#pragma once

#include <functional>
#include <string>
#include <cstdint>

#include "types.hh"

class sqlite3;
class sqlite3_stmt;

namespace nix {

/* RAII wrapper to close a SQLite database automatically. */
struct SQLite
{
    sqlite3 * db;
    SQLite() { db = 0; }
    ~SQLite();
    operator sqlite3 * () { return db; }
};

/* RAII wrapper to create and destroy SQLite prepared statements. */
struct SQLiteStmt
{
    sqlite3 * db = 0;
    sqlite3_stmt * stmt = 0;
    SQLiteStmt() { }
    void create(sqlite3 * db, const std::string & s);
    ~SQLiteStmt();
    operator sqlite3_stmt * () { return stmt; }

    /* Helper for binding / executing statements. */
    class Use
    {
        friend struct SQLiteStmt;
    private:
        SQLiteStmt & stmt;
        unsigned int curArg = 1;
        Use(SQLiteStmt & stmt);

    public:

        ~Use();

        /* Bind the next parameter. */
        Use & operator () (const std::string & value, bool notNull = true);
        Use & operator () (int64_t value, bool notNull = true);
        Use & bind(); // null

        int step();

        /* Execute a statement that does not return rows. */
        void exec();

        /* For statements that return 0 or more rows. Returns true iff
           a row is available. */
        bool next();

        std::string getStr(int col);
        int64_t getInt(int col);
    };

    Use use()
    {
        return Use(*this);
    }
};

/* RAII helper that ensures transactions are aborted unless explicitly
   committed. */
struct SQLiteTxn
{
    bool active = false;
    sqlite3 * db;

    SQLiteTxn(sqlite3 * db);

    void commit();

    ~SQLiteTxn();
};


MakeError(SQLiteError, Error);
MakeError(SQLiteBusy, SQLiteError);

[[noreturn]] void throwSQLiteError(sqlite3 * db, const format & f);

/* Convenience function for retrying a SQLite transaction when the
   database is busy. */
template<typename T>
T retrySQLite(std::function<T()> fun)
{
    while (true) {
        try {
            return fun();
        } catch (SQLiteBusy & e) {
        }
    }
}

}
ainer '() (lambda () (assert-exit (and (= 42 (getuid)) (= 77 (getgid))))) #:guest-uid 42 #:guest-gid 77 #:namespaces '(user)))) (skip-if-unsupported) (test-assert "call-with-container, uts namespace" (zero? (call-with-container '() (lambda () ;; The user is root within the container and should be able to change ;; the hostname of that container. (sethostname "test-container") (primitive-exit 0)) #:namespaces '(user uts)))) (skip-if-unsupported) (test-assert "call-with-container, pid namespace" (zero? (call-with-container '() (lambda () (match (primitive-fork) (0 ;; The first forked process in the new pid namespace is pid 2. (assert-exit (= 2 (getpid)))) (pid (primitive-exit (match (waitpid pid) ((_ . status) (status:exit-val status))))))) #:namespaces '(user pid)))) (skip-if-unsupported) (test-assert "call-with-container, mnt namespace" (zero? (call-with-container (list (file-system (device "none") (mount-point "/testing") (type "tmpfs") (check? #f))) (lambda () (assert-exit (file-exists? "/testing"))) #:namespaces '(user mnt)))) (skip-if-unsupported) (test-equal "call-with-container, mnt namespace, wrong bind mount" `(system-error ,ENOENT) ;; An exception should be raised; see <http://bugs.gnu.org/23306>. (catch 'system-error (lambda () (call-with-container (list (file-system (device "/does-not-exist") (mount-point "/foo") (type "none") (flags '(bind-mount)) (check? #f))) (const #t) #:namespaces '(user mnt))) (lambda args (list 'system-error (system-error-errno args))))) (skip-if-unsupported) (test-assert "call-with-container, all namespaces" (zero? (call-with-container '() (lambda () (primitive-exit 0))))) (skip-if-unsupported) (test-assert "call-with-container, mnt namespace, root permissions" (zero? (call-with-container '() (lambda () (assert-exit (= #o755 (stat:perms (lstat "/"))))) #:namespaces '(user mnt)))) (skip-if-unsupported) (test-assert "container-excursion" (call-with-temporary-directory (lambda (root) ;; Two pipes: One for the container to signal that the test can begin, ;; and one for the parent to signal to the container that the test is ;; over. (match (list (pipe) (pipe)) (((start-in . start-out) (end-in . end-out)) (define (container) (close end-out) (close start-in) ;; Signal for the test to start. (write 'ready start-out) (close start-out) ;; Wait for test completion. (read end-in) (close end-in)) (define (namespaces pid) (let ((pid (number->string pid))) (map (lambda (ns) (readlink (string-append "/proc/" pid "/ns/" ns))) '("user" "ipc" "uts" "net" "pid" "mnt")))) (let* ((pid (run-container root '() %namespaces 1 container)) (container-namespaces (namespaces pid)) (result (begin (close start-out) ;; Wait for container to be ready. (read start-in) (close start-in) (container-excursion pid (lambda () ;; Check that all of the namespace identifiers are ;; the same as the container process. (assert-exit (equal? container-namespaces (namespaces (getpid))))))))) (close end-in) ;; Stop the container. (write 'done end-out) (close end-out) (waitpid pid) (zero? result))))))) (skip-if-unsupported) (test-equal "container-excursion, same namespaces" 42 ;; The parent and child are in the same namespaces. 'container-excursion' ;; should notice that and avoid calling 'setns' since that would fail. (status:exit-val (container-excursion (getpid) (lambda () (primitive-exit 42))))) (skip-if-unsupported) (test-assert "container-excursion*" (call-with-temporary-directory (lambda (root) (define (namespaces pid) (let ((pid (number->string pid))) (map (lambda (ns) (readlink (string-append "/proc/" pid "/ns/" ns))) '("user" "ipc" "uts" "net" "pid" "mnt")))) (let* ((pid (run-container root '() %namespaces 1 (lambda () (sleep 100)))) (expected (namespaces pid)) (result (container-excursion* pid (lambda () (namespaces 1))))) (kill pid SIGKILL) (equal? result expected))))) (skip-if-unsupported) (test-equal "container-excursion*, same namespaces" 42 (container-excursion* (getpid) (lambda () (* 6 7)))) (skip-if-unsupported) (test-equal "container-excursion*, /proc" '("1" "2") (call-with-temporary-directory (lambda (root) (let* ((pid (run-container root '() %namespaces 1 (lambda () (sleep 100)))) (result (container-excursion* pid (lambda () ;; We expect to see exactly two processes in this ;; namespace. (scandir "/proc" (lambda (file) (char-set-contains? char-set:digit (string-ref file 0)))))))) (kill pid SIGKILL) result)))) (skip-if-unsupported) (test-equal "eval/container, exit status" 42 (let* ((store (open-connection-for-tests)) (status (run-with-store store (eval/container #~(exit 42))))) (close-connection store) (status:exit-val status))) (skip-if-unsupported) (test-assert "eval/container, writable user mapping" (call-with-temporary-directory (lambda (directory) (define store (open-connection-for-tests)) (define result (string-append directory "/r")) (define requisites* (store-lift requisites)) (call-with-output-file result (const #t)) (run-with-store store (mlet %store-monad ((status (eval/container #~(begin (use-modules (ice-9 ftw)) (call-with-output-file "/result" (lambda (port) (write (scandir #$(%store-prefix)) port)))) #:mappings (list (file-system-mapping (source result) (target "/result") (writable? #t))))) (reqs (requisites* (list (derivation->output-path (%guile-for-build)))))) (close-connection store) (return (and (zero? (pk 'status status)) (lset= string=? (cons* "." ".." (map basename reqs)) (pk (call-with-input-file result read)))))))))) (skip-if-unsupported) (test-assert "eval/container, non-empty load path" (call-with-temporary-directory (lambda (directory) (define store (open-connection-for-tests)) (define result (string-append directory "/r")) (define requisites* (store-lift requisites)) (mkdir result) (run-with-store store (mlet %store-monad ((status (eval/container (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (mkdir-p "/result/a/b/c"))) #:mappings (list (file-system-mapping (source result) (target "/result") (writable? #t)))))) (close-connection store) (return (and (zero? status) (file-is-directory? (string-append result "/a/b/c"))))))))) (test-end)