Merge remote-tracking branch 'origin/master' into lazy-trees

2025-11-29 13:41:00 +01:00 · 2023-02-17 12:02:52 +01:00 · 2023-02-17 12:02:52 +01:00 · 12f141391c
commit 12f141391c
parent bb421ac80b a88ae62bc0
63 changed files with 819 additions and 312 deletions
--- a/tests/build-delete.sh
+++ b/tests/build-delete.sh
@ -0,0 +1,56 @@
+source common.sh
+
+clearStore
+
+set -o pipefail
+
+# https://github.com/NixOS/nix/issues/6572
+issue_6572_independent_outputs() {
+    nix build -f multiple-outputs.nix --json independent --no-link > $TEST_ROOT/independent.json
+
+    # Make sure that 'nix build' can build a derivation that depends on both outputs of another derivation.
+    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
+    nix-store --delete "$p" # Clean up for next test
+
+    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
+    nix-store --delete "$(jq -r <$TEST_ROOT/independent.json .[0].outputs.first)"
+    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
+    cmp $p <<EOF
+first
+second
+EOF
+    nix-store --delete "$p" # Clean up for next test
+
+    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
+    nix-store --delete "$(jq -r <$TEST_ROOT/independent.json .[0].outputs.second)"
+    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
+    cmp $p <<EOF
+first
+second
+EOF
+    nix-store --delete "$p" # Clean up for next test
+}
+issue_6572_independent_outputs
+
+
+# https://github.com/NixOS/nix/issues/6572
+issue_6572_dependent_outputs() {
+
+    nix build -f multiple-outputs.nix --json a --no-link > $TEST_ROOT/a.json
+
+    # # Make sure that 'nix build' can build a derivation that depends on both outputs of another derivation.
+    p=$(nix build -f multiple-outputs.nix use-a --no-link --print-out-paths)
+    nix-store --delete "$p" # Clean up for next test
+
+    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
+    nix-store --delete "$(jq -r <$TEST_ROOT/a.json .[0].outputs.second)"
+    p=$(nix build -f multiple-outputs.nix use-a --no-link --print-out-paths)
+    cmp $p <<EOF
+first
+second
+EOF
+    nix-store --delete "$p" # Clean up for next test
+}
+if isDaemonNewer "2.12pre0"; then
+    issue_6572_dependent_outputs
+fi
--- a/tests/build.sh
+++ b/tests/build.sh
@ -107,62 +107,3 @@ nix build --impure -f multiple-outputs.nix --json e --no-link | jq --exit-status
    (.drvPath | match(".*multiple-outputs-e.drv")) and
    (.outputs | keys == ["a_a", "b"]))
 '
-
-testNormalization () {
-    clearStore
-    outPath=$(nix-build ./simple.nix --no-out-link)
-    test "$(stat -c %Y $outPath)" -eq 1
-}
-
-testNormalization
-
-# https://github.com/NixOS/nix/issues/6572
-issue_6572_independent_outputs() {
-    nix build -f multiple-outputs.nix --json independent --no-link > $TEST_ROOT/independent.json
-
-    # Make sure that 'nix build' can build a derivation that depends on both outputs of another derivation.
-    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
-    nix-store --delete "$p" # Clean up for next test
-
-    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
-    nix-store --delete "$(jq -r <$TEST_ROOT/independent.json .[0].outputs.first)"
-    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
-    cmp $p <<EOF
-first
-second
-EOF
-    nix-store --delete "$p" # Clean up for next test
-
-    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
-    nix-store --delete "$(jq -r <$TEST_ROOT/independent.json .[0].outputs.second)"
-    p=$(nix build -f multiple-outputs.nix use-independent --no-link --print-out-paths)
-    cmp $p <<EOF
-first
-second
-EOF
-    nix-store --delete "$p" # Clean up for next test
-}
-issue_6572_independent_outputs
-
-
-# https://github.com/NixOS/nix/issues/6572
-issue_6572_dependent_outputs() {
-
-    nix build -f multiple-outputs.nix --json a --no-link > $TEST_ROOT/a.json
-
-    # # Make sure that 'nix build' can build a derivation that depends on both outputs of another derivation.
-    p=$(nix build -f multiple-outputs.nix use-a --no-link --print-out-paths)
-    nix-store --delete "$p" # Clean up for next test
-
-    # Make sure that 'nix build' tracks input-outputs correctly when a single output is already present.
-    nix-store --delete "$(jq -r <$TEST_ROOT/a.json .[0].outputs.second)"
-    p=$(nix build -f multiple-outputs.nix use-a --no-link --print-out-paths)
-    cmp $p <<EOF
-first
-second
-EOF
-    nix-store --delete "$p" # Clean up for next test
-}
-if isDaemonNewer "2.12pre0"; then
-    issue_6572_dependent_outputs
-fi
--- a/tests/ca/build.sh
+++ b/tests/ca/build.sh
@ -3,7 +3,7 @@
 source common.sh

 drv=$(nix-instantiate --experimental-features ca-derivations ./content-addressed.nix -A rootCA --arg seed 1)
-nix --experimental-features 'nix-command ca-derivations' show-derivation --derivation "$drv" --arg seed 1
+nix --experimental-features 'nix-command ca-derivations' show-derivation "$drv" --arg seed 1

 buildAttr () {
    local derivationPath=$1
--- a/tests/ca/new-build-cmd.sh
+++ b/tests/ca/new-build-cmd.sh
@ -0,0 +1,5 @@
+source common.sh
+
+export NIX_TESTS_CA_BY_DEFAULT=1
+cd ..
+source ./build.sh
--- a/tests/ca/recursive.sh
+++ b/tests/ca/recursive.sh
@ -7,5 +7,3 @@ requireDaemonNewerThan "2.4pre20210623"
 export NIX_TESTS_CA_BY_DEFAULT=1
 cd ..
 source ./recursive.sh
-
-
--- a/tests/common.sh.in
+++ b/tests/common.sh.in
@ -4,6 +4,8 @@ if [[ -z "$COMMON_SH_SOURCED" ]]; then

 COMMON_SH_SOURCED=1

+export PS4='+(${BASH_SOURCE[0]}:$LINENO) '
+
 export TEST_ROOT=$(realpath ${TMPDIR:-/tmp}/nix-test)/${TEST_NAME:-default}
 export NIX_STORE_DIR
 if ! NIX_STORE_DIR=$(readlink -f $TEST_ROOT/store 2> /dev/null); then
@ -27,6 +29,8 @@ export NIX_REMOTE=$NIX_REMOTE_
 unset NIX_PATH
 export TEST_HOME=$TEST_ROOT/test-home
 export HOME=$TEST_HOME
+unset XDG_STATE_HOME
+unset XDG_DATA_HOME
 unset XDG_CONFIG_HOME
 unset XDG_CONFIG_DIRS
 unset XDG_CACHE_HOME
@ -62,8 +66,8 @@ readLink() {
 }

 clearProfiles() {
-    profiles="$HOME"/.local/share/nix/profiles
-    rm -rf $profiles
+    profiles="$HOME"/.local/state/nix/profiles
+    rm -rf "$profiles"
 }

 clearStore() {
--- a/tests/fetchGitSubmodules.sh
+++ b/tests/fetchGitSubmodules.sh
@ -104,3 +104,28 @@ noSubmoduleRepoBaseline=$(nix eval --raw --expr "(builtins.fetchGit { url = file
 noSubmoduleRepo=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$subRepo; rev = \"$subRev\"; submodules = true; }).outPath")

 [[ $noSubmoduleRepoBaseline == $noSubmoduleRepo ]]
+
+# Test relative submodule URLs.
+rm $TEST_HOME/.cache/nix/fetcher-cache*
+rm -rf $rootRepo/.git $rootRepo/.gitmodules $rootRepo/sub
+initGitRepo $rootRepo
+git -C $rootRepo submodule add ../gitSubmodulesSub sub
+git -C $rootRepo commit -m "Add submodule"
+rev2=$(git -C $rootRepo rev-parse HEAD)
+pathWithRelative=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$rootRepo; rev = \"$rev2\"; submodules = true; }).outPath")
+diff -r -x .gitmodules $pathWithSubmodules $pathWithRelative
+
+# Test clones that have an upstream with relative submodule URLs.
+rm $TEST_HOME/.cache/nix/fetcher-cache*
+cloneRepo=$TEST_ROOT/a/b/gitSubmodulesClone # NB /a/b to make the relative path not work relative to $cloneRepo
+git clone $rootRepo $cloneRepo
+pathIndirect=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$cloneRepo; rev = \"$rev2\"; submodules = true; }).outPath")
+[[ $pathIndirect = $pathWithRelative ]]
+
+# Test that if the clone has the submodule already, we're not fetching
+# it again.
+git -C $cloneRepo submodule update --init
+rm $TEST_HOME/.cache/nix/fetcher-cache*
+rm -rf $subRepo
+pathSubmoduleGone=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$cloneRepo; rev = \"$rev2\"; submodules = true; }).outPath")
+[[ $pathSubmoduleGone = $pathWithRelative ]]
--- a/tests/linux-sandbox.sh
+++ b/tests/linux-sandbox.sh
@ -37,3 +37,6 @@ nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link
 (! nix-build check.nix -A nondeterministic --sandbox-paths /nix/store --no-out-link --check -K 2> $TEST_ROOT/log)
 if grep -q 'error: renaming' $TEST_ROOT/log; then false; fi
 grep -q 'may not be deterministic' $TEST_ROOT/log
+
+# Test that sandboxed builds cannot write to /etc easily
+(! nix-build -E 'with import ./config.nix; mkDerivation { name = "etc-write"; buildCommand = "echo > /etc/test"; }' --no-out-link --sandbox-paths /nix/store)
--- a/tests/local.mk
+++ b/tests/local.mk
@ -22,6 +22,7 @@ nix_tests = \
  binary-cache.sh \
  multiple-outputs.sh \
  ca/build.sh \
+  ca/new-build-cmd.sh \
  nix-build.sh \
  gc-concurrent.sh \
  repair.sh \
@ -104,6 +105,8 @@ nix_tests = \
  ssh-relay.sh \
  plugins.sh \
  build.sh \
+  build-delete.sh \
+  output-normalization.sh \
  ca/nix-run.sh \
  selfref-gc.sh ca/selfref-gc.sh \
  db-migration.sh \
--- a/tests/nix-channel.sh
+++ b/tests/nix-channel.sh
@ -12,6 +12,19 @@ nix-channel --remove xyzzy
 [ -e $TEST_HOME/.nix-channels ]
 [ "$(cat $TEST_HOME/.nix-channels)" = '' ]

+# Test the XDG Base Directories support
+
+export NIX_CONFIG="use-xdg-base-directories = true"
+
+nix-channel --add http://foo/bar xyzzy
+nix-channel --list | grep -q http://foo/bar
+nix-channel --remove xyzzy
+
+unset NIX_CONFIG
+
+[ -e $TEST_HOME/.local/state/nix/channels ]
+[ "$(cat $TEST_HOME/.local/state/nix/channels)" = '' ]
+
 # Create a channel.
 rm -rf $TEST_ROOT/foo
 mkdir -p $TEST_ROOT/foo
--- a/tests/nix-profile.sh
+++ b/tests/nix-profile.sh
@ -56,6 +56,14 @@ nix profile history
 nix profile history | grep "packages.$system.default: ∅ -> 1.0"
 nix profile diff-closures | grep 'env-manifest.nix: ε → ∅'

+# Test XDG Base Directories support
+
+export NIX_CONFIG="use-xdg-base-directories = true"
+nix profile remove 1
+nix profile install $flake1Dir
+[[ $($TEST_HOME/.local/state/nix/profile/bin/hello) = "Hello World" ]]
+unset NIX_CONFIG
+
 # Test upgrading a package.
 printf NixOS > $flake1Dir/who
 printf 2.0 > $flake1Dir/version
--- a/tests/nixos/authorization.nix
+++ b/tests/nixos/authorization.nix
@ -0,0 +1,79 @@
+{
+  name = "authorization";
+
+  nodes.machine = {
+    virtualisation.writableStore = true;
+    # TODO add a test without allowed-users setting. allowed-users is uncommon among NixOS users.
+    nix.settings.allowed-users = ["alice" "bob"];
+    nix.settings.trusted-users = ["alice"];
+
+    users.users.alice.isNormalUser = true;
+    users.users.bob.isNormalUser = true;
+    users.users.mallory.isNormalUser = true;
+
+    nix.settings.experimental-features = "nix-command";
+  };
+
+  testScript =
+  let
+    pathFour = "/nix/store/20xfy868aiic0r0flgzq4n5dq1yvmxkn-four";
+  in
+  ''
+    machine.wait_for_unit("multi-user.target")
+    machine.succeed("""
+      exec 1>&2
+      echo kSELDhobKaF8/VdxIxdP7EQe+Q > one
+      diff $(nix store add-file one) one
+    """)
+    machine.succeed("""
+      su --login alice -c '
+        set -x
+        cd ~
+        echo ehHtmfuULXYyBV6NBk6QUi8iE0 > two
+        ls
+        diff $(echo $(nix store add-file two)) two' 1>&2
+    """)
+    machine.succeed("""
+      su --login bob -c '
+        set -x
+        cd ~
+        echo 0Jw8RNp7cK0W2AdNbcquofcOVk > three
+        diff $(nix store add-file three) three
+      ' 1>&2
+    """)
+
+    # We're going to check that a path is not created
+    machine.succeed("""
+      ! [[ -e ${pathFour} ]]
+    """)
+    machine.succeed("""
+      su --login mallory -c '
+        set -x
+        cd ~
+        echo 5mgtDj0ohrWkT50TLR0f4tIIxY > four;
+        (! nix store add-file four 2>&1) | grep -F "cannot open connection to remote store"
+        (! nix store add-file four 2>&1) | grep -F "Connection reset by peer"
+        ! [[ -e ${pathFour} ]]
+      ' 1>&2
+    """)
+
+    # Check that the file _can_ be added, and matches the expected path we were checking
+    machine.succeed("""
+      exec 1>&2
+      echo 5mgtDj0ohrWkT50TLR0f4tIIxY > four
+      four="$(nix store add-file four)"
+      diff $four four
+      diff <(echo $four) <(echo ${pathFour})
+    """)
+
+    machine.succeed("""
+      su --login alice -c 'nix-store --verify --repair'
+    """)
+
+    machine.succeed("""
+      set -x
+      su --login bob -c '(! nix-store --verify --repair 2>&1)' | tee diag 1>&2
+      grep -F "you are not privileged to repair paths" diag
+    """)
+  '';
+}
--- a/tests/nixos/containers/systemd-nspawn.nix
+++ b/tests/nixos/containers/systemd-nspawn.nix
@ -56,12 +56,12 @@ runCommand "test"
    # Make /run a tmpfs to shut up a systemd warning.
    mkdir /run
    mount -t tmpfs none /run
-    chmod 0700 /run

    mount -t cgroup2 none /sys/fs/cgroup

    mkdir -p $out

+    chmod +w /etc
    touch /etc/os-release
    echo a5ea3f98dedc0278b6f3cc8c37eeaeac > /etc/machine-id

--- a/tests/nixos/remote-builds.nix
+++ b/tests/nixos/remote-builds.nix
@ -11,6 +11,11 @@ let
    { services.openssh.enable = true;
      virtualisation.writableStore = true;
      nix.settings.sandbox = true;
+
+      # Regression test for use of PID namespaces when /proc has
+      # filesystems mounted on top of it
+      # (i.e. /proc/sys/fs/binfmt_misc).
+      boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
    };

  # Trivial Nix expression to build remotely.
--- a/tests/output-normalization.sh
+++ b/tests/output-normalization.sh
@ -0,0 +1,9 @@
+source common.sh
+
+testNormalization () {
+    clearStore
+    outPath=$(nix-build ./simple.nix --no-out-link)
+    test "$(stat -c %Y $outPath)" -eq 1
+}
+
+testNormalization