Add --save-token option

Author: smoelius

Cargo.toml

@@ -31,7 +31,7 @@ walkdir = "2.5"
 
 [target.'cfg(unix)'.dependencies]
 libc = { version = "0.2", optional = true }
-xdg = { version = "2.5", optional = true }
+xdg = { version = "2.5" }
 
 [target.'cfg(windows)'.dependencies]
 windows-sys = { version = "0.59", features = [
@@ -52,7 +52,7 @@ snapbox = "0.6"
 [features]
 default = ["on-disk-cache", "lock-index"]
 cache-repositories = ["on-disk-cache"]
-on-disk-cache = ["xdg"]
+on-disk-cache = []
 lock-index = ["libc", "windows-sys"]
 
 [lints.rust.unexpected_cfgs]

README.md

@@ -68,6 +68,8 @@ Options:
       --no-exit-code    Do not set exit status when unmaintained packages are found
       --no-warnings     Do not show warnings
   -p, --package <NAME>  Check only whether package NAME is unmaintained
+      --save-token      Read a personal access token from standard input and save it to
+                        $HOME/.config/cargo-unmaintained/token.txt
       --tree            Show paths to unmaintained packages
       --verbose         Show information about what cargo-unmaintained is doing
   -h, --help            Print help
@@ -77,6 +79,13 @@ The `GITHUB_TOKEN_PATH` environment variable can be set to the path of a file co
 access token. If set, cargo-unmaintained will use this token to authenticate to GitHub and check
 whether packages' repositories have been archived.
 
+Alternatively, the `GITHUB_TOKEN` environment variable can be set to a personal access token.
+However, use of `GITHUB_TOKEN_PATH` is recommended as it is less likely to leak the token.
+
+If neither `GITHUB_TOKEN_PATH` nor `GITHUB_TOKEN` is set, but a file exists at
+$HOME/.config/cargo-unmaintained/token.txt, cargo-unmaintained will use that file's contents as a
+personal access token.
+
 Unless --no-exit-code is passed, the exit status is 0 if no unmaintained packages were found and no
 irrecoverable errors occurred, 1 if unmaintained packages were found, and 2 if an irrecoverable
 error occurred.

build.rs

@@ -1,6 +1,35 @@
+use std::{env::var, fs::write, path::PathBuf};
+
+const TOKEN_PATH: &str = if cfg!(not(windows)) {
+    "$HOME/.config/cargo-unmaintained/token.txt"
+} else {
+    "%LOCALAPPDATA%\\\\cargo-unmaintained\\\\token.txt"
+};
+
 fn main() {
     println!("cargo:rustc-cfg=__warnings");
 
     #[cfg(all(feature = "cache-repositories", not(feature = "on-disk-cache")))]
     println!("cargo:warning=Feature `cache-repositories` has been renamed to `on-disk-cache`");
+
+    let out_dir = var("OUT_DIR").unwrap();
+    let path = PathBuf::from(out_dir).join("after_help.rs");
+    let contents = format!(
+        r#"const AFTER_HELP: &str = "\
+The `GITHUB_TOKEN_PATH` environment variable can be set to the path of a file containing a \
+personal access token. If set, cargo-unmaintained will use this token to authenticate to GitHub \
+and check whether packages' repositories have been archived.
+
+Alternatively, the `GITHUB_TOKEN` environment variable can be set to a personal access token. \
+However, use of `GITHUB_TOKEN_PATH` is recommended as it is less likely to leak the token.
+
+If neither `GITHUB_TOKEN_PATH` nor `GITHUB_TOKEN` is set, but a file exists at {TOKEN_PATH}, \
+cargo-unmaintained will use that file's contents as a personal access token.
+
+Unless --no-exit-code is passed, the exit status is 0 if no unmaintained packages were found and \
+no irrecoverable errors occurred, 1 if unmaintained packages were found, and 2 if an irrecoverable \
+error occurred.";
+"#,
+    );
+    write(path, contents).unwrap();
 }

rustsec_util/Cargo.lock

@@ -19,6 +19,9 @@ strum_macros = "0.26"
 tempfile = "3.13"
 tokio = "1.40"
 
+[target.'cfg(unix)'.dependencies]
+xdg = { version = "2.5" }
+
 [lints.rust.unexpected_cfgs]
 level = "deny"
 check-cfg = ["cfg(dylint_lib, values(any()))", "cfg(__warnings)"]

rustsec_util/Cargo.toml

@@ -18,6 +18,7 @@ mod octocrab_util;
 mod flush;
 use flush::Flush;
 
+#[allow(unused)]
 #[path = "../../../../src/github/util.rs"]
 mod github_util;
 

rustsec_util/src/bin/rustsec_issues/main.rs

@@ -15,8 +15,8 @@ mod map_ext;
 use map_ext::MapExt;
 
 mod util;
-pub(crate) use util::load_token;
 use util::PERSONAL_TOKEN;
+pub(crate) use util::{load_token, save_token};
 
 #[allow(clippy::unwrap_used)]
 static RE: Lazy<Regex> =

src/github/mod.rs

@@ -1,5 +1,28 @@
 use anyhow::{anyhow, Context, Result};
-use std::{env::var, fs::read_to_string, sync::OnceLock};
+use once_cell::sync::Lazy;
+use std::{
+    env::var,
+    fs::{create_dir_all, read_to_string, File, OpenOptions},
+    io::{stdin, Write},
+    path::PathBuf,
+    sync::OnceLock,
+};
+
+#[allow(clippy::unwrap_used)]
+static CONFIG_DIRECTORY: Lazy<PathBuf> = Lazy::new(|| {
+    #[cfg(not(windows))]
+    {
+        let base_directories = xdg::BaseDirectories::new().unwrap();
+        base_directories.get_config_file("cargo-unmaintained")
+    }
+    #[cfg(windows)]
+    {
+        let local_app_data = var("LOCALAPPDATA").unwrap();
+        PathBuf::from(local_app_data).join("cargo-unmaintained")
+    }
+});
+
+static TOKEN_PATH: Lazy<PathBuf> = Lazy::new(|| CONFIG_DIRECTORY.join("token.txt"));
 
 pub(super) static PERSONAL_TOKEN: OnceLock<String> = OnceLock::new();
 
@@ -16,11 +39,19 @@ pub(crate) fn load_token(f: impl FnOnce(String) -> Result<()>) -> Result<bool> {
             );
         }
         token
+    } else if TOKEN_PATH.try_exists().with_context(|| {
+        format!(
+            "failed to determine whether `{}` exists",
+            TOKEN_PATH.display()
+        )
+    })? {
+        read_to_string(&*TOKEN_PATH).with_context(|| format!("failed to read {TOKEN_PATH:?}"))?
     } else {
         #[cfg(__warnings)]
         crate::warn!(
-            "`GITHUB_TOKEN_PATH` and `GITHUB_TOKEN` are not set; archival statuses will not be \
-             checked",
+            "`GITHUB_TOKEN_PATH` and `GITHUB_TOKEN` are not set and no file was found at {}; \
+             archival statuses will not be checked",
+            TOKEN_PATH.display()
         );
         return Ok(false);
     };
@@ -31,3 +62,56 @@ pub(crate) fn load_token(f: impl FnOnce(String) -> Result<()>) -> Result<bool> {
     f(token)?;
     Ok(true)
 }
+
+pub(crate) fn save_token() -> Result<()> {
+    println!("Please paste a personal access token below. The token needs no scopes.");
+
+    let mut buf = String::new();
+
+    {
+        let n = stdin()
+            .read_line(&mut buf)
+            .with_context(|| "failed to read stdin")?;
+        assert_eq!(buf.len(), n);
+    }
+
+    create_dir_all(&*CONFIG_DIRECTORY).with_context(|| "failed to create config directory")?;
+
+    let mut file = OpenOptions::new()
+        .create(true)
+        .truncate(true)
+        .write(true)
+        .open(&*TOKEN_PATH)
+        .with_context(|| format!("failed to open `{}`", TOKEN_PATH.display()))?;
+    set_permissions(&file, 0o600)?;
+    file.write_all(buf.as_bytes())
+        .with_context(|| format!("failed to write `{}`", TOKEN_PATH.display()))?;
+
+    println!(
+        "Personal access token written to `{}`",
+        TOKEN_PATH.display()
+    );
+
+    Ok(())
+}
+
+type CargoResult<T> = Result<T>;
+
+// smoelius: The below definitions of `set_permissions` were copied from:
+// https://github.com/rust-lang/cargo/blob/1e6828485eea0f550ed7be46ef96107b46aeb162/src/cargo/util/config.rs#L1010-L1024
+#[cfg(unix)]
+#[cfg_attr(dylint_lib = "try_io_result", allow(try_io_result))]
+fn set_permissions(file: &File, mode: u32) -> CargoResult<()> {
+    use std::os::unix::fs::PermissionsExt;
+
+    let mut perms = file.metadata()?.permissions();
+    perms.set_mode(mode);
+    file.set_permissions(perms)?;
+    Ok(())
+}
+
+#[cfg(not(unix))]
+#[allow(unused, clippy::unnecessary_wraps)]
+fn set_permissions(file: &File, mode: u32) -> CargoResult<()> {
+    Ok(())
+}

src/github/util.rs

@@ -59,20 +59,15 @@ enum CargoSubCommand {
     Unmaintained(Opts),
 }
 
+include!(concat!(env!("OUT_DIR"), "/after_help.rs"));
+
 #[allow(clippy::struct_excessive_bools)]
 #[derive(Debug, Parser)]
 #[remain::sorted]
 #[clap(
     version = crate_version!(),
     about = "Find unmaintained packages in Rust projects",
-    after_help = "\
-The `GITHUB_TOKEN_PATH` environment variable can be set to the path of a file containing a \
-personal access token. If set, cargo-unmaintained will use this token to authenticate to GitHub \
-and check whether packages' repositories have been archived.
-
-Unless --no-exit-code is passed, the exit status is 0 if no unmaintained packages were found and \
-no irrecoverable errors occurred, 1 if unmaintained packages were found, and 2 if an irrecoverable \
-error occurred."
+    after_help = AFTER_HELP
 )]
 struct Opts {
     #[clap(
@@ -122,6 +117,22 @@ struct Opts {
     )]
     package: Option<String>,
 
+    #[cfg(not(windows))]
+    #[clap(
+        long,
+        help = "Read a personal access token from standard input and save it to \
+                $HOME/.config/cargo-unmaintained/token.txt"
+    )]
+    save_token: bool,
+
+    #[cfg(windows)]
+    #[clap(
+        long,
+        help = "Read a personal access token from standard input and save it to \
+                %LOCALAPPDATA%\\cargo-unmaintained\\token.txt"
+    )]
+    save_token: bool,
+
     #[clap(long, help = "Show paths to unmaintained packages")]
     tree: bool,
 
@@ -214,6 +225,12 @@ fn main() -> Result<()> {
 
     opts::init(opts);
 
+    if opts::get().save_token {
+        // smoelius: Currently, if additional options are passed besides --save-token, they are
+        // ignored and no error is emitted. This is ugly.
+        return github::save_token();
+    }
+
     if github::load_token(|_| Ok(()))? {
         TOKEN_FOUND.store(true, Ordering::SeqCst);
     }