]> git.scottworley.com Git - pinch/blobdiff - pinch.py
Support restricted mode: Allow manifest access with search paths.
[pinch] / pinch.py
index 5eb76018e710025a01bf632b1ab3234a79153815..f95323f68edc611ead3c3e85de9ec814dc785e09 100644 (file)
--- a/pinch.py
+++ b/pinch.py
@@ -247,7 +247,7 @@ def compare(a: str, b: str) -> Tuple[List[str], List[str], List[str]]:
 
 def fetch_channel(
         v: Verification, channel: ChannelSearchPath) -> Tuple[str, str]:
-    v.status('Fetching channel')
+    v.status('Fetching channel from %s' % channel.channel_url)
     request = urllib.request.urlopen(channel.channel_url, timeout=10)
     channel_html = request.read().decode()
     forwarded_url = request.geturl()
@@ -302,18 +302,39 @@ def digest_file(filename: str) -> Digest16:
     return Digest16(hasher.hexdigest())
 
 
+@functools.lru_cache
+def _experimental_flag_needed(v: Verification) -> bool:
+    v.status('Checking Nix version')
+    process = subprocess.run(['nix', '--help'], stdout=subprocess.PIPE)
+    v.result(process.returncode == 0)
+    return b'--experimental-features' in process.stdout
+
+
+def _nix_command(v: Verification) -> List[str]:
+    return ['nix', '--experimental-features',
+            'nix-command'] if _experimental_flag_needed(v) else ['nix']
+
+
 def to_Digest16(v: Verification, digest32: Digest32) -> Digest16:
     v.status('Converting digest to base16')
-    process = subprocess.run(
-        ['nix', 'to-base16', '--type', 'sha256', digest32], stdout=subprocess.PIPE)
+    process = subprocess.run(_nix_command(v) + [
+        'to-base16',
+        '--type',
+        'sha256',
+        digest32],
+        stdout=subprocess.PIPE)
     v.result(process.returncode == 0)
     return Digest16(process.stdout.decode().strip())
 
 
 def to_Digest32(v: Verification, digest16: Digest16) -> Digest32:
     v.status('Converting digest to base32')
-    process = subprocess.run(
-        ['nix', 'to-base32', '--type', 'sha256', digest16], stdout=subprocess.PIPE)
+    process = subprocess.run(_nix_command(v) + [
+        'to-base32',
+        '--type',
+        'sha256',
+        digest16],
+        stdout=subprocess.PIPE)
     v.result(process.returncode == 0)
     return Digest32(process.stdout.decode().strip())
 
@@ -330,7 +351,7 @@ def fetch_with_nix_prefetch_url(
     assert empty == ''
     v.check("Verifying nix-prefetch-url's digest",
             to_Digest16(v, Digest32(prefetch_digest)) == digest)
-    v.status("Verifying file digest")
+    v.status("Verifying digest of %s" % path)
     file_digest = digest_file(path)
     v.result(file_digest == digest)
     return path  # type: ignore  # (for old mypy)
@@ -623,6 +644,11 @@ def pinCommand(args: argparse.Namespace) -> None:
 def updateCommand(args: argparse.Namespace) -> None:
     v = Verification()
     exprs: Dict[str, str] = {}
+    profile_manifest = os.path.join(args.profile, "manifest.nix")
+    search_paths: List[str] = [
+        "-I", "pinch_profile=" + args.profile,
+        "-I", "pinch_profile_manifest=" + os.readlink(profile_manifest)
+    ] if os.path.exists(profile_manifest) else []
     config = {
         section: read_pinned_config_section(section, conf) for section,
         conf in read_config_files(
@@ -630,10 +656,12 @@ def updateCommand(args: argparse.Namespace) -> None:
     alias, nonalias = partition_dict(
         lambda k, v: isinstance(v[0], AliasSearchPath), config)
 
-    for section, (sp, pin) in nonalias.items():
+    for section, (sp, pin) in sorted(nonalias.items()):
         assert not isinstance(sp, AliasSearchPath)  # mypy can't see through
         assert not isinstance(pin, AliasPin)        # partition_dict()
         tarball = sp.fetch(v, pin)
+        search_paths.extend(["-I", "pinch_tarball_for_%s=%s" %
+                            (pin.release_name, tarball)])
         exprs[section] = (
             'f: f { name = "%s"; channelName = "%%s"; src = builtins.storePath "%s"; }' %
             (pin.release_name, tarball))
@@ -650,7 +678,8 @@ def updateCommand(args: argparse.Namespace) -> None:
         '--file',
         '<nix/unpack-channel.nix>',
         '--install',
-        '--from-expression'] + [exprs[name] % name for name in sorted(exprs.keys())]
+    ] + search_paths + ['--from-expression'] + [
+        exprs[name] % name for name in sorted(exprs.keys())]
     if args.dry_run:
         print(' '.join(map(shlex.quote, command)))
     else: