tvix_glue/builtins/derivation.rs
1//! Implements `builtins.derivation`, the core of what makes Nix build packages.
2use crate::builtins::DerivationError;
3use crate::known_paths::KnownPaths;
4use crate::tvix_store_io::TvixStoreIO;
5use bstr::BString;
6use nix_compat::derivation::{Derivation, Output};
7use nix_compat::nixhash;
8use nix_compat::store_path::{StorePath, StorePathRef};
9use std::collections::{btree_map, BTreeSet};
10use std::rc::Rc;
11use tvix_eval::builtin_macros::builtins;
12use tvix_eval::generators::{self, emit_warning_kind, GenCo};
13use tvix_eval::{
14 AddContext, ErrorKind, NixAttrs, NixContext, NixContextElement, Value, WarningKind,
15};
16
17// Constants used for strangely named fields in derivation inputs.
18const STRUCTURED_ATTRS: &str = "__structuredAttrs";
19const IGNORE_NULLS: &str = "__ignoreNulls";
20
21/// Populate the inputs of a derivation from the build references
22/// found when scanning the derivation's parameters and extracting their contexts.
23fn populate_inputs(drv: &mut Derivation, full_context: NixContext, known_paths: &KnownPaths) {
24 for element in full_context.iter() {
25 match element {
26 NixContextElement::Plain(source) => {
27 let sp = StorePathRef::from_absolute_path(source.as_bytes())
28 .expect("invalid store path")
29 .to_owned();
30 drv.input_sources.insert(sp);
31 }
32
33 NixContextElement::Single {
34 name,
35 derivation: derivation_str,
36 } => {
37 // TODO: b/264
38 // We assume derivations to be passed validated, so ignoring rest
39 // and expecting parsing is ok.
40 let (derivation, _rest) =
41 StorePath::from_absolute_path_full(derivation_str).expect("valid store path");
42
43 #[cfg(debug_assertions)]
44 assert!(
45 _rest.iter().next().is_none(),
46 "Extra path not empty for {derivation_str}"
47 );
48
49 match drv.input_derivations.entry(derivation.clone()) {
50 btree_map::Entry::Vacant(entry) => {
51 entry.insert(BTreeSet::from([name.clone()]));
52 }
53
54 btree_map::Entry::Occupied(mut entry) => {
55 entry.get_mut().insert(name.clone());
56 }
57 }
58 }
59
60 NixContextElement::Derivation(drv_path) => {
61 let (derivation, _rest) =
62 StorePath::from_absolute_path_full(drv_path).expect("valid store path");
63
64 #[cfg(debug_assertions)]
65 assert!(
66 _rest.iter().next().is_none(),
67 "Extra path not empty for {drv_path}"
68 );
69
70 // We need to know all the outputs *names* of that derivation.
71 let output_names = known_paths
72 .get_drv_by_drvpath(&derivation)
73 .expect("no known derivation associated to that derivation path")
74 .outputs
75 .keys();
76
77 // FUTUREWORK(performance): ideally, we should be able to clone
78 // cheaply those outputs rather than duplicate them all around.
79 match drv.input_derivations.entry(derivation.clone()) {
80 btree_map::Entry::Vacant(entry) => {
81 entry.insert(output_names.cloned().collect());
82 }
83
84 btree_map::Entry::Occupied(mut entry) => {
85 entry.get_mut().extend(output_names.cloned());
86 }
87 }
88
89 drv.input_sources.insert(derivation);
90 }
91 }
92 }
93}
94
95/// Populate the output configuration of a derivation based on the
96/// parameters passed to the call, configuring a fixed-output derivation output
97/// if necessary.
98///
99/// This function handles all possible combinations of the
100/// parameters, including invalid ones.
101///
102/// Due to the support for SRI hashes, and how these are passed along to
103/// builtins.derivation, outputHash and outputHashAlgo can have values which
104/// need to be further modified before constructing the Derivation struct.
105///
106/// If outputHashAlgo is an SRI hash, outputHashAlgo must either be an empty
107/// string, or the hash algorithm as specified in the (single) SRI (entry).
108/// SRI strings with multiple hash algorithms are not supported.
109///
110/// In case an SRI string was used, the (single) fixed output is populated
111/// with the hash algo name, and the hash digest is populated with the
112/// (lowercase) hex encoding of the digest.
113///
114/// These values are only rewritten for the outputs, not what's passed to env.
115///
116/// The return value may optionally contain a warning.
117fn handle_fixed_output(
118 drv: &mut Derivation,
119 hash_str: Option<String>, // in nix: outputHash
120 hash_algo_str: Option<String>, // in nix: outputHashAlgo
121 hash_mode_str: Option<String>, // in nix: outputHashmode
122) -> Result<Option<WarningKind>, ErrorKind> {
123 // If outputHash is provided, ensure hash_algo_str is compatible.
124 // If outputHash is not provided, do nothing.
125 if let Some(hash_str) = hash_str {
126 // treat an empty algo as None
127 let hash_algo_str = match hash_algo_str {
128 Some(s) if s.is_empty() => None,
129 Some(s) => Some(s),
130 None => None,
131 };
132
133 // construct a NixHash.
134 let nixhash = nixhash::from_str(&hash_str, hash_algo_str.as_deref())
135 .map_err(DerivationError::InvalidOutputHash)?;
136 let algo = nixhash.algo();
137
138 // construct the fixed output.
139 drv.outputs.insert(
140 "out".to_string(),
141 Output {
142 path: None,
143 ca_hash: match hash_mode_str.as_deref() {
144 None | Some("flat") => Some(nixhash::CAHash::Flat(nixhash)),
145 Some("recursive") => Some(nixhash::CAHash::Nar(nixhash)),
146 Some(other) => {
147 return Err(DerivationError::InvalidOutputHashMode(other.to_string()))?
148 }
149 },
150 },
151 );
152
153 // Peek at hash_str once more.
154 // If it was a SRI hash, but is not using the correct length, this means
155 // the padding was wrong. Emit a warning in that case.
156 let sri_prefix = format!("{algo}-");
157 if let Some(rest) = hash_str.strip_prefix(&sri_prefix) {
158 if data_encoding::BASE64.encode_len(algo.digest_length()) != rest.len() {
159 return Ok(Some(WarningKind::SRIHashWrongPadding));
160 }
161 }
162 }
163 Ok(None)
164}
165
166#[builtins(state = "Rc<TvixStoreIO>")]
167pub(crate) mod derivation_builtins {
168 use std::collections::BTreeMap;
169
170 use bstr::ByteSlice;
171
172 use nix_compat::store_path::hash_placeholder;
173 use tvix_eval::generators::Gen;
174 use tvix_eval::{NixContext, NixContextElement, NixString};
175
176 use crate::builtins::utils::{select_string, strong_importing_coerce_to_string};
177 // use crate::fetchurl::fetchurl_derivation_to_fetch;
178
179 use super::*;
180
181 #[builtin("placeholder")]
182 async fn builtin_placeholder(co: GenCo, input: Value) -> Result<Value, ErrorKind> {
183 if input.is_catchable() {
184 return Ok(input);
185 }
186
187 let placeholder = hash_placeholder(
188 input
189 .to_str()
190 .context("looking at output name in builtins.placeholder")?
191 .to_str()?,
192 );
193
194 Ok(placeholder.into())
195 }
196
197 /// Strictly construct a Nix derivation from the supplied arguments.
198 ///
199 /// This is considered an internal function, users usually want to
200 /// use the higher-level `builtins.derivation` instead.
201 #[builtin("derivationStrict")]
202 async fn builtin_derivation_strict(
203 state: Rc<TvixStoreIO>,
204 co: GenCo,
205 input: Value,
206 ) -> Result<Value, ErrorKind> {
207 if input.is_catchable() {
208 return Ok(input);
209 }
210
211 let input = input.to_attrs()?;
212 let name = generators::request_force(&co, input.select_required("name")?.clone()).await;
213
214 if name.is_catchable() {
215 return Ok(name);
216 }
217
218 let name = name.to_str().context("determining derivation name")?;
219 if name.is_empty() {
220 return Err(ErrorKind::Abort("derivation has empty name".to_string()));
221 }
222 let name = name.to_str()?;
223
224 let mut drv = Derivation::default();
225 drv.outputs.insert("out".to_string(), Default::default());
226 let mut input_context = NixContext::new();
227
228 /// Inserts a key and value into the drv.environment BTreeMap, and fails if the
229 /// key did already exist before.
230 fn insert_env(
231 drv: &mut Derivation,
232 k: &str, /* TODO: non-utf8 env keys */
233 v: BString,
234 ) -> Result<(), DerivationError> {
235 if drv.environment.insert(k.into(), v).is_some() {
236 return Err(DerivationError::DuplicateEnvVar(k.into()));
237 }
238 Ok(())
239 }
240
241 // Check whether null attributes should be ignored or passed through.
242 let ignore_nulls = match input.select_str(IGNORE_NULLS) {
243 Some(b) => generators::request_force(&co, b.clone()).await.as_bool()?,
244 None => false,
245 };
246
247 // peek at the STRUCTURED_ATTRS argument.
248 // If it's set and true, provide a BTreeMap that gets populated while looking at the arguments.
249 // We need it to be a BTreeMap, so iteration order of keys is reproducible.
250 let mut structured_attrs: Option<BTreeMap<String, serde_json::Value>> =
251 match input.select_str(STRUCTURED_ATTRS) {
252 Some(b) => generators::request_force(&co, b.clone())
253 .await
254 .as_bool()?
255 .then_some(Default::default()),
256 None => None,
257 };
258
259 // Look at the arguments passed to builtins.derivationStrict.
260 // Some set special fields in the Derivation struct, some change
261 // behaviour of other functionality.
262 for (arg_name, arg_value) in input.clone().into_iter_sorted() {
263 let arg_name = arg_name.to_str()?;
264 // force the current value.
265 let value = generators::request_force(&co, arg_value).await;
266
267 // filter out nulls if ignore_nulls is set.
268 if ignore_nulls && matches!(value, Value::Null) {
269 continue;
270 }
271
272 match arg_name {
273 // Command line arguments to the builder.
274 // These are only set in drv.arguments.
275 "args" => {
276 for arg in value.to_list()? {
277 match strong_importing_coerce_to_string(&co, arg).await {
278 Err(cek) => return Ok(Value::from(cek)),
279 Ok(s) => {
280 input_context.mimic(&s);
281 drv.arguments.push(s.to_str()?.to_owned())
282 }
283 }
284 }
285 }
286
287 // If outputs is set, remove the original default `out` output,
288 // and replace it with the list of outputs.
289 "outputs" => {
290 let outputs = value
291 .to_list()
292 .context("looking at the `outputs` parameter of the derivation")?;
293
294 // Remove the original default `out` output.
295 drv.outputs.clear();
296
297 let mut output_names = Vec::with_capacity(outputs.len());
298
299 for output in outputs {
300 let output_name = generators::request_force(&co, output)
301 .await
302 .to_str()
303 .context("determining output name")?;
304
305 input_context.mimic(&output_name);
306
307 // Populate drv.outputs
308 if drv
309 .outputs
310 .insert(output_name.to_str()?.to_owned(), Default::default())
311 .is_some()
312 {
313 Err(DerivationError::DuplicateOutput(
314 output_name.to_str_lossy().into_owned(),
315 ))?
316 }
317 output_names.push(output_name.to_str()?.to_owned());
318 }
319
320 match structured_attrs.as_mut() {
321 // add outputs to the json itself (as a list of strings)
322 Some(structured_attrs) => {
323 structured_attrs.insert(arg_name.into(), output_names.into());
324 }
325 // add drv.environment["outputs"] as a space-separated list
326 None => {
327 insert_env(&mut drv, arg_name, output_names.join(" ").into())?;
328 }
329 }
330 // drv.environment[$output_name] is added after the loop,
331 // with whatever is in drv.outputs[$output_name].
332 }
333
334 // handle builder and system.
335 "builder" | "system" => {
336 match strong_importing_coerce_to_string(&co, value).await {
337 Err(cek) => return Ok(Value::from(cek)),
338 Ok(val_str) => {
339 input_context.mimic(&val_str);
340
341 if arg_name == "builder" {
342 val_str.to_str()?.clone_into(&mut drv.builder);
343 } else {
344 val_str.to_str()?.clone_into(&mut drv.system);
345 }
346
347 // Either populate drv.environment or structured_attrs.
348 if let Some(ref mut structured_attrs) = structured_attrs {
349 // No need to check for dups, we only iterate over every attribute name once
350 structured_attrs.insert(
351 arg_name.to_owned(),
352 val_str.to_str()?.to_owned().into(),
353 );
354 } else {
355 insert_env(&mut drv, arg_name, val_str.as_bytes().into())?;
356 }
357 }
358 }
359 }
360
361 // Don't add STRUCTURED_ATTRS if enabled.
362 STRUCTURED_ATTRS if structured_attrs.is_some() => continue,
363 // IGNORE_NULLS is always skipped, even if it's not set to true.
364 IGNORE_NULLS => continue,
365
366 // all other args.
367 _ => {
368 // In SA case, force and add to structured attrs.
369 // In non-SA case, coerce to string and add to env.
370 if let Some(ref mut structured_attrs) = structured_attrs {
371 let val = generators::request_force(&co, value).await;
372 if val.is_catchable() {
373 return Ok(val);
374 }
375
376 let (val_json, context) = val.into_contextful_json(&co).await?;
377 input_context.extend(context.into_iter());
378
379 // No need to check for dups, we only iterate over every attribute name once
380 structured_attrs.insert(arg_name.to_owned(), val_json);
381 } else {
382 match strong_importing_coerce_to_string(&co, value).await {
383 Err(cek) => return Ok(Value::from(cek)),
384 Ok(val_str) => {
385 input_context.mimic(&val_str);
386
387 insert_env(&mut drv, arg_name, val_str.as_bytes().into())?;
388 }
389 }
390 }
391 }
392 }
393 }
394 // end of per-argument loop
395
396 // Configure fixed-output derivations if required.
397 {
398 let output_hash = match select_string(&co, &input, "outputHash")
399 .await
400 .context("evaluating the `outputHash` parameter")?
401 {
402 Err(cek) => return Ok(Value::from(cek)),
403 Ok(s) => s,
404 };
405 let output_hash_algo = match select_string(&co, &input, "outputHashAlgo")
406 .await
407 .context("evaluating the `outputHashAlgo` parameter")?
408 {
409 Err(cek) => return Ok(Value::from(cek)),
410 Ok(s) => s,
411 };
412 let output_hash_mode = match select_string(&co, &input, "outputHashMode")
413 .await
414 .context("evaluating the `outputHashMode` parameter")?
415 {
416 Err(cek) => return Ok(Value::from(cek)),
417 Ok(s) => s,
418 };
419
420 if let Some(warning) =
421 handle_fixed_output(&mut drv, output_hash, output_hash_algo, output_hash_mode)?
422 {
423 emit_warning_kind(&co, warning).await;
424 }
425 }
426
427 // Each output name needs to exist in the environment, at this
428 // point initialised as an empty string, as the ATerm serialization of that is later
429 // used for the output path calculation (which will also update output
430 // paths post-calculation, both in drv.environment and drv.outputs)
431 for output in drv.outputs.keys() {
432 if drv
433 .environment
434 .insert(output.to_string(), String::new().into())
435 .is_some()
436 {
437 emit_warning_kind(&co, WarningKind::ShadowedOutput(output.to_string())).await;
438 }
439 }
440
441 if let Some(structured_attrs) = structured_attrs {
442 // configure __json
443 drv.environment.insert(
444 "__json".to_string(),
445 BString::from(serde_json::to_string(&structured_attrs)?),
446 );
447 }
448
449 let mut known_paths = state.as_ref().known_paths.borrow_mut();
450 populate_inputs(&mut drv, input_context, &known_paths);
451
452 // At this point, derivation fields are fully populated from
453 // eval data structures.
454 drv.validate(false)
455 .map_err(DerivationError::InvalidDerivation)?;
456
457 // Calculate the hash_derivation_modulo for the current derivation..
458 debug_assert!(
459 drv.outputs.values().all(|output| { output.path.is_none() }),
460 "outputs should still be unset"
461 );
462
463 // Mutate the Derivation struct and set output paths
464 drv.calculate_output_paths(
465 name,
466 // This one is still intermediate (so not added to known_paths),
467 // as the outputs are still unset.
468 &drv.hash_derivation_modulo(|drv_path| {
469 *known_paths
470 .get_hash_derivation_modulo(&drv_path.to_owned())
471 .unwrap_or_else(|| panic!("{drv_path} not found"))
472 }),
473 )
474 .map_err(DerivationError::InvalidDerivation)?;
475
476 let drv_path = drv
477 .calculate_derivation_path(name)
478 .map_err(DerivationError::InvalidDerivation)?;
479
480 // Assemble the attrset to return from this builtin.
481 let out = Value::Attrs(Box::new(NixAttrs::from_iter(
482 drv.outputs
483 .iter()
484 .map(|(name, output)| {
485 (
486 name.clone(),
487 NixString::new_context_from(
488 NixContextElement::Single {
489 name: name.clone(),
490 derivation: drv_path.to_absolute_path(),
491 }
492 .into(),
493 output.path.as_ref().unwrap().to_absolute_path(),
494 ),
495 )
496 })
497 .chain(std::iter::once((
498 "drvPath".to_owned(),
499 NixString::new_context_from(
500 NixContextElement::Derivation(drv_path.to_absolute_path()).into(),
501 drv_path.to_absolute_path(),
502 ),
503 ))),
504 )));
505
506 /*
507 // If the derivation is a fake derivation (builtin:fetchurl),
508 // synthesize a [Fetch] and add it there, too.
509 if drv.builder == "builtin:fetchurl" {
510 let (name, fetch) =
511 fetchurl_derivation_to_fetch(&drv).map_err(|e| ErrorKind::TvixError(Rc::new(e)))?;
512
513 known_paths
514 .add_fetch(fetch, &name)
515 .map_err(|e| ErrorKind::TvixError(Rc::new(e)))?;
516 }
517 */
518
519 // Register the Derivation in known_paths.
520 known_paths.add_derivation(drv_path, drv);
521
522 Ok(out)
523 }
524}