John Ericson 2023-04-07 11:13:23 -04:00
parent c036de086e
commit 6e1e15ffec
8 changed files with 48 additions and 29 deletions


@ -290,14 +290,19 @@ connected:
auto drv = store->readDerivation(*drvPath); auto drv = store->readDerivation(*drvPath);
std::optional<BuildResult> optResult; std::optional<BuildResult> optResult;
if (sshStore->isTrustedClient() || drv.type().isCA()) { // If we don't know whether we are trusted (e.g. `ssh://`
// Hijack the inputs paths of the derivation to include all the paths // stores), we assume we are. This is neccessary for backwards
// that come from the `inputDrvs` set. // compat.
// We dont do that for the derivations whose `inputDrvs` is empty if (std::optional trust = sshStore->isTrustedClient(); (!trust || *trust) || drv.type().isCA()) {
// because // Hijack the inputs paths of the derivation to include all
// the paths that come from the `inputDrvs` set. We dont do
// that for the derivations whose `inputDrvs` is empty
// because:
//
// 1. Its not needed // 1. Its not needed
// 2. Changing the `inputSrcs` set changes the associated output ids, //
// which break CA derivations // 2. Changing the `inputSrcs` set changes the associated
// output ids, which break CA derivations
if (!drv.inputDrvs.empty()) if (!drv.inputDrvs.empty())
drv.inputSrcs = store->parseStorePathSet(inputs); drv.inputSrcs = store->parseStorePathSet(inputs);
optResult = sshStore->buildDerivation(*drvPath, (const BasicDerivation &) drv); optResult = sshStore->buildDerivation(*drvPath, (const BasicDerivation &) drv);
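Review bot: The new condition `if (std::optional trust = sshStore->isTrustedClient(); (!trust || *trust) || drv.type().isCA())` spells out "unknown counts as trusted" by hand; if `trust` is not referenced further down the block, `if (sshStore->isTrustedClient().value_or(true) || drv.type().isCA()) {` states the same fail-open default directly and keeps the declaration out of the condition. Because that default is fail-open, the comment above it should also say what happens when the assumption is wrong: the rewritten `inputSrcs` then contains input-addressed paths the remote will refuse to accept, so the failure surfaces later when the inputs are copied (the new should-fail test expects `lacks a signature by a trusted key`) rather than at this check. The comment has `neccessary` for `necessary`, and the list items read `Its not needed` for `It's not needed`. The enclosing `connected:` block starts before and ends after this hunk.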


@ -0,0 +1,2 @@
outPath=$(readlink -f $TEST_ROOT/result)
grep 'FOO BAR BAZ' ${remoteDir}/${outPath}
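Review bot: This new script reads `remoteDir` but nothing in it sets or checks that variable; it is only assigned in build-remote-trustless.sh, so a header comment should state the ordering contract, `# Must be sourced after build-remote-trustless.sh, which sets remoteDir.`, and `: "${remoteDir:?build-remote-trustless.sh must be sourced first}"` would turn a missing definition into a clear error instead of a grep on `/<outPath>`. Both expansions are also unquoted; `outPath=$(readlink -f "$TEST_ROOT/result")` and `grep 'FOO BAR BAZ' "${remoteDir}/${outPath}"` match the quoting the should-fail test already uses for `$TEST_ROOT`.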


@ -1,11 +1,25 @@
source common.sh source common.sh
# We act as if remote trusts us, but it doesn't. This fails since we are [[ $busybox =~ busybox ]] || skipTest "no busybox"
# building input-addressed derivations with `buildDerivation`, which
# depends on trust. unset NIX_STORE_DIR
unset NIX_STATE_DIR
# We first build a dependency of the derivation we eventually want to
# build.
nix-build build-hook.nix -A passthru.input2 \
-o "$TEST_ROOT/input2" \
--arg busybox "$busybox" \
--store "$TEST_ROOT/local" \
--option system-features bar
# Now when we go to build that downstream derivation, Nix will try to
# copy our already-build `input2` to the remote store. That store object
# is input-addressed, so this will fail.
file=build-hook.nix file=build-hook.nix
prog=$(readlink -e ./nix-daemon-untrusting.sh) prog=$(readlink -e ./nix-daemon-untrusting.sh)
proto=ssh-ng proto=ssh-ng
trusting=true
! source build-remote-trustless.sh expectStderr 1 source build-remote-trustless.sh \
| grepQuiet "cannot add path '[^ ]*' because it lacks a signature by a trusted key"
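Review bot: The comment above the second `file=build-hook.nix` line reads `already-build` where `already-built` is meant. The `[[ $busybox =~ busybox ]] || skipTest "no busybox"` check on the first new line duplicates the one inside build-remote-trustless.sh; it is needed here because the `nix-build build-hook.nix -A passthru.input2` step runs before that script is sourced, and a one-line comment, `# repeated from build-remote-trustless.sh: input2 is built before that file is sourced`, would keep a later cleanup from removing it.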


@ -1,9 +1,9 @@
source common.sh source common.sh
# Remote trusts us but we pretend it doesn't. # Remote trusts us
file=build-hook.nix file=build-hook.nix
prog=nix-store prog=nix-store
proto=ssh proto=ssh
trusting=false
source build-remote-trustless.sh source build-remote-trustless.sh
source build-remote-trustless-after.sh


@ -1,9 +1,9 @@
source common.sh source common.sh
# Remote trusts us but we pretend it doesn't. # Remote trusts us
file=build-hook.nix file=build-hook.nix
prog=nix-daemon prog=nix-daemon
proto=ssh-ng proto=ssh-ng
trusting=false
source build-remote-trustless.sh source build-remote-trustless.sh
source build-remote-trustless-after.sh


@ -1,9 +1,9 @@
source common.sh source common.sh
# Remote doesn't trust us nor do we think it does # Remote doesn't trust us
file=build-hook.nix file=build-hook.nix
prog=$(readlink -e ./nix-daemon-untrusting.sh) prog=$(readlink -e ./nix-daemon-untrusting.sh)
proto=ssh-ng proto=ssh-ng
trusting=false
source build-remote-trustless.sh source build-remote-trustless.sh
source build-remote-trustless-after.sh


@ -1,10 +1,10 @@
source common.sh source common.sh
# We act as if remote trusts us, but it doesn't. This is fine because we # Remote doesn't trusts us, but this is fine because we are only
# are only building (fixed) CA derivations. # building (fixed) CA derivations.
file=build-hook-ca-fixed.nix file=build-hook-ca-fixed.nix
prog=$(readlink -e ./nix-daemon-untrusting.sh) prog=$(readlink -e ./nix-daemon-untrusting.sh)
proto=ssh-ng proto=ssh-ng
trusting=true
source build-remote-trustless.sh source build-remote-trustless.sh
source build-remote-trustless-after.sh
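Review bot: The rewritten header comment reads `# Remote doesn't trusts us, but this is fine because we are only`; `doesn't trusts` should be `doesn't trust`. Otherwise the change mirrors the sibling scripts (drop `trusting=`, source build-remote-trustless-after.sh) and raises nothing further.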


@ -1,16 +1,14 @@
if ! canUseSandbox; then exit; fi requireSandboxSupport
if ! [[ $busybox =~ busybox ]]; then exit; fi [[ $busybox =~ busybox ]] || skipTest "no busybox"
unset NIX_STORE_DIR unset NIX_STORE_DIR
unset NIX_STATE_DIR unset NIX_STATE_DIR
remoteDir=$TEST_ROOT/remote
# Note: ssh{-ng}://localhost bypasses ssh. See tests/build-remote.sh for # Note: ssh{-ng}://localhost bypasses ssh. See tests/build-remote.sh for
# more details. # more details.
nix build -L -v -f $file -o $TEST_ROOT/result --max-jobs 0 \ nix-build $file -o $TEST_ROOT/result --max-jobs 0 \
--arg busybox $busybox \ --arg busybox $busybox \
--store $TEST_ROOT/local \ --store $TEST_ROOT/local \
--builders "$proto://localhost?remote-program=$prog&trusting=$trusting&remote-store=$TEST_ROOT/remote%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz" --builders "$proto://localhost?remote-program=$prog&remote-store=${remoteDir}%3Fsystem-features=foo%20bar%20baz - - 1 1 foo,bar,baz"
outPath=$(readlink -f $TEST_ROOT/result)
grep 'FOO BAR BAZ' $TEST_ROOT/${subDir}/local${outPath}
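Review bot: `remoteDir=$TEST_ROOT/remote` is introduced here, but its other consumer is build-remote-trustless-after.sh, which the callers source after this file; a comment on the assignment, `# also read by build-remote-trustless-after.sh to locate the remote store's output`, makes that cross-file contract visible. The value is then spliced into the `--builders` URL as `remote-store=${remoteDir}%3Fsystem-features=...` with no encoding, so a TEST_ROOT containing `&`, `?` or `%` would be parsed as additional query parameters; this predates the commit, but since the line is being rewritten it is the moment to record the assumption (`# TEST_ROOT must not contain URL metacharacters`) or encode the path. The switch from `nix build -L -v -f $file` to `nix-build $file` also drops the verbose build log, which looks intentional but is worth a word in the commit message.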