Message ID | xWAM.1675259966225954323.ROLQ@lists.openembedded.org |
---|---|
State | New |
Series | Add path control to BB_ALLOWED_NETWORKS | expand |
Hello, This patch doesn't apply, it is malformed On 01/02/2023 05:59:26-0800, Anders J�rgensen via lists.openembedded.org wrote: > From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy> > Date: Wed, 1 Feb 2023 13:08:11 +0100 > Subject: [PATCH] Add path control to BB_ALLOWED_NETWORKS > > Make it able to add path control to the allowed network, so e.g. it is only possible to access own repositories at a given host > > Eg. > BB_ALLOWED_NETWORKS="bitbucket.org/your_company" > The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company > --- > .../bitbake-user-manual-ref-variables.rst� � �|� 3 +++ > bitbake/lib/bb/fetch2/__init__.py� � � � � � �| 23 +++++++++++++++---- > bitbake/lib/bb/tests/fetch.py� � � � � � � � �| 12 ++++++++++ > 3 files changed, 34 insertions(+), 4 deletions(-) > > diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst > index af4ff9805c..7942cd2d3a 100644 > --- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst > +++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst > @@ -84,6 +84,9 @@ overview of their function and contents. > > -� Attempts to access networks not in the host list cause a failure. > > +� � � -� Limit path control is also possible like. :: > +� � � � � � BB_ALLOWED_NETWORKS = "github.com/your_project bitbucket.org/your_company" > + > Using :term:`BB_ALLOWED_NETWORKS` in conjunction with There are missing spaces here > :term:`PREMIRRORS` is very useful. Adding the > host you want to use to :term:`PREMIRRORS` results in the source code > diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py > index ac557176d7..69ad898464 100644 > --- a/bitbake/lib/bb/fetch2/__init__.py > +++ b/bitbake/lib/bb/fetch2/__init__.py 
> @@ -1158,12 +1158,27 @@ def trusted_network(d, url): > > network = network.split(':')[0] > network = network.lower() > +� � path = path.lower() > + > +� � for host_path in trusted_hosts.split(" "): > +� � � � host_path = host_path.lower() > +� � � � is_trusted = False > +� � � � split_data = host_path.split("/", 1) > +� � � � host = split_data[0] > +� � � � trusted_path = None > +� � � � if len(split_data) == 2: > +� � � � � � trusted_path = "/" + split_data[1] > > -� � for host in trusted_hosts.split(" "): > -� � � � host = host.lower() > if host.startswith("*.") and ("." + network).endswith(host[1:]): > -� � � � � � return True > -� � � � if host == network: > +� � � � � � is_trusted = True > +� � � � elif host == network: > +� � � � � � is_trusted = True > + > +� � � � if trusted_path and is_trusted: > +� � � � � � if not path.startswith(trusted_path): > +� � � � � � � � is_trusted = False > + > +� � � � if is_trusted: > return True > > return False > diff --git a/bitbake/lib/bb/tests/fetch.py b/bitbake/lib/bb/tests/fetch.py > index 1152e89c0d..c641c1221e 100644 > --- a/bitbake/lib/bb/tests/fetch.py > +++ b/bitbake/lib/bb/tests/fetch.py 
> @@ -1288,6 +1288,18 @@ class TrustedNetworksTest(FetcherTest): > self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org") > self.assertFalse(bb.fetch.trusted_network(self.d, url)) > > +� � def test_trusted_network_path(self): > +� � � � # Ensure trusted_network returns true when the host and path IS in the list. > +� � � � url = "git://Someserver.org/RightPath/foo;rev=1;branch=master" > +� � � � self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org") > +� � � � self.assertTrue(bb.fetch.trusted_network(self.d, url)) > + > +� � def test_untrusted_network_path(self): > +� � � � # Ensure trusted_network returns False when the host is in list but the path is wrong. > +� � � � url = "git://Someserver.org/WrongPath/foo;rev=1;branch=master" > +� � � � self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org") > +� � � � self.assertFalse(bb.fetch.trusted_network(self.d, url)) > + > class URLHandle(unittest.TestCase): > > datatable = { > -- > 2.34.1 > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#14363): https://lists.openembedded.org/g/bitbake-devel/message/14363 > Mute This Topic: https://lists.openembedded.org/mt/96676597/3617179 > Group Owner: bitbake-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/bitbake-devel/unsub [alexandre.belloni@bootlin.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
index af4ff9805c..7942cd2d3a 100644
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
@@ -84,6 +84,9 @@ overview of their function and contents.
 - Attempts to access networks not in the host list cause a failure.
+ - Limit path control is also possible like. ::
+ BB_ALLOWED_NETWORKS = "github.com/your_project bitbucket.org/your_company"
+
 Using :term:`BB_ALLOWED_NETWORKS` in conjunction with
 :term:`PREMIRRORS` is very useful. Adding the
 host you want to use to :term:`PREMIRRORS` results in the source code
diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py
index ac557176d7..69ad898464 100644
--- a/bitbake/lib/bb/fetch2/__init__.py
+++ b/bitbake/lib/bb/fetch2/__init__.py
@@ -1158,12 +1158,27 @@ def trusted_network(d, url):
 network = network.split(':')[0]
 network = network.lower()
+ path = path.lower()
+
+ for host_path in trusted_hosts.split(" "):
+ host_path = host_path.lower()
+ is_trusted = False
+ split_data = host_path.split("/", 1)
+ host = split_data[0]
+ trusted_path = None
+ if len(split_data) == 2:
+ trusted_path = "/" + split_data[1]
- for host in trusted_hosts.split(" "):
- host = host.lower()
 if host.startswith("*.") and ("." + network).endswith(host[1:]):
- return True
- if host == network:
+ is_trusted = True
+ elif host == network:
+ is_trusted = True
+
+ if trusted_path and is_trusted:
+ if not path.startswith(trusted_path):
+ is_trusted = False
+
+ if is_trusted:
 return True
 return False
diff --git a/bitbake/lib/bb/tests/fetch.py b/bitbake/lib/bb/tests/fetch.py
index 1152e89c0d..c641c1221e 100644
--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
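Review bot: The new check `path.startswith(trusted_path)` in trusted_network is a raw string-prefix test, so an entry such as `bitbucket.org/your_company` would also admit a path like `/your_company_other/...` on the same host, which defeats the stated goal of keeping other owners out. Match on a path-segment boundary instead, e.g. `if path != trusted_path and not path.startswith(trusted_path.rstrip("/") + "/"):`. The function starts above the hunk and `path` is assigned there, so it is not visible here whether it can still carry `..` segments or percent-encoding at this point; if it can, it should be normalised before the comparison. Lower-casing `path` also makes the match case-insensitive, which may be too permissive on hosts whose paths are case-sensitive, so a comment stating that this is intentional would help.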
@@ -1288,6 +1288,18 @@ class TrustedNetworksTest(FetcherTest):
 self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
 self.assertFalse(bb.fetch.trusted_network(self.d, url))
+ def test_trusted_network_path(self):
+ # Ensure trusted_network returns true when the host and path IS in the list.
+ url = "git://Someserver.org/RightPath/foo;rev=1;branch=master"
+ self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+ self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+ def test_untrusted_network_path(self):
+ # Ensure trusted_network returns False when the host is in list but the path is wrong.
+ url = "git://Someserver.org/WrongPath/foo;rev=1;branch=master"
+ self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+ self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
 class URLHandle(unittest.TestCase):
 datatable = {
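Review bot: Both added tests use a path that either matches the allowed one or differs from its first character, so neither would catch a prefix-only match in trusted_network. Add a case where the URL path merely begins with the allowed string, e.g. url `git://Someserver.org/RightPathOther/foo;rev=1;branch=master` (constructed sample) against the same `*.someserver.org/rightpath` entry, ending in `self.assertFalse(bb.fetch.trusted_network(self.d, url))`. A test with an exact, non-wildcard host plus path (the `bitbucket.org/your_company` form from the commit message) is also missing, since both tests go through the `*.` branch. In the first comment, `returns true` should read `returns True` to match the second test.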
From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy> Date: Wed, 1 Feb 2023 13:08:11 +0100 Subject: [PATCH] Add path control to BB_ALLOWED_NETWORKS Make it able to add path control to the allowed network, so e.g. it is only possible to access own repositories at a given host Eg. BB_ALLOWED_NETWORKS="bitbucket.org/your_company" The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company --- .../bitbake-user-manual-ref-variables.rst | 3 +++ bitbake/lib/bb/fetch2/__init__.py | 23 +++++++++++++++---- bitbake/lib/bb/tests/fetch.py | 12 ++++++++++ 3 files changed, 34 insertions(+), 4 deletions(-) -- 2.34.1