Merge pull request #12077 from NixOS/mergify/bp/2.24-maintenance/pr-12045

EvalState::realiseContext(): Allow access to the entire closure (backport #12045)

src/libexpr/eval.cc

@@ -379,6 +379,16 @@ void EvalState::allowPath(const StorePath & storePath)
         rootFS2->allowPrefix(CanonPath(store->toRealPath(storePath)));
 }
 
+void EvalState::allowClosure(const StorePath & storePath)
+{
+    if (!rootFS.dynamic_pointer_cast<AllowListSourceAccessor>()) return;
+
+    StorePathSet closure;
+    store->computeFSClosure(storePath, closure);
+    for (auto & p : closure)
+        allowPath(p);
+}
+
 void EvalState::allowAndSetStorePathString(const StorePath & storePath, Value & v)
 {
     allowPath(storePath);
@@ -3113,10 +3123,7 @@ std::optional<std::string> EvalState::resolveLookupPathPath(const LookupPath::Pa
             allowPath(path);
             if (store->isInStore(path)) {
                 try {
-                    StorePathSet closure;
+                    allowClosure(store->toStorePath(path).first);
-                    store->computeFSClosure(store->toStorePath(path).first, closure);
-                    for (auto & p : closure)
-                        allowPath(p);
                 } catch (InvalidPath &) { }
             }
         }

src/libexpr/eval.hh

@@ -392,6 +392,11 @@ public:
      */
     void allowPath(const StorePath & storePath);
 
+    /**
+     * Allow access to the closure of a store path.
+     */
+    void allowClosure(const StorePath & storePath);
+
     /**
      * Allow access to a store path and return it as a string.
      */

src/libexpr/primops.cc

@@ -113,11 +113,9 @@ StringMap EvalState::realiseContext(const NixStringContext & context, StorePathS
     if (store != buildStore) copyClosure(*buildStore, *store, outputsToCopyAndAllow);
 
     if (isIFD) {
-        for (auto & outputPath : outputsToCopyAndAllow) {
+        /* Allow access to the output closures of this derivation. */
-            /* Add the output of this derivations to the allowed
+        for (auto & outputPath : outputsToCopyAndAllow)
-            paths. */
+            allowClosure(outputPath);
-            allowPath(outputPath);
-        }
     }
 
     return res;

tests/functional/common/vars-and-functions.sh

@@ -29,6 +29,11 @@ source "$commonDir/test-root.sh"
 test_nix_conf_dir=$TEST_ROOT/etc
 test_nix_conf=$test_nix_conf_dir/nix.conf
 
+# introduced in master in 9d2ed0a7d384a7759d5981425fba41ecf1b4b9e1,
+# https://github.com/NixOS/nix/pull/11792. Could be replaced by a
+# full backport.
+config_nix="${commonDir}/config.nix"
+
 export TEST_HOME=$TEST_ROOT/test-home
 
 if ! isTestOnNixOS; then

tests/functional/import-from-derivation.nix

@@ -0,0 +1,52 @@
+with import <config>;
+
+rec {
+  bar = mkDerivation {
+    name = "bar";
+    builder = builtins.toFile "builder.sh"
+      ''
+        echo 'builtins.add 123 456' > $out
+      '';
+  };
+
+  value =
+    # Test that pathExists can check the existence of /nix/store paths
+    assert builtins.pathExists bar;
+    import bar;
+
+  result = mkDerivation {
+    name = "foo";
+    builder = builtins.toFile "builder.sh"
+      ''
+        echo -n FOO${toString value} > $out
+      '';
+  };
+
+  addPath = mkDerivation {
+    name = "add-path";
+    src = builtins.filterSource (path: type: true) result;
+    builder = builtins.toFile "builder.sh"
+      ''
+        echo -n BLA$(cat $src) > $out
+      '';
+  };
+
+  step1 = mkDerivation {
+    name = "step1";
+    buildCommand = ''
+      mkdir -p $out
+      echo 'foo' > $out/bla
+    '';
+  };
+
+  addPathExpr = mkDerivation {
+    name = "add-path";
+    inherit step1;
+    buildCommand = ''
+      mkdir -p $out
+      echo "builtins.path { path = \"$step1\"; sha256 = \"7ptL+pnrZXnSa5hwwB+2SXTLkcSb5264WGGokN8OXto=\"; }" > $out/default.nix
+    '';
+  };
+
+  importAddPathExpr = import addPathExpr;
+}

tests/functional/import-from-derivation.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+source common.sh
+
+TODO_NixOS
+
+clearStoreIfPossible
+
+export NIX_PATH=config="${config_nix}"
+
+if nix-instantiate --readonly-mode ./import-from-derivation.nix -A result; then
+    echo "read-only evaluation of an imported derivation unexpectedly failed"
+    exit 1
+fi
+
+outPath=$(nix-build ./import-from-derivation.nix -A result --no-out-link)
+
+[ "$(cat "$outPath")" = FOO579 ]
+
+# Check that we can have access to the entire closure of a derivation output.
+nix build --no-link --restrict-eval -I src=. -f ./import-from-derivation.nix importAddPathExpr -v
+
+# FIXME: the next tests are broken on CA.
+if [[ -n "${NIX_TESTS_CA_BY_DEFAULT:-}" ]]; then
+    exit 0
+fi
+
+# Test filterSource on the result of a derivation.
+outPath2=$(nix-build ./import-from-derivation.nix -A addPath --no-out-link)
+[[ "$(cat "$outPath2")" = BLAFOO579 ]]
+
+# Test that IFD works with a chroot store.
+if canUseSandbox; then
+
+    store2="$TEST_ROOT/store2"
+    store2_url="$store2?store=$NIX_STORE_DIR"
+
+    # Copy the derivation outputs to the chroot store to avoid having
+    # to actually build anything, as that would fail due to the lack
+    # of a shell in the sandbox. We only care about testing the IFD
+    # semantics.
+    for i in bar result addPath; do
+        nix copy --to "$store2_url" --no-check-sigs "$(nix-build ./import-from-derivation.nix -A "$i" --no-out-link)"
+    done
+
+    clearStore
+
+    outPath_check=$(nix-build ./import-from-derivation.nix -A result --no-out-link --store "$store2_url")
+    [[ "$outPath" = "$outPath_check" ]]
+    [[ ! -e "$outPath" ]]
+    [[ -e "$store2/nix/store/$(basename "$outPath")" ]]
+
+    outPath2_check=$(nix-build ./import-from-derivation.nix -A addPath --no-out-link --store "$store2_url")
+    [[ "$outPath2" = "$outPath2_check" ]]
+fi