Merge pull request #154 from DeterminateSystems/graham/fh-440-fh-appl…

…y-cant-turn-off-use-scoped-token Replace --use-scoped-token with --use-scoped-token=always|never
DeterminateSystems · Nov 6, 2024 · 46c2856 · 46c2856
2 parents 4d3de3a + 24532f1
commit 46c2856
Showing 1 changed file with 31 additions and 9 deletions.
diff --git a/src/cli/cmd/apply/mod.rs b/src/cli/cmd/apply/mod.rs
@@ -19,15 +19,35 @@ use self::{home_manager::HomeManager, nix_darwin::NixDarwin, nixos::NixOs};
 
 use super::{CommandExecute, FlakeHubClient};
 
+#[derive(Copy, Clone, PartialEq, Eq, clap::ValueEnum)]
+enum TokenChoice {
+    Always,
+    Never,
+}
+
+impl std::fmt::Display for TokenChoice {
+    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+        write!(
+            f,
+            "{}",
+            match self {
+                TokenChoice::Always => "always",
+                TokenChoice::Never => "never",
+            }
+        )
+    }
+}
+
 /// Apply the configuration at the specified FlakeHub output reference to the current system
 #[derive(Parser)]
 pub(crate) struct ApplySubcommand {
     #[clap(subcommand)]
     system: System,
 
-    /// Use a scoped token generated by FlakeHub that allows substituting the given output _only_.
-    #[clap(long, default_value_t = true)]
-    use_scoped_token: bool,
+    /// By default, fh apply exchanges its API token for a tightly scoped token generated by FlakeHub that _only_ allows substituting the given output.
+    /// Pass --use-scoped-token=never to use the system's FlakeHub token, and not perform exchanging for a tightly scoped token.
+    #[clap(long, default_value_t = TokenChoice::Always)]
+    use_scoped_token: TokenChoice,
 
     #[clap(from_global)]
     api_addr: url::Url,
@@ -85,10 +105,12 @@ impl CommandExecute for ApplySubcommand {
 
         tracing::info!(%output_ref, "Resolving output reference");
 
-        let resolved_path =
-            FlakeHubClient::resolve(self.api_addr.as_ref(), &output_ref, self.use_scoped_token)
-                .await?;
-
+        let resolved_path = FlakeHubClient::resolve(
+            self.api_addr.as_ref(),
+            &output_ref,
+            self.use_scoped_token == TokenChoice::Always,
+        )
+        .await?;
         tracing::debug!(
             "Successfully resolved reference {} to path {}",
             &output_ref,
@@ -99,7 +121,7 @@ impl CommandExecute for ApplySubcommand {
 
         match resolved_path.token {
             Some(token) => {
-                if self.use_scoped_token {
+                if self.use_scoped_token == TokenChoice::Always {
                     let mut nix_args = vec![
                         "copy".to_string(),
                         "--option".to_string(),
@@ -168,7 +190,7 @@ impl CommandExecute for ApplySubcommand {
                 }
             }
             None => {
-                if self.use_scoped_token {
+                if self.use_scoped_token == TokenChoice::Always {
                     return Err(color_eyre::eyre::eyre!(
                         "FlakeHub did not return a restricted token!"
                     ));