fetchPypiLegacy: Pass cacert to enable TLS verification when username/password is used

The intent was for TLS verification to be enabled when transfering credentials only, and normally disabled for long-term reproducibility. See https://github.com/nix-community/poetry2nix/issues/1740
2024-08-14 13:20:21 +12:00 · 2024-08-14 13:20:21 +12:00 · bed19bdf39
commit bed19bdf39
parent 6aad68f7ca
1 changed files with 49 additions and 41 deletions
--- a/pkgs/build-support/fetchpypilegacy/default.nix
+++ b/pkgs/build-support/fetchpypilegacy/default.nix
@ -3,7 +3,8 @@
  runCommand,
  lib,
  python3,
-}:
+  cacert,
+}@pkgs:
 let
  inherit (lib)
    optionalAttrs
@ -18,45 +19,52 @@ let

  impureEnvVars = fetchers.proxyImpureEnvVars ++ optional inPureEvalMode "NETRC";
 in
-{
-  # package name
-  pname,
-  # Package index
-  url ? null,
-  # Multiple package indices to consider
-  urls ? [ ],
-  # filename including extension
-  file,
-  # SRI hash
-  hash,
-  # allow overriding the derivation name
-  name ? null,
-}:
-let
-  urls' = urls ++ optional (url != null) url;
+lib.makeOverridable (
+  {
+    # package name
+    pname,
+    # Package index
+    url ? null,
+    # Multiple package indices to consider
+    urls ? [ ],
+    # filename including extension
+    file,
+    # SRI hash
+    hash,
+    # allow overriding the derivation name
+    name ? null,
+    # allow overriding cacert using src.override { cacert = cacert.override { extraCertificateFiles = [ ./path/to/cert.pem ]; }; }
+    cacert ? pkgs.cacert,
+  }:
+  let
+    urls' = urls ++ optional (url != null) url;

-  pathParts = filter ({ prefix, path }: "NETRC" == prefix) builtins.nixPath;
-  netrc_file = if (pathParts != [ ]) then (head pathParts).path else "";
+    pathParts = filter ({ prefix, path }: "NETRC" == prefix) builtins.nixPath;
+    netrc_file = if (pathParts != [ ]) then (head pathParts).path else "";

-in
-# Assert that we have at least one URL
-assert urls' != [ ];
-runCommand file
-  (
-    {
-      nativeBuildInputs = [ python3 ];
-      inherit impureEnvVars;
-      outputHashMode = "flat";
-      # if hash is empty select a default algo to let nix propose the actual hash.
-      outputHashAlgo = if hash == "" then "sha256" else null;
-      outputHash = hash;
-    }
-    // optionalAttrs (name != null) { inherit name; }
-    // optionalAttrs (!inPureEvalMode) { env.NETRC = netrc_file; }
-  )
-  ''
-    python ${./fetch-legacy.py} ${
-      concatStringsSep " " (map (url: "--url ${escapeShellArg url}") urls')
-    } --pname ${pname} --filename ${file}
-    mv ${file} $out
-  ''
+  in
+  # Assert that we have at least one URL
+  assert urls' != [ ];
+  runCommand file
+    (
+      {
+        nativeBuildInputs = [
+          python3
+          cacert
+        ];
+        inherit impureEnvVars;
+        outputHashMode = "flat";
+        # if hash is empty select a default algo to let nix propose the actual hash.
+        outputHashAlgo = if hash == "" then "sha256" else null;
+        outputHash = hash;
+      }
+      // optionalAttrs (name != null) { inherit name; }
+      // optionalAttrs (!inPureEvalMode) { env.NETRC = netrc_file; }
+    )
+    ''
+      python ${./fetch-legacy.py} ${
+        concatStringsSep " " (map (url: "--url ${escapeShellArg url}") urls')
+      } --pname ${pname} --filename ${file}
+      mv ${file} $out
+    ''
+)