use crate::nixbase32; use crate::nixhash::{CAHash, NixHash}; use crate::store_path::{Error, StorePathRef, DIGEST_SIZE, STORE_DIR}; use sha2::{Digest, Sha256}; use std::io::Write; use thiserror; /// Errors that can occur when creating a content-addressed store path. /// /// This wraps the main [crate::store_path::Error].. #[derive(Debug, PartialEq, Eq, thiserror::Error)] pub enum BuildStorePathError { #[error("Invalid Store Path: {0}")] InvalidStorePath(Error), /// This error occurs when we have references outside the SHA-256 + /// Recursive case. The restriction comes from upstream Nix. It may be /// lifted at some point but there isn't a pressing need to anticipate that. #[error("References were not supported as much as requested")] InvalidReference(), } /// compress_hash takes an arbitrarily long sequence of bytes (usually /// a hash digest), and returns a sequence of bytes of length /// OUTPUT_SIZE. /// /// It's calculated by rotating through the bytes in the output buffer /// (zero- initialized), and XOR'ing with each byte of the passed /// input. It consumes 1 byte at a time, and XOR's it with the current /// value in the output buffer. /// /// This mimics equivalent functionality in C++ Nix. pub fn compress_hash<const OUTPUT_SIZE: usize>(input: &[u8]) -> [u8; OUTPUT_SIZE] { let mut output = [0; OUTPUT_SIZE]; for (ii, ch) in input.iter().enumerate() { output[ii % OUTPUT_SIZE] ^= ch; } output } /// This builds a store path, by calculating the text_hash_string of either a /// derivation or a literal text file that may contain references. /// If you don't want to have to pass the entire contents, you might want to use /// [build_ca_path] instead. pub fn build_text_path<S: AsRef<str>, I: IntoIterator<Item = S>, C: AsRef<[u8]>>( name: &str, content: C, references: I, ) -> Result<StorePathRef<'_>, BuildStorePathError> { // produce the sha256 digest of the contents let content_digest = Sha256::new_with_prefix(content).finalize().into(); build_ca_path(name, &CAHash::Text(content_digest), references, false) } /// This builds a store path from a [CAHash] and a list of references. pub fn build_ca_path<'a, S: AsRef<str>, I: IntoIterator<Item = S>>( name: &'a str, ca_hash: &CAHash, references: I, self_reference: bool, ) -> Result<StorePathRef<'a>, BuildStorePathError> { // self references are only allowed for CAHash::Nar(NixHash::Sha256(_)). if self_reference && matches!(ca_hash, CAHash::Nar(NixHash::Sha256(_))) { return Err(BuildStorePathError::InvalidReference()); } let (ty, hash) = match &ca_hash { CAHash::Text(ref digest) => ( make_references_string("text", references, false), NixHash::Sha256(*digest), ), CAHash::Nar(NixHash::Sha256(ref digest)) => ( make_references_string("source", references, self_reference), NixHash::Sha256(*digest), ), // for all other CAHash::Nar, another custom scheme is used. CAHash::Nar(ref hash) => { if references.into_iter().next().is_some() { return Err(BuildStorePathError::InvalidReference()); } ( "output:out".to_string(), NixHash::Sha256(fixed_out_digest("fixed:out:r", hash)), ) } // CaHash::Flat is using something very similar, except the `r:` prefix. CAHash::Flat(ref hash) => { if references.into_iter().next().is_some() { return Err(BuildStorePathError::InvalidReference()); } ( "output:out".to_string(), NixHash::Sha256(fixed_out_digest("fixed:out", hash)), ) } }; build_store_path_from_fingerprint_parts(&ty, &hash, name) .map_err(BuildStorePathError::InvalidStorePath) } /// Helper function, used in [build_ca_path] for the non-sha256 [CAHash::Nar] /// and [CAHash::Flat]. fn fixed_out_digest(prefix: &str, hash: &NixHash) -> [u8; 32] { Sha256::new_with_prefix(format!("{}:{}:", prefix, hash.to_nix_hex_string())) .finalize() .into() } /// For given NAR sha256 digest and name, return the new [StorePathRef] this /// would have, or an error, in case the name is invalid. pub fn build_nar_based_store_path<'a>( nar_sha256_digest: &[u8; 32], name: &'a str, ) -> Result<StorePathRef<'a>, BuildStorePathError> { let nar_hash_with_mode = CAHash::Nar(NixHash::Sha256(nar_sha256_digest.to_owned())); build_ca_path(name, &nar_hash_with_mode, Vec::<String>::new(), false) } /// This builds an input-addressed store path. /// /// Input-addresed store paths are always derivation outputs, the "input" in question is the /// derivation and its closure. pub fn build_output_path<'a>( drv_hash: &NixHash, output_name: &str, output_path_name: &'a str, ) -> Result<StorePathRef<'a>, Error> { build_store_path_from_fingerprint_parts( &(String::from("output:") + output_name), drv_hash, output_path_name, ) } /// This builds a store path from fingerprint parts. /// Usually, that function is used from [build_text_path] and /// passed a "text hash string" (starting with "text:" as fingerprint), /// but other fingerprints starting with "output:" are also used in Derivation /// output path calculation. /// /// The fingerprint is hashed with sha256, its digest is compressed to 20 bytes, /// and nixbase32-encoded (32 characters). fn build_store_path_from_fingerprint_parts<'a>( ty: &str, hash: &NixHash, name: &'a str, ) -> Result<StorePathRef<'a>, Error> { let digest: [u8; DIGEST_SIZE] = compress_hash(&{ let mut h = Sha256::new(); write!(h, "{ty}:{}:{STORE_DIR}:{name}", hash.to_nix_hex_string()).unwrap(); h.finalize() }); // name validation happens in here. StorePathRef::from_name_and_digest(name, &digest) } /// This contains the Nix logic to create "text hash strings", which are used /// in `builtins.toFile`, as well as in Derivation Path calculation. /// /// A text hash is calculated by concatenating the following fields, separated by a `:`: /// /// - text /// - references, individually joined by `:` /// - the nix_hash_string representation of the sha256 digest of some contents /// - the value of `storeDir` /// - the name fn make_references_string<S: AsRef<str>, I: IntoIterator<Item = S>>( ty: &str, references: I, self_ref: bool, ) -> String { let mut s = String::from(ty); for reference in references { s.push(':'); s.push_str(reference.as_ref()); } if self_ref { s.push_str(":self"); } s } /// Nix placeholders (i.e. values returned by `builtins.placeholder`) /// are used to populate outputs with paths that must be /// string-replaced with the actual placeholders later, at runtime. /// /// The actual placeholder is basically just a SHA256 hash encoded in /// cppnix format. pub fn hash_placeholder(name: &str) -> String { let digest = Sha256::new_with_prefix(format!("nix-output:{}", name)).finalize(); format!("/{}", nixbase32::encode(&digest)) } #[cfg(test)] mod test { use hex_literal::hex; use super::*; use crate::nixhash::{CAHash, NixHash}; #[test] fn build_text_path_with_zero_references() { // This hash should match `builtins.toFile`, e.g.: // // nix-repl> builtins.toFile "foo" "bar" // "/nix/store/vxjiwkjkn7x4079qvh1jkl5pn05j2aw0-foo" let store_path = build_text_path("foo", "bar", Vec::<String>::new()) .expect("build_store_path() should succeed"); assert_eq!( store_path.to_absolute_path().as_str(), "/nix/store/vxjiwkjkn7x4079qvh1jkl5pn05j2aw0-foo" ); } #[test] fn build_text_path_with_non_zero_references() { // This hash should match: // // nix-repl> builtins.toFile "baz" "${builtins.toFile "foo" "bar"}" // "/nix/store/5xd714cbfnkz02h2vbsj4fm03x3f15nf-baz" let inner = build_text_path("foo", "bar", Vec::<String>::new()) .expect("path_with_references() should succeed"); let inner_path = inner.to_absolute_path(); let outer = build_text_path("baz", &inner_path, vec![inner_path.as_str()]) .expect("path_with_references() should succeed"); assert_eq!( outer.to_absolute_path().as_str(), "/nix/store/5xd714cbfnkz02h2vbsj4fm03x3f15nf-baz" ); } #[test] fn build_sha1_path() { let outer = build_ca_path( "bar", &CAHash::Nar(NixHash::Sha1(hex!( "0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33" ))), Vec::<String>::new(), false, ) .expect("path_with_references() should succeed"); assert_eq!( outer.to_absolute_path().as_str(), "/nix/store/mp57d33657rf34lzvlbpfa1gjfv5gmpg-bar" ); } #[test] fn build_store_path_with_non_zero_references() { // This hash should match: // // nix-repl> builtins.toFile "baz" "${builtins.toFile "foo" "bar"}" // "/nix/store/5xd714cbfnkz02h2vbsj4fm03x3f15nf-baz" // // $ nix store make-content-addressed /nix/store/5xd714cbfnkz02h2vbsj4fm03x3f15nf-baz // rewrote '/nix/store/5xd714cbfnkz02h2vbsj4fm03x3f15nf-baz' to '/nix/store/s89y431zzhmdn3k8r96rvakryddkpv2v-baz' let outer = build_ca_path( "baz", &CAHash::Nar(NixHash::Sha256( nixbase32::decode(b"1xqkzcb3909fp07qngljr4wcdnrh1gdam1m2n29i6hhrxlmkgkv1") .expect("nixbase32 should decode") .try_into() .expect("should have right len"), )), vec!["/nix/store/dxwkwjzdaq7ka55pkk252gh32bgpmql4-foo"], false, ) .expect("path_with_references() should succeed"); assert_eq!( outer.to_absolute_path().as_str(), "/nix/store/s89y431zzhmdn3k8r96rvakryddkpv2v-baz" ); } }