feat(secure): add `:trust` command and vim.secure.trust() (#21107)

Introduce vim.secure.trust() to programmatically manage the trust
database. Use this function in a new :trust ex command which can
be used as a simple frontend.

Resolves: https://github.com/neovim/neovim/issues/21092
Co-authored-by: Gregory Anders <greg@gpanders.com>
Co-authored-by: ii14 <ii14@users.noreply.github.com>

5 files changed, 84 insertions, 0 deletions

diff --git a/src/nvim/ex_cmds.c b/src/nvim/ex_cmds.c
index 34144fbdfc..96e61c13fb 100644
--- a/src/nvim/ex_cmds.c
+++ b/src/nvim/ex_cmds.c
@@ -53,6 +53,7 @@
 #include "nvim/highlight_group.h"
 #include "nvim/indent.h"
 #include "nvim/input.h"
+#include "nvim/lua/executor.h"
 #include "nvim/macros.h"
 #include "nvim/main.h"
 #include "nvim/mark.h"
@@ -4960,3 +4961,29 @@ void ex_oldfiles(exarg_T *eap)
     }
   }
 }
+
+void ex_trust(exarg_T *eap)
+{
+  const char *const p = skiptowhite(eap->arg);
+  char *arg1 = xmemdupz(eap->arg, (size_t)(p - eap->arg));
+  const char *action = "allow";
+  const char *path = skipwhite(p);
+
+  if (strcmp(arg1, "++deny") == 0) {
+    action = "deny";
+  } else if (strcmp(arg1, "++remove") == 0) {
+    action = "remove";
+  } else if (*arg1 != '\0') {
+    semsg(e_invarg2, arg1);
+    goto theend;
+  }
+
+  if (path[0] == '\0') {
+    path = NULL;
+  }
+
+  nlua_trust(action, path);
+
+theend:
+  xfree(arg1);
+}
diff --git a/src/nvim/ex_cmds.lua b/src/nvim/ex_cmds.lua
index e3eea884c4..6911d318cc 100644
--- a/src/nvim/ex_cmds.lua
+++ b/src/nvim/ex_cmds.lua
@@ -2934,6 +2934,12 @@ module.cmds = {
     func='ex_tag',
   },
   {
+    command='trust',
+    flags=bit.bor(EXTRA, FILE1, TRLBAR, LOCK_OK),
+    addr_type='ADDR_NONE',
+    func='ex_trust',
+  },
+  {
     command='try',
     flags=bit.bor(TRLBAR, SBOXOK, CMDWIN, LOCK_OK),
     addr_type='ADDR_NONE',
diff --git a/src/nvim/ex_docmd.c b/src/nvim/ex_docmd.c
index 37396a22ad..c2d73360e3 100644
--- a/src/nvim/ex_docmd.c
+++ b/src/nvim/ex_docmd.c
@@ -1827,6 +1827,7 @@ static bool skip_cmd(const exarg_T *eap)
     case CMD_throw:
     case CMD_tilde:
     case CMD_topleft:
+    case CMD_trust:
     case CMD_unlet:
     case CMD_unlockvar:
     case CMD_verbose:
diff --git a/src/nvim/globals.h b/src/nvim/globals.h
index 130f3f6c48..737c92bc8c 100644
--- a/src/nvim/globals.h
+++ b/src/nvim/globals.h
@@ -1016,6 +1016,8 @@ EXTERN char e_highlight_group_name_too_long[] INIT(= N_("E1249: Highlight group
 EXTERN char e_undobang_cannot_redo_or_move_branch[]
 INIT(= N_("E5767: Cannot use :undo! to redo or move to a different undo branch"));
 
+EXTERN char e_trustfile[] INIT(= N_("E5570: Cannot update trust file: %s"));
+
 EXTERN char top_bot_msg[] INIT(= N_("search hit TOP, continuing at BOTTOM"));
 EXTERN char bot_top_msg[] INIT(= N_("search hit BOTTOM, continuing at TOP"));
 
diff --git a/src/nvim/lua/executor.c b/src/nvim/lua/executor.c
index 43a3b12a98..5380559baf 100644
--- a/src/nvim/lua/executor.c
+++ b/src/nvim/lua/executor.c
@@ -2217,3 +2217,51 @@ char *nlua_read_secure(const char *path)
 
   return buf;
 }
+
+bool nlua_trust(const char *action, const char *path)
+{
+  lua_State *const lstate = global_lstate;
+  lua_getglobal(lstate, "vim");
+  lua_getfield(lstate, -1, "secure");
+  lua_getfield(lstate, -1, "trust");
+
+  lua_newtable(lstate);
+  lua_pushstring(lstate, "action");
+  lua_pushstring(lstate, action);
+  lua_settable(lstate, -3);
+  if (path == NULL) {
+    lua_pushstring(lstate, "bufnr");
+    lua_pushnumber(lstate, 0);
+    lua_settable(lstate, -3);
+  } else {
+    lua_pushstring(lstate, "path");
+    lua_pushstring(lstate, path);
+    lua_settable(lstate, -3);
+  }
+
+  if (nlua_pcall(lstate, 1, 2)) {
+    nlua_error(lstate, _("Error executing vim.secure.trust: %.*s"));
+    return false;
+  }
+
+  bool success = lua_toboolean(lstate, -2);
+  const char *msg = lua_tostring(lstate, -1);
+  if (msg != NULL) {
+    if (success) {
+      if (strcmp(action, "allow") == 0) {
+        smsg("Allowed \"%s\" in trust database.", msg);
+      } else if (strcmp(action, "deny") == 0) {
+        smsg("Denied \"%s\" in trust database.", msg);
+      } else if (strcmp(action, "remove") == 0) {
+        smsg("Removed \"%s\" from trust database.", msg);
+      }
+    } else {
+      semsg(e_trustfile, msg);
+    }
+  }
+
+  // Pop return values, "vim" and "secure"
+  lua_pop(lstate, 4);
+
+  return success;
+}