From 4fe415683e685838fde4e11f14f0309bbadb36e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Tue, 28 May 2024 17:30:34 +0200 Subject: [PATCH] Add an immutable tarball link to archive download headers for Nix (#31139) This allows `nix flake metadata` and nix in general to lock a *branch* tarball link in a manner that causes it to fetch the correct commit even if the branch is updated with a newer version. Co-authored-by: Jade Lovelace Co-authored-by: wxiaoguang --- routers/api/v1/repo/file.go | 6 ++++++ routers/web/repo/repo.go | 6 ++++++ tests/integration/api_repo_archive_test.go | 11 +++++++++++ 3 files changed, 23 insertions(+) diff --git a/routers/api/v1/repo/file.go b/routers/api/v1/repo/file.go index 156033f58a..979f5f30b9 100644 --- a/routers/api/v1/repo/file.go +++ b/routers/api/v1/repo/file.go @@ -319,6 +319,12 @@ func archiveDownload(ctx *context.APIContext) { func download(ctx *context.APIContext, archiveName string, archiver *repo_model.RepoArchiver) { downloadName := ctx.Repo.Repository.Name + "-" + archiveName + // Add nix format link header so tarballs lock correctly: + // https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md + ctx.Resp.Header().Add("Link", fmt.Sprintf(`<%s/archive/%s.tar.gz?rev=%s>; rel="immutable"`, + ctx.Repo.Repository.APIURL(), + archiver.CommitID, archiver.CommitID)) + rPath := archiver.RelativePath() if setting.RepoArchive.Storage.MinioConfig.ServeDirect { // If we have a signed url (S3, object storage), redirect to this directly. diff --git a/routers/web/repo/repo.go b/routers/web/repo/repo.go index 71c582b5f9..f54b35c3e0 100644 --- a/routers/web/repo/repo.go +++ b/routers/web/repo/repo.go @@ -484,6 +484,12 @@ func Download(ctx *context.Context) { func download(ctx *context.Context, archiveName string, archiver *repo_model.RepoArchiver) { downloadName := ctx.Repo.Repository.Name + "-" + archiveName + // Add nix format link header so tarballs lock correctly: + // https://github.com/nixos/nix/blob/56763ff918eb308db23080e560ed2ea3e00c80a7/doc/manual/src/protocols/tarball-fetcher.md + ctx.Resp.Header().Add("Link", fmt.Sprintf(`<%s/archive/%s.tar.gz?rev=%s>; rel="immutable"`, + ctx.Repo.Repository.APIURL(), + archiver.CommitID, archiver.CommitID)) + rPath := archiver.RelativePath() if setting.RepoArchive.Storage.MinioConfig.ServeDirect { // If we have a signed url (S3, object storage), redirect to this directly. diff --git a/tests/integration/api_repo_archive_test.go b/tests/integration/api_repo_archive_test.go index 57d3abfe84..eecb84d5d1 100644 --- a/tests/integration/api_repo_archive_test.go +++ b/tests/integration/api_repo_archive_test.go @@ -8,6 +8,7 @@ import ( "io" "net/http" "net/url" + "regexp" "testing" auth_model "code.gitea.io/gitea/models/auth" @@ -39,6 +40,16 @@ func TestAPIDownloadArchive(t *testing.T) { assert.NoError(t, err) assert.Len(t, bs, 266) + // Must return a link to a commit ID as the "immutable" archive link + linkHeaderRe := regexp.MustCompile(`^<(https?://.*/api/v1/repos/user2/repo1/archive/[a-f0-9]+\.tar\.gz.*)>; rel="immutable"$`) + m := linkHeaderRe.FindStringSubmatch(resp.Header().Get("Link")) + assert.NotEmpty(t, m[1]) + resp = MakeRequest(t, NewRequest(t, "GET", m[1]).AddTokenAuth(token), http.StatusOK) + bs2, err := io.ReadAll(resp.Body) + assert.NoError(t, err) + // The locked URL should give the same bytes as the non-locked one + assert.EqualValues(t, bs, bs2) + link, _ = url.Parse(fmt.Sprintf("/api/v1/repos/%s/%s/archive/master.bundle", user2.Name, repo.Name)) resp = MakeRequest(t, NewRequest(t, "GET", link.String()).AddTokenAuth(token), http.StatusOK) bs, err = io.ReadAll(resp.Body)