[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
165/376: Add disallowedReferences / disallowedRequisites
|
From: |
Ludovic Courtès |
|
Subject: |
165/376: Add disallowedReferences / disallowedRequisites |
|
Date: |
Wed, 28 Jan 2015 22:04:46 +0000 |
civodul pushed a commit to tag 1.8
in repository guix.
commit b72e93bca8fc045b37b1e863c423cf0e91e8c479
Author: Eelco Dolstra <address@hidden>
Date: Thu Aug 28 18:57:13 2014 +0200
Add disallowedReferences / disallowedRequisites
For the "stdenv accidentally referring to bootstrap-tools", it seems
easier to specify the path that we don't want to depend on, e.g.
disallowedRequisites = [ bootstrapTools ];
---
src/libstore/build.cc | 55 +++++++++++++++++++++++++-----------------------
tests/check-refs.nix | 12 ++++++++++
tests/check-refs.sh | 6 +++++
tests/check-reqs.nix | 14 ++++++++++++
tests/check-reqs.sh | 5 ++-
5 files changed, 64 insertions(+), 28 deletions(-)
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 6390a74..0d290d7 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -2318,33 +2318,36 @@ void DerivationGoal::registerOutputs()
debug(format("referenced input: ‘%1%’") % *i);
}
- /* If the derivation specifies an `allowedReferences'
- attribute (containing a list of paths that the output may
- refer to), check that all references are in that list. !!!
- allowedReferences should really be per-output. */
- if (drv.env.find("allowedReferences") != drv.env.end()) {
- PathSet allowed = parseReferenceSpecifiers(drv, get(drv.env,
"allowedReferences"));
- foreach (PathSet::iterator, i, references)
- if (allowed.find(*i) == allowed.end())
- throw BuildError(format("output (‘%1%’) is not allowed to
refer to path ‘%2%’") % actualPath % *i);
- }
+ /* Enforce `allowedReferences' and friends. */
+ auto checkRefs = [&](const string & attrName, bool allowed, bool
recursive) {
+ if (drv.env.find(attrName) == drv.env.end()) return;
+
+ PathSet spec = parseReferenceSpecifiers(drv, get(drv.env,
attrName));
+
+ PathSet used;
+ if (recursive) {
+ /* Our requisites are the union of the closures of our
references. */
+ for (auto & i : references)
+ /* Don't call computeFSClosure on ourselves. */
+ if (actualPath != i)
+ computeFSClosure(worker.store, i, used);
+ } else
+ used = references;
+
+ for (auto & i : used)
+ if (allowed) {
+ if (spec.find(i) == spec.end())
+ throw BuildError(format("output (‘%1%’) is not allowed
to refer to path ‘%2%’") % actualPath % i);
+ } else {
+ if (spec.find(i) != spec.end())
+ throw BuildError(format("output (‘%1%’) is not allowed
to refer to path ‘%2%’") % actualPath % i);
+ }
+ };
- /* If the derivation specifies an `allowedRequisites'
- attribute (containing a list of paths that the output may
- refer to), check that all requisites are in that list. !!!
- allowedRequisites should really be per-output. */
- if (drv.env.find("allowedRequisites") != drv.env.end()) {
- PathSet allowed = parseReferenceSpecifiers(drv, get(drv.env,
"allowedRequisites"));
- PathSet requisites;
- /* Our requisites are the union of the closures of our references.
*/
- foreach (PathSet::iterator, i, references)
- /* Don't call computeFSClosure on ourselves. */
- if (actualPath != *i)
- computeFSClosure(worker.store, *i, requisites);
- foreach (PathSet::iterator, i, requisites)
- if (allowed.find(*i) == allowed.end())
- throw BuildError(format("output (‘%1%’) is not allowed to
refer to requisite path ‘%2%’") % actualPath % *i);
- }
+ checkRefs("allowedReferences", true, false);
+ checkRefs("allowedRequisites", true, true);
+ checkRefs("disallowedReferences", false, false);
+ checkRefs("disallowedRequisites", false, true);
worker.store.optimisePath(path); // FIXME: combine with
scanForReferences()
diff --git a/tests/check-refs.nix b/tests/check-refs.nix
index 63791fe..9d90b09 100644
--- a/tests/check-refs.nix
+++ b/tests/check-refs.nix
@@ -55,4 +55,16 @@ rec {
inherit dep;
};
+ test9 = makeTest 9 {
+ builder = builtins.toFile "builder.sh" "mkdir $out; ln -s $dep $out/link";
+ inherit dep;
+ disallowedReferences = [dep];
+ };
+
+ test10 = makeTest 10 {
+ builder = builtins.toFile "builder.sh" "mkdir $out; echo $test5; ln -s
$dep $out/link";
+ inherit dep test5;
+ disallowedReferences = [test5];
+ };
+
}
diff --git a/tests/check-refs.sh b/tests/check-refs.sh
index 9e10366..34ee22c 100644
--- a/tests/check-refs.sh
+++ b/tests/check-refs.sh
@@ -32,3 +32,9 @@ nix-build -o $RESULT check-refs.nix -A test7
# test8 should fail (toFile depending on derivation output).
(! nix-build -o $RESULT check-refs.nix -A test8)
+
+# test9 should fail (disallowed reference).
+(! nix-build -o $RESULT check-refs.nix -A test9)
+
+# test10 should succeed (no disallowed references).
+nix-build -o $RESULT check-refs.nix -A test10
diff --git a/tests/check-reqs.nix b/tests/check-reqs.nix
index 5af8ea6..41436cb 100644
--- a/tests/check-reqs.nix
+++ b/tests/check-reqs.nix
@@ -40,4 +40,18 @@ rec {
test3 = makeTest 3 [ dep1 deps ];
test4 = makeTest 4 [ deps ];
test5 = makeTest 5 [];
+
+ test6 = mkDerivation {
+ name = "check-reqs";
+ inherit deps;
+ builder = builtins.toFile "builder.sh" "mkdir $out; ln -s $deps
$out/depdir1";
+ disallowedRequisites = [dep1];
+ };
+
+ test7 = mkDerivation {
+ name = "check-reqs";
+ inherit deps;
+ builder = builtins.toFile "builder.sh" "mkdir $out; ln -s $deps
$out/depdir1";
+ disallowedRequisites = [test1];
+ };
}
diff --git a/tests/check-reqs.sh b/tests/check-reqs.sh
index 643c2d0..8b24549 100644
--- a/tests/check-reqs.sh
+++ b/tests/check-reqs.sh
@@ -2,11 +2,12 @@ source common.sh
RESULT=$TEST_ROOT/result
-# test1 should succeed.
nix-build -o $RESULT check-reqs.nix -A test1
-# test{2,3,4,5} should fail.
(! nix-build -o $RESULT check-reqs.nix -A test2)
(! nix-build -o $RESULT check-reqs.nix -A test3)
(! nix-build -o $RESULT check-reqs.nix -A test4)
(! nix-build -o $RESULT check-reqs.nix -A test5)
+(! nix-build -o $RESULT check-reqs.nix -A test6)
+
+nix-build -o $RESULT check-reqs.nix -A test7
- 160/376: Fix building with Clang, (continued)
- 160/376: Fix building with Clang, Ludovic Courtès, 2015/01/28
- 170/376: Fix dependency ordering, Ludovic Courtès, 2015/01/28
- 169/376: Hack for supporting Boost on Homebrew, Ludovic Courtès, 2015/01/28
- 166/376: Shut up "Wide character" warnings in Perl scripts, Ludovic Courtès, 2015/01/28
- 167/376: Add an 'optimiseStore' remote procedure call., Ludovic Courtès, 2015/01/28
- 171/376: Fix build-remote.pl, Ludovic Courtès, 2015/01/28
- 172/376: tests/remote-builds.nix: Time out faster, Ludovic Courtès, 2015/01/28
- 176/376: Add support for using a build directory, Ludovic Courtès, 2015/01/28
- 178/376: Support specifying a JAR manifest, Ludovic Courtès, 2015/01/28
- 181/376: Add some hyperlinks between NIXPATH and -I, Ludovic Courtès, 2015/01/28
- 165/376: Add disallowedReferences / disallowedRequisites,
Ludovic Courtès <=
- 173/376: Tweak, Ludovic Courtès, 2015/01/28
- 168/376: Fix boost::too_many_args error, Ludovic Courtès, 2015/01/28
- 174/376: build-remote.pl: UTF-8-decode errors, Ludovic Courtès, 2015/01/28
- 180/376: Don't rely on process substitution, Ludovic Courtès, 2015/01/28
- 177/376: Improved support for building JARs, Ludovic Courtès, 2015/01/28
- 187/376: Drop reference to FreeBSD, Ludovic Courtès, 2015/01/28
- 189/376: Tweak some chapter titles, Ludovic Courtès, 2015/01/28
- 175/376: Hack to prevent Makefile.config from being regenerated by "make clean", Ludovic Courtès, 2015/01/28
- 186/376: Remove pointless "license" section, Ludovic Courtès, 2015/01/28
- 190/376: Undocument NIX_OTHER_STORES, Ludovic Courtès, 2015/01/28