From 5c34d665386f4053d666b0899ecca0639e500fbd Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Wed, 15 May 2019 15:38:24 +0200
Subject: [PATCH] Make flakes work with 'nix build --store ...'

It was getting confused between logical and real store paths.

Also, make fetchGit and fetchMercurial update allowedPaths properly.

(Maybe the evaluator, rather than the caller of the evaluator, should
apply toRealPath(), but that's a bigger change.)
---
 src/libexpr/primops/fetchGit.cc       |  2 +-
 src/libexpr/primops/fetchMercurial.cc |  2 +-
 src/libexpr/primops/flake.cc          | 13 +++++++------
 src/libstore/download.cc              |  2 ++
 src/libstore/download.hh              |  3 +++
 5 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/libexpr/primops/fetchGit.cc b/src/libexpr/primops/fetchGit.cc
index e79eacafe..00bbeb6d8 100644
--- a/src/libexpr/primops/fetchGit.cc
+++ b/src/libexpr/primops/fetchGit.cc
@@ -259,7 +259,7 @@ static void prim_fetchGit(EvalState & state, const Pos & pos, Value * * args, Va
     v.attrs->sort();
 
     if (state.allowedPaths)
-        state.allowedPaths->insert(gitInfo.storePath);
+        state.allowedPaths->insert(state.store->toRealPath(gitInfo.storePath));
 }
 
 static RegisterPrimOp r("fetchGit", 1, prim_fetchGit);
diff --git a/src/libexpr/primops/fetchMercurial.cc b/src/libexpr/primops/fetchMercurial.cc
index cfe1bd871..596047ce3 100644
--- a/src/libexpr/primops/fetchMercurial.cc
+++ b/src/libexpr/primops/fetchMercurial.cc
@@ -214,7 +214,7 @@ static void prim_fetchMercurial(EvalState & state, const Pos & pos, Value * * ar
     v.attrs->sort();
 
     if (state.allowedPaths)
-        state.allowedPaths->insert(hgInfo.storePath);
+        state.allowedPaths->insert(state.store->toRealPath(hgInfo.storePath));
 }
 
 static RegisterPrimOp r("fetchMercurial", 1, prim_fetchMercurial);
diff --git a/src/libexpr/primops/flake.cc b/src/libexpr/primops/flake.cc
index 8dd9599bd..c73487585 100644
--- a/src/libexpr/primops/flake.cc
+++ b/src/libexpr/primops/flake.cc
@@ -248,7 +248,7 @@ static SourceInfo fetchFlake(EvalState & state, const FlakeRef & flakeRef, bool
         FlakeRef ref(resolvedRef.baseRef());
         ref.rev = Hash(std::string(*result.etag, 1, result.etag->size() - 2), htSHA1);
         SourceInfo info(ref);
-        info.storePath = result.path;
+        info.storePath = result.storePath;
 
         return info;
     }
@@ -294,21 +294,22 @@ Flake getFlake(EvalState & state, const FlakeRef & flakeRef, bool impureIsAllowe
     state.store->assertStorePath(sourceInfo.storePath);
 
     if (state.allowedPaths)
-        state.allowedPaths->insert(sourceInfo.storePath);
+        state.allowedPaths->insert(state.store->toRealPath(sourceInfo.storePath));
 
     // Guard against symlink attacks.
     Path flakeFile = canonPath(sourceInfo.storePath + "/" + resolvedRef.subdir + "/flake.nix");
-    if (!isInDir(flakeFile, sourceInfo.storePath))
-        throw Error("flake file '%s' escapes from '%s'", resolvedRef, sourceInfo.storePath);
+    Path realFlakeFile = state.store->toRealPath(flakeFile);
+    if (!isInDir(realFlakeFile, state.store->toRealPath(sourceInfo.storePath)))
+        throw Error("'flake.nix' file of flake '%s' escapes from '%s'", resolvedRef, sourceInfo.storePath);
 
     Flake flake(flakeRef, sourceInfo);
     flake.hash = state.store->queryPathInfo(sourceInfo.storePath)->narHash;
 
-    if (!pathExists(flakeFile))
+    if (!pathExists(realFlakeFile))
         throw Error("source tree referenced by '%s' does not contain a '%s/flake.nix' file", resolvedRef, resolvedRef.subdir);
 
     Value vInfo;
-    state.evalFile(flakeFile, vInfo); // FIXME: symlink attack
+    state.evalFile(realFlakeFile, vInfo); // FIXME: symlink attack
 
     state.forceAttrs(vInfo);
 
diff --git a/src/libstore/download.cc b/src/libstore/download.cc
index cb77cdc77..975cfd97d 100644
--- a/src/libstore/download.cc
+++ b/src/libstore/download.cc
@@ -804,6 +804,7 @@ CachedDownloadResult Downloader::downloadCached(ref<Store> store, const string &
         expectedStorePath = store->makeFixedOutputPath(unpack, expectedHash, name);
         if (store->isValidPath(expectedStorePath)) {
             CachedDownloadResult result;
+            result.storePath = expectedStorePath;
             result.path = store->toRealPath(expectedStorePath);
             return result;
         }
@@ -912,6 +913,7 @@ CachedDownloadResult Downloader::downloadCached(ref<Store> store, const string &
             url, expectedHash.to_string(), gotHash.to_string());
     }
 
+    result.storePath = storePath;
     result.path = store->toRealPath(storePath);
     return result;
 }
diff --git a/src/libstore/download.hh b/src/libstore/download.hh
index 8acfe4e1a..aa8c34be2 100644
--- a/src/libstore/download.hh
+++ b/src/libstore/download.hh
@@ -43,6 +43,9 @@ struct DownloadResult
 
 struct CachedDownloadResult
 {
+    // Note: 'storePath' may be different from 'path' when using a
+    // chroot store.
+    Path storePath;
     Path path;
     std::optional<std::string> etag;
 };