A user might expect onlyencryptcreds=yes to do some useful encryption of
the creds despite using encryption=shared. Prevent them from thinking
they have somehow secured the creds in their repository in that case.
Also reject onlyencryptcreds=yes encryption=none in case the user
somehow thinks there is creds-only encryption going on in that case.

Sponsored-by: Graham Spencer

encryptionSetup :: SetupStage -> RemoteConfig -> RemoteGitConfig -> Annex (RemoteConfig, EncryptionIsSetup)
encryptionSetup setupstage c gc = do
pc <- either giveup return $ parseEncryptionConfig c
+ when (onlyEncryptCreds pc && encryption == Right SharedEncryption) $
+ giveup "There is no security benefit to using onlyencryptcreds=yes with encryption=shared"
+ when (onlyEncryptCreds pc && encryption == Right NoneEncryption) $
+ giveup "There is no security benefit to using onlyencryptcreds=yes with encryption=none"
checkallowedchange pc
gpgcmd <- gpgCmd <$> Annex.getGitConfig
maybe (genCipher pc gpgcmd) (updateCipher pc gpgcmd) (extractCipher pc)
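Review bot: the two added `when (onlyEncryptCreds pc && ...)` guards sit ahead of `checkallowedchange pc` and never consult `setupstage`, so they apply on every call of `encryptionSetup`, not only when a remote is first created. A remote that already carries onlyencryptcreds=yes together with encryption=shared or encryption=none would now stop at `giveup` on any later pass through this function. If that is intended, the message should say which setting to change (drop onlyencryptcreds, or pick a different encryption scheme); if not, gate the checks on the setup stage. Separately, `encryption` is not bound in the lines shown, so the comparison relies on a definition outside this hunk and on an `Eq` instance for its type. A single guard covering both `Right SharedEncryption` and `Right NoneEncryption`, with the scheme name substituted into one message, would remove the duplicated branch.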