in src/main.rs [1349:1501]
fn do_cmd_trust(
out: &Arc<dyn Out>,
cfg: &Config,
sub_args: &TrustArgs,
store: &mut Store,
network: Option<&Network>,
) -> Result<(), miette::Report> {
if let Some(package) = &sub_args.package {
// Fetch publisher information for relevant versions of `package`.
let publishers = store.ensure_publisher_versions(cfg, network, package)?;
let publisher_login = if let Some(login) = &sub_args.publisher_login {
login.clone()
} else if let Some(first) = publishers.first() {
if publishers
.iter()
.all(|publisher| publisher.user_id == first.user_id)
{
first.user_login.clone()
} else {
return Err(miette!(
"The package '{}' has multiple known publishers, \
please explicitly specify which publisher to trust",
package
));
}
} else {
return Err(miette!(
"The package '{}' has no known publishers, so cannot be trusted",
package
));
};
apply_cmd_trust(
out,
cfg,
store,
network,
package,
&publisher_login,
sub_args.start_date,
sub_args.end_date,
&sub_args.criteria,
sub_args.notes.as_ref(),
)
} else if let Some(publisher_login) = &sub_args.all {
// Run the resolver against the store in "suggest" mode to discover the
// set of packages which either fail to audit or need exemptions.
let suggest_store = store.clone_for_suggest(true);
let report =
resolver::resolve(&cfg.metadata, cfg.cli.filter_graph.as_ref(), &suggest_store);
let resolver::Conclusion::FailForVet(fail) = &report.conclusion else {
return Err(miette!(
"No failing or exempted crates, trust --all will do nothing"
));
};
// Enumerate the failed packages to collect the set of packages which
// will be trusted.
let mut failed_criteria = report.criteria_mapper.no_criteria();
let mut trust = Vec::new();
let mut skipped = Vec::new();
for (failure_idx, audit_failure) in &fail.failures {
let package = &report.graph.nodes[*failure_idx];
// Ensure the store has publisher information for this package. This
// is a no-op if called multiple times for the same package.
let publishers = store.ensure_publisher_versions(cfg, network, package.name)?;
let by_user = publishers
.iter()
.filter(|p| &p.user_login == publisher_login)
.count();
if by_user == 0 {
continue; // never published by this user
}
// Record if we're skipping this package due to multiple publishers.
if by_user != publishers.len() && !sub_args.allow_multiple_publishers {
skipped.push(package.name);
} else {
trust.push(package.name);
failed_criteria.unioned_with(&audit_failure.criteria_failures);
}
}
trust.sort();
trust.dedup();
// Delay warning about skipped entries until after `criteria_picker`, as
// that may clear the terminal.
let maybe_warn_skipped = || {
if !skipped.is_empty() {
skipped.sort();
skipped.dedup();
warn!(
"Skipped {} due to multiple publishers",
string_format::FormatShortList::new(skipped)
);
warn!(" Run with --allow-multiple-publishers to also trust these packages");
}
};
if trust.is_empty() {
maybe_warn_skipped();
return Err(miette!(
"No failing or exempted packages published by {publisher_login}"
));
}
let criteria_names = criteria_picker(
out,
&store.audits.criteria,
if sub_args.criteria.is_empty() {
report
.criteria_mapper
.criteria_names(&failed_criteria)
.map(|s| s.to_owned())
.collect()
} else {
sub_args.criteria.clone()
},
if sub_args.criteria.is_empty() {
Some(format!(
"choose trusted criteria for packages published by {publisher_login} ({})",
string_format::FormatShortList::new(trust.clone())
))
} else {
None
}
.as_ref(),
)?;
maybe_warn_skipped();
for package in &trust {
apply_cmd_trust(
out,
cfg,
store,
network,
package,
publisher_login,
sub_args.start_date,
sub_args.end_date,
&criteria_names,
sub_args.notes.as_ref(),
)?;
}
Ok(())
} else {
Err(miette!("Please specify either a package to trust or --all"))
}
}