From c815aff21b668f5fe7bbd04086a988df51281840 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 7 Apr 2005 14:01:51 +0000 Subject: [PATCH] * `nix-store --add-fixed' to preload the outputs of fixed-output derivations. This is mostly to simplify the implementation of nix-prefetch-{url, svn}, which now work properly in setuid installations. * Enforce valid store names in `nix-store --add / --add-fixed'. --- NEWS | 6 ++-- corepkgs/fetchurl/builder.sh.in | 8 +---- scripts/nix-prefetch-url.in | 63 ++++++++++++++++----------------- src/libexpr/primops.cc | 12 +------ src/libstore/store.cc | 61 +++++++++++++++++++++++++++++-- src/libstore/store.hh | 9 +++++ src/nix-store/main.cc | 50 ++++++++++++++++++++++++-- 7 files changed, 152 insertions(+), 57 deletions(-) diff --git a/NEWS b/NEWS index 21aed8955..8f65315a6 100644 --- a/NEWS +++ b/NEWS @@ -1,4 +1,4 @@ -Version 0.8 +Version 0.8 NOTE: the hashing scheme in Nix 0.8 changed (as detailed below). As a result, `nix-pull' manifests and channels built for Nix 0.7 and below @@ -161,7 +161,7 @@ Nix 0.8 has the following improvements: all unsafe, really ;-) -Version 0.7 +Version 0.7 (January 12, 2005) * Binary patching. When upgrading components using pre-built binaries (through nix-pull / nix-channel), Nix can automatically download and @@ -183,7 +183,7 @@ Version 0.7 dependencies are revealed. -Version 0.6 +Version 0.6 (November 14, 2004) Major changes include the following: diff --git a/corepkgs/fetchurl/builder.sh.in b/corepkgs/fetchurl/builder.sh.in index 92b874652..02abb18b4 100644 --- a/corepkgs/fetchurl/builder.sh.in +++ b/corepkgs/fetchurl/builder.sh.in @@ -2,10 +2,4 @@ echo "downloading $url into $out" -prefetch=@storedir@/nix-prefetch-url-$outputHash -if test -f "$prefetch"; then - echo "using prefetched $prefetch"; - @coreutils@/mv $prefetch $out -else - @curl@ --fail --location --max-redirs 20 "$url" > "$out" -fi +@curl@ --fail --location --max-redirs 20 "$url" > "$out" 
diff --git a/scripts/nix-prefetch-url.in b/scripts/nix-prefetch-url.in
index 615383833..5f6ea4c0d 100644
--- a/scripts/nix-prefetch-url.in
+++ b/scripts/nix-prefetch-url.in
@@ -1,7 +1,7 @@
 #! @shell@ -e
 url=$1
-hash=$2
+expHash=$2
 hashType=$NIX_HASH_ALGO
 if test -z "$hashType"; then
@@ -14,55 +14,54 @@ if test "$hashType" != "md5"; then
 fi
 if test -z "$url"; then
- echo "syntax: nix-prefetch-url URL" >&2
+ echo "syntax: nix-prefetch-url URL [EXPECTED-HASH]" >&2
 exit 1
 fi
-# Determine the hash, unless it was given.
-if test -z "$hash"; then
+name=$(basename "$url")
+if test -z "$name"; then echo "invalid url"; exit 1; fi
- # !!! race
- tmpPath1=@storedir@/nix-prefetch-url-$$
- # Test whether we have write permission in the store. If not,
- # fetch to /tmp and don't copy to the store. This is a hack to
- # make this script at least work somewhat in setuid installations.
- if ! touch $tmpPath1 2> /dev/null; then
- echo "(cannot write to the store, result won't be cached)" >&2
- dummyMode=1
- tmpPath1=/tmp/nix-prefetch-url-$$ # !!! security?
+# If the hash was given, a file with that hash may already be in the
+# store.
+if test -n "$expHash"; then
+ finalPath=$(@bindir@/nix-store --print-fixed-path "$hashType" "$expHash" "$name")
+ if ! @bindir@/nix-store --check-validity "$finalPath" 2> /dev/null; then
+ finalPath=
 fi
+ hash=$expHash
+fi
+
+
+# If we don't know the hash or a file with that hash doesn't exist,
+# download the file and add it to the store.
+if test -z "$finalPath"; then
+
+ tmpPath=/tmp/nix-prefetch-url-$$ # !!! security?
+ tmpFile=$tmpPath/$name
+ mkdir $tmpPath
 # Perform the download.
- @curl@ --fail --location --max-redirs 20 "$url" > $tmpPath1
+ @curl@ --fail --location --max-redirs 20 "$url" > $tmpFile
 # Compute the hash.
- hash=$(@bindir@/nix-hash --type "$hashType" $hashFormat --flat $tmpPath1)
+ hash=$(@bindir@/nix-hash --type "$hashType" $hashFormat --flat $tmpFile)
 if ! test -n "$QUIET"; then echo "hash is $hash" >&2; fi
- # Rename it so that the fetchurl builder can find it.
- if test "$dummyMode" != 1; then
- tmpPath2=@storedir@/nix-prefetch-url-$hash
- test -e $tmpPath2 || mv $tmpPath1 $tmpPath2 # !!! race
+ # Add the downloaded file to the Nix store.
+ finalPath=$(@bindir@/nix-store --add-fixed "$hashType" $tmpFile)
+
+ if test -n "$tmpPath"; then rm -rf $tmpPath || true; fi
+
+ if test -n "$expHash" -a "$expHash" != "$hash"; then
+ echo "hash mismatch for URL \`$url'"
+ exit 1
 fi
- fi
-# Create a Nix expression that does a fetchurl.
-storeExpr=$( \
- echo "(import @datadir@/nix/corepkgs/fetchurl) \
- {url = $url; outputHashAlgo = \"$hashType\"; outputHash = \"$hash\"; system = \"@system@\";}" \
- | @bindir@/nix-instantiate -)
-# Realise it.
-finalPath=$(@bindir@/nix-store -r $storeExpr)
- if ! test -n "$QUIET"; then echo "path is $finalPath" >&2; fi
-if test -n "$tmpPath1" -o -n "$tmpPath2"; then
- rm -rf $tmpPath1 $tmpPath2 || true
-fi
- echo $hash
 if test -n "$PRINT_PATH"; then
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index a2f27b4dc..03d36638d 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -267,17 +267,7 @@ static Expr primDerivation(EvalState & state, const ATermVector & _args)
 /* Check the derivation name. It shouldn't contain whitespace, but we are conservative here: we check whether only alphanumerics and some other characters appear. */
- string validChars = "+-._?=";
- for (string::iterator i = drvName.begin(); i != drvName.end(); ++i)
- if (!((*i >= 'A' && *i <= 'Z') ||
- (*i >= 'a' && *i <= 'z') ||
- (*i >= '0' && *i <= '9') ||
- validChars.find(*i) != string::npos))
- {
- throw Error(format("invalid character `%1%' in derivation name `%2%'")
- % *i % drvName);
- }
-
+ checkStoreName(drvName);
 if (isDerivation(drvName))
 throw Error(format("derivation names are not allowed to end in `%1%'") % drvExtension);
diff --git a/src/libstore/store.cc b/src/libstore/store.cc
index 87425430a..4e531bc41 100644
--- a/src/libstore/store.cc
+++ b/src/libstore/store.cc
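Review bot: The expected-hash comparison `if test -n "$expHash" -a "$expHash" != "$hash"; then` runs only after `nix-store --add-fixed` has already registered the download, so a file whose hash does not match what the caller asked for is left in the store as a valid path before the script exits 1; comparing `$hash` with `$expHash` directly after the `nix-hash` line, before the `--add-fixed` call, keeps a mismatching download out of the store. The temporary directory `tmpPath=/tmp/nix-prefetch-url-$$` has a predictable name (the author's own `# !!! security?` marks it); `mkdir` without `-p` under the script's `-e` does fail closed when the entry already exists, but creating it with `mktemp -d` (or an equally unpredictable name) and restrictive permissions removes the guesswork. `$tmpFile` in the `--add-fixed` call and `$tmpPath` in `rm -rf $tmpPath` are unquoted while `name` comes from `basename "$url"`, so a basename containing whitespace splits into several arguments; quote them as `"$tmpFile"` and `"$tmpPath"`. The trailing `if test -n "$PRINT_PATH"; then` block closes outside the hunk.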
@@ -202,6 +202,21 @@ Path toStorePath(const Path & path)
 }
+void checkStoreName(const string & name)
+{
+ string validChars = "+-._?=";
+ for (string::const_iterator i = name.begin(); i != name.end(); ++i)
+ if (!((*i >= 'A' && *i <= 'Z') ||
+ (*i >= 'a' && *i <= 'z') ||
+ (*i >= '0' && *i <= '9') ||
+ validChars.find(*i) != string::npos))
+ {
+ throw Error(format("invalid character `%1%' in name `%2%'")
+ % *i % name);
+ }
+}
+
+
 void canonicalisePathMetaData(const Path & path)
 {
 checkInterrupt();
@@ -579,13 +594,28 @@ Path makeStorePath(const string & type,
 string s = type + ":sha256:" + printHash(hash) + ":" + nixStore + ":" + suffix;
+ checkStoreName(suffix);
+ return nixStore + "/" + printHash32(compressHash(hashString(htSHA256, s), 20)) + "-" + suffix;
 }
-Path addToStore(const Path & _srcPath)
+Path makeFixedOutputPath(bool recursive,
+ string hashAlgo, Hash hash, string name)
+{
+ /* !!! copy/paste from primops.cc */
+ Hash h = hashString(htSHA256, "fixed:out:" + + (recursive ? (string) "r:" : "") + hashAlgo + ":" + + printHash(hash) + ":" + + "");
+ return makeStorePath("output:out", h, name);
+}
+
+
+static Path _addToStore(bool fixed, bool recursive,
+ string hashAlgo, const Path & _srcPath)
 {
 Path srcPath(absPath(_srcPath));
 debug(format("adding `%1%' to the store") % srcPath);
@@ -597,7 +627,22 @@ Path addToStore(const Path & _srcPath)
 }
 string baseName = baseNameOf(srcPath);
- Path dstPath = makeStorePath("source", h, baseName);
+
+ Path dstPath;
+
+ if (fixed) {
+
+ HashType ht(parseHashType(hashAlgo));
+ Hash h2(ht);
+ {
+ SwitchToOriginalUser sw;
+ h2 = recursive ? hashPath(ht, srcPath) : hashFile(ht, srcPath);
+ }
+
+ dstPath = makeFixedOutputPath(recursive, hashAlgo, h2, baseName);
+ }
+
+ else dstPath = makeStorePath("source", h, baseName);
 addTempRoot(dstPath);
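Review bot: `checkStoreName` accepts the empty string, because the loop body never runs for it, so `makeStorePath` (which this commit makes call `checkStoreName(suffix)`) still yields a path ending in a bare `-` for an empty suffix; a guard such as `if (name.empty()) throw Error("store name may not be empty");` at the top of the function closes that case before the character scan. `string validChars = "+-._?=";` constructs a std::string on every call; `static const string validChars = "+-._?=";` avoids the repeated construction, though that is a style point only. The allowed set already excludes `/` and whitespace, which is the property the store-path callers rely on, so the character test itself looks right.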
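Review bot: `makeFixedOutputPath` carries `/* !!! copy/paste from primops.cc */`, and the preimage `"fixed:out:" + (recursive ? "r:" : "") + hashAlgo + ":" + printHash(hash) + ":"` is presumably the same string the evaluator hashes in primops.cc; if the two copies ever drift, `--add-fixed` and `--print-fixed-path` will name a path the fetchurl builder never looks for and the preloading fails silently. Since this commit already exports the function from store.hh, the primops.cc copy should call it rather than keep its own version, and the `!!!` comment can then be dropped. `hashAlgo` is also concatenated unparsed; both callers in this commit validate it with `parseHashType` first, but parsing it inside the function and re-emitting a canonical spelling would make the result independent of how a caller spells the algorithm name.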
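Review bot: In the `if (fixed)` branch the source is hashed under `SwitchToOriginalUser sw;` and `dstPath` is derived from that hash, while the copy of `srcPath` into the store happens later in `_addToStore`, outside this hunk; if that copy runs with store privileges and re-reads `srcPath`, a file the calling user can modify between the two reads can end up in the store under a name bound to content that was never copied. Hashing the data as it is written, or re-hashing `dstPath` after the copy and comparing it with `h2`, would close that window; this is inferred from the visible lines, since the copy itself is not in the hunk. `h` (computed above the hunk) also appears to be calculated in fixed mode even though only `h2` is used for the path, so the source is read twice. The enclosing `_addToStore` begins in the previous hunk and ends outside this one.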
@@ -635,6 +680,18 @@ Path addToStore(const Path & _srcPath)
 }
+Path addToStore(const Path & srcPath)
+{
+ return _addToStore(false, false, "", srcPath);
+}
+
+
+Path addToStoreFixed(bool recursive, string hashAlgo, const Path & srcPath)
+{
+ return _addToStore(true, recursive, hashAlgo, srcPath);
+}
+
+
 Path addTextToStore(const string & suffix, const string & s,
 const PathSet & references)
 {
diff --git a/src/libstore/store.hh b/src/libstore/store.hh
index 01a971404..bcaea401e 100644
--- a/src/libstore/store.hh
+++ b/src/libstore/store.hh
@@ -85,6 +85,8 @@ void assertStorePath(const Path & path);
 bool isInStore(const Path & path);
 bool isStorePath(const Path & path);
+void checkStoreName(const string & name);
+
 /* Chop off the parts after the top-level store name, e.g., /nix/store/abcd-foo/bar => /nix/store/abcd-foo. */
 Path toStorePath(const Path & path);
@@ -137,6 +139,13 @@ Path makeStorePath(const string & type,
 the resulting path. The resulting path is returned. */
 Path addToStore(const Path & srcPath);
+/* Like addToStore(), but for pre-adding the outputs of fixed-output
+ derivations. */
+Path addToStoreFixed(bool recursive, string hashAlgo, const Path & srcPath);
+
+Path makeFixedOutputPath(bool recursive,
+ string hashAlgo, Hash hash, string name);
+
 /* Like addToStore, but the contents written to the output path is a regular file containing the given string. */
 Path addTextToStore(const string & suffix, const string & s,
diff --git a/src/nix-store/main.cc b/src/nix-store/main.cc
index ff226f986..a8720ce6f 100644
--- a/src/nix-store/main.cc
+++ b/src/nix-store/main.cc
@@ -85,8 +85,7 @@ static void opRealise(Strings opFlags, Strings opArgs)
 }
-/* Add files to the Nix values directory and print the resulting
- paths. */
+/* Add files to the Nix store and print the resulting paths. */
 static void opAdd(Strings opFlags, Strings opArgs)
 {
 if (!opFlags.empty()) throw UsageError("unknown flag");
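Review bot: `makeFixedOutputPath` is the only declaration added to store.hh without a comment, while `addToStoreFixed` directly above it gets one; since both new `nix-store` operations call it, add `/* Compute the store path of the output of a fixed-output derivation with the given output hash; hashAlgo names the hash algorithm (e.g. "md5"). */` above it. `hashAlgo` and `name` are taken by value in both new declarations where the neighbouring functions take `const string &` (e.g. `addToStore(const Path & srcPath)`); a style point, but worth aligning with the rest of the header.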
@@ -96,6 +95,49 @@ static void opAdd(Strings opFlags, Strings opArgs)
 }
+/* Preload the output of a fixed-output derivation into the Nix
+ store. */
+static void opAddFixed(Strings opFlags, Strings opArgs)
+{
+ bool recursive = false;
+
+ for (Strings::iterator i = opFlags.begin();
+ i != opFlags.end(); ++i)
+ if (*i == "--recursive") recursive = true;
+ else throw UsageError(format("unknown flag `%1%'") % *i);
+
+ if (opArgs.empty())
+ throw UsageError("first argument must be hash algorithm");
+
+ string hashAlgo = opArgs.front();
+ opArgs.pop_front();
+
+ for (Strings::iterator i = opArgs.begin(); i != opArgs.end(); ++i)
+ cout << format("%1%\n") % addToStoreFixed(recursive, hashAlgo, *i);
+}
+
+
+/* Hack to support caching in `nix-prefetch-url'. */
+static void opPrintFixedPath(Strings opFlags, Strings opArgs)
+{
+ bool recursive = false;
+
+ for (Strings::iterator i = opFlags.begin();
+ i != opFlags.end(); ++i)
+ if (*i == "--recursive") recursive = true;
+ else throw UsageError(format("unknown flag `%1%'") % *i);
+
+ Strings::iterator i = opArgs.begin();
+ string hashAlgo = *i++;
+ string hash = *i++;
+ string name = *i++;
+
+ cout << format("%1%\n") %
+ makeFixedOutputPath(recursive, hashAlgo,
+ parseHash(parseHashType(hashAlgo), hash), name);
+}
+
+
 /* Place in `paths' the set of paths that are required to `realise' the given store path, i.e., all paths necessary for valid deployment of the path. For a derivation, this is the union of
@@ -557,6 +599,10 @@ void run(Strings args)
 op = opRealise;
 else if (arg == "--add" || arg == "-A")
 op = opAdd;
+ else if (arg == "--add-fixed")
+ op = opAddFixed;
+ else if (arg == "--print-fixed-path")
+ op = opPrintFixedPath;
 else if (arg == "--query" || arg == "-q")
 op = opQuery;
 else if (arg == "--substitute")
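Review bot: `opPrintFixedPath` dereferences `opArgs.begin()` three times (`*i++` for `hashAlgo`, `hash` and `name`) without checking how many operands were supplied, so `nix-store --print-fixed-path` with fewer than three arguments reads past the end of the list, which is undefined behaviour rather than a usage error; `opAddFixed` above does guard with `if (opArgs.empty())`. Insert `if (opArgs.size() != 3) throw UsageError("`--print-fixed-path' requires HASH-ALGO HASH NAME");` before `Strings::iterator i = opArgs.begin();` (assuming `Strings` is a standard sequence container, as the `pop_front()` call above suggests). The two identical `--recursive` flag loops in `opAddFixed` and `opPrintFixedPath` could share one small static helper.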