[bitbake-devel] fetch2/svn: Support to feed an external SSL certificate file and its password

Add parameters to feed an external SSL certificate and its password to the following SVN runtime options.
  --config-option=servers:global:ssl-client-cert-file="..."
  --config-option=servers:global:ssl-client-cert-password="..."

Can be specified with:
  SRC_URI = "svn://[repository];protocol=https;cert_file=[certificate path];cert_pass=[password]"

Signed-off-by: Mori Fumita <mfumita@electromag.com.au>
---
 lib/bb/fetch2/svn.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

On Fri, 2024-10-04 at 11:06 +0800, Morikazu Fumita via lists.openembedded.org wrote:
> Add parameters to feed an external SSL certificate and its password to the following SVN runtime options.
>   --config-option=servers:global:ssl-client-cert-file="..."
>   --config-option=servers:global:ssl-client-cert-password="..."
> 
> Can be specified with:
>   SRC_URI = "svn://[repository];protocol=https;cert_file=[certificate path];cert_pass=[password]"
> 
> Signed-off-by: Mori Fumita <mfumita@electromag.com.au>
> ---
>  lib/bb/fetch2/svn.py | 16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)

These look like things which you really shouldn't be putting into a
SRC_URI. Wouldn't they be better in the subversion config files within
the user's HOME directory?

We've not taken things adding support for passwords in various SRC_URIs
since it encourages behaviour which isn't secure/recommended.

Cheers,

Richard

On 4/10/2024 5:58 pm, Richard Purdie wrote:
> On Fri, 2024-10-04 at 11:06 +0800, Morikazu Fumita via lists.openembedded.org wrote:
>> Add parameters to feed an external SSL certificate and its password to the following SVN runtime options.
>>    --config-option=servers:global:ssl-client-cert-file="..."
>>    --config-option=servers:global:ssl-client-cert-password="..."
>>
>> Can be specified with:
>>    SRC_URI ="svn://[repository];protocol=https;cert_file=[certificate 
>> path];cert_pass=[password]"
>>
>> Signed-off-by: Mori Fumita<mfumita@electromag.com.au>
>> ---
>>   lib/bb/fetch2/svn.py | 16 +++++++++++++++-
>>   1 file changed, 15 insertions(+), 1 deletion(-)
> These look like things which you really shouldn't be putting into a
> SRC_URI. Wouldn't they be better in the subversion config files within
> the user's HOME directory?
>
> We've not taken things adding support for passwords in various SRC_URIs
> since it encourages behaviour which isn't secure/recommended.
>
> Cheers,
>
> Richard
This patch isn't meant to hard-code the certificate path and password in 
the recipe files.
Instead, it allows for dynamic configuration.

Our SVN server requires an SSL certificate for access.
We install the certificate locally and configure SVN to use it.

We also have a build machine running Jenkins for CD/CI.
For security reasons, we don't want to install the certificate on this 
machine.

Instead, we've set up Jenkins to provide the certificate and password 
via environment variables
using "Credentials Binding" plugin.
Since Jenkins temporarily installs the certificate at a dynamically 
generated obfuscated path,
it isn't straightforward to configure it in the SVN configuration file 
in the home directory.
Additionally, we want to avoid storing the password on the build machine.

So, the "SRC_URI" in the recipe would look something like this, using 
"ENV_VAR_CERT" and "ENV_VAR_PASS",
which Jenkins supplies dynamically.
SRC_URI = 
"svn://[repository];protocol=https;cert_file=${ENV_VAR_CERT};cert_pass=${ENV_VAR_PASS}

Thanks,
Mori
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#16638):https://lists.openembedded.org/g/bitbake-devel/message/16638
> Mute This Topic:https://lists.openembedded.org/mt/108811827/7022486
> Group Owner:bitbake-devel+owner@lists.openembedded.org
> Unsubscribe:https://lists.openembedded.org/g/bitbake-devel/unsub  [mfumita@electromag.com.au]
> -=-=-=-=-=-=-=-=-=-=-=-
>

On Mon, 7 Oct 2024 at 04:52, Mori Fumita via lists.openembedded.org
<mfumita=electromag.com.au@lists.openembedded.org> wrote:

> Since Jenkins temporarily installs the certificate at a dynamically generated obfuscated path,
> it isn't straightforward to configure it in the SVN configuration file in the home directory.
> Additionally, we want to avoid storing the password on the build machine.
>
> So, the "SRC_URI" in the recipe would look something like this, using "ENV_VAR_CERT" and "ENV_VAR_PASS",
> which Jenkins supplies dynamically.
> SRC_URI = "svn://[repository];protocol=https;cert_file=${ENV_VAR_CERT};cert_pass=${ENV_VAR_PASS}

This is still unsafe and can be easily misused. You need to write the
needed items into a temporary file(s), and configure svn to pick them
up (perhaps with a temporary configuration file that is formed just
before the build starts).

Alex

On 7/10/2024 6:20 pm, Alexander Kanavin wrote:
> On Mon, 7 Oct 2024 at 04:52, Mori Fumita via lists.openembedded.org
> <mfumita=electromag.com.au@lists.openembedded.org> wrote:
>
>> Since Jenkins temporarily installs the certificate at a dynamically generated obfuscated path,
>> it isn't straightforward to configure it in the SVN configuration file in the home directory.
>> Additionally, we want to avoid storing the password on the build machine.
>>
>> So, the "SRC_URI" in the recipe would look something like this, using "ENV_VAR_CERT" and "ENV_VAR_PASS",
>> which Jenkins supplies dynamically.
>> SRC_URI = "svn://[repository];protocol=https;cert_file=${ENV_VAR_CERT};cert_pass=${ENV_VAR_PASS}
> This is still unsafe and can be easily misused. You need to write the
> needed items into a temporary file(s), and configure svn to pick them
> up (perhaps with a temporary configuration file that is formed just
> before the build starts).
>
> Alex
Jenkins already handles most of what you mentioned automatically.
It copies the necessary items to a temporary location just before the 
build and cleans them up once it's complete.

The difference is whether these are configured through the SVN config 
file or
via the chain of Jenkins -> environment variables -> SRC_URI -> runtime 
SVN command line options.

As you suggested, these could be saved in a temporary configuration file 
instead of using environment variables.
In that case, the fetcher would need an interface to forward its path to 
the SVN "--config-dir" command line option anyway.
Also the password would need to be saved in the SVN key store, since it 
can't be saved in the config file.
I'm not sure if this key store can be temporary.

Since Jenkins already has the capability to provide the certificate via 
environment variables, I'd like to use that in bitBake.

Mori
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#16648): https://lists.openembedded.org/g/bitbake-devel/message/16648
> Mute This Topic: https://lists.openembedded.org/mt/108811827/7022486
> Group Owner: bitbake-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/bitbake-devel/unsub [mfumita@electromag.com.au]
> -=-=-=-=-=-=-=-=-=-=-=-
>

On Tue, 8 Oct 2024 at 05:02, Mori Fumita via lists.openembedded.org
<mfumita=electromag.com.au@lists.openembedded.org> wrote:

> As you suggested, these could be saved in a temporary configuration file
> instead of using environment variables.
> In that case, the fetcher would need an interface to forward its path to
> the SVN "--config-dir" command line option anyway.

But would it? Can you just add the needed options under ~/.subversion/ ?

The problem with extending the fetcher with specific tool options is
that it doesn't scale. You want these two options, someone else wants
other options. Git has hundreds of possible options. We direct
everyone to just put them in their local config.

And having passwords in recipes or environment variables still isn't
secure. Convenient, maybe, but that's a lesser priority.

Alex