feat(depot): Disallow access to //users from outside of it
Code under this depot path is essentially unstable and potentially unreviewed - this is a good thing (people can play around with cursed stuff all they want), but we should not make the rest of the repository depend on any of it. Any cursed things that are required outside of users can be moved to a different depot path if people agree with that. Change-Id: I46a34a0e9662069c01b43d9a653e5545e325e587 Reviewed-on: https://cl.tvl.fyi/c/depot/+/3434 Tested-by: BuildkiteCI Reviewed-by: grfn <grfn@gws.fyi>
This commit is contained in:
Vincent Ambo
tazjin
parent
8b851956ad
commit
e1f83cc086
1 changed files with 44 additions and 1 deletions
45
default.nix
45
default.nix
|
|
@ -8,13 +8,56 @@ let
|
||||||
inherit (builtins)
|
inherit (builtins)
|
||||||
attrValues
|
attrValues
|
||||||
concatMap
|
concatMap
|
||||||
|
elem
|
||||||
|
elemAt
|
||||||
filter
|
filter
|
||||||
;
|
;
|
||||||
|
|
||||||
# This definition of fix is identical to <nixpkgs>.lib.fix, but the global
|
# This definition of fix is identical to <nixpkgs>.lib.fix, but the global
|
||||||
# package set is not available here.
|
# package set is not available here.
|
||||||
fix = f: let x = f x; in x;
|
fix = f: let x = f x; in x;
|
||||||
readTree' = import ./nix/readTree {};
|
|
||||||
|
# readTree argument filter to generally disallow access to //users
|
||||||
|
# from other depot parts. Exceptions can be added for specific
|
||||||
|
# (full) paths.
|
||||||
|
depotArgsFilter = args: parts:
|
||||||
|
if (elemAt parts 0) == "users" || elem parts [
|
||||||
|
# whitby is allowed to access //users for two reasons:
|
||||||
|
#
|
||||||
|
# 1. Users host their SSH key sets in //users.
|
||||||
|
# 2. tazjin's website is currently hosted on whitby because
|
||||||
|
# camden is in storage.
|
||||||
|
#
|
||||||
|
# Due to evaluation order this also affects //ops/nixos.nix.
|
||||||
|
[ "ops" "machines" "whitby" ]
|
||||||
|
|
||||||
|
# TODO(tazjin): Can this one be removed somehow?
|
||||||
|
[ "ops" "nixos" ]
|
||||||
|
|
||||||
|
# //web/bubblegum has examples using //users/sterni, they should
|
||||||
|
# probably be in the user folder instead with a link there.
|
||||||
|
# TODO(sterni): Clean this up.
|
||||||
|
[ "web" "bubblegum" ]
|
||||||
|
]
|
||||||
|
then args
|
||||||
|
else args // {
|
||||||
|
depot = args.depot // {
|
||||||
|
users = throw ''
|
||||||
|
Access to items from the //users folder is not permitted from
|
||||||
|
other depot paths. Code under //users is not considered stable
|
||||||
|
or dependable in the wider depot context.
|
||||||
|
|
||||||
|
If a project under //users is required by something else,
|
||||||
|
please move it to a different depot path.
|
||||||
|
|
||||||
|
At location: [ ${toString parts} ]
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
readTree' = import ./nix/readTree {
|
||||||
|
argsFilter = depotArgsFilter;
|
||||||
|
};
|
||||||
|
|
||||||
# To determine build targets, we walk through the depot tree and
|
# To determine build targets, we walk through the depot tree and
|
||||||
# fetch attributes that were imported by readTree and are buildable.
|
# fetch attributes that were imported by readTree and are buildable.
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue