Merge remote-tracking branch 'upstream/master' into overlayfs-store

tests/ca/build.sh

@@ -3,7 +3,7 @@
 source common.sh
 
 drv=$(nix-instantiate ./content-addressed.nix -A rootCA --arg seed 1)
-nix show-derivation "$drv" --arg seed 1
+nix derivation show "$drv" --arg seed 1
 
 buildAttr () {
     local derivationPath=$1

tests/ca/derivation-json.sh

@@ -0,0 +1,26 @@
+source common.sh
+
+export NIX_TESTS_CA_BY_DEFAULT=1
+
+drvPath=$(nix-instantiate ../simple.nix)
+
+nix derivation show $drvPath | jq .[] > $TEST_HOME/simple.json
+
+drvPath2=$(nix derivation add < $TEST_HOME/simple.json)
+
+[[ "$drvPath" = "$drvPath2" ]]
+
+# Content-addressed derivations can be renamed.
+jq '.name = "foo"' < $TEST_HOME/simple.json > $TEST_HOME/foo.json
+drvPath3=$(nix derivation add --dry-run < $TEST_HOME/foo.json)
+# With --dry-run nothing is actually written
+[[ ! -e "$drvPath3" ]]
+
+# Without --dry-run it is actually written
+drvPath4=$(nix derivation add < $TEST_HOME/foo.json)
+[[ "$drvPath4" = "$drvPath3" ]]
+[[ -e "$drvPath3" ]]
+
+# The modified derivation read back as JSON matches
+nix derivation show $drvPath3 | jq .[] > $TEST_HOME/foo-read.json
+diff $TEST_HOME/foo.json $TEST_HOME/foo-read.json

tests/derivation-json.sh

@@ -0,0 +1,12 @@
+source common.sh
+
+drvPath=$(nix-instantiate simple.nix)
+
+nix derivation show $drvPath | jq .[] > $TEST_HOME/simple.json
+
+drvPath2=$(nix derivation add < $TEST_HOME/simple.json)
+
+[[ "$drvPath" = "$drvPath2" ]]
+
+# Input addressed derivations cannot be renamed.
+jq '.name = "foo"' < $TEST_HOME/simple.json | expectStderr 1 nix derivation add | grepQuiet "has incorrect output"

tests/describe-stores.sh

@@ -1,8 +0,0 @@
-source common.sh
-
-# Query an arbitrary value in `nix describe-stores --json`'s output just to
-# check that it has the right structure
-[[ $(nix --experimental-features 'nix-command flakes' describe-stores --json | jq '.["SSH Store"]["compress"]["defaultValue"]') == false ]]
-
-# Ensure that the output of `nix describe-stores` isn't empty
-[[ -n $(nix --experimental-features 'nix-command flakes' describe-stores) ]]

tests/experimental-features.sh

@@ -0,0 +1,40 @@
+source common.sh
+
+# Without flakes, flake options should not show up
+# With flakes, flake options should show up
+
+function both_ways {
+    nix --experimental-features 'nix-command' "$@" | grepQuietInverse flake
+    nix --experimental-features 'nix-command flakes' "$@" | grepQuiet flake
+
+    # Also, the order should not matter
+    nix "$@" --experimental-features 'nix-command' | grepQuietInverse flake
+    nix "$@" --experimental-features 'nix-command flakes' | grepQuiet flake
+}
+
+# Simple case, the configuration effects the running command
+both_ways show-config
+
+# Skipping for now, because we actually *do* want these to show up in
+# the manual, just be marked experimental. Will reenable once the manual
+# generation takes advantage of the JSON metadata on this.
+
+# both_ways store gc --help
+
+expect 1 nix --experimental-features 'nix-command' show-config --flake-registry 'https://no'
+nix --experimental-features 'nix-command flakes' show-config --flake-registry 'https://no'
+
+# Double check these are stable
+nix --experimental-features '' --help
+nix --experimental-features '' doctor --help
+nix --experimental-features '' repl --help
+nix --experimental-features '' upgrade-nix --help
+
+# These 3 arguments are currently given to all commands, which is wrong (as not
+# all care). To deal with fixing later, we simply make them require the
+# nix-command experimental features --- it so happens that the commands we wish
+# stabilizing to do not need them anyways.
+for arg in '--print-build-logs' '--offline' '--refresh'; do
+    nix --experimental-features 'nix-command' "$arg" --help
+    ! nix --experimental-features '' "$arg" --help
+done

tests/flakes/flakes.sh

@@ -96,7 +96,9 @@ json=$(nix flake metadata flake1 --json | jq .)
 hash1=$(echo "$json" | jq -r .revision)
 
 echo -n '# foo' >> $flake1Dir/flake.nix
+flake1OriginalCommit=$(git -C $flake1Dir rev-parse HEAD)
 git -C $flake1Dir commit -a -m 'Foo'
+flake1NewCommit=$(git -C $flake1Dir rev-parse HEAD)
 hash2=$(nix flake metadata flake1 --json --refresh | jq -r .revision)
 [[ $hash1 != $hash2 ]]
 
@@ -491,3 +493,14 @@ nix store delete $(nix store add-path $badFlakeDir)
 [[ $(nix-instantiate --eval flake:git+file://$flake3Dir -A x) = 123 ]]
 [[ $(nix-instantiate -I flake3=flake:flake3 --eval '<flake3>' -A x) = 123 ]]
 [[ $(NIX_PATH=flake3=flake:flake3 nix-instantiate --eval '<flake3>' -A x) = 123 ]]
+
+# Test alternate lockfile paths.
+nix flake lock $flake2Dir --output-lock-file $TEST_ROOT/flake2.lock
+cmp $flake2Dir/flake.lock $TEST_ROOT/flake2.lock >/dev/null # lockfiles should be identical, since we're referencing flake2's original one
+
+nix flake lock $flake2Dir --output-lock-file $TEST_ROOT/flake2-overridden.lock --override-input flake1 git+file://$flake1Dir?rev=$flake1OriginalCommit
+expectStderr 1 cmp $flake2Dir/flake.lock $TEST_ROOT/flake2-overridden.lock
+nix flake metadata $flake2Dir --reference-lock-file $TEST_ROOT/flake2-overridden.lock | grepQuiet $flake1OriginalCommit
+
+# reference-lock-file can only be used if allow-dirty is set.
+expectStderr 1 nix flake metadata $flake2Dir --no-allow-dirty --reference-lock-file $TEST_ROOT/flake2-overridden.lock

tests/flakes/show.sh

@@ -64,3 +64,24 @@ in
 assert show_output == { };
 true
 '
+
+# Test that attributes with errors are handled correctly.
+# nixpkgs.legacyPackages is a particularly prominent instance of this.
+cat >flake.nix <<EOF
+{
+  outputs = inputs: {
+    legacyPackages.$system = {
+      AAAAAASomeThingsFailToEvaluate = throw "nooo";
+      simple = import ./simple.nix;
+    };
+  };
+}
+EOF
+nix flake show --json --legacy --all-systems > show-output.json
+nix eval --impure --expr '
+let show_output = builtins.fromJSON (builtins.readFile ./show-output.json);
+in
+assert show_output.legacyPackages.${builtins.currentSystem}.AAAAAASomeThingsFailToEvaluate == { };
+assert show_output.legacyPackages.${builtins.currentSystem}.simple.name == "simple";
+true
+'

tests/impure-derivations.sh

@@ -37,8 +37,8 @@ path4=$(nix build -L --no-link --json --file ./impure-derivations.nix impureOnIm
 (! nix build -L --no-link --json --file ./impure-derivations.nix inputAddressed 2>&1) | grep 'depends on impure derivation'
 
 drvPath=$(nix eval --json --file ./impure-derivations.nix impure.drvPath | jq -r .)
-[[ $(nix show-derivation $drvPath | jq ".[\"$drvPath\"].outputs.out.impure") = true ]]
-[[ $(nix show-derivation $drvPath | jq ".[\"$drvPath\"].outputs.stuff.impure") = true ]]
+[[ $(nix derivation show $drvPath | jq ".[\"$drvPath\"].outputs.out.impure") = true ]]
+[[ $(nix derivation show $drvPath | jq ".[\"$drvPath\"].outputs.stuff.impure") = true ]]
 
 # Fixed-output derivations *can* depend on impure derivations.
 path5=$(nix build -L --no-link --json --file ./impure-derivations.nix contentAddressed | jq -r .[].outputs.out)

tests/installer/default.nix

@@ -17,7 +17,7 @@ let
       script = ''
         tar -xf ./nix.tar.xz
         mv ./nix-* nix
-        ./nix/install --no-daemon
+        ./nix/install --no-daemon --no-channel-add
       '';
     };
 
@@ -30,6 +30,14 @@ let
     };
   };
 
+  mockChannel = pkgs:
+    pkgs.runCommandNoCC "mock-channel" {} ''
+      mkdir nixexprs
+      mkdir -p $out/channel
+      echo -n 'someContent' > nixexprs/someFile
+      tar cvf - nixexprs | bzip2 > $out/channel/nixexprs.tar.bz2
+    '';
+
   disableSELinux = "sudo setenforce 0";
 
   images = {
@@ -189,6 +197,11 @@ let
         echo "Running installer..."
         $ssh "set -eux; $installScript"
 
+        echo "Copying the mock channel"
+        # `scp -r` doesn't seem to work properly on some rhel instances, so let's
+        # use a plain tarpipe instead
+        tar -C ${mockChannel pkgs} -c channel | ssh -p 20022 $ssh_opts vagrant@localhost tar x -f-
+
         echo "Testing Nix installation..."
         $ssh <<EOF
           set -ex
@@ -204,6 +217,17 @@ let
 
           out=\$(nix-build --no-substitute -E 'derivation { name = "foo"; system = "x86_64-linux"; builder = "/bin/sh"; args = ["-c" "echo foobar > \$out"]; }')
           [[ \$(cat \$out) = foobar ]]
+
+          if pgrep nix-daemon; then
+            MAYBESUDO="sudo"
+          else
+            MAYBESUDO=""
+          fi
+
+
+          $MAYBESUDO \$(which nix-channel) --add file://\$HOME/channel myChannel
+          $MAYBESUDO \$(which nix-channel) --update
+          [[ \$(nix-instantiate --eval --expr 'builtins.readFile <myChannel/someFile>') = '"someContent"' ]]
         EOF
 
         echo "Done!"

tests/lang.sh

@@ -5,12 +5,19 @@ export NIX_REMOTE=dummy://
 export NIX_STORE_DIR=/nix/store
 
 nix-instantiate --eval -E 'builtins.trace "Hello" 123' 2>&1 | grepQuiet Hello
+nix-instantiate --eval -E 'builtins.trace "Hello" 123' 2>/dev/null | grepQuiet 123
 nix-instantiate --eval -E 'builtins.addErrorContext "Hello" 123' 2>&1
 nix-instantiate --trace-verbose --eval -E 'builtins.traceVerbose "Hello" 123' 2>&1 | grepQuiet Hello
 nix-instantiate --eval -E 'builtins.traceVerbose "Hello" 123' 2>&1 | grepQuietInverse Hello
 nix-instantiate --show-trace --eval -E 'builtins.addErrorContext "Hello" 123' 2>&1 | grepQuietInverse Hello
 expectStderr 1 nix-instantiate --show-trace --eval -E 'builtins.addErrorContext "Hello" (throw "Foo")' | grepQuiet Hello
 
+nix-instantiate --eval -E 'let x = builtins.trace { x = x; } true; in x' \
+  2>&1 | grepQuiet -E 'trace: { x = «potential infinite recursion»; }'
+
+nix-instantiate --eval -E 'let x = { repeating = x; tracing = builtins.trace x true; }; in x.tracing'\
+  2>&1 | grepQuiet -F 'trace: { repeating = «repeated»; tracing = «potential infinite recursion»; }'
+
 set +x
 
 fail=0

tests/legacy-ssh-store.sh

@@ -0,0 +1,4 @@
+source common.sh
+
+# Check that store ping trusted doesn't yet work with ssh://
+nix --store ssh://localhost?remote-store=$TEST_ROOT/other-store store ping --json | jq -e 'has("trusted") | not'

tests/local-store.sh

@@ -17,3 +17,6 @@ PATH2=$(nix path-info --store "$PWD/x" $CORRECT_PATH)
 
 PATH3=$(nix path-info --store "local?root=$PWD/x" $CORRECT_PATH)
 [ $CORRECT_PATH == $PATH3 ]
+
+# Ensure store ping trusted works with local store
+nix --store ./x store ping --json | jq -e '.trusted'

tests/local.mk

@@ -17,7 +17,9 @@ nix_tests = \
   ca/gc.sh \
   gc.sh \
   remote-store.sh \
+  legacy-ssh-store.sh \
   lang.sh \
+  experimental-features.sh \
   fetchMercurial.sh \
   gc-auto.sh \
   user-envs.sh \
@@ -100,6 +102,8 @@ nix_tests = \
   eval-store.sh \
   why-depends.sh \
   ca/why-depends.sh \
+  derivation-json.sh \
+  ca/derivation-json.sh \
   import-derivation.sh \
   ca/import-derivation.sh \
   nix_path.sh \
@@ -115,7 +119,6 @@ nix_tests = \
   db-migration.sh \
   bash-profile.sh \
   pass-as-file.sh \
-  describe-stores.sh \
   nix-profile.sh \
   suggestions.sh \
   store-ping.sh \

tests/nixos/nix-copy.nix

@@ -0,0 +1,85 @@
+# Test that ‘nix copy’ works over ssh.
+
+{ lib, config, nixpkgs, hostPkgs, ... }:
+
+let
+  pkgs = config.nodes.client.nixpkgs.pkgs;
+
+  pkgA = pkgs.cowsay;
+  pkgB = pkgs.wget;
+  pkgC = pkgs.hello;
+  pkgD = pkgs.tmux;
+
+in {
+  name = "nix-copy";
+
+  enableOCR = true;
+
+  nodes =
+    { client =
+        { config, lib, pkgs, ... }:
+        { virtualisation.writableStore = true;
+          virtualisation.additionalPaths = [ pkgA pkgD.drvPath ];
+          nix.settings.substituters = lib.mkForce [ ];
+          nix.settings.experimental-features = [ "nix-command" ];
+          services.getty.autologinUser = "root";
+        };
+
+      server =
+        { config, pkgs, ... }:
+        { services.openssh.enable = true;
+          services.openssh.permitRootLogin = "yes";
+					users.users.root.password = "foobar";
+          virtualisation.writableStore = true;
+          virtualisation.additionalPaths = [ pkgB pkgC ];
+        };
+    };
+
+  testScript = { nodes }: ''
+    # fmt: off
+    import subprocess
+
+    # Create an SSH key on the client.
+    subprocess.run([
+      "${pkgs.openssh}/bin/ssh-keygen", "-t", "ed25519", "-f", "key", "-N", ""
+    ], capture_output=True, check=True)
+
+    start_all()
+
+    server.wait_for_unit("sshd")
+    client.wait_for_unit("network.target")
+    client.wait_for_unit("getty@tty1.service")
+    client.wait_for_text("]#")
+
+    # Copy the closure of package A from the client to the server using password authentication,
+    # and check that all prompts are visible
+    server.fail("nix-store --check-validity ${pkgA}")
+    client.send_chars("nix copy --to ssh://server ${pkgA} >&2; echo done\n")
+    client.wait_for_text("continue connecting")
+    client.send_chars("yes\n")
+    client.wait_for_text("Password:")
+    client.send_chars("foobar\n")
+    client.wait_for_text("done")
+    server.succeed("nix-store --check-validity ${pkgA}")
+
+    client.copy_from_host("key", "/root/.ssh/id_ed25519")
+    client.succeed("chmod 600 /root/.ssh/id_ed25519")
+
+    # Install the SSH key on the server.
+    server.copy_from_host("key.pub", "/root/.ssh/authorized_keys")
+    server.succeed("systemctl restart sshd")
+    client.succeed(f"ssh -o StrictHostKeyChecking=no {server.name} 'echo hello world'")
+
+    # Copy the closure of package B from the server to the client, using ssh-ng.
+    client.fail("nix-store --check-validity ${pkgB}")
+    # Shouldn't download untrusted paths by default
+    client.fail("nix copy --from ssh-ng://server ${pkgB} >&2")
+    client.succeed("nix copy --no-check-sigs --from ssh-ng://server ${pkgB} >&2")
+    client.succeed("nix-store --check-validity ${pkgB}")
+
+    # Copy the derivation of package D's derivation from the client to the server.
+    server.fail("nix-store --check-validity ${pkgD.drvPath}")
+    client.succeed("nix copy --derivation --to ssh://server ${pkgD.drvPath} >&2")
+    server.succeed("nix-store --check-validity ${pkgD.drvPath}")
+  '';
+}

tests/remote-store.sh

@@ -5,8 +5,19 @@ clearStore
 # Ensure "fake ssh" remote store works just as legacy fake ssh would.
 nix --store ssh-ng://localhost?remote-store=$TEST_ROOT/other-store doctor
 
+# Ensure that store ping trusted works with ssh-ng://
+nix --store ssh-ng://localhost?remote-store=$TEST_ROOT/other-store store ping --json | jq -e '.trusted'
+
 startDaemon
 
+if isDaemonNewer "2.15pre0"; then
+    # Ensure that ping works trusted with new daemon
+    nix store ping --json | jq -e '.trusted'
+else
+    # And the the field is absent with the old daemon
+    nix store ping --json | jq -e 'has("trusted") | not'
+fi
+
 # Test import-from-derivation through the daemon.
 [[ $(nix eval --impure --raw --expr '
   with import ./config.nix;