Add Store::isTrustedClient()

[MatthewCroughan]

This PR extends the worker protocol in worker-protocol-hh by adding a new operation (47) which permits a client to check if they are trusted. I have needed this for some scripts I'm trying to write which use Nix, that need to check.

In addition, it also adds a new command nix store check-trusted which will make use of this addition. It will return exit code 0 if trusted, 1 if not trusted or 2 if an unexpected error occurs.

I have also added a new checkInfo function to doctor.cc which will print an inconsequential blue [INFO] telling the user whether they are trusted. This does not change the exit status of the nix doctor command.

The following Bash function is an example of a fallback mechanism I've implemented in Bash but do not have the skills to implement in C++.

function isTrustedUser {
  function writeDummyBuildLog {
    {
      echo 0x6378696e 0x00000000; # WORKER_MAGIC_1
      echo 0x0a010000 0x00000000; # PROTOCOL_VERSION
      echo 0x2d000000 0x00000000; # wopAddBuildlog (45)
      echo 0x26000000 0x00000000; # Length of Store Path (38)
      echo -n "$(echo -n aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-a.drv | xxd -p -c0)00000000000000000000"; # Store Path
    } \
    | xxd -p -r \
    | socat - UNIX-CONNECT:/nix/var/nix/daemon-socket/socket \
    | tr -d '\0'
  }
  x=$(writeDummyBuildLog)
  if (grep -aq "error:" <<< "$x") && (grep -aq "not privileged" <<< "$x")
  then
    echo "You are not a trusted user"
    return 1
  elif (grep -aq "error:" <<< "$x")
    echo "An unknown error occurred whilst checking if you are a trusted user"
    return 2
  else
    :
    return 0
  fi
}
isTrustedUser

Thanks a lot to @roberth who introduced me to the C++ codebase and answering a lot of questions. And thanks to @tomberek + @pkharvey + @helicalbytes for helping me understand the daemon protocol.

[NobbZ]

This is a good first step into a solution for #6752/#6672.

Can't say much codewise though.

[MatthewCroughan]

This PR will also improve #7461

[MatthewCroughan]

I somehow accidentally removed the review request for @edolstra @fricklerhandwerk and @thufschmitt just by requesting a re-review from @max-privatevoid, this seems to be a bug in the way reviews are handled on GitHub. I am unable to add new reviewers, or add these reviewers back.

[MatthewCroughan]

I marked the PR as a draft, then unmarked it as a draft. It seems that the GitHub review bug is still in effect.

[MatthewCroughan]

Just pushed to resolve conflicts with the release notes.

[thufschmitt]

Thanks, that's a useful command to have I think.

Left some suggestions on the code and docs, but that looks good overall.

(That also makes me realize with horror that we don't have any test for the "non-trusted-user" case 😬 )

[thufschmitt]

I think it's fine to define this to unsupported by default like we do for a bunch of other methods and remove all the custom implementations for the stores that don't support it:

Suggested change

	virtual bool isTrustedUser() = 0;
	virtual bool isTrustedUser()
	{ unsupported("isTrustedUser"); }

[MatthewCroughan]

That definitely makes it a smaller diff too.

[MatthewCroughan]

Done. I've left the implementation for legacy ssh though, since it's more helpful to print it.

[roberth]

@thufschmitt This pattern is counterproductive for discovering such functionality as recursive nix store is not trusted early. Perhaps not a great example, but who knows what else we might have missed because of the bad default?

[thufschmitt]

@roberth since the default behaviour is to fail loudly, I think it's OK because it's a conservative approach, and we can always refine the implementation after the fact if we realize that we've been missing one

[MatthewCroughan]

I've rebased this PR on 2.14 after the Nix 2.13 release yesterday.

[tomberek]

From Nix meeting:

• instead of a new subcommand, implement nix store ping to return these results explicitly when available
• In a new PR add --json to nix store ping to allow for easier scripting.
• include the trusted status into the daemon handshake, this is mediated in the area of the below.

if (GET_PROTOCOL_MINOR(conn.daemonVersion) >= 33) {
            conn.to.flush();
            conn.daemonNixVersion = readString(conn.from);
        } 

[Ericson2314]

@MatthewCroughan Do note with #7723 merged the nix store ping changes will be less work!

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2023-01-20-nix-team-meeting-minutes-25/25432/1

[MatthewCroughan]

Have dropped the ball on this temporarily, I'm a bit ill after FOSDEM, will pick this up when I am better, anyone else feel free to contribute by making a PR to this PR!

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2023-01-23-nix-team-meeting-minutes-26/25433/1

[fricklerhandwerk]

Discussed in the Nix team meeting 2023-04-03:

• @Ericson2314 rewrote the PR based on the team's requested changes, needs a different reviewer
• assigned to @thufschmitt

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/2023-04-03-nix-team-meeting-minutes-46/27008/1

[domenkozar]

Would be great to have this in for 2.15.

[thufschmitt]

The change is good overall, but the wire encoding/decoding logic is a bit too smart imho. Let's keep things simple as much as we can.

[Ericson2314]

Good point, I did sort of forget about that mechanism! 😳

[thufschmitt]

Yay!

Just a small suggestion, but fairly minor and not blocking. So let's merge

[thufschmitt]

Saving it for a potential follow-up (and fairly low-prio), but it could be nicer to just warn and return std::nullopt in that case. Just to make potential future evolutions of the protocol nicer.

[Ericson2314]

I had thought about that, but I think it's just better to bunl the protocol version on that case? Maybe I'm forgetting, but I couldn't think of another time we tried to do this sort of week forward compat before.

[roberth]

We currently have more or less one forward compat mechanism, which is the protocol version handshake.
If we're going to improve the forward compat mechanism, it would make more sense to do it structurally, with a self-describing or schema based serialization where we can add fields as we please.