[pinch] / pinch.py

import argparse
import configparser
import filecmp
import functools
import getpass
import hashlib
import operator
import os
import os.path
import shlex
import shutil
import subprocess
import sys
import tempfile
import types
import urllib.parse
import urllib.request
import xml.dom.minidom

from typing import (
    Dict,
    Iterable,
    List,
    NewType,
    Tuple,
)

# Use xdg module when it's less painful to have as a dependency


class XDG(types.SimpleNamespace):
    XDG_CACHE_HOME: str


xdg = XDG(
    XDG_CACHE_HOME=os.getenv(
        'XDG_CACHE_HOME',
        os.path.expanduser('~/.cache')))


class VerificationError(Exception):
    pass


class Verification:

    def __init__(self) -> None:
        self.line_length = 0

    def status(self, s: str) -> None:
        print(s, end=' ', file=sys.stderr, flush=True)
        self.line_length += 1 + len(s)  # Unicode??

    @staticmethod
    def _color(s: str, c: int) -> str:
        return '\033[%2dm%s\033[00m' % (c, s)

    def result(self, r: bool) -> None:
        message, color = {True: ('OK ', 92), False: ('FAIL', 91)}[r]
        length = len(message)
        cols = shutil.get_terminal_size().columns or 80
        pad = (cols - (self.line_length + length)) % cols
        print(' ' * pad + self._color(message, color), file=sys.stderr)
        self.line_length = 0
        if not r:
            raise VerificationError()

    def check(self, s: str, r: bool) -> None:
        self.status(s)
        self.result(r)

    def ok(self) -> None:
        self.result(True)


Digest16 = NewType('Digest16', str)
Digest32 = NewType('Digest32', str)


class ChannelTableEntry(types.SimpleNamespace):
    absolute_url: str
    digest: Digest16
    file: str
    size: int
    url: str


class SearchPath(types.SimpleNamespace):
    release_name: str


class Channel(SearchPath):
    alias_of: str
    channel_html: bytes
    channel_url: str
    forwarded_url: str
    git_ref: str
    git_repo: str
    git_revision: str
    old_git_revision: str
    table: Dict[str, ChannelTableEntry]

    def pin(self, v: Verification, conf: configparser.SectionProxy) -> None:
        if hasattr(self, 'alias_of'):
            assert not hasattr(self, 'git_repo')
            return

        if hasattr(self, 'git_revision'):
            self.old_git_revision = self.git_revision
            del self.git_revision

        if 'channel_url' in conf:
            pin_channel(v, self)
            conf['release_name'] = self.release_name
            conf['tarball_url'] = self.table['nixexprs.tar.xz'].absolute_url
            conf['tarball_sha256'] = self.table['nixexprs.tar.xz'].digest
        else:
            git_fetch(v, self)
            conf['release_name'] = git_revision_name(v, self)
        conf['git_revision'] = self.git_revision


def compare(a: str, b: str) -> Tuple[List[str], List[str], List[str]]:

    def throw(error: OSError) -> None:
        raise error

    def join(x: str, y: str) -> str:
        return y if x == '.' else os.path.join(x, y)

    def recursive_files(d: str) -> Iterable[str]:
        all_files: List[str] = []
        for path, dirs, files in os.walk(d, onerror=throw):
            rel = os.path.relpath(path, start=d)
            all_files.extend(join(rel, f) for f in files)
            for dir_or_link in dirs:
                if os.path.islink(join(path, dir_or_link)):
                    all_files.append(join(rel, dir_or_link))
        return all_files

    def exclude_dot_git(files: Iterable[str]) -> Iterable[str]:
        return (f for f in files if not f.startswith('.git/'))

    files = functools.reduce(
        operator.or_, (set(
            exclude_dot_git(
                recursive_files(x))) for x in [a, b]))
    return filecmp.cmpfiles(a, b, files, shallow=False)


def fetch(v: Verification, channel: Channel) -> None:
    v.status('Fetching channel')
    request = urllib.request.urlopen(channel.channel_url, timeout=10)
    channel.channel_html = request.read()
    channel.forwarded_url = request.geturl()
    v.result(request.status == 200)  # type: ignore  # (for old mypy)
    v.check('Got forwarded', channel.channel_url != channel.forwarded_url)


def parse_channel(v: Verification, channel: Channel) -> None:
    v.status('Parsing channel description as XML')
    d = xml.dom.minidom.parseString(channel.channel_html)
    v.ok()

    v.status('Extracting release name:')
    title_name = d.getElementsByTagName(
        'title')[0].firstChild.nodeValue.split()[2]
    h1_name = d.getElementsByTagName('h1')[0].firstChild.nodeValue.split()[2]
    v.status(title_name)
    v.result(title_name == h1_name)
    channel.release_name = title_name

    v.status('Extracting git commit:')
    git_commit_node = d.getElementsByTagName('tt')[0]
    channel.git_revision = git_commit_node.firstChild.nodeValue
    v.status(channel.git_revision)
    v.ok()
    v.status('Verifying git commit label')
    v.result(git_commit_node.previousSibling.nodeValue == 'Git commit ')

    v.status('Parsing table')
    channel.table = {}
    for row in d.getElementsByTagName('tr')[1:]:
        name = row.childNodes[0].firstChild.firstChild.nodeValue
        url = row.childNodes[0].firstChild.getAttribute('href')
        size = int(row.childNodes[1].firstChild.nodeValue)
        digest = Digest16(row.childNodes[2].firstChild.firstChild.nodeValue)
        channel.table[name] = ChannelTableEntry(
            url=url, digest=digest, size=size)
    v.ok()


def digest_string(s: bytes) -> Digest16:
    return Digest16(hashlib.sha256(s).hexdigest())


def digest_file(filename: str) -> Digest16:
    hasher = hashlib.sha256()
    with open(filename, 'rb') as f:
        # pylint: disable=cell-var-from-loop
        for block in iter(lambda: f.read(4096), b''):
            hasher.update(block)
    return Digest16(hasher.hexdigest())


def to_Digest16(v: Verification, digest32: Digest32) -> Digest16:
    v.status('Converting digest to base16')
    process = subprocess.run(
        ['nix', 'to-base16', '--type', 'sha256', digest32], stdout=subprocess.PIPE)
    v.result(process.returncode == 0)
    return Digest16(process.stdout.decode().strip())


def to_Digest32(v: Verification, digest16: Digest16) -> Digest32:
    v.status('Converting digest to base32')
    process = subprocess.run(
        ['nix', 'to-base32', '--type', 'sha256', digest16], stdout=subprocess.PIPE)
    v.result(process.returncode == 0)
    return Digest32(process.stdout.decode().strip())


def fetch_with_nix_prefetch_url(
        v: Verification,
        url: str,
        digest: Digest16) -> str:
    v.status('Fetching %s' % url)
    process = subprocess.run(
        ['nix-prefetch-url', '--print-path', url, digest], stdout=subprocess.PIPE)
    v.result(process.returncode == 0)
    prefetch_digest, path, empty = process.stdout.decode().split('\n')
    assert empty == ''
    v.check("Verifying nix-prefetch-url's digest",
            to_Digest16(v, Digest32(prefetch_digest)) == digest)
    v.status("Verifying file digest")
    file_digest = digest_file(path)
    v.result(file_digest == digest)
    return path  # type: ignore  # (for old mypy)


def fetch_resources(v: Verification, channel: Channel) -> None:
    for resource in ['git-revision', 'nixexprs.tar.xz']:
        fields = channel.table[resource]
        fields.absolute_url = urllib.parse.urljoin(
            channel.forwarded_url, fields.url)
        fields.file = fetch_with_nix_prefetch_url(
            v, fields.absolute_url, fields.digest)
    v.status('Verifying git commit on main page matches git commit in table')
    v.result(
        open(
            channel.table['git-revision'].file).read(999) == channel.git_revision)


def git_cachedir(git_repo: str) -> str:
    return os.path.join(
        xdg.XDG_CACHE_HOME,
        'pinch/git',
        digest_string(git_repo.encode()))


def tarball_cache_file(channel: Channel) -> str:
    return os.path.join(
        xdg.XDG_CACHE_HOME,
        'pinch/git-tarball',
        '%s-%s-%s' %
        (digest_string(channel.git_repo.encode()),
         channel.git_revision,
         channel.release_name))


def verify_git_ancestry(v: Verification, channel: Channel) -> None:
    cachedir = git_cachedir(channel.git_repo)
    v.status('Verifying rev is an ancestor of ref')
    process = subprocess.run(['git',
                              '-C',
                              cachedir,
                              'merge-base',
                              '--is-ancestor',
                              channel.git_revision,
                              channel.git_ref])
    v.result(process.returncode == 0)

    if hasattr(channel, 'old_git_revision'):
        v.status(
            'Verifying rev is an ancestor of previous rev %s' %
            channel.old_git_revision)
        process = subprocess.run(['git',
                                  '-C',
                                  cachedir,
                                  'merge-base',
                                  '--is-ancestor',
                                  channel.old_git_revision,
                                  channel.git_revision])
        v.result(process.returncode == 0)


def git_fetch(v: Verification, channel: Channel) -> None:
    # It would be nice if we could share the nix git cache, but as of the time
    # of writing it is transitioning from gitv2 (deprecated) to gitv3 (not ready
    # yet), and trying to straddle them both is too far into nix implementation
    # details for my comfort.  So we re-implement here half of nix.fetchGit.
    # :(

    cachedir = git_cachedir(channel.git_repo)
    if not os.path.exists(cachedir):
        v.status("Initializing git repo")
        process = subprocess.run(
            ['git', 'init', '--bare', cachedir])
        v.result(process.returncode == 0)

    v.status('Fetching ref "%s" from %s' % (channel.git_ref, channel.git_repo))
    # We don't use --force here because we want to abort and freak out if forced
    # updates are happening.
    process = subprocess.run(['git',
                              '-C',
                              cachedir,
                              'fetch',
                              channel.git_repo,
                              '%s:%s' % (channel.git_ref,
                                         channel.git_ref)])
    v.result(process.returncode == 0)

    if hasattr(channel, 'git_revision'):
        v.status('Verifying that fetch retrieved this rev')
        process = subprocess.run(
            ['git', '-C', cachedir, 'cat-file', '-e', channel.git_revision])
        v.result(process.returncode == 0)
    else:
        channel.git_revision = open(
            os.path.join(
                cachedir,
                'refs',
                'heads',
                channel.git_ref)).read(999).strip()

    verify_git_ancestry(v, channel)


def ensure_git_rev_available(v: Verification, channel: Channel) -> None:
    cachedir = git_cachedir(channel.git_repo)
    if os.path.exists(cachedir):
        v.status('Checking if we already have this rev:')
        process = subprocess.run(
            ['git', '-C', cachedir, 'cat-file', '-e', channel.git_revision])
        if process.returncode == 0:
            v.status('yes')
        if process.returncode == 1:
            v.status('no')
        v.result(process.returncode == 0 or process.returncode == 1)
        if process.returncode == 0:
            verify_git_ancestry(v, channel)
            return
    git_fetch(v, channel)


def compare_tarball_and_git(
        v: Verification,
        channel: Channel,
        channel_contents: str,
        git_contents: str) -> None:
    v.status('Comparing channel tarball with git checkout')
    match, mismatch, errors = compare(os.path.join(
        channel_contents, channel.release_name), git_contents)
    v.ok()
    v.check('%d files match' % len(match), len(match) > 0)
    v.check('%d files differ' % len(mismatch), len(mismatch) == 0)
    expected_errors = [
        '.git-revision',
        '.version-suffix',
        'nixpkgs',
        'programs.sqlite',
        'svn-revision']
    benign_errors = []
    for ee in expected_errors:
        if ee in errors:
            errors.remove(ee)
            benign_errors.append(ee)
    v.check(
        '%d unexpected incomparable files' %
        len(errors),
        len(errors) == 0)
    v.check(
        '(%d of %d expected incomparable files)' %
        (len(benign_errors),
         len(expected_errors)),
        len(benign_errors) == len(expected_errors))


def extract_tarball(v: Verification, channel: Channel, dest: str) -> None:
    v.status('Extracting tarball %s' %
             channel.table['nixexprs.tar.xz'].file)
    shutil.unpack_archive(
        channel.table['nixexprs.tar.xz'].file,
        dest)
    v.ok()


def git_checkout(v: Verification, channel: Channel, dest: str) -> None:
    v.status('Checking out corresponding git revision')
    git = subprocess.Popen(['git',
                            '-C',
                            git_cachedir(channel.git_repo),
                            'archive',
                            channel.git_revision],
                           stdout=subprocess.PIPE)
    tar = subprocess.Popen(
        ['tar', 'x', '-C', dest, '-f', '-'], stdin=git.stdout)
    if git.stdout:
        git.stdout.close()
    tar.wait()
    git.wait()
    v.result(git.returncode == 0 and tar.returncode == 0)


def git_get_tarball(v: Verification, channel: Channel) -> str:
    cache_file = tarball_cache_file(channel)
    if os.path.exists(cache_file):
        cached_tarball = open(cache_file).read(9999)
        if os.path.exists(cached_tarball):
            return cached_tarball

    with tempfile.TemporaryDirectory() as output_dir:
        output_filename = os.path.join(
            output_dir, channel.release_name + '.tar.xz')
        with open(output_filename, 'w') as output_file:
            v.status(
                'Generating tarball for git revision %s' %
                channel.git_revision)
            git = subprocess.Popen(['git',
                                    '-C',
                                    git_cachedir(channel.git_repo),
                                    'archive',
                                    '--prefix=%s/' % channel.release_name,
                                    channel.git_revision],
                                   stdout=subprocess.PIPE)
            xz = subprocess.Popen(['xz'], stdin=git.stdout, stdout=output_file)
            xz.wait()
            git.wait()
            v.result(git.returncode == 0 and xz.returncode == 0)

        v.status('Putting tarball in Nix store')
        process = subprocess.run(
            ['nix-store', '--add', output_filename], stdout=subprocess.PIPE)
        v.result(process.returncode == 0)
        store_tarball = process.stdout.decode().strip()

        os.makedirs(os.path.dirname(cache_file), exist_ok=True)
        open(cache_file, 'w').write(store_tarball)
        return store_tarball  # type: ignore  # (for old mypy)


def check_channel_metadata(
        v: Verification,
        channel: Channel,
        channel_contents: str) -> None:
    v.status('Verifying git commit in channel tarball')
    v.result(
        open(
            os.path.join(
                channel_contents,
                channel.release_name,
                '.git-revision')).read(999) == channel.git_revision)

    v.status(
        'Verifying version-suffix is a suffix of release name %s:' %
        channel.release_name)
    version_suffix = open(
        os.path.join(
            channel_contents,
            channel.release_name,
            '.version-suffix')).read(999)
    v.status(version_suffix)
    v.result(channel.release_name.endswith(version_suffix))


def check_channel_contents(v: Verification, channel: Channel) -> None:
    with tempfile.TemporaryDirectory() as channel_contents, \
            tempfile.TemporaryDirectory() as git_contents:

        extract_tarball(v, channel, channel_contents)
        check_channel_metadata(v, channel, channel_contents)

        git_checkout(v, channel, git_contents)

        compare_tarball_and_git(v, channel, channel_contents, git_contents)

        v.status('Removing temporary directories')
    v.ok()


def pin_channel(v: Verification, channel: Channel) -> None:
    fetch(v, channel)
    parse_channel(v, channel)
    fetch_resources(v, channel)
    ensure_git_rev_available(v, channel)
    check_channel_contents(v, channel)


def git_revision_name(v: Verification, channel: Channel) -> str:
    v.status('Getting commit date')
    process = subprocess.run(['git',
                              '-C',
                              git_cachedir(channel.git_repo),
                              'log',
                              '-n1',
                              '--format=%ct-%h',
                              '--abbrev=11',
                              '--no-show-signature',
                              channel.git_revision],
                             stdout=subprocess.PIPE)
    v.result(process.returncode == 0 and process.stdout != b'')
    return '%s-%s' % (os.path.basename(channel.git_repo),
                      process.stdout.decode().strip())


def read_search_path(conf: configparser.SectionProxy) -> Channel:
    return Channel(**dict(conf.items()))


def read_config(filename: str) -> configparser.ConfigParser:
    config = configparser.ConfigParser()
    config.read_file(open(filename), filename)
    return config


def pin(args: argparse.Namespace) -> None:
    v = Verification()
    config = read_config(args.channels_file)
    for section in config.sections():
        if args.channels and section not in args.channels:
            continue

        channel = read_search_path(config[section])

        channel.pin(v, config[section])

    with open(args.channels_file, 'w') as configfile:
        config.write(configfile)


def fetch_channel(
        v: Verification,
        section: str,
        conf: configparser.SectionProxy) -> str:
    if 'git_repo' not in conf or 'release_name' not in conf:
        raise Exception(
            'Cannot update unpinned channel "%s" (Run "pin" before "update")' %
            section)

    if 'channel_url' in conf:
        return fetch_with_nix_prefetch_url(
            v, conf['tarball_url'], Digest16(
                conf['tarball_sha256']))

    channel = read_search_path(conf)
    ensure_git_rev_available(v, channel)
    return git_get_tarball(v, channel)


def update(args: argparse.Namespace) -> None:
    v = Verification()
    config = configparser.ConfigParser()
    exprs: Dict[str, str] = {}
    configs = [read_config(filename) for filename in args.channels_file]
    for config in configs:
        for section in config.sections():
            if 'alias_of' in config[section]:
                assert 'git_repo' not in config[section]
                continue
            tarball = fetch_channel(v, section, config[section])
            if section in exprs:
                raise Exception('Duplicate channel "%s"' % section)
            exprs[section] = (
                'f: f { name = "%s"; channelName = "%%s"; src = builtins.storePath "%s"; }' %
                (config[section]['release_name'], tarball))

    for config in configs:
        for section in config.sections():
            if 'alias_of' in config[section]:
                if section in exprs:
                    raise Exception('Duplicate channel "%s"' % section)
                exprs[section] = exprs[str(config[section]['alias_of'])]

    command = [
        'nix-env',
        '--profile',
        '/nix/var/nix/profiles/per-user/%s/channels' %
        getpass.getuser(),
        '--show-trace',
        '--file',
        '<nix/unpack-channel.nix>',
        '--install',
        '--from-expression'] + [exprs[name] % name for name in sorted(exprs.keys())]
    if args.dry_run:
        print(' '.join(map(shlex.quote, command)))
    else:
        v.status('Installing channels with nix-env')
        process = subprocess.run(command)
        v.result(process.returncode == 0)


def main() -> None:
    parser = argparse.ArgumentParser(prog='pinch')
    subparsers = parser.add_subparsers(dest='mode', required=True)
    parser_pin = subparsers.add_parser('pin')
    parser_pin.add_argument('channels_file', type=str)
    parser_pin.add_argument('channels', type=str, nargs='*')
    parser_pin.set_defaults(func=pin)
    parser_update = subparsers.add_parser('update')
    parser_update.add_argument('--dry-run', action='store_true')
    parser_update.add_argument('channels_file', type=str, nargs='+')
    parser_update.set_defaults(func=update)
    args = parser.parse_args()
    args.func(args)


if __name__ == '__main__':
    main()
Commit	Line	Data
0e5e611d	1	import argparse
f15e458d	2	import configparser
2f96f32a SW	3	import filecmp
2f96f32a SW	4	import functools
736c25eb	5	import getpass
2f96f32a SW	6	import hashlib
	7	import operator
	8	import os
	9	import os.path
9a78329e	10	import shlex
2f96f32a	11	import shutil
73bec7e8	12	import subprocess
9d7844bb	13	import sys
2f96f32a	14	import tempfile
89e79125	15	import types
2f96f32a SW	16	import urllib.parse
	17	import urllib.request
	18	import xml.dom.minidom
	19
	20	from typing import (
2f96f32a SW	21	Dict,
	22	Iterable,
	23	List,
73bec7e8	24	NewType,
2f96f32a SW	25	Tuple,
	26	)
	27
3603dde2 SW	28	# Use xdg module when it's less painful to have as a dependency
	29
	30
	31	class XDG(types.SimpleNamespace):
	32	XDG_CACHE_HOME: str
	33
	34
	35	xdg = XDG(
	36	XDG_CACHE_HOME=os.getenv(
	37	'XDG_CACHE_HOME',
	38	os.path.expanduser('~/.cache')))
26125a28 SW	39
26125a28 SW	40
2f96f32a SW	41	class VerificationError(Exception):
	42	pass
	43
	44
	45	class Verification:
	46
	47	def __init__(self) -> None:
	48	self.line_length = 0
	49
	50	def status(self, s: str) -> None:
9d7844bb	51	print(s, end=' ', file=sys.stderr, flush=True)
2f96f32a SW	52	self.line_length += 1 + len(s) # Unicode??
	53
	54	@staticmethod
	55	def _color(s: str, c: int) -> str:
	56	return '\033[%2dm%s\033[00m' % (c, s)
	57
	58	def result(self, r: bool) -> None:
	59	message, color = {True: ('OK ', 92), False: ('FAIL', 91)}[r]
	60	length = len(message)
dd1026fe	61	cols = shutil.get_terminal_size().columns or 80
2f96f32a	62	pad = (cols - (self.line_length + length)) % cols
9d7844bb	63	print(' ' * pad + self._color(message, color), file=sys.stderr)
2f96f32a SW	64	self.line_length = 0
	65	if not r:
	66	raise VerificationError()
	67
	68	def check(self, s: str, r: bool) -> None:
	69	self.status(s)
	70	self.result(r)
	71
	72	def ok(self) -> None:
	73	self.result(True)
	74
	75
faff8642 SW	76	Digest16 = NewType('Digest16', str)
	77	Digest32 = NewType('Digest32', str)
	78
	79
	80	class ChannelTableEntry(types.SimpleNamespace):
	81	absolute_url: str
	82	digest: Digest16
	83	file: str
	84	size: int
	85	url: str
	86
	87
	88	class SearchPath(types.SimpleNamespace):
	89	release_name: str
	90
	91
	92	class Channel(SearchPath):
	93	alias_of: str
	94	channel_html: bytes
	95	channel_url: str
	96	forwarded_url: str
	97	git_ref: str
	98	git_repo: str
	99	git_revision: str
	100	old_git_revision: str
	101	table: Dict[str, ChannelTableEntry]
	102
3aa393bb SW	103	def pin(self, v: Verification, conf: configparser.SectionProxy) -> None:
	104	if hasattr(self, 'alias_of'):
	105	assert not hasattr(self, 'git_repo')
	106	return
	107
	108	if hasattr(self, 'git_revision'):
	109	self.old_git_revision = self.git_revision
	110	del self.git_revision
	111
	112	if 'channel_url' in conf:
	113	pin_channel(v, self)
	114	conf['release_name'] = self.release_name
	115	conf['tarball_url'] = self.table['nixexprs.tar.xz'].absolute_url
	116	conf['tarball_sha256'] = self.table['nixexprs.tar.xz'].digest
	117	else:
	118	git_fetch(v, self)
	119	conf['release_name'] = git_revision_name(v, self)
	120	conf['git_revision'] = self.git_revision
	121
faff8642	122
dc038df0	123	def compare(a: str, b: str) -> Tuple[List[str], List[str], List[str]]:
2f96f32a SW	124
	125	def throw(error: OSError) -> None:
	126	raise error
	127
	128	def join(x: str, y: str) -> str:
	129	return y if x == '.' else os.path.join(x, y)
	130
	131	def recursive_files(d: str) -> Iterable[str]:
	132	all_files: List[str] = []
	133	for path, dirs, files in os.walk(d, onerror=throw):
	134	rel = os.path.relpath(path, start=d)
	135	all_files.extend(join(rel, f) for f in files)
	136	for dir_or_link in dirs:
	137	if os.path.islink(join(path, dir_or_link)):
	138	all_files.append(join(rel, dir_or_link))
	139	return all_files
	140
	141	def exclude_dot_git(files: Iterable[str]) -> Iterable[str]:
	142	return (f for f in files if not f.startswith('.git/'))
	143
	144	files = functools.reduce(
	145	operator.or_, (set(
	146	exclude_dot_git(
	147	recursive_files(x))) for x in [a, b]))
	148	return filecmp.cmpfiles(a, b, files, shallow=False)
	149
	150
ca2c3edd	151	def fetch(v: Verification, channel: Channel) -> None:
2f96f32a	152	v.status('Fetching channel')
b17def3f	153	request = urllib.request.urlopen(channel.channel_url, timeout=10)
72d3478a SW	154	channel.channel_html = request.read()
72d3478a SW	155	channel.forwarded_url = request.geturl()
7c4de64c	156	v.result(request.status == 200) # type: ignore # (for old mypy)
b17def3f	157	v.check('Got forwarded', channel.channel_url != channel.forwarded_url)
2f96f32a SW	158
2f96f32a SW	159
72d3478a	160	def parse_channel(v: Verification, channel: Channel) -> None:
2f96f32a	161	v.status('Parsing channel description as XML')
72d3478a	162	d = xml.dom.minidom.parseString(channel.channel_html)
2f96f32a SW	163	v.ok()
2f96f32a SW	164
3e6421c4 SW	165	v.status('Extracting release name:')
	166	title_name = d.getElementsByTagName(
	167	'title')[0].firstChild.nodeValue.split()[2]
	168	h1_name = d.getElementsByTagName('h1')[0].firstChild.nodeValue.split()[2]
	169	v.status(title_name)
	170	v.result(title_name == h1_name)
72d3478a	171	channel.release_name = title_name
3e6421c4 SW	172
3e6421c4 SW	173	v.status('Extracting git commit:')
2f96f32a	174	git_commit_node = d.getElementsByTagName('tt')[0]
61aaf799 SW	175	channel.git_revision = git_commit_node.firstChild.nodeValue
61aaf799 SW	176	v.status(channel.git_revision)
2f96f32a SW	177	v.ok()
	178	v.status('Verifying git commit label')
	179	v.result(git_commit_node.previousSibling.nodeValue == 'Git commit ')
	180
	181	v.status('Parsing table')
72d3478a	182	channel.table = {}
2f96f32a SW	183	for row in d.getElementsByTagName('tr')[1:]:
	184	name = row.childNodes[0].firstChild.firstChild.nodeValue
	185	url = row.childNodes[0].firstChild.getAttribute('href')
	186	size = int(row.childNodes[1].firstChild.nodeValue)
73bec7e8	187	digest = Digest16(row.childNodes[2].firstChild.firstChild.nodeValue)
dc038df0 SW	188	channel.table[name] = ChannelTableEntry(
dc038df0 SW	189	url=url, digest=digest, size=size)
2f96f32a SW	190	v.ok()
	191
	192
dc038df0 SW	193	def digest_string(s: bytes) -> Digest16:
	194	return Digest16(hashlib.sha256(s).hexdigest())
	195
	196
73bec7e8 SW	197	def digest_file(filename: str) -> Digest16:
	198	hasher = hashlib.sha256()
	199	with open(filename, 'rb') as f:
	200	# pylint: disable=cell-var-from-loop
	201	for block in iter(lambda: f.read(4096), b''):
	202	hasher.update(block)
	203	return Digest16(hasher.hexdigest())
	204
	205
	206	def to_Digest16(v: Verification, digest32: Digest32) -> Digest16:
	207	v.status('Converting digest to base16')
	208	process = subprocess.run(
ba596fc0	209	['nix', 'to-base16', '--type', 'sha256', digest32], stdout=subprocess.PIPE)
73bec7e8 SW	210	v.result(process.returncode == 0)
	211	return Digest16(process.stdout.decode().strip())
	212
	213
	214	def to_Digest32(v: Verification, digest16: Digest16) -> Digest32:
	215	v.status('Converting digest to base32')
	216	process = subprocess.run(
ba596fc0	217	['nix', 'to-base32', '--type', 'sha256', digest16], stdout=subprocess.PIPE)
73bec7e8 SW	218	v.result(process.returncode == 0)
	219	return Digest32(process.stdout.decode().strip())
	220
	221
	222	def fetch_with_nix_prefetch_url(
	223	v: Verification,
	224	url: str,
	225	digest: Digest16) -> str:
	226	v.status('Fetching %s' % url)
	227	process = subprocess.run(
ba596fc0	228	['nix-prefetch-url', '--print-path', url, digest], stdout=subprocess.PIPE)
73bec7e8 SW	229	v.result(process.returncode == 0)
	230	prefetch_digest, path, empty = process.stdout.decode().split('\n')
	231	assert empty == ''
	232	v.check("Verifying nix-prefetch-url's digest",
	233	to_Digest16(v, Digest32(prefetch_digest)) == digest)
	234	v.status("Verifying file digest")
	235	file_digest = digest_file(path)
	236	v.result(file_digest == digest)
7c4de64c	237	return path # type: ignore # (for old mypy)
2f96f32a	238
73bec7e8	239
72d3478a	240	def fetch_resources(v: Verification, channel: Channel) -> None:
2f96f32a	241	for resource in ['git-revision', 'nixexprs.tar.xz']:
72d3478a	242	fields = channel.table[resource]
e434d96d SW	243	fields.absolute_url = urllib.parse.urljoin(
	244	channel.forwarded_url, fields.url)
	245	fields.file = fetch_with_nix_prefetch_url(
	246	v, fields.absolute_url, fields.digest)
73bec7e8 SW	247	v.status('Verifying git commit on main page matches git commit in table')
	248	v.result(
	249	open(
61aaf799	250	channel.table['git-revision'].file).read(999) == channel.git_revision)
2f96f32a	251
971d3659	252
9836141c	253	def git_cachedir(git_repo: str) -> str:
26125a28 SW	254	return os.path.join(
	255	xdg.XDG_CACHE_HOME,
	256	'pinch/git',
eb0c6f1b SW	257	digest_string(git_repo.encode()))
	258
	259
	260	def tarball_cache_file(channel: Channel) -> str:
	261	return os.path.join(
	262	xdg.XDG_CACHE_HOME,
	263	'pinch/git-tarball',
	264	'%s-%s-%s' %
	265	(digest_string(channel.git_repo.encode()),
	266	channel.git_revision,
	267	channel.release_name))
971d3659 SW	268
	269
	270	def verify_git_ancestry(v: Verification, channel: Channel) -> None:
	271	cachedir = git_cachedir(channel.git_repo)
	272	v.status('Verifying rev is an ancestor of ref')
	273	process = subprocess.run(['git',
	274	'-C',
	275	cachedir,
	276	'merge-base',
	277	'--is-ancestor',
	278	channel.git_revision,
	279	channel.git_ref])
	280	v.result(process.returncode == 0)
	281
	282	if hasattr(channel, 'old_git_revision'):
	283	v.status(
	284	'Verifying rev is an ancestor of previous rev %s' %
	285	channel.old_git_revision)
	286	process = subprocess.run(['git',
	287	'-C',
	288	cachedir,
	289	'merge-base',
	290	'--is-ancestor',
	291	channel.old_git_revision,
	292	channel.git_revision])
	293	v.result(process.returncode == 0)
9836141c	294
2f96f32a	295
dc038df0 SW	296	def git_fetch(v: Verification, channel: Channel) -> None:
	297	# It would be nice if we could share the nix git cache, but as of the time
	298	# of writing it is transitioning from gitv2 (deprecated) to gitv3 (not ready
	299	# yet), and trying to straddle them both is too far into nix implementation
	300	# details for my comfort. So we re-implement here half of nix.fetchGit.
	301	# :(
	302
9836141c SW	303	cachedir = git_cachedir(channel.git_repo)
9836141c SW	304	if not os.path.exists(cachedir):
dc038df0 SW	305	v.status("Initializing git repo")
dc038df0 SW	306	process = subprocess.run(
9836141c	307	['git', 'init', '--bare', cachedir])
dc038df0 SW	308	v.result(process.returncode == 0)
dc038df0 SW	309
971d3659 SW	310	v.status('Fetching ref "%s" from %s' % (channel.git_ref, channel.git_repo))
	311	# We don't use --force here because we want to abort and freak out if forced
	312	# updates are happening.
	313	process = subprocess.run(['git',
	314	'-C',
	315	cachedir,
	316	'fetch',
	317	channel.git_repo,
	318	'%s:%s' % (channel.git_ref,
	319	channel.git_ref)])
	320	v.result(process.returncode == 0)
	321
8fca6c28	322	if hasattr(channel, 'git_revision'):
971d3659	323	v.status('Verifying that fetch retrieved this rev')
8fca6c28	324	process = subprocess.run(
9836141c	325	['git', '-C', cachedir, 'cat-file', '-e', channel.git_revision])
dc038df0	326	v.result(process.returncode == 0)
971d3659	327	else:
8fca6c28 SW	328	channel.git_revision = open(
8fca6c28 SW	329	os.path.join(
9836141c	330	cachedir,
8fca6c28 SW	331	'refs',
	332	'heads',
	333	channel.git_ref)).read(999).strip()
dc038df0	334
971d3659	335	verify_git_ancestry(v, channel)
dc038df0	336
971d3659 SW	337
	338	def ensure_git_rev_available(v: Verification, channel: Channel) -> None:
	339	cachedir = git_cachedir(channel.git_repo)
	340	if os.path.exists(cachedir):
	341	v.status('Checking if we already have this rev:')
	342	process = subprocess.run(
	343	['git', '-C', cachedir, 'cat-file', '-e', channel.git_revision])
	344	if process.returncode == 0:
	345	v.status('yes')
	346	if process.returncode == 1:
	347	v.status('no')
	348	v.result(process.returncode == 0 or process.returncode == 1)
	349	if process.returncode == 0:
	350	verify_git_ancestry(v, channel)
	351	return
	352	git_fetch(v, channel)
7d889b12	353
dc038df0	354
925c801b SW	355	def compare_tarball_and_git(
	356	v: Verification,
	357	channel: Channel,
	358	channel_contents: str,
	359	git_contents: str) -> None:
	360	v.status('Comparing channel tarball with git checkout')
	361	match, mismatch, errors = compare(os.path.join(
	362	channel_contents, channel.release_name), git_contents)
	363	v.ok()
	364	v.check('%d files match' % len(match), len(match) > 0)
	365	v.check('%d files differ' % len(mismatch), len(mismatch) == 0)
	366	expected_errors = [
	367	'.git-revision',
	368	'.version-suffix',
	369	'nixpkgs',
	370	'programs.sqlite',
	371	'svn-revision']
	372	benign_errors = []
	373	for ee in expected_errors:
	374	if ee in errors:
	375	errors.remove(ee)
	376	benign_errors.append(ee)
	377	v.check(
	378	'%d unexpected incomparable files' %
	379	len(errors),
	380	len(errors) == 0)
	381	v.check(
	382	'(%d of %d expected incomparable files)' %
	383	(len(benign_errors),
	384	len(expected_errors)),
	385	len(benign_errors) == len(expected_errors))
	386
	387
	388	def extract_tarball(v: Verification, channel: Channel, dest: str) -> None:
	389	v.status('Extracting tarball %s' %
	390	channel.table['nixexprs.tar.xz'].file)
	391	shutil.unpack_archive(
	392	channel.table['nixexprs.tar.xz'].file,
	393	dest)
	394	v.ok()
	395
	396
	397	def git_checkout(v: Verification, channel: Channel, dest: str) -> None:
	398	v.status('Checking out corresponding git revision')
	399	git = subprocess.Popen(['git',
	400	'-C',
9836141c	401	git_cachedir(channel.git_repo),
925c801b	402	'archive',
61aaf799	403	channel.git_revision],
925c801b SW	404	stdout=subprocess.PIPE)
	405	tar = subprocess.Popen(
	406	['tar', 'x', '-C', dest, '-f', '-'], stdin=git.stdout)
de68382a SW	407	if git.stdout:
de68382a SW	408	git.stdout.close()
925c801b SW	409	tar.wait()
	410	git.wait()
	411	v.result(git.returncode == 0 and tar.returncode == 0)
	412
	413
736c25eb	414	def git_get_tarball(v: Verification, channel: Channel) -> str:
eb0c6f1b SW	415	cache_file = tarball_cache_file(channel)
	416	if os.path.exists(cache_file):
	417	cached_tarball = open(cache_file).read(9999)
	418	if os.path.exists(cached_tarball):
	419	return cached_tarball
	420
736c25eb SW	421	with tempfile.TemporaryDirectory() as output_dir:
	422	output_filename = os.path.join(
	423	output_dir, channel.release_name + '.tar.xz')
	424	with open(output_filename, 'w') as output_file:
	425	v.status(
	426	'Generating tarball for git revision %s' %
	427	channel.git_revision)
	428	git = subprocess.Popen(['git',
	429	'-C',
	430	git_cachedir(channel.git_repo),
	431	'archive',
	432	'--prefix=%s/' % channel.release_name,
	433	channel.git_revision],
	434	stdout=subprocess.PIPE)
	435	xz = subprocess.Popen(['xz'], stdin=git.stdout, stdout=output_file)
	436	xz.wait()
	437	git.wait()
	438	v.result(git.returncode == 0 and xz.returncode == 0)
	439
	440	v.status('Putting tarball in Nix store')
	441	process = subprocess.run(
ba596fc0	442	['nix-store', '--add', output_filename], stdout=subprocess.PIPE)
736c25eb	443	v.result(process.returncode == 0)
eb0c6f1b SW	444	store_tarball = process.stdout.decode().strip()
	445
	446	os.makedirs(os.path.dirname(cache_file), exist_ok=True)
	447	open(cache_file, 'w').write(store_tarball)
7c4de64c	448	return store_tarball # type: ignore # (for old mypy)
736c25eb SW	449
736c25eb SW	450
f9cd7bdc SW	451	def check_channel_metadata(
	452	v: Verification,
	453	channel: Channel,
	454	channel_contents: str) -> None:
	455	v.status('Verifying git commit in channel tarball')
	456	v.result(
	457	open(
	458	os.path.join(
	459	channel_contents,
	460	channel.release_name,
61aaf799	461	'.git-revision')).read(999) == channel.git_revision)
f9cd7bdc SW	462
	463	v.status(
	464	'Verifying version-suffix is a suffix of release name %s:' %
	465	channel.release_name)
	466	version_suffix = open(
	467	os.path.join(
	468	channel_contents,
	469	channel.release_name,
	470	'.version-suffix')).read(999)
	471	v.status(version_suffix)
	472	v.result(channel.release_name.endswith(version_suffix))
	473
	474
72d3478a	475	def check_channel_contents(v: Verification, channel: Channel) -> None:
dc038df0 SW	476	with tempfile.TemporaryDirectory() as channel_contents, \
dc038df0 SW	477	tempfile.TemporaryDirectory() as git_contents:
925c801b SW	478
925c801b SW	479	extract_tarball(v, channel, channel_contents)
f9cd7bdc SW	480	check_channel_metadata(v, channel, channel_contents)
f9cd7bdc SW	481
925c801b SW	482	git_checkout(v, channel, git_contents)
	483
	484	compare_tarball_and_git(v, channel, channel_contents, git_contents)
	485
dc038df0	486	v.status('Removing temporary directories')
2f96f32a SW	487	v.ok()
	488
	489
8fca6c28 SW	490	def pin_channel(v: Verification, channel: Channel) -> None:
	491	fetch(v, channel)
	492	parse_channel(v, channel)
	493	fetch_resources(v, channel)
971d3659	494	ensure_git_rev_available(v, channel)
8fca6c28 SW	495	check_channel_contents(v, channel)
	496
	497
e3cae769 SW	498	def git_revision_name(v: Verification, channel: Channel) -> str:
	499	v.status('Getting commit date')
	500	process = subprocess.run(['git',
	501	'-C',
9836141c	502	git_cachedir(channel.git_repo),
bed32182	503	'log',
e3cae769 SW	504	'-n1',
	505	'--format=%ct-%h',
	506	'--abbrev=11',
88af5903	507	'--no-show-signature',
e3cae769	508	channel.git_revision],
ba596fc0	509	stdout=subprocess.PIPE)
de68382a	510	v.result(process.returncode == 0 and process.stdout != b'')
e3cae769 SW	511	return '%s-%s' % (os.path.basename(channel.git_repo),
	512	process.stdout.decode().strip())
	513
	514
f8f5b125 SW	515	def read_search_path(conf: configparser.SectionProxy) -> Channel:
	516	return Channel(**dict(conf.items()))
	517
	518
01ba0eb2 SW	519	def read_config(filename: str) -> configparser.ConfigParser:
	520	config = configparser.ConfigParser()
	521	config.read_file(open(filename), filename)
	522	return config
	523
	524
0e5e611d	525	def pin(args: argparse.Namespace) -> None:
2f96f32a	526	v = Verification()
01ba0eb2	527	config = read_config(args.channels_file)
5cfa8e11	528	for section in config.sections():
98853153 SW	529	if args.channels and section not in args.channels:
98853153 SW	530	continue
736c25eb	531
f8f5b125	532	channel = read_search_path(config[section])
17906b27	533
3aa393bb	534	channel.pin(v, config[section])
8fca6c28	535
0e5e611d	536	with open(args.channels_file, 'w') as configfile:
e434d96d	537	config.write(configfile)
2f96f32a SW	538
2f96f32a SW	539
10ddbaff SW	540	def fetch_channel(
	541	v: Verification,
	542	section: str,
	543	conf: configparser.SectionProxy) -> str:
	544	if 'git_repo' not in conf or 'release_name' not in conf:
	545	raise Exception(
	546	'Cannot update unpinned channel "%s" (Run "pin" before "update")' %
	547	section)
	548
	549	if 'channel_url' in conf:
	550	return fetch_with_nix_prefetch_url(
	551	v, conf['tarball_url'], Digest16(
	552	conf['tarball_sha256']))
	553
f8f5b125	554	channel = read_search_path(conf)
10ddbaff SW	555	ensure_git_rev_available(v, channel)
	556	return git_get_tarball(v, channel)
	557
	558
736c25eb SW	559	def update(args: argparse.Namespace) -> None:
	560	v = Verification()
	561	config = configparser.ConfigParser()
da135b07	562	exprs: Dict[str, str] = {}
01ba0eb2 SW	563	configs = [read_config(filename) for filename in args.channels_file]
	564	for config in configs:
	565	for section in config.sections():
01ba0eb2 SW	566	if 'alias_of' in config[section]:
	567	assert 'git_repo' not in config[section]
	568	continue
10ddbaff	569	tarball = fetch_channel(v, section, config[section])
ab7ebb2f SW	570	if section in exprs:
ab7ebb2f SW	571	raise Exception('Duplicate channel "%s"' % section)
01ba0eb2 SW	572	exprs[section] = (
	573	'f: f { name = "%s"; channelName = "%%s"; src = builtins.storePath "%s"; }' %
	574	(config[section]['release_name'], tarball))
	575
	576	for config in configs:
	577	for section in config.sections():
	578	if 'alias_of' in config[section]:
ab7ebb2f SW	579	if section in exprs:
ab7ebb2f SW	580	raise Exception('Duplicate channel "%s"' % section)
01ba0eb2	581	exprs[section] = exprs[str(config[section]['alias_of'])]
17906b27	582
9a78329e SW	583	command = [
	584	'nix-env',
	585	'--profile',
	586	'/nix/var/nix/profiles/per-user/%s/channels' %
	587	getpass.getuser(),
	588	'--show-trace',
	589	'--file',
	590	'<nix/unpack-channel.nix>',
	591	'--install',
17906b27	592	'--from-expression'] + [exprs[name] % name for name in sorted(exprs.keys())]
9a78329e SW	593	if args.dry_run:
	594	print(' '.join(map(shlex.quote, command)))
	595	else:
	596	v.status('Installing channels with nix-env')
	597	process = subprocess.run(command)
	598	v.result(process.returncode == 0)
736c25eb SW	599
736c25eb SW	600
0e5e611d SW	601	def main() -> None:
	602	parser = argparse.ArgumentParser(prog='pinch')
	603	subparsers = parser.add_subparsers(dest='mode', required=True)
	604	parser_pin = subparsers.add_parser('pin')
	605	parser_pin.add_argument('channels_file', type=str)
98853153	606	parser_pin.add_argument('channels', type=str, nargs='*')
0e5e611d	607	parser_pin.set_defaults(func=pin)
736c25eb	608	parser_update = subparsers.add_parser('update')
9a78329e	609	parser_update.add_argument('--dry-run', action='store_true')
01ba0eb2	610	parser_update.add_argument('channels_file', type=str, nargs='+')
736c25eb	611	parser_update.set_defaults(func=update)
0e5e611d SW	612	args = parser.parse_args()
	613	args.func(args)
	614
	615
b5964ec3 SW	616	if __name__ == '__main__':
b5964ec3 SW	617	main()