Maximilian Bosch
35eec921af
The original idea was to fix lix#174, but for a user friendly solution,
I figured that we'd need more consistency:
* Invalid query params will cause an error, just like invalid
attributes. This has the following two consequences:
* The `?dir=`-param from flakes will be removed before the URL to be
fetched is passed to libfetchers.
* The tarball fetcher doesn't allow URLs with custom query params
anymore. I think this was questionable anyways given that an
arbitrary set of query params was silently removed from the URL you
wanted to fetch. The correct way is to use an attribute-set
with a key `url` that contains the tarball URL to fetch.
* Same for the git & mercurial fetchers: in that case it doesn't even
matter though: both fetchers added unused query params to the URL
that's passed from the input scheme to the fetcher (`url2` in the code).
It turns out that this was never used since the query parameters were
erased again in `getActualUrl`.
* Validation happens for both attributes and URLs. Previously, a lot of
fetchers validated e.g. refs/revs only when specified in a URL and
the validity of attribute names only in `inputFromAttrs`.
Now, all the validation is done in `inputFromAttrs` and `inputFromURL`
constructs attributes that will be passed to `inputFromAttrs`.
* Accept all attributes as URL query parameters. That also includes
lesser used ones such as `narHash`.
And "output" attributes like `lastModified`: these could be declared
already when declaring inputs as attribute rather than URL. Now the
behavior is at least consistent.
Personally, I think we should differentiate in the future between
"fetched input" (basically the attr-set that ends up in the lock-file)
and "unfetched input" earlier: both inputFrom{Attrs,URL} entrypoints
are probably OK for unfetched inputs, but for locked/fetched inputs
a custom entrypoint should be used. Then, the current entrypoints
wouldn't have to allow these attributes anymore.
Change-Id: I1be1992249f7af8287cfc37891ab505ddaa2e8cd
92 lines
3.4 KiB
Nix
92 lines
3.4 KiB
Nix
{ lib, config, nixpkgs, ... }:
|
|
|
|
let
|
|
pkgs = config.nodes.machine.nixpkgs.pkgs;
|
|
|
|
root = pkgs.runCommand "nixpkgs-flake" {}
|
|
''
|
|
mkdir -p $out/{stable,tags}
|
|
|
|
set -x
|
|
dir=nixpkgs-${nixpkgs.shortRev}
|
|
cp -prd ${nixpkgs} $dir
|
|
# Set the correct timestamp in the tarball.
|
|
find $dir -print0 | xargs -0 touch -h -t ${builtins.substring 0 12 nixpkgs.lastModifiedDate}.${builtins.substring 12 2 nixpkgs.lastModifiedDate} --
|
|
tar cfz $out/stable/${nixpkgs.rev}.tar.gz $dir --hard-dereference
|
|
|
|
# Set the "Link" header on the redirect but not the final response to
|
|
# simulate an S3-like serving environment where the final host cannot set
|
|
# arbitrary headers.
|
|
cat >$out/tags/.htaccess <<EOF
|
|
Redirect "/tags/latest.tar.gz" "/stable/${nixpkgs.rev}.tar.gz"
|
|
Header always set Link "<http://localhost/stable/${nixpkgs.rev}.tar.gz?rev=${nixpkgs.rev}&revCount=1234>; rel=\"immutable\""
|
|
EOF
|
|
'';
|
|
in
|
|
|
|
{
|
|
name = "tarball-flakes";
|
|
|
|
nodes =
|
|
{
|
|
machine =
|
|
{ config, pkgs, ... }:
|
|
{ networking.firewall.allowedTCPPorts = [ 80 ];
|
|
|
|
services.httpd.enable = true;
|
|
services.httpd.adminAddr = "foo@example.org";
|
|
services.httpd.extraConfig = ''
|
|
ErrorLog syslog:local6
|
|
'';
|
|
services.httpd.virtualHosts."localhost" =
|
|
{ servedDirs =
|
|
[ { urlPath = "/";
|
|
dir = root;
|
|
}
|
|
];
|
|
};
|
|
|
|
virtualisation.writableStore = true;
|
|
virtualisation.diskSize = 2048;
|
|
virtualisation.additionalPaths = [ pkgs.hello pkgs.fuse ];
|
|
virtualisation.memorySize = 4096;
|
|
nix.settings.substituters = lib.mkForce [ ];
|
|
nix.extraOptions = "experimental-features = nix-command flakes";
|
|
};
|
|
};
|
|
|
|
testScript = { nodes }: ''
|
|
# fmt: off
|
|
import json
|
|
|
|
start_all()
|
|
|
|
machine.wait_for_unit("httpd.service")
|
|
|
|
out = machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz")
|
|
print(out)
|
|
info = json.loads(out)
|
|
|
|
# Check that we got redirected to the immutable URL.
|
|
locked_url = info["locked"]["url"]
|
|
assert locked_url == "http://localhost/stable/${nixpkgs.rev}.tar.gz?rev=${nixpkgs.rev}&revCount=1234", f"{locked_url=} != http://localhost/stable/${nixpkgs.rev}.tar.gz"
|
|
|
|
# Check that we got the rev and revCount attributes.
|
|
revision = info["revision"]
|
|
rev_count = info["revCount"]
|
|
assert revision == "${nixpkgs.rev}", f"{revision=} != ${nixpkgs.rev}"
|
|
assert rev_count == 1234, f"{rev_count=} != 1234"
|
|
|
|
# Check that fetching with rev/revCount/narHash succeeds.
|
|
machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz?rev=" + revision)
|
|
machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz?revCount=" + str(rev_count))
|
|
machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz?narHash=" + info["locked"]["narHash"])
|
|
|
|
# Check that fetching fails if we provide incorrect attributes.
|
|
machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?rev=493300eb13ae6fb387fbd47bf54a85915acc31c0")
|
|
machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?revCount=789")
|
|
machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?narHash=sha256-tbudgBSg+bHWHiHnlteNzN8TUvI80ygS9IULh4rklEw=")
|
|
'';
|
|
|
|
}
|