fix:--anon: now hidden, gives an error, still usable as --obfuscate [#2133]

2024-01-21 11:54:49 -10:00 · 2024-01-21 11:54:49 -10:00 · 41711d8ab5
commit 41711d8ab5
parent 0cdc012fd9
7 changed files with 49 additions and 24 deletions
--- a/doc/common.m4
+++ b/doc/common.m4
@ -87,9 +87,6 @@ m4_define({{_inputoptions_}}, {{
 `--alias=OLD=NEW`
 : rename accounts named OLD to NEW

-`--anon`
-: anonymize accounts and payees
-
 `--pivot FIELDNAME`
 : use some other field or tag for the account name

--- a/hledger-lib/Hledger/Read/Common.hs
+++ b/hledger-lib/Hledger/Read/Common.hs
@ -213,7 +213,7 @@ rawOptsToInputOpts day rawopts =
       mformat_           = Nothing
      ,mrules_file_       = maybestringopt "rules-file" rawopts
      ,aliases_           = listofstringopt "alias" rawopts
-      ,anon_              = boolopt "anon" rawopts
+      ,anon_              = boolopt "obfuscate" rawopts
      ,new_               = boolopt "new" rawopts
      ,new_save_          = True
      ,pivot_             = stringopt "pivot" rawopts
--- a/hledger-lib/Hledger/Read/InputOptions.hs
+++ b/hledger-lib/Hledger/Read/InputOptions.hs
@ -29,7 +29,7 @@ data InputOpts = InputOpts {
                                                --   by a filename prefix. Nothing means try all.
    ,mrules_file_       :: Maybe FilePath       -- ^ a conversion rules file to use (when reading CSV)
    ,aliases_           :: [String]             -- ^ account name aliases to apply
-    ,anon_              :: Bool                 -- ^ do light anonymisation/obfuscation of the data
+    ,anon_              :: Bool                 -- ^ do light obfuscation of the data. Now corresponds to --obfuscate, not the old --anon flag.
    ,new_               :: Bool                 -- ^ read only new transactions since this file was last read
    ,new_save_          :: Bool                 -- ^ save latest new transactions state for next time
    ,pivot_             :: String               -- ^ use the given field's value as the account name
--- a/hledger/Hledger/Cli/Anon.hs
+++ b/hledger/Hledger/Cli/Anon.hs
@ -1,8 +1,10 @@
 {-|

-Instances for anonymizing sensitive data in various types.
+Instances for obfuscating sensitive data (mainly text, not numbers) in various types.

-Note that there is no clear way to anonymize numbers.
+Currently this is deterministic and does not provide much privacy.
+It has been moved to a hidden --obfuscate flag, with the old --anon flag
+now raising an error. See https://github.com/simonmichael/hledger/issues/2133 .

 -}

--- a/hledger/Hledger/Cli/CliOptions.hs
+++ b/hledger/Hledger/Cli/CliOptions.hs
@ -134,7 +134,6 @@ inputflags = [
  flagReq  ["file","f"]      (\s opts -> Right $ setopt "file" s opts) "FILE" "use a different input file. For stdin, use - (default: $LEDGER_FILE or $HOME/.hledger.journal)"
 ,flagReq  ["rules-file"]    (\s opts -> Right $ setopt "rules-file" s opts) "RFILE" "CSV conversion rules file (default: FILE.rules)"
 ,flagReq  ["alias"]         (\s opts -> Right $ setopt "alias" s opts)  "OLD=NEW" "rename accounts named OLD to NEW"
- ,flagNone ["anon"]          (setboolopt "anon") "anonymize accounts and payees"
 ,flagReq  ["pivot"]         (\s opts -> Right $ setopt "pivot" s opts)  "TAGNAME" "use some other field/tag for account names"
 ,flagNone ["ignore-assertions","I"] (setboolopt "ignore-assertions") "ignore any balance assertions"
 ,flagNone ["strict","s"]    (setboolopt "strict") "do extra error checking (check that all posted accounts are declared)"
@ -250,9 +249,11 @@ flattreeflags showamounthelp = [
 -- such as --effective, --aux-date.
 hiddenflags :: [Flag RawOpts]
 hiddenflags = [
-   flagNone ["effective","aux-date"] (setboolopt "date2") "Ledger-compatible aliases for --date2"
-  ,flagNone ["infer-value"] (setboolopt "infer-market-prices") "legacy flag that was renamed"
-  ,flagNone ["pretty-tables"] (setopt "pretty" "always") "legacy flag that was renamed"
+   flagNone ["effective","aux-date"]  (setboolopt "date2") "Ledger-compatible aliases for --date2"
+  ,flagNone ["infer-value"]  (setboolopt "infer-market-prices") "legacy flag that was renamed"
+  ,flagNone ["pretty-tables"]  (setopt "pretty" "always") "legacy flag that was renamed"
+  ,flagNone ["anon"]  (setboolopt "anon") "deprecated, renamed to --obfuscate"  -- #2133, handled by anonymiseByOpts
+  ,flagNone ["obfuscate"]  (setboolopt "obfuscate") "slightly obfuscate hledger's output. Warning, does not give privacy. Formerly --anon."  -- #2133, handled by maybeObfuscate
  ]

 -- | Common output-related flags: --output-file, --output-format...
--- a/hledger/Hledger/Cli/Utils.hs
+++ b/hledger/Hledger/Cli/Utils.hs
@ -87,17 +87,30 @@ journalTransform :: CliOpts -> Journal -> Journal
 journalTransform opts =
      pivotByOpts opts
  <&> anonymiseByOpts opts
+  <&> maybeObfuscate opts

-- | Apply the pivot transformation on a journal, if option is present.
+-- | Apply the pivot transformation on a journal (replacing account names by a different field's value), if option is present.
 pivotByOpts :: CliOpts -> Journal -> Journal
 pivotByOpts opts =
  case maybestringopt "pivot" . rawopts_ $ opts of
    Just tag -> journalPivot $ T.pack tag
    Nothing  -> id

-- | Apply the anonymisation transformation on a journal, if option is present
+-- #2133
+-- | Raise an error, announcing the rename to --obfuscate and its limitations.
 anonymiseByOpts :: CliOpts -> Journal -> Journal
 anonymiseByOpts opts =
+  if boolopt "anon" $ rawopts_ opts
+    then error' $ unlines [
+       "--anon does not give privacy, and perhaps should be avoided;"
+      ,"please see https://github.com/simonmichael/hledger/issues/2133 ."
+      ,"For now it has been renamed to --obfuscate (a hidden flag)."
+      ]
+    else id
+
+-- | Apply light obfuscation to a journal, if --obfuscate is present (formerly --anon).
+maybeObfuscate :: CliOpts -> Journal -> Journal
+maybeObfuscate opts =
  if anon_ . inputopts_ $ opts
      then anon
      else id
--- a/hledger/test/journal/anon.test
+++ b/hledger/test/journal/anon.test
@ -13,29 +13,41 @@ alias tips=expenses:tips
    (liabilities)   1
    (tips)  3

-# Basic tests on accounts
 # ** 1.
 $ hledger -f- print --anon
-> !/assets|liabilities|expenses|tips/
+>2 /--anon does not give privacy/
+>=1
+
+# Basic tests on accounts
+
 # ** 2.
-$ hledger -f- reg --anon
+$ hledger -f- print --obfuscate
 > !/assets|liabilities|expenses|tips/
+
 # ** 3.
-$ hledger -f- bal --anon
+$ hledger -f- reg --obfuscate
 > !/assets|liabilities|expenses|tips/
+
 # ** 4.
-$ hledger -f- accounts --anon
+$ hledger -f- bal --obfuscate
+> !/assets|liabilities|expenses|tips/
+
+# ** 5.
+$ hledger -f- accounts --obfuscate
 > !/assets|liabilities|expenses|tips/

 # Basic tests on descriptions and comments
-# ** 5.
-$ hledger -f- print --anon
-> !/borrow|signed/
+
 # ** 6.
-$ hledger -f- reg --anon
+$ hledger -f- print --obfuscate
+> !/borrow|signed/
+
+# ** 7.
+$ hledger -f- reg --obfuscate
 > !/borrow/

 # Basic tests on transaction code
-# ** 7.
-$ hledger -f- print --anon
+
+# ** 8.
+$ hledger -f- print --obfuscate
 > !/receipt/