fetchPypiLegacy: Pass cacert to enable TLS verification when username/password is used

The intent was for TLS verification to be enabled when transfering credentials only, and normally disabled for long-term reproducibility. See https://github.com/nix-community/poetry2nix/issues/1740
2024-11-21 22:43:01 +00:00 · 2024-08-14 13:20:21 +12:00 · 2024-08-14 13:20:21 +12:00 · bed19bdf39
commit bed19bdf39
parent 6aad68f7ca
1 changed files with 49 additions and 41 deletions
--- a/pkgs/build-support/fetchpypilegacy/default.nix
+++ b/pkgs/build-support/fetchpypilegacy/default.nix
@ -3,7 +3,8 @@
  runCommand,
  lib,
  python3,
-}:
+  cacert,
 }@pkgs:
 let
  inherit (lib)
    optionalAttrs
@ -18,45 +19,52 @@ let
  impureEnvVars = fetchers.proxyImpureEnvVars ++ optional inPureEvalMode "NETRC";
 in
-{
+lib.makeOverridable (
-  # package name
+  {
-  pname,
+    # package name
-  # Package index
+    pname,
-  url ? null,
+    # Package index
-  # Multiple package indices to consider
+    url ? null,
-  urls ? [ ],
+    # Multiple package indices to consider
-  # filename including extension
+    urls ? [ ],
-  file,
+    # filename including extension
-  # SRI hash
+    file,
-  hash,
+    # SRI hash
-  # allow overriding the derivation name
+    hash,
-  name ? null,
+    # allow overriding the derivation name
-}:
+    name ? null,
-let
+    # allow overriding cacert using src.override { cacert = cacert.override { extraCertificateFiles = [ ./path/to/cert.pem ]; }; }
-  urls' = urls ++ optional (url != null) url;
+    cacert ? pkgs.cacert,
  }:
  let
    urls' = urls ++ optional (url != null) url;
-  pathParts = filter ({ prefix, path }: "NETRC" == prefix) builtins.nixPath;
+    pathParts = filter ({ prefix, path }: "NETRC" == prefix) builtins.nixPath;
-  netrc_file = if (pathParts != [ ]) then (head pathParts).path else "";
+    netrc_file = if (pathParts != [ ]) then (head pathParts).path else "";
-in
+  in
-# Assert that we have at least one URL
+  # Assert that we have at least one URL
-assert urls' != [ ];
+  assert urls' != [ ];
-runCommand file
+  runCommand file
-  (
+    (
-    {
+      {
-      nativeBuildInputs = [ python3 ];
+        nativeBuildInputs = [
-      inherit impureEnvVars;
+          python3
-      outputHashMode = "flat";
+          cacert
-      # if hash is empty select a default algo to let nix propose the actual hash.
+        ];
-      outputHashAlgo = if hash == "" then "sha256" else null;
+        inherit impureEnvVars;
-      outputHash = hash;
+        outputHashMode = "flat";
-    }
+        # if hash is empty select a default algo to let nix propose the actual hash.
-    // optionalAttrs (name != null) { inherit name; }
+        outputHashAlgo = if hash == "" then "sha256" else null;
-    // optionalAttrs (!inPureEvalMode) { env.NETRC = netrc_file; }
+        outputHash = hash;
-  )
+      }
-  ''
+      // optionalAttrs (name != null) { inherit name; }
-    python ${./fetch-legacy.py} ${
+      // optionalAttrs (!inPureEvalMode) { env.NETRC = netrc_file; }
-      concatStringsSep " " (map (url: "--url ${escapeShellArg url}") urls')
+    )
-    } --pname ${pname} --filename ${file}
+    ''
-    mv ${file} $out
+      python ${./fetch-legacy.py} ${
-  ''
+        concatStringsSep " " (map (url: "--url ${escapeShellArg url}") urls')
      } --pname ${pname} --filename ${file}
      mv ${file} $out
    ''
 )