builtins:fetchurl: Only use the tunneled auth source

NixOS · Feb 3, 2024 · 703871a · 703871a
1 parent f951676
commit 703871a
Show file tree

Hide file tree

Showing 8 changed files with 51 additions and 35 deletions.
diff --git a/src/libstore/auth-tunnel.cc b/src/libstore/auth-tunnel.cc
@@ -41,11 +41,11 @@ AuthTunnel::AuthTunnel(
                     auto authRequest = WorkerProto::Serialise<auth::AuthData>::read(storeConfig, from);
                     bool required;
                     from.from >> required;
-                    printError("got auth request from daemon: %s", authRequest);
+                    debug("tunneling auth request: %s", authRequest);
                     // FIXME: handle exceptions
                     auto authData = auth::getAuthenticator()->fill(authRequest, required);
                     if (authData)
-                        printError("returning auth to daemon: %s", *authData);
+                        debug("tunneling auth response: %s", *authData);
                     to.to << 1;
                     WorkerProto::Serialise<std::optional<auth::AuthData>>::write(storeConfig, to, authData);
                     toSource.flush();

diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
@@ -2138,14 +2138,13 @@ void LocalDerivationGoal::runChild()
                     e.second = rewriteStrings(e.second, inputRewrites);
 
                 if (drv->builder == "builtin:fetchurl") {
-                    if (authTunnel)
-                        auth::getAuthenticator()->setAuthSource(
-                            makeTunneledAuthSource(
-                                ref(worker.store.shared_from_this()),
-                                authTunnel->clientVersion,
-                                std::move(authTunnel->clientFd)));
-
-                    builtinFetchurl(drv2);
+                    auto authSource =
+                        makeTunneledAuthSource(
+                            ref(worker.store.shared_from_this()),
+                            authTunnel->clientVersion,
+                            std::move(authTunnel->clientFd));
+                    std::vector<ref<auth::AuthSource>> authSources{authSource};
+                    builtinFetchurl(drv2, make_ref<auth::Authenticator>(authSources));
                 }
                 else if (drv->builder == "builtin:buildenv")
                     builtinBuildenv(drv2);

diff --git a/src/libstore/builtins.hh b/src/libstore/builtins.hh
@@ -5,8 +5,12 @@
 
 namespace nix {
 
+namespace auth { class Authenticator; }
+
 // TODO: make pluggable.
-void builtinFetchurl(const BasicDerivation & drv);
+void builtinFetchurl(
+    const BasicDerivation & drv,
+    ref<auth::Authenticator> authenticator);
 void builtinUnpackChannel(const BasicDerivation & drv);
 
 }
diff --git a/src/libstore/builtins/fetchurl.cc b/src/libstore/builtins/fetchurl.cc
@@ -6,7 +6,9 @@
 
 namespace nix {
 
-void builtinFetchurl(const BasicDerivation & drv)
+void builtinFetchurl(
+    const BasicDerivation & drv,
+    ref<auth::Authenticator> authenticator)
 {
     auto out = get(drv.outputs, "out");
     if (!out)
@@ -37,6 +39,7 @@ void builtinFetchurl(const BasicDerivation & drv)
             /* No need to do TLS verification, because we check the hash of
                the result anyway. */
             FileTransferRequest request(url);
+            request.authenticator = authenticator;
             request.verifyTLS = false;
             request.decompress = false;
 

diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc
@@ -36,6 +36,12 @@ FileTransferSettings fileTransferSettings;
 
 static GlobalConfig::Register rFileTransferSettings(&fileTransferSettings);
 
+FileTransferRequest::FileTransferRequest(std::string_view uri)
+    : uri(uri)
+    , parentAct(getCurActivity())
+    , authenticator(auth::getAuthenticator())
+{ }
+
 struct curlFileTransfer : public FileTransfer
 {
     CURLM * curlm = 0;
@@ -346,15 +352,14 @@ struct curlFileTransfer : public FileTransfer
             curl_easy_setopt(req, CURLOPT_LOW_SPEED_LIMIT, 1L);
             curl_easy_setopt(req, CURLOPT_LOW_SPEED_TIME, fileTransferSettings.stalledDownloadTimeout.get());
 
-            auto authenticator = auth::getAuthenticator();
             auto url = parseURL(request.uri);
             auth::AuthData authRequest = {
                 .protocol = url.scheme,
                 .host = url.authority,
                 .path = url.path,
                 // FIXME: add username
             };
-            auto authData = authenticator->fill(authRequest, false);
+            auto authData = request.authenticator->fill(authRequest, false);
 
             if (authData) {
                 if (authData->userName)

diff --git a/src/libstore/filetransfer.hh b/src/libstore/filetransfer.hh
@@ -10,6 +10,8 @@
 
 namespace nix {
 
+namespace auth { class Authenticator; }
+
 struct FileTransferSettings : Config
 {
     Setting<bool> enableHttp2{this, true, "http2",
@@ -63,9 +65,9 @@ struct FileTransferRequest
     std::optional<std::string> data;
     std::string mimeType;
     std::function<void(std::string_view data)> dataCallback;
+    ref<auth::Authenticator> authenticator;
 
-    FileTransferRequest(std::string_view uri)
-        : uri(uri), parentAct(getCurActivity()) { }
+    FileTransferRequest(std::string_view uri);
 
     std::string verb()
     {

diff --git a/src/libutil/auth.cc b/src/libutil/auth.cc
@@ -249,23 +249,6 @@ struct ExternalAuthSource : AuthSource
     }
 };
 
-Authenticator::Authenticator()
-{
-    for (auto & s : authSettings.authSources.get()) {
-        if (hasPrefix(s, "builtin:")) {
-            if (s == "builtin:nix")
-                authSources.push_back(make_ref<NixAuthSource>());
-            else if (s == "builtin:netrc") {
-                if (authSettings.netrcFile != "")
-                    authSources.push_back(make_ref<NetrcAuthSource>(authSettings.netrcFile));
-            }
-            else
-                warn("unknown authentication sources '%s'", s);
-        } else
-            authSources.push_back(make_ref<ExternalAuthSource>(s));
-    }
-}
-
 std::optional<AuthData> Authenticator::fill(const AuthData & request, bool required)
 {
     if (!request.protocol)
@@ -295,7 +278,25 @@ void Authenticator::setAuthSource(ref<AuthSource> authSource)
 
 ref<Authenticator> getAuthenticator()
 {
-    static auto authenticator = make_ref<Authenticator>();
+    static auto authenticator = ({
+        std::vector<ref<AuthSource>> authSources;
+
+        for (auto & s : authSettings.authSources.get()) {
+            if (hasPrefix(s, "builtin:")) {
+                if (s == "builtin:nix")
+                    authSources.push_back(make_ref<NixAuthSource>());
+                else if (s == "builtin:netrc") {
+                    if (authSettings.netrcFile != "")
+                        authSources.push_back(make_ref<NetrcAuthSource>(authSettings.netrcFile));
+                }
+                else
+                    warn("unknown authentication sources '%s'", s);
+            } else
+                authSources.push_back(make_ref<ExternalAuthSource>(s));
+        }
+
+        make_ref<Authenticator>(authSources);
+    });
     return authenticator;
 }
 

diff --git a/src/libutil/auth.hh b/src/libutil/auth.hh
@@ -101,7 +101,9 @@ class Authenticator
 
 public:
 
-    Authenticator();
+    Authenticator(std::vector<ref<AuthSource>> authSources = {})
+        : authSources(std::move(authSources))
+    { }
 
     std::optional<AuthData> fill(const AuthData & request, bool required);