Merge remote-tracking branch 'origin/2.24-maintenance' into sync-2.24.9

tests/functional/nix-shell.sh

@@ -31,6 +31,15 @@ output=$(nix-shell --pure --keep SELECTED_IMPURE_VAR "$shellDotNix" -A shellDrv
 
 [ "$output" = " - foo - bar - baz" ]
 
+# test NIX_BUILD_TOP
+testTmpDir=$(pwd)/nix-shell
+mkdir -p "$testTmpDir"
+output=$(TMPDIR="$testTmpDir" nix-shell --pure "$shellDotNix" -A shellDrv --run 'echo $NIX_BUILD_TOP')
+[[ "$output" =~ ${testTmpDir}.* ]] || {
+    echo "expected $output =~ ${testTmpDir}.*" >&2
+    exit 1
+}
+
 # Test nix-shell on a .drv
 [[ $(nix-shell --pure $(nix-instantiate "$shellDotNix" -A shellDrv) --run \
     'echo "$IMPURE_VAR - $VAR_FROM_STDENV_SETUP - $VAR_FROM_NIX - $TEST_inNixShell"') = " - foo - bar - false" ]]

tests/functional/tarball.sh

@@ -100,3 +100,17 @@ chmod +x "$TEST_ROOT/tar_root/foo"
 tar cvf "$TEST_ROOT/tar.tar" -C "$TEST_ROOT/tar_root" .
 path="$(nix flake prefetch --refresh --json "tarball+file://$TEST_ROOT/tar.tar" | jq -r .storePath)"
 [[ $(cat "$path/foo") = bar ]]
+
+# Test a tarball with non-contiguous directory entries.
+rm -rf "$TEST_ROOT/tar_root"
+mkdir -p "$TEST_ROOT/tar_root/a/b"
+echo foo > "$TEST_ROOT/tar_root/a/b/foo"
+echo bla > "$TEST_ROOT/tar_root/bla"
+tar cvf "$TEST_ROOT/tar.tar" -C "$TEST_ROOT/tar_root" .
+echo abc > "$TEST_ROOT/tar_root/bla"
+echo xyzzy > "$TEST_ROOT/tar_root/a/b/xyzzy"
+tar rvf "$TEST_ROOT/tar.tar" -C "$TEST_ROOT/tar_root" ./a/b/xyzzy ./bla
+path="$(nix flake prefetch --refresh --json "tarball+file://$TEST_ROOT/tar.tar" | jq -r .storePath)"
+[[ $(cat "$path/a/b/xyzzy") = xyzzy ]]
+[[ $(cat "$path/a/b/foo") = foo ]]
+[[ $(cat "$path/bla") = abc ]]

tests/nixos/default.nix

@@ -148,4 +148,6 @@ in
   user-sandboxing = runNixOSTestFor "x86_64-linux" ./user-sandboxing;
 
   fetchurl = runNixOSTestFor "x86_64-linux" ./fetchurl.nix;
+
+  s3-binary-cache-store = runNixOSTestFor "x86_64-linux" ./s3-binary-cache-store.nix;
 }

tests/nixos/fetchurl.nix

@@ -1,7 +1,7 @@
 # Test whether builtin:fetchurl properly performs TLS certificate
 # checks on HTTPS servers.
 
-{ lib, config, pkgs, ... }:
+{ pkgs, ... }:
 
 let
 
@@ -25,7 +25,7 @@ in
   name = "nss-preload";
 
   nodes = {
-    machine = { lib, pkgs, ... }: {
+    machine = { pkgs, ... }: {
       services.nginx = {
         enable = true;
 
@@ -60,13 +60,16 @@ in
     };
   };
 
-  testScript = { nodes, ... }: ''
+  testScript = ''
     machine.wait_for_unit("nginx")
     machine.wait_for_open_port(443)
 
     out = machine.succeed("curl https://good/index.html")
     assert out == "hello world\n"
 
+    out = machine.succeed("cat ${badCert}/cert.pem > /tmp/cafile.pem; curl --cacert /tmp/cafile.pem https://bad/index.html")
+    assert out == "foobar\n"
+
     # Fetching from a server with a trusted cert should work.
     machine.succeed("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://good/index.html\"; hash = \"sha256-qUiQTy8PR5uPgZdpSzAYSw0u0cHNKh7A+4XSmaGSpEc=\"; }'")
 
@@ -74,5 +77,8 @@ in
     err = machine.fail("nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }' 2>&1")
     print(err)
     assert "SSL certificate problem: self-signed certificate" in err
+
+    # Fetching from a server with a trusted cert should work via environment variable override.
+    machine.succeed("NIX_SSL_CERT_FILE=/tmp/cafile.pem nix build --no-substitute --expr 'import <nix/fetchurl.nix> { url = \"https://bad/index.html\"; hash = \"sha256-rsBwZF/lPuOzdjBZN2E08FjMM3JHyXit0Xi2zN+wAZ8=\"; }'")
   '';
 }

tests/nixos/nix-copy-closure.nix

@@ -1,6 +1,6 @@
 # Test ‘nix-copy-closure’.
 
-{ lib, config, nixpkgs, hostPkgs, ... }:
+{ lib, config, nixpkgs, ... }:
 
 let
   pkgs = config.nodes.client.nixpkgs.pkgs;

tests/nixos/s3-binary-cache-store.nix

@@ -0,0 +1,66 @@
+{ lib, config, nixpkgs, ... }:
+
+let
+  pkgs = config.nodes.client.nixpkgs.pkgs;
+
+  pkgA = pkgs.cowsay;
+
+  accessKey = "BKIKJAA5BMMU2RHO6IBB";
+  secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12";
+  env = "AWS_ACCESS_KEY_ID=${accessKey} AWS_SECRET_ACCESS_KEY=${secretKey}";
+
+  storeUrl = "s3://my-cache?endpoint=http://server:9000&region=eu-west-1";
+
+in {
+  name = "nix-copy-closure";
+
+  nodes =
+    { server =
+        { config, lib, pkgs, ... }:
+        { virtualisation.writableStore = true;
+          virtualisation.additionalPaths = [ pkgA ];
+          environment.systemPackages = [ pkgs.minio-client ];
+          nix.extraOptions = "experimental-features = nix-command";
+          services.minio = {
+            enable = true;
+            region = "eu-west-1";
+            rootCredentialsFile = pkgs.writeText "minio-credentials-full" ''
+              MINIO_ROOT_USER=${accessKey}
+              MINIO_ROOT_PASSWORD=${secretKey}
+            '';
+          };
+          networking.firewall.allowedTCPPorts = [ 9000 ];
+        };
+
+      client =
+        { config, pkgs, ... }:
+        { virtualisation.writableStore = true;
+          nix.extraOptions = "experimental-features = nix-command";
+        };
+    };
+
+  testScript = { nodes }: ''
+    # fmt: off
+    start_all()
+
+    # Create a binary cache.
+    server.wait_for_unit("minio")
+
+    server.succeed("mc config host add minio http://localhost:9000 ${accessKey} ${secretKey} --api s3v4")
+    server.succeed("mc mb minio/my-cache")
+
+    server.succeed("${env} nix copy --to '${storeUrl}' ${pkgA}")
+
+    # Test fetchurl on s3:// URLs while we're at it.
+    client.succeed("${env} nix eval --impure --expr 'builtins.fetchurl { name = \"foo\"; url = \"s3://my-cache/nix-cache-info?endpoint=http://server:9000&region=eu-west-1\"; }'")
+
+    # Copy a package from the binary cache.
+    client.fail("nix path-info ${pkgA}")
+
+    client.succeed("${env} nix store info --store '${storeUrl}' >&2")
+
+    client.succeed("${env} nix copy --no-check-sigs --from '${storeUrl}' ${pkgA}")
+
+    client.succeed("nix path-info ${pkgA}")
+  '';
+}