diff options
Diffstat (limited to 'tvix/store/src/pathinfoservice/nix_http.rs')
-rw-r--r-- | tvix/store/src/pathinfoservice/nix_http.rs | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/tvix/store/src/pathinfoservice/nix_http.rs b/tvix/store/src/pathinfoservice/nix_http.rs index 26e516a90d4f..08e01d2540f0 100644 --- a/tvix/store/src/pathinfoservice/nix_http.rs +++ b/tvix/store/src/pathinfoservice/nix_http.rs @@ -6,7 +6,10 @@ use std::{ use data_encoding::BASE64; use futures::{Stream, TryStreamExt}; -use nix_compat::{narinfo::NarInfo, nixbase32}; +use nix_compat::{ + narinfo::{self, NarInfo}, + nixbase32, +}; use reqwest::StatusCode; use sha2::{digest::FixedOutput, Digest, Sha256}; use tonic::async_trait; @@ -41,6 +44,10 @@ pub struct NixHTTPPathInfoService { blob_service: Arc<dyn BlobService>, directory_service: Arc<dyn DirectoryService>, + + /// An optional list of [narinfo::PubKey]. + /// If set, the .narinfo files received need to have correct signature by at least one of these. + public_keys: Option<Vec<narinfo::PubKey>>, } impl NixHTTPPathInfoService { @@ -54,8 +61,15 @@ impl NixHTTPPathInfoService { http_client: reqwest::Client::new(), blob_service, directory_service, + + public_keys: None, } } + + /// Configures [Self] to validate NARInfo fingerprints with the public keys passed. + pub fn set_public_keys(&mut self, public_keys: Vec<narinfo::PubKey>) { + self.public_keys = Some(public_keys); + } } #[async_trait] @@ -109,6 +123,24 @@ impl PathInfoService for NixHTTPPathInfoService { ) })?; + // if [self.public_keys] is set, ensure there's at least one valid signature. + if let Some(public_keys) = &self.public_keys { + let fingerprint = narinfo.fingerprint(); + + if !public_keys.iter().any(|pubkey| { + narinfo + .signatures + .iter() + .any(|sig| pubkey.verify(&fingerprint, sig)) + }) { + warn!("no valid signature found"); + Err(io::Error::new( + io::ErrorKind::InvalidData, + "no valid signature found", + ))?; + } + } + // Convert to a (sparse) PathInfo. We still need to populate the node field, // and for this we need to download the NAR file. // FUTUREWORK: Keep some database around mapping from narsha256 to |