it-infra/nixbld-etc-nixos/hydra-sign-narinfo.patch

From c6185b4dc1fe87018d6129fc908791c0d2b37f82 Mon Sep 17 00:00:00 2001
From: Astro <astro@spaceboyz.net>
Date: Tue, 20 Oct 2020 16:05:33 +0200
Subject: [PATCH 2/2] sign narinfo on the fly

---
 src/lib/Hydra/Controller/Root.pm | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/src/lib/Hydra/Controller/Root.pm b/src/lib/Hydra/Controller/Root.pm
index 2df4323a..251800b2 100644
--- a/src/lib/Hydra/Controller/Root.pm
+++ b/src/lib/Hydra/Controller/Root.pm
@@ -10,12 +10,13 @@ use Hydra::View::TT;
 use Digest::SHA1 qw(sha1_hex);
 use Nix::Store;
 use Nix::Config;
+use Nix::Utils;
+use Nix::Manifest;
 use Encode;
 use File::Basename;
 use JSON;
 use List::MoreUtils qw{any};
 use Net::Prometheus;
-use IO::Handle;
 
 # Put this controller at top-level.
 __PACKAGE__->config->{namespace} = '';
@@ -321,7 +322,7 @@ sub nar :Local :Args(1) {
         $c->stash->{storePath} = $path;
     }
 
-    elsif (isLocalBinaryCacheStore && getStoreUri =~ "^file:/+(.+)") {
+    elsif (isLocalBinaryCacheStore && getStoreUri =~ "^file:/+([^\?]+)") {
         $c->response->content_type('application/x-nix-archive');
 
         $path = "/" . $1 . "/nar/$path";
@@ -380,13 +381,32 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {
         $c->forward('Hydra::View::NARInfo');
     }
 
-    elsif (isLocalBinaryCacheStore && getStoreUri =~ "^file:/+(.+)") {
+    elsif (isLocalBinaryCacheStore && getStoreUri =~ "^file:/+([^\?]+)") {
         $c->response->content_type('application/x-nix-archive');
+        setCacheHeaders($c, 24 * 60 * 60);
 
         my $path = "/" . $1 . "/" . $hash . ".narinfo";
-        my $fh = new IO::Handle;
-        open $fh, "<", $path;
-        $c->response->body($fh);
+        my $secretKeyFile = $c->config->{binary_cache_secret_key_file};
+        if (! defined $secretKeyFile && getStoreUri =~ "[\?\&]secret-key=([^\?\&]+)") {
+            $secretKeyFile = $1;
+        }
+        if (defined $secretKeyFile) {
+            # Optionally, sign the NAR info file
+            my $secretKey = readFile $secretKeyFile;
+            my $storePath = queryPathFromHashPart($hash);
+            my ($deriver, $narHash, $time, $narSize, $refs) = queryPathInfo($storePath, 1);
+            my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);
+            my $sig = signString($secretKey, $fingerprint);
+
+            my $info = readFile $path;
+            $info .= "Sig: $sig\n";
+            $c->response->body($info);
+        }
+        else {
+            my $fh = new IO::Handle;
+            open $fh, "<", $path;
+            $c->response->body($fh);
+        }
     }
 
     else {
-- 
2.28.0
hydra: add patches to serve from local binary cache store 2020-10-20 22:48:08 +08:00			`From c6185b4dc1fe87018d6129fc908791c0d2b37f82 Mon Sep 17 00:00:00 2001`
			`From: Astro <astro@spaceboyz.net>`
			`Date: Tue, 20 Oct 2020 16:05:33 +0200`
			`Subject: [PATCH 2/2] sign narinfo on the fly`

			`---`
			`src/lib/Hydra/Controller/Root.pm \| 32 ++++++++++++++++++++++++++------`
			`1 file changed, 26 insertions(+), 6 deletions(-)`

			`diff --git a/src/lib/Hydra/Controller/Root.pm b/src/lib/Hydra/Controller/Root.pm`
			`index 2df4323a..251800b2 100644`
			`--- a/src/lib/Hydra/Controller/Root.pm`
			`+++ b/src/lib/Hydra/Controller/Root.pm`
			`@@ -10,12 +10,13 @@ use Hydra::View::TT;`
			`use Digest::SHA1 qw(sha1_hex);`
			`use Nix::Store;`
			`use Nix::Config;`
			`+use Nix::Utils;`
			`+use Nix::Manifest;`
			`use Encode;`
			`use File::Basename;`
			`use JSON;`
			`use List::MoreUtils qw{any};`
			`use Net::Prometheus;`
			`-use IO::Handle;`

			`# Put this controller at top-level.`
			`__PACKAGE__->config->{namespace} = '';`
			`@@ -321,7 +322,7 @@ sub nar :Local :Args(1) {`
			`$c->stash->{storePath} = $path;`
			`}`

			`- elsif (isLocalBinaryCacheStore && getStoreUri =~ "^file:/+(.+)") {`
			`+ elsif (isLocalBinaryCacheStore && getStoreUri =~ "^file:/+([^\?]+)") {`
			`$c->response->content_type('application/x-nix-archive');`

			`$path = "/" . $1 . "/nar/$path";`
			`@@ -380,13 +381,32 @@ sub narinfo :LocalRegex('^([a-z0-9]+).narinfo$') :Args(0) {`
			`$c->forward('Hydra::View::NARInfo');`
			`}`

			`- elsif (isLocalBinaryCacheStore && getStoreUri =~ "^file:/+(.+)") {`
			`+ elsif (isLocalBinaryCacheStore && getStoreUri =~ "^file:/+([^\?]+)") {`
			`$c->response->content_type('application/x-nix-archive');`
			`+ setCacheHeaders($c, 24 * 60 * 60);`

			`my $path = "/" . $1 . "/" . $hash . ".narinfo";`
			`- my $fh = new IO::Handle;`
			`- open $fh, "<", $path;`
			`- $c->response->body($fh);`
			`+ my $secretKeyFile = $c->config->{binary_cache_secret_key_file};`
			`+ if (! defined $secretKeyFile && getStoreUri =~ "[\?\&]secret-key=([^\?\&]+)") {`
			`+ $secretKeyFile = $1;`
			`+ }`
			`+ if (defined $secretKeyFile) {`
			`+ # Optionally, sign the NAR info file`
			`+ my $secretKey = readFile $secretKeyFile;`
			`+ my $storePath = queryPathFromHashPart($hash);`
			`+ my ($deriver, $narHash, $time, $narSize, $refs) = queryPathInfo($storePath, 1);`
			`+ my $fingerprint = fingerprintPath($storePath, $narHash, $narSize, $refs);`
			`+ my $sig = signString($secretKey, $fingerprint);`
			`+`
			`+ my $info = readFile $path;`
			`+ $info .= "Sig: $sig\n";`
			`+ $c->response->body($info);`
			`+ }`
			`+ else {`
			`+ my $fh = new IO::Handle;`
			`+ open $fh, "<", $path;`
			`+ $c->response->body($fh);`
			`+ }`
			`}`

			`else {`
			`--`
			`2.28.0`