From 56a0b0a9946e04214d357b8e04dd5dde71810af8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 16 Apr 2025 19:30:02 +0200
Subject: [PATCH] run_cmd: print what commands are allowed in if the current command is not in the allow list
---
 pkgs/clan-cli/clan_cli/nix/__init__.py | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/pkgs/clan-cli/clan_cli/nix/__init__.py b/pkgs/clan-cli/clan_cli/nix/__init__.py
index 2cb150312..2bf57c88e 100644
--- a/pkgs/clan-cli/clan_cli/nix/__init__.py
+++ b/pkgs/clan-cli/clan_cli/nix/__init__.py
@@ -125,15 +125,20 @@ def nix_shell(packages: list[str], cmd: list[str]) -> list[str]:
 # lazy loads list of allowed and static programs
 class Programs:
- allowed_programs: list[str] | None = None
- static_programs: list[str] | None = None
+ allowed_programs: set[str] | None = None
+ static_programs: set[str] | None = None
 @classmethod
- def is_allowed(cls: type["Programs"], program: str) -> bool:
+ def ensure_allowed(cls: type["Programs"], program: str) -> None:
 if cls.allowed_programs is None:
 with (Path(__file__).parent / "allowed-programs.json").open() as f:
- cls.allowed_programs = json.load(f)
- return program in cls.allowed_programs
+ cls.allowed_programs = allowed_programs = set(json.load(f))
+ else:
+ allowed_programs = cls.allowed_programs
+
+ if program not in allowed_programs:
+ msg = f"Program not allowed: '{program}', allowed programs are:\n{'\n'.join(allowed_programs)}"
+ raise ClanError(msg)
 @classmethod
 def is_static(cls: type["Programs"], program: str) -> bool:
@@ -141,7 +146,9 @@ class Programs:
 Determines if a program is statically shipped with this clan distribution
 """
 if cls.static_programs is None:
- cls.static_programs = os.environ.get("CLAN_STATIC_PROGRAMS", "").split(":")
+ cls.static_programs = set(
+ os.environ.get("CLAN_STATIC_PROGRAMS", "").split(":")
+ )
 return program in cls.static_programs
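Review bot: In `ensure_allowed`, the message line puts `'\n'.join(allowed_programs)` inside the f-string's replacement field; a backslash there is a syntax error on interpreters older than Python 3.12, and the minimum version this package supports is not visible in the patch. Because `allowed_programs` is now a set, the listing also comes out in arbitrary order, which makes the error harder to read and to compare between runs. Building the list first avoids both: `allowed = "\n".join(sorted(allowed_programs))` followed by `msg = f"Program not allowed: '{program}', allowed programs are:\n{allowed}"`. The patch also removes `is_allowed` outright while the diffstat shows only this file changed, so any other caller of that predicate would need updating.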
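Review bot: With `CLAN_STATIC_PROGRAMS` unset or empty, `"".split(":")` yields `['']`, so the set built in `is_static` contains the empty string and `is_static("")` returns True; converting the list to a set keeps that behaviour. Dropping empty entries, `cls.static_programs = set(filter(None, os.environ.get("CLAN_STATIC_PROGRAMS", "").split(":")))`, makes an unset variable mean that no program is static. `is_static` begins before this hunk, so how callers use the result is not visible here.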
@@ -152,9 +159,7 @@ class Programs:
 # - build clan distributions that ship some or all packages (eg. clan-cli-full)
 def run_cmd(programs: list[str], cmd: list[str]) -> list[str]:
 for program in programs:
- if not Programs.is_allowed(program):
- msg = f"Program not allowed: {program}"
- raise ClanError(msg)
+ Programs.ensure_allowed(program)
 if os.environ.get("IN_NIX_SANDBOX"):
 return cmd
 missing_packages = [
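Review bot: The call `Programs.ensure_allowed(program)` is now the only allow-list enforcement in `run_cmd`, and nothing at the call site says that it raises. A short comment above the call, such as `# raises ClanError if the program is not in allowed-programs.json`, or a `Raises:` entry in a docstring for `run_cmd`, would keep that visible to anyone who later reorders the loop and the `IN_NIX_SANDBOX` early return. `run_cmd` continues past the end of this hunk.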