From ed975e953c30c335f8403352acc785323a5a925c Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 18 Jan 2024 20:59:24 +0100
Subject: [PATCH 1/4] tests/nixos/fetch-git: Testsupport for private repos

---
 .../fetch-git/testsupport/gitea-repo.nix      | 36 +++++++++++++++----
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/tests/nixos/fetch-git/testsupport/gitea-repo.nix b/tests/nixos/fetch-git/testsupport/gitea-repo.nix
index 916552bb2..a3ad65ca4 100644
--- a/tests/nixos/fetch-git/testsupport/gitea-repo.nix
+++ b/tests/nixos/fetch-git/testsupport/gitea-repo.nix
@@ -1,11 +1,31 @@
 { lib, ... }:
 let
-  inherit (lib) mkOption types;
+  inherit (lib)
+    mkIf
+    mkOption
+    types
+    ;
+
+  boolPyLiteral = b: if b then "True" else "False";
 
   testCaseExtension = { config, ... }: {
-    setupScript = ''
-      repo = Repo("${config.name}")
-    '';
+    options = {
+      repo.enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Whether to provide a repo variable - automatic repo creation.";
+      };
+      repo.private = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether the repo should be private.";
+      };
+    };
+    config = mkIf config.repo.enable {
+      setupScript = ''
+        repo = Repo("${config.name}", private=${boolPyLiteral config.repo.private})
+      '';
+    };
   };
 in
 {
@@ -16,16 +36,20 @@ in
   };
   config = {
     setupScript = ''
+      def boolToJSON(b):
+        return "true" if b else "false"
+
       class Repo:
         """
         A class to create a git repository on the gitea server and locally.
         """
-        def __init__(self, name):
+        def __init__(self, name, private=False):
           self.name = name
           self.path = "/tmp/repos/" + name
           self.remote = "http://gitea:3000/test/" + name
           self.remote_ssh = "ssh://gitea/root/" + name
           self.git = f"git -C {self.path}"
+          self.private = private
           self.create()
 
         def create(self):
@@ -37,7 +61,7 @@ in
           gitea.succeed(f"""
             curl --fail -X POST http://{gitea_admin}:{gitea_admin_password}@gitea:3000/api/v1/user/repos \
               -H 'Accept: application/json' -H 'Content-Type: application/json' \
-              -d {shlex.quote( f'{{"name":"{self.name}", "default_branch": "main"}}' )}
+              -d {shlex.quote( f'{{"name":"{self.name}", "default_branch": "main", "private": {boolToJSON(self.private)}}}' )}
           """)
           # setup git remotes on client
           client.succeed(f"""

From 76a50b3a69dd7202fa4c68ca8d12fde152e6341a Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 18 Jan 2024 22:25:30 +0100
Subject: [PATCH 2/4] doc: GitRepoImpl::path

---
 src/libfetchers/git-utils.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/libfetchers/git-utils.cc b/src/libfetchers/git-utils.cc
index 6726407b5..f34329fab 100644
--- a/src/libfetchers/git-utils.cc
+++ b/src/libfetchers/git-utils.cc
@@ -139,6 +139,7 @@ T peelObject(git_repository * repo, git_object * obj, git_object_t type)
 
 struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
 {
+    /** Location of the repository on disk. */
     CanonPath path;
     Repository repo;
 

From 8d422c2fef4309b4b7de8e2f909957775a9ec3ef Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 18 Jan 2024 22:26:24 +0100
Subject: [PATCH 3/4] Revert libgit2 fetching

libgit2 is not capable of using git-credentials helpers yet.
This prevents private repositories from being used.

Based on code that was replaced in https://github.com/NixOS/nix/pull/9240
(Introduce libgit2); hence:

Co-authored-by: Eelco Dolstra <edolstra@gmail.com>
---
 src/libfetchers/git-utils.cc | 31 ++++++++++++-------------------
 1 file changed, 12 insertions(+), 19 deletions(-)

diff --git a/src/libfetchers/git-utils.cc b/src/libfetchers/git-utils.cc
index f34329fab..911c16c4b 100644
--- a/src/libfetchers/git-utils.cc
+++ b/src/libfetchers/git-utils.cc
@@ -383,27 +383,20 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
     {
         Activity act(*logger, lvlTalkative, actFetchTree, fmt("fetching Git repository '%s'", url));
 
-        Remote remote;
+        // TODO: implement git-credential helper support (preferably via libgit2, which as of 2024-01 does not support that)
+        //       then use code that was removed in this commit (see blame)
 
-        if (git_remote_create_anonymous(Setter(remote), *this, url.c_str()))
-            throw Error("cannot create Git remote '%s': %s", url, git_error_last()->message);
+        auto dir = this->path;
 
-        char * refspecs[] = {(char *) refspec.c_str()};
-        git_strarray refspecs2 {
-            .strings = refspecs,
-            .count = 1
-        };
-
-        git_fetch_options opts = GIT_FETCH_OPTIONS_INIT;
-        // FIXME: for some reason, shallow fetching over ssh barfs
-        // with "could not read from remote repository".
-        opts.depth = shallow && parseURL(url).scheme != "ssh" ? 1 : GIT_FETCH_DEPTH_FULL;
-        opts.callbacks.payload = &act;
-        opts.callbacks.sideband_progress = sidebandProgressCallback;
-        opts.callbacks.transfer_progress = transferProgressCallback;
-
-        if (git_remote_fetch(remote.get(), &refspecs2, &opts, nullptr))
-            throw Error("fetching '%s' from '%s': %s", refspec, url, git_error_last()->message);
+        runProgram(RunOptions {
+            .program = "git",
+            .searchPath = true,
+            // FIXME: git stderr messes up our progress indicator, so
+            // we're using --quiet for now. Should process its stderr.
+            .args = { "-C", path.abs(), "fetch", "--quiet", "--force", "--", url, refspec },
+            .input = {},
+            .isInteractive = true
+        });
     }
 
     void verifyCommit(

From 346d513d86491f2040735d22ba49cb0d701edb70 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Thu, 18 Jan 2024 22:34:38 +0100
Subject: [PATCH 4/4] tests/nixos/fetch-git: Add http-auth test

---
 .../test-cases/http-auth/default.nix          | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 tests/nixos/fetch-git/test-cases/http-auth/default.nix

diff --git a/tests/nixos/fetch-git/test-cases/http-auth/default.nix b/tests/nixos/fetch-git/test-cases/http-auth/default.nix
new file mode 100644
index 000000000..d483d54fb
--- /dev/null
+++ b/tests/nixos/fetch-git/test-cases/http-auth/default.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+{
+  description = "can fetch a private git repo via http";
+  repo.private = true;
+  script = ''
+    # add a file to the repo
+    client.succeed(f"""
+      echo ${config.name /* to make the git tree and store path unique */} > {repo.path}/test-case \
+      && echo lutyabrook > {repo.path}/new-york-state \
+      && {repo.git} add test-case new-york-state \
+      && {repo.git} commit -m 'commit1'
+    """)
+
+    # memoize the revision
+    rev1 = client.succeed(f"""
+      {repo.git} rev-parse HEAD
+    """).strip()
+
+    # push to the server
+    client.succeed(f"""
+      {repo.git} push origin main
+    """)
+
+    # fetch the repo via nix
+    fetched1 = client.succeed(f"""
+      nix eval --impure --raw --expr "(builtins.fetchGit {repo.remote}).outPath"
+    """)
+
+    # check if the committed file is there
+    client.succeed(f"""
+      test -f {fetched1}/new-york-state
+    """)
+
+    # check if the revision is the same
+    rev1_fetched = client.succeed(f"""
+      nix eval --impure --raw --expr "(builtins.fetchGit {repo.remote}).rev"
+    """).strip()
+    assert rev1 == rev1_fetched, f"rev1: {rev1} != rev1_fetched: {rev1_fetched}"
+  '';
+}