
fetchPypiLegacy: Pass cacert to enable TLS verification when username/password is used

The intent was for TLS verification to be enabled only when credentials are being transferred, and otherwise disabled for long-term reproducibility.

See https://github.com/nix-community/poetry2nix/issues/1740

+49 -41
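--- a/pkgs/build-support/fetchpypilegacy/default.nix
+++ b/pkgs/build-support/fetchpypilegacy/default.nix
@@ -3,7 +3,8 @@
 runCommand,
 lib,
 python3,
-}:
+cacert,
+}@pkgs:
 let
 inherit (lib)
 optionalAttrs
@@ -19,45 +18,52 @@
 
 impureEnvVars = fetchers.proxyImpureEnvVars ++ optional inPureEvalMode "NETRC";
 in
-{
-# package name
-pname,
-# Package index
-url ? null,
-# Multiple package indices to consider
-urls ? [ ],
-# filename including extension
-file,
-# SRI hash
-hash,
-# allow overriding the derivation name
-name ? null,
-}:
-let
-urls' = urls ++ optional (url != null) url;
+lib.makeOverridable (
+{
+# package name
+pname,
+# Package index
+url ? null,
+# Multiple package indices to consider
+urls ? [ ],
+# filename including extension
+file,
+# SRI hash
+hash,
+# allow overriding the derivation name
+name ? null,
+# allow overriding cacert using src.override { cacert = cacert.override { extraCertificateFiles = [ ./path/to/cert.pem ]; }; }
+cacert ? pkgs.cacert,
+}:
+let
+urls' = urls ++ optional (url != null) url;
 
-pathParts = filter ({ prefix, path }: "NETRC" == prefix) builtins.nixPath;
-netrc_file = if (pathParts != [ ]) then (head pathParts).path else "";
+pathParts = filter ({ prefix, path }: "NETRC" == prefix) builtins.nixPath;
+netrc_file = if (pathParts != [ ]) then (head pathParts).path else "";
 
-in
-# Assert that we have at least one URL
-assert urls' != [ ];
-runCommand file
-(
-{
-nativeBuildInputs = [ python3 ];
-inherit impureEnvVars;
-outputHashMode = "flat";
-# if hash is empty select a default algo to let nix propose the actual hash.
-outputHashAlgo = if hash == "" then "sha256" else null;
-outputHash = hash;
-}
-// optionalAttrs (name != null) { inherit name; }
-// optionalAttrs (!inPureEvalMode) { env.NETRC = netrc_file; }
-)
-''
-python ${./fetch-legacy.py} ${
-concatStringsSep " " (map (url: "--url ${escapeShellArg url}") urls')
-} --pname ${pname} --filename ${file}
-mv ${file} $out
-''
+in
+# Assert that we have at least one URL
+assert urls' != [ ];
+runCommand file
+(
+{
+nativeBuildInputs = [
+python3
+cacert
+];
+inherit impureEnvVars;
+outputHashMode = "flat";
+# if hash is empty select a default algo to let nix propose the actual hash.
+outputHashAlgo = if hash == "" then "sha256" else null;
+outputHash = hash;
+}
+// optionalAttrs (name != null) { inherit name; }
+// optionalAttrs (!inPureEvalMode) { env.NETRC = netrc_file; }
+)
+''
+python ${./fetch-legacy.py} ${
+concatStringsSep " " (map (url: "--url ${escapeShellArg url}") urls')
+} --pname ${pname} --filename ${file}
+mv ${file} $out
+''
+)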
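Review bot: The new `cacert` parameter is only documented as an override hook; nothing on the `cacert ? pkgs.cacert` line or at `nativeBuildInputs = [ python3 cacert ]` says what the bundle is for, and the verification policy the commit message describes (verify TLS only when NETRC credentials are sent, skip it otherwise for reproducibility) is presumably implemented in fetch-legacy.py, which is outside this diff. A reader auditing this fixed-output derivation has no way to see from default.nix that an unauthenticated fetch is still unverified, so the parameter should carry that contract, e.g. `# CA bundle handed to fetch-legacy.py; verification is expected only when NETRC credentials are sent, unauthenticated fetches rely on outputHash alone`. It would also help to note next to `cacert` in `nativeBuildInputs` that, because this is a fixed-output derivation, swapping the bundle (e.g. via `extraCertificateFiles` as the comment suggests) does not change `outputHash`, which is why the override is safe to expose. Finally, the one-line override comment on the new line 35 is well over the usual width; splitting the `src.override { ... }` example across two or three comment lines would keep it readable.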