Add support for impure derivations

Impure derivations are derivations that can produce a different result
every time they're built. Example:

  stdenv.mkDerivation {
    name = "impure";
    __impure = true; # marks this derivation as impure
    outputHashAlgo = "sha256";
    outputHashMode = "recursive";
    buildCommand = "date > $out";
  };

Some important characteristics:

* This requires the 'impure-derivations' experimental feature.

* Impure derivations are not "cached". Thus, running "nix-build" on
  the example above multiple times will cause a rebuild every time.

* They are implemented similar to CA derivations, i.e. the output is
  moved to a content-addressed path in the store. The difference is
  that we don't register a realisation in the Nix database.

* Pure derivations are not allowed to depend on impure derivations. In
  the future fixed-output derivations will be allowed to depend on
  impure derivations, thus forming an "impurity barrier" in the
  dependency graph.

* When sandboxing is enabled, impure derivations can access the
  network in the same way as fixed-output derivations. In relaxed
  sandboxing mode, they can access the local filesystem.

src/libstore/derivations.hh

@@ -41,15 +41,26 @@ struct DerivationOutputCAFloating
 };
 
 /* Input-addressed output which depends on a (CA) derivation whose hash isn't
- * known atm
+ * known yet.
  */
 struct DerivationOutputDeferred {};
 
+/* Impure output which is moved to a content-addressed location (like
+   CAFloating) but isn't registered as a realization.
+ */
+struct DerivationOutputImpure
+{
+    /* information used for expected hash computation */
+    FileIngestionMethod method;
+    HashType hashType;
+};
+
 typedef std::variant<
     DerivationOutputInputAddressed,
     DerivationOutputCAFixed,
     DerivationOutputCAFloating,
-    DerivationOutputDeferred
+    DerivationOutputDeferred,
+    DerivationOutputImpure
 > _DerivationOutputRaw;
 
 struct DerivationOutput : _DerivationOutputRaw
@@ -61,6 +72,7 @@ struct DerivationOutput : _DerivationOutputRaw
     using CAFixed = DerivationOutputCAFixed;
     using CAFloating = DerivationOutputCAFloating;
     using Deferred = DerivationOutputDeferred;
+    using Impure = DerivationOutputImpure;
 
     /* Note, when you use this function you should make sure that you're passing
        the right derivation name. When in doubt, you should use the safer
@@ -94,9 +106,13 @@ struct DerivationType_ContentAddressed {
     bool fixed;
 };
 
+struct DerivationType_Impure {
+};
+
 typedef std::variant<
     DerivationType_InputAddressed,
-    DerivationType_ContentAddressed
+    DerivationType_ContentAddressed,
+    DerivationType_Impure
 > _DerivationTypeRaw;
 
 struct DerivationType : _DerivationTypeRaw {
@@ -104,7 +120,7 @@ struct DerivationType : _DerivationTypeRaw {
     using Raw::Raw;
     using InputAddressed = DerivationType_InputAddressed;
     using ContentAddressed = DerivationType_ContentAddressed;
-
+    using Impure = DerivationType_Impure;
 
     /* Do the outputs of the derivation have paths calculated from their content,
        or from the derivation itself? */
@@ -114,10 +130,13 @@ struct DerivationType : _DerivationTypeRaw {
        non-CA derivations. */
     bool isFixed() const;
 
-    /* Is the derivation impure and needs to access non-deterministic resources, or
-       pure and can be sandboxed? Note that whether or not we actually sandbox the
-       derivation is controlled separately. Never true for non-CA derivations. */
-    bool isImpure() const;
+    /* Whether the derivation needs to access the network. Note that
+       whether or not we actually sandbox the derivation is controlled
+       separately. Never true for non-CA derivations. */
+    bool needsNetworkAccess() const;
+
+    /* FIXME */
+    bool isPure() const;
 
     /* Does the derivation knows its own output paths?
        Only true when there's no floating-ca derivation involved in the
@@ -173,7 +192,14 @@ struct Derivation : BasicDerivation
           added directly to input sources.
 
        2. Input placeholders are replaced with realized input store paths. */
-    std::optional<BasicDerivation> tryResolve(Store & store);
+    std::optional<BasicDerivation> tryResolve(Store & store) const;
+
+    /* Like the above, but instead of querying the Nix database for
+       realisations, uses a given mapping from input derivation paths
+       + output names to actual output store paths. */
+    std::optional<BasicDerivation> tryResolve(
+        Store & store,
+        const std::map<std::pair<StorePath, std::string>, StorePath> & inputDrvOutputs) const;
 
     Derivation() = default;
     Derivation(const BasicDerivation & bd) : BasicDerivation(bd) { }
@@ -211,7 +237,7 @@ std::string outputPathName(std::string_view drvName, std::string_view outputName
 struct DrvHash {
     std::map<std::string, Hash> hashes;
 
-    enum struct Kind: bool {
+    enum struct Kind : bool {
         // Statically determined derivations.
         // This hash will be directly used to compute the output paths
         Regular,
@@ -252,8 +278,10 @@ DrvHash hashDerivationModulo(Store & store, const Derivation & drv, bool maskOut
 /*
    Return a map associating each output to a hash that uniquely identifies its
    derivation (modulo the self-references).
+
+   FIXME: what is the Hash in this map?
  */
-std::map<std::string, Hash> staticOutputHashes(Store& store, const Derivation& drv);
+std::map<std::string, Hash> staticOutputHashes(Store & store, const Derivation & drv);
 
 /* Memoisation of hashDerivationModulo(). */
 typedef std::map<StorePath, DrvHash> DrvHashes;
@@ -286,4 +314,6 @@ std::string hashPlaceholder(const std::string_view outputName);
    dependency which is a CA derivation. */
 std::string downstreamPlaceholder(const Store & store, const StorePath & drvPath, std::string_view outputName);
 
+extern const Hash impureOutputHash;
+
 }