fetchClosure: Allow a path to be rewritten to CA on the fly

The advantage is that the resulting closure doesn't need to be signed, so you don't need to configure any binary cache keys on the client.
2025-06-25 10:41:16 +02:00 · 2022-03-22 21:14:58 +01:00 · 2022-03-22 21:14:58 +01:00 · 545c2d0d8c
commit 545c2d0d8c
parent 7f6fe8ca1d
4 changed files with 150 additions and 72 deletions
--- a/src/libexpr/primops/fetchClosure.cc
+++ b/src/libexpr/primops/fetchClosure.cc
@ -1,5 +1,6 @@
 #include "primops.hh"
 #include "store-api.hh"
+#include "make-content-addressed.hh"

 namespace nix {

@ -9,6 +10,8 @@ static void prim_fetchClosure(EvalState & state, const Pos & pos, Value * * args

    std::optional<std::string> fromStoreUrl;
    std::optional<StorePath> fromPath;
+    bool toCA = false;
+    std::optional<StorePath> toPath;

    for (auto & attr : *args[0]->attrs) {
        if (attr.name == "fromPath") {
@ -16,6 +19,15 @@ static void prim_fetchClosure(EvalState & state, const Pos & pos, Value * * args
            fromPath = state.coerceToStorePath(*attr.pos, *attr.value, context);
        }

+        else if (attr.name == "toPath") {
+            state.forceValue(*attr.value, *attr.pos);
+            toCA = true;
+            if (attr.value->type() != nString || attr.value->string.s != std::string("")) {
+                PathSet context;
+                toPath = state.coerceToStorePath(*attr.pos, *attr.value, context);
+            }
+        }
+
        else if (attr.name == "fromStore")
            fromStoreUrl = state.forceStringNoCtx(*attr.value, *attr.pos);

@ -41,21 +53,45 @@ static void prim_fetchClosure(EvalState & state, const Pos & pos, Value * * args
    // FIXME: only allow some "trusted" store types (like BinaryCacheStore).
    auto fromStore = openStore(*fromStoreUrl);

-    copyClosure(*fromStore, *state.store, RealisedPath::Set { *fromPath });
+    if (toCA) {
+        auto remappings = makeContentAddressed(*fromStore, *state.store, { *fromPath });
+        auto i = remappings.find(*fromPath);
+        assert(i != remappings.end());
+        if (toPath && *toPath != i->second)
+            throw Error({
+                .msg = hintfmt("rewriting '%s' to content-addressed form yielded '%s', while '%s' was expected",
+                    state.store->printStorePath(*fromPath),
+                    state.store->printStorePath(i->second),
+                    state.store->printStorePath(*toPath)),
+                .errPos = pos
+            });
+        if (!toPath)
+            throw Error({
+                .msg = hintfmt(
+                    "rewriting '%s' to content-addressed form yielded '%s'; "
+                    "please set this in the 'toPath' attribute passed to 'fetchClosure'",
+                    state.store->printStorePath(*fromPath),
+                    state.store->printStorePath(i->second)),
+                .errPos = pos
+            });
+    } else {
+        copyClosure(*fromStore, *state.store, RealisedPath::Set { *fromPath });
+        toPath = fromPath;
+    }

    /* In pure mode, require a CA path. */
    if (evalSettings.pureEval) {
-        auto info = state.store->queryPathInfo(*fromPath);
+        auto info = state.store->queryPathInfo(*toPath);
        if (!info->isContentAddressed(*state.store))
            throw Error({
                .msg = hintfmt("in pure mode, 'fetchClosure' requires a content-addressed path, which '%s' isn't",
-                    state.store->printStorePath(*fromPath)),
+                    state.store->printStorePath(*toPath)),
                .errPos = pos
            });
    }

-    auto fromPathS = state.store->printStorePath(*fromPath);
-    v.mkString(fromPathS, {fromPathS});
+    auto toPathS = state.store->printStorePath(*toPath);
+    v.mkString(toPathS, {toPathS});
 }

 static RegisterPrimOp primop_fetchClosure({