Add type for metadata about StorePaths.

This is a stronger-typed version of ValidPathInfo, so this fixes #43.

Author: shlevy

hnix-store-core/hnix-store-core.cabal

@@ -20,10 +20,13 @@ library
   exposed-modules:     System.Nix.Base32
                      , System.Nix.Hash
                      , System.Nix.Internal.Hash
+                     , System.Nix.Internal.Signature
                      , System.Nix.Internal.StorePath
                      , System.Nix.Nar
                      , System.Nix.ReadonlyStore
+                     , System.Nix.Signature
                      , System.Nix.StorePath
+                     , System.Nix.StorePathMetadata
                      , System.Nix.Util
   build-depends:       base >=4.10 && <5
                      , base16-bytestring
@@ -40,6 +43,8 @@ library
                      , mtl
                      , regex-base
                      , regex-tdfa-text
+                     , saltine
+                     , time
                      , text
                      , unix
                      , unordered-containers

hnix-store-core/src/System/Nix/Hash.hs

@@ -7,6 +7,7 @@ module System.Nix.Hash (
   , HNix.HashAlgorithm(..)
   , HNix.ValidAlgo(..)
   , HNix.NamedAlgo(..)
+  , HNix.SomeNamedDigest(..)
   , HNix.hash
   , HNix.hashLazy
 

hnix-store-core/src/System/Nix/Internal/Hash.hs

@@ -9,6 +9,7 @@ Description : Cryptographic hashing interface for hnix-store, on top
 {-# LANGUAGE TypeApplications    #-}
 {-# LANGUAGE DataKinds           #-}
 {-# LANGUAGE OverloadedStrings   #-}
+{-# LANGUAGE ExistentialQuantification #-}
 
 module System.Nix.Internal.Hash where
 
@@ -72,6 +73,9 @@ instance NamedAlgo 'SHA1 where
 instance NamedAlgo 'SHA256 where
   algoName = "sha256"
 
+-- | A digest whose 'NamedAlgo' is not known at compile time.
+data SomeNamedDigest = forall a . NamedAlgo a => SomeDigest (Digest a)
+
 -- | Hash an entire (strict) 'BS.ByteString' as a single call.
 --
 --   For example:

hnix-store-core/src/System/Nix/Internal/Signature.hs

@@ -0,0 +1,29 @@
+{-|
+Description : Nix-relevant interfaces to NaCl signatures.
+-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+module System.Nix.Internal.Signature where
+
+import Data.ByteString (ByteString)
+import qualified Data.ByteString as BS
+import Data.Coerce (coerce)
+import Crypto.Saltine.Core.Sign (PublicKey)
+import Crypto.Saltine.Class (IsEncoding(..))
+import qualified Crypto.Saltine.Internal.ByteSizes as NaClSizes
+
+-- | A NaCl signature.
+newtype Signature = Signature ByteString deriving (Eq, Ord)
+
+instance IsEncoding Signature where
+  decode s
+    | BS.length s == NaClSizes.sign = Just (Signature s)
+    | otherwise = Nothing
+  encode = coerce
+
+-- | A detached NaCl signature attesting to a nix archive's validity.
+data NarSignature = NarSignature
+  { -- | The public key used to sign the archive.
+    publicKey :: PublicKey
+  , -- | The archive's signature.
+    sig :: Signature
+  } deriving (Eq, Ord)

hnix-store-core/src/System/Nix/Internal/StorePath.hs

@@ -16,6 +16,7 @@ import System.Nix.Hash
   ( HashAlgorithm(Truncated, SHA256)
   , Digest
   , encodeBase32
+  , SomeNamedDigest
   )
 import Text.Regex.Base.RegexLike (makeRegex, matchTest)
 import Text.Regex.TDFA.Text (Regex)
@@ -68,6 +69,36 @@ type StorePathHashAlgo = 'Truncated 20 'SHA256
 -- | A set of 'StorePath's.
 type StorePathSet storeDir = HashSet (StorePath storeDir)
 
+-- | An address for a content-addressable store path, i.e. one whose
+-- store path hash is purely a function of its contents (as opposed to
+-- paths that are derivation outputs, whose hashes are a function of
+-- the contents of the derivation file instead).
+--
+-- For backwards-compatibility reasons, the same information is
+-- encodable in multiple ways, depending on the method used to add the
+-- path to the store. These unfortunately result in separate store
+-- paths.
+data ContentAddressableAddress
+  = -- | The path is a plain file added via makeTextPath or
+    -- addTextToStore. It is addressed according to a sha256sum of the
+    -- file contents.
+    Text !(Digest 'SHA256)
+  | -- | The path was added to the store via makeFixedOutputPath or
+    -- addToStore. It is addressed according to some hash algorithm
+    -- applied to the nar serialization via some 'NarHashMode'.
+    Fixed !NarHashMode !SomeNamedDigest
+
+-- | Schemes for hashing a nix archive.
+--
+-- For backwards-compatibility reasons, there are two different modes
+-- here, even though 'Recursive' should be able to cover both.
+data NarHashMode
+  = -- | Require the nar to represent a non-executable regular file.
+    RegularFile
+  | -- | Hash an arbitrary nar, including a non-executable regular
+    -- file if so desired.
+    Recursive
+
 -- | A type-level representation of the root directory of a Nix store.
 --
 -- The extra complexity of type indices requires justification.

hnix-store-core/src/System/Nix/Signature.hs

@@ -0,0 +1,9 @@
+{-|
+Description : Nix-relevant interfaces to NaCl signatures.
+-}
+module System.Nix.Signature
+  ( Signature
+  , NarSignature(..)
+  ) where
+
+import System.Nix.Internal.Signature

hnix-store-core/src/System/Nix/StorePath.hs

@@ -8,6 +8,8 @@ module System.Nix.StorePath
   , StorePathSet
   , StorePathHashAlgo
   , StoreDir
+  , ContentAddressableAddress(..)
+  , NarHashMode(..)
   , -- * Manipulating 'StorePathName'
     makeStorePathName
   , unStorePathName

hnix-store-core/src/System/Nix/StorePathMetadata.hs

@@ -0,0 +1,49 @@
+{-|
+Description : Metadata about Nix store paths.
+-}
+module System.Nix.StorePathMetadata where
+
+import System.Nix.StorePath (StorePath, StorePathSet, ContentAddressableAddress)
+import System.Nix.Hash (SomeNamedDigest)
+import Data.Set (Set)
+import Data.Time (UTCTime)
+import Data.Word (Word64)
+import System.Nix.Signature (NarSignature)
+
+-- | Metadata about a 'StorePath' in @storeDir@.
+data StorePathMetadata storeDir = StorePathMetadata
+  { -- | The path this metadata is about
+    path :: !(StorePath storeDir)
+  , -- | The path to the derivation file that built this path, if any
+    -- and known.
+    deriverPath :: !(Maybe (StorePath storeDir))
+  , -- TODO should this be optional?
+    -- | The hash of the nar serialization of the path.
+    narHash :: !SomeNamedDigest
+  , -- | The paths that this path directly references
+    references :: !(StorePathSet storeDir)
+  , -- | When was this path registered valid in the store?
+    registrationTime :: !UTCTime
+  , -- | The size of the nar serialization of the path, in bytes.
+    narBytes :: !(Maybe Word64)
+  , -- | How much we trust this path.
+    trust :: !StorePathTrust
+  , -- | A set of cryptographic attestations of this path's validity.
+    --
+    -- There is no guarantee from this type alone that these
+    -- signatures are valid.
+    sigs :: !(Set NarSignature)
+  , -- | Whether and how this store path is content-addressable.
+    --
+    -- There is no guarantee from this type alone that this address
+    -- is actually correct for this store path.
+    contentAddressableAddress :: !(Maybe ContentAddressableAddress)
+  }
+
+-- | How much do we trust the path, based on its provenance?
+data StorePathTrust
+  = -- | It was built locally and thus ultimately trusted
+    BuiltLocally
+  | -- | It was built elsewhere (and substituted or similar) and so
+    -- is less trusted
+    BuiltElsewhere