From f5009253d316f4e61198d339df3a8f3417b9034f Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 30 Jul 2024 23:46:40 +0200 Subject: [PATCH 1/5] Add setting 'unforwarded-settings' to prevent forwarding to the daemon This is useful for settings like netrc-file that we might not want to forward, and can avoid annoying warnings if the user is not trusted. --- src/libstore/globals.hh | 6 ++++++ src/libstore/remote-store.cc | 3 +++ tests/functional/common/vars-and-functions.sh | 2 +- tests/functional/remote-store.sh | 7 +++++++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 8760c9d145b..1eaa003025f 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -99,6 +99,12 @@ public: */ Path nixDaemonSocketFile; + Setting unforwardedSettings{this, {}, "unforwarded-settings", + R"( + The names of settings that will not be forwarded from the + Nix client to the Nix daemon. + )"}; + Setting storeUri{this, getEnv("NIX_REMOTE").value_or("auto"), "store", R"( The [URL of the Nix store](@docroot@/store/types/index.md#store-url-format) diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc index ebb0864c555..cd5dcc02f62 100644 --- a/src/libstore/remote-store.cc +++ b/src/libstore/remote-store.cc @@ -129,6 +129,9 @@ void RemoteStore::setOptions(Connection & conn) overrides.erase(loggerSettings.showTrace.name); overrides.erase(experimentalFeatureSettings.experimentalFeatures.name); overrides.erase("plugin-files"); + overrides.erase(settings.unforwardedSettings.name); + for (auto & i : settings.unforwardedSettings.get()) + overrides.erase(i); conn.to << overrides.size(); for (auto & i : overrides) conn.to << i.first << i.second.value; diff --git a/tests/functional/common/vars-and-functions.sh b/tests/functional/common/vars-and-functions.sh index 632c81a82a5..8532542decd 100644 --- a/tests/functional/common/vars-and-functions.sh +++ b/tests/functional/common/vars-and-functions.sh 
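Review bot: In the src/libstore/remote-store.cc hunk of patch 1/5, `for (auto & i : settings.unforwardedSettings.get()) overrides.erase(i);` fails open: a name that does not exactly match a key in `overrides` (a typo, or presumably an alias of the setting) erases nothing, and the setting is still sent to the daemon without any message. Since the option is meant for values such as `netrc-file` that the user does not want forwarded, a warning for listed names that are not known settings would make that case visible; how a name can be looked up is not shown in this hunk. The loop variable can also be `const auto &`. The same loop is carried over under the new name in patch 2/5, and the body of `RemoteStore::setOptions` extends beyond the hunk.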
@@ -123,7 +123,7 @@ startDaemon() { fi # Start the daemon, wait for the socket to appear. rm -f $NIX_DAEMON_SOCKET_PATH - PATH=$DAEMON_PATH nix --extra-experimental-features 'nix-command' daemon & + PATH=$DAEMON_PATH nix --extra-experimental-features 'nix-command' daemon "${extraDaemonFlags[@]}" & _NIX_TEST_DAEMON_PID=$! export _NIX_TEST_DAEMON_PID for ((i = 0; i < 300; i++)); do diff --git a/tests/functional/remote-store.sh b/tests/functional/remote-store.sh index 841b6b27ae4..3eea21a31f3 100755 --- a/tests/functional/remote-store.sh +++ b/tests/functional/remote-store.sh @@ -36,3 +36,10 @@ NIX_REMOTE= nix-store --dump-db > $TEST_ROOT/d2 cmp $TEST_ROOT/d1 $TEST_ROOT/d2 killDaemon + +# Test 'unforwarded-settings'. +extraDaemonFlags=("--trusted-users" "") +startDaemon +nix store info --netrc-file /foo 2>&1 | grepQuiet "ignoring the client-specified setting 'netrc-file'" +nix store info --netrc-file /foo --unforwarded-settings netrc-file 2>&1 | grep -v "ignoring the client-specified setting 'netrc-file'" +killDaemon From 3cab221b24c530ea7f1b99ac90909dc548be1893 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 31 Jul 2024 17:59:58 +0200 Subject: [PATCH 2/5] Rename unforwarded-settings -> client-only-settings --- src/libstore/globals.hh | 2 +- src/libstore/remote-store.cc | 4 ++-- tests/functional/remote-store.sh | 4 +++- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index 1eaa003025f..f22737bb702 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -99,7 +99,7 @@ public: */ Path nixDaemonSocketFile; - Setting unforwardedSettings{this, {}, "unforwarded-settings", + Setting clientOnlySettings{this, {}, "client-only-settings", R"( The names of settings that will not be forwarded from the Nix client to the Nix daemon. diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc index cd5dcc02f62..cc4ebeab455 100644 --- a/src/libstore/remote-store.cc 
+++ b/src/libstore/remote-store.cc @@ -129,8 +129,8 @@ void RemoteStore::setOptions(Connection & conn) overrides.erase(loggerSettings.showTrace.name); overrides.erase(experimentalFeatureSettings.experimentalFeatures.name); overrides.erase("plugin-files"); - overrides.erase(settings.unforwardedSettings.name); - for (auto & i : settings.unforwardedSettings.get()) + overrides.erase(settings.clientOnlySettings.name); + for (auto & i : settings.clientOnlySettings.get()) overrides.erase(i); conn.to << overrides.size(); for (auto & i : overrides) diff --git a/tests/functional/remote-store.sh b/tests/functional/remote-store.sh index 3eea21a31f3..63e8a025275 100755 --- a/tests/functional/remote-store.sh +++ b/tests/functional/remote-store.sh @@ -41,5 +41,7 @@ killDaemon extraDaemonFlags=("--trusted-users" "") startDaemon nix store info --netrc-file /foo 2>&1 | grepQuiet "ignoring the client-specified setting 'netrc-file'" -nix store info --netrc-file /foo --unforwarded-settings netrc-file 2>&1 | grep -v "ignoring the client-specified setting 'netrc-file'" +if nix store info --netrc-file /foo --client-only-settings netrc-file 2>&1 | grep "ignoring the client-specified setting 'netrc-file'"; then + exit 1 +fi killDaemon From 2ac15b3bcf38e203ee5d984a7eb4c2dd6f31b232 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 3 Sep 2024 17:43:45 +0200 Subject: [PATCH 3/5] Update comment --- tests/functional/remote-store.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/functional/remote-store.sh b/tests/functional/remote-store.sh index 63e8a025275..6e732674656 100755 --- a/tests/functional/remote-store.sh +++ b/tests/functional/remote-store.sh @@ -37,7 +37,7 @@ cmp $TEST_ROOT/d1 $TEST_ROOT/d2 killDaemon -# Test 'unforwarded-settings'. +# Test 'client-only-settings'. extraDaemonFlags=("--trusted-users" "") startDaemon nix store info --netrc-file /foo 2>&1 | grepQuiet "ignoring the client-specified setting 'netrc-file'" 
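Review bot: In the tests/functional/remote-store.sh hunk of patch 2/5, the negative check `if nix store info --netrc-file /foo --client-only-settings netrc-file 2>&1 | grep "ignoring the client-specified setting 'netrc-file'"; then exit 1; fi` also passes when `nix store info` itself fails or prints nothing, because the `if` condition only reflects the pipeline's status and never checks that the command succeeded. Capturing the output first keeps the command's exit status under test: `out=$(nix store info --netrc-file /foo --client-only-settings netrc-file 2>&1)` followed by `if grep -q "ignoring the client-specified setting 'netrc-file'" <<< "$out"; then exit 1; fi`, assuming the suite runs with `set -e`. The daemon-side check added to the same file in patch 4/5 uses the same pattern and would benefit from the same change.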
From 120ca30816f19d3558a626a08bf29c9d5a374a8d Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 3 Sep 2024 17:46:20 +0200 Subject: [PATCH 4/5] Filter out client-only-settings on the daemon --- src/libstore/daemon.cc | 4 ++++ tests/functional/remote-store.sh | 10 +++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc index 6079eae7ba4..7b4e306d490 100644 --- a/src/libstore/daemon.cc +++ b/src/libstore/daemon.cc @@ -238,9 +238,13 @@ struct ClientSettings return true; }; + auto clientOnlySettings = settings.clientOnlySettings.get(); + try { if (name == "ssh-auth-sock") // obsolete ; + else if (clientOnlySettings.contains(name)) + ; else if (name == experimentalFeatureSettings.experimentalFeatures.name) { // We don’t want to forward the experimental features to // the daemon, as that could cause some pretty weird stuff diff --git a/tests/functional/remote-store.sh b/tests/functional/remote-store.sh index 6e732674656..8237c715322 100755 --- a/tests/functional/remote-store.sh +++ b/tests/functional/remote-store.sh @@ -37,7 +37,7 @@ cmp $TEST_ROOT/d1 $TEST_ROOT/d2 killDaemon -# Test 'client-only-settings'. +# Test 'client-only-settings' on the client. extraDaemonFlags=("--trusted-users" "") startDaemon nix store info --netrc-file /foo 2>&1 | grepQuiet "ignoring the client-specified setting 'netrc-file'" @@ -45,3 +45,11 @@ if nix store info --netrc-file /foo --client-only-settings netrc-file 2>&1 | gre exit 1 fi killDaemon + +# Test 'client-only-settings' on the daemon. +extraDaemonFlags=("--trusted-users" "" "--option" "client-only-settings" "netrc-file") +startDaemon +if nix store info --netrc-file /foo 2>&1 | grep "ignoring the client-specified setting 'netrc-file'"; then + exit 1 +fi +killDaemon From 6b552a281a0d75c41e46f49cae5b1dc61765ab8d Mon Sep 17 00:00:00 2001 
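Review bot: In the src/libstore/daemon.cc hunk, the new branch `else if (clientOnlySettings.contains(name)) ;` drops the client's value with no log line, and it is tested before the later branches of the chain, so as far as the hunk shows it applies regardless of the client's trust level. A debug-level message in that branch, for example `debug("ignoring client-only setting '%s'", name);`, would let an operator see why a forwarded setting had no effect. `auto clientOnlySettings = settings.clientOnlySettings.get();` copies the set where a `const auto &` binding would do, assuming `get()` returns a reference. The description of `client-only-settings` in globals.hh still only covers client-to-daemon forwarding and could gain a sentence such as `When set on the daemon, settings named here are ignored when a client sends them.` The enclosing function starts and ends outside the hunk.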
From: Eelco Dolstra Date: Tue, 3 Sep 2024 17:52:06 +0200 Subject: [PATCH 5/5] Fix spellcheck --- tests/functional/common/functions.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/functional/common/functions.sh b/tests/functional/common/functions.sh index b27ec6802f1..b621475cc5d 100644 --- a/tests/functional/common/functions.sh +++ b/tests/functional/common/functions.sh @@ -62,6 +62,8 @@ clearCacheCache() { rm -f "$TEST_HOME/.cache/nix/binary-cache"* } +extraDaemonFlags=() + startDaemon() { if isTestOnNixOS; then die "startDaemon: not supported when testing on NixOS. Is it really needed? If so add conditionals; e.g. if ! isTestOnNixOS; then ..."