diff options
author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2012-07-31T22·56-0400 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2012-07-31T22·56-0400 |
commit | 4d1b64f118cf6ebcbf530bea4a3c531704d7d6ba (patch) | |
tree | 07a51356c5c580d76aec2e8c7edef26f8fcc1359 /scripts/download-from-binary-cache.pl.in | |
parent | eb7849e3a281511a59abf72ae5c3133f903bbaab (diff) |
Allow daemon users to override ‘binary-caches’
For security reasons, daemon users can only specify caches that appear in the ‘binary-caches’ and ‘trusted-binary-caches’ options in nix.conf.
Diffstat (limited to 'scripts/download-from-binary-cache.pl.in')
-rw-r--r-- | scripts/download-from-binary-cache.pl.in | 30 |
1 files changed, 27 insertions, 3 deletions
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index 5d65e664e564..3f7d3ef45f4a 100644 --- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in @@ -8,6 +8,7 @@ use Nix::Store; use Nix::Utils; use WWW::Curl::Easy; use WWW::Curl::Multi; +use List::MoreUtils qw(any); use strict; @@ -166,9 +167,32 @@ sub getAvailableCaches { return if $gotCaches; $gotCaches = 1; - my @urls = map { s/\/+$//; $_ } split(/ /, - $Nix::Config::config{"binary-caches"} - // ($Nix::Config::storeDir eq "/nix/store" ? "http://nixos.org/binary-cache" : "")); + sub strToList { + my ($s) = @_; + return map { s/\/+$//; $_ } split(/ /, $s); + } + + my @urls = strToList + ($Nix::Config::config{"binary-caches"} + // ($Nix::Config::storeDir eq "/nix/store" ? "http://nixos.org/binary-cache" : "")); + + # Allow Nix daemon users to override the binary caches to a subset + # of those listed in the config file. Note that ‘untrusted-*’ + # denotes options passed by the client. + if (defined $Nix::Config::config{"untrusted-binary-caches"}) { + my @untrustedUrls = strToList $Nix::Config::config{"untrusted-binary-caches"}; + my @trustedUrls = (@urls, strToList($Nix::Config::config{"trusted-binary-caches"} // "")); + @urls = (); + foreach my $url (@untrustedUrls) { + if (any { $url eq $_ } @trustedUrls) { + push @urls, $url; + } else { + # FIXME: should die here, but we currently can't + # deliver error messages to clients. + warn "warning: binary cache ‘$url’ is not trusted (please add it to ‘trusted-binary-caches’ in $Nix::Config::confDir/nix.conf)\n"; + } + } + } foreach my $url (@urls) { |