Add CLI commands to manipulate ACLs

NixOS · balsoft · Nov 1, 2023 · Nov 1, 2023 · Nov 1, 2023 · Nov 1, 2023
commit 552e4e529c40535b464315b094b9f7db4e20113b
@@ -1,4 +1,5 @@
 #include "globals.hh"
+#include "granular-access-store.hh"
 #include "installables.hh"
 #include "installable-derived-path.hh"
 #include "installable-attr-path.hh"
@@ -19,6 +20,8 @@
 #include "url.hh"
 #include "registry.hh"
 #include "build-result.hh"
+#include "store-cast.hh"
+#include "local-store.hh"
 
 #include <regex>
 #include <queue>
@@ -519,10 +522,11 @@ std::vector<BuiltPathWithResult> Installable::build(
  ref<Store> store,
  Realise mode,
  const Installables & installables,
- BuildMode bMode)
+ BuildMode bMode,
+ bool protect)
 {
  std::vector<BuiltPathWithResult> res;
- for (auto & [_, builtPathWithResult] : build2(evalStore, store, mode, installables, bMode))
+ for (auto & [_, builtPathWithResult] : build2(evalStore, store, mode, installables, bMode, protect))
  res.push_back(builtPathWithResult);
  return res;
 }
@@ -532,7 +536,8 @@ std::vector<std::pair<ref<Installable>, BuiltPathWithResult>> Installable::build
  ref<Store> store,
  Realise mode,
  const Installables & installables,
- BuildMode bMode)
+ BuildMode bMode,
+ bool protect)
 {
  if (mode == Realise::Nothing)
  settings.readOnlyMode = true;
@@ -550,6 +555,17 @@ std::vector<std::pair<ref<Installable>, BuiltPathWithResult>> Installable::build
  for (auto b : i->toDerivedPaths()) {
  pathsToBuild.push_back(b.path);
  backmap[b.path].push_back({.info = b.info, .installable = i});
+ if (protect) {
+ LocalStore::AccessStatus status {true, {ACL::User(getuid())}};
+ std::visit(overloaded {
+ [&](DerivedPath::Opaque p){
+ require<LocalGranularAccessStore>(*store).setAccessStatus(p.path, status);
+ },
+ [&](DerivedPath::Built b){
+ require<LocalGranularAccessStore>(*store).setAccessStatus(b, status);
+ }
+ }, b.path);
+ }
  }
  }
 

@@ -156,14 +156,16 @@ struct Installable
  ref<Store> store,
  Realise mode,
  const Installables & installables,
- BuildMode bMode = bmNormal);
+ BuildMode bMode = bmNormal,
+ bool protect = false);
 
  static std::vector<std::pair<ref<Installable>, BuiltPathWithResult>> build2(
  ref<Store> evalStore,
  ref<Store> store,
  Realise mode,
  const Installables & installables,
- BuildMode bMode = bmNormal);
+ BuildMode bMode = bmNormal,
+ bool protect = false);
 
  static std::set<StorePath> toStorePaths(
  ref<Store> evalStore,

@@ -35,6 +35,20 @@ struct MixDryRun : virtual Args
  }
 };
 
+struct MixProtect : virtual Args
+{
+ bool protect = false;
+
+ MixProtect()
+ {
+ addFlag({
+ .longName = "protect",
+ .description = "Protect the resulting paths in nix store upon addition.",
+ .handler = {&protect, true},
+ });
+ }
+};
+
 struct MixJSON : virtual Args
 {
  bool json = false;

@@ -1,11 +1,13 @@
 #include "command.hh"
 #include "common-args.hh"
+#include "granular-access-store.hh"
 #include "store-api.hh"
 #include "archive.hh"
+#include "store-cast.hh"
 
 using namespace nix;
 
-struct CmdAddToStore : MixDryRun, StoreCommand
+struct CmdAddToStore : MixDryRun, MixProtect, StoreCommand
 {
  Path path;
  std::optional<std::string> namePart;
@@ -56,6 +58,13 @@ struct CmdAddToStore : MixDryRun, StoreCommand
  info.narSize = sink.s.size();
 
  if (!dryRun) {
+ if (protect) {
+ LocalGranularAccessStore::AccessStatus status;
+ status.isProtected = true;
+ status.entities = {ACL::User(getuid())};
+ info.accessStatus = status;
+ }
+
  auto source = StringSource(sink.s);
  store->addToStore(info, source);
  }

@@ -65,7 +65,7 @@ static void createOutLinks(const Path& outLink, const std::vector<BuiltPathWithR
  }
 }
 
-struct CmdBuild : InstallablesCommand, MixDryRun, MixJSON, MixProfile
+struct CmdBuild : InstallablesCommand, MixDryRun, MixJSON, MixProfile, MixProtect
 {
  Path outLink = "result";
  bool printOutputPaths = false;
@@ -134,7 +134,8 @@ struct CmdBuild : InstallablesCommand, MixDryRun, MixJSON, MixProfile
  getEvalStore(), store,
  Realise::Outputs,
  installables,
- repair ? bmRepair : buildMode);
+ repair ? bmRepair : buildMode,
+ protect);
 
  if (json) logger->cout("%s", builtPathsWithResultToJSON(buildables, store).dump());
 

@@ -0,0 +1,64 @@
+#include "command.hh"
+#include "store-api.hh"
+#include "local-fs-store.hh"
+#include "store-cast.hh"
+
+using namespace nix;
+
+struct CmdStoreAccessGrant : StorePathsCommand
+{
+ std::set<std::string> users;
+ std::set<std::string> groups;
+ CmdStoreAccessGrant()
+ {
+ addFlag({
+ .longName = "user",
+ .shortName = 'u',
+ .description = "User to whom access should be granted",
+ .labels = {"user"},
+ .handler = {[&](std::string _user){
+ users.insert(_user);
+ }}
+ });
+ addFlag({
+ .longName = "group",
+ .shortName = 'g',
+ .description = "Group to which access should be granted",
+ .labels = {"group"},
+ .handler = {[&](std::string _group){
+ groups.insert(_group);
+ }}
+ });
+ }
+ std::string description() override
+ {
+ return "grant a user access to store paths";
+ }
+
+ std::string doc() override
+ {
+ return
+ #include "store-repair.md"
+ ;
+ }
+
+ void run(ref<Store> store, StorePaths && storePaths) override
+ {
+ if (users.empty() && groups.empty()) {
+ throw Error("At least one of either --user/-u or --group/-g is required");
+ } else {
+ auto & localStore = require<LocalGranularAccessStore>(*store);
+ for (auto & path : storePaths) {
+ auto status = localStore.getAccessStatus(path);
+ if (!status.isProtected) warn("Path '%s' is not protected; all users can access it regardless of permissions", store->printStorePath(path));
+ if (!localStore.isValidPath(path)) warn("Path %s does not exist yet; permissions will be applied as soon as it is added to the store", localStore.printStorePath(path));
+
+ for (auto user : users) status.entities.insert(*getpwnam(user.c_str()));
+ for (auto group : groups) status.entities.insert(*getgrnam(group.c_str()));
+ localStore.setAccessStatus(path, status);
+ }
+ }
+ }
+};
+
+static auto rStoreAccessGrant = registerCommand2<CmdStoreAccessGrant>({"store", "access", "grant"});
@@ -0,0 +1,24 @@
+R"(
+# Examples
+
+```console
+$ nix store access info /nix/store/fzn8agjb9qmikbf97h1a5wlf3iifjgqz-foo
+The path is protected
+The following users have access to the path:
+ alice
+$ nix store access grant /nix/store/fzn8agjb9qmikbf97h1a5wlf3iifjgqz-foo --user bob --user carol
+$ nix store access info /nix/store/fzn8agjb9qmikbf97h1a5wlf3iifjgqz-foo
+The path is protected
+The following users have access to the path:
+ alice
+ bob
+ carol
+```
+
+# Description
+
+`nix store access grant` grants users access to store paths.
+
+<!-- FIXME moar docs -->
+
+)"
@@ -0,0 +1,103 @@
+#include "ansicolor.hh"
+#include "command.hh"
+#include "store-api.hh"
+#include "local-store.hh"
+#include "store-cast.hh"
+
+using namespace nix;
+
+struct CmdStoreAccessInfo : StorePathCommand, MixJSON
+{
+ std::string description() override
+ {
+ return "get information about store path access";
+ }
+
+ std::string doc() override
+ {
+ return
+ #include "store-access-info.md"
+ ;
+ }
+
+ void run(ref<Store> store, const StorePath & path) override
+ {
+ auto & aclStore = require<LocalGranularAccessStore>(*store);
+ auto status = aclStore.getAccessStatus(path);
+ bool isValid = aclStore.isValidPath(path);
+ std::set<std::string> users;
+ std::set<std::string> groups;
+ for (auto entity : status.entities) {
+ std::visit(overloaded {
+ [&](ACL::User user) {
+ struct passwd * pw = getpwuid(user.uid);
+ users.insert(pw->pw_name);
+ },
+ [&](ACL::Group group) {
+ struct group * gr = getgrgid(group.gid);
+ groups.insert(gr->gr_name);
+ }
+ }, entity);
+ }
+ if (json) {
+ nlohmann::json j;
+ j["exists"] = isValid;
+ j["protected"] = status.isProtected;
+ j["users"] = users;
+ j["groups"] = groups;
+ logger->cout(j.dump());
+ }
+ else {
+ std::string be, have, has;
+ if (isValid) {
+ be = "is";
+ have = "have";
+ has = "has";
+ }
+ else {
+ be = "will be";
+ have = "will have";
+ has = "will have";
+
+ logger->cout("The path does not exist yet; the permissions will be applied when it is added to the store.\n");
+ }
+
+ if (status.isProtected)
+ logger->cout("The path " + be + " " ANSI_BOLD ANSI_GREEN "protected" ANSI_NORMAL);
+ else
+ logger->cout("The path " + be + " " ANSI_BOLD ANSI_RED "not" ANSI_NORMAL " protected");
+
+ if (users.empty() && groups.empty()) {
+ if (status.isProtected) { logger->cout(""); logger->cout("Nobody " + has + " access to the path"); };
+ } else {
+ logger->cout("");
+ if (!status.isProtected) {
+ logger->warn("Despite this path not being protected, some users and groups " + have + " additional access to it.");
+ logger->cout("");
+ }
+
+ if (!users.empty()) {
+ if (status.isProtected)
+ logger->cout("The following users " + have + " access to the path:");
+ else
+ logger->cout(ANSI_BOLD "If the path was protected" ANSI_NORMAL ", the following users would have access to it:");
+
+ for (auto user : users)
+ logger->cout(ANSI_MAGENTA " %s" ANSI_NORMAL, user);
+ }
+ if (! (users.empty() && groups.empty())) logger->cout("");
+ if (!groups.empty()) {
+ if (status.isProtected)
+ logger->cout("Users in the following groups " + have + " access to the path:");
+ else
+ logger->cout(ANSI_BOLD "If the path was protected" ANSI_NORMAL ", users in the following groups would have access to it:");
+ for (auto group : groups)
+ logger->cout(ANSI_CYAN " %s" ANSI_NORMAL, group);
+ }
+ }
+ }
+ }
+
+};
+
+static auto rStoreAccessInfo = registerCommand2<CmdStoreAccessInfo>({"store", "access", "info"});
@@ -0,0 +1,17 @@
+R"(
+# Examples
+
+```console
+$ nix store access info /nix/store/fzn8agjb9qmikbf97h1a5wlf3iifjgqz-foo
+The path is protected
+The following users have access to the path:
+ alice
+$ nix store access info /nix/store/fzn8agjb9qmikbf97h1a5wlf3iifjgqz-foo --json
+{"protected":true,users:["alice"]}
+```
+
+# Description
+
+This command shows information about the access control list of a store path.
+
+)"
@@ -0,0 +1,37 @@
+#include "command.hh"
+#include "granular-access-store.hh"
+#include "local-fs-store.hh"
+#include "store-api.hh"
+#include "store-cast.hh"
+
+using namespace nix;
+
+struct CmdStoreAccessProtect : StorePathsCommand
+{
+ std::string description() override
+ {
+ return "protect store paths";
+ }
+
+ std::string doc() override
+ {
+ return
+ #include "store-repair.md"
+ ;
+ }
+
+ void run(ref<Store> store, StorePaths && storePaths) override
+ {
+ auto & localStore = require<LocalGranularAccessStore>(*store);
+ for (auto & path : storePaths) {
+ auto status = localStore.getAccessStatus(path);
+ if (!status.entities.empty())
+ warn("There are some users or groups who have access to path %s; consider removing them with \n" ANSI_BOLD "nix store access revoke --all-entities %s" ANSI_NORMAL, localStore.printStorePath(path), localStore.printStorePath(path));
+ if (!localStore.isValidPath(path)) warn("Path %s does not exist yet; permissions will be applied as soon as it is added to the store", localStore.printStorePath(path));
+ status.isProtected = true;
+ localStore.setAccessStatus(path, status);
+ }
+ }
+};
+
+static auto rStoreAccessProtect = registerCommand2<CmdStoreAccessProtect>({"store", "access", "protect"});