refactor(depot): Generalise folder restriction readTree filter r/3069

This refactors the readTree filter which disallows access to //users
from outside of //users into a reusable function.

The only change in functionality is that the error message has changed
slightly. I thought it is useful to keep the message consistent (i.e.
always including a path), thus only a part of the error is templated
in (describing the reason for why a specific sub path is unavailable).

Change-Id: I30ad38b2677be5aa502c753c8c71e7ba3efc87be
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3872
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>

1 files changed, 40 insertions, 32 deletions

diff --git a/default.nix b/default.nix
index dcf3e9fda9..5c93e9501e 100644
--- a/default.nix
+++ b/default.nix
@@ -17,48 +17,56 @@ let
   # package set is not available here.
   fix = f: let x = f x; in x;
 
-  # readTree argument filter to generally disallow access to //users
-  # from other depot parts. Exceptions can be added for specific
-  # (full) paths.
-  depotArgsFilter = args: parts:
-    if (elemAt parts 0) == "users" || elem parts [
-      # whitby is allowed to access //users for two reasons:
-      #
-      # 1. Users host their SSH key sets in //users.
-      # 2. tazjin's website is currently hosted on whitby because
-      #    camden is in storage.
-      #
-      [ "ops" "machines" "whitby" ]
-
-      # Due to evaluation order this also affects these targets.
-      # TODO(tazjin): Can this one be removed somehow?
-      [ "ops" "nixos" ]
-      [ "ops" "machines" "all-systems" ]
-    ]
+  # Create a readTree filter disallowing access to the specified
+  # top-level folder in other parts of the depot, except for specific
+  # exceptions specified by their (full) paths.
+  restrictFolder = { folder, exceptions ? [], reason }: args: parts:
+    if (elemAt parts 0) == folder || elem parts exceptions
     then args
     else args // {
       depot = args.depot // {
-        users = throw ''
-          Access to items from the //users folder is not permitted from
-          other depot paths. Code under //users is not considered stable
-          or dependable in the wider depot context.
-
-          If a project under //users is required by something else,
-          please move it to a different depot path.
+        "${folder}" = throw ''
+          Access to targets under //${folder} is not permitted from
+          other depot paths. Specific exceptions are configured at the
+          top-level.
 
+          ${reason}
           At location: //${builtins.concatStringsSep "/" parts}
         '';
       };
     };
 
-    readDepot = depotArgs: import ./nix/readTree {} {
-      args = depotArgs;
-      path = ./.;
-      filter = depotArgsFilter;
-      scopedArgs = {
-        __findFile = _: _: throw "Do not import from NIX_PATH in the depot!";
-      };
+  # Disallow access to //users from other depot parts.
+  usersFilter = restrictFolder {
+    folder = "users";
+    reason = ''
+      Code under //users is not considered stable or dependable in the
+      wider depot context. If a project under //users is required by
+      something else, please move it to a different depot path.
+    '';
+
+    exceptions = [
+      # whitby is allowed to access //users for several reasons:
+      #
+      # 1. User SSH keys are set in //users.
+      # 2. Some personal websites or demo projects are served from it.
+      [ "ops" "machines" "whitby" ]
+
+      # Due to evaluation order this also affects these targets.
+      # TODO(tazjin): Can this one be removed somehow?
+      [ "ops" "nixos" ]
+      [ "ops" "machines" "all-systems" ]
+    ];
+  };
+
+  readDepot = depotArgs: import ./nix/readTree {} {
+    args = depotArgs;
+    path = ./.;
+    filter = usersFilter;
+    scopedArgs = {
+      __findFile = _: _: throw "Do not import from NIX_PATH in the depot!";
     };
+  };
 
   # To determine build targets, we walk through the depot tree and
   # fetch attributes that were imported by readTree and are buildable.