Merge remote-tracking branch 'origin/master' into libgit2

tests/functional/config.sh

@@ -50,7 +50,8 @@ exp_cores=$(nix show-config | grep '^cores' | cut -d '=' -f 2 | xargs)
 exp_features=$(nix show-config | grep '^experimental-features' | cut -d '=' -f 2 | xargs)
 [[ $prev != $exp_cores ]]
 [[ $exp_cores == "4242" ]]
-[[ $exp_features == "flakes nix-command" ]]
+# flakes implies fetch-tree
+[[ $exp_features == "fetch-tree flakes nix-command" ]]
 
 # Test that it's possible to retrieve a single setting's value
 val=$(nix show-config | grep '^warn-dirty' | cut -d '=' -f  2 | xargs)

tests/functional/fetchGitVerification.sh

@@ -0,0 +1,82 @@
+source common.sh
+
+requireGit
+[[ $(type -p ssh-keygen) ]] || skipTest "ssh-keygen not installed" # require ssh-keygen
+
+enableFeatures "verified-fetches"
+
+clearStore
+
+repo="$TEST_ROOT/git"
+
+# generate signing keys
+keysDir=$TEST_ROOT/.ssh
+mkdir -p "$keysDir"
+ssh-keygen -f "$keysDir/testkey1" -t ed25519 -P "" -C "test key 1"
+key1File="$keysDir/testkey1.pub"
+publicKey1=$(awk '{print $2}' "$key1File")
+ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2"
+key2File="$keysDir/testkey2.pub"
+publicKey2=$(awk '{print $2}' "$key2File")
+
+git init $repo
+git -C $repo config user.email "foobar@example.com"
+git -C $repo config user.name "Foobar"
+git -C $repo config gpg.format ssh
+
+echo 'hello' > $repo/text
+git -C $repo add text
+git -C $repo -c "user.signingkey=$key1File" commit -S -m 'initial commit'
+
+out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
+[[ $status == 1 ]]
+[[ $out =~ 'No principal matched.' ]]
+[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]]
+
+echo 'hello world' > $repo/text
+
+# Verification on a dirty repo should fail.
+out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
+[[ $status == 1 ]]
+[[ $out =~ 'dirty' ]]
+
+git -C $repo add text
+git -C $repo -c "user.signingkey=$key2File" commit -S -m 'second commit'
+
+[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]]
+
+# Flake input test
+flakeDir="$TEST_ROOT/flake"
+mkdir -p "$flakeDir"
+cat > "$flakeDir/flake.nix" <<EOF
+{
+  inputs.test = {
+    type = "git";
+    url = "file://$repo";
+    flake = false;
+    publicKeys = [
+      { type = "ssh-rsa"; key = "$publicKey2"; }
+    ];
+  };
+
+  outputs = { test, ... }: { test = test.outPath; };
+}
+EOF
+nix build --out-link "$flakeDir/result" "$flakeDir#test"
+[[ $(cat "$flakeDir/result/text") = 'hello world' ]]
+
+cat > "$flakeDir/flake.nix" <<EOF
+{
+  inputs.test = {
+    type = "git";
+    url = "file://$repo";
+    flake = false;
+    publicKey= "$publicKey1";
+  };
+
+  outputs = { test, ... }: { test = test.outPath; };
+}
+EOF
+out=$(nix build "$flakeDir#test" 2>&1) || status=$?
+[[ $status == 1 ]]
+[[ $out =~ 'No principal matched.' ]]

tests/functional/flakes/common.sh

@@ -11,6 +11,7 @@ writeSimpleFlake() {
   outputs = inputs: rec {
     packages.$system = rec {
       foo = import ./simple.nix;
+      fooScript = (import ./shell.nix {}).foo;
       default = foo;
     };
     packages.someOtherSystem = rec {
@@ -24,13 +25,13 @@ writeSimpleFlake() {
 }
 EOF
 
-    cp ../simple.nix ../simple.builder.sh ../config.nix $flakeDir/
+    cp ../simple.nix ../shell.nix ../simple.builder.sh ../config.nix $flakeDir/
 }
 
 createSimpleGitFlake() {
     local flakeDir="$1"
     writeSimpleFlake $flakeDir
-    git -C $flakeDir add flake.nix simple.nix simple.builder.sh config.nix
+    git -C $flakeDir add flake.nix simple.nix shell.nix simple.builder.sh config.nix
     git -C $flakeDir commit -m 'Initial'
 }
 

tests/functional/flakes/flakes.sh

@@ -66,9 +66,82 @@ cat > "$nonFlakeDir/README.md" <<EOF
 FNORD
 EOF
 
-git -C "$nonFlakeDir" add README.md
+cat > "$nonFlakeDir/shebang.sh" <<EOF
+#! $(type -P env) nix
+#! nix --offline shell
+#! nix flake1#fooScript
+#! nix --no-write-lock-file --command bash
+set -ex
+foo
+echo "\$@"
+EOF
+chmod +x "$nonFlakeDir/shebang.sh"
+
+git -C "$nonFlakeDir" add README.md shebang.sh
 git -C "$nonFlakeDir" commit -m 'Initial'
 
+# this also tests a fairly trivial double backtick quoted string, ``--command``
+cat > $nonFlakeDir/shebang-comments.sh <<EOF
+#! $(type -P env) nix
+# some comments
+# some comments
+# some comments
+#! nix --offline shell
+#! nix flake1#fooScript
+#! nix --no-write-lock-file ``--command`` bash
+foo
+EOF
+chmod +x $nonFlakeDir/shebang-comments.sh
+
+cat > $nonFlakeDir/shebang-reject.sh <<EOF
+#! $(type -P env) nix
+# some comments
+# some comments
+# some comments
+#! nix --offline shell *
+#! nix flake1#fooScript
+#! nix --no-write-lock-file --command bash
+foo
+EOF
+chmod +x $nonFlakeDir/shebang-reject.sh
+
+cat > $nonFlakeDir/shebang-inline-expr.sh <<EOF
+#! $(type -P env) nix
+EOF
+cat >> $nonFlakeDir/shebang-inline-expr.sh <<"EOF"
+#! nix --offline shell
+#! nix --impure --expr ``
+#! nix let flake = (builtins.getFlake (toString ../flake1)).packages;
+#! nix     fooScript = flake.${builtins.currentSystem}.fooScript;
+#! nix     /* just a comment !@#$%^&*()__+ # */
+#! nix  in fooScript
+#! nix ``
+#! nix --no-write-lock-file --command bash
+set -ex
+foo
+echo "$@"
+EOF
+chmod +x $nonFlakeDir/shebang-inline-expr.sh
+
+cat > $nonFlakeDir/fooScript.nix <<"EOF"
+let flake = (builtins.getFlake (toString ../flake1)).packages;
+    fooScript = flake.${builtins.currentSystem}.fooScript;
+ in fooScript
+EOF
+
+cat > $nonFlakeDir/shebang-file.sh <<EOF
+#! $(type -P env) nix
+EOF
+cat >> $nonFlakeDir/shebang-file.sh <<"EOF"
+#! nix --offline shell
+#! nix --impure --file ./fooScript.nix
+#! nix --no-write-lock-file --command bash
+set -ex
+foo
+echo "$@"
+EOF
+chmod +x $nonFlakeDir/shebang-file.sh
+
 # Construct a custom registry, additionally test the --registry flag
 nix registry add --registry "$registry" flake1 "git+file://$flake1Dir"
 nix registry add --registry "$registry" flake2 "git+file://$percentEncodedFlake2Dir"
@@ -511,3 +584,11 @@ nix flake metadata "$flake2Dir" --reference-lock-file $TEST_ROOT/flake2-overridd
 
 # reference-lock-file can only be used if allow-dirty is set.
 expectStderr 1 nix flake metadata "$flake2Dir" --no-allow-dirty --reference-lock-file $TEST_ROOT/flake2-overridden.lock
+
+# Test shebang
+[[ $($nonFlakeDir/shebang.sh) = "foo" ]]
+[[ $($nonFlakeDir/shebang.sh "bar") = "foo"$'\n'"bar" ]]
+[[ $($nonFlakeDir/shebang-comments.sh ) = "foo" ]]
+[[ $($nonFlakeDir/shebang-inline-expr.sh baz) = "foo"$'\n'"baz" ]]
+[[ $($nonFlakeDir/shebang-file.sh baz) = "foo"$'\n'"baz" ]]
+expect 1 $nonFlakeDir/shebang-reject.sh 2>&1 | grepQuiet -F 'error: unsupported unquoted character in nix shebang: *. Use double backticks to escape?'

tests/functional/lang.sh

@@ -23,6 +23,7 @@ nix-instantiate --trace-verbose --eval -E 'builtins.traceVerbose "Hello" 123' 2>
 nix-instantiate --eval -E 'builtins.traceVerbose "Hello" 123' 2>&1 | grepQuietInverse Hello
 nix-instantiate --show-trace --eval -E 'builtins.addErrorContext "Hello" 123' 2>&1 | grepQuietInverse Hello
 expectStderr 1 nix-instantiate --show-trace --eval -E 'builtins.addErrorContext "Hello" (throw "Foo")' | grepQuiet Hello
+expectStderr 1 nix-instantiate --show-trace --eval -E 'builtins.addErrorContext "Hello %" (throw "Foo")' | grepQuiet 'Hello %'
 
 nix-instantiate --eval -E 'let x = builtins.trace { x = x; } true; in x' \
   2>&1 | grepQuiet -E 'trace: { x = «potential infinite recursion»; }'

tests/functional/local.mk

@@ -55,6 +55,7 @@ nix_tests = \
   secure-drv-outputs.sh \
   restricted.sh \
   fetchGitSubmodules.sh \
+  fetchGitVerification.sh \
   flakes/search-root.sh \
   readfile-context.sh \
   nix-channel.sh \
@@ -119,6 +120,7 @@ nix_tests = \
   flakes/show.sh \
   impure-derivations.sh \
   path-from-hash-part.sh \
+  path-info.sh \
   toString-path.sh \
   read-only-store.sh \
   nested-sandboxing.sh \

tests/functional/nar-access.sh

@@ -27,9 +27,8 @@ diff -u baz.cat-nar $storePath/foo/baz
 
 # Check that 'nix store cat' fails on invalid store paths.
 invalidPath="$(dirname $storePath)/99999999999999999999999999999999-foo"
-mv $storePath $invalidPath
+cp -r $storePath $invalidPath
 expect 1 nix store cat $invalidPath/foo/baz
-mv $invalidPath $storePath
 
 # Test --json.
 diff -u \

tests/functional/path-info.sh

@@ -0,0 +1,23 @@
+source common.sh
+
+echo foo > $TEST_ROOT/foo
+foo=$(nix store add-file $TEST_ROOT/foo)
+
+echo bar > $TEST_ROOT/bar
+bar=$(nix store add-file $TEST_ROOT/bar)
+
+echo baz > $TEST_ROOT/baz
+baz=$(nix store add-file $TEST_ROOT/baz)
+nix-store --delete "$baz"
+
+diff --unified --color=always \
+    <(nix path-info --json "$foo" "$bar" "$baz" |
+        jq --sort-keys 'map_values(.narHash)') \
+    <(jq --sort-keys <<-EOF
+        {
+          "$foo": "sha256-QvtAMbUl/uvi+LCObmqOhvNOapHdA2raiI4xG5zI5pA=",
+          "$bar": "sha256-9fhYGu9fqxcQC2Kc81qh2RMo1QcLBUBo8U+pPn+jthQ=",
+          "$baz": null
+        }
+EOF
+    )

tests/functional/tarball.sh

@@ -18,7 +18,7 @@ test_tarball() {
     local compressor="$2"
 
     tarball=$TEST_ROOT/tarball.tar$ext
-    (cd $TEST_ROOT && tar cf - tarball) | $compressor > $tarball
+    (cd $TEST_ROOT && GNUTAR_REPRODUCIBLE= tar --mtime=$tarroot/default.nix --owner=0 --group=0 --numeric-owner --sort=name -c -f - tarball) | $compressor > $tarball
 
     nix-env -f file://$tarball -qa --out-path | grepQuiet dependencies