Reimplement trusted-substituters (aka trusted-binary-caches)

This commit is contained in:
Eelco Dolstra 2017-04-20 13:20:49 +02:00
parent 9cc8047f44
commit 76cb3c702c
No known key found for this signature in database
GPG key ID: 8170B4726D7198DE
2 changed files with 46 additions and 6 deletions

View file

@ -239,6 +239,10 @@ public:
"Additional URIs of substituters.", "Additional URIs of substituters.",
{"extra-binary-caches"}}; {"extra-binary-caches"}};
Setting<StringSet> trustedSubstituters{this, {}, "trusted-substituters",
"Disabled substituters that may be enabled via the substituters option by untrusted users.",
{"trusted-binary-caches"}};
Setting<Strings> trustedUsers{this, {"root"}, "trusted-users", Setting<Strings> trustedUsers{this, {"root"}, "trusted-users",
"Which users or groups are trusted to ask the daemon to do unsafe things."}; "Which users or groups are trusted to ask the daemon to do unsafe things."};

View file

@ -448,20 +448,56 @@ static void performOp(ref<LocalStore> store, bool trusted, unsigned int clientVe
readInt(from); // obsolete printBuildTrace readInt(from); // obsolete printBuildTrace
settings.buildCores = readInt(from); settings.buildCores = readInt(from);
settings.useSubstitutes = readInt(from); settings.useSubstitutes = readInt(from);
StringMap overrides;
if (GET_PROTOCOL_MINOR(clientVersion) >= 12) { if (GET_PROTOCOL_MINOR(clientVersion) >= 12) {
unsigned int n = readInt(from); unsigned int n = readInt(from);
for (unsigned int i = 0; i < n; i++) { for (unsigned int i = 0; i < n; i++) {
string name = readString(from); string name = readString(from);
string value = readString(from); string value = readString(from);
overrides.emplace(name, value);
}
}
startWork();
for (auto & i : overrides) {
auto & name(i.first);
auto & value(i.second);
auto setSubstituters = [&](Setting<Strings> & res) {
if (name != res.name && res.aliases.count(name) == 0)
return false;
StringSet trusted = settings.trustedSubstituters;
for (auto & s : settings.substituters.get())
trusted.insert(s);
Strings subs;
auto ss = tokenizeString<Strings>(value);
for (auto & s : ss)
if (trusted.count(s))
subs.push_back(s);
else
warn("ignoring untrusted substituter '%s'", s);
res = subs;
return true;
};
try { try {
if (trusted || name == "build-timeout") if (trusted
|| name == settings.buildTimeout.name
|| name == settings.connectTimeout.name)
settings.set(name, value); settings.set(name, value);
else if (setSubstituters(settings.substituters))
;
else if (setSubstituters(settings.extraSubstituters))
;
else
debug("ignoring untrusted setting '%s'", name);
} catch (UsageError & e) { } catch (UsageError & e) {
warn(e.what()); warn(e.what());
} }
} }
}
startWork();
stopWork(); stopWork();
break; break;
} }