forked from lix-project/lix
Reimplement trusted-substituters (aka trusted-binary-caches)
This commit is contained in:
parent
9cc8047f44
commit
76cb3c702c
|
@ -239,6 +239,10 @@ public:
|
||||||
"Additional URIs of substituters.",
|
"Additional URIs of substituters.",
|
||||||
{"extra-binary-caches"}};
|
{"extra-binary-caches"}};
|
||||||
|
|
||||||
|
Setting<StringSet> trustedSubstituters{this, {}, "trusted-substituters",
|
||||||
|
"Disabled substituters that may be enabled via the substituters option by untrusted users.",
|
||||||
|
{"trusted-binary-caches"}};
|
||||||
|
|
||||||
Setting<Strings> trustedUsers{this, {"root"}, "trusted-users",
|
Setting<Strings> trustedUsers{this, {"root"}, "trusted-users",
|
||||||
"Which users or groups are trusted to ask the daemon to do unsafe things."};
|
"Which users or groups are trusted to ask the daemon to do unsafe things."};
|
||||||
|
|
||||||
|
|
|
@ -448,20 +448,56 @@ static void performOp(ref<LocalStore> store, bool trusted, unsigned int clientVe
|
||||||
readInt(from); // obsolete printBuildTrace
|
readInt(from); // obsolete printBuildTrace
|
||||||
settings.buildCores = readInt(from);
|
settings.buildCores = readInt(from);
|
||||||
settings.useSubstitutes = readInt(from);
|
settings.useSubstitutes = readInt(from);
|
||||||
|
|
||||||
|
StringMap overrides;
|
||||||
if (GET_PROTOCOL_MINOR(clientVersion) >= 12) {
|
if (GET_PROTOCOL_MINOR(clientVersion) >= 12) {
|
||||||
unsigned int n = readInt(from);
|
unsigned int n = readInt(from);
|
||||||
for (unsigned int i = 0; i < n; i++) {
|
for (unsigned int i = 0; i < n; i++) {
|
||||||
string name = readString(from);
|
string name = readString(from);
|
||||||
string value = readString(from);
|
string value = readString(from);
|
||||||
|
overrides.emplace(name, value);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
startWork();
|
||||||
|
|
||||||
|
for (auto & i : overrides) {
|
||||||
|
auto & name(i.first);
|
||||||
|
auto & value(i.second);
|
||||||
|
|
||||||
|
auto setSubstituters = [&](Setting<Strings> & res) {
|
||||||
|
if (name != res.name && res.aliases.count(name) == 0)
|
||||||
|
return false;
|
||||||
|
StringSet trusted = settings.trustedSubstituters;
|
||||||
|
for (auto & s : settings.substituters.get())
|
||||||
|
trusted.insert(s);
|
||||||
|
Strings subs;
|
||||||
|
auto ss = tokenizeString<Strings>(value);
|
||||||
|
for (auto & s : ss)
|
||||||
|
if (trusted.count(s))
|
||||||
|
subs.push_back(s);
|
||||||
|
else
|
||||||
|
warn("ignoring untrusted substituter '%s'", s);
|
||||||
|
res = subs;
|
||||||
|
return true;
|
||||||
|
};
|
||||||
|
|
||||||
try {
|
try {
|
||||||
if (trusted || name == "build-timeout")
|
if (trusted
|
||||||
|
|| name == settings.buildTimeout.name
|
||||||
|
|| name == settings.connectTimeout.name)
|
||||||
settings.set(name, value);
|
settings.set(name, value);
|
||||||
|
else if (setSubstituters(settings.substituters))
|
||||||
|
;
|
||||||
|
else if (setSubstituters(settings.extraSubstituters))
|
||||||
|
;
|
||||||
|
else
|
||||||
|
debug("ignoring untrusted setting '%s'", name);
|
||||||
} catch (UsageError & e) {
|
} catch (UsageError & e) {
|
||||||
warn(e.what());
|
warn(e.what());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
startWork();
|
|
||||||
stopWork();
|
stopWork();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue