
[v3] fetch2: Add path control to BB_ALLOWED_NETWORKS #bitbake

Message ID 2D8Y.1675772137721512677.cmXP@lists.openembedded.org
State New
Series [v3] fetch2: Add path control to BB_ALLOWED_NETWORKS #bitbake

Commit Message

Anders Jørgensen Feb. 7, 2023, 12:15 p.m. UTC
From 2ec3567b1a7a765b7047140fd35dc885872cc376 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy>
Date: Wed, 1 Feb 2023 13:08:11 +0100
Subject: [PATCH] fetch2: Add path control to BB_ALLOWED_NETWORKS

Make it possible to add path control to an allowed network, so that e.g. it is only possible to access your own repositories at a given host.

E.g.
BB_ALLOWED_NETWORKS="bitbucket.org/your_company"
The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company.

Signed-off-by: Anders Joergensen <anders.joergensen@advent.energy>
---
.../bitbake-user-manual-ref-variables.rst     |  4 ++++
lib/bb/fetch2/__init__.py                     | 23 +++++++++++++++----
lib/bb/tests/fetch.py                         | 12 ++++++++++
3 files changed, 35 insertions(+), 4 deletions(-)

--
2.34.1
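
As an added example that is not part of the posted patch or of BitBake's own code: a stand-alone Python re-implementation of the matching the commit message describes (exact host or `*.` wildcard, optional path restriction after the host), which additionally matches the path on whole segments and rejects `..` segments, two cases a plain string-prefix test does not cover. The function names and the use of `urllib.parse` instead of BitBake's `decodeurl` are assumptions made here.

```python
from urllib.parse import urlsplit


def host_allowed(entry_host: str, network: str) -> bool:
    """Exact host match, or a '*.example.org' wildcard (which also matches the bare domain)."""
    if entry_host.startswith("*.") and ("." + network).endswith(entry_host[1:]):
        return True
    return entry_host == network


def path_allowed(trusted_path, path: str) -> bool:
    """No path in the entry means any path; otherwise require a whole-segment prefix."""
    if trusted_path is None:
        return True
    if ".." in path.split("/"):
        return False  # do not let "/your_company/../other_company" slip through
    # Segment boundary: "/your_company" must not admit "/your_company_other/repo"
    return path == trusted_path or path.startswith(trusted_path + "/")


def trusted_network(allowed_networks: str, url: str) -> bool:
    """True if the URL's host, and its path when the entry carries one, is listed."""
    parts = urlsplit(url)
    network = (parts.hostname or "").lower()  # hostname drops port and user info
    if not network:
        return True  # e.g. file:// URLs carry no host to check
    # Strip BitBake-style ';key=value' parameters, compare case-insensitively,
    # and ignore a trailing slash so "/your_company/" and "/your_company" agree.
    path = parts.path.split(";", 1)[0].lower().rstrip("/") or "/"
    for entry in allowed_networks.split():
        host, _, tail = entry.lower().partition("/")
        trusted_path = "/" + tail.strip("/") if tail.strip("/") else None
        if host_allowed(host, network) and path_allowed(trusted_path, path):
            return True
    return False
```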

Comments

Quentin Schulz Feb. 7, 2023, 1:45 p.m. UTC | #1
Hi Anders,

On 2/7/23 13:15, Anders Jørgensen via lists.openembedded.org wrote:
>  From 2ec3567b1a7a765b7047140fd35dc885872cc376 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy>
> Date: Wed, 1 Feb 2023 13:08:11 +0100
> Subject: [PATCH] fetch2: Add path control to BB_ALLOWED_NETWORKS
> 
> Make it possible to add path control to an allowed network, so that e.g. it is only possible to access your own repositories at a given host.
> 
> E.g.
> BB_ALLOWED_NETWORKS="bitbucket.org/your_company"
> The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company.
> 
> Signed-off-by: Anders Joergensen <anders.joergensen@advent.energy>
> ---
> .../bitbake-user-manual-ref-variables.rst     |  4 ++++
> lib/bb/fetch2/__init__.py                     | 23 +++++++++++++++----
> lib/bb/tests/fetch.py                         | 12 ++++++++++
> 3 files changed, 35 insertions(+), 4 deletions(-)
> 
> diff --git a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
> index 09d09a8d..7d370668 100644
> --- a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
> +++ b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
> @@ -79,6 +79,10 @@ overview of their function and contents.
> For example, ``*.foo.bar`` is supported, while ``*aa.foo.bar``
> is not.
> 
> +      -  Limited path control is also possible like. ::

Can you explain what the example is supposed to do here?

e.g. a few lines above we have:
"""
For example, the following setting matches ``git.gnu.org``, 
``ftp.gnu.org``, and ``foo.git.gnu.org``. ::
"""
So I'm expecting something more explicit here too.

> +
> +            BB_ALLOWED_NETWORKS = "github.com/your_project bitbucket.org/your_company"

The indentation seems a bit odd here: the previous code block in the 
paragraph just above has a three-space indent and here you have way more.

> +
> -  Mirrors not in the host list are skipped and logged in debug.
> 
> -  Attempts to access networks not in the host list cause a failure.
> diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
> index 5a7a6024..d90d9cc9 100644
> --- a/lib/bb/fetch2/__init__.py
> +++ b/lib/bb/fetch2/__init__.py
> @@ -1165,12 +1165,27 @@ def trusted_network(d, url):
> 
> network = network.split(':')[0]
> network = network.lower()
> +    path = path.lower()
> +

Something's not right here. Python won't allow this indent in the middle 
of the code without actually being in an if, for-loop, while-loop, 
try-catch, function definition, class definition.

How are you sending the patch? Usually one is supposed to create the 
patch locally, commit it, then use git send-email (with possibly git 
format-patch before as an optional step). https://git-send-email.io/ 
should help you figure the details out. I believe this should fix the 
odd indentation here (if the original commit was properly created of 
course).

You can also use git-send-email to send the mail to yourself and then 
try to apply it yourself locally on master branch and see if it works.

Cheers,
Quentin

Patch

diff --git a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
index 09d09a8d..7d370668 100644
--- a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
+++ b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
@@ -79,6 +79,10 @@  overview of their function and contents.
For example, ``*.foo.bar`` is supported, while ``*aa.foo.bar``
is not.

+      -  Limited path control is also possible like. ::
+
+            BB_ALLOWED_NETWORKS = "github.com/your_project bitbucket.org/your_company"
+
-  Mirrors not in the host list are skipped and logged in debug.

-  Attempts to access networks not in the host list cause a failure.
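Review bot: The added bullet "Limited path control is also possible like. ::" does not say what the path part does; the text should state that an entry may carry a path after the host, that the URL path is then compared against it (case-insensitively) as a prefix, and that a URL whose path does not start with it is rejected even though the host matches. Phrase it like the existing example a few lines above, e.g. "An entry may also restrict the path on a host; the following setting allows fetching only from ``github.com/your_project`` and ``bitbucket.org/your_company``. ::", and indent the literal block by three spaces to match the code block just above it. It would also help to say whether the match is on whole path segments, since that decides whether ``bitbucket.org/your_company`` admits ``bitbucket.org/your_company_other``.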
diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
index 5a7a6024..d90d9cc9 100644
--- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py
@@ -1165,12 +1165,27 @@  def trusted_network(d, url):

network = network.split(':')[0]
network = network.lower()
+    path = path.lower()
+
+    for host_path in trusted_hosts.split(" "):
+        host_path = host_path.lower()
+        is_trusted = False
+        split_data = host_path.split("/", 1)
+        host = split_data[0]
+        trusted_path = None
+        if len(split_data) == 2:
+            trusted_path = "/" + split_data[1]

-    for host in trusted_hosts.split(" "):
-        host = host.lower()
if host.startswith("*.") and ("." + network).endswith(host[1:]):
-            return True
-        if host == network:
+            is_trusted = True
+        elif host == network:
+            is_trusted = True
+
+        if trusted_path and is_trusted:
+            if not path.startswith(trusted_path):
+                is_trusted = False
+
+        if is_trusted:
return True

return False
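Review bot: `if not path.startswith(trusted_path):` matches on a raw string prefix, so an entry `bitbucket.org/your_company` also admits `bitbucket.org/your_company_other/...`, which defeats the restriction the commit message promises; require a segment boundary instead, e.g. `if not (path == trusted_path or path.startswith(trusted_path + "/")):`. The URL path is also compared unnormalised, so consider rejecting `..` segments before the prefix test. Two smaller points: `path` is lower-cased here but its assignment is not in this hunk's context, so it must be the path produced by the URL decoding earlier in `trusted_network`; and the added lines are indented inconsistently with the unchanged `if host.startswith("*.")` line, which is the problem Quentin raises above and is presumably a side effect of how the patch was sent.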
diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py
index f3890321..3fbe7a01 100644
--- a/lib/bb/tests/fetch.py
+++ b/lib/bb/tests/fetch.py
@@ -1323,6 +1323,18 @@  class TrustedNetworksTest(FetcherTest):
self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
self.assertFalse(bb.fetch.trusted_network(self.d, url))

+    def test_trusted_network_path(self):
+        # Ensure trusted_network returns true when the host and path IS in the list.
+        url = "git://Someserver.org/RightPath/foo;rev=1;branch=master"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+        self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+    def test_untrusted_network_path(self):
+        # Ensure trusted_network returns False when the host is in list but the path is wrong.
+        url = "git://Someserver.org/WrongPath/foo;rev=1;branch=master"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+        self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
class URLHandle(unittest.TestCase):

datatable = {
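Review bot: The two new tests only cover a wildcard host (`*.someserver.org/rightpath`) with a URL path that is a clean sub-path of the allowed one; add a test for an exact host with a path (e.g. `server1.org/rightpath`), one where the URL path shares a string prefix but not a whole segment (`/rightpathextra/foo` against `/rightpath`, which should be rejected), and one showing that an entry without a path still allows any path on that host, so the previous behaviour stays covered.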