports

Approval is optional

Merged by Nick MathewsonNick Mathewson 2 years ago (Jul 19, 2022 8:46pm UTC)

Merge details

  • Changes merged into main with 414939bf.
  • Deleted the source branch.

  • Closed #483 (closed)

  • Auto-merge enabled

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
  • Ian Jackson
  • Ian Jackson
    Ian Jackson @Diziet started a thread on an outdated change in commit a60cf1b0
    • crates/fs-mistrust/src/disable.rs 0 → 100644
    35 /// assuming that if you set a disable variable, you meant to disable.)
    36 ///
    37 /// Absent environment vars are treated as None.
    38 #[allow(clippy::match_like_matches_macro)]
    39 fn from_env_var_value(input: std::result::Result<String, VarError>) -> Option<bool> {
    40 let mut s = match input {
    41 Ok(s) => s,
    42 Err(VarError::NotPresent) => return None,
    43 Err(VarError::NotUnicode(_)) => return Some(true),
    44 };
    45
    46 s.make_ascii_lowercase();
    47 Some(match s.as_ref() {
    48 "0" | "no" | "never" | "false" | "" => false,
    49 _ => true,
    50 })
    • Comment on lines +48 to +50
      Ian Jackson
      Ian Jackson @Diziet ·
      Maintainer

      I have often seen code that interprets env var strings as booleans, which looks only at the first character. I think that's idiomatic on Unix but I don't know what you think of it.

      And, I'm inclined to suggest treating "" as unset (fall back to other var etc.) rather than "don't disable".

    • Nick Mathewson changed this line in version 2 of the diff

      changed this line in version 2 of the diff

    • Nick Mathewson
      Nick Mathewson @nickm ·
      Author Owner

      I don't really care for the "any prefix counts" approach; but I'm fine with """ is unset". Making that change in cd65414c

    • Ian Jackson
      Ian Jackson @Diziet ·
      Maintainer

      I think, given that this function is infallible, prefix matching is better than being picky. Eg, currently this function treats n as "true", which is quite perverse.

    • Please register or sign in to reply
  • Ian Jackson
    Ian Jackson @Diziet started a thread on an outdated change in commit a60cf1b0
    • crates/fs-mistrust/src/disable.rs 0 → 100644
    41 Ok(s) => s,
    42 Err(VarError::NotPresent) => return None,
    43 Err(VarError::NotUnicode(_)) => return Some(true),
    44 };
    45
    46 s.make_ascii_lowercase();
    47 Some(match s.as_ref() {
    48 "0" | "no" | "never" | "false" | "" => false,
    49 _ => true,
    50 })
    51 }
    52
    53 impl Disable {
    54 /// Return true if, based on this [`Disable`] setting, and on the
    55 /// environment, we should disable permissions checking.
    56 pub(crate) fn should_disable_checks(&self) -> bool {
    • Ian Jackson
      Ian Jackson @Diziet ·
      Maintainer

      quoting commit message for 35061ef7 "Arti: Use synthetic argument to implement --disable-fs-permission-checks"

      With this design, --disable-fs-permission-checks is now just an alias for --option storage.permissions.dangerously_trust_everyone=true

      I don't think this is true. If it were, it wouldn't be effective at allowing configuration to be read from fs-mistrust-disliked places.

    • Nick Mathewson
      Nick Mathewson @nickm ·
      Author Owner

      Adding note in f7a75944; will fix when I squash.

    • Please register or sign in to reply
  • Ian Jackson
    Ian Jackson @Diziet ·
    Maintainer

    Hi. Thanks for this. It looks like a considerable improvement to me!

    I have a few comments now. But, it's late and warm and I don't feel I have properly read all the code. In the interests of getting you feedback sooner, I'm going to "submit review" now, but I will have another go over this tomorrow to look at the code in more detail to see if I spot any omissions etc.

  • Ian Jackson
    Ian Jackson @Diziet started a thread on an outdated change in commit a60cf1b0
    • crates/fs-mistrust/src/disable.rs 0 → 100644
    60 .unwrap_or(false),
    61 Disable::OnGlobalEnvVar => {
    62 from_env_var_value(env::var(GLOBAL_DISABLE_VAR)).unwrap_or(false)
    63 }
    64 Disable::Never => false,
    65 }
    66 }
    67 }
    68
    69 #[cfg(test)]
    70 mod test {
    71 use super::*;
    72 #[test]
    73 fn from_val() {
    74 assert_eq!(from_env_var_value(Ok("yes".into())), Some(true));
    75 assert_eq!(from_env_var_value(Ok("no".into())), Some(false));
    • Comment on lines +74 to +75
      Ian Jackson
      Ian Jackson @Diziet ·
      Maintainer
      Suggested change
      74 assert_eq!(from_env_var_value(Ok("yes".into())), Some(true));
      75 assert_eq!(from_env_var_value(Ok("no".into())), Some(false));
      74 assert_eq!(from_env_var_value(Ok("yes".into())), Some(true));
      75 assert_eq!(from_env_var_value(Ok("y".into())), Some(true));
      76 assert_eq!(from_env_var_value(Ok("1".into())), Some(true));
      77 assert_eq!(from_env_var_value(Ok("no".into())), Some(false));
      78 assert_eq!(from_env_var_value(Ok("n".into())), Some(false));
      79 assert_eq!(from_env_var_value(Ok("0".into())), Some(false));
    • Nick Mathewson changed this line in version 2 of the diff

      changed this line in version 2 of the diff

    • Please register or sign in to reply
  • Ian Jackson
  • Ian Jackson
  • Ian Jackson
  • Ian Jackson
  • Ian Jackson
    Ian Jackson @Diziet started a thread on the diff
    • crates/arti/src/lib.rs
    404 400 let matches = clap_app.get_matches();
    405 401
    406 let fs_mistrust_disabled = fs_permissions_checks_disabled_via_env()
    407 | matches.is_present("disable-fs-permission-checks");
    402 let fs_mistrust_disabled = matches.is_present("disable-fs-permission-checks");
    408 403
    409 404 // A Mistrust object to use for loading our configuration. Elsewhere, we
    410 405 // use the value _from_ the configuration.
    411 406 let cfg_mistrust = if fs_mistrust_disabled {
    412 407 fs_mistrust::Mistrust::new_dangerously_trust_everyone()
    413 408 } else {
    414 fs_mistrust::Mistrust::new()
    409 fs_mistrust::MistrustBuilder::default()
    410 .controlled_by_env_var(arti_client::config::FS_PERMISSIONS_CHECKS_DISABLE_VAR)
    411 .build()
    412 .expect("Could not construct default fs-mistrust")
    • Comment on lines +409 to +412
      Ian Jackson
      Ian Jackson @Diziet ·
      Maintainer

      This recapitulation of the mistrust construction bothered me somewhat. I'm not sure, but I wonder if it woudl be better to move building of cfg_sources and the associated manipulation of the mistrust, into arti-client. The function in arti-client would take fs_mistrust_disabled. It would have to be generic over the relevant traits from tor_config::load.

      What do you think ?

      In any case, this would be a followup to this MR. But we might want to do it before the next release to avoid API churn.

    • Nick Mathewson
      Nick Mathewson @nickm ·
      Author Owner

      IMO this would be fine to do later on. I don't think it would necessarily break existing APIs: it would just be a new way to construct the configuration sources, right?

      (Also I have no compunctions about API churn before 1.0.)

    • Ian Jackson
      Ian Jackson @Diziet ·
      Maintainer

      I think it would be an api break for the arti library crate which we don't care about at all. Filed it as #524. Assigned it to me but feel free to pick it up...

    • Please register or sign in to reply
  • Ian Jackson
    Ian Jackson @Diziet ·
    Maintainer

    I've reread this properly this morning and I like it even better today. Nice work. I had a few further observations.

  • Nick Mathewson added 6 commits

    added 6 commits

    • bab38a77 - fixup! fs-mistrust: API to disable based on environment
    • cd65414c - fixup! fs-mistrust: API to disable based on environment
    • 878570be - fixup! fs-mistrust: API to disable based on environment
    • f7a75944 - squash! Arti: Use synthetic argument to implement --disable-fs-permission-checks
    • a0de9c39 - fixup! fs-mistrust: API to disable based on environment
    • b6a457c6 - fixup! fs-mistrust: API to disable based on environment

    Compare with previous version

    Toggle commit list
  • Nick Mathewson marked this merge request as draft from nickm/arti@bab38a77

    marked this merge request as draft from nickm/arti@bab38a77

  • Nick Mathewson added 1 commit

    added 1 commit

    Compare with previous version

  • Nick Mathewson added 5 commits

    added 5 commits

    • a4db21a9 - fs-mistrust: API to disable based on environment
    • af3f6846 - Move responsibility for disable-fs-mistrust envvar.
    • 65c11f59 - Arti: Use synthetic argument to implement --disable-fs-permission-checks
    • 71cb4548 - arti-client: Remove code related to overriding fs-mistrust.
    • c9aa3aec - Semver tweaks from review.

    Compare with previous version

    Toggle commit list
  • Nick Mathewson marked this merge request as ready

    marked this merge request as ready

  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
  • Loading
    • Please register or sign in to reply