-rw-r--r--Creds.hs51
-rw-r--r--Remote/Helper/Encryptable.hs18
-rw-r--r--debian/changelog3
-rw-r--r--doc/special_remotes/S3.mdwn28
-rw-r--r--doc/special_remotes/bup.mdwn8
-rw-r--r--doc/special_remotes/directory.mdwn12
-rw-r--r--doc/special_remotes/hook.mdwn10
-rw-r--r--doc/special_remotes/rsync.mdwn12
-rw-r--r--doc/special_remotes/webdav.mdwn28
9 files changed, 108 insertions, 62 deletions
diff --git a/Creds.hs b/Creds.hs
index 0c69fc7a5..dbd05e3ef 100644
--- a/Creds.hs
+++ b/Creds.hs
@@ -12,7 +12,7 @@ import Annex.Perms
import Utility.FileMode
import Crypto
import Types.Remote (RemoteConfig, RemoteConfigKey)
-import Remote.Helper.Encryptable (remoteCipher, isTrustedCipher)
+import Remote.Helper.Encryptable (remoteCipher, embedCreds)
import System.Environment
import System.Posix.Env (setEnv)
@@ -31,26 +31,32 @@ data CredPairStorage = CredPairStorage
, credPairRemoteKey :: Maybe RemoteConfigKey
}
-{- Stores creds in a remote's configuration, if the remote is encrypted
- - with a GPG key. Otherwise, caches them locally. -}
+{- Stores creds in a remote's configuration, if the remote allows
+ - that. Otherwise, caches them locally. -}
setRemoteCredPair :: RemoteConfig -> CredPairStorage -> Annex RemoteConfig
setRemoteCredPair c storage = go =<< getRemoteCredPair c storage
where
- go (Just creds) = do
- mcipher <- remoteCipher c
- case (mcipher, credPairRemoteKey storage) of
- (Just cipher, Just key) | isTrustedCipher c -> do
- s <- liftIO $ encrypt cipher
- (feedBytes $ L.pack $ encodeCredPair creds)
- (readBytes $ return . L.unpack)
- return $ M.insert key (toB64 s) c
- _ -> do
- writeCacheCredPair creds storage
- return c
+ go (Just creds)
+ | embedCreds c = case credPairRemoteKey storage of
+ Nothing -> localcache creds
+ Just key -> storeconfig creds key =<< remoteCipher c
+ | otherwise = localcache creds
go Nothing = return c
+ localcache creds = do
+ writeCacheCredPair creds storage
+ return c
+
+ storeconfig creds key (Just cipher) = do
+ s <- liftIO $ encrypt cipher
+ (feedBytes $ L.pack $ encodeCredPair creds)
+ (readBytes $ return . L.unpack)
+ return $ M.insert key (toB64 s) c
+ storeconfig creds key Nothing =
+ return $ M.insert key (toB64 $ encodeCredPair creds) c
+
{- Gets a remote's credpair, from the environment if set, otherwise
- - from the cache in gitAnnexCredsDir, or failing that, from the encrypted
+ - from the cache in gitAnnexCredsDir, or failing that, from the
- value in RemoteConfig. -}
getRemoteCredPair :: RemoteConfig -> CredPairStorage -> Annex (Maybe CredPair)
getRemoteCredPair c storage = maybe fromcache (return . Just) =<< fromenv
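Review bot: The `storeconfig creds key Nothing` equation writes the credentials into the remote config merely base64-encoded, and nothing at that site says so; `toB64` is an encoding, not protection, and per the changelog hunk that config is what gets committed to the repository. A comment there would stop the next reader assuming the cipher-less branch is still encrypted, e.g. `-- No cipher available: presumably embedcreds=yes was set explicitly, so the creds are stored base64-encoded only, not encrypted.` The rewritten header comment ("if the remote allows that") could likewise state where the creds end up in each of the three cases (gpg/shared cipher encrypted in config, plain base64 in config, local cache only) instead of deferring to embedCreds. The where clause runs to the end of this hunk, and getRemoteCredPair, whose signature closes it, continues outside.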
@@ -61,17 +67,20 @@ getRemoteCredPair c storage = maybe fromcache (return . Just) =<< fromenv
Just key -> do
mcipher <- remoteCipher c
case (M.lookup key c, mcipher) of
+ (Nothing, _) -> return Nothing
(Just enccreds, Just cipher) -> do
creds <- liftIO $ decrypt cipher
(feedBytes $ L.pack $ fromB64 enccreds)
(readBytes $ return . L.unpack)
- case decodeCredPair creds of
- Just credpair -> do
- writeCacheCredPair credpair storage
- return $ Just credpair
- _ -> do error $ "bad " ++ key
- _ -> return Nothing
+ fromcreds creds
+ (Just bcreds, Nothing) ->
+ fromcreds $ fromB64 bcreds
Nothing -> return Nothing
+ fromcreds creds = case decodeCredPair creds of
+ Just credpair -> do
+ writeCacheCredPair credpair storage
+ return $ Just credpair
+ _ -> do error $ "bad creds"
{- Gets a CredPair from the environment. -}
getEnvCredPair :: CredPairStorage -> IO (Maybe CredPair)
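Review bot: `fromcreds` reports a decode failure as `error $ "bad creds"`, dropping the config key that the replaced `"bad " ++ key` named, so a corrupt or wrongly-encoded value in the remote config can no longer be traced to its field; the redundant `do` before `error` can go at the same time. Since `fromcreds` is only reached inside the `Just key` branch, threading the key through keeps the old diagnostic: `fromcreds key creds = case decodeCredPair creds of` … `_ -> error $ "bad creds in remote config field " ++ key`, with both call sites becoming `fromcreds key …`. The enclosing getRemoteCredPair begins above this hunk.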
diff --git a/Remote/Helper/Encryptable.hs b/Remote/Helper/Encryptable.hs
index a48ec813a..05aca9a41 100644
--- a/Remote/Helper/Encryptable.hs
+++ b/Remote/Helper/Encryptable.hs
@@ -87,10 +87,20 @@ remoteCipher c = go $ extractCipher c
Annex.changeState (\s -> s { Annex.ciphers = M.insert encipher cipher cache })
return $ Just cipher
-{- Checks if there is a trusted (non-shared) cipher. -}
-isTrustedCipher :: RemoteConfig -> Bool
-isTrustedCipher c =
- isJust (M.lookup "cipherkeys" c) && isJust (M.lookup "cipher" c)
+{- Checks if the remote's config allows storing creds in the remote's config.
+ -
+ - embedcreds=yes allows this, and embedcreds=no prevents it.
+ -
+ - If not set, the default is to only store creds when it's surely safe:
+ - When gpg encryption is used, in which case the creds will be encrypted
+ - using it. Not when a shared cipher is used.
+ -}
+embedCreds :: RemoteConfig -> Bool
+embedCreds c
+ | M.lookup "embedcreds" c == Just "yes" = True
+ | M.lookup "embedcreds" c == Just "no" = False
+ | isJust (M.lookup "cipherkeys" c) && isJust (M.lookup "cipher" c) = True
+ | otherwise = False
{- Gets encryption Cipher, and encrypted version of Key. -}
cipherKey :: Maybe RemoteConfig -> Key -> Annex (Maybe (Cipher, Key))
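Review bot: `embedCreds` recognises only the exact strings "yes" and "no"; any other spelling of the option (constructed example: `embedcreds=No` or `embedcreds=true`) silently falls through to the default, which under gpg encryption means the credentials are embedded in the committed config against the user's apparent intent. A pure `Bool` cannot report that, so the value should be validated where initremote accepts the option, and the fall-through deserves a comment here so nobody later treats it as deliberate. The two repeated lookups also read more clearly as a single `case`, as below.
```haskell
embedCreds :: RemoteConfig -> Bool
embedCreds c = case M.lookup "embedcreds" c of
	Just "yes" -> True
	Just "no" -> False
	-- Any other value (including misspellings) gets the default below;
	-- initremote should reject such values rather than rely on this.
	_ -> isJust (M.lookup "cipherkeys" c) && isJust (M.lookup "cipher" c)
```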
diff --git a/debian/changelog b/debian/changelog
index c9488014e..ba8556767 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,9 @@ git-annex (3.20121113) UNRELEASED; urgency=low
* directory special remote: Made more efficient and robust.
* Bugfix: directory special remote could loop forever storing a key
when a too small chunksize was configured.
+ * Allow controlling whether login credentials for S3 and webdav are
+ committed to the repository, by setting embedcreds=yes|no when running
+ initremote.
-- Joey Hess <joeyh@debian.org> Tue, 13 Nov 2012 13:17:07 -0400
diff --git a/doc/special_remotes/S3.mdwn b/doc/special_remotes/S3.mdwn
index 79a8e584a..5a7ecc25b 100644
--- a/doc/special_remotes/S3.mdwn
+++ b/doc/special_remotes/S3.mdwn
@@ -8,21 +8,29 @@ See [[tips/using_Amazon_S3]] and
The standard environment variables `AWS_ACCESS_KEY_ID` and
`AWS_SECRET_ACCESS_KEY` are used to supply login credentials
-for Amazon. When encryption is enabled, they are stored in encrypted form
-by `git annex initremote`. Without encryption, they are stored in a
-file only you can read inside the local git repository. So you do not
-need to keep the environment variables set after the initial
-initalization of the remote.
+for Amazon. You need to set these only when running
+`git annex initremote`, as they will be cached in a file only you
+can read inside the local git repository.
A number of parameters can be passed to `git annex initremote` to configure
the S3 remote.
-* `encryption` - Required. Either "none" to disable encryption
- (not recommended),
+* `encryption` - Required. Either "none" to disable encryption (not recommended),
or a value that can be looked up (using gpg -k) to find a gpg encryption
- key that will be given access to the remote. Note that additional gpg
- keys can be given access to a remote by rerunning initremote with
- the new key id. See [[encryption]].
+ key that will be given access to the remote, or "shared" which allows
+ every clone of the repository to access the encrypted data (use with caution).
+
+ Note that additional gpg keys can be given access to a remote by
+ rerunning initremote with the new key id. See [[encryption]].
+
+* `embedcreds` - Optional. Set to "yes" embed the login credentials inside
+ the git repository, which allows other clones to also access them. This is
+ the default when gpg encryption is enabled; the credentials are stored
+ encrypted and only those with the repository's keys can access them.
+
+ It is not the default when using shared encryption, or no encryption.
+ Think carefully about who can access your repository before using
+ embedcreds without gpg encryption.
* `datacenter` - Defaults to "US". Other values include "EU",
"us-west-1", and "ap-southeast-1".
diff --git a/doc/special_remotes/bup.mdwn b/doc/special_remotes/bup.mdwn
index e59ff240d..519b5607f 100644
--- a/doc/special_remotes/bup.mdwn
+++ b/doc/special_remotes/bup.mdwn
@@ -22,9 +22,11 @@ These parameters can be passed to `git annex initremote` to configure bup:
* `encryption` - Required. Either "none" to disable encryption of content
stored in bup (ssh will still be used to transport it securely),
or a value that can be looked up (using gpg -k) to find a gpg encryption
- key that will be given access to the remote. Note that additional gpg
- keys can be given access to a remote by rerunning initremote with
- the new key id. See [[encryption]].
+ key that will be given access to the remote, or "shared" which allows
+ every clone of the repository to access the encrypted data (use with caution).
+
+ Note that additional gpg keys can be given access to a remote by
+ rerunning initremote with the new key id. See [[encryption]].
* `buprepo` - Required. This is passed to `bup` as the `--remote`
to use to store data. To create the repository,`bup init` will be run.
diff --git a/doc/special_remotes/directory.mdwn b/doc/special_remotes/directory.mdwn
index 7194e0d8e..7fdfdfca0 100644
--- a/doc/special_remotes/directory.mdwn
+++ b/doc/special_remotes/directory.mdwn
@@ -10,12 +10,14 @@ the drive's mountpoint as a directory remote.
These parameters can be passed to `git annex initremote` to configure the
remote:
-* `encryption` - Required. Either "none" to disable encryption of content
- stored in the directory,
+* `encryption` - Required. Either "none" to disable encryption,
or a value that can be looked up (using gpg -k) to find a gpg encryption
- key that will be given access to the remote. Note that additional gpg
- keys can be given access to a remote by rerunning initremote with
- the new key id. See [[encryption]].
+ key that will be given access to the remote, or "shared" which allows
+ every clone of the repository to decrypt the encrypted data.
+
+ Note that additional gpg keys can be given access to a remote by
+ rerunning initremote with the new key id. See [[encryption]].
+
* `chunksize` - Avoid storing files larger than the specified size in the
directory. For use on directories on mount points that have file size
limitations. The default is to never chunk files.
diff --git a/doc/special_remotes/hook.mdwn b/doc/special_remotes/hook.mdwn
index 9a7dbf7a1..6867edb8f 100644
--- a/doc/special_remotes/hook.mdwn
+++ b/doc/special_remotes/hook.mdwn
@@ -25,11 +25,13 @@ Can you spot the potential data loss bugs in the above simple example?
These parameters can be passed to `git annex initremote`:
-* `encryption` - Required. Either "none" to disable encryption of content,
+* `encryption` - Required. Either "none" to disable encryption,
or a value that can be looked up (using gpg -k) to find a gpg encryption
- key that will be given access to the remote. Note that additional gpg
- keys can be given access to a remote by rerunning initremote with
- the new key id. See [[encryption]].
+ key that will be given access to the remote, or "shared" which allows
+ every clone of the repository to access the encrypted data.
+
+ Note that additional gpg keys can be given access to a remote by
+ rerunning initremote with the new key id. See [[encryption]].
* `hooktype` - Required. This specifies a collection of hooks to use for
this remote.
diff --git a/doc/special_remotes/rsync.mdwn b/doc/special_remotes/rsync.mdwn
index 273469258..f98c80a83 100644
--- a/doc/special_remotes/rsync.mdwn
+++ b/doc/special_remotes/rsync.mdwn
@@ -15,11 +15,13 @@ Or for using rsync over SSH
These parameters can be passed to `git annex initremote` to configure rsync:
* `encryption` - Required. Either "none" to disable encryption of content
- stored in rsync,
- or a value that can be looked up (using `gpg -k`) to find a gpg encryption
- key that will be given access to the remote. Note that additional gpg
- keys can be given access to a remote by rerunning initremote with
- the new key id. See [[encryption]].
+ stored on the remote rsync server,
+ or a value that can be looked up (using gpg -k) to find a gpg encryption
+ key that will be given access to the remote, or "shared" which allows
+ every clone of the repository to decrypt the encrypted data.
+
+ Note that additional gpg keys can be given access to a remote by
+ rerunning initremote with the new key id. See [[encryption]].
* `rsyncurl` - Required. This is the url or `hostname:/directory` to
pass to rsync to tell it where to store content.
diff --git a/doc/special_remotes/webdav.mdwn b/doc/special_remotes/webdav.mdwn
index 8421dd5f4..570b6f949 100644
--- a/doc/special_remotes/webdav.mdwn
+++ b/doc/special_remotes/webdav.mdwn
@@ -3,21 +3,29 @@ This special remote type stores file contents in a WebDAV server.
## configuration
The environment variables `WEBDAV_USERNAME` and `WEBDAV_PASSWORD` are used
-to supply login credentials. When encryption is enabled, they are stored in
-encrypted form by `git annex initremote`. Without encryption, they are
-stored in a file only you can read inside the local git repository. So you
-do not need to keep the environment variables set after the initial
-initalization of the remote.
+to supply login credentials. You need to set these only when running
+`git annex initremote`, as they will be cached in a file only you
+can read inside the local git repository.
A number of parameters can be passed to `git annex initremote` to configure
the webdav remote.
-* `encryption` - Required. Either "none" to disable encryption
- (not recommended),
+* `encryption` - Required. Either "none" to disable encryption (not recommended),
or a value that can be looked up (using gpg -k) to find a gpg encryption
- key that will be given access to the remote. Note that additional gpg
- keys can be given access to a remote by rerunning initremote with
- the new key id. See [[encryption]].
+ key that will be given access to the remote, or "shared" which allows
+ every clone of the repository to access the encrypted data (use with caution).
+
+ Note that additional gpg keys can be given access to a remote by
+ rerunning initremote with the new key id. See [[encryption]].
+
+* `embedcreds` - Optional. Set to "yes" embed the login credentials inside
+ the git repository, which allows other clones to also access them. This is
+ the default when gpg encryption is enabled; the credentials are stored
+ encrypted and only those with the repository's keys can access them.
+
+ It is not the default when using shared encryption, or no encryption.
+ Think carefully about who can access your repository before using
+ embedcreds without gpg encryption.
* `url` - Required. The URL to the WebDAV directory where files will be
stored. This can be a subdirectory of a larger WebDAV repository, and will