aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/libexpr/primops/flake.cc2
-rw-r--r--src/nix/installables.cc7
-rw-r--r--tests/fetchGit.sh38
-rw-r--r--tests/fetchMercurial.sh24
-rw-r--r--tests/pure-eval.sh4
-rw-r--r--tests/restricted.sh16
6 files changed, 49 insertions, 42 deletions
diff --git a/src/libexpr/primops/flake.cc b/src/libexpr/primops/flake.cc
index f068569a6..7cfb2038c 100644
--- a/src/libexpr/primops/flake.cc
+++ b/src/libexpr/primops/flake.cc
@@ -289,7 +289,7 @@ static std::tuple<FlakeId, std::map<FlakeId, Flake>> resolveFlake(EvalState & st
#if 0
if (evalSettings.pureEval && !flakeRef.isImmutable() && (!toplevel || !impureTopRef))
- throw Error("mutable flake '%s' is not allowed in pure mode; use --no-pure-eval to disable", flakeRef.to_string());
+ throw Error("mutable flake '%s' is not allowed in pure mode; use --impure to disable", flakeRef.to_string());
#endif
auto flake = getFlake(state, flakeRef);
diff --git a/src/nix/installables.cc b/src/nix/installables.cc
index 6d3969e95..631a849cd 100644
--- a/src/nix/installables.cc
+++ b/src/nix/installables.cc
@@ -21,6 +21,13 @@ SourceExprCommand::SourceExprCommand()
.label("file")
.description("evaluate a set of attributes from FILE (deprecated)")
.dest(&file);
+
+ mkFlag()
+ .longName("impure")
+ .description("allow access to mutable paths and repositories")
+ .handler([&](std::vector<std::string> ss) {
+ evalSettings.pureEval = false;
+ });
}
ref<EvalState> SourceExprCommand::getEvalState()
diff --git a/tests/fetchGit.sh b/tests/fetchGit.sh
index 301bf3022..51fd49e9f 100644
--- a/tests/fetchGit.sh
+++ b/tests/fetchGit.sh
@@ -26,11 +26,11 @@ git -C $repo commit -m 'Bla2' -a
rev2=$(git -C $repo rev-parse HEAD)
# Fetch the default branch.
-path=$(nix eval --no-pure-eval --raw "(builtins.fetchGit file://$repo).outPath")
+path=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
[[ $(cat $path/hello) = world ]]
# In pure eval mode, fetchGit without a revision should fail.
-[[ $(nix eval --no-pure-eval --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))") = world ]]
+[[ $(nix eval --impure --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))") = world ]]
(! nix eval --raw "(builtins.readFile (fetchGit file://$repo + \"/hello\"))")
# Fetch using an explicit revision hash.
@@ -42,14 +42,14 @@ path2=$(nix eval --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"
# Fetch again. This should be cached.
mv $repo ${repo}-tmp
-path2=$(nix eval --no-pure-eval --raw "(builtins.fetchGit file://$repo).outPath")
+path2=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
[[ $path = $path2 ]]
-[[ $(nix eval --no-pure-eval "(builtins.fetchGit file://$repo).revCount") = 2 ]]
-[[ $(nix eval --no-pure-eval --raw "(builtins.fetchGit file://$repo).rev") = $rev2 ]]
+[[ $(nix eval --impure "(builtins.fetchGit file://$repo).revCount") = 2 ]]
+[[ $(nix eval --impure --raw "(builtins.fetchGit file://$repo).rev") = $rev2 ]]
# But with TTL 0, it should fail.
-(! nix eval --no-pure-eval --tarball-ttl 0 "(builtins.fetchGit file://$repo)" -vvvvv)
+(! nix eval --impure --tarball-ttl 0 "(builtins.fetchGit file://$repo)" -vvvvv)
# Fetching with a explicit hash should succeed.
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchGit { url = file://$repo; rev = \"$rev2\"; }).outPath")
@@ -61,7 +61,7 @@ path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchGit { url = file://$repo;
mv ${repo}-tmp $repo
# Using a clean working tree should produce the same result.
-path2=$(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).outPath")
+path2=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
[[ $path = $path2 ]]
# Using an unclean tree should yield the tracked but uncommitted changes.
@@ -72,17 +72,17 @@ echo bar > $repo/dir2/bar
git -C $repo add dir1/foo
git -C $repo rm hello
-path2=$(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).outPath")
+path2=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
[ ! -e $path2/hello ]
[ ! -e $path2/bar ]
[ ! -e $path2/dir2/bar ]
[ ! -e $path2/.git ]
[[ $(cat $path2/dir1/foo) = foo ]]
-[[ $(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
+[[ $(nix eval --impure --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
# ... unless we're using an explicit ref or rev.
-path3=$(nix eval --no-pure-eval --raw "(builtins.fetchGit { url = $repo; ref = \"master\"; }).outPath")
+path3=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"master\"; }).outPath")
[[ $path = $path3 ]]
path3=$(nix eval --raw "(builtins.fetchGit { url = $repo; rev = \"$rev2\"; }).outPath")
@@ -91,7 +91,7 @@ path3=$(nix eval --raw "(builtins.fetchGit { url = $repo; rev = \"$rev2\"; }).ou
# Committing should not affect the store path.
git -C $repo commit -m 'Bla3' -a
-path4=$(nix eval --no-pure-eval --tarball-ttl 0 --raw "(builtins.fetchGit file://$repo).outPath")
+path4=$(nix eval --impure --tarball-ttl 0 --raw "(builtins.fetchGit file://$repo).outPath")
[[ $path2 = $path4 ]]
# tarball-ttl should be ignored if we specify a rev
@@ -102,29 +102,29 @@ rev3=$(git -C $repo rev-parse HEAD)
nix eval --tarball-ttl 3600 "(builtins.fetchGit { url = $repo; rev = \"$rev3\"; })" >/dev/null
# Update 'path' to reflect latest master
-path=$(nix eval --no-pure-eval --raw "(builtins.fetchGit file://$repo).outPath")
+path=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
# Check behavior when non-master branch is used
git -C $repo checkout $rev2 -b dev
echo dev > $repo/hello
# File URI uses 'master' unless specified otherwise
-path2=$(nix eval --no-pure-eval --raw "(builtins.fetchGit file://$repo).outPath")
+path2=$(nix eval --impure --raw "(builtins.fetchGit file://$repo).outPath")
[[ $path = $path2 ]]
# Using local path with branch other than 'master' should work when clean or dirty
-path3=$(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).outPath")
+path3=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
# (check dirty-tree handling was used)
-[[ $(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
+[[ $(nix eval --impure --raw "(builtins.fetchGit $repo).rev") = 0000000000000000000000000000000000000000 ]]
# Committing shouldn't change store path, or switch to using 'master'
git -C $repo commit -m 'Bla5' -a
-path4=$(nix eval --no-pure-eval --raw "(builtins.fetchGit $repo).outPath")
+path4=$(nix eval --impure --raw "(builtins.fetchGit $repo).outPath")
[[ $(cat $path4/hello) = dev ]]
[[ $path3 = $path4 ]]
# Confirm same as 'dev' branch
-path5=$(nix eval --no-pure-eval --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
+path5=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
[[ $path3 = $path5 ]]
@@ -134,8 +134,8 @@ rm -rf $TEST_HOME/.cache/nix/gitv2
# Try again, but without 'git' on PATH
NIX=$(command -v nix)
# This should fail
-(! PATH= $NIX eval --no-pure-eval --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath" )
+(! PATH= $NIX eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath" )
# Try again, with 'git' available. This should work.
-path5=$(nix eval --no-pure-eval --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
+path5=$(nix eval --impure --raw "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
[[ $path3 = $path5 ]]
diff --git a/tests/fetchMercurial.sh b/tests/fetchMercurial.sh
index d0735a381..a0f792612 100644
--- a/tests/fetchMercurial.sh
+++ b/tests/fetchMercurial.sh
@@ -26,15 +26,15 @@ hg commit --cwd $repo -m 'Bla2'
rev2=$(hg log --cwd $repo -r tip --template '{node}')
# Fetch the default branch.
-path=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial file://$repo).outPath")
+path=$(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).outPath")
[[ $(cat $path/hello) = world ]]
# In pure eval mode, fetchGit without a revision should fail.
-[[ $(nix eval --no-pure-eval --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") = world ]]
+[[ $(nix eval --impure --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") = world ]]
(! nix eval --raw "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))")
# Fetch using an explicit revision hash.
-path2=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
+path2=$(nix eval --impure --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
[[ $path = $path2 ]]
# In pure eval mode, fetchGit with a revision should succeed.
@@ -42,15 +42,15 @@ path2=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial { url = file://$
# Fetch again. This should be cached.
mv $repo ${repo}-tmp
-path2=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial file://$repo).outPath")
+path2=$(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).outPath")
[[ $path = $path2 ]]
-[[ $(nix eval --no-pure-eval --raw "(builtins.fetchMercurial file://$repo).branch") = default ]]
-[[ $(nix eval --no-pure-eval "(builtins.fetchMercurial file://$repo).revCount") = 1 ]]
-[[ $(nix eval --no-pure-eval --raw "(builtins.fetchMercurial file://$repo).rev") = $rev2 ]]
+[[ $(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).branch") = default ]]
+[[ $(nix eval --impure "(builtins.fetchMercurial file://$repo).revCount") = 1 ]]
+[[ $(nix eval --impure --raw "(builtins.fetchMercurial file://$repo).rev") = $rev2 ]]
# But with TTL 0, it should fail.
-(! nix eval --no-pure-eval --tarball-ttl 0 "(builtins.fetchMercurial file://$repo)")
+(! nix eval --impure --tarball-ttl 0 "(builtins.fetchMercurial file://$repo)")
# Fetching with a explicit hash should succeed.
path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
@@ -62,7 +62,7 @@ path2=$(nix eval --tarball-ttl 0 --raw "(builtins.fetchMercurial { url = file://
mv ${repo}-tmp $repo
# Using a clean working tree should produce the same result.
-path2=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial $repo).outPath")
+path2=$(nix eval --impure --raw "(builtins.fetchMercurial $repo).outPath")
[[ $path = $path2 ]]
# Using an unclean tree should yield the tracked but uncommitted changes.
@@ -73,14 +73,14 @@ echo bar > $repo/dir2/bar
hg add --cwd $repo dir1/foo
hg rm --cwd $repo hello
-path2=$(nix eval --no-pure-eval --raw "(builtins.fetchMercurial $repo).outPath")
+path2=$(nix eval --impure --raw "(builtins.fetchMercurial $repo).outPath")
[ ! -e $path2/hello ]
[ ! -e $path2/bar ]
[ ! -e $path2/dir2/bar ]
[ ! -e $path2/.hg ]
[[ $(cat $path2/dir1/foo) = foo ]]
-[[ $(nix eval --no-pure-eval --raw "(builtins.fetchMercurial $repo).rev") = 0000000000000000000000000000000000000000 ]]
+[[ $(nix eval --impure --raw "(builtins.fetchMercurial $repo).rev") = 0000000000000000000000000000000000000000 ]]
# ... unless we're using an explicit rev.
path3=$(nix eval --raw "(builtins.fetchMercurial { url = $repo; rev = \"default\"; }).outPath")
@@ -89,5 +89,5 @@ path3=$(nix eval --raw "(builtins.fetchMercurial { url = $repo; rev = \"default\
# Committing should not affect the store path.
hg commit --cwd $repo -m 'Bla3'
-path4=$(nix eval --no-pure-eval --tarball-ttl 0 --raw "(builtins.fetchMercurial file://$repo).outPath")
+path4=$(nix eval --impure --tarball-ttl 0 --raw "(builtins.fetchMercurial file://$repo).outPath")
[[ $path2 = $path4 ]]
diff --git a/tests/pure-eval.sh b/tests/pure-eval.sh
index 307942940..6e2c6962d 100644
--- a/tests/pure-eval.sh
+++ b/tests/pure-eval.sh
@@ -4,7 +4,7 @@ clearStore
nix eval '(assert 1 + 2 == 3; true)'
-[[ $(nix eval --no-pure-eval '(builtins.readFile ./pure-eval.sh)') =~ clearStore ]]
+[[ $(nix eval --impure '(builtins.readFile ./pure-eval.sh)') =~ clearStore ]]
(! nix eval '(builtins.readFile ./pure-eval.sh)')
@@ -13,6 +13,6 @@ nix eval '(assert 1 + 2 == 3; true)'
(! nix-instantiate --pure-eval ./simple.nix)
-[[ $(nix eval --no-pure-eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)") == 123 ]]
+[[ $(nix eval --impure "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)") == 123 ]]
(! nix eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; })).x)")
nix eval "((import (builtins.fetchurl { url = file://$(pwd)/pure-eval.nix; sha256 = \"$(nix hash-file pure-eval.nix --type sha256)\"; })).x)"
diff --git a/tests/restricted.sh b/tests/restricted.sh
index 68913cd36..e660de127 100644
--- a/tests/restricted.sh
+++ b/tests/restricted.sh
@@ -17,18 +17,18 @@ nix-instantiate --restrict-eval --eval -E 'builtins.readDir ../src/nix-channel'
(! nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
-p=$(nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --no-pure-eval --restrict-eval --allowed-uris "file://$(pwd)")
+p=$(nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)")
cmp $p restricted.sh
-(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --no-pure-eval --restrict-eval)
+(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval)
-(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --no-pure-eval --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh/")
+(! nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh/")
-nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --no-pure-eval --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh"
+nix eval --raw "(builtins.fetchurl file://$(pwd)/restricted.sh)" --impure --restrict-eval --allowed-uris "file://$(pwd)/restricted.sh"
-(! nix eval --raw "(builtins.fetchurl https://github.com/NixOS/patchelf/archive/master.tar.gz)" --no-pure-eval --restrict-eval)
-(! nix eval --raw "(builtins.fetchTarball https://github.com/NixOS/patchelf/archive/master.tar.gz)" --no-pure-eval --restrict-eval)
-(! nix eval --raw "(fetchGit git://github.com/NixOS/patchelf.git)" --no-pure-eval --restrict-eval)
+(! nix eval --raw "(builtins.fetchurl https://github.com/NixOS/patchelf/archive/master.tar.gz)" --impure --restrict-eval)
+(! nix eval --raw "(builtins.fetchTarball https://github.com/NixOS/patchelf/archive/master.tar.gz)" --impure --restrict-eval)
+(! nix eval --raw "(fetchGit git://github.com/NixOS/patchelf.git)" --impure --restrict-eval)
ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
[[ $(nix-instantiate --eval $TEST_ROOT/restricted.nix) == 3 ]]
@@ -37,7 +37,7 @@ ln -sfn $(pwd)/restricted.nix $TEST_ROOT/restricted.nix
(! nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I .)
nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -I .
-[[ $(nix eval --raw --no-pure-eval --restrict-eval -I . '(builtins.readFile "${import ./simple.nix}/hello")') == 'Hello World!' ]]
+[[ $(nix eval --raw --impure --restrict-eval -I . '(builtins.readFile "${import ./simple.nix}/hello")') == 'Hello World!' ]]
# Check whether we can leak symlink information through directory traversal.
traverseDir="$(pwd)/restricted-traverse-me"