diff options
| -rw-r--r-- | default.nix | 28 | ||||
| -rw-r--r-- | nix/readTree/default.nix | 35 |
2 files changed, 37 insertions, 26 deletions
diff --git a/default.nix b/default.nix index 2327830850..245e76e304 100644 --- a/default.nix +++ b/default.nix @@ -6,10 +6,7 @@ let inherit (builtins) - attrValues concatMap - elem - elemAt filter ; @@ -17,27 +14,10 @@ let # package set is not available here. fix = f: let x = f x; in x; - # Create a readTree filter disallowing access to the specified - # top-level folder in other parts of the depot, except for specific - # exceptions specified by their (full) paths. - restrictFolder = { folder, exceptions ? [], reason }: parts: args: - if (elemAt parts 0) == folder || elem parts exceptions - then args - else args // { - depot = args.depot // { - "${folder}" = throw '' - Access to targets under //${folder} is not permitted from - other depot paths. Specific exceptions are configured at the - top-level. - - ${reason} - At location: //${builtins.concatStringsSep "/" parts} - ''; - }; - }; + readTree = import ./nix/readTree {}; # Disallow access to //users from other depot parts. - usersFilter = restrictFolder { + usersFilter = readTree.restrictFolder { folder = "users"; reason = '' Code under //users is not considered stable or dependable in the @@ -60,7 +40,7 @@ let }; # Disallow access to //corp from other depot parts. - corpFilter = restrictFolder { + corpFilter = readTree.restrictFolder { folder = "corp"; reason = '' Code under //corp may use incompatible licensing terms with @@ -76,7 +56,7 @@ let ]; }; - readDepot = depotArgs: import ./nix/readTree {} { + readDepot = depotArgs: readTree { args = depotArgs; path = ./.; filter = parts: args: corpFilter parts (usersFilter parts args); diff --git a/nix/readTree/default.nix b/nix/readTree/default.nix index c3955c6c88..e34c4f39f1 100644 --- a/nix/readTree/default.nix +++ b/nix/readTree/default.nix @@ -20,13 +20,13 @@ let inherit (builtins) attrNames - baseNameOf concatStringsSep + elem + elemAt filter hasAttr head isAttrs - length listToAttrs map match @@ -138,4 +138,35 @@ in { rootDir = true; parts = []; }; + + # In addition to readTree itself, some functionality is exposed that + # is useful for users of readTree. + + # Create a readTree filter disallowing access to the specified + # top-level folder in the repository, except for specific exceptions + # specified by their (full) paths. + # + # Called with the arguments: + # + # folder: Name of the restricted top-level folder (e.g. 'experimental') + # + # exceptions: List of readTree parts (e.g. [ [ "services" "some-app" ] ]), + # which should be able to access the restricted folder. + # + # reason: Textual explanation for the restriction (included in errors) + restrictFolder = { folder, exceptions ? [], reason }: parts: args: + if (elemAt parts 0) == folder || elem parts exceptions + then args + else args // { + depot = args.depot // { + "${folder}" = throw '' + Access to targets under //${folder} is not permitted from + other repository paths. Specific exceptions are configured + at the top-level. + + ${reason} + At location: ${builtins.concatStringsSep "." parts} + ''; + }; + }; } |