diff mbox series

[v2] fetch2: Add path control to BB_ALLOWED_NETWORKS #bitbake

Message ID tRzV.1675761464866849302.d3iU@lists.openembedded.org
State New
Series [v2] fetch2: Add path control to BB_ALLOWED_NETWORKS #bitbake

Commit Message

Anders Jørgensen Feb. 7, 2023, 9:17 a.m. UTC
From d08ab52c29cda8969b9f9e198d1ef2fd11d06ca4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy>
Date: Wed, 1 Feb 2023 13:08:11 +0100
Subject: [PATCH] fetch2: Add path control to BB_ALLOWED_NETWORKS

Make it possible to add path control to an allowed network, so that e.g. only your own repositories at a given host can be accessed.

E.g.
BB_ALLOWED_NETWORKS="bitbucket.org/your_company"
The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company.

Signed-off-by: Anders Joergensen <anders.joergensen@advent.energy>
---
.../bitbake-user-manual-ref-variables.xml     |  5 ++++
lib/bb/fetch2/__init__.py                     | 23 +++++++++++++++----
lib/bb/tests/fetch.py                         | 12 ++++++++++
3 files changed, 36 insertions(+), 4 deletions(-)

--
2.34.1
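As an added example (not code from the patch or from bitbake itself), a stand-alone re-implementation of the allow-list semantics described above: `*.host` wildcards as in the existing BB_ALLOWED_NETWORKS, plus an optional path that is matched on whole path segments, so `bitbucket.org/your_company` admits `bitbucket.org/your_company/...` but not `bitbucket.org/other_company/...` or `bitbucket.org/your_company_other/...`. It parses URLs with `urllib.parse.urlsplit` instead of bitbake's `decodeurl` and, like the patch, compares paths case-insensitively.

```python
from urllib.parse import urlsplit


def _host_matches(pattern_host, host):
    """'*.example.org' covers example.org and every subdomain of it;
    any other pattern must equal the host exactly."""
    if pattern_host.startswith("*."):
        return ("." + host).endswith(pattern_host[1:])
    return host == pattern_host


def _path_matches(trusted_path, path):
    """Prefix match on whole path segments: '/acme' admits '/acme' and
    '/acme/repo.git' but not '/acme-other/repo.git' or '/acmeX'."""
    if trusted_path is None:
        return True          # entry is a bare host: any path is fine
    trusted_path = trusted_path.rstrip("/")
    path = path.rstrip("/")
    return path == trusted_path or path.startswith(trusted_path + "/")


def trusted_network(allowed_networks, url):
    """Return True if url is covered by an entry of the space-separated
    allow-list; entries look like 'host', '*.host' or 'host/path/prefix'.
    An empty allow-list disables the check, as BB_ALLOWED_NETWORKS does."""
    if not allowed_networks:
        return True
    # bitbake URLs carry ';key=value' parameters after the path; drop them first.
    parts = urlsplit(url.split(";", 1)[0])
    host = (parts.hostname or "").lower()   # hostname drops user@ and :port
    if not host:
        return True                          # e.g. file:// URLs are not network fetches
    # Case-insensitive path comparison, mirroring the patch; repository paths on
    # many servers are case-sensitive, so this is deliberately the permissive choice.
    path = parts.path.lower()
    for entry in allowed_networks.split():
        pattern_host, has_path, rest = entry.lower().partition("/")
        trusted_path = "/" + rest if has_path else None
        if _host_matches(pattern_host, host) and _path_matches(trusted_path, path):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs taken from the commit message and the patch's tests.
    allowed = "server1.org *.someserver.org/rightpath bitbucket.org/your_company"
    for u in ("git://Someserver.org/RightPath/foo;rev=1;branch=master",
              "https://bitbucket.org/other_company/repo.git",
              "https://bitbucket.org/your_company_other/repo.git"):
        print(u, "->", trusted_network(allowed, u))
```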

Comments

Luca Ceresoli Feb. 7, 2023, 11:10 a.m. UTC | #1
Hello Anders,

On Tue, 07 Feb 2023 01:17:44 -0800
Anders Jørgensen via lists.openembedded.org
<anders.joergensen=advent.energy@lists.openembedded.org> wrote:

> From d08ab52c29cda8969b9f9e198d1ef2fd11d06ca4 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy>
> Date: Wed, 1 Feb 2023 13:08:11 +0100
> Subject: [PATCH] fetch2: Add path control to BB_ALLOWED_NETWORKS

I'm afraid this v2 also does not apply. The few lines quoted above
suggest you did not use git send-email to send it but maybe
forwarded another email.

I recommend you to read the guidelines at
https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
in order to prepare a good commit message and to send your patch
in a way that makes it more easily reviewed, applied and tested.

Before sending it again to the list I suggest you try to send it to
yourself and check whether it looks correct, or to send it to a
colleague or friend who can try to apply it on a local tree.

...

> @@ -1071,12 +1071,27 @@ def trusted_network(d, url):
> 
> network = network.split(':')[0]
> network = network.lower()
> +    path = path.lower()
> +
> +    for host_path in trusted_hosts.split(" "):
> +        host_path = host_path.lower()
> +        is_trusted = False
> +        split_data = host_path.split("/", 1)
> +        host = split_data[0]
> +        trusted_path = None
> +        if len(split_data) == 2:
> +            trusted_path = "/" + split_data[1]
> 
> -    for host in trusted_hosts.split(" "):
> -        host = host.lower()
> if host.startswith("*.") and ("." + network).endswith(host[1:]):

The lines here without a leading space character clearly show that this
is not a correctly formatted patch.

Best regards,
Quentin Schulz Feb. 7, 2023, 11:17 a.m. UTC | #2
Hi Anders,

On 2/7/23 10:17, Anders Jørgensen via lists.openembedded.org wrote:
>  From d08ab52c29cda8969b9f9e198d1ef2fd11d06ca4 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy>
> Date: Wed, 1 Feb 2023 13:08:11 +0100
> Subject: [PATCH] fetch2: Add path control to BB_ALLOWED_NETWORKS
> 
> Make it able to add path control to the allowed network, so e.g. it is only possible to access own repositories at a given host
> 
> Eg.
> BB_ALLOWED_NETWORKS="bitbucket.org/your_company"
> The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company
> 
> Signed-off-by: Anders Joergensen <anders.joergensen@advent.energy>
> ---
> .../bitbake-user-manual-ref-variables.xml     |  5 ++++
> lib/bb/fetch2/__init__.py                     | 23 +++++++++++++++----
> lib/bb/tests/fetch.py                         | 12 ++++++++++
> 3 files changed, 36 insertions(+), 4 deletions(-)
> 
> diff --git a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
> index 66d8f844e..b0c129000 100644
> --- a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
> +++ b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml

This file does not exist since Gatesgarth and Dunfell 3.1.5, please 
develop and test on top of the master branch when submitting patches.

(But thanks for updating the docs at the same time a feature is added, 
much appreciated)

Cheers,
Quentin

Patch

diff --git a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
index 66d8f844e..b0c129000 100644
--- a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
+++ b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
@@ -125,6 +125,11 @@ 
BB_ALLOWED_NETWORKS = "*.gnu.org"
</literallayout>
</para></listitem>
+                        <listitem><para>
+                            Limit path control is also possible like. <literallayout class='monospaced'>
+     BB_ALLOWED_NETWORKS = "github.com/your_project bitbucket.org/your_company"
+                            </literallayout>
+                            </para></listitem>
<listitem><para>
Mirrors not in the host list are skipped and
logged in debug.
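Review bot: the new listitem's text ("Limit path control is also possible like.") is not a sentence and does not tell the reader how the path part is matched; suggest something like "A path may be appended to a host to restrict fetching to URLs under that path, e.g." and stating that the path is compared as a case-insensitive prefix, which is what the code in lib/bb/fetch2/__init__.py does. As Quentin Schulz notes above, this XML file no longer exists on master, so the same text needs to go into the current user manual source instead.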
diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
index 70387f52d..ce5ff6bd2 100644
--- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py
@@ -1071,12 +1071,27 @@  def trusted_network(d, url):

network = network.split(':')[0]
network = network.lower()
+    path = path.lower()
+
+    for host_path in trusted_hosts.split(" "):
+        host_path = host_path.lower()
+        is_trusted = False
+        split_data = host_path.split("/", 1)
+        host = split_data[0]
+        trusted_path = None
+        if len(split_data) == 2:
+            trusted_path = "/" + split_data[1]

-    for host in trusted_hosts.split(" "):
-        host = host.lower()
if host.startswith("*.") and ("." + network).endswith(host[1:]):
-            return True
-        if host == network:
+            is_trusted = True
+        elif host == network:
+            is_trusted = True
+
+        if trusted_path and is_trusted:
+            if not path.startswith(trusted_path):
+                is_trusted = False
+
+        if is_trusted:
return True

return False
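Review bot: `if not path.startswith(trusted_path):` is a raw string-prefix test, so an entry such as `bitbucket.org/your_company` (the commit message's own example) also trusts `bitbucket.org/your_company_other/...` and `bitbucket.org/your_companyX`. Match on a path-segment boundary instead, e.g. `if not (path == trusted_path or path.startswith(trusted_path + "/")):` after stripping a trailing slash from `trusted_path`. Also worth stating in the commit message and docs: `path = path.lower()` makes the path comparison case-insensitive, which is correct for hostnames but not necessarily for repository paths, so `/rightpath` will also admit `/RightPath` on servers that treat them as different repositories. Minor: `is_trusted` is reset on every iteration and both the `if` and the `elif` only set it to True, so the two branches can be folded into a single condition.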
diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py
index 0fd2c0216..7d1651094 100644
--- a/lib/bb/tests/fetch.py
+++ b/lib/bb/tests/fetch.py
@@ -698,6 +698,18 @@  class TrustedNetworksTest(FetcherTest):
self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
self.assertFalse(bb.fetch.trusted_network(self.d, url))

+    def test_trusted_network_path(self):
+        # Ensure trusted_network returns true when the host and path IS in the list.
+        url = "git://Someserver.org/RightPath/foo;rev=1;branch=master"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+        self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+    def test_untrusted_network_path(self):
+        # Ensure trusted_network returns False when the host is in list but the path is wrong.
+        url = "git://Someserver.org/WrongPath/foo;rev=1;branch=master"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+        self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
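Review bot: both new tests use a URL path that is either exactly the trusted prefix or completely different, so the prefix-boundary case is not covered; add a case with `BB_ALLOWED_NETWORKS` set to `*.someserver.org/rightpath` and `url = "git://someserver.org/rightpath-other/foo;rev=1;branch=master"` asserting `assertFalse`, which fails against the `startswith` check in the current `trusted_network` and pins down the intended semantics. The comment in `test_trusted_network_path` ("when the host and path IS in the list") should read "are in the list".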
class URLHandle(unittest.TestCase):

datatable = {