publish: Prevent publication of non-substitutable derivation outputs.

This commit prevents Guix substitute servers from distributing binaries
which are marked non-substitutable.  This prevents substitute servers
from accidentally committing copyright violations by distributing
binaries that are non-substitutable for copyright reasons.

* guix/scripts/publish.scm (render-nar): Query the derivers of
‘store-path’ and do nothing if one of them does not match
‘substitutable-derivation?’.
* tests/publish.scm ("non-substitutable derivation"): New test.

Change-Id: Iaca81f5bdb430a12a3ad41e9b83e0bcc535af607
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Modified-by: Ludovic Courtès <ludo@gnu.org>

tests/publish.scm

@@ -425,6 +425,23 @@ FileSize: ~a~%"
         (display "This file is not a valid store item." port)))
     (response-code (http-get (publish-uri (string-append "/nar/invalid"))))))
 
+(test-equal "non-substitutable derivation"
+  404
+  (let* ((non-substitutable
+          (run-with-store %store
+            (gexp->derivation "non-substitutable"
+                              #~(begin
+                                  (mkdir #$output)
+                                  (chdir #$output)
+                                  (call-with-output-file "foo.txt"
+                                    (lambda (port)
+                                      (display "bar" port))))
+                              #:substitutable? #f)))
+         (item (derivation->output-path non-substitutable)))
+    (build-derivations %store (list non-substitutable))
+    (response-code (http-get (publish-uri
+                              (string-append "/nar/" (basename item)))))))
+
 (test-equal "/file/NAME/sha256/HASH"
   "Hello, Guix world!"
   (let* ((data "Hello, Guix world!")