Fix restricted eval mode issue with mkCacheFile (#392)

If the .nix files listed in the cache are full paths pointing at the
store we get errors like this in restricted eval mode:

error: access to path '/nix/store/...-cabal-simple.nix' is forbidden
in restricted mode

lib/call-stack-to-nix.nix

@@ -35,7 +35,7 @@ let
   } (''
     mkdir -p $out
   '' + pkgs.lib.optionalString (cache != null) ''
-    cp ${mkCacheFile cache} $out/.stack-to-nix.cache
+    cp ${mkCacheFile cache}/.stack-to-nix.cache* $out
   '' + ''
     (cd $out && stack-to-nix ${stackToNixArgs})
 

overlays/haskell.nix

@@ -285,18 +285,34 @@ self: super: {
 
             sha256String = if isNull sha256 then self.buildPackages.lib.fakeSha256 else sha256;
 
-          in "${url} ${rev} ${subdir} ${sha256String} ${name} ${nix-expr}";
+          in {
+            line = "${url} ${rev} ${subdir} ${sha256String} ${name}";
+            inherit nix-expr;
+          };
 
         # Given a list of repos:
         # [ { name = ...; url = ...; rev = ...; ref = ...; sha256 = ...; cabal-file = ...; type = ...; is-private = ...; } ]
         # produce a cache file that can be used for
         # stack-to-nix or plan-to-nix to prevent them
         # from needing network access.
+        # The cache contains only local paths to nix files so that it can
+        # the results of `stack-to-nix` can be imported in restrected eval
+        # mode.
         mkCacheFile = repos:
-          self.buildPackages.pkgs.writeTextFile {
-              name = "cache-file";
-              text = self.buildPackages.lib.concatMapStringsSep "\n" mkCacheLine repos;
-          };
+          self.buildPackages.pkgs.runCommand "cache-file" {} ''
+              mkdir -p $out
+              touch $out/.stack-to-nix.cache
+              ${self.lib.concatStrings (
+                self.lib.lists.zipListsWith (n: repo:
+                  let l = mkCacheLine repo;
+                  in ''
+                    cp ${l.nix-expr} $out/.stack-to-nix.cache.${toString n}
+                    echo ${l.line} .stack-to-nix.cache.${toString n} >> $out/.stack-to-nix.cache
+                  '')
+                  (self.lib.lists.range 0 ((builtins.length repos) - 1))
+                  repos)
+              }
+          '';
 
         mkCacheModule = cache:
             # for each item in the `cache`, set

test/default.nix

@@ -40,6 +40,7 @@ in pkgs.recurseIntoAttrs {
   ghc-options-cabal = haskell-nix.callPackage ./ghc-options/cabal.nix {};
   ghc-options-stack = haskell-nix.callPackage ./ghc-options/stack.nix {};
   exe-only = haskell-nix.callPackage ./exe-only { inherit util; };
+  stack-source-repo = haskell-nix.callPackage ./stack-source-repo {};
 
   # Run unit tests with: nix-instantiate --eval --strict -A unit.tests
   # An empty list means success.

test/stack-source-repo/.gitignore

@@ -0,0 +1,2 @@
+/.stack-work/
+/*.cabal

test/stack-source-repo/default.nix

@@ -0,0 +1,15 @@
+{ stackProject', recurseIntoAttrs }:
+
+let
+  project = stackProject' {
+    src = ./.;
+    cache = [ { is-private = false; name = "cabal-simple"; rev = "bc01ebc05a8105035c9449943046b46c8364b932"; sha256 = "003lm3pm024vhbfmii7xcdd9v2rczpflxf7gdl2pyxia7p014i8z"; subdir = "test/cabal-simple"; url = "https://github.com/input-output-hk/haskell.nix.git"; } ];
+  };
+  packages = project.hsPkgs;
+
+in recurseIntoAttrs {
+  ifdInputs = {
+    inherit (project) stack-nix;
+  };
+  inherit (packages.stack-source-repo.components) library;
+}

test/stack-source-repo/package.yaml

@@ -0,0 +1,8 @@
+name: stack-source-repo
+
+dependencies:
+- base
+- cabal-simple
+
+library:
+  source-dirs: src

test/stack-source-repo/src/Lib.hs

@@ -0,0 +1,6 @@
+module Lib
+    ( someFunc
+    ) where
+
+someFunc :: IO ()
+someFunc = putStrLn "someFunc"

test/stack-source-repo/stack.yaml

@@ -0,0 +1,11 @@
+resolver: lts-14.13
+
+packages:
+- .
+
+extra-deps:
+- git: https://github.com/input-output-hk/haskell.nix.git
+  commit: bc01ebc05a8105035c9449943046b46c8364b932
+  subdirs:
+    - test/cabal-simple
+