Make CA derivations compatible with recursive Nix

Add an access-control list to the realisations in recursive-nix (similar to the already existing one for store paths), so that we can build content-addressed derivations in the restricted store. Fix #4353
2025-07-07 14:21:48 +02:00 · 2021-06-23 17:27:18 +02:00 · 2021-06-23 17:27:18 +02:00 · 7746cb13dc
commit 7746cb13dc
parent 0a535dd5ac
5 changed files with 48 additions and 10 deletions
--- a/tests/ca/recursive.sh
+++ b/tests/ca/recursive.sh
@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+source common.sh
+
+sed -i 's/experimental-features .*/& ca-derivations ca-references nix-command flakes/' "$NIX_CONF_DIR"/nix.conf
+
+export NIX_TESTS_CA_BY_DEFAULT=1
+cd ..
+source ./recursive.sh
+
+
--- a/tests/local.mk
+++ b/tests/local.mk
@ -52,6 +52,7 @@ nix_tests = \
  ca/signatures.sh \
  ca/nix-shell.sh \
  ca/nix-run.sh \
+  ca/recursive.sh \
  ca/nix-copy.sh
  # parallel.sh

--- a/tests/recursive.sh
+++ b/tests/recursive.sh
@ -9,9 +9,9 @@ rm -f $TEST_ROOT/result

 export unreachable=$(nix store add-path ./recursive.sh)

-NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command recursive-nix' build -o $TEST_ROOT/result -L --impure --expr '
+NIX_BIN_DIR=$(dirname $(type -p nix)) nix --extra-experimental-features 'nix-command recursive-nix' build -o $TEST_ROOT/result -L --impure --expr '
  with import ./config.nix;
-  mkDerivation {
+  mkDerivation rec {
    name = "recursive";
    dummy = builtins.toFile "dummy" "bla bla";
    SHELL = shell;
@ -19,11 +19,13 @@ NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command r
    # Note: this is a string without context.
    unreachable = builtins.getEnv "unreachable";

+    NIX_TESTS_CA_BY_DEFAULT = builtins.getEnv "NIX_TESTS_CA_BY_DEFAULT";
+
    requiredSystemFeatures = [ "recursive-nix" ];

    buildCommand = '\'\''
      mkdir $out
-      opts="--experimental-features nix-command"
+      opts="--experimental-features nix-command ${if (NIX_TESTS_CA_BY_DEFAULT == "1") then "--extra-experimental-features ca-derivations" else ""}"

      PATH=${builtins.getEnv "NIX_BIN_DIR"}:$PATH

@ -46,16 +48,15 @@ NIX_BIN_DIR=$(dirname $(type -p nix)) nix --experimental-features 'nix-command r
      # Add it to our closure.
      ln -s $foobar $out/foobar

-      [[ $(nix $opts path-info --all | wc -l) -eq 3 ]]
+      [[ $(nix $opts path-info --all | wc -l) -eq 4 ]]

      # Build a derivation.
      nix $opts build -L --impure --expr '\''
-        derivation {
+        with import ${./config.nix};
+        mkDerivation {
          name = "inner1";
-          builder = builtins.getEnv "SHELL";
-          system = builtins.getEnv "system";
+          buildCommand = "echo $fnord blaat > $out";
          fnord = builtins.toFile "fnord" "fnord";
-          args = [ "-c" "echo $fnord blaat > $out" ];
        }
      '\''