From bec87d536c9f441ffeb603fc821fa7e613585d00 Mon Sep 17 00:00:00 2001
From: Genevieve <4873173+dryya@users.noreply.github.com>
Date: Fri, 14 Jul 2023 18:34:28 +0000
Subject: [PATCH] aerc: add assertion to limit per-account extraConfig to UI
 config (#4196)

* aerc: fix per-account extraConfig section names

The aerc configuration file `aerc.conf` can contain 10 different
sections, but only the UI section supports what the aerc manual calls
contextual configuration. This works by appending to the section heading
either `:account=name` or `:folder=bar`.

The aerc-accounts module, however, applied `mkAccountConfig` to each
section heading declared in
`config.accounts.email.accounts.<name>.aerc.extraConfig.*`. This means
home-manager will generate files with `[general:account=default]` and
the options will not be recognized by aerc.

To address this, and since it doesn't make sense for other sections to
only be under a single account's scope, an assertion has been added
to confirm that only sectons that support contextual config (i.e.,
only the UI section) is declared.

This also addresses confusions like declaring
`accounts.email.accounts.*.aerc.extraConfig.general.unsafe-accounts-conf
= true` and triggering a warning message because
`programs.aerc.extraConfig.general.unsafe-accounts-conf` was unset.

This commit also updated documentation throughout the aerc modules to
be in line with this change, and fixed minor typos/formatting therein.

Co-authored-by: Genevieve <genevieve@sunlashed.garden>

* aerc: make assertion plaintext and add test case

This commit adds a test case to check both the warning on unset
`unsafe-accounts-conf = true` when aerc accounts are configured
with Nix, and the new assertion when per-account configuration
contains unsupported subsections (i.e. general).

It also fixes minor formatting issues and typos.
---
 modules/programs/aerc-accounts.nix        | 16 ++++---
 modules/programs/aerc.nix                 | 24 ++++++++---
 tests/modules/programs/aerc/assertion.nix | 52 +++++++++++++++++++++++
 tests/modules/programs/aerc/default.nix   |  1 +
 4 files changed, 80 insertions(+), 13 deletions(-)
 create mode 100644 tests/modules/programs/aerc/assertion.nix

diff --git a/modules/programs/aerc-accounts.nix b/modules/programs/aerc-accounts.nix
index 1d4f4053..4e852eb8 100644
--- a/modules/programs/aerc-accounts.nix
+++ b/modules/programs/aerc-accounts.nix
@@ -53,9 +53,9 @@ in {
           example =
             literalExpression ''{ source = "maildir://~/Maildir/example"; }'';
           description = ''
-            Extra config added to the configuration of this account in
+            Extra config added to the configuration section for this account in
             <filename>$HOME/.config/aerc/accounts.conf</filename>.
-            See aerc-config(5).
+            See <citerefentry><refentrytitle>aerc-accounts</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
           '';
         };
 
@@ -66,18 +66,20 @@ in {
             ''{ messages = { d = ":move ''${folder.trash}<Enter>"; }; }'';
           description = ''
             Extra bindings specific to this account, added to
-            <filename>$HOME/.config/aerc/accounts.conf</filename>.
-            See <citerefentry><refentrytitle>aerc-config</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+            <filename>$HOME/.config/aerc/binds.conf</filename>.
+            See <citerefentry><refentrytitle>aerc-binds</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
           '';
         };
 
         extraConfig = mkOption {
           type = confSections;
           default = { };
-          example = literalExpression "{ ui = { sidebar-width = 42; }; }";
+          example = literalExpression "{ ui = { sidebar-width = 25; }; }";
           description = ''
-            Extra config specific to this account, added to
-            <filename>$HOME/.config/aerc/aerc.conf</filename>.
+            Config specific to this account, added to <filename>$HOME/.config/aerc/aerc.conf</filename>.
+            Aerc only supports per-account UI configuration.
+            For other sections of <filename>$HOME/.config/aerc/aerc.conf</filename>,
+            use <literal>programs.aerc.extraConfig</literal>.
             See <citerefentry><refentrytitle>aerc-config</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
           '';
         };
diff --git a/modules/programs/aerc.nix b/modules/programs/aerc.nix
index c3f69050..ccd26e21 100644
--- a/modules/programs/aerc.nix
+++ b/modules/programs/aerc.nix
@@ -8,7 +8,7 @@ let
     ((type: either type (listOf type)) (nullOr (oneOf [ str int bool float ])))
     // {
       description =
-        "values (null, bool, int, string of float) or a list of values, that will be joined with a comma";
+        "values (null, bool, int, string, or float) or a list of values, that will be joined with a comma";
     };
 
   confSection = types.attrsOf primitive;
@@ -162,16 +162,28 @@ in {
   in mkIf cfg.enable {
     warnings = if genAccountsConf
     && (cfg.extraConfig.general.unsafe-accounts-conf or false) == false then [''
-      aerc: An email account was configured, but `extraConfig.general.unsafe-accounts-conf` is set to false or unset.
-      This will prevent aerc from starting, see `unsafe-accounts-conf` in the man page aerc-config(5), which states:
+      aerc: `programs.aerc.enable` is set, but `...extraConfig.general.unsafe-accounts-conf` is set to false or unset.
+      This will prevent aerc from starting; see `unsafe-accounts-conf` in the man page aerc-config(5):
       > By default, the file permissions of accounts.conf must be restrictive and only allow reading by the file owner (0600).
       > Set this option to true to ignore this permission check. Use this with care as it may expose your credentials.
-      These file permissions are not possible with home-manger, since the generated file is stored in the nix-store with read-only access for all users (0444).
-      If `passwordCommand` is properly set, no credentials will be stored in the nix store.
-      Therefore, consider setting the option `extraConfig.general.unsafe-accounts-conf` to true.
+      These permissions are not possible with home-manager, since the generated file is in the nix-store (permissions 0444).
+      Therefore, please set `programs.aerc.extraConfig.general.unsafe-accounts-conf = true`.
+      This option is safe; if `passwordCommand` is properly set, no credentials will be written to the nix store.
     ''] else
       [ ];
 
+    assertions = [{
+      assertion = let
+        extraConfigSections = (unique (flatten
+          (mapAttrsToList (_: v: attrNames v.aerc.extraConfig) aerc-accounts)));
+      in extraConfigSections == [ ] || extraConfigSections == [ "ui" ];
+      message = ''
+        Only the ui section of $XDG_CONFIG_HOME/aerc.conf supports contextual (per-account) configuration.
+        Please configure it with accounts.email.accounts._.aerc.extraConfig.ui and move any other
+        configuration to programs.aerc.extraConfig.
+      '';
+    }];
+
     home.packages = [ cfg.package ];
 
     xdg.configFile = {
diff --git a/tests/modules/programs/aerc/assertion.nix b/tests/modules/programs/aerc/assertion.nix
new file mode 100644
index 00000000..9b37f082
--- /dev/null
+++ b/tests/modules/programs/aerc/assertion.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  config = {
+    test.asserts.assertions.expected = [''
+      Only the ui section of $XDG_CONFIG_HOME/aerc.conf supports contextual (per-account) configuration.
+      Please configure it with accounts.email.accounts._.aerc.extraConfig.ui and move any other
+      configuration to programs.aerc.extraConfig.
+    ''];
+    test.asserts.warnings.expected = [''
+      aerc: `programs.aerc.enable` is set, but `...extraConfig.general.unsafe-accounts-conf` is set to false or unset.
+      This will prevent aerc from starting; see `unsafe-accounts-conf` in the man page aerc-config(5):
+      > By default, the file permissions of accounts.conf must be restrictive and only allow reading by the file owner (0600).
+      > Set this option to true to ignore this permission check. Use this with care as it may expose your credentials.
+      These permissions are not possible with home-manager, since the generated file is in the nix-store (permissions 0444).
+      Therefore, please set `programs.aerc.extraConfig.general.unsafe-accounts-conf = true`.
+      This option is safe; if `passwordCommand` is properly set, no credentials will be written to the nix store.
+    ''];
+
+    test.stubs.aerc = { };
+
+    programs.aerc = {
+      enable = true;
+      extraAccounts = {
+        Test1 = {
+          source = "maildir:///dev/null";
+          enable-folders-sort = true;
+          folders = [ "INBOX" "SENT" "JUNK" ];
+        };
+      };
+      extraConfig.general = {
+        # unsafe-accounts-conf = true;
+        pgp-provider = "gpg";
+      };
+    };
+
+    accounts.email.accounts.Test2 = {
+      address = "addr@mail.invalid";
+      userName = "addr@mail.invalid";
+      realName = "Foo Bar";
+      primary = true;
+      imap.host = "imap.host.invalid";
+      passwordCommand = "echo PaSsWorD!";
+      aerc = {
+        enable = true;
+        extraConfig.general.pgp-provider = "internal";
+      };
+    };
+  };
+}
diff --git a/tests/modules/programs/aerc/default.nix b/tests/modules/programs/aerc/default.nix
index f5d81092..9417a219 100644
--- a/tests/modules/programs/aerc/default.nix
+++ b/tests/modules/programs/aerc/default.nix
@@ -1,4 +1,5 @@
 {
   aerc-noSettings = ./noSettings.nix;
   aerc-settings = ./settings.nix;
+  aerc-assertion = ./assertion.nix;
 }