From 703871af6f85f438b5a1409e61655ca3a852d2e3 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Sat, 3 Feb 2024 15:18:33 +0100
Subject: [PATCH] builtins:fetchurl: Only use the tunneled auth source
---
 src/libstore/auth-tunnel.cc | 4 +-
 src/libstore/build/local-derivation-goal.cc | 15 ++++-----
 src/libstore/builtins.hh | 6 +++-
 src/libstore/builtins/fetchurl.cc | 5 ++-
 src/libstore/filetransfer.cc | 9 +++--
 src/libstore/filetransfer.hh | 6 ++--
 src/libutil/auth.cc | 37 +++++++++++----------
 src/libutil/auth.hh | 4 ++-
 8 files changed, 51 insertions(+), 35 deletions(-)
diff --git a/src/libstore/auth-tunnel.cc b/src/libstore/auth-tunnel.cc
index 0ed4e779bdce..e63af5579dfe 100644
--- a/src/libstore/auth-tunnel.cc
+++ b/src/libstore/auth-tunnel.cc
@@ -41,11 +41,11 @@ AuthTunnel::AuthTunnel(
 auto authRequest = WorkerProto::Serialise::read(storeConfig, from);
 bool required;
 from.from >> required;
- printError("got auth request from daemon: %s", authRequest);
+ debug("tunneling auth request: %s", authRequest);
 // FIXME: handle exceptions
 auto authData = auth::getAuthenticator()->fill(authRequest, required);
 if (authData)
- printError("returning auth to daemon: %s", *authData);
+ debug("tunneling auth response: %s", *authData);
 to.to << 1;
 WorkerProto::Serialise>::write(storeConfig, to, authData);
 toSource.flush();
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 06bd25f5a3cd..d4bf89aac76f 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
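Review bot: The second `debug(...)` call still formats `*authData`, the filled authentication response, into the log; moving it from `printError` to `debug` narrows who sees it, but whatever secret `AuthData` carries is still written out whenever debug logging is enabled. Log only the non-secret side, e.g. `debug("tunneling auth response for %s", authRequest);`, or make AuthData's formatter redact the credential fields (I can't see AuthData's fields from this hunk, only that filetransfer.cc reads `userName`). The `// FIXME: handle exceptions` above `fill(...)` also remains open: an exception thrown there leaves before `to.to << 1` is written, so the peer that sent the request presumably never receives a reply. AuthTunnel::AuthTunnel's body continues outside the hunk.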
@@ -2138,14 +2138,13 @@ void LocalDerivationGoal::runChild()
 e.second = rewriteStrings(e.second, inputRewrites);
 if (drv->builder == "builtin:fetchurl") {
- if (authTunnel)
- auth::getAuthenticator()->setAuthSource(
- makeTunneledAuthSource(
- ref(worker.store.shared_from_this()),
- authTunnel->clientVersion,
- std::move(authTunnel->clientFd)));
-
- builtinFetchurl(drv2);
+ auto authSource =
+ makeTunneledAuthSource(
+ ref(worker.store.shared_from_this()),
+ authTunnel->clientVersion,
+ std::move(authTunnel->clientFd));
+ std::vector> authSources{authSource};
+ builtinFetchurl(drv2, make_ref(authSources));
 }
 else if (drv->builder == "builtin:buildenv")
 builtinBuildenv(drv2);
diff --git a/src/libstore/builtins.hh b/src/libstore/builtins.hh
index 55b7158a419a..5d6dc19bf423 100644
--- a/src/libstore/builtins.hh
+++ b/src/libstore/builtins.hh
@@ -5,8 +5,12 @@
 namespace nix {
+namespace auth { class Authenticator; }
+
 // TODO: make pluggable.
-void builtinFetchurl(const BasicDerivation & drv);
+void builtinFetchurl(
+ const BasicDerivation & drv,
+ ref authenticator);
 void builtinUnpackChannel(const BasicDerivation & drv);
 }
diff --git a/src/libstore/builtins/fetchurl.cc b/src/libstore/builtins/fetchurl.cc
index 080a76f60c76..149e04ae9307 100644
--- a/src/libstore/builtins/fetchurl.cc
+++ b/src/libstore/builtins/fetchurl.cc
@@ -6,7 +6,9 @@
 namespace nix {
-void builtinFetchurl(const BasicDerivation & drv)
+void builtinFetchurl(
+ const BasicDerivation & drv,
+ ref authenticator)
 {
 auto out = get(drv.outputs, "out");
 if (!out)
@@ -37,6 +39,7 @@ void builtinFetchurl(const BasicDerivation & drv)
 /* No need to do TLS verification, because we check the hash of
 the result anyway. */
 FileTransferRequest request(url);
+ request.authenticator = authenticator;
 request.verifyTLS = false;
 request.decompress = false;
diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc
index fa55f1586e83..554c74dd16bd 100644
--- a/src/libstore/filetransfer.cc
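Review bot: The `if (authTunnel)` guard is removed but `authTunnel->clientVersion` and `authTunnel->clientFd` are still dereferenced unconditionally, so if `authTunnel` can be unset when this builder runs (the old code treated that as a real case) this is now a null dereference in the child instead of a controlled failure. Keeping the daemon's own auth sources out of the build is the right direction, so rather than restoring the old fallback, fail explicitly before the `auto authSource =` line: `if (!authTunnel) throw Error("builtin:fetchurl requires an auth tunnel");`. `make_ref(authSources)` also copies the vector; since the new Authenticator constructor takes it by value, `make_ref<Authenticator>(std::move(authSources))` avoids that (template arguments look stripped by the rendering here, so the exact spelling is assumed). LocalDerivationGoal::runChild starts and ends outside the hunk.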
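Review bot: The new `authenticator` parameter of `builtinFetchurl` is the only thing that decides which credentials a build can obtain, and the declaration does not say so. A short comment on the parameter would keep the next caller from passing the process-wide authenticator by habit: `/* The only source of credentials consulted for the download; builders pass just the tunneled source so the daemon's own auth sources are never exposed to a build. */`. The forward declaration `namespace auth { class Authenticator; }` is enough for `ref<Authenticator>` only if the header already includes the definition of `ref`; I can't see the include list from this hunk.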
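Review bot: In the second fetchurl.cc hunk, `request.authenticator = authenticator;` now attaches credentials to a request that still sets `request.verifyTLS = false;` on the next line, and the comment above justifies that only by the output hash check. The hash protects the integrity of what is downloaded; it does nothing for the confidentiality of a username or password sent to an unverified peer, so those credentials can be handed to whoever answers for the host. Consider keeping verification on for authenticated fetches, e.g. `request.verifyTLS = !authenticator->fill(...)`-style gating decided by the caller, or at minimum extend the comment to state that the hash check does not cover credential disclosure. builtinFetchurl's body continues outside the hunk.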
+++ b/src/libstore/filetransfer.cc
@@ -36,6 +36,12 @@ FileTransferSettings fileTransferSettings;
 static GlobalConfig::Register rFileTransferSettings(&fileTransferSettings);
+FileTransferRequest::FileTransferRequest(std::string_view uri)
+ : uri(uri)
+ , parentAct(getCurActivity())
+ , authenticator(auth::getAuthenticator())
+{ }
+
 struct curlFileTransfer : public FileTransfer
 {
 CURLM * curlm = 0;
@@ -346,7 +352,6 @@ struct curlFileTransfer : public FileTransfer
 curl_easy_setopt(req, CURLOPT_LOW_SPEED_LIMIT, 1L);
 curl_easy_setopt(req, CURLOPT_LOW_SPEED_TIME, fileTransferSettings.stalledDownloadTimeout.get());
- auto authenticator = auth::getAuthenticator();
 auto url = parseURL(request.uri);
 auth::AuthData authRequest = {
 .protocol = url.scheme,
@@ -354,7 +359,7 @@ struct curlFileTransfer : public FileTransfer
 .path = url.path,
 // FIXME: add username
 };
- auto authData = authenticator->fill(authRequest, false);
+ auto authData = request.authenticator->fill(authRequest, false);
 if (authData) {
 if (authData->userName)
diff --git a/src/libstore/filetransfer.hh b/src/libstore/filetransfer.hh
index a3b0dde1f691..bb7cde772a7e 100644
--- a/src/libstore/filetransfer.hh
+++ b/src/libstore/filetransfer.hh
@@ -10,6 +10,8 @@
 namespace nix {
+namespace auth { class Authenticator; }
+
 struct FileTransferSettings : Config
 {
 Setting enableHttp2{this, true, "http2",
@@ -63,9 +65,9 @@ struct FileTransferRequest
 std::optional data;
 std::string mimeType;
 std::function dataCallback;
+ ref authenticator;
- FileTransferRequest(std::string_view uri)
- : uri(uri), parentAct(getCurActivity()) { }
+ FileTransferRequest(std::string_view uri);
 std::string verb()
 {
diff --git a/src/libutil/auth.cc b/src/libutil/auth.cc
index 06c3916ad895..6b819ec8aa99 100644
--- a/src/libutil/auth.cc
+++ b/src/libutil/auth.cc
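Review bot: The out-of-line `FileTransferRequest(std::string_view uri)` constructor now silently binds every request to the process-wide `auth::getAuthenticator()`, and the single-argument constructor is still not `explicit`, so any `std::string_view` or string literal converts into a request carrying those default credentials. Declare it `explicit FileTransferRequest(std::string_view uri);` in the filetransfer.hh hunk and document the member there, e.g. `/* Credential source for this request; defaults to the global authenticator, callers that must not see it (builders) override this. */`. The init list orders `uri`, `parentAct`, `authenticator`; `authenticator` is declared after `dataCallback` in the header hunk, but the positions of `uri` and `parentAct` are not visible, so check this matches declaration order to avoid a reorder warning. The third hunk's `request.authenticator->fill(...)` is fine as a `ref` cannot be null; that function's body continues outside the hunk.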
@@ -249,23 +249,6 @@ struct ExternalAuthSource : AuthSource
 }
 };
-Authenticator::Authenticator()
-{
- for (auto & s : authSettings.authSources.get()) {
- if (hasPrefix(s, "builtin:")) {
- if (s == "builtin:nix")
- authSources.push_back(make_ref());
- else if (s == "builtin:netrc") {
- if (authSettings.netrcFile != "")
- authSources.push_back(make_ref(authSettings.netrcFile));
- }
- else
- warn("unknown authentication sources '%s'", s);
- } else
- authSources.push_back(make_ref(s));
- }
-}
-
 std::optional Authenticator::fill(const AuthData & request, bool required)
 {
 if (!request.protocol)
@@ -295,7 +278,25 @@ void Authenticator::setAuthSource(ref authSource)
 ref getAuthenticator()
 {
- static auto authenticator = make_ref();
+ static auto authenticator = ({
+ std::vector> authSources;
+
+ for (auto & s : authSettings.authSources.get()) {
+ if (hasPrefix(s, "builtin:")) {
+ if (s == "builtin:nix")
+ authSources.push_back(make_ref());
+ else if (s == "builtin:netrc") {
+ if (authSettings.netrcFile != "")
+ authSources.push_back(make_ref(authSettings.netrcFile));
+ }
+ else
+ warn("unknown authentication sources '%s'", s);
+ } else
+ authSources.push_back(make_ref(s));
+ }
+
+ make_ref(authSources);
+ });
 return authenticator;
 }
diff --git a/src/libutil/auth.hh b/src/libutil/auth.hh
index 10878bd266d5..fa4d9ed55e87 100644
--- a/src/libutil/auth.hh
+++ b/src/libutil/auth.hh
@@ -101,7 +101,9 @@ class Authenticator
 public:
- Authenticator();
+ Authenticator(std::vector> authSources = {})
+ : authSources(std::move(authSources))
+ { }
 std::optional fill(const AuthData & request, bool required);
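Review bot: In the second auth.cc hunk the initializer of `authenticator` is a GNU statement expression, `({ ... })`, which is not standard C++ and relies on the value of the trailing `make_ref(authSources);` statement; the same loop also reads better as a named function than as an initializer spanning twenty lines. Move the loop into a file-local helper and write `static auto authenticator = makeDefaultAuthenticator();`, with the helper returning `make_ref<Authenticator>(std::move(authSources))` so the vector is moved into the constructor the auth.hh hunk adds rather than copied. The helper's one-line purpose comment can state that it builds the global authenticator from `authSettings.authSources`, and since the `warn(...)` is new code here, its message could read `"unknown authentication source '%s'"` for a single entry. The hunk header still shows `Authenticator::setAuthSource`, the mutable hook the old fetchurl path used; if no other caller remains, removing it would prevent the process-wide authenticator from being altered at runtime, though I cannot confirm its callers from this patch.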