From dc8d3e869d30f59c128877933f916475554e71cc Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Sat, 13 Nov 2021 18:25:02 +0100 Subject: refactor(depot): Generalise folder restriction readTree filter This refactors the readTree filter which disallows access to //users from outside of //users into a reusable function. The only change in functionality is that the error message has changed slightly. I thought it is useful to keep the message consistent (i.e. always including a path), thus only a part of the error is templated in (describing the reason for why a specific sub path is unavailable). Change-Id: I30ad38b2677be5aa502c753c8c71e7ba3efc87be Reviewed-on: https://cl.tvl.fyi/c/depot/+/3872 Tested-by: BuildkiteCI Reviewed-by: sterni --- default.nix | 72 ++++++++++++++++++++++++++++++++++--------------------------- 1 file changed, 40 insertions(+), 32 deletions(-) (limited to 'default.nix') diff --git a/default.nix b/default.nix index dcf3e9fda9..5c93e9501e 100644 --- a/default.nix +++ b/default.nix @@ -17,48 +17,56 @@ let # package set is not available here. fix = f: let x = f x; in x; - # readTree argument filter to generally disallow access to //users - # from other depot parts. Exceptions can be added for specific - # (full) paths. - depotArgsFilter = args: parts: - if (elemAt parts 0) == "users" || elem parts [ - # whitby is allowed to access //users for two reasons: - # - # 1. Users host their SSH key sets in //users. - # 2. tazjin's website is currently hosted on whitby because - # camden is in storage. - # - [ "ops" "machines" "whitby" ] - - # Due to evaluation order this also affects these targets. - # TODO(tazjin): Can this one be removed somehow? - [ "ops" "nixos" ] - [ "ops" "machines" "all-systems" ] - ] + # Create a readTree filter disallowing access to the specified + # top-level folder in other parts of the depot, except for specific + # exceptions specified by their (full) paths. + restrictFolder = { folder, exceptions ? [], reason }: args: parts: + if (elemAt parts 0) == folder || elem parts exceptions then args else args // { depot = args.depot // { - users = throw '' - Access to items from the //users folder is not permitted from - other depot paths. Code under //users is not considered stable - or dependable in the wider depot context. - - If a project under //users is required by something else, - please move it to a different depot path. + "${folder}" = throw '' + Access to targets under //${folder} is not permitted from + other depot paths. Specific exceptions are configured at the + top-level. + ${reason} At location: //${builtins.concatStringsSep "/" parts} ''; }; }; - readDepot = depotArgs: import ./nix/readTree {} { - args = depotArgs; - path = ./.; - filter = depotArgsFilter; - scopedArgs = { - __findFile = _: _: throw "Do not import from NIX_PATH in the depot!"; - }; + # Disallow access to //users from other depot parts. + usersFilter = restrictFolder { + folder = "users"; + reason = '' + Code under //users is not considered stable or dependable in the + wider depot context. If a project under //users is required by + something else, please move it to a different depot path. + ''; + + exceptions = [ + # whitby is allowed to access //users for several reasons: + # + # 1. User SSH keys are set in //users. + # 2. Some personal websites or demo projects are served from it. + [ "ops" "machines" "whitby" ] + + # Due to evaluation order this also affects these targets. + # TODO(tazjin): Can this one be removed somehow? + [ "ops" "nixos" ] + [ "ops" "machines" "all-systems" ] + ]; + }; + + readDepot = depotArgs: import ./nix/readTree {} { + args = depotArgs; + path = ./.; + filter = usersFilter; + scopedArgs = { + __findFile = _: _: throw "Do not import from NIX_PATH in the depot!"; }; + }; # To determine build targets, we walk through the depot tree and # fetch attributes that were imported by readTree and are buildable. -- cgit 1.4.1