feat(depot): Disallow access to //users from outside of it
Code under this depot path is essentially unstable and potentially unreviewed - this is a good thing (people can play around with cursed stuff all they want), but we should not make the rest of the repository depend on any of it. Any cursed things that are required outside of users can be moved to a different depot path if people agree with that. Change-Id: I46a34a0e9662069c01b43d9a653e5545e325e587 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3434 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
		
							parent
							
								
									8b851956ad
								
							
						
					
					
						commit
						e1f83cc086
					
				
					 1 changed files with 44 additions and 1 deletions
				
			
		
							
								
								
									
										45
									
								
								default.nix
									
										
									
									
									
								
							
							
						
						
									
										45
									
								
								default.nix
									
										
									
									
									
								
							|  | @ -8,13 +8,56 @@ let | |||
|   inherit (builtins) | ||||
|     attrValues | ||||
|     concatMap | ||||
|     elem | ||||
|     elemAt | ||||
|     filter | ||||
|     ; | ||||
| 
 | ||||
|   # This definition of fix is identical to <nixpkgs>.lib.fix, but the global | ||||
|   # package set is not available here. | ||||
|   fix = f: let x = f x; in x; | ||||
|   readTree' = import ./nix/readTree {}; | ||||
| 
 | ||||
|   # readTree argument filter to generally disallow access to //users | ||||
|   # from other depot parts. Exceptions can be added for specific | ||||
|   # (full) paths. | ||||
|   depotArgsFilter = args: parts: | ||||
|     if (elemAt parts 0) == "users" || elem parts [ | ||||
|       # whitby is allowed to access //users for two reasons: | ||||
|       # | ||||
|       # 1. Users host their SSH key sets in //users. | ||||
|       # 2. tazjin's website is currently hosted on whitby because | ||||
|       #    camden is in storage. | ||||
|       # | ||||
|       # Due to evaluation order this also affects //ops/nixos.nix. | ||||
|       [ "ops" "machines" "whitby" ] | ||||
| 
 | ||||
|       # TODO(tazjin): Can this one be removed somehow? | ||||
|       [ "ops" "nixos" ] | ||||
| 
 | ||||
|       # //web/bubblegum has examples using //users/sterni, they should | ||||
|       # probably be in the user folder instead with a link there. | ||||
|       # TODO(sterni): Clean this up. | ||||
|       [ "web" "bubblegum" ] | ||||
|     ] | ||||
|     then args | ||||
|     else args // { | ||||
|       depot = args.depot // { | ||||
|         users = throw '' | ||||
|           Access to items from the //users folder is not permitted from | ||||
|           other depot paths. Code under //users is not considered stable | ||||
|           or dependable in the wider depot context. | ||||
| 
 | ||||
|           If a project under //users is required by something else, | ||||
|           please move it to a different depot path. | ||||
| 
 | ||||
|           At location: [ ${toString parts} ] | ||||
|         ''; | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     readTree' = import ./nix/readTree { | ||||
|       argsFilter = depotArgsFilter; | ||||
|     }; | ||||
| 
 | ||||
|   # To determine build targets, we walk through the depot tree and | ||||
|   # fetch attributes that were imported by readTree and are buildable. | ||||
|  |  | |||
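Review bot: `depotArgsFilter` only replaces the `depot.users` attribute of the arguments, so it catches attribute access but presumably not a relative-path `import` into the users folder, nor a non-exempt path that consumes the value of an exempted one such as `depot.ops.machines.whitby`; the comment above the function should say so, e.g. `# Note: this only guards the depot.users attribute; path imports and values produced by exempted paths are not covered.` Each exemption also passes the whole of //users through unfiltered, although the comments describe narrower needs (SSH key sets, one website, examples from one user), so the boundary is wider than the stated reasons. Separately, `elemAt parts 0` aborts evaluation if readTree ever calls the filter with an empty `parts` list (whether it does is not visible here); `(parts != [] && elemAt parts 0 == "users") || elem parts [` would let that case fall through to the filtered arguments. The enclosing `let` block starts and ends outside the hunk.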