Merge branch 'path-info' into ca-drv-exotic

tests/build-delete.sh

@@ -0,0 +1,56 @@
+source common.sh
+
+clearStore
+
+set -o pipefail
+
+# https://github.com/NixOS/nix/issues/6572
+issue_6572_independent_outputs() {
+    nix build -f multiple-outputs.nix --json independent --no-link > $TEST_ROOT/independent.json
+
+    # Make sure that 'nix build' can build a derivation that depends on both outputs of another derivation.
+    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
+    nix-store --delete "$p" # Clean up for next test
+
+    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
+    nix-store --delete "$(jq -r <$TEST_ROOT/independent.json .[0].outputs.first)"
+    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
+    cmp $p <<EOF
+first
+second
+EOF
+    nix-store --delete "$p" # Clean up for next test
+
+    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
+    nix-store --delete "$(jq -r <$TEST_ROOT/independent.json .[0].outputs.second)"
+    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
+    cmp $p <<EOF
+first
+second
+EOF
+    nix-store --delete "$p" # Clean up for next test
+}
+issue_6572_independent_outputs
+
+
+# https://github.com/NixOS/nix/issues/6572
+issue_6572_dependent_outputs() {
+
+    nix build -f multiple-outputs.nix --json a --no-link > $TEST_ROOT/a.json
+
+    # # Make sure that 'nix build' can build a derivation that depends on both outputs of another derivation.
+    p=$(nix build -f multiple-outputs.nix use-a --no-link --print-out-paths)
+    nix-store --delete "$p" # Clean up for next test
+
+    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
+    nix-store --delete "$(jq -r <$TEST_ROOT/a.json .[0].outputs.second)"
+    p=$(nix build -f multiple-outputs.nix use-a --no-link --print-out-paths)
+    cmp $p <<EOF
+first
+second
+EOF
+    nix-store --delete "$p" # Clean up for next test
+}
+if isDaemonNewer "2.12pre0"; then
+    issue_6572_dependent_outputs
+fi

tests/build.sh

@@ -107,62 +107,3 @@ nix build --impure -f multiple-outputs.nix --json e --no-link | jq --exit-status
     (.drvPath | match(".*multiple-outputs-e.drv")) and
     (.outputs | keys == ["a_a", "b"]))
 '
-
-testNormalization () {
-    clearStore
-    outPath=$(nix-build ./simple.nix --no-out-link)
-    test "$(stat -c %Y $outPath)" -eq 1
-}
-
-testNormalization
-
-# https://github.com/NixOS/nix/issues/6572
-issue_6572_independent_outputs() {
-    nix build -f multiple-outputs.nix --json independent --no-link > $TEST_ROOT/independent.json
-
-    # Make sure that 'nix build' can build a derivation that depends on both outputs of another derivation.
-    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
-    nix-store --delete "$p" # Clean up for next test
-
-    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
-    nix-store --delete "$(jq -r <$TEST_ROOT/independent.json .[0].outputs.first)"
-    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
-    cmp $p <<EOF
-first
-second
-EOF
-    nix-store --delete "$p" # Clean up for next test
-
-    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
-    nix-store --delete "$(jq -r <$TEST_ROOT/independent.json .[0].outputs.second)"
-    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
-    cmp $p <<EOF
-first
-second
-EOF
-    nix-store --delete "$p" # Clean up for next test
-}
-issue_6572_independent_outputs
-
-
-# https://github.com/NixOS/nix/issues/6572
-issue_6572_dependent_outputs() {
-
-    nix build -f multiple-outputs.nix --json a --no-link > $TEST_ROOT/a.json
-
-    # # Make sure that 'nix build' can build a derivation that depends on both outputs of another derivation.
-    p=$(nix build -f multiple-outputs.nix use-a --no-link --print-out-paths)
-    nix-store --delete "$p" # Clean up for next test
-
-    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
-    nix-store --delete "$(jq -r <$TEST_ROOT/a.json .[0].outputs.second)"
-    p=$(nix build -f multiple-outputs.nix use-a --no-link --print-out-paths)
-    cmp $p <<EOF
-first
-second
-EOF
-    nix-store --delete "$p" # Clean up for next test
-}
-if isDaemonNewer "2.12pre0"; then
-    issue_6572_dependent_outputs
-fi

tests/ca/build.sh

@@ -3,7 +3,7 @@
 source common.sh
 
 drv=$(nix-instantiate --experimental-features ca-derivations ./content-addressed.nix -A rootCA --arg seed 1)
-nix --experimental-features 'nix-command ca-derivations' show-derivation --derivation "$drv" --arg seed 1
+nix --experimental-features 'nix-command ca-derivations' show-derivation "$drv" --arg seed 1
 
 buildAttr () {
     local derivationPath=$1

tests/ca/new-build-cmd.sh

@@ -0,0 +1,5 @@
+source common.sh
+
+export NIX_TESTS_CA_BY_DEFAULT=1
+cd ..
+source ./build.sh

tests/ca/recursive.sh

@@ -7,5 +7,3 @@ requireDaemonNewerThan "2.4pre20210623"
 export NIX_TESTS_CA_BY_DEFAULT=1
 cd ..
 source ./recursive.sh
-
-

tests/ca/text-hashed-output.sh

@@ -16,10 +16,10 @@ sed -i 's/experimental-features = .*/& ca-derivations ca-references/' "$NIX_CONF
 # - check that the path of the output coincides with that of the original derivation
 
 drv=$(nix-instantiate --experimental-features ca-derivations ./text-hashed-output.nix -A root)
-nix show-derivation --derivation "$drv"
+nix show-derivation "$drv"
 
 drvDep=$(nix-instantiate --experimental-features ca-derivations ./text-hashed-output.nix -A dependent)
-nix show-derivation --derivation "$drvDep"
+nix show-derivation "$drvDep"
 
 out1=$(nix-build --experimental-features ca-derivations ./text-hashed-output.nix -A dependent --no-out-link)
 

tests/check-refs.nix

@@ -67,4 +67,11 @@ rec {
     disallowedReferences = [test5];
   };
 
+  test11 = makeTest 11 {
+    __structuredAttrs = true;
+    unsafeDiscardReferences.out = true;
+    outputChecks.out.allowedReferences = [];
+    buildCommand = ''echo ${dep} > "''${outputs[out]}"'';
+  };
+
 }

tests/check-refs.sh

@@ -40,3 +40,12 @@ nix-build -o $RESULT check-refs.nix -A test7
 
 # test10 should succeed (no disallowed references).
 nix-build -o $RESULT check-refs.nix -A test10
+
+if isDaemonNewer 2.12pre20230103; then
+    enableFeatures discard-references
+    restartDaemon
+
+    # test11 should succeed.
+    test11=$(nix-build -o $RESULT check-refs.nix -A test11)
+    [[ -z $(nix-store -q --references "$test11") ]]
+fi

tests/common.sh

@@ -0,0 +1,12 @@
+set -e
+
+if [[ -z "${COMMON_SH_SOURCED-}" ]]; then
+
+COMMON_SH_SOURCED=1
+
+source "$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")/common/vars-and-functions.sh"
+if [[ -n "${NIX_DAEMON_PACKAGE:-}" ]]; then
+    startDaemon
+fi
+
+fi # COMMON_SH_SOURCED

tests/common/vars-and-functions.sh.in

@@ -1,8 +1,10 @@
 set -e
 
-if [[ -z "$COMMON_SH_SOURCED" ]]; then
+if [[ -z "${COMMON_VARS_AND_FUNCTIONS_SH_SOURCED-}" ]]; then
 
-COMMON_SH_SOURCED=1
+COMMON_VARS_AND_FUNCTIONS_SH_SOURCED=1
+
+export PS4='+(${BASH_SOURCE[0]}:$LINENO) '
 
 export TEST_ROOT=$(realpath ${TMPDIR:-/tmp}/nix-test)/${TEST_NAME:-default}
 export NIX_STORE_DIR
@@ -23,10 +25,12 @@ if [[ -n $NIX_STORE ]]; then
 fi
 export _NIX_IN_TEST=$TEST_ROOT/shared
 export _NIX_TEST_NO_LSOF=1
-export NIX_REMOTE=$NIX_REMOTE_
+export NIX_REMOTE=${NIX_REMOTE_-}
 unset NIX_PATH
 export TEST_HOME=$TEST_ROOT/test-home
 export HOME=$TEST_HOME
+unset XDG_STATE_HOME
+unset XDG_DATA_HOME
 unset XDG_CONFIG_HOME
 unset XDG_CONFIG_DIRS
 unset XDG_CACHE_HOME
@@ -62,8 +66,8 @@ readLink() {
 }
 
 clearProfiles() {
-    profiles="$NIX_STATE_DIR"/profiles
-    rm -rf $profiles
+    profiles="$HOME"/.local/state/nix/profiles
+    rm -rf "$profiles"
 }
 
 clearStore() {
@@ -86,13 +90,14 @@ clearCacheCache() {
 
 startDaemon() {
     # Don’t start the daemon twice, as this would just make it loop indefinitely
-    if [[ "$NIX_REMOTE" == daemon ]]; then
-      return
+    if [[ "${_NIX_TEST_DAEMON_PID-}" != '' ]]; then
+        return
     fi
     # Start the daemon, wait for the socket to appear.
     rm -f $NIX_DAEMON_SOCKET_PATH
-    PATH=$DAEMON_PATH nix-daemon&
-    pidDaemon=$!
+    PATH=$DAEMON_PATH nix-daemon &
+    _NIX_TEST_DAEMON_PID=$!
+    export _NIX_TEST_DAEMON_PID
     for ((i = 0; i < 300; i++)); do
         if [[ -S $NIX_DAEMON_SOCKET_PATH ]]; then
           DAEMON_STARTED=1
@@ -104,25 +109,35 @@ startDaemon() {
       fail "Didn’t manage to start the daemon"
     fi
     trap "killDaemon" EXIT
+    # Save for if daemon is killed
+    NIX_REMOTE_OLD=$NIX_REMOTE
     export NIX_REMOTE=daemon
 }
 
 killDaemon() {
-    kill $pidDaemon
+    # Don’t fail trying to stop a non-existant daemon twice
+    if [[ "${_NIX_TEST_DAEMON_PID-}" == '' ]]; then
+        return
+    fi
+    kill $_NIX_TEST_DAEMON_PID
     for i in {0..100}; do
-        kill -0 $pidDaemon 2> /dev/null || break
+        kill -0 $_NIX_TEST_DAEMON_PID 2> /dev/null || break
         sleep 0.1
     done
-    kill -9 $pidDaemon 2> /dev/null || true
-    wait $pidDaemon || true
+    kill -9 $_NIX_TEST_DAEMON_PID 2> /dev/null || true
+    wait $_NIX_TEST_DAEMON_PID || true
+    rm -f $NIX_DAEMON_SOCKET_PATH
+    # Indicate daemon is stopped
+    unset _NIX_TEST_DAEMON_PID
+    # Restore old nix remote
+    NIX_REMOTE=$NIX_REMOTE_OLD
     trap "" EXIT
 }
 
 restartDaemon() {
-    [[ -z "${pidDaemon:-}" ]] && return 0
+    [[ -z "${_NIX_TEST_DAEMON_PID:-}" ]] && return 0
 
     killDaemon
-    unset NIX_REMOTE
     startDaemon
 }
 
@@ -186,10 +201,6 @@ enableFeatures() {
 
 set -x
 
-if [[ -n "${NIX_DAEMON_PACKAGE:-}" ]]; then
-    startDaemon
-fi
-
 onError() {
     set +x
     echo "$0: test failed at:" >&2
@@ -201,4 +212,4 @@ onError() {
 
 trap onError ERR
 
-fi # COMMON_SH_SOURCED
+fi # COMMON_VARS_AND_FUNCTIONS_SH_SOURCED

tests/config.sh

@@ -51,3 +51,8 @@ exp_features=$(nix show-config | grep '^experimental-features' | cut -d '=' -f 2
 [[ $prev != $exp_cores ]]
 [[ $exp_cores == "4242" ]]
 [[ $exp_features == "flakes nix-command" ]]
+
+# Test that it's possible to retrieve a single setting's value
+val=$(nix show-config | grep '^warn-dirty' | cut -d '=' -f  2 | xargs)
+val2=$(nix show-config warn-dirty)
+[[ $val == $val2 ]]

tests/db-migration.sh

@@ -9,7 +9,6 @@ fi
 source common.sh
 
 killDaemon
-unset NIX_REMOTE
 
 # Fill the db using the older Nix
 PATH_WITH_NEW_NIX="$PATH"

tests/export-graph.sh

@@ -4,7 +4,7 @@ clearStore
 clearProfiles
 
 checkRef() {
-    nix-store -q --references $TEST_ROOT/result | grep -q "$1" || fail "missing reference $1"
+    nix-store -q --references $TEST_ROOT/result | grep -q "$1"'$' || fail "missing reference $1"
 }
 
 # Test the export of the runtime dependency graph.

tests/fetchGit.sh

@@ -237,3 +237,17 @@ rm -rf $repo/.git
 # should succeed for a repo without commits
 git init $repo
 path10=$(nix eval --impure --raw --expr "(builtins.fetchGit \"file://$repo\").outPath")
+
+# should succeed for a path with a space
+# regression test for #7707
+repo="$TEST_ROOT/a b"
+git init "$repo"
+git -C "$repo" config user.email "foobar@example.com"
+git -C "$repo" config user.name "Foobar"
+
+echo utrecht > "$repo/hello"
+touch "$repo/.gitignore"
+git -C "$repo" add hello .gitignore
+git -C "$repo" commit -m 'Bla1'
+cd "$repo"
+path11=$(nix eval --impure --raw --expr "(builtins.fetchGit ./.).outPath")

tests/fetchGitSubmodules.sh

@@ -104,3 +104,28 @@ noSubmoduleRepoBaseline=$(nix eval --raw --expr "(builtins.fetchGit { url = file
 noSubmoduleRepo=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$subRepo; rev = \"$subRev\"; submodules = true; }).outPath")
 
 [[ $noSubmoduleRepoBaseline == $noSubmoduleRepo ]]
+
+# Test relative submodule URLs.
+rm $TEST_HOME/.cache/nix/fetcher-cache*
+rm -rf $rootRepo/.git $rootRepo/.gitmodules $rootRepo/sub
+initGitRepo $rootRepo
+git -C $rootRepo submodule add ../gitSubmodulesSub sub
+git -C $rootRepo commit -m "Add submodule"
+rev2=$(git -C $rootRepo rev-parse HEAD)
+pathWithRelative=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$rootRepo; rev = \"$rev2\"; submodules = true; }).outPath")
+diff -r -x .gitmodules $pathWithSubmodules $pathWithRelative
+
+# Test clones that have an upstream with relative submodule URLs.
+rm $TEST_HOME/.cache/nix/fetcher-cache*
+cloneRepo=$TEST_ROOT/a/b/gitSubmodulesClone # NB /a/b to make the relative path not work relative to $cloneRepo
+git clone $rootRepo $cloneRepo
+pathIndirect=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$cloneRepo; rev = \"$rev2\"; submodules = true; }).outPath")
+[[ $pathIndirect = $pathWithRelative ]]
+
+# Test that if the clone has the submodule already, we're not fetching
+# it again.
+git -C $cloneRepo submodule update --init
+rm $TEST_HOME/.cache/nix/fetcher-cache*
+rm -rf $subRepo
+pathSubmoduleGone=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$cloneRepo; rev = \"$rev2\"; submodules = true; }).outPath")
+[[ $pathSubmoduleGone = $pathWithRelative ]]

tests/flakes/common.sh

@@ -20,9 +20,13 @@ writeSimpleFlake() {
       foo = import ./simple.nix;
       default = foo;
     };
+    packages.someOtherSystem = rec {
+      foo = import ./simple.nix;
+      default = foo;
+    };
 
     # To test "nix flake init".
-    legacyPackages.x86_64-linux.hello = import ./simple.nix;
+    legacyPackages.$system.hello = import ./simple.nix;
   };
 }
 EOF

tests/flakes/init.sh

@@ -41,8 +41,8 @@ cat > $templatesDir/trivial/flake.nix <<EOF
   description = "A flake for building Hello World";
 
   outputs = { self, nixpkgs }: {
-    packages.x86_64-linux = rec {
-      hello = nixpkgs.legacyPackages.x86_64-linux.hello;
+    packages.$system = rec {
+      hello = nixpkgs.legacyPackages.$system.hello;
       default = hello;
     };
   };

tests/flakes/inputs.sh

@@ -0,0 +1,80 @@
+source ./common.sh
+
+requireGit
+
+
+test_subdir_self_path() {
+    baseDir=$TEST_ROOT/$RANDOM
+    flakeDir=$baseDir/b-low
+    mkdir -p $flakeDir
+    writeSimpleFlake $baseDir
+    writeSimpleFlake $flakeDir
+
+    echo all good > $flakeDir/message
+    cat > $flakeDir/flake.nix <<EOF
+{
+  outputs = inputs: rec {
+    packages.$system = rec {
+      default =
+        assert builtins.readFile ./message == "all good\n";
+        assert builtins.readFile (inputs.self + "/message") == "all good\n";
+        import ./simple.nix;
+    };
+  };
+}
+EOF
+    (
+        nix build $baseDir?dir=b-low --no-link
+    )
+}
+test_subdir_self_path
+
+
+test_git_subdir_self_path() {
+    repoDir=$TEST_ROOT/repo-$RANDOM
+    createGitRepo $repoDir
+    flakeDir=$repoDir/b-low
+    mkdir -p $flakeDir
+    writeSimpleFlake $repoDir
+    writeSimpleFlake $flakeDir
+
+    echo all good > $flakeDir/message
+    cat > $flakeDir/flake.nix <<EOF
+{
+  outputs = inputs: rec {
+    packages.$system = rec {
+      default =
+        assert builtins.readFile ./message == "all good\n";
+        assert builtins.readFile (inputs.self + "/message") == "all good\n";
+        assert inputs.self.outPath == inputs.self.sourceInfo.outPath + "/b-low";
+        import ./simple.nix;
+    };
+  };
+}
+EOF
+    (
+        cd $flakeDir
+        git add .
+        git commit -m init
+        # nix build
+    )
+
+    clientDir=$TEST_ROOT/client-$RANDOM
+    mkdir -p $clientDir
+    cat > $clientDir/flake.nix <<EOF
+{
+  inputs.inp = {
+    type = "git";
+    url = "file://$repoDir";
+    dir = "b-low";
+  };
+
+  outputs = inputs: rec {
+    packages = inputs.inp.packages;
+  };
+}
+EOF
+    nix build $clientDir --no-link
+
+}
+test_git_subdir_self_path

tests/flakes/show.sh

@@ -0,0 +1,66 @@
+source ./common.sh
+
+flakeDir=$TEST_ROOT/flake
+mkdir -p "$flakeDir"
+
+writeSimpleFlake "$flakeDir"
+cd "$flakeDir"
+
+
+# By default: Only show the packages content for the current system and no
+# legacyPackages at all
+nix flake show --json > show-output.json
+nix eval --impure --expr '
+let show_output = builtins.fromJSON (builtins.readFile ./show-output.json);
+in
+assert show_output.packages.someOtherSystem.default == {};
+assert show_output.packages.${builtins.currentSystem}.default.name == "simple";
+assert show_output.legacyPackages.${builtins.currentSystem} == {};
+true
+'
+
+# With `--all-systems`, show the packages for all systems
+nix flake show --json --all-systems > show-output.json
+nix eval --impure --expr '
+let show_output = builtins.fromJSON (builtins.readFile ./show-output.json);
+in
+assert show_output.packages.someOtherSystem.default.name == "simple";
+assert show_output.legacyPackages.${builtins.currentSystem} == {};
+true
+'
+
+# With `--legacy`, show the legacy packages
+nix flake show --json --legacy > show-output.json
+nix eval --impure --expr '
+let show_output = builtins.fromJSON (builtins.readFile ./show-output.json);
+in
+assert show_output.legacyPackages.${builtins.currentSystem}.hello.name == "simple";
+true
+'
+
+# Test that attributes are only reported when they have actual content
+cat >flake.nix <<EOF
+{
+  description = "Bla bla";
+
+  outputs = inputs: rec {
+    apps.$system = { };
+    checks.$system = { };
+    devShells.$system = { };
+    legacyPackages.$system = { };
+    packages.$system = { };
+    packages.someOtherSystem = { };
+
+    formatter = { };
+    nixosConfigurations = { };
+    nixosModules = { };
+  };
+}
+EOF
+nix flake show --json --all-systems > show-output.json
+nix eval --impure --expr '
+let show_output = builtins.fromJSON (builtins.readFile ./show-output.json);
+in
+assert show_output == { };
+true
+'

tests/init.sh

@@ -1,8 +1,13 @@
-source common.sh
+set -eu -o pipefail
+
+# Don't start the daemon
+source common/vars-and-functions.sh
 
 test -n "$TEST_ROOT"
 if test -d "$TEST_ROOT"; then
     chmod -R u+w "$TEST_ROOT"
+    # We would delete any daemon socket, so let's stop the daemon first.
+    killDaemon
     rm -rf "$TEST_ROOT"
 fi
 mkdir "$TEST_ROOT"

tests/installer/default.nix

@@ -120,7 +120,7 @@ let
 
   makeTest = imageName: testName:
     let image = images.${imageName}; in
-    with nixpkgsFor.${image.system};
+    with nixpkgsFor.${image.system}.native;
     runCommand
       "installer-test-${imageName}-${testName}"
       { buildInputs = [ qemu_kvm openssh ];

tests/lang/eval-fail-foldlStrict-strict-op-application.nix

@@ -0,0 +1,5 @@
+# Tests that the result of applying op is forced even if the value is never used
+builtins.foldl'
+  (_: f: f null)
+  null
+  [ (_: throw "Not the final value, but is still forced!") (_: 23) ]

tests/lang/eval-okay-foldlStrict-lazy-elements.exp

@@ -0,0 +1 @@
+42

tests/lang/eval-okay-foldlStrict-lazy-elements.nix

@@ -0,0 +1,9 @@
+# Tests that the rhs argument of op is not forced unconditionally
+let
+  lst = builtins.foldl'
+    (acc: x: acc ++ [ x ])
+    [ ]
+    [ 42 (throw "this shouldn't be evaluated") ];
+in
+
+builtins.head lst

tests/lang/eval-okay-foldlStrict-lazy-initial-accumulator.exp

@@ -0,0 +1 @@
+42

tests/lang/eval-okay-foldlStrict-lazy-initial-accumulator.nix

@@ -0,0 +1,6 @@
+# Checks that the nul value for the accumulator is not forced unconditionally.
+# Some languages provide a foldl' that is strict in this argument, but Nix does not.
+builtins.foldl'
+  (_: x: x)
+  (throw "This is never forced")
+  [ "but the results of applying op are" 42 ]

tests/linux-sandbox.sh

@@ -37,3 +37,6 @@ nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link
 (! nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link --check -K 2> $TEST_ROOT/log)
 if grep -q 'error: renaming' $TEST_ROOT/log; then false; fi
 grep -q 'may not be deterministic' $TEST_ROOT/log
+
+# Test that sandboxed builds cannot write to /etc easily
+(! nix-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' --no-out-link --sandbox-paths /nix/store)

tests/local.mk

@@ -1,9 +1,11 @@
 nix_tests = \
+  init.sh \
   flakes/flakes.sh \
   flakes/run.sh \
   flakes/mercurial.sh \
   flakes/circular.sh \
   flakes/init.sh \
+  flakes/inputs.sh \
   flakes/follow-paths.sh \
   flakes/bundle.sh \
   flakes/check.sh \
@@ -17,9 +19,11 @@ nix_tests = \
   fetchMercurial.sh \
   gc-auto.sh \
   user-envs.sh \
+  user-envs-migration.sh \
   binary-cache.sh \
   multiple-outputs.sh \
   ca/build.sh \
+  ca/new-build-cmd.sh \
   nix-build.sh \
   gc-concurrent.sh \
   repair.sh \
@@ -103,6 +107,8 @@ nix_tests = \
   ssh-relay.sh \
   plugins.sh \
   build.sh \
+  build-delete.sh \
+  output-normalization.sh \
   ca/nix-run.sh \
   selfref-gc.sh ca/selfref-gc.sh \
   db-migration.sh \
@@ -114,6 +120,7 @@ nix_tests = \
   store-ping.sh \
   fetchClosure.sh \
   completions.sh \
+  flakes/show.sh \
   impure-derivations.sh \
   path-from-hash-part.sh \
   toString-path.sh
@@ -124,9 +131,9 @@ endif
 
 install-tests += $(foreach x, $(nix_tests), tests/$(x))
 
-clean-files += $(d)/common.sh $(d)/config.nix $(d)/ca/config.nix
+clean-files += $(d)/tests/common/vars-and-functions.sh $(d)/config.nix $(d)/ca/config.nix
 
-test-deps += tests/common.sh tests/config.nix tests/ca/config.nix
+test-deps += tests/common/vars-and-functions.sh tests/config.nix tests/ca/config.nix tests/plugins/libplugintest.$(SO_EXT)
 
 ifeq ($(BUILD_SHARED_LIBS), 1)
   test-deps += tests/plugins/libplugintest.$(SO_EXT)

tests/nix-channel.sh

@@ -12,6 +12,19 @@ nix-channel --remove xyzzy
 [ -e $TEST_HOME/.nix-channels ]
 [ "$(cat $TEST_HOME/.nix-channels)" = '' ]
 
+# Test the XDG Base Directories support
+
+export NIX_CONFIG="use-xdg-base-directories = true"
+
+nix-channel --add http://foo/bar xyzzy
+nix-channel --list | grep -q http://foo/bar
+nix-channel --remove xyzzy
+
+unset NIX_CONFIG
+
+[ -e $TEST_HOME/.local/state/nix/channels ]
+[ "$(cat $TEST_HOME/.local/state/nix/channels)" = '' ]
+
 # Create a channel.
 rm -rf $TEST_ROOT/foo
 mkdir -p $TEST_ROOT/foo

tests/nix-profile.sh

@@ -56,6 +56,14 @@ nix profile history
 nix profile history | grep "packages.$system.default: ∅ -> 1.0"
 nix profile diff-closures | grep 'env-manifest.nix: ε → ∅'
 
+# Test XDG Base Directories support
+
+export NIX_CONFIG="use-xdg-base-directories = true"
+nix profile remove 1
+nix profile install $flake1Dir
+[[ $($TEST_HOME/.local/state/nix/profile/bin/hello) = "Hello World" ]]
+unset NIX_CONFIG
+
 # Test upgrading a package.
 printf NixOS > $flake1Dir/who
 printf 2.0 > $flake1Dir/version

tests/nixos/authorization.nix

@@ -0,0 +1,79 @@
+{
+  name = "authorization";
+
+  nodes.machine = {
+    virtualisation.writableStore = true;
+    # TODO add a test without allowed-users setting. allowed-users is uncommon among NixOS users.
+    nix.settings.allowed-users = ["alice" "bob"];
+    nix.settings.trusted-users = ["alice"];
+
+    users.users.alice.isNormalUser = true;
+    users.users.bob.isNormalUser = true;
+    users.users.mallory.isNormalUser = true;
+
+    nix.settings.experimental-features = "nix-command";
+  };
+
+  testScript =
+  let
+    pathFour = "/nix/store/20xfy868aiic0r0flgzq4n5dq1yvmxkn-four";
+  in
+  ''
+    machine.wait_for_unit("multi-user.target")
+    machine.succeed("""
+      exec 1>&2
+      echo kSELDhobKaF8/VdxIxdP7EQe+Q > one
+      diff $(nix store add-file one) one
+    """)
+    machine.succeed("""
+      su --login alice -c '
+        set -x
+        cd ~
+        echo ehHtmfuULXYyBV6NBk6QUi8iE0 > two
+        ls
+        diff $(echo $(nix store add-file two)) two' 1>&2
+    """)
+    machine.succeed("""
+      su --login bob -c '
+        set -x
+        cd ~
+        echo 0Jw8RNp7cK0W2AdNbcquofcOVk > three
+        diff $(nix store add-file three) three
+      ' 1>&2
+    """)
+
+    # We're going to check that a path is not created
+    machine.succeed("""
+      ! [[ -e ${pathFour} ]]
+    """)
+    machine.succeed("""
+      su --login mallory -c '
+        set -x
+        cd ~
+        echo 5mgtDj0ohrWkT50TLR0f4tIIxY > four;
+        (! nix store add-file four 2>&1) | grep -F "cannot open connection to remote store"
+        (! nix store add-file four 2>&1) | grep -F "Connection reset by peer"
+        ! [[ -e ${pathFour} ]]
+      ' 1>&2
+    """)
+
+    # Check that the file _can_ be added, and matches the expected path we were checking
+    machine.succeed("""
+      exec 1>&2
+      echo 5mgtDj0ohrWkT50TLR0f4tIIxY > four
+      four="$(nix store add-file four)"
+      diff $four four
+      diff <(echo $four) <(echo ${pathFour})
+    """)
+
+    machine.succeed("""
+      su --login alice -c 'nix-store --verify --repair'
+    """)
+
+    machine.succeed("""
+      set -x
+      su --login bob -c '(! nix-store --verify --repair 2>&1)' | tee diag 1>&2
+      grep -F "you are not privileged to repair paths" diag
+    """)
+  '';
+}

tests/nixos/containers/containers.nix

@@ -1,12 +1,7 @@
 # Test whether we can run a NixOS container inside a Nix build using systemd-nspawn.
-{ nixpkgs, system, overlay }:
+{ lib, nixpkgs, ... }:
 
-with import (nixpkgs + "/nixos/lib/testing-python.nix") {
-  inherit system;
-  extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
-};
-
-makeTest ({
+{
   name = "containers";
 
   nodes =
@@ -65,4 +60,4 @@ makeTest ({
     host.succeed("[[ $(cat ./result/msg) = 'Hello World' ]]")
   '';
 
-})
+}

tests/nixos/containers/systemd-nspawn.nix

@@ -56,12 +56,12 @@ runCommand "test"
     # Make /run a tmpfs to shut up a systemd warning.
     mkdir /run
     mount -t tmpfs none /run
-    chmod 0700 /run
 
     mount -t cgroup2 none /sys/fs/cgroup
 
     mkdir -p $out
 
+    chmod +w /etc
     touch /etc/os-release
     echo a5ea3f98dedc0278b6f3cc8c37eeaeac > /etc/machine-id
 

tests/nixos/github-flakes.nix

@@ -1,14 +1,9 @@
-{ nixpkgs, system, overlay }:
-
-with import (nixpkgs + "/nixos/lib/testing-python.nix") {
-  inherit system;
-  extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
-};
-
+{ lib, config, nixpkgs, ... }:
 let
+  pkgs = config.nodes.client.nixpkgs.pkgs;
 
   # Generate a fake root CA and a fake api.github.com / github.com / channels.nixos.org certificate.
-  cert = pkgs.runCommand "cert" { buildInputs = [ pkgs.openssl ]; }
+  cert = pkgs.runCommand "cert" { nativeBuildInputs = [ pkgs.openssl ]; }
     ''
       mkdir -p $out
 
@@ -92,8 +87,6 @@ let
     '';
 in
 
-makeTest (
-
 {
   name = "github-flakes";
 
@@ -207,4 +200,4 @@ makeTest (
     client.succeed("nix build nixpkgs#fuse --tarball-ttl 0")
   '';
 
-})
+}

tests/nixos/nix-copy-closure.nix

@@ -1,13 +1,16 @@
 # Test ‘nix-copy-closure’.
 
-{ nixpkgs, system, overlay }:
+{ lib, config, nixpkgs, hostPkgs, ... }:
 
-with import (nixpkgs + "/nixos/lib/testing-python.nix") {
-  inherit system;
-  extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
-};
+let
+  pkgs = config.nodes.client.nixpkgs.pkgs;
 
-makeTest (let pkgA = pkgs.cowsay; pkgB = pkgs.wget; pkgC = pkgs.hello; pkgD = pkgs.tmux; in {
+  pkgA = pkgs.cowsay;
+  pkgB = pkgs.wget;
+  pkgC = pkgs.hello;
+  pkgD = pkgs.tmux;
+
+in {
   name = "nix-copy-closure";
 
   nodes =
@@ -74,4 +77,4 @@ makeTest (let pkgA = pkgs.cowsay; pkgB = pkgs.wget; pkgC = pkgs.hello; pkgD = pk
     # )
     # client.succeed("nix-store --check-validity ${pkgC}")
   '';
-})
+}

tests/nixos/nss-preload.nix

@@ -1,11 +1,9 @@
-{ nixpkgs, system, overlay }:
-
-with import (nixpkgs + "/nixos/lib/testing-python.nix") {
-  inherit system;
-  extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
-};
+{ lib, config, nixpkgs, ... }:
 
 let
+
+  pkgs = config.nodes.client.nixpkgs.pkgs;
+
   nix-fetch = pkgs.writeText "fetch.nix" ''
     derivation {
         # This derivation is an copy from what is available over at
@@ -41,9 +39,7 @@ let
   '';
 in
 
-makeTest (
-
-rec {
+{
   name = "nss-preload";
 
   nodes = {
@@ -122,4 +118,4 @@ rec {
           nix-build ${nix-fetch} >&2
           """)
   '';
-})
+}

tests/nixos/remote-builds.nix

@@ -1,15 +1,9 @@
 # Test Nix's remote build feature.
 
-{ nixpkgs, system, overlay }:
-
-with import (nixpkgs + "/nixos/lib/testing-python.nix") {
-  inherit system;
-  extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
-};
-
-makeTest (
+{ config, lib, hostPkgs, ... }:
 
 let
+  pkgs = config.nodes.client.nixpkgs.pkgs;
 
   # The configuration of the remote builders.
   builder =
@@ -17,6 +11,11 @@ let
     { services.openssh.enable = true;
       virtualisation.writableStore = true;
       nix.settings.sandbox = true;
+
+      # Regression test for use of PID namespaces when /proc has
+      # filesystems mounted on top of it
+      # (i.e. /proc/sys/fs/binfmt_misc).
+      boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
     };
 
   # Trivial Nix expression to build remotely.
@@ -75,7 +74,7 @@ in
 
     # Create an SSH key on the client.
     subprocess.run([
-      "${pkgs.openssh}/bin/ssh-keygen", "-t", "ed25519", "-f", "key", "-N", ""
+      "${hostPkgs.openssh}/bin/ssh-keygen", "-t", "ed25519", "-f", "key", "-N", ""
     ], capture_output=True, check=True)
     client.succeed("mkdir -p -m 700 /root/.ssh")
     client.copy_from_host("key", "/root/.ssh/id_ed25519")
@@ -109,4 +108,4 @@ in
     builder1.block()
     client.succeed("nix-build ${expr nodes.client.config 4}")
   '';
-})
+}

tests/nixos/setuid.nix

@@ -1,13 +1,12 @@
 # Verify that Linux builds cannot create setuid or setgid binaries.
 
-{ nixpkgs, system, overlay }:
+{ lib, config, nixpkgs, ... }:
 
-with import (nixpkgs + "/nixos/lib/testing-python.nix") {
-  inherit system;
-  extraConfigurations = [ { nixpkgs.overlays = [ overlay ]; } ];
-};
+let
+  pkgs = config.nodes.machine.nixpkgs.pkgs;
 
-makeTest {
+in
+{
   name = "setuid";
 
   nodes.machine =

tests/nixos/sourcehut-flakes.nix

@@ -1,12 +1,8 @@
-{ nixpkgs, system, overlay }:
-
-with import (nixpkgs + "/nixos/lib/testing-python.nix")
-{
-  inherit system;
-  extraConfigurations = [{ nixpkgs.overlays = [ overlay ]; }];
-};
+{ lib, config, hostPkgs, nixpkgs, ... }:
 
 let
+  pkgs = config.nodes.sourcehut.nixpkgs.pkgs;
+
   # Generate a fake root CA and a fake git.sr.ht certificate.
   cert = pkgs.runCommand "cert" { buildInputs = [ pkgs.openssl ]; }
     ''
@@ -64,8 +60,6 @@ let
 
 in
 
-makeTest (
-
   {
     name = "sourcehut-flakes";
 
@@ -164,4 +158,4 @@ makeTest (
       client.succeed("nix build nixpkgs#fuse --tarball-ttl 0")
     '';
 
-  })
+}

tests/output-normalization.sh

@@ -0,0 +1,9 @@
+source common.sh
+
+testNormalization () {
+    clearStore
+    outPath=$(nix-build ./simple.nix --no-out-link)
+    test "$(stat -c %Y $outPath)" -eq 1
+}
+
+testNormalization

tests/remote-store.sh

@@ -30,7 +30,3 @@ NIX_REMOTE= nix-store --dump-db > $TEST_ROOT/d2
 cmp $TEST_ROOT/d1 $TEST_ROOT/d2
 
 killDaemon
-
-user=$(whoami)
-[ -e $NIX_STATE_DIR/gcroots/per-user/$user ]
-[ -e $NIX_STATE_DIR/profiles/per-user/$user ]

tests/store-ping.sh

@@ -1,13 +1,17 @@
 source common.sh
 
 STORE_INFO=$(nix store ping 2>&1)
+STORE_INFO_JSON=$(nix store ping --json)
 
 echo "$STORE_INFO" | grep "Store URL: ${NIX_REMOTE}"
 
 if [[ -v NIX_DAEMON_PACKAGE ]] && isDaemonNewer "2.7.0pre20220126"; then
     DAEMON_VERSION=$($NIX_DAEMON_PACKAGE/bin/nix-daemon --version | cut -d' ' -f3)
     echo "$STORE_INFO" | grep "Version: $DAEMON_VERSION"
+    [[ "$(echo "$STORE_INFO_JSON" | jq -r ".version")" == "$DAEMON_VERSION" ]]
 fi
 
 expect 127 NIX_REMOTE=unix:$PWD/store nix store ping || \
     fail "nix store ping on a non-existent store should fail"
+
+[[ "$(echo "$STORE_INFO_JSON" | jq -r ".url")" == "${NIX_REMOTE:-local}" ]]

tests/user-envs-migration.sh

@@ -0,0 +1,35 @@
+# Test that the migration of user environments
+# (https://github.com/NixOS/nix/pull/5226) does preserve everything
+
+source common.sh
+
+if isDaemonNewer "2.4pre20211005"; then
+    exit 99
+fi
+
+
+killDaemon
+unset NIX_REMOTE
+
+clearStore
+clearProfiles
+rm -rf ~/.nix-profile
+
+# Fill the environment using the older Nix
+PATH_WITH_NEW_NIX="$PATH"
+export PATH="$NIX_DAEMON_PACKAGE/bin:$PATH"
+
+nix-env -f user-envs.nix -i foo-1.0
+nix-env -f user-envs.nix -i bar-0.1
+
+# Migrate to the new profile dir, and ensure that everything’s there
+export PATH="$PATH_WITH_NEW_NIX"
+nix-env -q # Trigger the migration
+( [[ -L ~/.nix-profile ]] && \
+    [[ $(readlink ~/.nix-profile) == ~/.local/share/nix/profiles/profile ]] ) || \
+    fail "The nix profile should point to the new location"
+
+(nix-env -q | grep foo && nix-env -q | grep bar && \
+    [[ -e ~/.nix-profile/bin/foo ]] && \
+    [[ $(nix-env --list-generations | wc -l) == 2 ]]) ||
+    fail "The nix profile should have the same content as before the migration"