From patchwork Tue Feb 7 09:17:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Anders_J=C3=B8rgensen?= X-Patchwork-Id: 19068 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 64E29C636CC for ; Tue, 7 Feb 2023 09:17:50 +0000 (UTC) Subject: [PATCH v2] fetch2: Add path control to BB_ALLOWED_NETWORKS #bitbake To: bitbake-devel@lists.openembedded.org From: =?utf-8?q?Anders_J=C3=B8rgensen?= X-Originating-Location: Copenhagen, Capital Region, DK (89.221.170.34) X-Originating-Platform: Linux Chrome 109 User-Agent: GROUPS.IO Web Poster MIME-Version: 1.0 Date: Tue, 07 Feb 2023 01:17:44 -0800 Message-ID: List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Feb 2023 09:17:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/14374 From d08ab52c29cda8969b9f9e198d1ef2fd11d06ca4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= Date: Wed, 1 Feb 2023 13:08:11 +0100 Subject: [PATCH] fetch2: Add path control to BB_ALLOWED_NETWORKS Make it possible to add path control to an allowed network, so that e.g. only your own repositories at a given host can be accessed. E.g. BB_ALLOWED_NETWORKS="bitbucket.org/your_company" The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company Signed-off-by: Anders Joergensen --- .../bitbake-user-manual-ref-variables.xml     |  5 ++++ lib/bb/fetch2/__init__.py                     | 23 +++++++++++++++---- lib/bb/tests/fetch.py                         | 12 ++++++++++ 3 files changed, 36 insertions(+), 4 deletions(-) -- 2.34.1
diff --git a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
index 66d8f844e..b0c129000 100644
--- a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
+++ b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
@@ -125,6 +125,11 @@ BB_ALLOWED_NETWORKS = "*.gnu.org" +                        +                            Limit path control is also possible like. +     BB_ALLOWED_NETWORKS = "github.com/your_project bitbucket.org/your_company" +                            +                            Mirrors not in the host list are skipped and logged in debug.
diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
index 70387f52d..ce5ff6bd2 100644
--- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py
@@ -1071,12 +1071,27 @@ def trusted_network(d, url):
 network = network.split(':')[0]
 network = network.lower()
+    path = path.lower()
+
+    for host_path in trusted_hosts.split(" "):
+        host_path = host_path.lower()
+        is_trusted = False
+        split_data = host_path.split("/", 1)
+        host = split_data[0]
+        trusted_path = None
+        if len(split_data) == 2:
+            trusted_path = "/" + split_data[1]
-    for host in trusted_hosts.split(" "):
-        host = host.lower()
 if host.startswith("*.") and ("." + network).endswith(host[1:]):
-            return True
-        if host == network:
+            is_trusted = True
+        elif host == network:
+            is_trusted = True
+
+        if trusted_path and is_trusted:
+            if not path.startswith(trusted_path):
+                is_trusted = False
+
+        if is_trusted:
 return True
 return False
diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py
index 0fd2c0216..7d1651094 100644
--- a/lib/bb/tests/fetch.py
+++ b/lib/bb/tests/fetch.py
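Review bot: The new path check `if not path.startswith(trusted_path):` is a plain string-prefix test, so an allow-list entry such as `bitbucket.org/your_company` also admits `bitbucket.org/your_company_other/...` because the match is not required to end at a path segment. The comparison should anchor on a segment boundary, e.g. `if not (path == trusted_path or path.startswith(trusted_path.rstrip("/") + "/")):`, which also tolerates a trailing slash in the allow-list entry. Since `path` is taken from the URL as supplied (presumably via decodeurl earlier in the function, outside the hunk), normalising it with `posixpath.normpath` before the comparison would collapse `.` and `..` segments instead of comparing them literally. A one-line comment above the loop, such as `# Each entry is host[/path-prefix]; the path part must match whole URL path segments.`, would document the intended contract. trusted_network begins outside the hunk.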
@@ -698,6 +698,18 @@ class TrustedNetworksTest(FetcherTest):
 self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
 self.assertFalse(bb.fetch.trusted_network(self.d, url))
+    def test_trusted_network_path(self):
+        # Ensure trusted_network returns true when the host and path IS in the list.
+        url = "git://Someserver.org/RightPath/foo;rev=1;branch=master"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+        self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+    def test_untrusted_network_path(self):
+        # Ensure trusted_network returns False when the host is in list but the path is wrong.
+        url = "git://Someserver.org/WrongPath/foo;rev=1;branch=master"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+        self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
 class URLHandle(unittest.TestCase):
 datatable = {
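Review bot: Neither new test covers a URL path that merely shares a prefix with the allowed entry, which is the boundary the prefix check in trusted_network does not appear to enforce; a third case with `url = "git://Someserver.org/RightPathExtra/foo;rev=1;branch=master"` and `self.assertFalse(bb.fetch.trusted_network(self.d, url))` would pin down that `rightpath` must match a whole segment. Both tests also exercise only the wildcard form `*.someserver.org/rightpath`, while the commit message documents the exact-host form `bitbucket.org/your_company`, so one test with `someserver.org/rightpath` in the list would cover the documented usage. The comment `# Ensure trusted_network returns true when the host and path IS in the list.` should read `True` and `are` for consistency with the sibling comment. TrustedNetworksTest begins outside the hunk.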