Merge remote-tracking branch 'upstream/master' into trustless-remote-builder-simple

2025-07-07 18:31:49 +02:00 · 2021-01-22 16:22:00 +00:00 · 2021-01-22 16:22:00 +00:00 · 5738b08233
commit 5738b08233
parent bd96403da6 b7bfc7ee52
199 changed files with 5472 additions and 1751 deletions
--- a/tests/binary-cache.sh
+++ b/tests/binary-cache.sh
@ -125,20 +125,18 @@ grep -q "copying path.*input-0" $TEST_ROOT/log
 grep -q "copying path.*top" $TEST_ROOT/log


-if [ -n "$HAVE_SODIUM" ]; then
-
 # Create a signed binary cache.
 clearCache
 clearCacheCache

-declare -a res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk1 $TEST_ROOT/pk1 ))
-publicKey="$(cat $TEST_ROOT/pk1)"
+nix key generate-secret --key-name test.nixos.org-1 > $TEST_ROOT/sk1
+publicKey=$(nix key convert-secret-to-public < $TEST_ROOT/sk1)

-res=($(nix-store --generate-binary-cache-key test.nixos.org-1 $TEST_ROOT/sk2 $TEST_ROOT/pk2))
-badKey="$(cat $TEST_ROOT/pk2)"
+nix key generate-secret --key-name test.nixos.org-1 > $TEST_ROOT/sk2
+badKey=$(nix key convert-secret-to-public < $TEST_ROOT/sk2)

-res=($(nix-store --generate-binary-cache-key foo.nixos.org-1 $TEST_ROOT/sk3 $TEST_ROOT/pk3))
-otherKey="$(cat $TEST_ROOT/pk3)"
+nix key generate-secret --key-name foo.nixos.org-1 > $TEST_ROOT/sk3
+otherKey=$(nix key convert-secret-to-public < $TEST_ROOT/sk3)

 _NIX_FORCE_HTTP= nix copy --to file://$cacheDir?secret-key=$TEST_ROOT/sk1 $outPath

@ -181,8 +179,6 @@ clearCacheCache

 nix-store -r $outPath --substituters "file://$cacheDir2 file://$cacheDir" --trusted-public-keys "$publicKey"

-fi # HAVE_LIBSODIUM
-

 unset _NIX_FORCE_HTTP

--- a/tests/common.sh.in
+++ b/tests/common.sh.in
@ -34,7 +34,6 @@ coreutils=@coreutils@
 export dot=@dot@
 export SHELL="@bash@"
 export PAGER=cat
-export HAVE_SODIUM="@HAVE_SODIUM@"
 export busybox="@sandbox_shell@"

 export version=@PACKAGE_VERSION@
@ -74,7 +73,7 @@ startDaemon() {
    # Start the daemon, wait for the socket to appear.  !!!
    # ‘nix-daemon’ should have an option to fork into the background.
    rm -f $NIX_STATE_DIR/daemon-socket/socket
-    nix-daemon &
+    nix daemon &
    for ((i = 0; i < 30; i++)); do
        if [ -e $NIX_DAEMON_SOCKET_PATH ]; then break; fi
        sleep 1
--- a/tests/fetchGit.sh
+++ b/tests/fetchGit.sh
@ -41,6 +41,19 @@ export _NIX_FORCE_HTTP=1
 path=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath")
 [[ $(cat $path/hello) = world ]]

+# Fetch a rev from another branch
+git -C $repo checkout -b devtest
+echo "different file" >> $TEST_ROOT/git/differentbranch
+git -C $repo add differentbranch
+git -C $repo commit -m 'Test2'
+git -C $repo checkout master
+devrev=$(git -C $repo rev-parse devtest)
+out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = file://$repo; rev = \"$devrev\"; }" 2>&1) || status=$?
+[[ $status == 1 ]]
+[[ $out =~ 'Cannot find Git revision' ]]
+
+[[ $(nix eval --raw --expr "builtins.readFile (builtins.fetchGit { url = file://$repo; rev = \"$devrev\"; allRefs = true; } + \"/differentbranch\")") = 'different file' ]]
+
 # In pure eval mode, fetchGit without a revision should fail.
 [[ $(nix eval --impure --raw --expr "builtins.readFile (fetchGit file://$repo + \"/hello\")") = world ]]
 (! nix eval --raw --expr "builtins.readFile (fetchGit file://$repo + \"/hello\")")
--- a/tests/fetchurl.sh
+++ b/tests/fetchurl.sh
@ -5,7 +5,7 @@ clearStore
 # Test fetching a flat file.
 hash=$(nix-hash --flat --type sha256 ./fetchurl.sh)

-outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha256 $hash --no-out-link)
+outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha256 $hash --no-out-link)

 cmp $outPath fetchurl.sh

@ -14,7 +14,7 @@ clearStore

 hash=$(nix hash file --type sha512 --base64 ./fetchurl.sh)

-outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha512 $hash --no-out-link)
+outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr sha512 $hash --no-out-link)

 cmp $outPath fetchurl.sh

@ -25,7 +25,7 @@ hash=$(nix hash file ./fetchurl.sh)

 [[ $hash =~ ^sha256- ]]

-outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr hash $hash --no-out-link)
+outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file://$(pwd)/fetchurl.sh --argstr hash $hash --no-out-link)

 cmp $outPath fetchurl.sh

@ -38,10 +38,10 @@ hash=$(nix hash file --type sha256 --base16 ./fetchurl.sh)

 storePath=$(nix --store $other_store store add-file ./fetchurl.sh)

-outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha256 $hash --no-out-link --substituters $other_store)
+outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr sha256 $hash --no-out-link --substituters $other_store)

 # Test hashed mirrors with an SRI hash.
-nix-build '<nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr hash $(nix hash to-sri --type sha256 $hash) \
+nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file:///no-such-dir/fetchurl.sh --argstr hash $(nix hash to-sri --type sha256 $hash) \
          --no-out-link --substituters $other_store

 # Test unpacking a NAR.
@ -55,7 +55,7 @@ nix-store --dump $TEST_ROOT/archive > $nar

 hash=$(nix-hash --flat --type sha256 $nar)

-outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$nar --argstr sha256 $hash \
+outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file://$nar --argstr sha256 $hash \
          --arg unpack true --argstr name xyzzy --no-out-link)

 echo $outPath | grep -q 'xyzzy'
@ -69,7 +69,7 @@ nix-store --delete $outPath
 narxz=$TEST_ROOT/archive.nar.xz
 rm -f $narxz
 xz --keep $nar
-outPath=$(nix-build '<nix/fetchurl.nix>' --argstr url file://$narxz --argstr sha256 $hash \
+outPath=$(nix-build --expr 'import <nix/fetchurl.nix>' --argstr url file://$narxz --argstr sha256 $hash \
          --arg unpack true --argstr name xyzzy --no-out-link)

 test -x $outPath/fetchurl.sh
--- a/tests/flakes.sh
+++ b/tests/flakes.sh
@ -276,18 +276,18 @@ git -C $flake3Dir commit -m 'Add lockfile'
 # Test whether registry caching works.
 nix registry list --flake-registry file://$registry | grep -q flake3
 mv $registry $registry.tmp
-nix-store --gc
+nix store gc
 nix registry list --flake-registry file://$registry --refresh | grep -q flake3
 mv $registry.tmp $registry

 # Test whether flakes are registered as GC roots for offline use.
 # FIXME: use tarballs rather than git.
 rm -rf $TEST_HOME/.cache
-nix-store --gc # get rid of copies in the store to ensure they get fetched to our git cache
+nix store gc # get rid of copies in the store to ensure they get fetched to our git cache
 _NIX_FORCE_HTTP=1 nix build -o $TEST_ROOT/result git+file://$flake2Dir#bar
 mv $flake1Dir $flake1Dir.tmp
 mv $flake2Dir $flake2Dir.tmp
-nix-store --gc
+nix store gc
 _NIX_FORCE_HTTP=1 nix build -o $TEST_ROOT/result git+file://$flake2Dir#bar
 _NIX_FORCE_HTTP=1 nix build -o $TEST_ROOT/result git+file://$flake2Dir#bar --refresh
 mv $flake1Dir.tmp $flake1Dir
--- a/tests/lang/eval-okay-search-path.nix
+++ b/tests/lang/eval-okay-search-path.nix
@ -1,10 +1,9 @@
 with import ./lib.nix;
 with builtins;

-assert pathExists <nix/fetchurl.nix>;
+assert isFunction (import <nix/fetchurl.nix>);

-assert length __nixPath == 6;
-assert length (filter (x: x.prefix == "nix") __nixPath) == 1;
+assert length __nixPath == 5;
 assert length (filter (x: baseNameOf x.path == "dir4") __nixPath) == 1;

 import <a.nix> + import <b.nix> + import <c.nix> + import <dir5/c.nix>
--- a/tests/multiple-outputs.sh
+++ b/tests/multiple-outputs.sh
@ -58,7 +58,7 @@ outPath2=$(nix-build $(nix-instantiate multiple-outputs.nix -A a.second) --no-ou

 # Delete one of the outputs and rebuild it.  This will cause a hash
 # rewrite.
-nix-store --delete $TEST_ROOT/result-second --ignore-liveness
+nix store delete $TEST_ROOT/result-second --ignore-liveness
 nix-build multiple-outputs.nix -A a.all -o $TEST_ROOT/result
 [ "$(cat $TEST_ROOT/result-second/file)" = "second" ]
 [ "$(cat $TEST_ROOT/result-second/link/file)" = "first" ]
--- a/tests/nix-shell.sh
+++ b/tests/nix-shell.sh
@ -47,6 +47,14 @@ chmod a+rx $TEST_ROOT/shell.shebang.sh
 output=$($TEST_ROOT/shell.shebang.sh abc def)
 [ "$output" = "foo bar abc def" ]

+# Test nix-shell shebang mode again with metacharacters in the filename.
+# First word of filename is chosen to not match any file in the test root.
+sed -e "s|@ENV_PROG@|$(type -p env)|" shell.shebang.sh > $TEST_ROOT/spaced\ \\\'\"shell.shebang.sh
+chmod a+rx $TEST_ROOT/spaced\ \\\'\"shell.shebang.sh
+
+output=$($TEST_ROOT/spaced\ \\\'\"shell.shebang.sh abc def)
+[ "$output" = "foo bar abc def" ]
+
 # Test nix-shell shebang mode for ruby
 # This uses a fake interpreter that returns the arguments passed
 # This, in turn, verifies the `rc` script is valid and the `load()` script (given using `-e`) is as expected.
@ -54,7 +62,15 @@ sed -e "s|@SHELL_PROG@|$(type -p nix-shell)|" shell.shebang.rb > $TEST_ROOT/shel
 chmod a+rx $TEST_ROOT/shell.shebang.rb

 output=$($TEST_ROOT/shell.shebang.rb abc ruby)
-[ "$output" = '-e load("'"$TEST_ROOT"'/shell.shebang.rb") -- abc ruby' ]
+[ "$output" = '-e load(ARGV.shift) -- '"$TEST_ROOT"'/shell.shebang.rb abc ruby' ]
+
+# Test nix-shell shebang mode for ruby again with metacharacters in the filename.
+# Note: fake interpreter only space-separates args without adding escapes to its output.
+sed -e "s|@SHELL_PROG@|$(type -p nix-shell)|" shell.shebang.rb > $TEST_ROOT/spaced\ \\\'\"shell.shebang.rb
+chmod a+rx $TEST_ROOT/spaced\ \\\'\"shell.shebang.rb
+
+output=$($TEST_ROOT/spaced\ \\\'\"shell.shebang.rb abc ruby)
+[ "$output" = '-e load(ARGV.shift) -- '"$TEST_ROOT"'/spaced \'\''"shell.shebang.rb abc ruby' ]

 # Test 'nix develop'.
 nix develop -f shell.nix shellDrv -c bash -c '[[ -n $stdenv ]]'
--- a/tests/shell.nix
+++ b/tests/shell.nix
@ -50,7 +50,7 @@ let pkgs = rec {
  # ruby "interpreter" that outputs "$@"
  ruby = runCommand "ruby" {} ''
    mkdir -p $out/bin
-    echo 'printf -- "$*"' > $out/bin/ruby
+    echo 'printf %s "$*"' > $out/bin/ruby
    chmod a+rx $out/bin/ruby
  '';

--- a/tests/signing.sh
+++ b/tests/signing.sh
@ -47,8 +47,8 @@ expect 2 nix store verify -r $outPath2 --sigs-needed 1

 expect 2 nix store verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1

-# Test "nix store sign-paths".
-nix store sign-paths --key-file $TEST_ROOT/sk1 $outPath2
+# Test "nix store sign".
+nix store sign --key-file $TEST_ROOT/sk1 $outPath2

 nix store verify -r $outPath2 --sigs-needed 1 --trusted-public-keys $pk1

@ -63,7 +63,7 @@ nix store verify $outPathCA
 nix store verify $outPathCA --sigs-needed 1000

 # Check that signing a content-addressed path doesn't overflow validSigs
-nix store sign-paths --key-file $TEST_ROOT/sk1 $outPathCA
+nix store sign --key-file $TEST_ROOT/sk1 $outPathCA
 nix store verify -r $outPathCA --sigs-needed 1000 --trusted-public-keys $pk1

 # Copy to a binary cache.
@ -76,7 +76,7 @@ info=$(nix path-info --store file://$cacheDir --json $outPath2)
 (! [[ $info =~ 'cache2.example.org' ]])

 # Verify that adding a signature to a path in a binary cache works.
-nix store sign-paths --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
+nix store sign --store file://$cacheDir --key-file $TEST_ROOT/sk2 $outPath2
 info=$(nix path-info --store file://$cacheDir --json $outPath2)
 [[ $info =~ 'cache1.example.org' ]]
 [[ $info =~ 'cache2.example.org' ]]