[pinch] / pinch.py

import argparse
import configparser
import filecmp
import functools
import getpass
import hashlib
import operator
import os
import os.path
import shlex
import shutil
import subprocess
import sys
import tempfile
import types
import urllib.parse
import urllib.request
import xml.dom.minidom

from typing import (
    Dict,
    Iterable,
    List,
    NewType,
    Tuple,
)

# Use xdg module when it's less painful to have as a dependency


class XDG(types.SimpleNamespace):
    XDG_CACHE_HOME: str


xdg = XDG(
    XDG_CACHE_HOME=os.getenv(
        'XDG_CACHE_HOME',
        os.path.expanduser('~/.cache')))


Digest16 = NewType('Digest16', str)
Digest32 = NewType('Digest32', str)


class ChannelTableEntry(types.SimpleNamespace):
    absolute_url: str
    digest: Digest16
    file: str
    size: int
    url: str


class Channel(types.SimpleNamespace):
    alias_of: str
    channel_html: bytes
    channel_url: str
    forwarded_url: str
    git_ref: str
    git_repo: str
    git_revision: str
    old_git_revision: str
    release_name: str
    table: Dict[str, ChannelTableEntry]


class VerificationError(Exception):
    pass


class Verification:

    def __init__(self) -> None:
        self.line_length = 0

    def status(self, s: str) -> None:
        print(s, end=' ', file=sys.stderr, flush=True)
        self.line_length += 1 + len(s)  # Unicode??

    @staticmethod
    def _color(s: str, c: int) -> str:
        return '\033[%2dm%s\033[00m' % (c, s)

    def result(self, r: bool) -> None:
        message, color = {True: ('OK ', 92), False: ('FAIL', 91)}[r]
        length = len(message)
        cols = shutil.get_terminal_size().columns or 80
        pad = (cols - (self.line_length + length)) % cols
        print(' ' * pad + self._color(message, color), file=sys.stderr)
        self.line_length = 0
        if not r:
            raise VerificationError()

    def check(self, s: str, r: bool) -> None:
        self.status(s)
        self.result(r)

    def ok(self) -> None:
        self.result(True)


def compare(a: str, b: str) -> Tuple[List[str], List[str], List[str]]:

    def throw(error: OSError) -> None:
        raise error

    def join(x: str, y: str) -> str:
        return y if x == '.' else os.path.join(x, y)

    def recursive_files(d: str) -> Iterable[str]:
        all_files: List[str] = []
        for path, dirs, files in os.walk(d, onerror=throw):
            rel = os.path.relpath(path, start=d)
            all_files.extend(join(rel, f) for f in files)
            for dir_or_link in dirs:
                if os.path.islink(join(path, dir_or_link)):
                    all_files.append(join(rel, dir_or_link))
        return all_files

    def exclude_dot_git(files: Iterable[str]) -> Iterable[str]:
        return (f for f in files if not f.startswith('.git/'))

    files = functools.reduce(
        operator.or_, (set(
            exclude_dot_git(
                recursive_files(x))) for x in [a, b]))
    return filecmp.cmpfiles(a, b, files, shallow=False)


def fetch(v: Verification, channel: Channel) -> None:
    v.status('Fetching channel')
    request = urllib.request.urlopen(channel.channel_url, timeout=10)
    channel.channel_html = request.read()
    channel.forwarded_url = request.geturl()
    v.result(request.status == 200)
    v.check('Got forwarded', channel.channel_url != channel.forwarded_url)


def parse_channel(v: Verification, channel: Channel) -> None:
    v.status('Parsing channel description as XML')
    d = xml.dom.minidom.parseString(channel.channel_html)
    v.ok()

    v.status('Extracting release name:')
    title_name = d.getElementsByTagName(
        'title')[0].firstChild.nodeValue.split()[2]
    h1_name = d.getElementsByTagName('h1')[0].firstChild.nodeValue.split()[2]
    v.status(title_name)
    v.result(title_name == h1_name)
    channel.release_name = title_name

    v.status('Extracting git commit:')
    git_commit_node = d.getElementsByTagName('tt')[0]
    channel.git_revision = git_commit_node.firstChild.nodeValue
    v.status(channel.git_revision)
    v.ok()
    v.status('Verifying git commit label')
    v.result(git_commit_node.previousSibling.nodeValue == 'Git commit ')

    v.status('Parsing table')
    channel.table = {}
    for row in d.getElementsByTagName('tr')[1:]:
        name = row.childNodes[0].firstChild.firstChild.nodeValue
        url = row.childNodes[0].firstChild.getAttribute('href')
        size = int(row.childNodes[1].firstChild.nodeValue)
        digest = Digest16(row.childNodes[2].firstChild.firstChild.nodeValue)
        channel.table[name] = ChannelTableEntry(
            url=url, digest=digest, size=size)
    v.ok()


def digest_string(s: bytes) -> Digest16:
    return Digest16(hashlib.sha256(s).hexdigest())


def digest_file(filename: str) -> Digest16:
    hasher = hashlib.sha256()
    with open(filename, 'rb') as f:
        # pylint: disable=cell-var-from-loop
        for block in iter(lambda: f.read(4096), b''):
            hasher.update(block)
    return Digest16(hasher.hexdigest())


def to_Digest16(v: Verification, digest32: Digest32) -> Digest16:
    v.status('Converting digest to base16')
    process = subprocess.run(
        ['nix', 'to-base16', '--type', 'sha256', digest32], stdout=subprocess.PIPE)
    v.result(process.returncode == 0)
    return Digest16(process.stdout.decode().strip())


def to_Digest32(v: Verification, digest16: Digest16) -> Digest32:
    v.status('Converting digest to base32')
    process = subprocess.run(
        ['nix', 'to-base32', '--type', 'sha256', digest16], stdout=subprocess.PIPE)
    v.result(process.returncode == 0)
    return Digest32(process.stdout.decode().strip())


def fetch_with_nix_prefetch_url(
        v: Verification,
        url: str,
        digest: Digest16) -> str:
    v.status('Fetching %s' % url)
    process = subprocess.run(
        ['nix-prefetch-url', '--print-path', url, digest], stdout=subprocess.PIPE)
    v.result(process.returncode == 0)
    prefetch_digest, path, empty = process.stdout.decode().split('\n')
    assert empty == ''
    v.check("Verifying nix-prefetch-url's digest",
            to_Digest16(v, Digest32(prefetch_digest)) == digest)
    v.status("Verifying file digest")
    file_digest = digest_file(path)
    v.result(file_digest == digest)
    return path


def fetch_resources(v: Verification, channel: Channel) -> None:
    for resource in ['git-revision', 'nixexprs.tar.xz']:
        fields = channel.table[resource]
        fields.absolute_url = urllib.parse.urljoin(
            channel.forwarded_url, fields.url)
        fields.file = fetch_with_nix_prefetch_url(
            v, fields.absolute_url, fields.digest)
    v.status('Verifying git commit on main page matches git commit in table')
    v.result(
        open(
            channel.table['git-revision'].file).read(999) == channel.git_revision)


def git_cachedir(git_repo: str) -> str:
    return os.path.join(
        xdg.XDG_CACHE_HOME,
        'pinch/git',
        digest_string(git_repo.encode()))


def tarball_cache_file(channel: Channel) -> str:
    return os.path.join(
        xdg.XDG_CACHE_HOME,
        'pinch/git-tarball',
        '%s-%s-%s' %
        (digest_string(channel.git_repo.encode()),
         channel.git_revision,
         channel.release_name))


def verify_git_ancestry(v: Verification, channel: Channel) -> None:
    cachedir = git_cachedir(channel.git_repo)
    v.status('Verifying rev is an ancestor of ref')
    process = subprocess.run(['git',
                              '-C',
                              cachedir,
                              'merge-base',
                              '--is-ancestor',
                              channel.git_revision,
                              channel.git_ref])
    v.result(process.returncode == 0)

    if hasattr(channel, 'old_git_revision'):
        v.status(
            'Verifying rev is an ancestor of previous rev %s' %
            channel.old_git_revision)
        process = subprocess.run(['git',
                                  '-C',
                                  cachedir,
                                  'merge-base',
                                  '--is-ancestor',
                                  channel.old_git_revision,
                                  channel.git_revision])
        v.result(process.returncode == 0)


def git_fetch(v: Verification, channel: Channel) -> None:
    # It would be nice if we could share the nix git cache, but as of the time
    # of writing it is transitioning from gitv2 (deprecated) to gitv3 (not ready
    # yet), and trying to straddle them both is too far into nix implementation
    # details for my comfort.  So we re-implement here half of nix.fetchGit.
    # :(

    cachedir = git_cachedir(channel.git_repo)
    if not os.path.exists(cachedir):
        v.status("Initializing git repo")
        process = subprocess.run(
            ['git', 'init', '--bare', cachedir])
        v.result(process.returncode == 0)

    v.status('Fetching ref "%s" from %s' % (channel.git_ref, channel.git_repo))
    # We don't use --force here because we want to abort and freak out if forced
    # updates are happening.
    process = subprocess.run(['git',
                              '-C',
                              cachedir,
                              'fetch',
                              channel.git_repo,
                              '%s:%s' % (channel.git_ref,
                                         channel.git_ref)])
    v.result(process.returncode == 0)

    if hasattr(channel, 'git_revision'):
        v.status('Verifying that fetch retrieved this rev')
        process = subprocess.run(
            ['git', '-C', cachedir, 'cat-file', '-e', channel.git_revision])
        v.result(process.returncode == 0)
    else:
        channel.git_revision = open(
            os.path.join(
                cachedir,
                'refs',
                'heads',
                channel.git_ref)).read(999).strip()

    verify_git_ancestry(v, channel)


def ensure_git_rev_available(v: Verification, channel: Channel) -> None:
    cachedir = git_cachedir(channel.git_repo)
    if os.path.exists(cachedir):
        v.status('Checking if we already have this rev:')
        process = subprocess.run(
            ['git', '-C', cachedir, 'cat-file', '-e', channel.git_revision])
        if process.returncode == 0:
            v.status('yes')
        if process.returncode == 1:
            v.status('no')
        v.result(process.returncode == 0 or process.returncode == 1)
        if process.returncode == 0:
            verify_git_ancestry(v, channel)
            return
    git_fetch(v, channel)


def compare_tarball_and_git(
        v: Verification,
        channel: Channel,
        channel_contents: str,
        git_contents: str) -> None:
    v.status('Comparing channel tarball with git checkout')
    match, mismatch, errors = compare(os.path.join(
        channel_contents, channel.release_name), git_contents)
    v.ok()
    v.check('%d files match' % len(match), len(match) > 0)
    v.check('%d files differ' % len(mismatch), len(mismatch) == 0)
    expected_errors = [
        '.git-revision',
        '.version-suffix',
        'nixpkgs',
        'programs.sqlite',
        'svn-revision']
    benign_errors = []
    for ee in expected_errors:
        if ee in errors:
            errors.remove(ee)
            benign_errors.append(ee)
    v.check(
        '%d unexpected incomparable files' %
        len(errors),
        len(errors) == 0)
    v.check(
        '(%d of %d expected incomparable files)' %
        (len(benign_errors),
         len(expected_errors)),
        len(benign_errors) == len(expected_errors))


def extract_tarball(v: Verification, channel: Channel, dest: str) -> None:
    v.status('Extracting tarball %s' %
             channel.table['nixexprs.tar.xz'].file)
    shutil.unpack_archive(
        channel.table['nixexprs.tar.xz'].file,
        dest)
    v.ok()


def git_checkout(v: Verification, channel: Channel, dest: str) -> None:
    v.status('Checking out corresponding git revision')
    git = subprocess.Popen(['git',
                            '-C',
                            git_cachedir(channel.git_repo),
                            'archive',
                            channel.git_revision],
                           stdout=subprocess.PIPE)
    tar = subprocess.Popen(
        ['tar', 'x', '-C', dest, '-f', '-'], stdin=git.stdout)
    if git.stdout:
        git.stdout.close()
    tar.wait()
    git.wait()
    v.result(git.returncode == 0 and tar.returncode == 0)


def git_get_tarball(v: Verification, channel: Channel) -> str:
    cache_file = tarball_cache_file(channel)
    if os.path.exists(cache_file):
        cached_tarball = open(cache_file).read(9999)
        if os.path.exists(cached_tarball):
            return cached_tarball

    with tempfile.TemporaryDirectory() as output_dir:
        output_filename = os.path.join(
            output_dir, channel.release_name + '.tar.xz')
        with open(output_filename, 'w') as output_file:
            v.status(
                'Generating tarball for git revision %s' %
                channel.git_revision)
            git = subprocess.Popen(['git',
                                    '-C',
                                    git_cachedir(channel.git_repo),
                                    'archive',
                                    '--prefix=%s/' % channel.release_name,
                                    channel.git_revision],
                                   stdout=subprocess.PIPE)
            xz = subprocess.Popen(['xz'], stdin=git.stdout, stdout=output_file)
            xz.wait()
            git.wait()
            v.result(git.returncode == 0 and xz.returncode == 0)

        v.status('Putting tarball in Nix store')
        process = subprocess.run(
            ['nix-store', '--add', output_filename], stdout=subprocess.PIPE)
        v.result(process.returncode == 0)
        store_tarball = process.stdout.decode().strip()

        os.makedirs(os.path.dirname(cache_file), exist_ok=True)
        open(cache_file, 'w').write(store_tarball)
        return store_tarball


def check_channel_metadata(
        v: Verification,
        channel: Channel,
        channel_contents: str) -> None:
    v.status('Verifying git commit in channel tarball')
    v.result(
        open(
            os.path.join(
                channel_contents,
                channel.release_name,
                '.git-revision')).read(999) == channel.git_revision)

    v.status(
        'Verifying version-suffix is a suffix of release name %s:' %
        channel.release_name)
    version_suffix = open(
        os.path.join(
            channel_contents,
            channel.release_name,
            '.version-suffix')).read(999)
    v.status(version_suffix)
    v.result(channel.release_name.endswith(version_suffix))


def check_channel_contents(v: Verification, channel: Channel) -> None:
    with tempfile.TemporaryDirectory() as channel_contents, \
            tempfile.TemporaryDirectory() as git_contents:

        extract_tarball(v, channel, channel_contents)
        check_channel_metadata(v, channel, channel_contents)

        git_checkout(v, channel, git_contents)

        compare_tarball_and_git(v, channel, channel_contents, git_contents)

        v.status('Removing temporary directories')
    v.ok()


def pin_channel(v: Verification, channel: Channel) -> None:
    fetch(v, channel)
    parse_channel(v, channel)
    fetch_resources(v, channel)
    ensure_git_rev_available(v, channel)
    check_channel_contents(v, channel)


def git_revision_name(v: Verification, channel: Channel) -> str:
    v.status('Getting commit date')
    process = subprocess.run(['git',
                              '-C',
                              git_cachedir(channel.git_repo),
                              'log',
                              '-n1',
                              '--format=%ct-%h',
                              '--abbrev=11',
                              '--no-show-signature',
                              channel.git_revision],
                             stdout=subprocess.PIPE)
    v.result(process.returncode == 0 and process.stdout != b'')
    return '%s-%s' % (os.path.basename(channel.git_repo),
                      process.stdout.decode().strip())


def read_config(filename: str) -> configparser.ConfigParser:
    config = configparser.ConfigParser()
    config.read_file(open(filename), filename)
    return config


def pin(args: argparse.Namespace) -> None:
    v = Verification()
    config = read_config(args.channels_file)
    for section in config.sections():
        if args.channels and section not in args.channels:
            continue

        channel = Channel(**dict(config[section].items()))

        if hasattr(channel, 'alias_of'):
            assert not hasattr(channel, 'git_repo')
            continue

        if hasattr(channel, 'git_revision'):
            channel.old_git_revision = channel.git_revision
            del channel.git_revision

        if 'channel_url' in config[section]:
            pin_channel(v, channel)
            config[section]['release_name'] = channel.release_name
            config[section]['tarball_url'] = channel.table['nixexprs.tar.xz'].absolute_url
            config[section]['tarball_sha256'] = channel.table['nixexprs.tar.xz'].digest
        else:
            git_fetch(v, channel)
            config[section]['release_name'] = git_revision_name(v, channel)
        config[section]['git_revision'] = channel.git_revision

    with open(args.channels_file, 'w') as configfile:
        config.write(configfile)


def fetch_channel(
        v: Verification,
        section: str,
        conf: configparser.SectionProxy) -> str:
    if 'git_repo' not in conf or 'release_name' not in conf:
        raise Exception(
            'Cannot update unpinned channel "%s" (Run "pin" before "update")' %
            section)

    if 'channel_url' in conf:
        return fetch_with_nix_prefetch_url(
            v, conf['tarball_url'], Digest16(
                conf['tarball_sha256']))

    channel = Channel(**dict(conf.items()))
    ensure_git_rev_available(v, channel)
    return git_get_tarball(v, channel)


def update(args: argparse.Namespace) -> None:
    v = Verification()
    config = configparser.ConfigParser()
    exprs: Dict[str, str] = {}
    configs = [read_config(filename) for filename in args.channels_file]
    for config in configs:
        for section in config.sections():
            if 'alias_of' in config[section]:
                assert 'git_repo' not in config[section]
                continue
            tarball = fetch_channel(v, section, config[section])
            if section in exprs:
                raise Exception('Duplicate channel "%s"' % section)
            exprs[section] = (
                'f: f { name = "%s"; channelName = "%%s"; src = builtins.storePath "%s"; }' %
                (config[section]['release_name'], tarball))

    for config in configs:
        for section in config.sections():
            if 'alias_of' in config[section]:
                if section in exprs:
                    raise Exception('Duplicate channel "%s"' % section)
                exprs[section] = exprs[str(config[section]['alias_of'])]

    command = [
        'nix-env',
        '--profile',
        '/nix/var/nix/profiles/per-user/%s/channels' %
        getpass.getuser(),
        '--show-trace',
        '--file',
        '<nix/unpack-channel.nix>',
        '--install',
        '--from-expression'] + [exprs[name] % name for name in sorted(exprs.keys())]
    if args.dry_run:
        print(' '.join(map(shlex.quote, command)))
    else:
        v.status('Installing channels with nix-env')
        process = subprocess.run(command)
        v.result(process.returncode == 0)


def main() -> None:
    parser = argparse.ArgumentParser(prog='pinch')
    subparsers = parser.add_subparsers(dest='mode', required=True)
    parser_pin = subparsers.add_parser('pin')
    parser_pin.add_argument('channels_file', type=str)
    parser_pin.add_argument('channels', type=str, nargs='*')
    parser_pin.set_defaults(func=pin)
    parser_update = subparsers.add_parser('update')
    parser_update.add_argument('--dry-run', action='store_true')
    parser_update.add_argument('channels_file', type=str, nargs='+')
    parser_update.set_defaults(func=update)
    args = parser.parse_args()
    args.func(args)


if __name__ == '__main__':
    main()
Commit	Line	Data
0e5e611d	1	import argparse
f15e458d	2	import configparser
2f96f32a SW	3	import filecmp
2f96f32a SW	4	import functools
736c25eb	5	import getpass
2f96f32a SW	6	import hashlib
	7	import operator
	8	import os
	9	import os.path
9a78329e	10	import shlex
2f96f32a	11	import shutil
73bec7e8	12	import subprocess
9d7844bb	13	import sys
2f96f32a	14	import tempfile
89e79125	15	import types
2f96f32a SW	16	import urllib.parse
	17	import urllib.request
	18	import xml.dom.minidom
	19
	20	from typing import (
2f96f32a SW	21	Dict,
	22	Iterable,
	23	List,
73bec7e8	24	NewType,
2f96f32a SW	25	Tuple,
	26	)
	27
3603dde2 SW	28	# Use xdg module when it's less painful to have as a dependency
	29
	30
	31	class XDG(types.SimpleNamespace):
	32	XDG_CACHE_HOME: str
	33
	34
	35	xdg = XDG(
	36	XDG_CACHE_HOME=os.getenv(
	37	'XDG_CACHE_HOME',
	38	os.path.expanduser('~/.cache')))
26125a28 SW	39
26125a28 SW	40
73bec7e8 SW	41	Digest16 = NewType('Digest16', str)
	42	Digest32 = NewType('Digest32', str)
	43
2f96f32a	44
72d3478a	45	class ChannelTableEntry(types.SimpleNamespace):
e434d96d	46	absolute_url: str
73bec7e8	47	digest: Digest16
89e79125 SW	48	file: str
	49	size: int
	50	url: str
	51
	52
72d3478a	53	class Channel(types.SimpleNamespace):
17906b27	54	alias_of: str
89e79125	55	channel_html: bytes
b17def3f	56	channel_url: str
89e79125	57	forwarded_url: str
dc038df0 SW	58	git_ref: str
dc038df0 SW	59	git_repo: str
89e79125	60	git_revision: str
8fca6c28	61	old_git_revision: str
3e6421c4	62	release_name: str
72d3478a	63	table: Dict[str, ChannelTableEntry]
89e79125 SW	64
89e79125 SW	65
2f96f32a SW	66	class VerificationError(Exception):
	67	pass
	68
	69
	70	class Verification:
	71
	72	def __init__(self) -> None:
	73	self.line_length = 0
	74
	75	def status(self, s: str) -> None:
9d7844bb	76	print(s, end=' ', file=sys.stderr, flush=True)
2f96f32a SW	77	self.line_length += 1 + len(s) # Unicode??
	78
	79	@staticmethod
	80	def _color(s: str, c: int) -> str:
	81	return '\033[%2dm%s\033[00m' % (c, s)
	82
	83	def result(self, r: bool) -> None:
	84	message, color = {True: ('OK ', 92), False: ('FAIL', 91)}[r]
	85	length = len(message)
dd1026fe	86	cols = shutil.get_terminal_size().columns or 80
2f96f32a	87	pad = (cols - (self.line_length + length)) % cols
9d7844bb	88	print(' ' * pad + self._color(message, color), file=sys.stderr)
2f96f32a SW	89	self.line_length = 0
	90	if not r:
	91	raise VerificationError()
	92
	93	def check(self, s: str, r: bool) -> None:
	94	self.status(s)
	95	self.result(r)
	96
	97	def ok(self) -> None:
	98	self.result(True)
	99
	100
dc038df0	101	def compare(a: str, b: str) -> Tuple[List[str], List[str], List[str]]:
2f96f32a SW	102
	103	def throw(error: OSError) -> None:
	104	raise error
	105
	106	def join(x: str, y: str) -> str:
	107	return y if x == '.' else os.path.join(x, y)
	108
	109	def recursive_files(d: str) -> Iterable[str]:
	110	all_files: List[str] = []
	111	for path, dirs, files in os.walk(d, onerror=throw):
	112	rel = os.path.relpath(path, start=d)
	113	all_files.extend(join(rel, f) for f in files)
	114	for dir_or_link in dirs:
	115	if os.path.islink(join(path, dir_or_link)):
	116	all_files.append(join(rel, dir_or_link))
	117	return all_files
	118
	119	def exclude_dot_git(files: Iterable[str]) -> Iterable[str]:
	120	return (f for f in files if not f.startswith('.git/'))
	121
	122	files = functools.reduce(
	123	operator.or_, (set(
	124	exclude_dot_git(
	125	recursive_files(x))) for x in [a, b]))
	126	return filecmp.cmpfiles(a, b, files, shallow=False)
	127
	128
ca2c3edd	129	def fetch(v: Verification, channel: Channel) -> None:
2f96f32a	130	v.status('Fetching channel')
b17def3f	131	request = urllib.request.urlopen(channel.channel_url, timeout=10)
72d3478a SW	132	channel.channel_html = request.read()
72d3478a SW	133	channel.forwarded_url = request.geturl()
2f96f32a	134	v.result(request.status == 200)
b17def3f	135	v.check('Got forwarded', channel.channel_url != channel.forwarded_url)
2f96f32a SW	136
2f96f32a SW	137
72d3478a	138	def parse_channel(v: Verification, channel: Channel) -> None:
2f96f32a	139	v.status('Parsing channel description as XML')
72d3478a	140	d = xml.dom.minidom.parseString(channel.channel_html)
2f96f32a SW	141	v.ok()
2f96f32a SW	142
3e6421c4 SW	143	v.status('Extracting release name:')
	144	title_name = d.getElementsByTagName(
	145	'title')[0].firstChild.nodeValue.split()[2]
	146	h1_name = d.getElementsByTagName('h1')[0].firstChild.nodeValue.split()[2]
	147	v.status(title_name)
	148	v.result(title_name == h1_name)
72d3478a	149	channel.release_name = title_name
3e6421c4 SW	150
3e6421c4 SW	151	v.status('Extracting git commit:')
2f96f32a	152	git_commit_node = d.getElementsByTagName('tt')[0]
61aaf799 SW	153	channel.git_revision = git_commit_node.firstChild.nodeValue
61aaf799 SW	154	v.status(channel.git_revision)
2f96f32a SW	155	v.ok()
	156	v.status('Verifying git commit label')
	157	v.result(git_commit_node.previousSibling.nodeValue == 'Git commit ')
	158
	159	v.status('Parsing table')
72d3478a	160	channel.table = {}
2f96f32a SW	161	for row in d.getElementsByTagName('tr')[1:]:
	162	name = row.childNodes[0].firstChild.firstChild.nodeValue
	163	url = row.childNodes[0].firstChild.getAttribute('href')
	164	size = int(row.childNodes[1].firstChild.nodeValue)
73bec7e8	165	digest = Digest16(row.childNodes[2].firstChild.firstChild.nodeValue)
dc038df0 SW	166	channel.table[name] = ChannelTableEntry(
dc038df0 SW	167	url=url, digest=digest, size=size)
2f96f32a SW	168	v.ok()
	169
	170
dc038df0 SW	171	def digest_string(s: bytes) -> Digest16:
	172	return Digest16(hashlib.sha256(s).hexdigest())
	173
	174
73bec7e8 SW	175	def digest_file(filename: str) -> Digest16:
	176	hasher = hashlib.sha256()
	177	with open(filename, 'rb') as f:
	178	# pylint: disable=cell-var-from-loop
	179	for block in iter(lambda: f.read(4096), b''):
	180	hasher.update(block)
	181	return Digest16(hasher.hexdigest())
	182
	183
	184	def to_Digest16(v: Verification, digest32: Digest32) -> Digest16:
	185	v.status('Converting digest to base16')
	186	process = subprocess.run(
ba596fc0	187	['nix', 'to-base16', '--type', 'sha256', digest32], stdout=subprocess.PIPE)
73bec7e8 SW	188	v.result(process.returncode == 0)
	189	return Digest16(process.stdout.decode().strip())
	190
	191
	192	def to_Digest32(v: Verification, digest16: Digest16) -> Digest32:
	193	v.status('Converting digest to base32')
	194	process = subprocess.run(
ba596fc0	195	['nix', 'to-base32', '--type', 'sha256', digest16], stdout=subprocess.PIPE)
73bec7e8 SW	196	v.result(process.returncode == 0)
	197	return Digest32(process.stdout.decode().strip())
	198
	199
	200	def fetch_with_nix_prefetch_url(
	201	v: Verification,
	202	url: str,
	203	digest: Digest16) -> str:
	204	v.status('Fetching %s' % url)
	205	process = subprocess.run(
ba596fc0	206	['nix-prefetch-url', '--print-path', url, digest], stdout=subprocess.PIPE)
73bec7e8 SW	207	v.result(process.returncode == 0)
	208	prefetch_digest, path, empty = process.stdout.decode().split('\n')
	209	assert empty == ''
	210	v.check("Verifying nix-prefetch-url's digest",
	211	to_Digest16(v, Digest32(prefetch_digest)) == digest)
	212	v.status("Verifying file digest")
	213	file_digest = digest_file(path)
	214	v.result(file_digest == digest)
	215	return path
2f96f32a	216
73bec7e8	217
72d3478a	218	def fetch_resources(v: Verification, channel: Channel) -> None:
2f96f32a	219	for resource in ['git-revision', 'nixexprs.tar.xz']:
72d3478a	220	fields = channel.table[resource]
e434d96d SW	221	fields.absolute_url = urllib.parse.urljoin(
	222	channel.forwarded_url, fields.url)
	223	fields.file = fetch_with_nix_prefetch_url(
	224	v, fields.absolute_url, fields.digest)
73bec7e8 SW	225	v.status('Verifying git commit on main page matches git commit in table')
	226	v.result(
	227	open(
61aaf799	228	channel.table['git-revision'].file).read(999) == channel.git_revision)
2f96f32a	229
971d3659	230
9836141c	231	def git_cachedir(git_repo: str) -> str:
26125a28 SW	232	return os.path.join(
	233	xdg.XDG_CACHE_HOME,
	234	'pinch/git',
eb0c6f1b SW	235	digest_string(git_repo.encode()))
	236
	237
	238	def tarball_cache_file(channel: Channel) -> str:
	239	return os.path.join(
	240	xdg.XDG_CACHE_HOME,
	241	'pinch/git-tarball',
	242	'%s-%s-%s' %
	243	(digest_string(channel.git_repo.encode()),
	244	channel.git_revision,
	245	channel.release_name))
971d3659 SW	246
	247
	248	def verify_git_ancestry(v: Verification, channel: Channel) -> None:
	249	cachedir = git_cachedir(channel.git_repo)
	250	v.status('Verifying rev is an ancestor of ref')
	251	process = subprocess.run(['git',
	252	'-C',
	253	cachedir,
	254	'merge-base',
	255	'--is-ancestor',
	256	channel.git_revision,
	257	channel.git_ref])
	258	v.result(process.returncode == 0)
	259
	260	if hasattr(channel, 'old_git_revision'):
	261	v.status(
	262	'Verifying rev is an ancestor of previous rev %s' %
	263	channel.old_git_revision)
	264	process = subprocess.run(['git',
	265	'-C',
	266	cachedir,
	267	'merge-base',
	268	'--is-ancestor',
	269	channel.old_git_revision,
	270	channel.git_revision])
	271	v.result(process.returncode == 0)
9836141c	272
2f96f32a	273
dc038df0 SW	274	def git_fetch(v: Verification, channel: Channel) -> None:
	275	# It would be nice if we could share the nix git cache, but as of the time
	276	# of writing it is transitioning from gitv2 (deprecated) to gitv3 (not ready
	277	# yet), and trying to straddle them both is too far into nix implementation
	278	# details for my comfort. So we re-implement here half of nix.fetchGit.
	279	# :(
	280
9836141c SW	281	cachedir = git_cachedir(channel.git_repo)
9836141c SW	282	if not os.path.exists(cachedir):
dc038df0 SW	283	v.status("Initializing git repo")
dc038df0 SW	284	process = subprocess.run(
9836141c	285	['git', 'init', '--bare', cachedir])
dc038df0 SW	286	v.result(process.returncode == 0)
dc038df0 SW	287
971d3659 SW	288	v.status('Fetching ref "%s" from %s' % (channel.git_ref, channel.git_repo))
	289	# We don't use --force here because we want to abort and freak out if forced
	290	# updates are happening.
	291	process = subprocess.run(['git',
	292	'-C',
	293	cachedir,
	294	'fetch',
	295	channel.git_repo,
	296	'%s:%s' % (channel.git_ref,
	297	channel.git_ref)])
	298	v.result(process.returncode == 0)
	299
8fca6c28	300	if hasattr(channel, 'git_revision'):
971d3659	301	v.status('Verifying that fetch retrieved this rev')
8fca6c28	302	process = subprocess.run(
9836141c	303	['git', '-C', cachedir, 'cat-file', '-e', channel.git_revision])
dc038df0	304	v.result(process.returncode == 0)
971d3659	305	else:
8fca6c28 SW	306	channel.git_revision = open(
8fca6c28 SW	307	os.path.join(
9836141c	308	cachedir,
8fca6c28 SW	309	'refs',
	310	'heads',
	311	channel.git_ref)).read(999).strip()
dc038df0	312
971d3659	313	verify_git_ancestry(v, channel)
dc038df0	314
971d3659 SW	315
	316	def ensure_git_rev_available(v: Verification, channel: Channel) -> None:
	317	cachedir = git_cachedir(channel.git_repo)
	318	if os.path.exists(cachedir):
	319	v.status('Checking if we already have this rev:')
	320	process = subprocess.run(
	321	['git', '-C', cachedir, 'cat-file', '-e', channel.git_revision])
	322	if process.returncode == 0:
	323	v.status('yes')
	324	if process.returncode == 1:
	325	v.status('no')
	326	v.result(process.returncode == 0 or process.returncode == 1)
	327	if process.returncode == 0:
	328	verify_git_ancestry(v, channel)
	329	return
	330	git_fetch(v, channel)
7d889b12	331
dc038df0	332
925c801b SW	333	def compare_tarball_and_git(
	334	v: Verification,
	335	channel: Channel,
	336	channel_contents: str,
	337	git_contents: str) -> None:
	338	v.status('Comparing channel tarball with git checkout')
	339	match, mismatch, errors = compare(os.path.join(
	340	channel_contents, channel.release_name), git_contents)
	341	v.ok()
	342	v.check('%d files match' % len(match), len(match) > 0)
	343	v.check('%d files differ' % len(mismatch), len(mismatch) == 0)
	344	expected_errors = [
	345	'.git-revision',
	346	'.version-suffix',
	347	'nixpkgs',
	348	'programs.sqlite',
	349	'svn-revision']
	350	benign_errors = []
	351	for ee in expected_errors:
	352	if ee in errors:
	353	errors.remove(ee)
	354	benign_errors.append(ee)
	355	v.check(
	356	'%d unexpected incomparable files' %
	357	len(errors),
	358	len(errors) == 0)
	359	v.check(
	360	'(%d of %d expected incomparable files)' %
	361	(len(benign_errors),
	362	len(expected_errors)),
	363	len(benign_errors) == len(expected_errors))
	364
	365
	366	def extract_tarball(v: Verification, channel: Channel, dest: str) -> None:
	367	v.status('Extracting tarball %s' %
	368	channel.table['nixexprs.tar.xz'].file)
	369	shutil.unpack_archive(
	370	channel.table['nixexprs.tar.xz'].file,
	371	dest)
	372	v.ok()
	373
	374
	375	def git_checkout(v: Verification, channel: Channel, dest: str) -> None:
	376	v.status('Checking out corresponding git revision')
	377	git = subprocess.Popen(['git',
	378	'-C',
9836141c	379	git_cachedir(channel.git_repo),
925c801b	380	'archive',
61aaf799	381	channel.git_revision],
925c801b SW	382	stdout=subprocess.PIPE)
	383	tar = subprocess.Popen(
	384	['tar', 'x', '-C', dest, '-f', '-'], stdin=git.stdout)
de68382a SW	385	if git.stdout:
de68382a SW	386	git.stdout.close()
925c801b SW	387	tar.wait()
	388	git.wait()
	389	v.result(git.returncode == 0 and tar.returncode == 0)
	390
	391
736c25eb	392	def git_get_tarball(v: Verification, channel: Channel) -> str:
eb0c6f1b SW	393	cache_file = tarball_cache_file(channel)
	394	if os.path.exists(cache_file):
	395	cached_tarball = open(cache_file).read(9999)
	396	if os.path.exists(cached_tarball):
	397	return cached_tarball
	398
736c25eb SW	399	with tempfile.TemporaryDirectory() as output_dir:
	400	output_filename = os.path.join(
	401	output_dir, channel.release_name + '.tar.xz')
	402	with open(output_filename, 'w') as output_file:
	403	v.status(
	404	'Generating tarball for git revision %s' %
	405	channel.git_revision)
	406	git = subprocess.Popen(['git',
	407	'-C',
	408	git_cachedir(channel.git_repo),
	409	'archive',
	410	'--prefix=%s/' % channel.release_name,
	411	channel.git_revision],
	412	stdout=subprocess.PIPE)
	413	xz = subprocess.Popen(['xz'], stdin=git.stdout, stdout=output_file)
	414	xz.wait()
	415	git.wait()
	416	v.result(git.returncode == 0 and xz.returncode == 0)
	417
	418	v.status('Putting tarball in Nix store')
	419	process = subprocess.run(
ba596fc0	420	['nix-store', '--add', output_filename], stdout=subprocess.PIPE)
736c25eb	421	v.result(process.returncode == 0)
eb0c6f1b SW	422	store_tarball = process.stdout.decode().strip()
	423
	424	os.makedirs(os.path.dirname(cache_file), exist_ok=True)
	425	open(cache_file, 'w').write(store_tarball)
	426	return store_tarball
736c25eb SW	427
736c25eb SW	428
f9cd7bdc SW	429	def check_channel_metadata(
	430	v: Verification,
	431	channel: Channel,
	432	channel_contents: str) -> None:
	433	v.status('Verifying git commit in channel tarball')
	434	v.result(
	435	open(
	436	os.path.join(
	437	channel_contents,
	438	channel.release_name,
61aaf799	439	'.git-revision')).read(999) == channel.git_revision)
f9cd7bdc SW	440
	441	v.status(
	442	'Verifying version-suffix is a suffix of release name %s:' %
	443	channel.release_name)
	444	version_suffix = open(
	445	os.path.join(
	446	channel_contents,
	447	channel.release_name,
	448	'.version-suffix')).read(999)
	449	v.status(version_suffix)
	450	v.result(channel.release_name.endswith(version_suffix))
	451
	452
72d3478a	453	def check_channel_contents(v: Verification, channel: Channel) -> None:
dc038df0 SW	454	with tempfile.TemporaryDirectory() as channel_contents, \
dc038df0 SW	455	tempfile.TemporaryDirectory() as git_contents:
925c801b SW	456
925c801b SW	457	extract_tarball(v, channel, channel_contents)
f9cd7bdc SW	458	check_channel_metadata(v, channel, channel_contents)
f9cd7bdc SW	459
925c801b SW	460	git_checkout(v, channel, git_contents)
	461
	462	compare_tarball_and_git(v, channel, channel_contents, git_contents)
	463
dc038df0	464	v.status('Removing temporary directories')
2f96f32a SW	465	v.ok()
	466
	467
8fca6c28 SW	468	def pin_channel(v: Verification, channel: Channel) -> None:
	469	fetch(v, channel)
	470	parse_channel(v, channel)
	471	fetch_resources(v, channel)
971d3659	472	ensure_git_rev_available(v, channel)
8fca6c28 SW	473	check_channel_contents(v, channel)
	474
	475
e3cae769 SW	476	def git_revision_name(v: Verification, channel: Channel) -> str:
	477	v.status('Getting commit date')
	478	process = subprocess.run(['git',
	479	'-C',
9836141c	480	git_cachedir(channel.git_repo),
bed32182	481	'log',
e3cae769 SW	482	'-n1',
	483	'--format=%ct-%h',
	484	'--abbrev=11',
88af5903	485	'--no-show-signature',
e3cae769	486	channel.git_revision],
ba596fc0	487	stdout=subprocess.PIPE)
de68382a	488	v.result(process.returncode == 0 and process.stdout != b'')
e3cae769 SW	489	return '%s-%s' % (os.path.basename(channel.git_repo),
	490	process.stdout.decode().strip())
	491
	492
01ba0eb2 SW	493	def read_config(filename: str) -> configparser.ConfigParser:
	494	config = configparser.ConfigParser()
	495	config.read_file(open(filename), filename)
	496	return config
	497
	498
0e5e611d	499	def pin(args: argparse.Namespace) -> None:
2f96f32a	500	v = Verification()
01ba0eb2	501	config = read_config(args.channels_file)
5cfa8e11	502	for section in config.sections():
98853153 SW	503	if args.channels and section not in args.channels:
98853153 SW	504	continue
736c25eb SW	505
736c25eb SW	506	channel = Channel(**dict(config[section].items()))
17906b27 SW	507
	508	if hasattr(channel, 'alias_of'):
	509	assert not hasattr(channel, 'git_repo')
	510	continue
	511
736c25eb SW	512	if hasattr(channel, 'git_revision'):
	513	channel.old_git_revision = channel.git_revision
	514	del channel.git_revision
	515
8fca6c28 SW	516	if 'channel_url' in config[section]:
8fca6c28 SW	517	pin_channel(v, channel)
736c25eb	518	config[section]['release_name'] = channel.release_name
8fca6c28 SW	519	config[section]['tarball_url'] = channel.table['nixexprs.tar.xz'].absolute_url
	520	config[section]['tarball_sha256'] = channel.table['nixexprs.tar.xz'].digest
	521	else:
	522	git_fetch(v, channel)
736c25eb	523	config[section]['release_name'] = git_revision_name(v, channel)
8fca6c28 SW	524	config[section]['git_revision'] = channel.git_revision
8fca6c28 SW	525
0e5e611d	526	with open(args.channels_file, 'w') as configfile:
e434d96d	527	config.write(configfile)
2f96f32a SW	528
2f96f32a SW	529
10ddbaff SW	530	def fetch_channel(
	531	v: Verification,
	532	section: str,
	533	conf: configparser.SectionProxy) -> str:
	534	if 'git_repo' not in conf or 'release_name' not in conf:
	535	raise Exception(
	536	'Cannot update unpinned channel "%s" (Run "pin" before "update")' %
	537	section)
	538
	539	if 'channel_url' in conf:
	540	return fetch_with_nix_prefetch_url(
	541	v, conf['tarball_url'], Digest16(
	542	conf['tarball_sha256']))
	543
	544	channel = Channel(**dict(conf.items()))
	545	ensure_git_rev_available(v, channel)
	546	return git_get_tarball(v, channel)
	547
	548
736c25eb SW	549	def update(args: argparse.Namespace) -> None:
	550	v = Verification()
	551	config = configparser.ConfigParser()
da135b07	552	exprs: Dict[str, str] = {}
01ba0eb2 SW	553	configs = [read_config(filename) for filename in args.channels_file]
	554	for config in configs:
	555	for section in config.sections():
01ba0eb2 SW	556	if 'alias_of' in config[section]:
	557	assert 'git_repo' not in config[section]
	558	continue
10ddbaff	559	tarball = fetch_channel(v, section, config[section])
ab7ebb2f SW	560	if section in exprs:
ab7ebb2f SW	561	raise Exception('Duplicate channel "%s"' % section)
01ba0eb2 SW	562	exprs[section] = (
	563	'f: f { name = "%s"; channelName = "%%s"; src = builtins.storePath "%s"; }' %
	564	(config[section]['release_name'], tarball))
	565
	566	for config in configs:
	567	for section in config.sections():
	568	if 'alias_of' in config[section]:
ab7ebb2f SW	569	if section in exprs:
ab7ebb2f SW	570	raise Exception('Duplicate channel "%s"' % section)
01ba0eb2	571	exprs[section] = exprs[str(config[section]['alias_of'])]
17906b27	572
9a78329e SW	573	command = [
	574	'nix-env',
	575	'--profile',
	576	'/nix/var/nix/profiles/per-user/%s/channels' %
	577	getpass.getuser(),
	578	'--show-trace',
	579	'--file',
	580	'<nix/unpack-channel.nix>',
	581	'--install',
17906b27	582	'--from-expression'] + [exprs[name] % name for name in sorted(exprs.keys())]
9a78329e SW	583	if args.dry_run:
	584	print(' '.join(map(shlex.quote, command)))
	585	else:
	586	v.status('Installing channels with nix-env')
	587	process = subprocess.run(command)
	588	v.result(process.returncode == 0)
736c25eb SW	589
736c25eb SW	590
0e5e611d SW	591	def main() -> None:
	592	parser = argparse.ArgumentParser(prog='pinch')
	593	subparsers = parser.add_subparsers(dest='mode', required=True)
	594	parser_pin = subparsers.add_parser('pin')
	595	parser_pin.add_argument('channels_file', type=str)
98853153	596	parser_pin.add_argument('channels', type=str, nargs='*')
0e5e611d	597	parser_pin.set_defaults(func=pin)
736c25eb	598	parser_update = subparsers.add_parser('update')
9a78329e	599	parser_update.add_argument('--dry-run', action='store_true')
01ba0eb2	600	parser_update.add_argument('channels_file', type=str, nargs='+')
736c25eb	601	parser_update.set_defaults(func=update)
0e5e611d SW	602	args = parser.parse_args()
	603	args.func(args)
	604
	605
b5964ec3 SW	606	if __name__ == '__main__':
b5964ec3 SW	607	main()