cachix 0.5.0 → 0.5.1
raw patch · 7 files changed
+45/−44 lines, 7 filesdep ~servant-auth-client
Dependency ranges changed: servant-auth-client
Files
- CHANGELOG.md +7/−0
- cachix.cabal +3/−2
- src/Cachix/Client/Config.hs +4/−2
- src/Cachix/Client/InstallationMode.hs +5/−7
- src/Cachix/Client/NetRc.hs +10/−13
- src/Cachix/Client/Push.hs +14/−15
- test/NetRcSpec.hs +2/−5
CHANGELOG.md view
@@ -7,6 +7,13 @@ ## Unreleased +## [0.5.1] - 2020-11-09++### Fixed++- Regression: use auth token when using signing key with private caches +- Configure netrc even if cachix config doesn't exist+ ## [0.5.0] - 2020-11-06 ### Added
cachix.cabal view
@@ -1,6 +1,6 @@ cabal-version: 2.2 name: cachix-version: 0.5.0+version: 0.5.1 license: Apache-2.0 license-file: LICENSE copyright: 2018 Domen Kožar@@ -151,11 +151,12 @@ Spec build-depends:- , base >=4.7 && <5+ , base >=4.7 && <5 , cachix , cachix-api , directory , here , hspec , protolude+ , servant-auth-client , temporary
src/Cachix/Client/Config.hs view
@@ -112,13 +112,15 @@ noAuthTokenError :: Text noAuthTokenError = [iTrim|-Start by visiting https://app.cachix.org and either:+Start by visiting https://app.cachix.org and create a personal/cache auth token. +To configure the token:+ a) Via environment variable: $ export CACHIX_AUTH_TOKEN=<token...> -b) Running:+b) Via configuration file: $ cachix authtoken <token...> |]
src/Cachix/Client/InstallationMode.hs view
@@ -218,13 +218,11 @@ addPrivateBinaryCacheNetRC :: Maybe Config -> BinaryCache.BinaryCache -> NixConf.NixConfLoc -> IO FilePath addPrivateBinaryCacheNetRC maybeConfig bc nixconf = do filename <- (`replaceFileName` "netrc") <$> NixConf.getFilename nixconf- case maybeConfig of- Nothing -> throwIO $ NoConfig Config.noAuthTokenError- Just config -> do- let netrcfile = fromMaybe filename Nothing -- TODO: get netrc from nixconf- NetRc.add config [bc] netrcfile- putErrText $ "Configured private read access credentials in " <> toS filename- pure filename+ authToken <- Config.getAuthTokenRequired maybeConfig+ let netrcfile = fromMaybe filename Nothing -- TODO: get netrc from nixconf+ NetRc.add authToken [bc] netrcfile+ putErrText $ "Configured private read access credentials in " <> toS filename+ pure filename isTrustedUser :: [Text] -> IO Bool isTrustedUser users = do
src/Cachix/Client/NetRc.hs view
@@ -5,8 +5,6 @@ where import Cachix.API.Error (escalateAs)-import Cachix.Client.Config (Config)-import qualified Cachix.Client.Config as Config import Cachix.Client.Exception (CachixException (NetRcParseError)) import qualified Cachix.Types.BinaryCache as BinaryCache import qualified Data.ByteString as BS@@ -22,32 +20,31 @@ -- Makes sure there are no duplicate entries (using domain as a key). -- If file under filename doesn't exist it's created. add ::- Config ->+ Token -> [BinaryCache.BinaryCache] -> FilePath -> IO ()-add config binarycaches filename = do+add cachixAuthToken binarycaches filename = do doesExist <- doesFileExist filename- cachixAuthToken <- Config.getAuthTokenRequired (Just config) netrc <- if doesExist then BS.readFile filename >>= parse else return $ NetRc [] [] createDirectoryIfMissing True (takeDirectory filename)- BS.writeFile filename $ netRcToByteString $ uniqueAppend cachixAuthToken netrc+ BS.writeFile filename $ netRcToByteString $ uniqueAppend netrc where parse :: ByteString -> IO NetRc parse contents = escalateAs (NetRcParseError . show) $ parseNetRc filename contents -- O(n^2) but who cares?- uniqueAppend :: Token -> NetRc -> NetRc- uniqueAppend cachixAuthToken (NetRc hosts macdefs) =+ uniqueAppend :: NetRc -> NetRc+ uniqueAppend (NetRc hosts macdefs) = let f :: NetRcHost -> NetRcHost -> Bool f x y = nrhName x == nrhName y- in NetRc (nubBy f (new cachixAuthToken ++ hosts)) macdefs- new :: Token -> [NetRcHost]- new cachixAuthToken = map (mkHost cachixAuthToken) $ filter (not . BinaryCache.isPublic) binarycaches- mkHost :: Token -> BinaryCache.BinaryCache -> NetRcHost- mkHost cachixAuthToken bc =+ in NetRc (nubBy f (new ++ hosts)) macdefs+ new :: [NetRcHost]+ new = map mkHost $ filter (not . BinaryCache.isPublic) binarycaches+ mkHost :: BinaryCache.BinaryCache -> NetRcHost+ mkHost bc = NetRcHost { nrhName = toS $ stripPrefix "http://" $ stripPrefix "https://" (BinaryCache.uri bc), nrhLogin = "",
src/Cachix/Client/Push.hs view
@@ -60,7 +60,7 @@ data PushSecret = PushToken Token- | PushSigningKey SigningKey+ | PushSigningKey Token SigningKey data PushCache = PushCache@@ -120,7 +120,7 @@ getCacheAuthToken :: PushCache -> Token getCacheAuthToken cache = case pushCacheSecret cache of PushToken token -> token- PushSigningKey _ -> Token ""+ PushSigningKey token _ -> token uploadStorePath :: (MonadMask m, MonadIO m) =>@@ -193,7 +193,7 @@ let fp = fingerprint storePath narHash narSize references (sig, authToken) = case pushCacheSecret cache of PushToken token -> (Nothing, token)- PushSigningKey signKey -> (Just $ toS $ B64.encode $ unSignature $ dsign (signingSecretKey signKey) fp, Token "")+ PushSigningKey token signKey -> (Just $ toS $ B64.encode $ unSignature $ dsign (signingSecretKey signKey) fp, token) nic = Api.NarInfoCreate { Api.cStoreHash = storeHash,@@ -282,20 +282,19 @@ -- | Secret key or exception IO PushSecret findPushSecret config name = do- maybeEnvSK <- lookupEnv "CACHIX_SIGNING_KEY"- -- we reverse list of caches to prioritize keys added as last- let matches c = filter (\bc -> Config.name bc == name) $ reverse $ Config.binaryCaches c- maybeBCSK = case config of+ maybeSigningKeyEnv <- toS <<$>> lookupEnv "CACHIX_SIGNING_KEY"+ maybeAuthToken <- Config.getAuthTokenMaybe config+ let maybeSigningKeyConfig = case config of Nothing -> Nothing- Just c -> Config.secretKey <$> head (matches c)- case maybeBCSK <|> toS <$> maybeEnvSK of- Just signingKey -> escalateAs FatalError $ PushSigningKey <$> parseSigningKeyLenient signingKey- Nothing -> do- authtoken <- Config.getAuthTokenMaybe config- case authtoken of- Just at -> return $ PushToken at- Nothing -> throwIO $ NoSigningKey msg+ Just cfg -> Config.secretKey <$> head (getBinaryCache cfg)+ case maybeSigningKeyEnv <|> maybeSigningKeyConfig of+ Just signingKey -> escalateAs FatalError $ PushSigningKey (fromMaybe (Token "") maybeAuthToken) <$> parseSigningKeyLenient signingKey+ Nothing -> case maybeAuthToken of+ Just authToken -> return $ PushToken authToken+ Nothing -> throwIO $ NoSigningKey msg where+ -- we reverse list of caches to prioritize keys added as last+ getBinaryCache c = filter (\bc -> Config.name bc == name) $ reverse $ Config.binaryCaches c msg :: Text msg = [iTrim|
test/NetRcSpec.hs view
@@ -1,10 +1,10 @@ module NetRcSpec where -import Cachix.Client.Config (Config, mkConfig) import qualified Cachix.Client.NetRc as NetRc import Cachix.Types.BinaryCache (BinaryCache (..)) import Cachix.Types.Permission (Permission (..)) import Protolude+import Servant.Auth.Client (Token (..)) import System.Directory (copyFile) import System.IO.Temp (withSystemTempFile) import Test.Hspec@@ -31,16 +31,13 @@ permission = Read } -config :: Config-config = mkConfig "token123"- -- TODO: poor man's golden tests, use https://github.com/stackbuilders/hspec-golden test :: [BinaryCache] -> Text -> Expectation test caches goldenName = withSystemTempFile "hspec-netrc" $ \filepath _ -> do let input = "test/data/" <> toS goldenName <> ".input" output = "test/data/" <> toS goldenName <> ".output" copyFile input filepath- NetRc.add config caches filepath+ NetRc.add (Token "token123") caches filepath real <- readFile filepath expected <- readFile output real `shouldBe` expected