Use fetchGit for source-repo-package without sha (#554)

hamishmack · web-flow · commit 1f94c06e6767 · 2020-04-21T00:10:54.000+12:00
* Downloads using `builtins.fetchGit` when no sha is found.

* Adds a `lookupSha256` arg for when we can't change `cabal.project`.

* Outputs a message when the sha256 is missing that includes advice on how add one.
diff --git a/docs/user-guide/source-repository-hashes.md b/docs/user-guide/source-repository-hashes.md
@@ -48,3 +48,27 @@ extra-deps:
   # nix-sha256: 003lm3pm024vhbfmii7xcdd9v2rczpflxf7gdl2pyxia7p014i8z
 ```
 
+## lookupSha256
+
+In some cases we cannot modify the `cabal.project` file to add the
+`--sha256` comments. As an alternative we can pass in a `lookupSha256`
+function to get them.  For instance pandoc includes a `cabal.project`
+file in hackage includes a `source-package-reference` to `pandoc-citeproc`:
+
+```
+{ haskell-nix, testSrc } :
+let
+  pandoc = haskell-nix.hackage-package {
+    name         = "pandoc";
+    version      = "2.9.2.1";
+    index-state  = "2020-04-15T00:00:00Z"; 
+    # Function that returns a sha256 string by looking up the location
+    # and tag in a nested attrset
+    lookupSha256 = { location, tag, ... }:
+      { "https://github.com/jgm/pandoc-citeproc"."0.17"
+          = "0dxx8cp2xndpw3jwiawch2dkrkp15mil7pyx7dvd810pwc22pm2q"; }
+        ."${location}"."${tag}";
+  };
+in
+  pandoc.components.exes.pandoc
+```
diff --git a/lib/call-cabal-project-to-nix.nix b/lib/call-cabal-project-to-nix.nix
@@ -16,6 +16,13 @@
                      # If the tests and benchmarks are not needed and they
                      # causes the wrong plan to be choosen, then we can use
                      # `configureArgs = "--disable-tests --disable-benchmarks";`
+, lookupSha256  ? _: null
+                     # Use the as an alternative to adding `--sha256` comments into the
+                     # cabal.project file:
+                     #   lookupSha256 = repo:
+                     #     { "https://github.com/jgm/pandoc-citeproc"."0.17"
+                     #         = "0dxx8cp2xndpw3jwiawch2dkrkp15mil7pyx7dvd810pwc22pm2q"; }
+                     #       ."${repo.location}"."${repo.tag}";
 , ...
 }@args:
 # cabal-install versions before 2.4 will generate insufficient plan information.
@@ -94,21 +101,38 @@ let
           (builtins.head pair)
           (builtins.elemAt pair 1))) blockLines);
 
-  fetchRepo = repo: (pkgs.fetchgit {
-    url = repo.location;
-    rev = repo.tag;
-    sha256 = repo."--sha256";
-  }) + (if repo.subdir or "" == "" then "" else "/" + repo.subdir);
+  hashPath = path:
+    builtins.readFile (pkgs.runCommand "hash-path" { preferLocalBuild = true; }
+      "echo -n $(${pkgs.nix}/bin/nix-hash --type sha256 --base32 ${path}) > $out");
 
-  # Parse a source-repository-package and fetch it if it containts
-  # a line of the form
-  #   --shar256: <<SHA256>>
+  # Use pkgs.fetchgit if we have a sha256. Add comment like this
+  #   --shar256: 003lm3pm0000hbfmii7xcdd9v20000flxf7gdl2pyxia7p014i8z
+  # otherwise use __fetchGit.
+  fetchRepo = repo:
+    let sha256 = repo."--sha256" or (lookupSha256 repo);
+    in (if sha256 != null
+      then pkgs.fetchgit {
+          url = repo.location;
+          rev = repo.tag;
+          inherit sha256;
+        }
+      else
+        let drv = builtins.fetchGit {
+              url = repo.location;
+              ref = repo.tag;
+            };
+        in  __trace "WARNING: No sha256 found for source-repository-package ${repo.location} ${repo.tag} download may fail in restricted mode (hydra)"
+           (__trace "Consider adding `--sha256: ${hashPath drv}` to the cabal.project file or passing in a lookupSha256 argument"
+            drv)
+    ) + (if repo.subdir or "" == "" then "" else "/" + repo.subdir);
+
+  # Parse a source-repository-package and fetch it if has `type: git`
   parseBlock = block:
     let
       x = span (pkgs.lib.strings.hasPrefix " ") (pkgs.lib.splitString "\n" block);
       attrs = parseBlockLines x.fst;
     in
-      if attrs."--sha256" or "" == ""
+      if attrs."type" or "" != "git"
         then {
           sourceRepo = [];
           otherText = "\nsource-repository-package\n" + block;
diff --git a/test/default.nix b/test/default.nix
@@ -174,6 +174,7 @@ let
     ghc-options-stack = callTest ./ghc-options/stack.nix {};
     exe-only = callTest ./exe-only { inherit util; };
     stack-source-repo = callTest ./stack-source-repo {};
+    lookup-sha256 = callTest ./lookup-sha256 {};
 
     unit = unitTests;
   };
diff --git a/test/lookup-sha256/default.nix b/test/lookup-sha256/default.nix
@@ -0,0 +1,16 @@
+{ haskell-nix, testSrc } :
+let
+  pandoc = haskell-nix.hackage-package {
+    name         = "pandoc";
+    version      = "2.9.2.1";
+    index-state  = "2020-04-15T00:00:00Z"; 
+    # Function that returns a sha256 string by looking up the location
+    # and tag in a nested attrset
+    lookupSha256 = { location, tag, ... }:
+      { "https://github.com/jgm/pandoc-citeproc"."0.17"
+          = "0dxx8cp2xndpw3jwiawch2dkrkp15mil7pyx7dvd810pwc22pm2q"; }
+        ."${location}"."${tag}";
+  };
+in
+  pandoc.components.exes.pandoc
+
