From e8d507857df5bb17799b5fae663ba7bf9de1c9fa Mon Sep 17 00:00:00 2001
From: Greg Curtis
Date: Mon, 26 Sep 2022 15:15:15 -0400
Subject: [PATCH] nix: carry over (NIX_)SSL_CERT_FILE to devbox shells (#178)

When `NIX_SSL_CERT_FILE` and `SSL_CERT_FILE` aren't explicitly set, `nix-shell --pure` sets them to invalid paths (specifically "/no-cert-file.crt") to ensure that openssl doesn't use certificates that live outside of the current Nix environment. This causes HTTPS requests in most programs to fail. For example: (devbox) $ curl https://google.com curl: (77) error setting certificate verify locations: CAfile: /no-cert-file.crt CApath: none This is pretty inconvenient for development, so we want to undo those changes when launching a devbox shell. To do that, we: 1. Keep any `NIX_SSL_CERT_FILE` and `SSL_CERT_FILE` values that are set in the parent shell. 2. Unset `NIX_SSL_CERT_FILE` or `SSL_CERT_FILE` when they're set to the "/no-cert-file.crt" value set by `nix-shell`. This causes openssl to go back to using the default paths. NIX_SSL_CERT_FILE is used by some programs installed by Nix. SSL_CERT_FILE is used by non-Nix programs and some Nix programs. Fixes #177.
---
 nix/shell.go | 2 ++
 tmpl/shell.nix.tmpl | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/nix/shell.go b/nix/shell.go
index c3e4e4589e1..5e8c5402be3 100644
--- a/nix/shell.go
+++ b/nix/shell.go
@@ -312,6 +312,8 @@ var envToKeep = map[string]bool{
 // Variables specific to running in a Nix shell and devbox shell.
 "PARENT_PATH": true, // The PATH of the parent shell (where `devbox shell` was invoked).
 "__ETC_PROFILE_NIX_SOURCED": true, // Prevents Nix from being sourced again inside a devbox shell.
+"NIX_SSL_CERT_FILE": true, // The path to Nix-installed SSL certificates (used by some Nix programs).
+"SSL_CERT_FILE": true, // The path to non-Nix SSL certificates (used by some Nix and non-Nix programs).
 }
 
 // toKeepArgs takes a slice of environment variables in key=value format and 
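Review bot: The comment on the new `"SSL_CERT_FILE"` entry is misleading: the value is not "non-Nix SSL certificates", it is whatever CA bundle the parent shell points at, and by keeping it (and `NIX_SSL_CERT_FILE`) the devbox shell now trusts that bundle for every TLS connection — which is exactly the isolation the commit message says `nix-shell --pure` was enforcing. That trade-off should be stated in the comment so nobody later "fixes" it away, e.g. `"SSL_CERT_FILE": true, // CA bundle of the parent shell, trusted as-is inside devbox (deliberately undoes nix-shell --pure's cert isolation).` and likewise for `NIX_SSL_CERT_FILE`. The values are also passed through unvalidated, so a parent shell whose bundle path is stale or unreadable will keep producing the curl error 77 this commit sets out to fix, with nothing pointing at the cause. The map's consumer, `toKeepArgs`, begins after the hunk and is not visible here.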
diff --git a/tmpl/shell.nix.tmpl b/tmpl/shell.nix.tmpl
index 18fbe1ece7c..8a13bbf8e74 100644
--- a/tmpl/shell.nix.tmpl
+++ b/tmpl/shell.nix.tmpl
@@ -27,6 +27,15 @@ mkShell {
 export IN_NIX_SHELL=0
 export DEVBOX_SHELL_ENABLED=1
 
+# Undo the effects of `nix-shell --pure` on SSL certs.
+# See https://github.com/NixOS/nixpkgs/blob/dae204faa0243b4d0c0234a5f5f83a2549ecb5b7/pkgs/stdenv/generic/setup.sh#L677-L685
+if [ "$NIX_SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
+unset NIX_SSL_CERT_FILE
+fi
+if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
+unset SSL_CERT_FILE
+fi
+
 # Append the parent shell's PATH so that we retain access to
 # non-Nix programs, while still preferring the Nix ones.
 export "PATH=$PATH:$PARENT_PATH"
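Review bot: The two new `if` tests compare with `==` inside `[ ]`, which is a bash extension; `[ "$NIX_SSL_CERT_FILE" = "/no-cert-file.crt" ]` is the POSIX spelling, behaves identically under bash, and avoids a silent failure if this hook is ever run by a stricter `sh`. More importantly, the branch fires only on exact string equality with `/no-cert-file.crt`, a private sentinel of nixpkgs' `setup.sh` (the link pins one commit); if nixpkgs renames it the check stops matching and the certificate error returns with no hint why. I would record that coupling next to the check, e.g. `# NOTE: "/no-cert-file.crt" is nixpkgs' internal sentinel; if it changes, update this string rather than widening the test to "any unreadable path", since a user-supplied bundle that is missing should fail loudly instead of silently falling back to system trust.` The enclosing block (inside `mkShell {` per the hunk header) starts and ends outside the hunk.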