Generalize isFixedOutput in preparation for CA drvs

Today's fixed output derivations and regular derivations differ in a few
ways which are largely orthogonal. This replaces `isFixedOutput` with a
`type` that returns an enum of possible combinations.

src/libstore/build.cc

@@ -795,8 +795,8 @@ private:
     /* RAII object to delete the chroot directory. */
     std::shared_ptr<AutoDelete> autoDelChroot;
 
-    /* Whether this is a fixed-output derivation. */
+    /* The sort of derivation we are building. */
-    bool fixedOutput;
+    DerivationType derivationType;
 
     /* Whether to run the build in a private network namespace. */
     bool privateNetwork = false;
@@ -1369,12 +1369,12 @@ void DerivationGoal::inputsRealised()
 
     debug("added input paths %s", worker.store.showPaths(inputPaths));
 
-    /* Is this a fixed-output derivation? */
+    /* What type of derivation are we building? */
-    fixedOutput = drv->isFixedOutput();
+    derivationType = drv->type();
 
     /* Don't repeat fixed-output derivations since they're already
        verified by their output hash.*/
-    nrRounds = fixedOutput ? 1 : settings.buildRepeat + 1;
+    nrRounds = DtAxisFixed & derivationType ? 1 : settings.buildRepeat + 1;
 
     /* Okay, try to build.  Note that here we don't wait for a build
        slot to become available, since we don't need one if there is a
@@ -1724,7 +1724,7 @@ void DerivationGoal::buildDone()
             st =
                 dynamic_cast<NotDeterministic*>(&e) ? BuildResult::NotDeterministic :
                 statusOk(status) ? BuildResult::OutputRejected :
-                fixedOutput || diskFull ? BuildResult::TransientFailure :
+                DtAxisImpure & derivationType || diskFull ? BuildResult::TransientFailure :
                 BuildResult::PermanentFailure;
         }
 
@@ -1930,7 +1930,7 @@ void DerivationGoal::startBuilder()
         else if (settings.sandboxMode == smDisabled)
             useChroot = false;
         else if (settings.sandboxMode == smRelaxed)
-            useChroot = !fixedOutput && !noChroot;
+            useChroot = !(DtAxisImpure & derivationType) && !noChroot;
     }
 
     if (worker.store.storeDir != worker.store.realStoreDir) {
@@ -2112,7 +2112,7 @@ void DerivationGoal::startBuilder()
                 "nogroup:x:65534:\n") % sandboxGid).str());
 
         /* Create /etc/hosts with localhost entry. */
-        if (!fixedOutput)
+        if (!(DtAxisImpure & derivationType))
             writeFile(chrootRootDir + "/etc/hosts", "127.0.0.1 localhost\n::1 localhost\n");
 
         /* Make the closure of the inputs available in the chroot,
@@ -2318,7 +2318,7 @@ void DerivationGoal::startBuilder()
            us.
         */
 
-        if (!fixedOutput)
+        if (!(DtAxisImpure & derivationType))
             privateNetwork = true;
 
         userNamespaceSync.create();
@@ -2519,7 +2519,7 @@ void DerivationGoal::initEnv()
        derivation, tell the builder, so that for instance `fetchurl'
        can skip checking the output.  On older Nixes, this environment
        variable won't be set, so `fetchurl' will do the check. */
-    if (fixedOutput) env["NIX_OUTPUT_CHECKED"] = "1";
+    if (DtAxisFixed & derivationType) env["NIX_OUTPUT_CHECKED"] = "1";
 
     /* *Only* if this is a fixed-output derivation, propagate the
        values of the environment variables specified in the
@@ -2530,7 +2530,7 @@ void DerivationGoal::initEnv()
        to the builder is generally impure, but the output of
        fixed-output derivations is by definition pure (since we
        already know the cryptographic hash of the output). */
-    if (fixedOutput) {
+    if (derivationType & DtAxisImpure) {
         for (auto & i : parsedDrv->getStringsAttr("impureEnvVars").value_or(Strings()))
             env[i] = getEnv(i).value_or("");
     }
@@ -3144,7 +3144,7 @@ void DerivationGoal::runChild()
             /* Fixed-output derivations typically need to access the
                network, so give them access to /etc/resolv.conf and so
                on. */
-            if (fixedOutput) {
+            if (DtAxisImpure & derivationType) {
                 ss.push_back("/etc/resolv.conf");
 
                 // Only use nss functions to resolve hosts and
@@ -3385,7 +3385,7 @@ void DerivationGoal::runChild()
 
                 sandboxProfile += "(import \"sandbox-defaults.sb\")\n";
 
-                if (fixedOutput)
+                if (DtAxisImpure & derivationType)
                     sandboxProfile += "(import \"sandbox-network.sb\")\n";
 
                 /* Our rwx outputs */
@@ -3644,10 +3644,10 @@ void DerivationGoal::registerOutputs()
            hash). */
         std::string ca;
 
-        if (fixedOutput) {
+        if (i.second.hashAlgo != "") {
 
-            bool recursive; Hash h;
+            bool recursive; HashType ht;
-            i.second.parseHashInfo(recursive, h);
+            i.second.parseHashType(recursive, ht);
 
             if (!recursive) {
                 /* The output path should be a regular file without execute permission. */
@@ -3658,11 +3658,16 @@ void DerivationGoal::registerOutputs()
 
             /* Check the hash. In hash mode, move the path produced by
                the derivation to its content-addressed location. */
-            Hash h2 = recursive ? hashPath(h.type, actualPath).first : hashFile(h.type, actualPath);
+            Hash h2 = recursive ? hashPath(ht, actualPath).first : hashFile(ht, actualPath);
 
             auto dest = worker.store.makeFixedOutputPath(recursive, h2, i.second.path.name());
 
-            if (h != h2) {
+            // true if ither floating CA, or incorrect fixed hash.
+            bool needsMove = true;
+
+            if (i.second.hash != "") {
+              Hash h = Hash(i.second.hash, ht);
+              if (h != h2) {
 
                 /* Throw an error after registering the path as
                    valid. */
@@ -3670,7 +3675,13 @@ void DerivationGoal::registerOutputs()
                 delayedException = std::make_exception_ptr(
                     BuildError("hash mismatch in fixed-output derivation '%s':\n  wanted: %s\n  got:    %s",
                         worker.store.printStorePath(dest), h.to_string(SRI), h2.to_string(SRI)));
+              } else {
+                  // matched the fixed hash, so no move needed.
+                  needsMove = false;
+              }
+            }
 
+            if (needsMove) {
                 Path actualDest = worker.store.toRealPath(worker.store.printStorePath(dest));
 
                 if (worker.store.isValidPath(dest))

src/libstore/derivations.cc

@@ -8,8 +8,12 @@
 
 namespace nix {
 
+// Avoid shadow
+HashType parseHashAlgo(const string & s) {
+    return parseHashType(s);
+}
 
-void DerivationOutput::parseHashInfo(bool & recursive, Hash & hash) const
+void DerivationOutput::parseHashType(bool & recursive, HashType & hashType) const
 {
     recursive = false;
     string algo = hashAlgo;
@@ -19,10 +23,16 @@ void DerivationOutput::parseHashInfo(bool & recursive, Hash & hash) const
         algo = string(algo, 2);
     }
 
-    HashType hashType = parseHashType(algo);
+    HashType hashType_loc = parseHashAlgo(algo);
-    if (hashType == htUnknown)
+    if (hashType_loc == htUnknown)
         throw Error("unknown hash algorithm '%s'", algo);
+    hashType = hashType_loc;
+}
 
+void DerivationOutput::parseHashInfo(bool & recursive, Hash & hash) const
+{
+    HashType hashType;
+    parseHashType(recursive, hashType);
     hash = Hash(this->hash, hashType);
 }
 
@@ -328,11 +338,28 @@ bool isDerivation(const string & fileName)
 }
 
 
-bool BasicDerivation::isFixedOutput() const
+DerivationType BasicDerivation::type() const
 {
-    return outputs.size() == 1 &&
+    if (outputs.size() == 1 &&
         outputs.begin()->first == "out" &&
-        outputs.begin()->second.hash != "";
+        outputs.begin()->second.hash != "")
+    {
+        return DtCAFixed;
+    }
+
+    auto const algo = outputs.begin()->second.hashAlgo;
+    if (algo != "") {
+        throw Error("Invalid mix of CA and regular outputs");
+    }
+    for (auto & i : outputs) {
+        if (i.second.hash != "") {
+            throw Error("Non-fixed-output derivation has fixed output");
+        }
+        if (i.second.hashAlgo != "") {
+            throw Error("Invalid mix of CA and regular outputs");
+        }
+    }
+    return DtRegular;
 }
 
 
@@ -362,13 +389,17 @@ DrvHashes drvHashes;
 Hash hashDerivationModulo(Store & store, const Derivation & drv, bool maskOutputs)
 {
     /* Return a fixed hash for fixed-output derivations. */
-    if (drv.isFixedOutput()) {
+    switch (drv.type()) {
+    case DtCAFixed: {
         DerivationOutputs::const_iterator i = drv.outputs.begin();
         return hashString(htSHA256, "fixed:out:"
             + i->second.hashAlgo + ":"
             + i->second.hash + ":"
             + store.printStorePath(i->second.path));
     }
+    default:
+        break;
+    }
 
     /* For other derivations, replace the inputs paths with recursive
        calls to this function.*/

src/libstore/derivations.hh

@@ -22,6 +22,7 @@ struct DerivationOutput
         , hashAlgo(std::move(hashAlgo))
         , hash(std::move(hash))
     { }
+    void parseHashType(bool & recursive, HashType & hashType) const;
     void parseHashInfo(bool & recursive, Hash & hash) const;
 };
 
@@ -33,6 +34,21 @@ typedef std::map<StorePath, StringSet> DerivationInputs;
 
 typedef std::map<string, string> StringPairs;
 
+// Bit:
+//  7: regular vs ca
+//  6: floating vs fixed hash if ca, regular always floating
+//  5: pure vs impure if ca, regular always pure
+//  _: Unassigned
+enum DerivationTypeAxis : uint8_t {
+    DtAxisCA = 0b10000000,
+    DtAxisFixed = 0b01000000,
+    DtAxisImpure = 0b00100000,
+};
+enum DerivationType : uint8_t {
+    DtRegular = 0b0000000,
+    DtCAFixed = 0b11100000,
+};
+
 struct BasicDerivation
 {
     DerivationOutputs outputs; /* keyed on symbolic IDs */
@@ -53,7 +69,7 @@ struct BasicDerivation
     bool isBuiltin() const;
 
     /* Return true iff this is a fixed-output derivation. */
-    bool isFixedOutput() const;
+    DerivationType type() const;
 
     /* Return the output paths of a derivation. */
     StorePathSet outputPaths() const;

src/libstore/local-store.cc

@@ -559,21 +559,29 @@ void LocalStore::checkDerivationOutputs(const StorePath & drvPath, const Derivat
     };
 
 
-    if (drv.isFixedOutput()) {
+    // Don't need the answer, but do this anways to assert is proper
-        DerivationOutputs::const_iterator out = drv.outputs.find("out");
+    // combination. The code below is more general and naturally allows
-        if (out == drv.outputs.end())
+    // combinations that currently prohibited.
-            throw Error("derivation '%s' does not have an output named 'out'", printStorePath(drvPath));
+    drv.type();
 
-        bool recursive; Hash h;
+    std::optional<Hash> h;
-        out->second.parseHashInfo(recursive, h);
+    for (auto & i : drv.outputs) {
-
+        if (i.second.hashAlgo == "") {
-        check(makeFixedOutputPath(recursive, h, drvName), out->second.path, "out");
+            if (!h) {
-    }
+                // somewhat expensive so we do lazily
-
+                h = hashDerivationModulo(*this, drv, true);
-    else {
+            }
-        Hash h = hashDerivationModulo(*this, drv, true);
+            StorePath path = makeOutputPath(i.first, *h, drvName);
-        for (auto & i : drv.outputs)
+            check(path, i.second.path, i.first);
-            check(makeOutputPath(i.first, h, drvName), i.second.path, i.first);
+        } else {
+            if (i.second.hash == "") {
+                throw Error("Fixed output derivation needs hash");
+            }
+            bool recursive; Hash h;
+            i.second.parseHashInfo(recursive, h);
+            StorePath path = makeFixedOutputPath(recursive, h, drvName);
+            check(path, i.second.path, i.first);
+        }
     }
 }