From 436195f097c503546a7d1d80f4e82964bcdc7392 Mon Sep 17 00:00:00 2001
From: Scott Worley
Date: Thu, 13 Jan 2022 21:55:09 -0800
Subject: [PATCH 1/1] Support restricted mode: Allow tarball access with search paths.
This allows 'pinch update' to create a new profile. Updating an existing profile still doesn't work because nix-env can't read the existing manifest. Also, the search path names aren't the best. Multiple links probably don't work in restricted mode. (This tool is deprecated & is receiving minimal maintenance; patches welcome.)
---
 Changelog | 1 +
 pinch.py | 8 ++++++--
 tests/alias.sh | 2 +-
 tests/core.sh | 2 +-
 tests/multi-update.sh | 2 +-
 tests/pin-twice.sh | 2 +-
 tests/profile.sh | 2 +-
 tests/symlink.sh | 2 +-
 8 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/Changelog b/Changelog
index f6943ec..1bd1d9c 100644
--- a/Changelog
+++ b/Changelog
@@ -3,6 +3,7 @@
 - Deprecate pinch.
 - Show the channel URL being fetched.
 - Use nix 2.3 because 2.4 broke .
+- Support restricted mode: Allow tarball access with search paths.
 ## [3.0.5] - 2021-07-09
diff --git a/pinch.py b/pinch.py
index 130f69a..2ba47b2 100644
--- a/pinch.py
+++ b/pinch.py
@@ -644,6 +644,7 @@ def pinCommand(args: argparse.Namespace) -> None:
 def updateCommand(args: argparse.Namespace) -> None:
 v = Verification()
 exprs: Dict[str, str] = {}
+ search_paths: List[str] = []
 config = { section: read_pinned_config_section(section, conf) for section, conf in read_config_files(
@@ -651,10 +652,12 @@ def updateCommand(args: argparse.Namespace) -> None:
 alias, nonalias = partition_dict( lambda k, v: isinstance(v[0], AliasSearchPath), config)
- for section, (sp, pin) in nonalias.items():
+ for section, (sp, pin) in sorted(nonalias.items()):
 assert not isinstance(sp, AliasSearchPath) # mypy can't see through
 assert not isinstance(pin, AliasPin) # partition_dict()
 tarball = sp.fetch(v, pin)
+ search_paths.extend(["-I", "pinch_tarball_for_%s=%s" %
+ (pin.release_name, tarball)])
 exprs[section] = ( 'f: f { name = "%s"; channelName = "%%s"; src = builtins.storePath "%s"; }' % (pin.release_name, tarball))
@@ -671,7 +674,8 @@ def updateCommand(args: argparse.Namespace) -> None:
 '--file', '', '--install',
- '--from-expression'] + [exprs[name] % name for name in sorted(exprs.keys())]
+ ] + search_paths + ['--from-expression'] + [
+ exprs[name] % name for name in sorted(exprs.keys())]
 if args.dry_run:
 print(' '.join(map(shlex.quote, command)))
 else:
diff --git a/tests/alias.sh b/tests/alias.sh
index dce5747..bf63baa 100755
--- a/tests/alias.sh
+++ b/tests/alias.sh
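Review bot: In `updateCommand` (pinch.py), `pin.release_name` goes unchecked into the `-I` value at `"pinch_tarball_for_%s=%s" % (pin.release_name, tarball)`, and Nix splits a search-path entry at its first `=`, so a release name containing `=` would change which part is taken as the path that restricted evaluation may read. Where `release_name` is produced is not visible in this hunk; if it can come from fetched channel data, a guard before the `extend` call such as `if not re.fullmatch(r'[A-Za-z0-9._+-]+', pin.release_name): raise ValueError('unexpected release name')` (with `re` imported) would also protect the `name = "%s"` interpolation into the Nix expression a few lines below. A one-line comment above the `extend` call, `# restricted evaluation only reads paths on the search path, so each tarball is added with -I`, would record why these arguments exist. The function starts and ends outside the hunk.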
@@ -14,7 +14,7 @@ python3 ./pinch.py pin "$conf"
 actual_env_command=`python3 ./pinch.py update --dry-run "$conf"`
-expected_env_command_RE='^nix-env --profile /nix/var/nix/profiles/per-user/[^/]+/channels --show-trace --file '\'''\'' --install --from-expression '\''f: f \{ name = "(repo-[0-9]{10}-[0-9a-f]{11})"; channelName = "bar"; src = builtins.storePath "'"$NIX_STORE_DIR"'/.{32}-\1.tar.xz"; \}'\'' '\''f: f \{ name = "\1"; channelName = "foo"; src = builtins.storePath "'"$NIX_STORE_DIR"'/.{32}-\1.tar.xz"; \}'\''$'
+expected_env_command_RE='^nix-env --profile /nix/var/nix/profiles/per-user/[^/]+/channels --show-trace --file '\'''\'' --install -I pinch_tarball_for_(repo-[0-9]{10}-[0-9a-f]{11})=('"$NIX_STORE_DIR"'/.{32}-\1.tar.xz) --from-expression '\''f: f \{ name = "\1"; channelName = "bar"; src = builtins.storePath "\2"; \}'\'' '\''f: f \{ name = "\1"; channelName = "foo"; src = builtins.storePath "\2"; \}'\''$'
 if echo "$actual_env_command" | egrep "$expected_env_command_RE" > /dev/null;then echo PASS
diff --git a/tests/core.sh b/tests/core.sh
index 5d11707..60ac99f 100755
--- a/tests/core.sh
+++ b/tests/core.sh
@@ -8,7 +8,7 @@ python3 ./pinch.py pin "$conf"
 actual_env_command=`python3 ./pinch.py update --dry-run "$conf"`
-expected_env_command_RE='^nix-env --profile /nix/var/nix/profiles/per-user/[^/]+/channels --show-trace --file '\'''\'' --install --from-expression '\''f: f \{ name = "(repo-[0-9]{10}-[0-9a-f]{11})"; channelName = "foo"; src = builtins.storePath "'"$NIX_STORE_DIR"'/.{32}-\1.tar.xz"; \}'\''$'
+expected_env_command_RE='^nix-env --profile /nix/var/nix/profiles/per-user/[^/]+/channels --show-trace --file '\'''\'' --install -I pinch_tarball_for_(repo-[0-9]{10}-[0-9a-f]{11})=('"$NIX_STORE_DIR"'/.{32}-\1.tar.xz) --from-expression '\''f: f \{ name = "\1"; channelName = "foo"; src = builtins.storePath "\2"; \}'\''$'
 if echo "$actual_env_command" | egrep "$expected_env_command_RE" > /dev/null;then echo PASS
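Review bot: The updated expectation in tests/alias.sh, like the matching ones in core.sh, multi-update.sh, pin-twice.sh, profile.sh and symlink.sh, only matches the string printed by `update --dry-run`, so nothing visible in these hunks runs nix-env with restricted evaluation enabled, which is the behaviour the change is meant to support. A test that performs a real `update` into a scratch `--profile` under a Nix configuration with restricted evaluation switched on would catch a regression in how the `-I` entries are wired; whether the test environment permits that cannot be told from here. The rest of each script lies outside the hunks.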
diff --git a/tests/multi-update.sh b/tests/multi-update.sh
index aa617c8..87bf636 100755
--- a/tests/multi-update.sh
+++ b/tests/multi-update.sh
@@ -18,7 +18,7 @@ actual_env_command=`python3 ./pinch.py update --dry-run "$conf" "$conf2"`
 rm -rf "$conf2"
-expected_env_command_RE='^nix-env --profile /nix/var/nix/profiles/per-user/[^/]+/channels --show-trace --file '\'''\'' --install --from-expression '\''f: f \{ name = "(repo-[0-9]{10}-[0-9a-f]{11})"; channelName = "bar"; src = builtins.storePath "'"$NIX_STORE_DIR"'/.{32}-\1.tar.xz"; \}'\'' '\''f: f \{ name = "\1"; channelName = "foo"; src = builtins.storePath "'"$NIX_STORE_DIR"'/.{32}-\1.tar.xz"; \}'\''$'
+expected_env_command_RE='^nix-env --profile /nix/var/nix/profiles/per-user/[^/]+/channels --show-trace --file '\'''\'' --install -I pinch_tarball_for_(repo-[0-9]{10}-[0-9a-f]{11})=('"$NIX_STORE_DIR"'/.{32}-\1.tar.xz) --from-expression '\''f: f \{ name = "\1"; channelName = "bar"; src = builtins.storePath "\2"; \}'\'' '\''f: f \{ name = "\1"; channelName = "foo"; src = builtins.storePath "\2"; \}'\''$'
 if echo "$actual_env_command" | egrep "$expected_env_command_RE" > /dev/null;then echo PASS
diff --git a/tests/pin-twice.sh b/tests/pin-twice.sh
index ee50174..12d4646 100755
--- a/tests/pin-twice.sh
+++ b/tests/pin-twice.sh
@@ -17,7 +17,7 @@ python3 ./pinch.py pin "$conf"
 actual_env_command=`python3 ./pinch.py update --dry-run "$conf"`
-expected_env_command_RE='^nix-env --profile /nix/var/nix/profiles/per-user/[^/]+/channels --show-trace --file '\'''\'' --install --from-expression '\''f: f \{ name = "(repo-[0-9]{10}-[0-9a-f]{11})"; channelName = "foo"; src = builtins.storePath "'"$NIX_STORE_DIR"'/.{32}-\1.tar.xz"; \}'\''$'
+expected_env_command_RE='^nix-env --profile /nix/var/nix/profiles/per-user/[^/]+/channels --show-trace --file '\'''\'' --install -I pinch_tarball_for_(repo-[0-9]{10}-[0-9a-f]{11})=('"$NIX_STORE_DIR"'/.{32}-\1.tar.xz) --from-expression '\''f: f \{ name = "\1"; channelName = "foo"; src = builtins.storePath "\2"; \}'\''$'
 if echo "$actual_env_command" | egrep "$expected_env_command_RE" > /dev/null;then echo PASS
diff --git a/tests/profile.sh b/tests/profile.sh
index 00ceb27..08cf5b3 100755
--- a/tests/profile.sh
+++ b/tests/profile.sh
@@ -8,7 +8,7 @@ python3 ./pinch.py pin "$conf"
 actual_env_command=`python3 ./pinch.py update --dry-run --profile /path/to/profile "$conf"`
-expected_env_command_RE='^nix-env --profile /path/to/profile --show-trace --file '\'''\'' --install --from-expression '\''f: f \{ name = "(repo-[0-9]{10}-[0-9a-f]{11})"; channelName = "foo"; src = builtins.storePath "'"$NIX_STORE_DIR"'/.{32}-\1.tar.xz"; \}'\''$'
+expected_env_command_RE='^nix-env --profile /path/to/profile --show-trace --file '\'''\'' --install -I pinch_tarball_for_(repo-[0-9]{10}-[0-9a-f]{11})=('"$NIX_STORE_DIR"'/.{32}-\1.tar.xz) --from-expression '\''f: f \{ name = "\1"; channelName = "foo"; src = builtins.storePath "\2"; \}'\''$'
 if echo "$actual_env_command" | egrep "$expected_env_command_RE" > /dev/null;then echo PASS
diff --git a/tests/symlink.sh b/tests/symlink.sh
index 7f4c354..e5ef8c3 100755
--- a/tests/symlink.sh
+++ b/tests/symlink.sh
@@ -14,7 +14,7 @@ python3 ./pinch.py pin "$conf"
 actual_env_command=`python3 ./pinch.py update --dry-run "$conf"`
-expected_env_command_RE='^nix-env --profile /nix/var/nix/profiles/per-user/[^/]+/channels --show-trace --file '\'''\'' --install --from-expression '\''f: f \{ name = "link"; channelName = "bar"; src = builtins.storePath "'"$NIX_STORE_DIR"'/.{32}-link.tar.gz"; \}'\'' '\''f: f \{ name = "(repo-[0-9]{10}-[0-9a-f]{11})"; channelName = "foo"; src = builtins.storePath "'"$NIX_STORE_DIR"'/.{32}-\1.tar.xz"; \}'\''$'
+expected_env_command_RE='^nix-env --profile /nix/var/nix/profiles/per-user/[^/]+/channels --show-trace --file '\'''\'' --install -I pinch_tarball_for_link=('"$NIX_STORE_DIR"'/.{32}-link.tar.gz) -I pinch_tarball_for_(repo-[0-9]{10}-[0-9a-f]{11})=('"$NIX_STORE_DIR"'/.{32}-\2.tar.xz) --from-expression '\''f: f \{ name = "link"; channelName = "bar"; src = builtins.storePath "\1"; \}'\'' '\''f: f \{ name = "\2"; channelName = "foo"; src = builtins.storePath "\3"; \}'\''$'
 if echo "$actual_env_command" | egrep "$expected_env_command_RE" > /dev/null;then echo PASS
--
2.44.1