

PlaceNixConfiguration: fix --extra-conf handling of `extra-trusted-…
…substituters` and `extra-trusted-public-keys` (#1145)

* PlaceNixConfiguration: split Nix config setup to own function for testability

* PlaceNixConfiguration: test that it's possible to specify `extra-trusted-public-keys` and `extra-trusted-substituters`

This will fail until a follow-up commit that fixes it.

* PlaceNixConfiguration: fix `--extra-conf` handling of `extra-trusted-substituters` and `extra-trusted-public-keys`
cole-h authored Sep 10, 2024
1 parent dd31839 commit 7ed9e26
Showing 2 changed files with 131 additions and 22 deletions.
132 changes: 114 additions & 18 deletions src/action/common/place_nix_configuration.rs
Expand Up @@ -34,6 +34,35 @@ impl PlaceNixConfiguration {
extra_conf: Vec<UrlOrPathOrString>,
force: bool,
) -> Result<StatefulAction<Self>, ActionError> {
let nix_config = Self::setup_nix_config(
nix_build_group_name,
proxy,
ssl_cert_file,
extra_internal_conf,
extra_conf,
)
.await?;

let create_directory = CreateDirectory::plan(NIX_CONF_FOLDER, None, None, 0o0755, force)
.await
.map_err(Self::error)?;
let create_or_merge_nix_config = CreateOrMergeNixConfig::plan(NIX_CONF, nix_config)
.await
.map_err(Self::error)?;
Ok(Self {
create_directory,
create_or_merge_nix_config,
}
.into())
}

async fn setup_nix_config(
nix_build_group_name: String,
proxy: Option<Url>,
ssl_cert_file: Option<PathBuf>,
extra_internal_conf: Option<nix_config_parser::NixConfig>,
extra_conf: Vec<UrlOrPathOrString>,
) -> Result<nix_config_parser::NixConfig, ActionError> {
let mut extra_conf_text = vec![];
for extra in extra_conf {
let buf = match &extra {
Expand Down Expand Up @@ -98,6 +127,7 @@ impl PlaceNixConfiguration {
}

settings.insert("build-users-group".to_string(), nix_build_group_name);

let experimental_features = ["nix-command", "flakes"];
match settings.entry("experimental-features".to_string()) {
Entry::Occupied(mut slot) => {
Expand All @@ -124,14 +154,50 @@ impl PlaceNixConfiguration {
// base, unintrusive Determinate Nix options
{
// Add FlakeHub cache to the list of possible substituters, but disabled by default.
// This allows a user to turn on FlakeHub Cache.
settings.insert(
"extra-trusted-substituters".to_string(),
"https://cache.flakehub.com".to_string(),
);
// This allows a user to turn on FlakeHub Cache by adding it to the `extra-substituters`
// list without being a trusted user.
let extra_trusted_substituters = ["https://cache.flakehub.com"];
match settings.entry("extra-trusted-substituters".to_string()) {
Entry::Occupied(mut slot) => {
let slot_mut = slot.get_mut();
for extra_trusted_substituter in extra_trusted_substituters {
if !slot_mut.contains(extra_trusted_substituter) {
*slot_mut += " ";
*slot_mut += extra_trusted_substituter;
}
}
},
Entry::Vacant(slot) => {
let _ = slot.insert(extra_trusted_substituters.join(" "));
},
};

// Add FlakeHub's cache signing keys to the allowed list, but unused unless a user turns them on.
settings.insert("extra-trusted-public-keys".to_string(), "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM= cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio= cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU= cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU= cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8= cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ= cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o= cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y=".to_string());
// Add FlakeHub's cache signing keys to the allowed list, but unused unless a user
// specifies FlakeHub Cache as an `extra-substituter`.
let extra_trusted_public_keys = [
"cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=",
"cache.flakehub.com-4:Asi8qIv291s0aYLyH6IOnr5Kf6+OF14WVjkE6t3xMio=",
"cache.flakehub.com-5:zB96CRlL7tiPtzA9/WKyPkp3A2vqxqgdgyTVNGShPDU=",
"cache.flakehub.com-6:W4EGFwAGgBj3he7c5fNh9NkOXw0PUVaxygCVKeuvaqU=",
"cache.flakehub.com-7:mvxJ2DZVHn/kRxlIaxYNMuDG1OvMckZu32um1TadOR8=",
"cache.flakehub.com-8:moO+OVS0mnTjBTcOUh2kYLQEd59ExzyoW1QgQ8XAARQ=",
"cache.flakehub.com-9:wChaSeTI6TeCuV/Sg2513ZIM9i0qJaYsF+lZCXg0J6o=",
"cache.flakehub.com-10:2GqeNlIp6AKp4EF2MVbE1kBOp9iBSyo0UPR9KoR0o1Y=",
];
match settings.entry("extra-trusted-public-keys".to_string()) {
Entry::Occupied(mut slot) => {
let slot_mut = slot.get_mut();
for extra_trusted_public_key in extra_trusted_public_keys {
if !slot_mut.contains(extra_trusted_public_key) {
*slot_mut += " ";
*slot_mut += extra_trusted_public_key;
}
}
},
Entry::Vacant(slot) => {
let _ = slot.insert(extra_trusted_public_keys.join(" "));
},
};
}

settings.insert(
Expand All @@ -157,17 +223,7 @@ impl PlaceNixConfiguration {
"https://install.determinate.systems/nix-upgrade/stable/universal".to_string(),
);

let create_directory = CreateDirectory::plan(NIX_CONF_FOLDER, None, None, 0o0755, force)
.await
.map_err(Self::error)?;
let create_or_merge_nix_config = CreateOrMergeNixConfig::plan(NIX_CONF, nix_config)
.await
.map_err(Self::error)?;
Ok(Self {
create_directory,
create_or_merge_nix_config,
}
.into())
Ok(nix_config)
}
}

Expand Down Expand Up @@ -252,3 +308,43 @@ impl Action for PlaceNixConfiguration {
}
}
}

#[cfg(test)]
mod tests {
use super::*;

#[tokio::test]
async fn extra_trusted_no_error() -> eyre::Result<()> {
let nix_config = PlaceNixConfiguration::setup_nix_config(
String::from("foo"),
None,
None,
None,
vec![
UrlOrPathOrString::String(String::from("extra-trusted-substituters = barfoo")),
UrlOrPathOrString::String(String::from("extra-trusted-public-keys = foobar")),
],
)
.await?;

assert!(
nix_config
.settings()
.get("extra-trusted-substituters")
.unwrap()
.contains("barfoo"),
"User config and internal defaults are both respected"
);

assert!(
nix_config
.settings()
.get("extra-trusted-public-keys")
.unwrap()
.contains("foobar"),
"User config and internal defaults are both respected"
);

Ok(())
}
}
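Review bot: The de-duplication in both `Entry::Occupied` arms (for `extra-trusted-substituters` and `extra-trusted-public-keys`) uses `String::contains`, which is a substring test, while the values are whitespace-separated lists (the vacant path's `join(" ")` relies on that), so a user-supplied entry that merely embeds a default (for example a longer URL with the same host prefix) makes the default look present and it is silently skipped. A whole-token comparison, `if !slot_mut.split_whitespace().any(|t| t == extra_trusted_substituter)`, is the precise check; the `*slot_mut += " "` path also yields a leading space when the existing value is empty. This block is now copied three times, twice here and once in `determinate_nix_settings` in src/settings.rs, so I would fold it into one shared helper as sketched below rather than fix each copy separately. In `mod tests`, the assertion messages say user config and internal defaults are both respected, but the asserts only check the user tokens; adding `.contains("https://cache.flakehub.com")` (and one of the default keys) would make the test actually cover the regression this commit fixes.

```rust
/// Append each of `items` to the whitespace-separated list in `slot`, skipping
/// any item that is already present as a whole token.
fn append_missing_tokens(slot: &mut String, items: &[&str]) {
    for item in items {
        if !slot.split_whitespace().any(|token| token == *item) {
            if !slot.is_empty() {
                slot.push(' ');
            }
            slot.push_str(item);
        }
    }
}

// … unchanged: extra_trusted_substituters definition …
match settings.entry("extra-trusted-substituters".to_string()) {
    Entry::Occupied(mut slot) => append_missing_tokens(slot.get_mut(), &extra_trusted_substituters),
    Entry::Vacant(slot) => {
        let _ = slot.insert(extra_trusted_substituters.join(" "));
    },
};
// … unchanged: extra_trusted_public_keys definition, same call shape …
```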
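--- a/src/settings.rs
+++ b/src/settings.rs
@@ -7,6 +7,7 @@ use clap::{
 error::{ContextKind, ContextValue},
 ArgAction,
 };
+use indexmap::map::Entry;
 use url::Url;
 
 pub const SCRATCH_DIR: &str = "/nix/temp-install-dir";
@@ -694,10 +695,22 @@ pub fn determinate_nix_settings() -> nix_config_parser::NixConfig {
 let settings = cfg.settings_mut();
 
 settings.insert("netrc-file".into(), "/nix/var/determinate/netrc".into());
-settings.insert(
-"extra-substituters".into(),
-"https://cache.flakehub.com".into(),
-);
+
+let extra_substituters = ["https://cache.flakehub.com"];
+match settings.entry("extra-substituters".to_string()) {
+Entry::Occupied(mut slot) => {
+let slot_mut = slot.get_mut();
+for extra_substituter in extra_substituters {
+if !slot_mut.contains(extra_substituter) {
+*slot_mut += " ";
+*slot_mut += extra_substituter;
+}
+}
+},
+Entry::Vacant(slot) => {
+let _ = slot.insert(extra_substituters.join(" "));
+},
+};
 
 cfg
 }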