Unverified Commit 3d7fd4ed authored by Philip Taron's avatar Philip Taron Committed by GitHub

fetchFromGitLab: support for private repositories (#176950)

parents 4e6b4100 2b5981c5
+46 −0
@@ -21,6 +21,8 @@ lib.makeOverridable (
    deepClone ? false,
    forceFetchGit ? false,
    sparseCheckout ? [ ],
    private ? false,
    varPrefix ? null,
    ... # For hash agility
  }@args:

@@ -51,14 +53,57 @@ lib.makeOverridable (
      "tag"
      "fetchSubmodules"
      "forceFetchGit"
      "private"
      "varPrefix"
      "leaveDotGit"
      "deepClone"
    ];

    varBase = "NIX${lib.optionalString (varPrefix != null) "_${varPrefix}"}_GITLAB_PRIVATE_";
    useFetchGit =
      fetchSubmodules || leaveDotGit || deepClone || forceFetchGit || (sparseCheckout != [ ]);
    fetcher = if useFetchGit then fetchgit else fetchzip;

    privateAttrs = lib.optionalAttrs private (
      lib.throwIfNot (protocol == "https") "private token login is only supported for https" {
        netrcPhase = ''
          if [ -z "''$${varBase}USERNAME" -o -z "''$${varBase}PASSWORD" ]; then
            echo "Error: Private fetchFromGitLab requires the nix building process (nix-daemon in multi user mode) to have the ${varBase}USERNAME and ${varBase}PASSWORD env vars set." >&2
            exit 1
          fi
        ''
        + (
          if useFetchGit then
            # GitLab supports HTTP Basic Authentication only when Git is used:
            # https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html#project-access-tokens
            ''
              cat > netrc <<EOF
              machine ${domain}
                      login ''$${varBase}USERNAME
                      password ''$${varBase}PASSWORD
              EOF
            ''
          else
            # Access via the GitLab API requires a custom header and does not work
            # with HTTP Basic Authentication:
            # https://docs.gitlab.com/ee/api/#personalprojectgroup-access-tokens
            ''
              # needed because fetchurl always sets --netrc-file if a netrcPhase is present
              touch netrc

              cat > private-token <<EOF
              PRIVATE-TOKEN: ''$${varBase}PASSWORD
              EOF
              curlOpts="$curlOpts --header @./private-token"
            ''
        );
        netrcImpureEnvVars = [
          "${varBase}USERNAME"
          "${varBase}PASSWORD"
        ];
      }
    );

    gitRepoUrl = "${protocol}://${domain}/${slug}.git";

    fetcherArgs =
@@ -84,6 +129,7 @@ lib.makeOverridable (
            };
          }
      )
      // privateAttrs
      // passthruAttrs
      // {
        inherit name;
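Review bot: In the non-git branch of `netrcPhase` (second hunk), the token goes out as a custom `PRIVATE-TOKEN` header via `curlOpts`, and curl attaches headers given with `--header` to every request of the transfer, including a redirect target on another host. If fetchurl's curl invocation follows redirects (not visible on this page), a redirect away from `${domain}` would carry the token with it. GitLab also accepts the token as an `Authorization: Bearer` header, which curl drops on a cross-host redirect, so the heredoc line could read `Authorization: Bearer ''$${varBase}PASSWORD`; this should be confirmed against the GitLab versions the fetcher targets. The same branch still requires `${varBase}USERNAME` to be set although only the password is used, which a comment beside the check should state. The enclosing `lib.makeOverridable` function begins and ends outside these hunks.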