nix: Add --expr flag

This replaces the '(...)' installable syntax, which is not very
discoverable. The downside is that you can't have multiple expressions
or mix expressions and other installables.
This commit is contained in:
Eelco Dolstra 2019-11-27 00:05:30 +01:00
parent 2c6dbcd5e7
commit ca8caaec5e
9 changed files with 86 additions and 76 deletions

View file

@ -56,6 +56,7 @@ struct MixFlakeOptions : virtual Args
struct SourceExprCommand : virtual Args, EvalCommand, MixFlakeOptions struct SourceExprCommand : virtual Args, EvalCommand, MixFlakeOptions
{ {
std::optional<Path> file; std::optional<Path> file;
std::optional<std::string> expr;
SourceExprCommand(); SourceExprCommand();
@ -106,7 +107,7 @@ struct InstallableCommand : virtual Args, SourceExprCommand
private: private:
std::string _installable{"."}; std::string _installable{""};
}; };
/* A command that operates on zero or more store paths. */ /* A command that operates on zero or more store paths. */

View file

@ -28,7 +28,7 @@ struct CmdEval : MixJSON, InstallableCommand
return { return {
Example{ Example{
"To evaluate a Nix expression given on the command line:", "To evaluate a Nix expression given on the command line:",
"nix eval '(1 + 2)'" "nix eval --expr '1 + 2'"
}, },
Example{ Example{
"To evaluate a Nix expression from a file or URI:", "To evaluate a Nix expression from a file or URI:",

View file

@ -51,8 +51,14 @@ SourceExprCommand::SourceExprCommand()
.shortName('f') .shortName('f')
.longName("file") .longName("file")
.label("file") .label("file")
.description("evaluate a set of attributes from FILE (deprecated)") .description("evaluate attributes from FILE")
.dest(&file); .dest(&file);
mkFlag()
.longName("expr")
.label("expr")
.description("evaluate attributes from EXPR")
.dest(&expr);
} }
Strings SourceExprCommand::getDefaultFlakeAttrPaths() Strings SourceExprCommand::getDefaultFlakeAttrPaths()
@ -378,19 +384,25 @@ std::vector<std::shared_ptr<Installable>> SourceExprCommand::parseInstallables(
{ {
std::vector<std::shared_ptr<Installable>> result; std::vector<std::shared_ptr<Installable>> result;
if (file) { if (file || expr) {
if (file && expr)
throw UsageError("'--file' and '--expr' are exclusive");
// FIXME: backward compatibility hack // FIXME: backward compatibility hack
evalSettings.pureEval = false; if (file) evalSettings.pureEval = false;
auto state = getEvalState(); auto state = getEvalState();
auto vFile = state->allocValue(); auto vFile = state->allocValue();
state->evalFile(lookupFileArg(*state, *file), *vFile);
if (ss.empty()) if (file)
ss = {""}; state->evalFile(lookupFileArg(*state, *file), *vFile);
else {
auto e = state->parseExprFromString(*expr, absPath("."));
state->eval(e, *vFile);
}
for (auto & s : ss) for (auto & s : ss)
result.push_back(std::make_shared<InstallableAttrPath>(*this, vFile, s)); result.push_back(std::make_shared<InstallableAttrPath>(*this, vFile, s == "." ? "" : s));
} else { } else {
@ -407,10 +419,7 @@ std::vector<std::shared_ptr<Installable>> SourceExprCommand::parseInstallables(
size_t hash; size_t hash;
std::optional<Path> storePath; std::optional<Path> storePath;
if (s.compare(0, 1, "(") == 0) if (hasPrefix(s, "nixpkgs.")) {
result.push_back(std::make_shared<InstallableExpr>(*this, s));
else if (hasPrefix(s, "nixpkgs.")) {
bool static warned; bool static warned;
warnOnce(warned, "the syntax 'nixpkgs.<attr>' is deprecated; use 'nixpkgs:<attr>' instead"); warnOnce(warned, "the syntax 'nixpkgs.<attr>' is deprecated; use 'nixpkgs:<attr>' instead");
result.push_back(std::make_shared<InstallableFlake>(*this, FlakeRef("nixpkgs"), result.push_back(std::make_shared<InstallableFlake>(*this, FlakeRef("nixpkgs"),
@ -532,7 +541,7 @@ PathSet toDerivations(ref<Store> store,
void InstallablesCommand::prepare() void InstallablesCommand::prepare()
{ {
if (_installables.empty() && !file && useDefaultInstallables()) if (_installables.empty() && useDefaultInstallables())
// FIXME: commands like "nix install" should not have a // FIXME: commands like "nix install" should not have a
// default, probably. // default, probably.
_installables.push_back("."); _installables.push_back(".");

View file

@ -28,39 +28,39 @@ git -C $repo commit -m 'Bla2' -a
rev2=$(git -C $repo rev-parse HEAD) rev2=$(git -C $repo rev-parse HEAD)
# Fetch the default branch. # Fetch the default branch.
path=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath") path=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath")
[[ $(cat $path/hello) = world ]] [[ $(cat $path/hello) = world ]]
# In pure eval mode, fetchGit without a revision should fail. # In pure eval mode, fetchGit without a revision should fail.
[[ $(nix eval --impure --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))") = world ]] [[ $(nix eval --impure --raw --expr "builtins.readFile (fetchGit file://$repo + \"/hello\")") = world ]]
(! nix eval --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))") (! nix eval --raw --expr "builtins.readFile (fetchGit file://$repo + \"/hello\")")
# Fetch using an explicit revision hash. # Fetch using an explicit revision hash.
path2=$(nix eval --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath") path2=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
# In pure eval mode, fetchGit with a revision should succeed. # In pure eval mode, fetchGit with a revision should succeed.
[[ $(nix eval --raw "(builtins.readFile (fetchGit { url = file://$repo; rev = \"$rev2\"; } + \"/hello\"))") = world ]] [[ $(nix eval --raw --expr "builtins.readFile (fetchGit { url = file://$repo; rev = \"$rev2\"; } + \"/hello\")") = world ]]
# Fetch again. This should be cached. # Fetch again. This should be cached.
mv $repo ${repo}-tmp mv $repo ${repo}-tmp
path2=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath") path2=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
[[ $(nix eval --impure "(builtins.fetchGit file://$repo).revCount") = 2 ]] [[ $(nix eval --impure --expr "(builtins.fetchGit file://$repo).revCount") = 2 ]]
[[ $(nix eval --impure --raw "(builtins.fetchGit file://$repo).rev") = $rev2 ]] [[ $(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).rev") = $rev2 ]]
# Fetching with a explicit hash should succeed. # Fetching with a explicit hash should succeed.
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath") path2=$(nix eval --tarball-ttl 0 --raw --expr "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev1\"; }).outPath") path2=$(nix eval --tarball-ttl 0 --raw --expr "(builtins.fetchGit { url = file://$repo; rev = \"$rev1\"; }).outPath")
[[ $(cat $path2/hello) = utrecht ]] [[ $(cat $path2/hello) = utrecht ]]
mv ${repo}-tmp $repo mv ${repo}-tmp $repo
# Using a clean working tree should produce the same result. # Using a clean working tree should produce the same result.
path2=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath") path2=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
# Using an unclean tree should yield the tracked but uncommitted changes. # Using an unclean tree should yield the tracked but uncommitted changes.
@ -71,26 +71,26 @@ echo bar > $repo/dir2/bar
git -C $repo add dir1/foo git -C $repo add dir1/foo
git -C $repo rm hello git -C $repo rm hello
path2=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath") path2=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
[ ! -e $path2/hello ] [ ! -e $path2/hello ]
[ ! -e $path2/bar ] [ ! -e $path2/bar ]
[ ! -e $path2/dir2/bar ] [ ! -e $path2/dir2/bar ]
[ ! -e $path2/.git ] [ ! -e $path2/.git ]
[[ $(cat $path2/dir1/foo) = foo ]] [[ $(cat $path2/dir1/foo) = foo ]]
[[ $(nix eval --impure --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]] [[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
# ... unless we're using an explicit ref or rev. # ... unless we're using an explicit ref or rev.
path3=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"master\"; }).outPath") path3=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"master\"; }).outPath")
[[ $path = $path3 ]] [[ $path = $path3 ]]
path3=$(nix eval --raw "(builtins.fetchGit { url = $repo; rev = \"$rev2\"; }).outPath") path3=$(nix eval --raw --expr "(builtins.fetchGit { url = $repo; rev = \"$rev2\"; }).outPath")
[[ $path = $path3 ]] [[ $path = $path3 ]]
# Committing should not affect the store path. # Committing should not affect the store path.
git -C $repo commit -m 'Bla3' -a git -C $repo commit -m 'Bla3' -a
path4=$(nix eval --impure --tarball-ttl 0 --raw "(builtins.fetchGit file://$repo).outPath") path4=$(nix eval --impure --tarball-ttl 0 --raw --expr "(builtins.fetchGit file://$repo).outPath")
[[ $path2 = $path4 ]] [[ $path2 = $path4 ]]
# tarball-ttl should be ignored if we specify a rev # tarball-ttl should be ignored if we specify a rev
@ -98,32 +98,32 @@ echo delft > $repo/hello
git -C $repo add hello git -C $repo add hello
git -C $repo commit -m 'Bla4' git -C $repo commit -m 'Bla4'
rev3=$(git -C $repo rev-parse HEAD) rev3=$(git -C $repo rev-parse HEAD)
nix eval --tarball-ttl 3600 "(builtins.fetchGit { url = $repo; rev = \"$rev3\"; })" >/dev/null nix eval --tarball-ttl 3600 --expr "builtins.fetchGit { url = $repo; rev = \"$rev3\"; }" >/dev/null
# Update 'path' to reflect latest master # Update 'path' to reflect latest master
path=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath") path=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath")
# Check behavior when non-master branch is used # Check behavior when non-master branch is used
git -C $repo checkout $rev2 -b dev git -C $repo checkout $rev2 -b dev
echo dev > $repo/hello echo dev > $repo/hello
# File URI uses 'master' unless specified otherwise # File URI uses 'master' unless specified otherwise
path2=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath") path2=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
# Using local path with branch other than 'master' should work when clean or dirty # Using local path with branch other than 'master' should work when clean or dirty
path3=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath") path3=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
# (check dirty-tree handling was used) # (check dirty-tree handling was used)
[[ $(nix eval --impure --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]] [[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
# Committing shouldn't change store path, or switch to using 'master' # Committing shouldn't change store path, or switch to using 'master'
git -C $repo commit -m 'Bla5' -a git -C $repo commit -m 'Bla5' -a
path4=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath") path4=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
[[ $(cat $path4/hello) = dev ]] [[ $(cat $path4/hello) = dev ]]
[[ $path3 = $path4 ]] [[ $path3 = $path4 ]]
# Confirm same as 'dev' branch # Confirm same as 'dev' branch
path5=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath") path5=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
[[ $path3 = $path5 ]] [[ $path3 = $path5 ]]
@ -133,8 +133,8 @@ rm -rf $TEST_HOME/.cache/nix/gitv2
# Try again, but without 'git' on PATH # Try again, but without 'git' on PATH
NIX=$(command -v nix) NIX=$(command -v nix)
# This should fail # This should fail
(! PATH= $NIX eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath" ) (! PATH= $NIX eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath" )
# Try again, with 'git' available. This should work. # Try again, with 'git' available. This should work.
path5=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath") path5=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
[[ $path3 = $path5 ]] [[ $path3 = $path5 ]]

View file

@ -26,43 +26,43 @@ hg commit --cwd $repo -m 'Bla2'
rev2=$(hg log --cwd $repo -r tip --template '{node}') rev2=$(hg log --cwd $repo -r tip --template '{node}')
# Fetch the default branch. # Fetch the default branch.
path=$(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).outPath") path=$(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).outPath")
[[ $(cat $path/hello) = world ]] [[ $(cat $path/hello) = world ]]
# In pure eval mode, fetchGit without a revision should fail. # In pure eval mode, fetchGit without a revision should fail.
[[ $(nix eval --impure --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") = world ]] [[ $(nix eval --impure --raw --expr "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") = world ]]
(! nix eval --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") (! nix eval --raw --expr "builtins.readFile (fetchMercurial file://$repo + \"/hello\")")
# Fetch using an explicit revision hash. # Fetch using an explicit revision hash.
path2=$(nix eval --impure --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath") path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
# In pure eval mode, fetchGit with a revision should succeed. # In pure eval mode, fetchGit with a revision should succeed.
[[ $(nix eval --raw "(builtins.readFile (fetchMercurial { url = file://$repo; rev = \"$rev2\"; } + \"/hello\"))") = world ]] [[ $(nix eval --raw --expr "builtins.readFile (fetchMercurial { url = file://$repo; rev = \"$rev2\"; } + \"/hello\")") = world ]]
# Fetch again. This should be cached. # Fetch again. This should be cached.
mv $repo ${repo}-tmp mv $repo ${repo}-tmp
path2=$(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).outPath") path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
[[ $(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).branch") = default ]] [[ $(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).branch") = default ]]
[[ $(nix eval --impure "(builtins.fetchMercurial file://$repo).revCount") = 1 ]] [[ $(nix eval --impure --expr "(builtins.fetchMercurial file://$repo).revCount") = 1 ]]
[[ $(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).rev") = $rev2 ]] [[ $(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).rev") = $rev2 ]]
# But with TTL 0, it should fail. # But with TTL 0, it should fail.
(! nix eval --impure --tarball-ttl 0 "(builtins.fetchMercurial file://$repo)") (! nix eval --impure --tarball-ttl 0 --expr "builtins.fetchMercurial file://$repo")
# Fetching with a explicit hash should succeed. # Fetching with a explicit hash should succeed.
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath") path2=$(nix eval --tarball-ttl 0 --raw --expr "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev1\"; }).outPath") path2=$(nix eval --tarball-ttl 0 --raw --expr "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev1\"; }).outPath")
[[ $(cat $path2/hello) = utrecht ]] [[ $(cat $path2/hello) = utrecht ]]
mv ${repo}-tmp $repo mv ${repo}-tmp $repo
# Using a clean working tree should produce the same result. # Using a clean working tree should produce the same result.
path2=$(nix eval --impure --raw "(builtins.fetchMercurial $repo).outPath") path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial $repo).outPath")
[[ $path = $path2 ]] [[ $path = $path2 ]]
# Using an unclean tree should yield the tracked but uncommitted changes. # Using an unclean tree should yield the tracked but uncommitted changes.
@ -73,21 +73,21 @@ echo bar > $repo/dir2/bar
hg add --cwd $repo dir1/foo hg add --cwd $repo dir1/foo
hg rm --cwd $repo hello hg rm --cwd $repo hello
path2=$(nix eval --impure --raw "(builtins.fetchMercurial $repo).outPath") path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial $repo).outPath")
[ ! -e $path2/hello ] [ ! -e $path2/hello ]
[ ! -e $path2/bar ] [ ! -e $path2/bar ]
[ ! -e $path2/dir2/bar ] [ ! -e $path2/dir2/bar ]
[ ! -e $path2/.hg ] [ ! -e $path2/.hg ]
[[ $(cat $path2/dir1/foo) = foo ]] [[ $(cat $path2/dir1/foo) = foo ]]
[[ $(nix eval --impure --raw "(builtins.fetchMercurial $repo).rev") = 0000000000000000000000000000000000000000 ]] [[ $(nix eval --impure --raw --expr "(builtins.fetchMercurial $repo).rev") = 0000000000000000000000000000000000000000 ]]
# ... unless we're using an explicit rev. # ... unless we're using an explicit rev.
path3=$(nix eval --raw "(builtins.fetchMercurial { url = $repo; rev = \"default\"; }).outPath") path3=$(nix eval --raw --expr "(builtins.fetchMercurial { url = $repo; rev = \"default\"; }).outPath")
[[ $path = $path3 ]] [[ $path = $path3 ]]
# Committing should not affect the store path. # Committing should not affect the store path.
hg commit --cwd $repo -m 'Bla3' hg commit --cwd $repo -m 'Bla3'
path4=$(nix eval --impure --tarball-ttl 0 --raw "(builtins.fetchMercurial file://$repo).outPath") path4=$(nix eval --impure --tarball-ttl 0 --raw --expr "(builtins.fetchMercurial file://$repo).outPath")
[[ $path2 = $path4 ]] [[ $path2 = $path4 ]]

View file

@ -57,11 +57,11 @@ with import ./config.nix; mkDerivation {
EOF EOF
) )
nix build --impure -v -o $TEST_ROOT/result-A -L "($expr)" \ nix build --impure -v -o $TEST_ROOT/result-A -L --expr "$expr" \
--min-free 1000 --max-free 2000 --min-free-check-interval 1 & --min-free 1000 --max-free 2000 --min-free-check-interval 1 &
pid=$! pid=$!
nix build --impure -v -o $TEST_ROOT/result-B -L "($expr2)" \ nix build --impure -v -o $TEST_ROOT/result-B -L --expr "$expr2" \
--min-free 1000 --max-free 2000 --min-free-check-interval 1 --min-free 1000 --max-free 2000 --min-free-check-interval 1
wait "$pid" wait "$pid"

View file

@ -2,6 +2,6 @@ source common.sh
set -o pipefail set -o pipefail
res=$(nix eval '(builtins.anotherNull)' --option setting-set true --option plugin-files $PWD/plugins/libplugintest*) res=$(nix eval --expr builtins.anotherNull --option setting-set true --option plugin-files $PWD/plugins/libplugintest*)
[ "$res"x = "nullx" ] [ "$res"x = "nullx" ]

View file

@ -2,17 +2,17 @@ source common.sh
clearStore clearStore
nix eval '(assert 1 + 2 == 3; true)' nix eval --expr 'assert 1 + 2 == 3; true'
[[ $(nix eval --impure '(builtins.readFile ./pure-eval.sh)') =~ clearStore ]] [[ $(nix eval --impure --expr 'builtins.readFile ./pure-eval.sh') =~ clearStore ]]
(! nix eval '(builtins.readFile ./pure-eval.sh)') (! nix eval --expr 'builtins.readFile ./pure-eval.sh')
(! nix eval '(builtins.currentTime)') (! nix eval --expr builtins.currentTime)
(! nix eval '(builtins.currentSystem)') (! nix eval --expr builtins.currentSystem)
(! nix-instantiate --pure-eval ./simple.nix) (! nix-instantiate --pure-eval ./simple.nix)
[[ $(nix eval --impure "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)") == 123 ]] [[ $(nix eval --impure --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x") == 123 ]]
(! nix eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)") (! nix eval --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x")
nix eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash-file pure-eval.nix --type sha256)\"; })).x)" nix eval --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash-file pure-eval.nix --type sha256)\"; })).x"

View file

@ -17,18 +17,18 @@ nix-instantiate --restrict-eval --eval -E 'builtins.readDir ../src/nix-channel'
(! nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>') (! nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=. nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
p=$(nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)") p=$(nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)")
cmp $p restricted.sh cmp $p restricted.sh
(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval) (! nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval)
(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh/") (! nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh/")
nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh" nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh"
(! nix eval --raw "(builtins.fetchurl https://github.com/NixOS/patchelf/archive/master.tar.gz)" --impure --restrict-eval) (! nix eval --raw --expr "builtins.fetchurl https://github.com/NixOS/patchelf/archive/master.tar.gz" --impure --restrict-eval)
(! nix eval --raw "(builtins.fetchTarball https://github.com/NixOS/patchelf/archive/master.tar.gz)" --impure --restrict-eval) (! nix eval --raw --expr "builtins.fetchTarball https://github.com/NixOS/patchelf/archive/master.tar.gz" --impure --restrict-eval)
(! nix eval --raw "(fetchGit git://github.com/NixOS/patchelf.git)" --impure --restrict-eval) (! nix eval --raw --expr "fetchGit git://github.com/NixOS/patchelf.git" --impure --restrict-eval)
ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
[[ $(nix-instantiate --eval $TEST_ROOT/restricted.nix) == 3 ]] [[ $(nix-instantiate --eval $TEST_ROOT/restricted.nix) == 3 ]]
@ -37,7 +37,7 @@ ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
(! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .) (! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .)
nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I . nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I .
[[ $(nix eval --raw --impure --restrict-eval -I . '(builtins.readFile "${import ./simple.nix}/hello")') == 'Hello World!' ]] [[ $(nix eval --raw --impure --restrict-eval -I . --expr 'builtins.readFile "${import ./simple.nix}/hello"') == 'Hello World!' ]]
# Check whether we can leak symlink information through directory traversal. # Check whether we can leak symlink information through directory traversal.
traverseDir="$(pwd)/restricted-traverse-me" traverseDir="$(pwd)/restricted-traverse-me"
@ -45,7 +45,7 @@ ln -sfn "$(pwd)/restricted-secret" "$(pwd)/restricted-innocent"
mkdir -p "$traverseDir" mkdir -p "$traverseDir"
goUp="..$(echo "$traverseDir" | sed -e 's,[^/]\+,..,g')" goUp="..$(echo "$traverseDir" | sed -e 's,[^/]\+,..,g')"
output="$(nix eval --raw --restrict-eval -I "$traverseDir" \ output="$(nix eval --raw --restrict-eval -I "$traverseDir" \
"(builtins.readFile \"$traverseDir/$goUp$(pwd)/restricted-innocent\")" \ --expr "builtins.readFile \"$traverseDir/$goUp$(pwd)/restricted-innocent\"" \
2>&1 || :)" 2>&1 || :)"
echo "$output" | grep "is forbidden" echo "$output" | grep "is forbidden"
! echo "$output" | grep -F restricted-secret ! echo "$output" | grep -F restricted-secret