refactor(readTree): Move 'restrictFolder' function into readTree
This is generally useful for readTree users and should be part of readTree itself. This is a move towards exposing several readTree-related features from the library itself, in the future also including logic like 'gather'. Note that this has a small functional change: In error messages of the function, the notation for accessing Nix attributes is now used rather than the Perforce-style `//` notation common in TVL. For example, an error at `//web/tvl/logo` will produce `web.tvl.logo` in the error message (which corresponds to the readTree attribute itself). This makes more sense for non-TVL consumers of readTree, as the Perforce-style notation is custom to us specifically. Change-Id: I8e199e473843c40db40b404c20d2c71f48a0f658
This commit is contained in:
parent
95ee86225b
commit
bc51bd99d9
2 changed files with 37 additions and 26 deletions
28
default.nix
28
default.nix
|
@ -6,10 +6,7 @@
|
|||
|
||||
let
|
||||
inherit (builtins)
|
||||
attrValues
|
||||
concatMap
|
||||
elem
|
||||
elemAt
|
||||
filter
|
||||
;
|
||||
|
||||
|
@ -17,27 +14,10 @@ let
|
|||
# package set is not available here.
|
||||
fix = f: let x = f x; in x;
|
||||
|
||||
# Create a readTree filter disallowing access to the specified
|
||||
# top-level folder in other parts of the depot, except for specific
|
||||
# exceptions specified by their (full) paths.
|
||||
restrictFolder = { folder, exceptions ? [], reason }: parts: args:
|
||||
if (elemAt parts 0) == folder || elem parts exceptions
|
||||
then args
|
||||
else args // {
|
||||
depot = args.depot // {
|
||||
"${folder}" = throw ''
|
||||
Access to targets under //${folder} is not permitted from
|
||||
other depot paths. Specific exceptions are configured at the
|
||||
top-level.
|
||||
|
||||
${reason}
|
||||
At location: //${builtins.concatStringsSep "/" parts}
|
||||
'';
|
||||
};
|
||||
};
|
||||
readTree = import ./nix/readTree {};
|
||||
|
||||
# Disallow access to //users from other depot parts.
|
||||
usersFilter = restrictFolder {
|
||||
usersFilter = readTree.restrictFolder {
|
||||
folder = "users";
|
||||
reason = ''
|
||||
Code under //users is not considered stable or dependable in the
|
||||
|
@ -60,7 +40,7 @@ let
|
|||
};
|
||||
|
||||
# Disallow access to //corp from other depot parts.
|
||||
corpFilter = restrictFolder {
|
||||
corpFilter = readTree.restrictFolder {
|
||||
folder = "corp";
|
||||
reason = ''
|
||||
Code under //corp may use incompatible licensing terms with
|
||||
|
@ -76,7 +56,7 @@ let
|
|||
];
|
||||
};
|
||||
|
||||
readDepot = depotArgs: import ./nix/readTree {} {
|
||||
readDepot = depotArgs: readTree {
|
||||
args = depotArgs;
|
||||
path = ./.;
|
||||
filter = parts: args: corpFilter parts (usersFilter parts args);
|
||||
|
|
|
@ -20,13 +20,13 @@
|
|||
let
|
||||
inherit (builtins)
|
||||
attrNames
|
||||
baseNameOf
|
||||
concatStringsSep
|
||||
elem
|
||||
elemAt
|
||||
filter
|
||||
hasAttr
|
||||
head
|
||||
isAttrs
|
||||
length
|
||||
listToAttrs
|
||||
map
|
||||
match
|
||||
|
@ -138,4 +138,35 @@ in {
|
|||
rootDir = true;
|
||||
parts = [];
|
||||
};
|
||||
|
||||
# In addition to readTree itself, some functionality is exposed that
|
||||
# is useful for users of readTree.
|
||||
|
||||
# Create a readTree filter disallowing access to the specified
|
||||
# top-level folder in the repository, except for specific exceptions
|
||||
# specified by their (full) paths.
|
||||
#
|
||||
# Called with the arguments:
|
||||
#
|
||||
# folder: Name of the restricted top-level folder (e.g. 'experimental')
|
||||
#
|
||||
# exceptions: List of readTree parts (e.g. [ [ "services" "some-app" ] ]),
|
||||
# which should be able to access the restricted folder.
|
||||
#
|
||||
# reason: Textual explanation for the restriction (included in errors)
|
||||
restrictFolder = { folder, exceptions ? [], reason }: parts: args:
|
||||
if (elemAt parts 0) == folder || elem parts exceptions
|
||||
then args
|
||||
else args // {
|
||||
depot = args.depot // {
|
||||
"${folder}" = throw ''
|
||||
Access to targets under //${folder} is not permitted from
|
||||
other repository paths. Specific exceptions are configured
|
||||
at the top-level.
|
||||
|
||||
${reason}
|
||||
At location: ${builtins.concatStringsSep "." parts}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue