Merge remote-tracking branch 'upstream/master' into overlayfs-store

2025-07-07 10:11:47 +02:00 · 2023-07-09 20:30:23 -04:00 · 2023-07-09 20:30:23 -04:00 · 28398e6d02
commit 28398e6d02
parent 9c0473120f 8d871e1822
65 changed files with 1481 additions and 612 deletions
--- a/tests/check.sh
+++ b/tests/check.sh
@ -18,6 +18,9 @@ clearStore
 nix-build dependencies.nix --no-out-link
 nix-build dependencies.nix --no-out-link --check

+# Build failure exit codes (100, 104, etc.) are from
+# doc/manual/src/command-ref/status-build-failure.md
+
 # check for dangling temporary build directories
 # only retain if build fails and --keep-failed is specified, or...
 # ...build is non-deterministic and --check and --keep-failed are both specified
--- a/tests/fetchGit.sh
+++ b/tests/fetchGit.sh
@ -105,6 +105,8 @@ path2=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
 [[ $(cat $path2/dir1/foo) = foo ]]

 [[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
+[[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).dirtyRev") = "${rev2}-dirty" ]]
+[[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).dirtyShortRev") = "${rev2:0:7}-dirty" ]]

 # ... unless we're using an explicit ref or rev.
 path3=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"master\"; }).outPath")
@ -119,6 +121,10 @@ git -C $repo commit -m 'Bla3' -a
 path4=$(nix eval --impure --refresh --raw --expr "(builtins.fetchGit file://$repo).outPath")
 [[ $path2 = $path4 ]]

+[[ $(nix eval --impure --expr "builtins.hasAttr \"rev\" (builtins.fetchGit $repo)") == "true" ]]
+[[ $(nix eval --impure --expr "builtins.hasAttr \"dirtyRev\" (builtins.fetchGit $repo)") == "false" ]]
+[[ $(nix eval --impure --expr "builtins.hasAttr \"dirtyShortRev\" (builtins.fetchGit $repo)") == "false" ]]
+
 status=0
 nix eval --impure --raw --expr "(builtins.fetchGit { url = $repo; rev = \"$rev2\"; narHash = \"sha256-B5yIPHhEm0eysJKEsO7nqxprh9vcblFxpJG11gXJus1=\"; }).outPath" || status=$?
 [[ "$status" = "102" ]]
--- a/tests/flakes/check.sh
+++ b/tests/flakes/check.sh
@ -25,6 +25,18 @@ EOF

 (! nix flake check $flakeDir)

+cat > $flakeDir/flake.nix <<EOF
+{
+  outputs = { self, ... }: {
+    overlays.x86_64-linux.foo = final: prev: {
+    };
+  };
+}
+EOF
+
+checkRes=$(nix flake check $flakeDir 2>&1 && fail "nix flake check --all-systems should have failed" || true)
+echo "$checkRes" | grepQuiet "error: overlay is not a function, but a set instead"
+
 cat > $flakeDir/flake.nix <<EOF
 {
  outputs = { self }: {
--- a/tests/flakes/flakes.sh
+++ b/tests/flakes/flakes.sh
@ -95,11 +95,16 @@ json=$(nix flake metadata flake1 --json | jq .)
 [[ $(echo "$json" | jq -r .lastModified) = $(git -C $flake1Dir log -n1 --format=%ct) ]]
 hash1=$(echo "$json" | jq -r .revision)

+echo foo > $flake1Dir/foo
+git -C $flake1Dir add $flake1Dir/foo
+[[ $(nix flake metadata flake1 --json --refresh | jq -r .dirtyRevision) == "$hash1-dirty" ]]
+
 echo -n '# foo' >> $flake1Dir/flake.nix
 flake1OriginalCommit=$(git -C $flake1Dir rev-parse HEAD)
 git -C $flake1Dir commit -a -m 'Foo'
 flake1NewCommit=$(git -C $flake1Dir rev-parse HEAD)
 hash2=$(nix flake metadata flake1 --json --refresh | jq -r .revision)
+[[ $(nix flake metadata flake1 --json --refresh | jq -r .dirtyRevision) == "null" ]]
 [[ $hash1 != $hash2 ]]

 # Test 'nix build' on a flake.
--- a/tests/linux-sandbox-cert-test.nix
+++ b/tests/linux-sandbox-cert-test.nix
@ -1,29 +1,30 @@
-{ fixed-output }:
+{ mode }:

 with import ./config.nix;

-mkDerivation ({
-  name = "ssl-export";
-  buildCommand = ''
-    # Add some indirection, otherwise grepping into the debug output finds the string.
-    report () { echo CERT_$1_IN_SANDBOX; }
+mkDerivation (
+  {
+    name = "ssl-export";
+    buildCommand = ''
+      # Add some indirection, otherwise grepping into the debug output finds the string.
+      report () { echo CERT_$1_IN_SANDBOX; }

-    if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
-      content=$(</etc/ssl/certs/ca-certificates.crt)
-      if [ "$content" == CERT_CONTENT ]; then
-        report present
+      if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
+        content=$(</etc/ssl/certs/ca-certificates.crt)
+        if [ "$content" == CERT_CONTENT ]; then
+          report present
+        fi
+      else
+        report missing
      fi
-    else
-      report missing
-    fi

-    # Always fail, because we do not want to bother with fixed-output
-    # derivations being cached, and do not want to compute the right hash.
-    false;
-  '';
-} // (
-  if fixed-output == "fixed-output"
-  then { outputHash = "sha256:0000000000000000000000000000000000000000000000000000000000000000"; }
-  else { }
-))
+      # Always fail, because we do not want to bother with fixed-output
+      # derivations being cached, and do not want to compute the right hash.
+      false;
+    '';
+  } // {
+    fixed-output = { outputHash = "sha256:0000000000000000000000000000000000000000000000000000000000000000"; };
+    normal = { };
+  }.${mode}
+)

--- a/tests/linux-sandbox.sh
+++ b/tests/linux-sandbox.sh
@ -11,6 +11,8 @@ requireSandboxSupport
 # otherwise things get complicated (e.g. if it's in /bin, do we need
 # /lib as well?).
 if [[ ! $SHELL =~ /nix/store ]]; then skipTest "Shell is not from Nix store"; fi
+# An alias to automatically bind-mount the $SHELL on nix-build invocations
+nix-sandbox-build () { nix-build --no-out-link --sandbox-paths /nix/store "$@"; }

 chmod -R u+w $TEST_ROOT/store0 || true
 rm -rf $TEST_ROOT/store0
@ -18,7 +20,7 @@ rm -rf $TEST_ROOT/store0
 export NIX_STORE_DIR=/my/store
 export NIX_REMOTE=$TEST_ROOT/store0

-outPath=$(nix-build dependencies.nix --no-out-link --sandbox-paths /nix/store)
+outPath=$(nix-sandbox-build dependencies.nix)

 [[ $outPath =~ /my/store/.*-dependencies ]]

@ -29,24 +31,31 @@ nix store ls -R -l $outPath | grep foobar
 nix store cat $outPath/foobar | grep FOOBAR

 # Test --check without hash rewriting.
-nix-build dependencies.nix --no-out-link --check --sandbox-paths /nix/store
+nix-sandbox-build dependencies.nix --check

 # Test that sandboxed builds with --check and -K can move .check directory to store
-nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link
+nix-sandbox-build check.nix -A nondeterministic

-(! nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link --check -K 2> $TEST_ROOT/log)
-if grepQuiet 'error: renaming' $TEST_ROOT/log; then false; fi
+# `100 + 4` means non-determinstic, see doc/manual/src/command-ref/status-build-failure.md
+expectStderr 104 nix-sandbox-build check.nix -A nondeterministic --check -K > $TEST_ROOT/log
+grepQuietInverse 'error: renaming' $TEST_ROOT/log
 grepQuiet 'may not be deterministic' $TEST_ROOT/log

 # Test that sandboxed builds cannot write to /etc easily
-(! nix-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' --no-out-link --sandbox-paths /nix/store)
+# `100` means build failure without extra info, see doc/manual/src/command-ref/status-build-failure.md
+expectStderr 100 nix-sandbox-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' |
+    grepQuiet "/etc/test: Permission denied"


 ## Test mounting of SSL certificates into the sandbox
 testCert () {
-    (! nix-build linux-sandbox-cert-test.nix --argstr fixed-output "$2" --no-out-link --sandbox-paths /nix/store --option ssl-cert-file "$3" 2> $TEST_ROOT/log)
-    cat $TEST_ROOT/log
-    grepQuiet "CERT_${1}_IN_SANDBOX" $TEST_ROOT/log
+    expectation=$1 # "missing" | "present"
+    mode=$2        # "normal" | "fixed-output"
+    certFile=$3    # a string that can be the path to a cert file
+    # `100` means build failure without extra info, see doc/manual/src/command-ref/status-build-failure.md
+    [ "$mode" == fixed-output ] && ret=1 || ret=100
+    expectStderr $ret nix-sandbox-build linux-sandbox-cert-test.nix --argstr mode "$mode" --option ssl-cert-file "$certFile" |
+        grepQuiet "CERT_${expectation}_IN_SANDBOX"
 }

 nocert=$TEST_ROOT/no-cert-file.pem
--- a/tests/nix-profile.sh
+++ b/tests/nix-profile.sh
@ -47,8 +47,9 @@ cp ./config.nix $flake1Dir/

 # Test upgrading from nix-env.
 nix-env -f ./user-envs.nix -i foo-1.0
-nix profile list | grep '0 - - .*-foo-1.0'
+nix profile list | grep -A2 'Index:.*0' | grep 'Store paths:.*foo-1.0'
 nix profile install $flake1Dir -L
+nix profile list | grep -A4 'Index:.*1' | grep 'Locked flake URL:.*narHash'
 [[ $($TEST_HOME/.nix-profile/bin/hello) = "Hello World" ]]
 [ -e $TEST_HOME/.nix-profile/share/man ]
 (! [ -e $TEST_HOME/.nix-profile/include ])
--- a/tests/nixos/authorization.nix
+++ b/tests/nixos/authorization.nix
@ -75,5 +75,20 @@
      su --login bob -c '(! nix-store --verify --repair 2>&1)' | tee diag 1>&2
      grep -F "you are not privileged to repair paths" diag
    """)
+
+    machine.succeed("""
+        set -x
+        su --login mallory -c '
+          nix-store --generate-binary-cache-key cache1.example.org sk1 pk1
+          (! nix store sign --key-file sk1 ${pathFour} 2>&1)' | tee diag 1>&2
+        grep -F "cannot open connection to remote store 'daemon'" diag
+    """)
+
+    machine.succeed("""
+        su --login bob -c '
+          nix-store --generate-binary-cache-key cache1.example.org sk1 pk1
+          nix store sign --key-file sk1 ${pathFour}
+        '
+    """)
  '';
 }
--- a/tests/test-libstoreconsumer/local.mk
+++ b/tests/test-libstoreconsumer/local.mk
@ -2,6 +2,9 @@ programs += test-libstoreconsumer

 test-libstoreconsumer_DIR := $(d)

+# do not install
+test-libstoreconsumer_INSTALL_DIR :=
+
 test-libstoreconsumer_SOURCES := \
  $(wildcard $(d)/*.cc) \