Diffstat (limited to 'pkgs/test/nixpkgs-check-by-name/src')
-rw-r--r-- | pkgs/test/nixpkgs-check-by-name/src/eval.rs | 12 | ||||
-rw-r--r-- | pkgs/test/nixpkgs-check-by-name/src/main.rs | 36 |
2 files changed, 45 insertions, 3 deletions
diff --git a/pkgs/test/nixpkgs-check-by-name/src/eval.rs b/pkgs/test/nixpkgs-check-by-name/src/eval.rs
index d084642ffe7..17e22495b22 100644
--- a/pkgs/test/nixpkgs-check-by-name/src/eval.rs
+++ b/pkgs/test/nixpkgs-check-by-name/src/eval.rs
@@ -30,9 +30,15 @@ pub fn check_values<W: io::Write>(
 // Write the list of packages we need to check into a temporary JSON file.
 // This can then get read by the Nix evaluation.
 let attrs_file = NamedTempFile::new().context("Failed to create a temporary file")?;
+ // We need to canonicalise this path because if it's a symlink (which can be the case on
+ // Darwin), Nix would need to read both the symlink and the target path, therefore need 2
+ // NIX_PATH entries for restrict-eval. But if we resolve the symlinks then only one predictable
+ // entry is needed.
+ let attrs_file_path = attrs_file.path().canonicalize()?;
+
 serde_json::to_writer(&attrs_file, &nixpkgs.package_names).context(format!(
 "Failed to serialise the package names to the temporary path {}",
- attrs_file.path().display()
+ attrs_file_path.display()
 ))?;
 
 // With restrict-eval, only paths in NIX_PATH can be accessed, so we explicitly specify the
@@ -57,9 +63,9 @@ pub fn check_values<W: io::Write>(
 // Pass the path to the attrs_file as an argument and add it to the NIX_PATH so it can be
 // accessed in restrict-eval mode
 .args(["--arg", "attrsPath"])
- .arg(attrs_file.path())
+ .arg(&attrs_file_path)
 .arg("-I")
- .arg(attrs_file.path())
+ .arg(&attrs_file_path)
 // Same for the nixpkgs to test
 .args(["--arg", "nixpkgsPath"])
 .arg(&nixpkgs.path)
diff --git a/pkgs/test/nixpkgs-check-by-name/src/main.rs b/pkgs/test/nixpkgs-check-by-name/src/main.rs
index db22e524553..751b5dbd024 100644
--- a/pkgs/test/nixpkgs-check-by-name/src/main.rs
+++ b/pkgs/test/nixpkgs-check-by-name/src/main.rs
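Review bot: The added `attrs_file.path().canonicalize()?` in the first eval.rs hunk propagates a bare I/O error, while the neighbouring `NamedTempFile::new()` and `serde_json::to_writer` calls both attach `.context(...)`, so a failure here would not say which path could not be resolved. I would write `let attrs_file_path = attrs_file.path().canonicalize().context(format!("Failed to canonicalise the temporary path {}", attrs_file.path().display()))?;`. The resolved `PathBuf` is also no longer tied to `attrs_file`, and in the second hunk it becomes both the `--arg attrsPath` value and the `-I` allow-list entry for restrict-eval, so a short comment such as `// attrs_file must stay alive until the Nix command has finished; attrs_file_path is only a copy of its resolved location` would record the lifetime assumption. check_values starts and ends outside both hunks, so how the command is run is not visible here.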
@@ -140,6 +140,42 @@ mod tests {
 Ok(())
 }
 
+ /// Tests symlinked temporary directories.
+ /// This is needed because on darwin, `/tmp` is a symlink to `/private/tmp`, and Nix's
+ /// restrict-eval doesn't also allow access to the canonical path when you allow the
+ /// non-canonical one.
+ ///
+ /// The error if we didn't do this would look like this:
+ /// error: access to canonical path '/private/var/folders/[...]/.tmpFbcNO0' is forbidden in restricted mode
+ #[test]
+ fn test_symlinked_tmpdir() -> anyhow::Result<()> {
+ // Create a directory with two entries:
+ // - actual (dir)
+ // - symlinked -> actual (symlink)
+ let temp_root = tempdir()?;
+ fs::create_dir(temp_root.path().join("actual"))?;
+ std::os::unix::fs::symlink("actual", temp_root.path().join("symlinked"))?;
+ let tmpdir = temp_root.path().join("symlinked");
+
+ // Then set TMPDIR to the symlinked directory
+ // Make sure to persist the old value so we can undo this later
+ let old_tmpdir = env::var("TMPDIR").ok();
+ env::set_var("TMPDIR", &tmpdir);
+
+ // Then run a simple test with this symlinked temporary directory
+ // This should be successful
+ test_nixpkgs("symlinked_tmpdir", Path::new("tests/success"), "")?;
+
+ // Undo the env variable change
+ if let Some(old) = old_tmpdir {
+ env::set_var("TMPDIR", old);
+ } else {
+ env::remove_var("TMPDIR");
+ }
+
+ Ok(())
+ }
+
 fn test_nixpkgs(name: &str, path: &Path, expected_errors: &str) -> anyhow::Result<()> {
 let extra_nix_path = Path::new("tests/mock-nixpkgs.nix");
 
|
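Review bot: In `test_symlinked_tmpdir` the `?` on the `test_nixpkgs(...)` call returns before the "Undo the env variable change" block, so a failing run leaves TMPDIR pointing at the `symlinked` directory, which disappears when `temp_root` is dropped. Any later test in the same process that creates a temporary file would then fail for an unrelated reason. Bind the result first with `let result = test_nixpkgs("symlinked_tmpdir", Path::new("tests/success"), "");`, restore TMPDIR, and end the function with `result` instead of `Ok(())`. Separately, `env::set_var` changes the environment of the whole test process and the default test harness runs tests on parallel threads, so other tests in this module may observe the symlinked TMPDIR while this one runs. A comment stating that assumption, or serialising the tests that go through `test_nixpkgs`, would make it explicit.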