contrib/plugins: init with mTLS store example

This is a collection of Lix plugins that showcase how to write one for
various usecases.

The first is a mTLS store plugin that enable mTLS cache URIs
(`https+mtls://`).

We enable meson build system support for this plugin but we are not
going to distribute it in the official packaging of Lix, we will
repackage each relevant plugin downstream in Nixpkgs.

These plugins have *NO* guarantee support, they are provided as useful
references and are possibly production-ready if your usecase is simple
enough.

Reference: NixOS/nix#13030 (this change has
resemblances but our APIs are different, the tests harness is mostly
from CppNix).

Change-Id: Ib354271981b35dff6c134b12c4748c3eaf743fcb
Co-authored-by: Jörg Thalheim <[email protected]>
Co-authored-by: László Vaskó <[email protected]>
Signed-off-by: Raito Bezarius <[email protected]>

Author: 3 people

contrib/plugins/meson.build

@@ -0,0 +1,14 @@
+plugin_mtls_store = shared_module(
+  'plugin_mtls_store',
+  'plugin_mtls_store.cc',
+  dependencies : [
+    liblixutil,
+    liblixstore,
+    liblixexpr,
+    liblixfetchers,
+    curl,
+  ],
+  install : false,
+  build_by_default : true,
+  link_args : strict_shared_module_link_args,
+)

contrib/plugins/mtls-http-binary-cache-store.md

@@ -0,0 +1,13 @@
+R"(
+
+**Store URL format**: `https+mtls://...`
+
+This store allows a binary cache to be accessed via the HTTPS
+protocol with mutual TLS mandated.
+
+Two parameters can be passed to the query string:
+
+- `tls-certificate`, a path to the TLS client certificate (optional)
+- `tls-private-key`, a path to the TLS private key backing the client certificate (required)
+
+)"

contrib/plugins/plugin_mtls_store.cc

@@ -0,0 +1,102 @@
+#include "lix/libstore/store-api.hh"
+#include "lix/libutil/config.hh"
+#include "lix/libstore/http-binary-cache-store.hh"
+#include <stdlib.h>
+#include <curl/curl.h>
+
+namespace nix {
+struct mTLSBinaryCacheStoreConfig : HttpBinaryCacheStoreConfig
+{
+    using HttpBinaryCacheStoreConfig::HttpBinaryCacheStoreConfig;
+
+    const std::string name() override
+    {
+        return "mTLS HTTP Binary Cache Store";
+    }
+
+    std::string doc() override
+    {
+        return
+#include "mtls-http-binary-cache-store.md"
+            ;
+    }
+
+    PathsSetting<nix::Path> tlsCertificate{
+        this,
+        "",
+        "tls-certificate",
+        "Path of an optional TLS client certificate in PEM format as expected by CURLOPT_SSLCERT"
+    };
+
+    PathsSetting<nix::Path> tlsKey{
+        this,
+        "",
+        "tls-private-key",
+        "Path of an TLS client certificate private key in PEM format as expected by CURLOPT_SSLKEY"
+    };
+};
+
+struct mTLSBinaryCacheStoreImpl : public HttpBinaryCacheStore
+{
+    struct Keyring
+    {
+        nix::Path tlsCertificate;
+        nix::Path tlsKey;
+    };
+
+    mTLSBinaryCacheStoreConfig config_;
+    std::shared_ptr<Keyring> keyring;
+
+    mTLSBinaryCacheStoreConfig & config() override
+    {
+        return config_;
+    }
+    const mTLSBinaryCacheStoreConfig & config() const override
+    {
+        return config_;
+    }
+
+    mTLSBinaryCacheStoreImpl(
+        const std::string & uriScheme, const Path & _cacheUri, mTLSBinaryCacheStoreConfig config
+    )
+        : Store(config)
+        , HttpBinaryCacheStore("https", _cacheUri, config)
+        , config_(std::move(config))
+        , keyring(std::make_shared<Keyring>(config_.tlsCertificate.get(), config_.tlsKey.get()))
+    {
+    }
+
+    FileTransferOptions makeOptions(Headers && headers = {}) override
+    {
+        auto options = HttpBinaryCacheStore::makeOptions(std::move(headers));
+        auto baseExtraSetup = std::move(options.extraSetup);
+        auto keyring = this->keyring;
+
+        options.extraSetup =
+            [keyring, baseExtraSetup{std::move(baseExtraSetup)}](CURL * req) {
+                if (baseExtraSetup) {
+                    baseExtraSetup(req);
+                }
+
+                if (!keyring->tlsCertificate.empty()) {
+                    curl_easy_setopt(req, CURLOPT_SSLCERT, keyring->tlsCertificate.c_str());
+                }
+
+                curl_easy_setopt(req, CURLOPT_SSLKEY, keyring->tlsKey.c_str());
+            };
+
+        return options;
+    }
+
+    static std::set<std::string> uriSchemes()
+    {
+        return {"https+mtls"};
+    }
+};
+}
+
+
+extern "C" void nix_plugin_entry()
+{
+    nix::StoreImplementations::add<nix::mTLSBinaryCacheStoreImpl, nix::mTLSBinaryCacheStoreConfig>();
+}

doc/manual/change-authors.yml

@@ -156,6 +156,9 @@ ma27:
 matthewbauer:
   github: matthewbauer
 
+mic92:
+  github: Mic92
+
 midnightveil:
   display_name: julia
   forgejo: midnightveil
@@ -243,6 +246,9 @@ vigress8:
   forgejo: vigress8
   github: vigress8
 
+vlaci:
+  github: vlaci
+
 vlinkz:
   display_name: Victor Fuentes
   forgejo: vlinkz

doc/manual/rl-next/mtls-plugin.md

@@ -0,0 +1,42 @@
+---
+synopsis: "mTLS store connections via a plugin"
+issues: []
+cls: [3754, 3696, 3697, 3698]
+category: Improvements
+credits: [raito, horrors, mic92, vlaci]
+---
+
+To support use cases requiring mutual TLS (mTLS) authentication when connecting
+to remote Nix stores, e.g. private stores, we have introduced a **contributed**
+mTLS plugin extending the Lix store interface.
+
+This design follows an extensibility model which was brought up [by a proposal
+of making Kerberos authentication possible in Lix
+directly](https://gerrit.lix.systems/c/lix/+/3637).
+
+This mTLS plugin serves as a concrete example of how store connection
+mechanisms can be modularized through external plugins, without extending Lix
+core. This idea can be generalized to integrate automatic certificate renewal
+or advanced integrations with secrets engine or posture checks.
+
+It enables custom TLS client certificates to be used for authenticating against
+a remote store that enforces mTLS.
+
+To use the plugin, configure Lix manually by setting in your `nix.conf`:
+
+```
+plugin-files = /a/path/to/libplugin_mtls_store.so
+```
+
+Currently, this must be done explicitly. In the future, Nixpkgs will provide a
+mechanism to reference an up-to-date and curated set of plugins automatically.
+
+Making plugins easily consumable outside of Nixpkgs (e.g., from external plugin
+registries or binary distributions) remains an open question and will require
+further design.
+
+Contributed plugins come with significantly reduced **stability** and
+**maintenance** guarantees compared to the Lix core. We encourage users who
+depend on a given plugin to take on maintenance responsibilities and apply for
+ownership within the Lix mono-repository. These plugins are subject to removal
+at any time.

meson.build

@@ -125,6 +125,7 @@ endif
 
 enable_nix_eval_jobs = get_option('nix-eval-jobs')
 enable_tests = get_option('enable-tests')
+enable_contrib_plugins = get_option('enable-contrib-plugins')
 
 tests_args = []
 
@@ -224,12 +225,13 @@ is_x64 = host_machine.cpu_family() == 'x86_64'
 # This corresponds to the $(1)_ALLOW_UNDEFINED option from the Make buildsystem.
 # Mostly this is load-bearing on the plugin tests defined in tests/functional/plugins/meson.build.
 shared_module_link_args = []
+# This is a stricter additional set of link flags.
+strict_shared_module_link_args = []
 if is_darwin
   shared_module_link_args += ['-undefined', 'suppress', '-flat_namespace']
+  strict_shared_module_link_args += ['-flat_namespace']
 elif is_linux
-  # -Wl,-z,defs is the equivalent, but a comment in the Make buildsystem says that breaks
-  # Clang sanitizers on Linux.
-  # FIXME(Qyriad): is that true?
+  strict_shared_module_link_args += ['-Wl,-z,defs']
 endif
 configdata = { }
 
@@ -663,6 +665,10 @@ if enable_tests
   subdir('tests/functional2')
 endif
 
+if enable_contrib_plugins
+  subdir('contrib/plugins')
+endif
+
 subdir('meson/clang-tidy')
 
 subproject('nix-eval-jobs', required : enable_nix_eval_jobs)

meson.options

@@ -32,6 +32,10 @@ option('enable-tests', type : 'boolean', value : true,
   description : 'whether to enable tests or not (requires rapidcheck and gtest)',
 )
 
+option('enable-contrib-plugins', type : 'boolean', value : true,
+  description : 'whether to build contributed plugins'
+)
+
 option('tests-color', type : 'boolean', value : true,
   description : 'set to false to disable color output in gtest',
 )

misc/pre-commit.nix

@@ -36,7 +36,7 @@ pre-commit-run {
       enable = true;
       package = pkgs.llvmPackages.libclang.python;
       entry = "${pkgs.llvmPackages.libclang.python}/bin/git-clang-format --binary ${pkgs.llvmPackages.clang-tools}/bin/clang-format";
-      files = "^(lix/|tests/)";
+      files = "^(lix/|tests/|contrib/plugins/)";
       types = [
         "c++"
         "file"

package.nix

@@ -232,6 +232,7 @@ stdenv.mkDerivation (finalAttrs: {
           ./doc
           ./lix
           ./misc
+          ./contrib/plugins
           ./COPYING
         ]
         ++ lib.optionals lintInsteadOfBuild [ ./.clang-tidy ]
@@ -309,6 +310,10 @@ stdenv.mkDerivation (finalAttrs: {
       jq
       yq
       lsof
+      # For mTLS tests.
+      curl
+      openssl
+      python3
     ]
     ++ lib.optional hostPlatform.isLinux util-linuxMinimal
     ++ lib.optional (!officialRelease && buildUnreleasedNotes) build-release-notes

tests/functional/init.sh

@@ -10,7 +10,7 @@ if test -d "$TEST_ROOT"; then
     killDaemon
     rm -rf "$TEST_ROOT"
 fi
-mkdir "$TEST_ROOT"
+mkdir -p "$TEST_ROOT"
 
 mkdir "$NIX_STORE_DIR"
 mkdir "$NIX_LOCALSTATE_DIR"