lix/tests/nixos/tarball-flakes.nix

{ lib, config, nixpkgs, ... }:

let
  pkgs = config.nodes.machine.nixpkgs.pkgs;

  root = pkgs.runCommand "nixpkgs-flake" {}
    ''
      mkdir -p $out/{stable,tags}

      set -x
      dir=nixpkgs-${nixpkgs.shortRev}
      cp -prd ${nixpkgs} $dir
      # Set the correct timestamp in the tarball.
      find $dir -print0 | xargs -0 touch -h -t ${builtins.substring 0 12 nixpkgs.lastModifiedDate}.${builtins.substring 12 2 nixpkgs.lastModifiedDate} --
      tar cfz $out/stable/${nixpkgs.rev}.tar.gz $dir --hard-dereference

      # Set the "Link" header on the redirect but not the final response to
      # simulate an S3-like serving environment where the final host cannot set
      # arbitrary headers.
      cat >$out/tags/.htaccess <<EOF
      Redirect "/tags/latest.tar.gz" "/stable/${nixpkgs.rev}.tar.gz"
      Header always set Link "<http://localhost/stable/${nixpkgs.rev}.tar.gz?rev=${nixpkgs.rev}&revCount=1234>; rel=\"immutable\""
      EOF
    '';
in

{
  name = "tarball-flakes";

  nodes =
    {
      machine =
        { config, pkgs, ... }:
        { networking.firewall.allowedTCPPorts = [ 80 ];

          services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
          services.httpd.extraConfig = ''
            ErrorLog syslog:local6
          '';
          services.httpd.virtualHosts."localhost" =
            { servedDirs =
                [ { urlPath = "/";
                    dir = root;
                  }
                ];
            };

          virtualisation.writableStore = true;
          virtualisation.diskSize = 2048;
          virtualisation.additionalPaths = [ pkgs.hello pkgs.fuse ];
          virtualisation.memorySize = 4096;
          nix.settings.substituters = lib.mkForce [ ];
          nix.extraOptions = "experimental-features = nix-command flakes";
        };
    };

  testScript = { nodes }: ''
    # fmt: off
    import json

    start_all()

    machine.wait_for_unit("httpd.service")

    out = machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz")
    print(out)
    info = json.loads(out)

    # Check that we got redirected to the immutable URL.
    locked_url = info["locked"]["url"]
    assert locked_url == "http://localhost/stable/${nixpkgs.rev}.tar.gz?rev=${nixpkgs.rev}&revCount=1234", f"{locked_url=} != http://localhost/stable/${nixpkgs.rev}.tar.gz"

    # Check that we got the rev and revCount attributes.
    revision = info["revision"]
    rev_count = info["revCount"]
    assert revision == "${nixpkgs.rev}", f"{revision=} != ${nixpkgs.rev}"
    assert rev_count == 1234, f"{rev_count=} != 1234"

    # Check that fetching with rev/revCount/narHash succeeds.
    machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz?rev=" + revision)
    machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz?revCount=" + str(rev_count))
    machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz?narHash=" + info["locked"]["narHash"])

    # Check that fetching fails if we provide incorrect attributes.
    machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?rev=493300eb13ae6fb387fbd47bf54a85915acc31c0")
    machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?revCount=789")
    machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?narHash=sha256-tbudgBSg+bHWHiHnlteNzN8TUvI80ygS9IULh4rklEw=")
  '';

}
Allow tarball URLs to redirect to a lockable immutable URL Previously, for tarball flakes, we recorded the original URL of the tarball flake, rather than the URL to which it ultimately redirects. Thus, a flake URL like http://example.org/patchelf-latest.tar that redirects to http://example.org/patchelf-<revision>.tar was not really usable. We couldn't record the redirected URL, because sites like GitHub redirect to CDN URLs that we can't rely on to be stable. So now we use the redirected URL only if the server returns the `x-nix-is-immutable` or `x-amz-meta-nix-is-immutable` headers in its response. 2023-06-07 12:26:30 +00:00			`{ lib, config, nixpkgs, ... }:`

			`let`
			`pkgs = config.nodes.machine.nixpkgs.pkgs;`

			`root = pkgs.runCommand "nixpkgs-flake" {}`
			`''`
tests/nixos: make the tarball-flakes test better reflect real use cases In most real world cases, the Link header is set on the redirect, not on the final file. This regressed in Lix earlier and while new unit tests were added to cover it, this integration test should probably have also caught it. Change-Id: I2a9d8d952fff36f2c22cfd751451c2b523f7045c 2024-05-29 22:22:25 +00:00			`mkdir -p $out/{stable,tags}`
Allow tarball URLs to redirect to a lockable immutable URL Previously, for tarball flakes, we recorded the original URL of the tarball flake, rather than the URL to which it ultimately redirects. Thus, a flake URL like http://example.org/patchelf-latest.tar that redirects to http://example.org/patchelf-<revision>.tar was not really usable. We couldn't record the redirected URL, because sites like GitHub redirect to CDN URLs that we can't rely on to be stable. So now we use the redirected URL only if the server returns the `x-nix-is-immutable` or `x-amz-meta-nix-is-immutable` headers in its response. 2023-06-07 12:26:30 +00:00
			`set -x`
			`dir=nixpkgs-${nixpkgs.shortRev}`
			`cp -prd ${nixpkgs} $dir`
			`# Set the correct timestamp in the tarball.`
Use "touch -h" https://hydra.nixos.org/build/235888160 This is needed because Nixpkgs now contains dangling symlinks (pkgs/test/nixpkgs-check-by-name/tests/symlink-invalid/pkgs/by-name/fo/foo/foo.nix). 2023-09-19 15:21:07 +00:00			`find $dir -print0 \| xargs -0 touch -h -t ${builtins.substring 0 12 nixpkgs.lastModifiedDate}.${builtins.substring 12 2 nixpkgs.lastModifiedDate} --`
Allow tarball URLs to redirect to a lockable immutable URL Previously, for tarball flakes, we recorded the original URL of the tarball flake, rather than the URL to which it ultimately redirects. Thus, a flake URL like http://example.org/patchelf-latest.tar that redirects to http://example.org/patchelf-<revision>.tar was not really usable. We couldn't record the redirected URL, because sites like GitHub redirect to CDN URLs that we can't rely on to be stable. So now we use the redirected URL only if the server returns the `x-nix-is-immutable` or `x-amz-meta-nix-is-immutable` headers in its response. 2023-06-07 12:26:30 +00:00			`tar cfz $out/stable/${nixpkgs.rev}.tar.gz $dir --hard-dereference`

tests/nixos: make the tarball-flakes test better reflect real use cases In most real world cases, the Link header is set on the redirect, not on the final file. This regressed in Lix earlier and while new unit tests were added to cover it, this integration test should probably have also caught it. Change-Id: I2a9d8d952fff36f2c22cfd751451c2b523f7045c 2024-05-29 22:22:25 +00:00			`# Set the "Link" header on the redirect but not the final response to`
			`# simulate an S3-like serving environment where the final host cannot set`
			`# arbitrary headers.`
			`cat >$out/tags/.htaccess <<EOF`
			`Redirect "/tags/latest.tar.gz" "/stable/${nixpkgs.rev}.tar.gz"`
			`Header always set Link "<http://localhost/stable/${nixpkgs.rev}.tar.gz?rev=${nixpkgs.rev}&revCount=1234>; rel=\"immutable\""`
			`EOF`
Allow tarball URLs to redirect to a lockable immutable URL Previously, for tarball flakes, we recorded the original URL of the tarball flake, rather than the URL to which it ultimately redirects. Thus, a flake URL like http://example.org/patchelf-latest.tar that redirects to http://example.org/patchelf-<revision>.tar was not really usable. We couldn't record the redirected URL, because sites like GitHub redirect to CDN URLs that we can't rely on to be stable. So now we use the redirected URL only if the server returns the `x-nix-is-immutable` or `x-amz-meta-nix-is-immutable` headers in its response. 2023-06-07 12:26:30 +00:00			`'';`
			`in`

			`{`
			`name = "tarball-flakes";`

			`nodes =`
			`{`
			`machine =`
			`{ config, pkgs, ... }:`
			`{ networking.firewall.allowedTCPPorts = [ 80 ];`

			`services.httpd.enable = true;`
			`services.httpd.adminAddr = "foo@example.org";`
			`services.httpd.extraConfig = ''`
			`ErrorLog syslog:local6`
			`'';`
			`services.httpd.virtualHosts."localhost" =`
			`{ servedDirs =`
			`[ { urlPath = "/";`
			`dir = root;`
			`}`
			`];`
			`};`

			`virtualisation.writableStore = true;`
			`virtualisation.diskSize = 2048;`
			`virtualisation.additionalPaths = [ pkgs.hello pkgs.fuse ];`
			`virtualisation.memorySize = 4096;`
			`nix.settings.substituters = lib.mkForce [ ];`
			`nix.extraOptions = "experimental-features = nix-command flakes";`
			`};`
			`};`

			`testScript = { nodes }: ''`
			`# fmt: off`
			`import json`

			`start_all()`

			`machine.wait_for_unit("httpd.service")`

tests/nixos: make the tarball-flakes test better reflect real use cases In most real world cases, the Link header is set on the redirect, not on the final file. This regressed in Lix earlier and while new unit tests were added to cover it, this integration test should probably have also caught it. Change-Id: I2a9d8d952fff36f2c22cfd751451c2b523f7045c 2024-05-29 22:22:25 +00:00			`out = machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz")`
Allow tarball URLs to redirect to a lockable immutable URL Previously, for tarball flakes, we recorded the original URL of the tarball flake, rather than the URL to which it ultimately redirects. Thus, a flake URL like http://example.org/patchelf-latest.tar that redirects to http://example.org/patchelf-<revision>.tar was not really usable. We couldn't record the redirected URL, because sites like GitHub redirect to CDN URLs that we can't rely on to be stable. So now we use the redirected URL only if the server returns the `x-nix-is-immutable` or `x-amz-meta-nix-is-immutable` headers in its response. 2023-06-07 12:26:30 +00:00			`print(out)`
			`info = json.loads(out)`

			`# Check that we got redirected to the immutable URL.`
tests: add error messages to the asserts in tarball flakes test In hopes of avoiding opaque error messages like the one in https://buildbot.lix.systems/#/builders/49/builds/1054/steps/1/logs/stdio Traceback (most recent call last): File "/nix/store/wj6wh89jhd2492r781qsr09r9wydfs6m-nixos-test-driver-1.1/bin/.nixos-test-driver-wrapped", line 9, in <module> sys.exit(main()) ^^^^^^ File "/nix/store/wj6wh89jhd2492r781qsr09r9wydfs6m-nixos-test-driver-1.1/lib/python3.11/site-packages/test_driver/__init__.py", line 126, in main driver.run_tests() File "/nix/store/wj6wh89jhd2492r781qsr09r9wydfs6m-nixos-test-driver-1.1/lib/python3.11/site-packages/test_driver/driver.py", line 159, in run_tests self.test_script() File "/nix/store/wj6wh89jhd2492r781qsr09r9wydfs6m-nixos-test-driver-1.1/lib/python3.11/site-packages/test_driver/driver.py", line 151, in test_script exec(self.tests, symbols, None) File "<string>", line 13, in <module> AssertionError Change-Id: Idd2212a1c3714ce58c7c3a9f34c2ca4313eb6d55 2024-04-22 22:13:36 +00:00			`locked_url = info["locked"]["url"]`
libfetchers: make attribute / URL query handling consistent The original idea was to fix lix#174, but for a user friendly solution, I figured that we'd need more consistency: * Invalid query params will cause an error, just like invalid attributes. This has the following two consequences: * The `?dir=`-param from flakes will be removed before the URL to be fetched is passed to libfetchers. * The tarball fetcher doesn't allow URLs with custom query params anymore. I think this was questionable anyways given that an arbitrary set of query params was silently removed from the URL you wanted to fetch. The correct way is to use an attribute-set with a key `url` that contains the tarball URL to fetch. * Same for the git & mercurial fetchers: in that case it doesn't even matter though: both fetchers added unused query params to the URL that's passed from the input scheme to the fetcher (`url2` in the code). It turns out that this was never used since the query parameters were erased again in `getActualUrl`. * Validation happens for both attributes and URLs. Previously, a lot of fetchers validated e.g. refs/revs only when specified in a URL and the validity of attribute names only in `inputFromAttrs`. Now, all the validation is done in `inputFromAttrs` and `inputFromURL` constructs attributes that will be passed to `inputFromAttrs`. * Accept all attributes as URL query parameters. That also includes lesser used ones such as `narHash`. And "output" attributes like `lastModified`: these could be declared already when declaring inputs as attribute rather than URL. Now the behavior is at least consistent. Personally, I think we should differentiate in the future between "fetched input" (basically the attr-set that ends up in the lock-file) and "unfetched input" earlier: both inputFrom{Attrs,URL} entrypoints are probably OK for unfetched inputs, but for locked/fetched inputs a custom entrypoint should be used. Then, the current entrypoints wouldn't have to allow these attributes anymore. Change-Id: I1be1992249f7af8287cfc37891ab505ddaa2e8cd 2024-05-04 10:55:10 +00:00			`assert locked_url == "http://localhost/stable/${nixpkgs.rev}.tar.gz?rev=${nixpkgs.rev}&revCount=1234", f"{locked_url=} != http://localhost/stable/${nixpkgs.rev}.tar.gz"`
Allow tarball URLs to redirect to a lockable immutable URL Previously, for tarball flakes, we recorded the original URL of the tarball flake, rather than the URL to which it ultimately redirects. Thus, a flake URL like http://example.org/patchelf-latest.tar that redirects to http://example.org/patchelf-<revision>.tar was not really usable. We couldn't record the redirected URL, because sites like GitHub redirect to CDN URLs that we can't rely on to be stable. So now we use the redirected URL only if the server returns the `x-nix-is-immutable` or `x-amz-meta-nix-is-immutable` headers in its response. 2023-06-07 12:26:30 +00:00
			`# Check that we got the rev and revCount attributes.`
tests: add error messages to the asserts in tarball flakes test In hopes of avoiding opaque error messages like the one in https://buildbot.lix.systems/#/builders/49/builds/1054/steps/1/logs/stdio Traceback (most recent call last): File "/nix/store/wj6wh89jhd2492r781qsr09r9wydfs6m-nixos-test-driver-1.1/bin/.nixos-test-driver-wrapped", line 9, in <module> sys.exit(main()) ^^^^^^ File "/nix/store/wj6wh89jhd2492r781qsr09r9wydfs6m-nixos-test-driver-1.1/lib/python3.11/site-packages/test_driver/__init__.py", line 126, in main driver.run_tests() File "/nix/store/wj6wh89jhd2492r781qsr09r9wydfs6m-nixos-test-driver-1.1/lib/python3.11/site-packages/test_driver/driver.py", line 159, in run_tests self.test_script() File "/nix/store/wj6wh89jhd2492r781qsr09r9wydfs6m-nixos-test-driver-1.1/lib/python3.11/site-packages/test_driver/driver.py", line 151, in test_script exec(self.tests, symbols, None) File "<string>", line 13, in <module> AssertionError Change-Id: Idd2212a1c3714ce58c7c3a9f34c2ca4313eb6d55 2024-04-22 22:13:36 +00:00			`revision = info["revision"]`
			`rev_count = info["revCount"]`
			`assert revision == "${nixpkgs.rev}", f"{revision=} != ${nixpkgs.rev}"`
			`assert rev_count == 1234, f"{rev_count=} != 1234"`
Allow tarball URLs to redirect to a lockable immutable URL Previously, for tarball flakes, we recorded the original URL of the tarball flake, rather than the URL to which it ultimately redirects. Thus, a flake URL like http://example.org/patchelf-latest.tar that redirects to http://example.org/patchelf-<revision>.tar was not really usable. We couldn't record the redirected URL, because sites like GitHub redirect to CDN URLs that we can't rely on to be stable. So now we use the redirected URL only if the server returns the `x-nix-is-immutable` or `x-amz-meta-nix-is-immutable` headers in its response. 2023-06-07 12:26:30 +00:00
			`# Check that fetching with rev/revCount/narHash succeeds.`
tests/nixos: make the tarball-flakes test better reflect real use cases In most real world cases, the Link header is set on the redirect, not on the final file. This regressed in Lix earlier and while new unit tests were added to cover it, this integration test should probably have also caught it. Change-Id: I2a9d8d952fff36f2c22cfd751451c2b523f7045c 2024-05-29 22:22:25 +00:00			`machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz?rev=" + revision)`
			`machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz?revCount=" + str(rev_count))`
			`machine.succeed("nix flake metadata --json http://localhost/tags/latest.tar.gz?narHash=" + info["locked"]["narHash"])`
Allow tarball URLs to redirect to a lockable immutable URL Previously, for tarball flakes, we recorded the original URL of the tarball flake, rather than the URL to which it ultimately redirects. Thus, a flake URL like http://example.org/patchelf-latest.tar that redirects to http://example.org/patchelf-<revision>.tar was not really usable. We couldn't record the redirected URL, because sites like GitHub redirect to CDN URLs that we can't rely on to be stable. So now we use the redirected URL only if the server returns the `x-nix-is-immutable` or `x-amz-meta-nix-is-immutable` headers in its response. 2023-06-07 12:26:30 +00:00
			`# Check that fetching fails if we provide incorrect attributes.`
tests/nixos: make the tarball-flakes test better reflect real use cases In most real world cases, the Link header is set on the redirect, not on the final file. This regressed in Lix earlier and while new unit tests were added to cover it, this integration test should probably have also caught it. Change-Id: I2a9d8d952fff36f2c22cfd751451c2b523f7045c 2024-05-29 22:22:25 +00:00			`machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?rev=493300eb13ae6fb387fbd47bf54a85915acc31c0")`
			`machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?revCount=789")`
			`machine.fail("nix flake metadata --json http://localhost/tags/latest.tar.gz?narHash=sha256-tbudgBSg+bHWHiHnlteNzN8TUvI80ygS9IULh4rklEw=")`
Allow tarball URLs to redirect to a lockable immutable URL Previously, for tarball flakes, we recorded the original URL of the tarball flake, rather than the URL to which it ultimately redirects. Thus, a flake URL like http://example.org/patchelf-latest.tar that redirects to http://example.org/patchelf-<revision>.tar was not really usable. We couldn't record the redirected URL, because sites like GitHub redirect to CDN URLs that we can't rely on to be stable. So now we use the redirected URL only if the server returns the `x-nix-is-immutable` or `x-amz-meta-nix-is-immutable` headers in its response. 2023-06-07 12:26:30 +00:00			`'';`

			`}`