mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-22 05:56:15 +02:00
nix: Add --expr flag
This replaces the '(...)' installable syntax, which is not very discoverable. The downside is that you can't have multiple expressions or mix expressions and other installables.
This commit is contained in:
parent
2c6dbcd5e7
commit
ca8caaec5e
9 changed files with 86 additions and 76 deletions
|
@ -56,6 +56,7 @@ struct MixFlakeOptions : virtual Args
|
|||
struct SourceExprCommand : virtual Args, EvalCommand, MixFlakeOptions
|
||||
{
|
||||
std::optional<Path> file;
|
||||
std::optional<std::string> expr;
|
||||
|
||||
SourceExprCommand();
|
||||
|
||||
|
@ -106,7 +107,7 @@ struct InstallableCommand : virtual Args, SourceExprCommand
|
|||
|
||||
private:
|
||||
|
||||
std::string _installable{"."};
|
||||
std::string _installable{""};
|
||||
};
|
||||
|
||||
/* A command that operates on zero or more store paths. */
|
||||
|
|
|
@ -28,7 +28,7 @@ struct CmdEval : MixJSON, InstallableCommand
|
|||
return {
|
||||
Example{
|
||||
"To evaluate a Nix expression given on the command line:",
|
||||
"nix eval '(1 + 2)'"
|
||||
"nix eval --expr '1 + 2'"
|
||||
},
|
||||
Example{
|
||||
"To evaluate a Nix expression from a file or URI:",
|
||||
|
|
|
@ -51,8 +51,14 @@ SourceExprCommand::SourceExprCommand()
|
|||
.shortName('f')
|
||||
.longName("file")
|
||||
.label("file")
|
||||
.description("evaluate a set of attributes from FILE (deprecated)")
|
||||
.description("evaluate attributes from FILE")
|
||||
.dest(&file);
|
||||
|
||||
mkFlag()
|
||||
.longName("expr")
|
||||
.label("expr")
|
||||
.description("evaluate attributes from EXPR")
|
||||
.dest(&expr);
|
||||
}
|
||||
|
||||
Strings SourceExprCommand::getDefaultFlakeAttrPaths()
|
||||
|
@ -378,19 +384,25 @@ std::vector<std::shared_ptr<Installable>> SourceExprCommand::parseInstallables(
|
|||
{
|
||||
std::vector<std::shared_ptr<Installable>> result;
|
||||
|
||||
if (file) {
|
||||
if (file || expr) {
|
||||
if (file && expr)
|
||||
throw UsageError("'--file' and '--expr' are exclusive");
|
||||
|
||||
// FIXME: backward compatibility hack
|
||||
evalSettings.pureEval = false;
|
||||
if (file) evalSettings.pureEval = false;
|
||||
|
||||
auto state = getEvalState();
|
||||
auto vFile = state->allocValue();
|
||||
state->evalFile(lookupFileArg(*state, *file), *vFile);
|
||||
|
||||
if (ss.empty())
|
||||
ss = {""};
|
||||
if (file)
|
||||
state->evalFile(lookupFileArg(*state, *file), *vFile);
|
||||
else {
|
||||
auto e = state->parseExprFromString(*expr, absPath("."));
|
||||
state->eval(e, *vFile);
|
||||
}
|
||||
|
||||
for (auto & s : ss)
|
||||
result.push_back(std::make_shared<InstallableAttrPath>(*this, vFile, s));
|
||||
result.push_back(std::make_shared<InstallableAttrPath>(*this, vFile, s == "." ? "" : s));
|
||||
|
||||
} else {
|
||||
|
||||
|
@ -407,10 +419,7 @@ std::vector<std::shared_ptr<Installable>> SourceExprCommand::parseInstallables(
|
|||
size_t hash;
|
||||
std::optional<Path> storePath;
|
||||
|
||||
if (s.compare(0, 1, "(") == 0)
|
||||
result.push_back(std::make_shared<InstallableExpr>(*this, s));
|
||||
|
||||
else if (hasPrefix(s, "nixpkgs.")) {
|
||||
if (hasPrefix(s, "nixpkgs.")) {
|
||||
bool static warned;
|
||||
warnOnce(warned, "the syntax 'nixpkgs.<attr>' is deprecated; use 'nixpkgs:<attr>' instead");
|
||||
result.push_back(std::make_shared<InstallableFlake>(*this, FlakeRef("nixpkgs"),
|
||||
|
@ -532,7 +541,7 @@ PathSet toDerivations(ref<Store> store,
|
|||
|
||||
void InstallablesCommand::prepare()
|
||||
{
|
||||
if (_installables.empty() && !file && useDefaultInstallables())
|
||||
if (_installables.empty() && useDefaultInstallables())
|
||||
// FIXME: commands like "nix install" should not have a
|
||||
// default, probably.
|
||||
_installables.push_back(".");
|
||||
|
|
|
@ -28,39 +28,39 @@ git -C $repo commit -m 'Bla2' -a
|
|||
rev2=$(git -C $repo rev-parse HEAD)
|
||||
|
||||
# Fetch the default branch.
|
||||
path=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
|
||||
path=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath")
|
||||
[[ $(cat $path/hello) = world ]]
|
||||
|
||||
# In pure eval mode, fetchGit without a revision should fail.
|
||||
[[ $(nix eval --impure --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))") = world ]]
|
||||
(! nix eval --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))")
|
||||
[[ $(nix eval --impure --raw --expr "builtins.readFile (fetchGit file://$repo + \"/hello\")") = world ]]
|
||||
(! nix eval --raw --expr "builtins.readFile (fetchGit file://$repo + \"/hello\")")
|
||||
|
||||
# Fetch using an explicit revision hash.
|
||||
path2=$(nix eval --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath")
|
||||
path2=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath")
|
||||
[[ $path = $path2 ]]
|
||||
|
||||
# In pure eval mode, fetchGit with a revision should succeed.
|
||||
[[ $(nix eval --raw "(builtins.readFile (fetchGit { url = file://$repo; rev = \"$rev2\"; } + \"/hello\"))") = world ]]
|
||||
[[ $(nix eval --raw --expr "builtins.readFile (fetchGit { url = file://$repo; rev = \"$rev2\"; } + \"/hello\")") = world ]]
|
||||
|
||||
# Fetch again. This should be cached.
|
||||
mv $repo ${repo}-tmp
|
||||
path2=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
|
||||
path2=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath")
|
||||
[[ $path = $path2 ]]
|
||||
|
||||
[[ $(nix eval --impure "(builtins.fetchGit file://$repo).revCount") = 2 ]]
|
||||
[[ $(nix eval --impure --raw "(builtins.fetchGit file://$repo).rev") = $rev2 ]]
|
||||
[[ $(nix eval --impure --expr "(builtins.fetchGit file://$repo).revCount") = 2 ]]
|
||||
[[ $(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).rev") = $rev2 ]]
|
||||
|
||||
# Fetching with a explicit hash should succeed.
|
||||
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath")
|
||||
path2=$(nix eval --tarball-ttl 0 --raw --expr "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath")
|
||||
[[ $path = $path2 ]]
|
||||
|
||||
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev1\"; }).outPath")
|
||||
path2=$(nix eval --tarball-ttl 0 --raw --expr "(builtins.fetchGit { url = file://$repo; rev = \"$rev1\"; }).outPath")
|
||||
[[ $(cat $path2/hello) = utrecht ]]
|
||||
|
||||
mv ${repo}-tmp $repo
|
||||
|
||||
# Using a clean working tree should produce the same result.
|
||||
path2=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
|
||||
path2=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
|
||||
[[ $path = $path2 ]]
|
||||
|
||||
# Using an unclean tree should yield the tracked but uncommitted changes.
|
||||
|
@ -71,26 +71,26 @@ echo bar > $repo/dir2/bar
|
|||
git -C $repo add dir1/foo
|
||||
git -C $repo rm hello
|
||||
|
||||
path2=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
|
||||
path2=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
|
||||
[ ! -e $path2/hello ]
|
||||
[ ! -e $path2/bar ]
|
||||
[ ! -e $path2/dir2/bar ]
|
||||
[ ! -e $path2/.git ]
|
||||
[[ $(cat $path2/dir1/foo) = foo ]]
|
||||
|
||||
[[ $(nix eval --impure --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
|
||||
[[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
|
||||
|
||||
# ... unless we're using an explicit ref or rev.
|
||||
path3=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"master\"; }).outPath")
|
||||
path3=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"master\"; }).outPath")
|
||||
[[ $path = $path3 ]]
|
||||
|
||||
path3=$(nix eval --raw "(builtins.fetchGit { url = $repo; rev = \"$rev2\"; }).outPath")
|
||||
path3=$(nix eval --raw --expr "(builtins.fetchGit { url = $repo; rev = \"$rev2\"; }).outPath")
|
||||
[[ $path = $path3 ]]
|
||||
|
||||
# Committing should not affect the store path.
|
||||
git -C $repo commit -m 'Bla3' -a
|
||||
|
||||
path4=$(nix eval --impure --tarball-ttl 0 --raw "(builtins.fetchGit file://$repo).outPath")
|
||||
path4=$(nix eval --impure --tarball-ttl 0 --raw --expr "(builtins.fetchGit file://$repo).outPath")
|
||||
[[ $path2 = $path4 ]]
|
||||
|
||||
# tarball-ttl should be ignored if we specify a rev
|
||||
|
@ -98,32 +98,32 @@ echo delft > $repo/hello
|
|||
git -C $repo add hello
|
||||
git -C $repo commit -m 'Bla4'
|
||||
rev3=$(git -C $repo rev-parse HEAD)
|
||||
nix eval --tarball-ttl 3600 "(builtins.fetchGit { url = $repo; rev = \"$rev3\"; })" >/dev/null
|
||||
nix eval --tarball-ttl 3600 --expr "builtins.fetchGit { url = $repo; rev = \"$rev3\"; }" >/dev/null
|
||||
|
||||
# Update 'path' to reflect latest master
|
||||
path=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
|
||||
path=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath")
|
||||
|
||||
# Check behavior when non-master branch is used
|
||||
git -C $repo checkout $rev2 -b dev
|
||||
echo dev > $repo/hello
|
||||
|
||||
# File URI uses 'master' unless specified otherwise
|
||||
path2=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
|
||||
path2=$(nix eval --impure --raw --expr "(builtins.fetchGit file://$repo).outPath")
|
||||
[[ $path = $path2 ]]
|
||||
|
||||
# Using local path with branch other than 'master' should work when clean or dirty
|
||||
path3=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
|
||||
path3=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
|
||||
# (check dirty-tree handling was used)
|
||||
[[ $(nix eval --impure --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
|
||||
[[ $(nix eval --impure --raw --expr "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
|
||||
|
||||
# Committing shouldn't change store path, or switch to using 'master'
|
||||
git -C $repo commit -m 'Bla5' -a
|
||||
path4=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
|
||||
path4=$(nix eval --impure --raw --expr "(builtins.fetchGit $repo).outPath")
|
||||
[[ $(cat $path4/hello) = dev ]]
|
||||
[[ $path3 = $path4 ]]
|
||||
|
||||
# Confirm same as 'dev' branch
|
||||
path5=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
|
||||
path5=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
|
||||
[[ $path3 = $path5 ]]
|
||||
|
||||
|
||||
|
@ -133,8 +133,8 @@ rm -rf $TEST_HOME/.cache/nix/gitv2
|
|||
# Try again, but without 'git' on PATH
|
||||
NIX=$(command -v nix)
|
||||
# This should fail
|
||||
(! PATH= $NIX eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath" )
|
||||
(! PATH= $NIX eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath" )
|
||||
|
||||
# Try again, with 'git' available. This should work.
|
||||
path5=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
|
||||
path5=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
|
||||
[[ $path3 = $path5 ]]
|
||||
|
|
|
@ -26,43 +26,43 @@ hg commit --cwd $repo -m 'Bla2'
|
|||
rev2=$(hg log --cwd $repo -r tip --template '{node}')
|
||||
|
||||
# Fetch the default branch.
|
||||
path=$(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).outPath")
|
||||
path=$(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).outPath")
|
||||
[[ $(cat $path/hello) = world ]]
|
||||
|
||||
# In pure eval mode, fetchGit without a revision should fail.
|
||||
[[ $(nix eval --impure --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") = world ]]
|
||||
(! nix eval --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))")
|
||||
[[ $(nix eval --impure --raw --expr "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") = world ]]
|
||||
(! nix eval --raw --expr "builtins.readFile (fetchMercurial file://$repo + \"/hello\")")
|
||||
|
||||
# Fetch using an explicit revision hash.
|
||||
path2=$(nix eval --impure --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
|
||||
path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
|
||||
[[ $path = $path2 ]]
|
||||
|
||||
# In pure eval mode, fetchGit with a revision should succeed.
|
||||
[[ $(nix eval --raw "(builtins.readFile (fetchMercurial { url = file://$repo; rev = \"$rev2\"; } + \"/hello\"))") = world ]]
|
||||
[[ $(nix eval --raw --expr "builtins.readFile (fetchMercurial { url = file://$repo; rev = \"$rev2\"; } + \"/hello\")") = world ]]
|
||||
|
||||
# Fetch again. This should be cached.
|
||||
mv $repo ${repo}-tmp
|
||||
path2=$(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).outPath")
|
||||
path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).outPath")
|
||||
[[ $path = $path2 ]]
|
||||
|
||||
[[ $(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).branch") = default ]]
|
||||
[[ $(nix eval --impure "(builtins.fetchMercurial file://$repo).revCount") = 1 ]]
|
||||
[[ $(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).rev") = $rev2 ]]
|
||||
[[ $(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).branch") = default ]]
|
||||
[[ $(nix eval --impure --expr "(builtins.fetchMercurial file://$repo).revCount") = 1 ]]
|
||||
[[ $(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).rev") = $rev2 ]]
|
||||
|
||||
# But with TTL 0, it should fail.
|
||||
(! nix eval --impure --tarball-ttl 0 "(builtins.fetchMercurial file://$repo)")
|
||||
(! nix eval --impure --tarball-ttl 0 --expr "builtins.fetchMercurial file://$repo")
|
||||
|
||||
# Fetching with a explicit hash should succeed.
|
||||
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
|
||||
path2=$(nix eval --tarball-ttl 0 --raw --expr "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
|
||||
[[ $path = $path2 ]]
|
||||
|
||||
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev1\"; }).outPath")
|
||||
path2=$(nix eval --tarball-ttl 0 --raw --expr "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev1\"; }).outPath")
|
||||
[[ $(cat $path2/hello) = utrecht ]]
|
||||
|
||||
mv ${repo}-tmp $repo
|
||||
|
||||
# Using a clean working tree should produce the same result.
|
||||
path2=$(nix eval --impure --raw "(builtins.fetchMercurial $repo).outPath")
|
||||
path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial $repo).outPath")
|
||||
[[ $path = $path2 ]]
|
||||
|
||||
# Using an unclean tree should yield the tracked but uncommitted changes.
|
||||
|
@ -73,21 +73,21 @@ echo bar > $repo/dir2/bar
|
|||
hg add --cwd $repo dir1/foo
|
||||
hg rm --cwd $repo hello
|
||||
|
||||
path2=$(nix eval --impure --raw "(builtins.fetchMercurial $repo).outPath")
|
||||
path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial $repo).outPath")
|
||||
[ ! -e $path2/hello ]
|
||||
[ ! -e $path2/bar ]
|
||||
[ ! -e $path2/dir2/bar ]
|
||||
[ ! -e $path2/.hg ]
|
||||
[[ $(cat $path2/dir1/foo) = foo ]]
|
||||
|
||||
[[ $(nix eval --impure --raw "(builtins.fetchMercurial $repo).rev") = 0000000000000000000000000000000000000000 ]]
|
||||
[[ $(nix eval --impure --raw --expr "(builtins.fetchMercurial $repo).rev") = 0000000000000000000000000000000000000000 ]]
|
||||
|
||||
# ... unless we're using an explicit rev.
|
||||
path3=$(nix eval --raw "(builtins.fetchMercurial { url = $repo; rev = \"default\"; }).outPath")
|
||||
path3=$(nix eval --raw --expr "(builtins.fetchMercurial { url = $repo; rev = \"default\"; }).outPath")
|
||||
[[ $path = $path3 ]]
|
||||
|
||||
# Committing should not affect the store path.
|
||||
hg commit --cwd $repo -m 'Bla3'
|
||||
|
||||
path4=$(nix eval --impure --tarball-ttl 0 --raw "(builtins.fetchMercurial file://$repo).outPath")
|
||||
path4=$(nix eval --impure --tarball-ttl 0 --raw --expr "(builtins.fetchMercurial file://$repo).outPath")
|
||||
[[ $path2 = $path4 ]]
|
||||
|
|
|
@ -57,11 +57,11 @@ with import ./config.nix; mkDerivation {
|
|||
EOF
|
||||
)
|
||||
|
||||
nix build --impure -v -o $TEST_ROOT/result-A -L "($expr)" \
|
||||
nix build --impure -v -o $TEST_ROOT/result-A -L --expr "$expr" \
|
||||
--min-free 1000 --max-free 2000 --min-free-check-interval 1 &
|
||||
pid=$!
|
||||
|
||||
nix build --impure -v -o $TEST_ROOT/result-B -L "($expr2)" \
|
||||
nix build --impure -v -o $TEST_ROOT/result-B -L --expr "$expr2" \
|
||||
--min-free 1000 --max-free 2000 --min-free-check-interval 1
|
||||
|
||||
wait "$pid"
|
||||
|
|
|
@ -2,6 +2,6 @@ source common.sh
|
|||
|
||||
set -o pipefail
|
||||
|
||||
res=$(nix eval '(builtins.anotherNull)' --option setting-set true --option plugin-files $PWD/plugins/libplugintest*)
|
||||
res=$(nix eval --expr builtins.anotherNull --option setting-set true --option plugin-files $PWD/plugins/libplugintest*)
|
||||
|
||||
[ "$res"x = "nullx" ]
|
||||
|
|
|
@ -2,17 +2,17 @@ source common.sh
|
|||
|
||||
clearStore
|
||||
|
||||
nix eval '(assert 1 + 2 == 3; true)'
|
||||
nix eval --expr 'assert 1 + 2 == 3; true'
|
||||
|
||||
[[ $(nix eval --impure '(builtins.readFile ./pure-eval.sh)') =~ clearStore ]]
|
||||
[[ $(nix eval --impure --expr 'builtins.readFile ./pure-eval.sh') =~ clearStore ]]
|
||||
|
||||
(! nix eval '(builtins.readFile ./pure-eval.sh)')
|
||||
(! nix eval --expr 'builtins.readFile ./pure-eval.sh')
|
||||
|
||||
(! nix eval '(builtins.currentTime)')
|
||||
(! nix eval '(builtins.currentSystem)')
|
||||
(! nix eval --expr builtins.currentTime)
|
||||
(! nix eval --expr builtins.currentSystem)
|
||||
|
||||
(! nix-instantiate --pure-eval ./simple.nix)
|
||||
|
||||
[[ $(nix eval --impure "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)") == 123 ]]
|
||||
(! nix eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)")
|
||||
nix eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash-file pure-eval.nix --type sha256)\"; })).x)"
|
||||
[[ $(nix eval --impure --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x") == 123 ]]
|
||||
(! nix eval --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x")
|
||||
nix eval --expr "(import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash-file pure-eval.nix --type sha256)\"; })).x"
|
||||
|
|
|
@ -17,18 +17,18 @@ nix-instantiate --restrict-eval --eval -E 'builtins.readDir ../src/nix-channel'
|
|||
(! nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
|
||||
nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
|
||||
|
||||
p=$(nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)")
|
||||
p=$(nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)")
|
||||
cmp $p restricted.sh
|
||||
|
||||
(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval)
|
||||
(! nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval)
|
||||
|
||||
(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh/")
|
||||
(! nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh/")
|
||||
|
||||
nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh"
|
||||
nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh"
|
||||
|
||||
(! nix eval --raw "(builtins.fetchurl https://github.com/NixOS/patchelf/archive/master.tar.gz)" --impure --restrict-eval)
|
||||
(! nix eval --raw "(builtins.fetchTarball https://github.com/NixOS/patchelf/archive/master.tar.gz)" --impure --restrict-eval)
|
||||
(! nix eval --raw "(fetchGit git://github.com/NixOS/patchelf.git)" --impure --restrict-eval)
|
||||
(! nix eval --raw --expr "builtins.fetchurl https://github.com/NixOS/patchelf/archive/master.tar.gz" --impure --restrict-eval)
|
||||
(! nix eval --raw --expr "builtins.fetchTarball https://github.com/NixOS/patchelf/archive/master.tar.gz" --impure --restrict-eval)
|
||||
(! nix eval --raw --expr "fetchGit git://github.com/NixOS/patchelf.git" --impure --restrict-eval)
|
||||
|
||||
ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
|
||||
[[ $(nix-instantiate --eval $TEST_ROOT/restricted.nix) == 3 ]]
|
||||
|
@ -37,7 +37,7 @@ ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
|
|||
(! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .)
|
||||
nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I .
|
||||
|
||||
[[ $(nix eval --raw --impure --restrict-eval -I . '(builtins.readFile "${import ./simple.nix}/hello")') == 'Hello World!' ]]
|
||||
[[ $(nix eval --raw --impure --restrict-eval -I . --expr 'builtins.readFile "${import ./simple.nix}/hello"') == 'Hello World!' ]]
|
||||
|
||||
# Check whether we can leak symlink information through directory traversal.
|
||||
traverseDir="$(pwd)/restricted-traverse-me"
|
||||
|
@ -45,7 +45,7 @@ ln -sfn "$(pwd)/restricted-secret" "$(pwd)/restricted-innocent"
|
|||
mkdir -p "$traverseDir"
|
||||
goUp="..$(echo "$traverseDir" | sed -e 's,[^/]\+,..,g')"
|
||||
output="$(nix eval --raw --restrict-eval -I "$traverseDir" \
|
||||
"(builtins.readFile \"$traverseDir/$goUp$(pwd)/restricted-innocent\")" \
|
||||
--expr "builtins.readFile \"$traverseDir/$goUp$(pwd)/restricted-innocent\"" \
|
||||
2>&1 || :)"
|
||||
echo "$output" | grep "is forbidden"
|
||||
! echo "$output" | grep -F restricted-secret
|
||||
|
|
Loading…
Reference in a new issue