Merge remote-tracking branch 'upstream/master' into source-path

12 files changed, 326 insertions, 72 deletions

diff --git a/src/nix/daemon.cc b/src/nix/daemon.cc
index 7e4a7ba86..7ae7b4ea6 100644
--- a/src/nix/daemon.cc
+++ b/src/nix/daemon.cc
@@ -1,3 +1,5 @@
+///@file
+
 #include "command.hh"
 #include "shared.hh"
 #include "local-store.hh"
@@ -34,6 +36,19 @@
 using namespace nix;
 using namespace nix::daemon;
 
+/**
+ * Settings related to authenticating clients for the Nix daemon.
+ *
+ * For pipes we have little good information about the client side, but
+ * for Unix domain sockets we do. So currently these options implemented
+ * mandatory access control based on user names and group names (looked
+ * up and translated to UID/GIDs in the CLI process that runs the code
+ * in this file).
+ *
+ * No code outside of this file knows about these settings (this is not
+ * exposed in a header); all authentication and authorization happens in
+ * `daemon.cc`.
+ */
 struct AuthorizationSettings : Config {
 
     Setting<Strings> trustedUsers{
@@ -54,7 +69,9 @@ struct AuthorizationSettings : Config {
           > directories that are otherwise inacessible to them.
         )"};
 
-    /* ?Who we trust to use the daemon in safe ways */
+    /**
+     * Who we trust to use the daemon in safe ways
+     */
     Setting<Strings> allowedUsers{
         this, {"*"}, "allowed-users",
         R"(
@@ -112,8 +129,36 @@ static void setSigChldAction(bool autoReap)
         throw SysError("setting SIGCHLD handler");
 }
 
+/**
+ * @return Is the given user a member of this group?
+ *
+ * @param user User specified by username.
+ *
+ * @param group Group the user might be a member of.
+ */
+static bool matchUser(std::string_view user, const struct group & gr)
+{
+    for (char * * mem = gr.gr_mem; *mem; mem++)
+        if (user == std::string_view(*mem)) return true;
+    return false;
+}
+
 
-bool matchUser(const std::string & user, const std::string & group, const Strings & users)
+/**
+ * Does the given user (specified by user name and primary group name)
+ * match the given user/group whitelist?
+ *
+ * If the list allows all users: Yes.
+ *
+ * If the username is in the set: Yes.
+ *
+ * If the groupname is in the set: Yes.
+ *
+ * If the user is in another group which is in the set: yes.
+ *
+ * Otherwise: No.
+ */
+static bool matchUser(const std::string & user, const std::string & group, const Strings & users)
 {
     if (find(users.begin(), users.end(), "*") != users.end())
         return true;
@@ -126,8 +171,7 @@ bool matchUser(const std::string & user, const std::string & group, const String
             if (group == i.substr(1)) return true;
             struct group * gr = getgrnam(i.c_str() + 1);
             if (!gr) continue;
-            for (char * * mem = gr->gr_mem; *mem; mem++)
-                if (user == std::string(*mem)) return true;
+            if (matchUser(user, *gr)) return true;
         }
 
     return false;
@@ -145,7 +189,9 @@ struct PeerInfo
 };
 
 
-//  Get the identity of the caller, if possible.
+/**
+ * Get the identity of the caller, if possible.
+ */
 static PeerInfo getPeerInfo(int remote)
 {
     PeerInfo peer = { false, 0, false, 0, false, 0 };
@@ -179,6 +225,9 @@ static PeerInfo getPeerInfo(int remote)
 #define SD_LISTEN_FDS_START 3
 
 
+/**
+ * Open a store without a path info cache.
+ */
 static ref<Store> openUncachedStore()
 {
     Store::Params params; // FIXME: get params from somewhere
@@ -187,7 +236,44 @@ static ref<Store> openUncachedStore()
     return openStore(settings.storeUri, params);
 }
 
+/**
+ * Authenticate a potential client
+ *
+ * @param peer Information about other end of the connection, the client which
+ * wants to communicate with us.
+ *
+ * @return A pair of a `TrustedFlag`, whether the potential client is trusted,
+ * and the name of the user (useful for printing messages).
+ *
+ * If the potential client is not allowed to talk to us, we throw an `Error`.
+ */
+static std::pair<TrustedFlag, std::string> authPeer(const PeerInfo & peer)
+{
+    TrustedFlag trusted = NotTrusted;
+
+    struct passwd * pw = peer.uidKnown ? getpwuid(peer.uid) : 0;
+    std::string user = pw ? pw->pw_name : std::to_string(peer.uid);
+
+    struct group * gr = peer.gidKnown ? getgrgid(peer.gid) : 0;
+    std::string group = gr ? gr->gr_name : std::to_string(peer.gid);
+
+    const Strings & trustedUsers = authorizationSettings.trustedUsers;
+    const Strings & allowedUsers = authorizationSettings.allowedUsers;
+
+    if (matchUser(user, group, trustedUsers))
+        trusted = Trusted;
+
+    if ((!trusted && !matchUser(user, group, allowedUsers)) || group == settings.buildUsersGroup)
+        throw Error("user '%1%' is not allowed to connect to the Nix daemon", user);
+
+    return { trusted, std::move(user) };
+}
+
 
+/**
+ * Run a server. The loop opens a socket and accepts new connections from that
+ * socket.
+ */
 static void daemonLoop()
 {
     if (chdir("/") == -1)
@@ -231,23 +317,9 @@ static void daemonLoop()
 
             closeOnExec(remote.get());
 
-            TrustedFlag trusted = NotTrusted;
             PeerInfo peer = getPeerInfo(remote.get());
-
-            struct passwd * pw = peer.uidKnown ? getpwuid(peer.uid) : 0;
-            std::string user = pw ? pw->pw_name : std::to_string(peer.uid);
-
-            struct group * gr = peer.gidKnown ? getgrgid(peer.gid) : 0;
-            std::string group = gr ? gr->gr_name : std::to_string(peer.gid);
-
-            Strings trustedUsers = authorizationSettings.trustedUsers;
-            Strings allowedUsers = authorizationSettings.allowedUsers;
-
-            if (matchUser(user, group, trustedUsers))
-                trusted = Trusted;
-
-            if ((!trusted && !matchUser(user, group, allowedUsers)) || group == settings.buildUsersGroup)
-                throw Error("user '%1%' is not allowed to connect to the Nix daemon", user);
+            auto [_trusted, user] = authPeer(peer);
+            auto trusted = _trusted;
 
             printInfo((std::string) "accepted connection from pid %1%, user %2%" + (trusted ? " (trusted)" : ""),
                 peer.pidKnown ? std::to_string(peer.pid) : "<unknown>",
@@ -294,45 +366,74 @@ static void daemonLoop()
     }
 }
 
+/**
+ * Forward a standard IO connection to the given remote store.
+ *
+ * We just act as a middleman blindly ferry output between the standard
+ * input/output and the remote store connection, not processing anything.
+ *
+ * Loops until standard input disconnects, or an error is encountered.
+ */
+static void forwardStdioConnection(RemoteStore & store) {
+    auto conn = store.openConnectionWrapper();
+    int from = conn->from.fd;
+    int to = conn->to.fd;
+
+    auto nfds = std::max(from, STDIN_FILENO) + 1;
+    while (true) {
+        fd_set fds;
+        FD_ZERO(&fds);
+        FD_SET(from, &fds);
+        FD_SET(STDIN_FILENO, &fds);
+        if (select(nfds, &fds, nullptr, nullptr, nullptr) == -1)
+            throw SysError("waiting for data from client or server");
+        if (FD_ISSET(from, &fds)) {
+            auto res = splice(from, nullptr, STDOUT_FILENO, nullptr, SSIZE_MAX, SPLICE_F_MOVE);
+            if (res == -1)
+                throw SysError("splicing data from daemon socket to stdout");
+            else if (res == 0)
+                throw EndOfFile("unexpected EOF from daemon socket");
+        }
+        if (FD_ISSET(STDIN_FILENO, &fds)) {
+            auto res = splice(STDIN_FILENO, nullptr, to, nullptr, SSIZE_MAX, SPLICE_F_MOVE);
+            if (res == -1)
+                throw SysError("splicing data from stdin to daemon socket");
+            else if (res == 0)
+                return;
+        }
+    }
+}
+
+/**
+ * Process a client connecting to us via standard input/output
+ *
+ * Unlike `forwardStdioConnection()` we do process commands ourselves in
+ * this case, not delegating to another daemon.
+ *
+ * @note `Trusted` is unconditionally passed because in this mode we
+ * blindly trust the standard streams. Limiting access to those is
+ * explicitly not `nix-daemon`'s responsibility.
+ */
+static void processStdioConnection(ref<Store> store)
+{
+    FdSource from(STDIN_FILENO);
+    FdSink to(STDOUT_FILENO);
+    processConnection(store, from, to, Trusted, NotRecursive);
+}
+
+/**
+ * Entry point shared between the new CLI `nix daemon` and old CLI
+ * `nix-daemon`.
+ */
 static void runDaemon(bool stdio)
 {
     if (stdio) {
-        if (auto store = openUncachedStore().dynamic_pointer_cast<RemoteStore>()) {
-            auto conn = store->openConnectionWrapper();
-            int from = conn->from.fd;
-            int to = conn->to.fd;
-
-            auto nfds = std::max(from, STDIN_FILENO) + 1;
-            while (true) {
-                fd_set fds;
-                FD_ZERO(&fds);
-                FD_SET(from, &fds);
-                FD_SET(STDIN_FILENO, &fds);
-                if (select(nfds, &fds, nullptr, nullptr, nullptr) == -1)
-                    throw SysError("waiting for data from client or server");
-                if (FD_ISSET(from, &fds)) {
-                    auto res = splice(from, nullptr, STDOUT_FILENO, nullptr, SSIZE_MAX, SPLICE_F_MOVE);
-                    if (res == -1)
-                        throw SysError("splicing data from daemon socket to stdout");
-                    else if (res == 0)
-                        throw EndOfFile("unexpected EOF from daemon socket");
-                }
-                if (FD_ISSET(STDIN_FILENO, &fds)) {
-                    auto res = splice(STDIN_FILENO, nullptr, to, nullptr, SSIZE_MAX, SPLICE_F_MOVE);
-                    if (res == -1)
-                        throw SysError("splicing data from stdin to daemon socket");
-                    else if (res == 0)
-                        return;
-                }
-            }
-        } else {
-            FdSource from(STDIN_FILENO);
-            FdSink to(STDOUT_FILENO);
-            /* Auth hook is empty because in this mode we blindly trust the
-               standard streams. Limiting access to those is explicitly
-               not `nix-daemon`'s responsibility. */
-            processConnection(openUncachedStore(), from, to, Trusted, NotRecursive);
-        }
+        auto store = openUncachedStore();
+
+        if (auto remoteStore = store.dynamic_pointer_cast<RemoteStore>())
+            forwardStdioConnection(*remoteStore);
+        else
+            processStdioConnection(store);
     } else
         daemonLoop();
 }
diff --git a/src/nix/derivation-add.cc b/src/nix/derivation-add.cc
new file mode 100644
index 000000000..4d91d4538
--- /dev/null
+++ b/src/nix/derivation-add.cc
@@ -0,0 +1,45 @@
+// FIXME: rename to 'nix plan add' or 'nix derivation add'?
+
+#include "command.hh"
+#include "common-args.hh"
+#include "store-api.hh"
+#include "archive.hh"
+#include "derivations.hh"
+#include <nlohmann/json.hpp>
+
+using namespace nix;
+using json = nlohmann::json;
+
+struct CmdAddDerivation : MixDryRun, StoreCommand
+{
+    std::string description() override
+    {
+        return "Add a store derivation";
+    }
+
+    std::string doc() override
+    {
+        return
+          #include "derivation-add.md"
+          ;
+    }
+
+    Category category() override { return catUtility; }
+
+    void run(ref<Store> store) override
+    {
+        auto json = nlohmann::json::parse(drainFD(STDIN_FILENO));
+
+        auto drv = Derivation::fromJSON(*store, json);
+
+        auto drvPath = writeDerivation(*store, drv, NoRepair, /* read only */ dryRun);
+
+        drv.checkInvariants(*store, drvPath);
+
+        writeDerivation(*store, drv, NoRepair, dryRun);
+
+        logger->cout("%s", store->printStorePath(drvPath));
+    }
+};
+
+static auto rCmdAddDerivation = registerCommand2<CmdAddDerivation>({"derivation", "add"});
diff --git a/src/nix/derivation-add.md b/src/nix/derivation-add.md
new file mode 100644
index 000000000..f116681ab
--- /dev/null
+++ b/src/nix/derivation-add.md
@@ -0,0 +1,18 @@
+R""(
+
+# Description
+
+This command reads from standard input a JSON representation of a
+[store derivation] to which an [*installable*](./nix.md#installables) evaluates.
+
+Store derivations are used internally by Nix. They are store paths with
+extension `.drv` that represent the build-time dependency graph to which
+a Nix expression evaluates.
+
+[store derivation]: ../../glossary.md#gloss-store-derivation
+
+The JSON format is documented under the [`derivation show`] command.
+
+[`derivation show`]: ./nix3-derivation-show.md
+
+)""
diff --git a/src/nix/show-derivation.cc b/src/nix/derivation-show.cc
index 4a406ae08..bf637246d 100644
--- a/src/nix/show-derivation.cc
+++ b/src/nix/derivation-show.cc
@@ -1,5 +1,5 @@
 // FIXME: integrate this with nix path-info?
-// FIXME: rename to 'nix store show-derivation' or 'nix debug show-derivation'?
+// FIXME: rename to 'nix store derivation show' or 'nix debug derivation show'?
 
 #include "command.hh"
 #include "common-args.hh"
@@ -33,7 +33,7 @@ struct CmdShowDerivation : InstallablesCommand
     std::string doc() override
     {
         return
-          #include "show-derivation.md"
+          #include "derivation-show.md"
           ;
     }
 
@@ -61,4 +61,4 @@ struct CmdShowDerivation : InstallablesCommand
     }
 };
 
-static auto rCmdShowDerivation = registerCommand<CmdShowDerivation>("show-derivation");
+static auto rCmdShowDerivation = registerCommand2<CmdShowDerivation>({"derivation", "show"});
diff --git a/src/nix/show-derivation.md b/src/nix/derivation-show.md
index 1d37c6f5a..1296e2885 100644
--- a/src/nix/show-derivation.md
+++ b/src/nix/derivation-show.md
@@ -8,7 +8,7 @@ R""(
   [store derivation]: ../../glossary.md#gloss-store-derivation
 
   ```console
-  # nix show-derivation nixpkgs#hello
+  # nix derivation show nixpkgs#hello
   {
     "/nix/store/s6rn4jz1sin56rf4qj5b5v8jxjm32hlk-hello-2.10.drv": {
       …
@@ -20,14 +20,14 @@ R""(
   NixOS system:
 
   ```console
-  # nix show-derivation -r /run/current-system
+  # nix derivation show -r /run/current-system
   ```
 
 * Print all files fetched using `fetchurl` by Firefox's dependency
   graph:
 
   ```console
-  # nix show-derivation -r nixpkgs#firefox \
+  # nix derivation show -r nixpkgs#firefox \
     | jq -r '.[] | select(.outputs.out.hash and .env.urls) | .env.urls' \
     | uniq | sort
   ```
@@ -39,10 +39,11 @@ R""(
 # Description
 
 This command prints on standard output a JSON representation of the
-[store derivation]s to which [*installables*](./nix.md#installables) evaluate. Store derivations
-are used internally by Nix. They are store paths with extension `.drv`
-that represent the build-time dependency graph to which a Nix
-expression evaluates.
+[store derivation]s to which [*installables*](./nix.md#installables) evaluate.
+
+Store derivations are used internally by Nix. They are store paths with
+extension `.drv` that represent the build-time dependency graph to which
+a Nix expression evaluates.
 
 By default, this command only shows top-level derivations, but with
 `--recursive`, it also shows their dependencies.
@@ -51,6 +52,9 @@ The JSON output is a JSON object whose keys are the store paths of the
 derivations, and whose values are a JSON object with the following
 fields:
 
+* `name`: The name of the derivation. This is used when calculating the
+  store paths of the derivation's outputs.
+
 * `outputs`: Information about the output paths of the
   derivation. This is a JSON object with one member per output, where
   the key is the output name and the value is a JSON object with these
diff --git a/src/nix/derivation.cc b/src/nix/derivation.cc
new file mode 100644
index 000000000..cd3975a4f
--- /dev/null
+++ b/src/nix/derivation.cc
@@ -0,0 +1,25 @@
+#include "command.hh"
+
+using namespace nix;
+
+struct CmdDerivation : virtual NixMultiCommand
+{
+    CmdDerivation() : MultiCommand(RegisterCommand::getCommandsFor({"derivation"}))
+    { }
+
+    std::string description() override
+    {
+        return "Work with derivations, Nix's notion of a build plan.";
+    }
+
+    Category category() override { return catUtility; }
+
+    void run() override
+    {
+        if (!command)
+            throw UsageError("'nix derivation' requires a sub-command.");
+        command->second->run();
+    }
+};
+
+static auto rCmdDerivation = registerCommand<CmdDerivation>("derivation");
diff --git a/src/nix/doctor.cc b/src/nix/doctor.cc
index 7da4549a1..1aa6831d3 100644
--- a/src/nix/doctor.cc
+++ b/src/nix/doctor.cc
@@ -33,12 +33,24 @@ bool checkFail(const std::string & msg) {
     return false;
 }
 
+void checkInfo(const std::string & msg) {
+    notice(ANSI_BLUE "[INFO] " ANSI_NORMAL + msg);
+}
+
 }
 
 struct CmdDoctor : StoreCommand
 {
     bool success = true;
 
+    /**
+     * This command is stable before the others
+     */
+    std::optional<ExperimentalFeature> experimentalFeature() override
+    {
+        return std::nullopt;
+    }
+
     std::string description() override
     {
         return "check your system for potential problems and print a PASS or FAIL for each check";
@@ -55,6 +67,7 @@ struct CmdDoctor : StoreCommand
             success &= checkProfileRoots(store);
         }
         success &= checkStoreProtocol(store->getProtocol());
+        checkTrustedUser(store);
 
         if (!success)
             throw Exit(2);
@@ -130,6 +143,14 @@ struct CmdDoctor : StoreCommand
 
         return checkPass("Client protocol matches store protocol.");
     }
+
+    void checkTrustedUser(ref<Store> store)
+    {
+        std::string_view trusted = store->isTrustedClient()
+            ? "trusted"
+            : "not trusted";
+        checkInfo(fmt("You are %s by store uri: %s", trusted, store->getUri()));
+    }
 };
 
 static auto rCmdDoctor = registerCommand<CmdDoctor>("doctor");
diff --git a/src/nix/main.cc b/src/nix/main.cc
index df0a25214..ce0bed2a3 100644
--- a/src/nix/main.cc
+++ b/src/nix/main.cc
@@ -83,6 +83,7 @@ struct NixArgs : virtual MultiCommand, virtual MixCommonArgs
             .description = "Print full build logs on standard error.",
             .category = loggingCategory,
             .handler = {[&]() { logger->setPrintBuildLogs(true); }},
+            .experimentalFeature = Xp::NixCommand,
         });
 
         addFlag({
@@ -98,6 +99,7 @@ struct NixArgs : virtual MultiCommand, virtual MixCommonArgs
             .description = "Disable substituters and consider all previously downloaded files up-to-date.",
             .category = miscCategory,
             .handler = {[&]() { useNet = false; }},
+            .experimentalFeature = Xp::NixCommand,
         });
 
         addFlag({
@@ -105,6 +107,7 @@ struct NixArgs : virtual MultiCommand, virtual MixCommonArgs
             .description = "Consider all previously downloaded files out-of-date.",
             .category = miscCategory,
             .handler = {[&]() { refresh = true; }},
+            .experimentalFeature = Xp::NixCommand,
         });
     }
 
@@ -124,6 +127,7 @@ struct NixArgs : virtual MultiCommand, virtual MixCommonArgs
         {"optimise-store", {"store", "optimise"}},
         {"ping-store", {"store", "ping"}},
         {"sign-paths", {"store", "sign"}},
+        {"show-derivation", {"derivation", "show"}},
         {"to-base16", {"hash", "to-base16"}},
         {"to-base32", {"hash", "to-base32"}},
         {"to-base64", {"hash", "to-base64"}},
@@ -371,6 +375,11 @@ void mainWrapped(int argc, char * * argv)
         return;
     }
 
+    if (argc == 2 && std::string(argv[1]) == "__dump-xp-features") {
+        logger->cout(documentExperimentalFeatures().dump());
+        return;
+    }
+
     Finally printCompletions([&]()
     {
         if (completions) {
@@ -420,10 +429,8 @@ void mainWrapped(int argc, char * * argv)
     if (!args.command)
         throw UsageError("no subcommand specified");
 
-    if (args.command->first != "repl"
-        && args.command->first != "doctor"
-        && args.command->first != "upgrade-nix")
-        experimentalFeatureSettings.require(Xp::NixCommand);
+    experimentalFeatureSettings.require(
+        args.command->second->experimentalFeature());
 
     if (args.useNet && !haveInternet()) {
         warn("you don't have Internet access; disabling some network-dependent features");
diff --git a/src/nix/nix.md b/src/nix/nix.md
index e1865b31c..1ef6c7fcd 100644
--- a/src/nix/nix.md
+++ b/src/nix/nix.md
@@ -48,12 +48,17 @@ manual](https://nixos.org/manual/nix/stable/).
 
 # Installables
 
+> **Warning** \
+> Installables are part of the unstable
+> [`nix-command` experimental feature](@docroot@/contributing/experimental-features.md#xp-feature-nix-command),
+> and subject to change without notice.
+
 Many `nix` subcommands operate on one or more *installables*.
 These are command line arguments that represent something that can be realised in the Nix store.
 
 The following types of installable are supported by most commands:
 
-- [Flake output attribute](#flake-output-attribute)
+- [Flake output attribute](#flake-output-attribute) (experimental)
 - [Store path](#store-path)
 - [Nix file](#nix-file), optionally qualified by an attribute path
 - [Nix expression](#nix-expression), optionally qualified by an attribute path
@@ -63,6 +68,13 @@ That is, Nix will operate on the default flake output attribute of the flake in
 
 ### Flake output attribute
 
+> **Warning** \
+> Flake output attribute installables depend on both the
+> [`flakes`](@docroot@/contributing/experimental-features.md#xp-feature-flakes)
+> and
+> [`nix-command`](@docroot@/contributing/experimental-features.md#xp-feature-nix-command)
+> experimental features, and subject to change without notice.
+
 Example: `nixpkgs#hello`
 
 These have the form *flakeref*[`#`*attrpath*], where *flakeref* is a
diff --git a/src/nix/ping-store.cc b/src/nix/ping-store.cc
index 5c44510ab..ec450e8e0 100644
--- a/src/nix/ping-store.cc
+++ b/src/nix/ping-store.cc
@@ -28,15 +28,20 @@ struct CmdPingStore : StoreCommand, MixJSON
             store->connect();
             if (auto version = store->getVersion())
                 notice("Version: %s", *version);
+            if (auto trusted = store->isTrustedClient())
+                notice("Trusted: %s", *trusted);
         } else {
             nlohmann::json res;
             Finally printRes([&]() {
                 logger->cout("%s", res);
             });
+
             res["url"] = store->getUri();
             store->connect();
             if (auto version = store->getVersion())
                 res["version"] = *version;
+            if (auto trusted = store->isTrustedClient())
+                res["trusted"] = *trusted;
         }
     }
 };
diff --git a/src/nix/repl.cc b/src/nix/repl.cc
index 7aa8774e9..bb14f3f99 100644
--- a/src/nix/repl.cc
+++ b/src/nix/repl.cc
@@ -12,6 +12,14 @@ struct CmdRepl : RawInstallablesCommand
         evalSettings.pureEval = false;
     }
 
+    /**
+     * This command is stable before the others
+     */
+    std::optional<ExperimentalFeature> experimentalFeature() override
+    {
+        return std::nullopt;
+    }
+
     std::vector<std::string> files;
 
     Strings getDefaultFlakeAttrPaths() override
diff --git a/src/nix/upgrade-nix.cc b/src/nix/upgrade-nix.cc
index 9185ba407..3997c98bf 100644
--- a/src/nix/upgrade-nix.cc
+++ b/src/nix/upgrade-nix.cc
@@ -32,6 +32,14 @@ struct CmdUpgradeNix : MixDryRun, StoreCommand
         });
     }
 
+    /**
+     * This command is stable before the others
+     */
+    std::optional<ExperimentalFeature> experimentalFeature() override
+    {
+        return std::nullopt;
+    }
+
     std::string description() override
     {
         return "upgrade Nix to the stable version declared in Nixpkgs";