From patchwork Wed Feb 1 13:59:26 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Anders_J=C3=B8rgensen?= X-Patchwork-Id: 18869 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 83967C636D7 for ; Wed, 1 Feb 2023 13:59:32 +0000 (UTC) Subject: [PATCH] Add path control to BB_ALLOWED_NETWORKS To: bitbake-devel@lists.openembedded.org From: =?utf-8?q?Anders_J=C3=B8rgensen?= X-Originating-Location: Copenhagen, Capital Region, DK (89.221.170.34) X-Originating-Platform: Linux Chrome 109 User-Agent: GROUPS.IO Web Poster MIME-Version: 1.0 Date: Wed, 01 Feb 2023 05:59:26 -0800 Message-ID: List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 01 Feb 2023 13:59:32 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/14363 From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= Date: Wed, 1 Feb 2023 13:08:11 +0100 Subject: [PATCH] Add path control to BB_ALLOWED_NETWORKS Make it able to add path control to the allowed network, so e.g. it is only possible to access own repositories at a given host Eg. BB_ALLOWED_NETWORKS="bitbucket.org/your_company" The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company
---
 .../bitbake-user-manual-ref-variables.rst     |  3 +++
 bitbake/lib/bb/fetch2/__init__.py             | 23 +++++++++++++++----
 bitbake/lib/bb/tests/fetch.py                 | 12 ++++++++++
 3 files changed, 34 insertions(+), 4 deletions(-)
-- 
2.34.1
diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
index af4ff9805c..7942cd2d3a 100644
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
@@ -84,6 +84,9 @@ overview of their function and contents.
 -  Attempts to access networks not in the host list cause a failure.
+      -  Limit path control is also possible like. ::
+            BB_ALLOWED_NETWORKS = "github.com/your_project bitbucket.org/your_company"
+
 Using :term:`BB_ALLOWED_NETWORKS` in conjunction with :term:`PREMIRRORS` is very useful. Adding the host you want to use to :term:`PREMIRRORS` results in the source code
diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py
index ac557176d7..69ad898464 100644
--- a/bitbake/lib/bb/fetch2/__init__.py
+++ b/bitbake/lib/bb/fetch2/__init__.py
@@ -1158,12 +1158,27 @@ def trusted_network(d, url):
 network = network.split(':')[0]
 network = network.lower()
+    path = path.lower()
+
+    for host_path in trusted_hosts.split(" "):
+        host_path = host_path.lower()
+        is_trusted = False
+        split_data = host_path.split("/", 1)
+        host = split_data[0]
+        trusted_path = None
+        if len(split_data) == 2:
+            trusted_path = "/" + split_data[1]
-    for host in trusted_hosts.split(" "):
-        host = host.lower()
 if host.startswith("*.") and ("." + network).endswith(host[1:]):
-            return True
-        if host == network:
+            is_trusted = True
+        elif host == network:
+            is_trusted = True
+
+        if trusted_path and is_trusted:
+            if not path.startswith(trusted_path):
+                is_trusted = False
+
+        if is_trusted:
 return True
 return False
diff --git a/bitbake/lib/bb/tests/fetch.py b/bitbake/lib/bb/tests/fetch.py
index 1152e89c0d..c641c1221e 100644
--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
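Review bot: The `path.startswith(trusted_path)` test near the end of the loop is a plain string-prefix match, so an entry such as `bitbucket.org/your_company` also trusts `/your_company_other/...`, and because `path` is compared as received, dot segments (`.`/`..`) in the URL path pass the check even though the remote may resolve them to a directory outside the allowed one. Compare on whole segments after `posixpath.normpath()` as sketched below (the `import posixpath` belongs at the module top, outside this hunk); this also tolerates a trailing `/` on the configured entry. Lowercasing `path` makes the comparison case-insensitive, which is looser than most hosts' path handling; a one-line comment stating that this is intended would help. The docstring of trusted_network, which starts above this hunk, should also describe the new `host/path` entry form of BB_ALLOWED_NETWORKS.
```python
        if trusted_path and is_trusted:
            # Compare whole path segments after collapsing "." and ".."
            # components; a trailing "/" on the configured entry is tolerated.
            norm_path = posixpath.normpath(path)
            norm_trusted = posixpath.normpath(trusted_path).rstrip("/")
            if norm_path != norm_trusted and not norm_path.startswith(norm_trusted + "/"):
                is_trusted = False
        # … unchanged: final is_trusted check and return …
```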
@@ -1288,6 +1288,18 @@ class TrustedNetworksTest(FetcherTest):
 self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
 self.assertFalse(bb.fetch.trusted_network(self.d, url))
+    def test_trusted_network_path(self):
+        # Ensure trusted_network returns true when the host and path IS in the list.
+        url = "git://Someserver.org/RightPath/foo;rev=1;branch=master"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+        self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+    def test_untrusted_network_path(self):
+        # Ensure trusted_network returns False when the host is in list but the path is wrong.
+        url = "git://Someserver.org/WrongPath/foo;rev=1;branch=master"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+        self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
 class URLHandle(unittest.TestCase):
 datatable = {
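Review bot: The two new tests only pin an exact-prefix hit and an unrelated path, so they would not detect the path check accepting a longer name that merely shares the allowed prefix; add a third case such as `url = "git://Someserver.org/RightPathOther/foo;rev=1;branch=master"` against the same `*.someserver.org/rightpath` entry and assert False. A case with a trailing slash in the entry (`*.someserver.org/rightpath/`) would also document whether that form is supported. The class TrustedNetworksTest starts above this hunk.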