nix: Add --impure as a shorter alias of --no-pure-eval

Eelco Dolstra 2019-04-08 23:19:19 +02:00
parent 6a4c7fb975
commit ee1254d4f5
6 changed files with 49 additions and 42 deletions


@ -289,7 +289,7 @@ static std::tuple<FlakeId, std::map<FlakeId, Flake>> resolveFlake(EvalState & st
#if 0 #if 0
if (evalSettings.pureEval && !flakeRef.isImmutable() && (!toplevel || !impureTopRef)) if (evalSettings.pureEval && !flakeRef.isImmutable() && (!toplevel || !impureTopRef))
throw Error("mutable flake '%s' is not allowed in pure mode; use --no-pure-eval to disable", flakeRef.to_string()); throw Error("mutable flake '%s' is not allowed in pure mode; use --impure to disable", flakeRef.to_string());
#endif #endif
auto flake = getFlake(state, flakeRef); auto flake = getFlake(state, flakeRef);
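Review bot: The updated error text on the throw line is unreachable, because the whole check sits inside `#if 0`/`#endif`, so this guard against mutable flake refs in pure mode never runs and the new `--impure` hint is never shown. If the guard is meant to stay off while flake handling is being worked out, a comment above the `#if 0` such as `// TODO: re-enable once mutable-flake handling in pure mode is settled` would make that deliberate; otherwise the block should be re-enabled rather than kept as dead code whose message is maintained. resolveFlake starts outside this hunk.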


@ -21,6 +21,13 @@ SourceExprCommand::SourceExprCommand()
.label("file") .label("file")
.description("evaluate a set of attributes from FILE (deprecated)") .description("evaluate a set of attributes from FILE (deprecated)")
.dest(&file); .dest(&file);
mkFlag()
.longName("impure")
.description("allow access to mutable paths and repositories")
.handler([&](std::vector<std::string> ss) {
evalSettings.pureEval = false;
});
} }
ref<EvalState> SourceExprCommand::getEvalState() ref<EvalState> SourceExprCommand::getEvalState()
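Review bot: The handler lambda on the new `--impure` flag declares a `std::vector<std::string> ss` parameter it never reads and captures by reference with `[&]` although its body only touches `evalSettings`; if `evalSettings` is a namespace-scope global, `.handler([](std::vector<std::string>) { evalSettings.pureEval = false; })` says the same thing without the unused name or a reference capture on a lambda that outlives the constructor. The description should also say what the flag disables, since the commit title presents it as the alias of `--no-pure-eval`: `.description("disable pure evaluation mode (alias of --no-pure-eval): allow access to mutable paths and repositories")`. Because this is a separate flag rather than a true alias, `--impure` combined with `--pure-eval` presumably resolves by argument order, which is worth a short comment above `mkFlag()` if that is intended.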


@ -26,11 +26,11 @@ git -C $repo commit -m 'Bla2' -a
rev2=$(git -C $repo rev-parse HEAD) rev2=$(git -C $repo rev-parse HEAD)
# Fetch the default branch. # Fetch the default branch.
path=$(nix eval --no-pure-eval --raw "(builtins.fetchGit file://$repo).outPath") path=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
[[ $(cat $path/hello) = world ]] [[ $(cat $path/hello) = world ]]
# In pure eval mode, fetchGit without a revision should fail. # In pure eval mode, fetchGit without a revision should fail.
[[ $(nix eval --no-pure-eval --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))") = world ]] [[ $(nix eval --impure --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))") = world ]]
(! nix eval --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))") (! nix eval --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))")
# Fetch using an explicit revision hash. # Fetch using an explicit revision hash.
@ -42,14 +42,14 @@ path2=$(nix eval --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"
# Fetch again. This should be cached. # Fetch again. This should be cached.
mv $repo ${repo}-tmp mv $repo ${repo}-tmp
path2=$(nix eval --no-pure-eval --raw "(builtins.fetchGit file://$repo).outPath") path2=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
[[ $(nix eval --no-pure-eval "(builtins.fetchGit file://$repo).revCount") = 2 ]] [[ $(nix eval --impure "(builtins.fetchGit file://$repo).revCount") = 2 ]]
[[ $(nix eval --no-pure-eval --raw "(builtins.fetchGit file://$repo).rev") = $rev2 ]] [[ $(nix eval --impure --raw "(builtins.fetchGit file://$repo).rev") = $rev2 ]]
# But with TTL 0, it should fail. # But with TTL 0, it should fail.
(! nix eval --no-pure-eval --tarball-ttl 0 "(builtins.fetchGit file://$repo)" -vvvvv) (! nix eval --impure --tarball-ttl 0 "(builtins.fetchGit file://$repo)" -vvvvv)
# Fetching with a explicit hash should succeed. # Fetching with a explicit hash should succeed.
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath") path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath")
@ -61,7 +61,7 @@ path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchGit { url = file://$repo;
mv ${repo}-tmp $repo mv ${repo}-tmp $repo
# Using a clean working tree should produce the same result. # Using a clean working tree should produce the same result.
path2=$(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).outPath") path2=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
# Using an unclean tree should yield the tracked but uncommitted changes. # Using an unclean tree should yield the tracked but uncommitted changes.
@ -72,17 +72,17 @@ echo bar > $repo/dir2/bar
git -C $repo add dir1/foo git -C $repo add dir1/foo
git -C $repo rm hello git -C $repo rm hello
path2=$(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).outPath") path2=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
[ ! -e $path2/hello ] [ ! -e $path2/hello ]
[ ! -e $path2/bar ] [ ! -e $path2/bar ]
[ ! -e $path2/dir2/bar ] [ ! -e $path2/dir2/bar ]
[ ! -e $path2/.git ] [ ! -e $path2/.git ]
[[ $(cat $path2/dir1/foo) = foo ]] [[ $(cat $path2/dir1/foo) = foo ]]
[[ $(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]] [[ $(nix eval --impure --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
# ... unless we're using an explicit ref or rev. # ... unless we're using an explicit ref or rev.
path3=$(nix eval --no-pure-eval --raw "(builtins.fetchGit { url = $repo; ref = \"master\"; }).outPath") path3=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"master\"; }).outPath")
[[ $path = $path3 ]] [[ $path = $path3 ]]
path3=$(nix eval --raw "(builtins.fetchGit { url = $repo; rev = \"$rev2\"; }).outPath") path3=$(nix eval --raw "(builtins.fetchGit { url = $repo; rev = \"$rev2\"; }).outPath")
@ -91,7 +91,7 @@ path3=$(nix eval --raw "(builtins.fetchGit { url = $repo; rev = \"$rev2\"; }).ou
# Committing should not affect the store path. # Committing should not affect the store path.
git -C $repo commit -m 'Bla3' -a git -C $repo commit -m 'Bla3' -a
path4=$(nix eval --no-pure-eval --tarball-ttl 0 --raw "(builtins.fetchGit file://$repo).outPath") path4=$(nix eval --impure --tarball-ttl 0 --raw "(builtins.fetchGit file://$repo).outPath")
[[ $path2 = $path4 ]] [[ $path2 = $path4 ]]
# tarball-ttl should be ignored if we specify a rev # tarball-ttl should be ignored if we specify a rev
@ -102,29 +102,29 @@ rev3=$(git -C $repo rev-parse HEAD)
nix eval --tarball-ttl 3600 "(builtins.fetchGit { url = $repo; rev = \"$rev3\"; })" >/dev/null nix eval --tarball-ttl 3600 "(builtins.fetchGit { url = $repo; rev = \"$rev3\"; })" >/dev/null
# Update 'path' to reflect latest master # Update 'path' to reflect latest master
path=$(nix eval --no-pure-eval --raw "(builtins.fetchGit file://$repo).outPath") path=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
# Check behavior when non-master branch is used # Check behavior when non-master branch is used
git -C $repo checkout $rev2 -b dev git -C $repo checkout $rev2 -b dev
echo dev > $repo/hello echo dev > $repo/hello
# File URI uses 'master' unless specified otherwise # File URI uses 'master' unless specified otherwise
path2=$(nix eval --no-pure-eval --raw "(builtins.fetchGit file://$repo).outPath") path2=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
# Using local path with branch other than 'master' should work when clean or dirty # Using local path with branch other than 'master' should work when clean or dirty
path3=$(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).outPath") path3=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
# (check dirty-tree handling was used) # (check dirty-tree handling was used)
[[ $(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]] [[ $(nix eval --impure --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
# Committing shouldn't change store path, or switch to using 'master' # Committing shouldn't change store path, or switch to using 'master'
git -C $repo commit -m 'Bla5' -a git -C $repo commit -m 'Bla5' -a
path4=$(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).outPath") path4=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
[[ $(cat $path4/hello) = dev ]] [[ $(cat $path4/hello) = dev ]]
[[ $path3 = $path4 ]] [[ $path3 = $path4 ]]
# Confirm same as 'dev' branch # Confirm same as 'dev' branch
path5=$(nix eval --no-pure-eval --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath") path5=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
[[ $path3 = $path5 ]] [[ $path3 = $path5 ]]
@ -134,8 +134,8 @@ rm -rf $TEST_HOME/.cache/nix/gitv2
# Try again, but without 'git' on PATH # Try again, but without 'git' on PATH
NIX=$(command -v nix) NIX=$(command -v nix)
# This should fail # This should fail
(! PATH= $NIX eval --no-pure-eval --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath" ) (! PATH= $NIX eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath" )
# Try again, with 'git' available. This should work. # Try again, with 'git' available. This should work.
path5=$(nix eval --no-pure-eval --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath") path5=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
[[ $path3 = $path5 ]] [[ $path3 = $path5 ]]


@ -26,15 +26,15 @@ hg commit --cwd $repo -m 'Bla2'
rev2=$(hg log --cwd $repo -r tip --template '{node}') rev2=$(hg log --cwd $repo -r tip --template '{node}')
# Fetch the default branch. # Fetch the default branch.
path=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial file://$repo).outPath") path=$(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).outPath")
[[ $(cat $path/hello) = world ]] [[ $(cat $path/hello) = world ]]
# In pure eval mode, fetchGit without a revision should fail. # In pure eval mode, fetchGit without a revision should fail.
[[ $(nix eval --no-pure-eval --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") = world ]] [[ $(nix eval --impure --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") = world ]]
(! nix eval --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") (! nix eval --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))")
# Fetch using an explicit revision hash. # Fetch using an explicit revision hash.
path2=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath") path2=$(nix eval --impure --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
# In pure eval mode, fetchGit with a revision should succeed. # In pure eval mode, fetchGit with a revision should succeed.
@ -42,15 +42,15 @@ path2=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial { url = file://$
# Fetch again. This should be cached. # Fetch again. This should be cached.
mv $repo ${repo}-tmp mv $repo ${repo}-tmp
path2=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial file://$repo).outPath") path2=$(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
[[ $(nix eval --no-pure-eval --raw "(builtins.fetchMercurial file://$repo).branch") = default ]] [[ $(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).branch") = default ]]
[[ $(nix eval --no-pure-eval "(builtins.fetchMercurial file://$repo).revCount") = 1 ]] [[ $(nix eval --impure "(builtins.fetchMercurial file://$repo).revCount") = 1 ]]
[[ $(nix eval --no-pure-eval --raw "(builtins.fetchMercurial file://$repo).rev") = $rev2 ]] [[ $(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).rev") = $rev2 ]]
# But with TTL 0, it should fail. # But with TTL 0, it should fail.
(! nix eval --no-pure-eval --tarball-ttl 0 "(builtins.fetchMercurial file://$repo)") (! nix eval --impure --tarball-ttl 0 "(builtins.fetchMercurial file://$repo)")
# Fetching with a explicit hash should succeed. # Fetching with a explicit hash should succeed.
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath") path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
@ -62,7 +62,7 @@ path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchMercurial { url = file://
mv ${repo}-tmp $repo mv ${repo}-tmp $repo
# Using a clean working tree should produce the same result. # Using a clean working tree should produce the same result.
path2=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial $repo).outPath") path2=$(nix eval --impure --raw "(builtins.fetchMercurial $repo).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
# Using an unclean tree should yield the tracked but uncommitted changes. # Using an unclean tree should yield the tracked but uncommitted changes.
@ -73,14 +73,14 @@ echo bar > $repo/dir2/bar
hg add --cwd $repo dir1/foo hg add --cwd $repo dir1/foo
hg rm --cwd $repo hello hg rm --cwd $repo hello
path2=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial $repo).outPath") path2=$(nix eval --impure --raw "(builtins.fetchMercurial $repo).outPath")
[ ! -e $path2/hello ] [ ! -e $path2/hello ]
[ ! -e $path2/bar ] [ ! -e $path2/bar ]
[ ! -e $path2/dir2/bar ] [ ! -e $path2/dir2/bar ]
[ ! -e $path2/.hg ] [ ! -e $path2/.hg ]
[[ $(cat $path2/dir1/foo) = foo ]] [[ $(cat $path2/dir1/foo) = foo ]]
[[ $(nix eval --no-pure-eval --raw "(builtins.fetchMercurial $repo).rev") = 0000000000000000000000000000000000000000 ]] [[ $(nix eval --impure --raw "(builtins.fetchMercurial $repo).rev") = 0000000000000000000000000000000000000000 ]]
# ... unless we're using an explicit rev. # ... unless we're using an explicit rev.
path3=$(nix eval --raw "(builtins.fetchMercurial { url = $repo; rev = \"default\"; }).outPath") path3=$(nix eval --raw "(builtins.fetchMercurial { url = $repo; rev = \"default\"; }).outPath")
@ -89,5 +89,5 @@ path3=$(nix eval --raw "(builtins.fetchMercurial { url = $repo; rev = \"default\
# Committing should not affect the store path. # Committing should not affect the store path.
hg commit --cwd $repo -m 'Bla3' hg commit --cwd $repo -m 'Bla3'
path4=$(nix eval --no-pure-eval --tarball-ttl 0 --raw "(builtins.fetchMercurial file://$repo).outPath") path4=$(nix eval --impure --tarball-ttl 0 --raw "(builtins.fetchMercurial file://$repo).outPath")
[[ $path2 = $path4 ]] [[ $path2 = $path4 ]]


@ -4,7 +4,7 @@ clearStore
nix eval '(assert 1 + 2 == 3; true)' nix eval '(assert 1 + 2 == 3; true)'
[[ $(nix eval --no-pure-eval '(builtins.readFile ./pure-eval.sh)') =~ clearStore ]] [[ $(nix eval --impure '(builtins.readFile ./pure-eval.sh)') =~ clearStore ]]
(! nix eval '(builtins.readFile ./pure-eval.sh)') (! nix eval '(builtins.readFile ./pure-eval.sh)')
@ -13,6 +13,6 @@ nix eval '(assert 1 + 2 == 3; true)'
(! nix-instantiate --pure-eval ./simple.nix) (! nix-instantiate --pure-eval ./simple.nix)
[[ $(nix eval --no-pure-eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)") == 123 ]] [[ $(nix eval --impure "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)") == 123 ]]
(! nix eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)") (! nix eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)")
nix eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash-file pure-eval.nix --type sha256)\"; })).x)" nix eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash-file pure-eval.nix --type sha256)\"; })).x)"
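Review bot: After this rename none of the updated tests invokes `--no-pure-eval` any more, so the original spelling, which the commit title keeps as the long form of the new alias, is left without coverage. Keeping one assertion with the old flag next to the new one, e.g. `[[ $(nix eval --no-pure-eval '(builtins.readFile ./pure-eval.sh)') =~ clearStore ]]`, would catch a regression in either spelling; the negative case on the following line already pins that plain `nix eval` stays pure.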


@ -17,18 +17,18 @@ nix-instantiate --restrict-eval --eval -E 'builtins.readDir ../src/nix-channel'
(! nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>') (! nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=. nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
p=$(nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --no-pure-eval --restrict-eval --allowed-uris "file://$(pwd)") p=$(nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)")
cmp $p restricted.sh cmp $p restricted.sh
(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --no-pure-eval --restrict-eval) (! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval)
(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --no-pure-eval --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh/") (! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh/")
nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --no-pure-eval --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh" nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh"
(! nix eval --raw "(builtins.fetchurl https://github.com/NixOS/patchelf/archive/master.tar.gz)" --no-pure-eval --restrict-eval) (! nix eval --raw "(builtins.fetchurl https://github.com/NixOS/patchelf/archive/master.tar.gz)" --impure --restrict-eval)
(! nix eval --raw "(builtins.fetchTarball https://github.com/NixOS/patchelf/archive/master.tar.gz)" --no-pure-eval --restrict-eval) (! nix eval --raw "(builtins.fetchTarball https://github.com/NixOS/patchelf/archive/master.tar.gz)" --impure --restrict-eval)
(! nix eval --raw "(fetchGit git://github.com/NixOS/patchelf.git)" --no-pure-eval --restrict-eval) (! nix eval --raw "(fetchGit git://github.com/NixOS/patchelf.git)" --impure --restrict-eval)
ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
[[ $(nix-instantiate --eval $TEST_ROOT/restricted.nix) == 3 ]] [[ $(nix-instantiate --eval $TEST_ROOT/restricted.nix) == 3 ]]
@ -37,7 +37,7 @@ ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
(! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .) (! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .)
nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I . nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I .
[[ $(nix eval --raw --no-pure-eval --restrict-eval -I . '(builtins.readFile "${import ./simple.nix}/hello")') == 'Hello World!' ]] [[ $(nix eval --raw --impure --restrict-eval -I . '(builtins.readFile "${import ./simple.nix}/hello")') == 'Hello World!' ]]
# Check whether we can leak symlink information through directory traversal. # Check whether we can leak symlink information through directory traversal.
traverseDir="$(pwd)/restricted-traverse-me" traverseDir="$(pwd)/restricted-traverse-me"