feat!: add Repository::excludes() and simplify signature of Worktree::excludes().

Further, this change removes the `permission` module without replacement,
and moves `permissions` into `open`.

This corrects an artifact of this crate previously being name `gix-repository` and brings
these types semantically closer to where they are actually used.

Author: Byron

gix/src/config/cache/access.rs

@@ -197,7 +197,7 @@ impl Cache {
         &self,
         git_dir: &std::path::Path,
         source: gix_worktree::cache::state::attributes::Source,
-        attributes: crate::permissions::Attributes,
+        attributes: crate::open::permissions::Attributes,
     ) -> Result<gix_worktree::cache::state::Attributes, config::attribute_stack::Error> {
         let configured_or_user_attributes = match self
             .trusted_file_path("core", None, Core::ATTRIBUTES_FILE.name)

gix/src/config/cache/init.rs

@@ -12,7 +12,7 @@ use crate::{
         tree::{gitoxide, Core, Http},
         Cache,
     },
-    repository,
+    open,
 };
 
 /// Initialization
@@ -32,24 +32,24 @@ impl Cache {
         filter_config_section: fn(&gix_config::file::Metadata) -> bool,
         git_install_dir: Option<&std::path::Path>,
         home: Option<&std::path::Path>,
-        environment @ repository::permissions::Environment {
+        environment @ open::permissions::Environment {
             git_prefix,
             ssh_prefix: _,
             xdg_config_home: _,
             home: _,
             http_transport,
             identity,
             objects,
-        }: repository::permissions::Environment,
-        attributes: repository::permissions::Attributes,
-        repository::permissions::Config {
+        }: open::permissions::Environment,
+        attributes: open::permissions::Attributes,
+        open::permissions::Config {
             git_binary: use_installation,
             system: use_system,
             git: use_git,
             user: use_user,
             env: use_env,
             includes: use_includes,
-        }: repository::permissions::Config,
+        }: open::permissions::Config,
         lenient_config: bool,
         api_config_overrides: &[BString],
         cli_config_overrides: &[BString],
@@ -233,12 +233,12 @@ impl Cache {
     }
 
     pub(crate) fn make_source_env(
-        crate::permissions::Environment {
+        crate::open::permissions::Environment {
             xdg_config_home,
             git_prefix,
             home,
             ..
-        }: crate::permissions::Environment,
+        }: open::permissions::Environment,
     ) -> impl FnMut(&str) -> Option<OsString> {
         move |name| {
             match name {

gix/src/config/mod.rs

@@ -462,7 +462,7 @@ pub(crate) struct Cache {
     /// If true, we should default what's possible if something is misconfigured, on case by case basis, to be more resilient.
     /// Also available in options! Keep in sync!
     pub lenient_config: bool,
-    attributes: crate::permissions::Attributes,
-    environment: crate::permissions::Environment,
+    attributes: crate::open::permissions::Attributes,
+    environment: crate::open::permissions::Environment,
     // TODO: make core.precomposeUnicode available as well.
 }

gix/src/lib.rs

@@ -127,7 +127,7 @@ pub mod head;
 pub mod id;
 pub mod object;
 pub mod reference;
-mod repository;
+pub mod repository;
 pub mod tag;
 
 ///
@@ -223,13 +223,6 @@ pub fn open_opts(directory: impl Into<std::path::PathBuf>, options: open::Option
     ThreadSafeRepository::open_opts(directory, options).map(Into::into)
 }
 
-///
-pub mod permission;
-
-///
-pub mod permissions;
-pub use repository::permissions::Permissions;
-
 ///
 pub mod create;
 

gix/src/open/mod.rs

@@ -1,6 +1,17 @@
 use std::path::PathBuf;
 
-use crate::{bstr::BString, config, permission, Permissions};
+use crate::{bstr::BString, config};
+
+/// Permissions associated with various resources of a git repository
+#[derive(Debug, Clone)]
+pub struct Permissions {
+    /// Control which environment variables may be accessed.
+    pub env: permissions::Environment,
+    /// Permissions related where git configuration should be loaded from.
+    pub config: permissions::Config,
+    /// Permissions related to where `gitattributes` should be loaded from.
+    pub attributes: permissions::Attributes,
+}
 
 /// The options used in [`ThreadSafeRepository::open_opts()`][crate::ThreadSafeRepository::open_opts()].
 ///
@@ -44,11 +55,11 @@ pub enum Error {
     #[error("The git directory at '{}' is considered unsafe as it's not owned by the current user.", .path.display())]
     UnsafeGitDir { path: PathBuf },
     #[error(transparent)]
-    EnvironmentAccessDenied(#[from] permission::env_var::resource::Error),
+    EnvironmentAccessDenied(#[from] gix_sec::permission::Error<std::path::PathBuf>),
 }
 
 mod options;
-
+pub mod permissions;
 mod repository;
 
 #[cfg(test)]

gix/src/open/options.rs

@@ -1,7 +1,7 @@
 use std::path::PathBuf;
 
 use super::{Error, Options};
-use crate::{bstr::BString, config, Permissions, ThreadSafeRepository};
+use crate::{bstr::BString, config, open::Permissions, ThreadSafeRepository};
 
 impl Default for Options {
     fn default() -> Self {

gix/src/open/permissions.rs

@@ -0,0 +1,215 @@
+//! Various permissions to define what can be done when operating a [`Repository`][crate::Repository].
+use crate::open::Permissions;
+use gix_sec::Trust;
+
+/// Configure from which sources git configuration may be loaded.
+///
+/// Note that configuration from inside of the repository is always loaded as it's definitely required for correctness.
+#[derive(Copy, Clone, Ord, PartialOrd, PartialEq, Eq, Debug, Hash)]
+pub struct Config {
+    /// The git binary may come with configuration as part of its configuration, and if this is true (default false)
+    /// we will load the configuration of the git binary, if present and not a duplicate of the ones below.
+    ///
+    /// It's disabled by default as it may involve executing the git binary once per execution of the application.
+    pub git_binary: bool,
+    /// Whether to use the system configuration.
+    /// This is defined as `$(prefix)/etc/gitconfig` on unix.
+    pub system: bool,
+    /// Whether to use the git application configuration.
+    ///
+    /// A platform defined location for where a user's git application configuration should be located.
+    /// If `$XDG_CONFIG_HOME` is not set or empty, `$HOME/.config/git/config` will be used
+    /// on unix.
+    pub git: bool,
+    /// Whether to use the user configuration.
+    /// This is usually `~/.gitconfig` on unix.
+    pub user: bool,
+    /// Whether to use the configuration from environment variables.
+    pub env: bool,
+    /// Whether to follow include files are encountered in loaded configuration,
+    /// via `include` and `includeIf` sections.
+    pub includes: bool,
+}
+
+impl Config {
+    /// Allow everything which usually relates to a fully trusted environment
+    pub fn all() -> Self {
+        Config {
+            git_binary: false,
+            system: true,
+            git: true,
+            user: true,
+            env: true,
+            includes: true,
+        }
+    }
+
+    /// Load only configuration local to the git repository.
+    pub fn isolated() -> Self {
+        Config {
+            git_binary: false,
+            system: false,
+            git: false,
+            user: false,
+            env: false,
+            includes: false,
+        }
+    }
+}
+
+impl Default for Config {
+    fn default() -> Self {
+        Self::all()
+    }
+}
+
+/// Configure from which `gitattribute` files may be loaded.
+///
+/// Note that `.gitattribute` files from within the repository are always loaded.
+#[derive(Copy, Clone, Ord, PartialOrd, PartialEq, Eq, Debug, Hash)]
+pub struct Attributes {
+    /// The git binary may come with attribute configuration in its installation directory, and if this is true (default false)
+    /// we will load the configuration of the git binary.
+    ///
+    /// It's disabled by default as it involves executing the git binary once per execution of the application.
+    pub git_binary: bool,
+    /// Whether to use the system configuration.
+    /// This is typically defined as `$(prefix)/etc/gitconfig`.
+    pub system: bool,
+    /// Whether to use the git application configuration.
+    ///
+    /// A platform defined location for where a user's git application configuration should be located.
+    /// If `$XDG_CONFIG_HOME` is not set or empty, `$HOME/.config/git/attributes` will be used
+    /// on unix.
+    pub git: bool,
+}
+
+impl Attributes {
+    /// Allow everything which usually relates to a fully trusted environment
+    pub fn all() -> Self {
+        Attributes {
+            git_binary: false,
+            system: true,
+            git: true,
+        }
+    }
+
+    /// Allow loading attributes that are local to the git repository.
+    pub fn isolated() -> Self {
+        Attributes {
+            git_binary: false,
+            system: false,
+            git: false,
+        }
+    }
+}
+
+impl Default for Attributes {
+    fn default() -> Self {
+        Self::all()
+    }
+}
+
+/// Permissions related to the usage of environment variables
+#[derive(Debug, Clone, Copy)]
+pub struct Environment {
+    /// Control whether resources pointed to by `XDG_CONFIG_HOME` can be used when looking up common configuration values.
+    ///
+    /// Note that [`gix_sec::Permission::Forbid`] will cause the operation to abort if a resource is set via the XDG config environment.
+    pub xdg_config_home: gix_sec::Permission,
+    /// Control the way resources pointed to by the home directory (similar to `xdg_config_home`) may be used.
+    pub home: gix_sec::Permission,
+    /// Control if environment variables to configure the HTTP transport, like `http_proxy` may be used.
+    ///
+    /// Note that http-transport related environment variables prefixed with `GIT_` may also be included here
+    /// if they match this category like `GIT_HTTP_USER_AGENT`.
+    pub http_transport: gix_sec::Permission,
+    /// Control if the `EMAIL` environment variables may be read.
+    ///
+    /// Note that identity related environment variables prefixed with `GIT_` may also be included here
+    /// if they match this category.
+    pub identity: gix_sec::Permission,
+    /// Control if environment variables related to the object database are handled. This includes features and performance
+    /// options alike.
+    pub objects: gix_sec::Permission,
+    /// Control if resources pointed to by `GIT_*` prefixed environment variables can be used, **but only** if they
+    /// are not contained in any other category. This is a catch-all section.
+    pub git_prefix: gix_sec::Permission,
+    /// Control if resources pointed to by `SSH_*` prefixed environment variables can be used (like `SSH_ASKPASS`)
+    pub ssh_prefix: gix_sec::Permission,
+}
+
+impl Environment {
+    /// Allow access to the entire environment.
+    pub fn all() -> Self {
+        let allow = gix_sec::Permission::Allow;
+        Environment {
+            xdg_config_home: allow,
+            home: allow,
+            git_prefix: allow,
+            ssh_prefix: allow,
+            http_transport: allow,
+            identity: allow,
+            objects: allow,
+        }
+    }
+
+    /// Don't allow loading any environment variables.
+    pub fn isolated() -> Self {
+        let deny = gix_sec::Permission::Deny;
+        Environment {
+            xdg_config_home: deny,
+            home: deny,
+            ssh_prefix: deny,
+            git_prefix: deny,
+            http_transport: deny,
+            identity: deny,
+            objects: deny,
+        }
+    }
+}
+
+impl Permissions {
+    /// Secure permissions are similar to `all()`
+    pub fn secure() -> Self {
+        Permissions {
+            env: Environment::all(),
+            config: Config::all(),
+            attributes: Attributes::all(),
+        }
+    }
+
+    /// Everything is allowed with this set of permissions, thus we read all configuration and do what git typically
+    /// does with owned repositories.
+    pub fn all() -> Self {
+        Permissions {
+            env: Environment::all(),
+            config: Config::all(),
+            attributes: Attributes::all(),
+        }
+    }
+
+    /// Don't read any but the local git configuration and deny reading any environment variables.
+    pub fn isolated() -> Self {
+        Permissions {
+            config: Config::isolated(),
+            attributes: Attributes::isolated(),
+            env: Environment::isolated(),
+        }
+    }
+}
+
+impl gix_sec::trust::DefaultForLevel for Permissions {
+    fn default_for_level(level: Trust) -> Self {
+        match level {
+            Trust::Full => Permissions::all(),
+            Trust::Reduced => Permissions::secure(),
+        }
+    }
+}
+
+impl Default for Permissions {
+    fn default() -> Self {
+        Permissions::secure()
+    }
+}

gix/src/open/repository.rs

@@ -10,7 +10,8 @@ use crate::{
         cache::{interpolate_context, util::ApplyLeniency},
         tree::{gitoxide, Core, Key, Safe},
     },
-    permission, Permissions, ThreadSafeRepository,
+    open::Permissions,
+    ThreadSafeRepository,
 };
 
 #[derive(Default, Clone)]
@@ -26,7 +27,7 @@ pub(crate) struct EnvironmentOverrides {
 }
 
 impl EnvironmentOverrides {
-    fn from_env() -> Result<Self, permission::env_var::resource::Error> {
+    fn from_env() -> Result<Self, gix_sec::permission::Error<std::path::PathBuf>> {
         let mut worktree_dir = None;
         if let Some(path) = std::env::var_os(Core::WORKTREE.the_environment_override()) {
             worktree_dir = PathBuf::from(path).into();