lib/types: add types.pathNotInStore

This option parallels our existing `types.pathInStore` type. This is useful for when a module needs a path to a file, and wants to protect people from accidentally leaking that file into the nix store.
NixOS · Jan 12, 2025 · c377630 · c377630
1 parent 3766aa0
commit c377630
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 12 deletions.
diff --git a/lib/tests/modules.sh b/lib/tests/modules.sh
@@ -170,6 +170,16 @@ checkConfigError 'A definition for option .* is not of type .path in the Nix sto
 checkConfigError 'A definition for option .* is not of type .path in the Nix store.. Definition values:\n\s*- In .*: ".*/store/"' config.pathInStore.bad3 ./types.nix
 checkConfigError 'A definition for option .* is not of type .path in the Nix store.. Definition values:\n\s*- In .*: "/foo/bar"' config.pathInStore.bad4 ./types.nix
 
+# types.pathNotInStore
+checkConfigOutput '"/foo/bar"' config.pathNotInStore.ok1 ./types.nix
+checkConfigOutput '".*/store"' config.pathNotInStore.ok2 ./types.nix
+checkConfigOutput '".*/store/"' config.pathNotInStore.ok3 ./types.nix
+checkConfigError 'A definition for option .* is not of type .path not in the Nix store.. Definition values:\n\s*- In .*: ".*/0lz9p8xhf89kb1c1kk6jxrzskaiygnlh-bash-5.2-p15.drv"' config.pathNotInStore.bad1 ./types.nix
+checkConfigError 'A definition for option .* is not of type .path not in the Nix store.. Definition values:\n\s*- In .*: ".*/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15"' config.pathNotInStore.bad2 ./types.nix
+checkConfigError 'A definition for option .* is not of type .path not in the Nix store.. Definition values:\n\s*- In .*: ".*/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15/bin/bash"' config.pathNotInStore.bad3 ./types.nix
+checkConfigError 'A definition for option .* is not of type .path not in the Nix store.. Definition values:\n\s*- In .*: ""' config.pathNotInStore.bad4 ./types.nix
+checkConfigError 'A definition for option .* is not of type .path not in the Nix store.. Definition values:\n\s*- In .*: ".*/\.links"' config.pathNotInStore.bad5 ./types.nix
+
 # Check boolean option.
 checkConfigOutput '^false$' config.enable ./declare-enable.nix
 checkConfigError 'The option .* does not exist. Definition values:\n\s*- In .*: true' config.enable ./define-enable.nix

diff --git a/lib/tests/modules/types.nix b/lib/tests/modules/types.nix
@@ -10,6 +10,7 @@ in
 {
   options = {
     pathInStore = mkOption { type = types.lazyAttrsOf types.pathInStore; };
+    pathNotInStore = mkOption { type = types.lazyAttrsOf types.pathNotInStore; };
   };
   config = {
     pathInStore.ok1 = "${storeDir}/0lz9p8xhf89kb1c1kk6jxrzskaiygnlh-bash-5.2-p15.drv";
@@ -20,5 +21,14 @@ in
     pathInStore.bad2 = "${storeDir}";
     pathInStore.bad3 = "${storeDir}/";
     pathInStore.bad4 = "/foo/bar";
+
+    pathNotInStore.ok1 = "/foo/bar";
+    pathNotInStore.ok2 = "${storeDir}"; # strange, but consistent with `pathInStore` above
+    pathNotInStore.ok3 = "${storeDir}/"; # also strange, but also consistent
+    pathNotInStore.bad1 = "${storeDir}/0lz9p8xhf89kb1c1kk6jxrzskaiygnlh-bash-5.2-p15.drv";
+    pathNotInStore.bad2 = "${storeDir}/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15";
+    pathNotInStore.bad3 = "${storeDir}/0fb3ykw9r5hpayd05sr0cizwadzq1d8q-bash-5.2-p15/bin/bash";
+    pathNotInStore.bad4 = "";
+    pathNotInStore.bad5 = "${storeDir}/.links";
   };
 }
diff --git a/lib/types.nix b/lib/types.nix
@@ -581,6 +581,14 @@ rec {
       merge = mergeEqualOption;
     };
 
+    pathNotInStore = mkOptionType {
+      name = "pathNotInStore";
+      description = "path not in the Nix store";
+      descriptionClass = "noun";
+      check = x: isStringLike x && builtins.substring 0 1 (toString x) == "/" && builtins.match "${builtins.storeDir}/.+" (toString x) == null;
+      merge = mergeEqualOption;
+    };
+
     listOf = elemType: mkOptionType rec {
       name = "listOf";
       description = "list of ${optionDescriptionPhrase (class: class == "noun" || class == "composite") elemType}";

diff --git a/nixos/modules/services/security/step-ca.nix b/nixos/modules/services/security/step-ca.nix
@@ -60,7 +60,7 @@ in
         '';
       };
       intermediatePasswordFile = lib.mkOption {
-        type = lib.types.path;
+        type = lib.types.pathNotInStore;
         example = "/run/keys/smallstep-password";
         description = ''
           Path to the file containing the password for the intermediate
@@ -86,17 +86,6 @@ in
       );
     in
     {
-      assertions = [
-        {
-          assertion = !lib.isStorePath cfg.intermediatePasswordFile;
-          message = ''
-            <option>services.step-ca.intermediatePasswordFile</option> points to
-            a file in the Nix store. You should use a quoted absolute path to
-            prevent this.
-          '';
-        }
-      ];
-
       systemd.packages = [ cfg.package ];
 
       # configuration file indirection is needed to support reloading