From e1f83cc08615ca011fc4a177e831efd1dd49e687 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Thu, 26 Aug 2021 20:00:03 +0300
Subject: feat(depot): Disallow access to //users from outside of it

Code under this depot path is essentially unstable and potentially unreviewed - this is a good thing (people can play around with cursed stuff all they want), but we should not make the rest of the repository depend on any of it. Any cursed things that are required outside of users can be moved to a different depot path if people agree with that.

Change-Id: I46a34a0e9662069c01b43d9a653e5545e325e587
Reviewed-on: https://cl.tvl.fyi/c/depot/+/3434
Tested-by: BuildkiteCI
Reviewed-by: grfn
---
 default.nix | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

(limited to 'default.nix')

diff --git a/default.nix b/default.nix
index d8b9b08b69..04bf9ace8f 100644
--- a/default.nix
+++ b/default.nix
@@ -8,13 +8,56 @@ let
   inherit (builtins)
     attrValues
     concatMap
+    elem
+    elemAt
     filter
     ;
 
   # This definition of fix is identical to .lib.fix, but the global
   # package set is not available here.
   fix = f: let x = f x; in x;
-  readTree' = import ./nix/readTree {};
+
+  # readTree argument filter to generally disallow access to //users
+  # from other depot parts. Exceptions can be added for specific
+  # (full) paths.
+  depotArgsFilter = args: parts:
+    if (elemAt parts 0) == "users" || elem parts [
+      # whitby is allowed to access //users for two reasons:
+      #
+      # 1. Users host their SSH key sets in //users.
+      # 2. tazjin's website is currently hosted on whitby because
+      #    camden is in storage.
+      #
+      # Due to evaluation order this also affects //ops/nixos.nix.
+      [ "ops" "machines" "whitby" ]
+
+      # TODO(tazjin): Can this one be removed somehow?
+      [ "ops" "nixos" ]
+
+      # //web/bubblegum has examples using //users/sterni, they should
+      # probably be in the user folder instead with a link there.
+      # TODO(sterni): Clean this up.
+      [ "web" "bubblegum" ]
+    ]
+    then args
+    else args // {
+      depot = args.depot // {
+        users = throw ''
+          Access to items from the //users folder is not permitted from
+          other depot paths. Code under //users is not considered stable
+          or dependable in the wider depot context.
+
+          If a project under //users is required by something else,
+          please move it to a different depot path.
+
+          At location: [ ${toString parts} ]
+        '';
+      };
+    };
+
+  readTree' = import ./nix/readTree {
+    argsFilter = depotArgsFilter;
+  };
 
   # To determine build targets, we walk through the depot tree and
   # fetch attributes that were imported by readTree and are buildable.
-- 
cgit 1.4.1
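Review bot: `depotArgsFilter` only masks `depot.users` in the argument set handed to each file, so a file outside //users can still reach that code with a relative `import ../../users/...` (or through any value that captured the unfiltered `args.depot` before the filter ran); it is a convention guard rather than an enforced boundary, and the comment above `depotArgsFilter` should say so, e.g. `# NOTE: this only shadows depot.users in the readTree args; relative imports of //users are not blocked.` `elemAt parts 0` throws an out-of-bounds error on an empty list, so if readTree can ever invoke the filter with `parts = []` the check should read `parts != [] && elemAt parts 0 == "users"`. The three allowlisted paths receive all of `depot.users` rather than the specific attributes they need (SSH keys, one website), which widens the exception beyond what the commit message motivates; narrowing those to the needed attributes would keep the "unreviewed code stays in //users" argument intact. The enclosing `let` starts before the hunk.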