[PATCH v2] fetch2: Add path control to BB_ALLOWED_NETWORKS #bitbake

[PATCH v2] fetch2: Add path control to BB_ALLOWED_NETWORKS #bitbake

[Anders Jørgensen]

[-- Attachment #1: Type: text/plain, Size: 4182 bytes --]

From d08ab52c29cda8969b9f9e198d1ef2fd11d06ca4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy>
Date: Wed, 1 Feb 2023 13:08:11 +0100
Subject: [PATCH] fetch2: Add path control to BB_ALLOWED_NETWORKS

Make it able to add path control to the allowed network, so e.g. it is only possible to access own repositories at a given host

Eg.
BB_ALLOWED_NETWORKS="bitbucket.org/your_company"
The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company

Signed-off-by: Anders Joergensen <anders.joergensen@advent.energy>
---
.../bitbake-user-manual-ref-variables.xml     |  5 ++++
lib/bb/fetch2/__init__.py                     | 23 +++++++++++++++----
lib/bb/tests/fetch.py                         | 12 ++++++++++
3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
index 66d8f844e..b0c129000 100644
--- a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
+++ b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
@@ -125,6 +125,11 @@
BB_ALLOWED_NETWORKS = "*.gnu.org"
</literallayout>
</para></listitem>
+                        <listitem><para>
+                            Limit path control is also possible like. <literallayout class='monospaced'>
+     BB_ALLOWED_NETWORKS = "github.com/your_project bitbucket.org/your_company"
+                            </literallayout>
+                            </para></listitem>
<listitem><para>
Mirrors not in the host list are skipped and
logged in debug.
diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
index 70387f52d..ce5ff6bd2 100644
--- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py
@@ -1071,12 +1071,27 @@ def trusted_network(d, url):

network = network.split(':')[0]
network = network.lower()
+    path = path.lower()
+
+    for host_path in trusted_hosts.split(" "):
+        host_path = host_path.lower()
+        is_trusted = False
+        split_data = host_path.split("/", 1)
+        host = split_data[0]
+        trusted_path = None
+        if len(split_data) == 2:
+            trusted_path = "/" + split_data[1]

-    for host in trusted_hosts.split(" "):
-        host = host.lower()
if host.startswith("*.") and ("." + network).endswith(host[1:]):
-            return True
-        if host == network:
+            is_trusted = True
+        elif host == network:
+            is_trusted = True
+
+        if trusted_path and is_trusted:
+            if not path.startswith(trusted_path):
+                is_trusted = False
+
+        if is_trusted:
return True

return False
diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py
index 0fd2c0216..7d1651094 100644
--- a/lib/bb/tests/fetch.py
+++ b/lib/bb/tests/fetch.py
@@ -698,6 +698,18 @@ class TrustedNetworksTest(FetcherTest):
self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
self.assertFalse(bb.fetch.trusted_network(self.d, url))

+    def test_trusted_network_path(self):
+        # Ensure trusted_network returns true when the host and path IS in the list.
+        url = "git://Someserver.org/RightPath/foo;rev=1;branch=master"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+        self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+    def test_untrusted_network_path(self):
+        # Ensure trusted_network returns False when the host is in list but the path is wrong.
+        url = "git://Someserver.org/WrongPath/foo;rev=1;branch=master"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
+        self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
class URLHandle(unittest.TestCase):

datatable = {
--
2.34.1

[-- Attachment #2: Type: text/html, Size: 7007 bytes --]

Re: [bitbake-devel] [PATCH v2] fetch2: Add path control to BB_ALLOWED_NETWORKS #bitbake

[Luca Ceresoli]

Hello Anders,

On Tue, 07 Feb 2023 01:17:44 -0800
Anders Jørgensen via lists.openembedded.org
<anders.joergensen=advent.energy@lists.openembedded.org> wrote:

> From d08ab52c29cda8969b9f9e198d1ef2fd11d06ca4 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy>
> Date: Wed, 1 Feb 2023 13:08:11 +0100
> Subject: [PATCH] fetch2: Add path control to BB_ALLOWED_NETWORKS

I'm afraid also this v2 does not apply. The few lines quoted above
suggest you did not use git send-email to send it but maybe you
forwarded another email.

I recommend you to read the guidelines at
https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded
in order to prepare a good commit message and to send your patch
in a way that makes it more easily reviewed, applied and tested.

Before sending it again to the list I suggest you try to send it to
yourself and check whether it looks correct, or to send it to a
colleague or friend who can try to apply it on  a local tree.

...

> @@ -1071,12 +1071,27 @@ def trusted_network(d, url):
> 
> network = network.split(':')[0]
> network = network.lower()
> +    path = path.lower()
> +
> +    for host_path in trusted_hosts.split(" "):
> +        host_path = host_path.lower()
> +        is_trusted = False
> +        split_data = host_path.split("/", 1)
> +        host = split_data[0]
> +        trusted_path = None
> +        if len(split_data) == 2:
> +            trusted_path = "/" + split_data[1]
> 
> -    for host in trusted_hosts.split(" "):
> -        host = host.lower()
> if host.startswith("*.") and ("." + network).endswith(host[1:]):

The lines here without a leading space character clearly show that this
is not a correctly formatted patch.

Best regards,
-- 
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [bitbake-devel] [PATCH v2] fetch2: Add path control to BB_ALLOWED_NETWORKS #bitbake

[Quentin Schulz]

Hi Anders,

On 2/7/23 10:17, Anders Jørgensen via lists.openembedded.org wrote:
>  From d08ab52c29cda8969b9f9e198d1ef2fd11d06ca4 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy>
> Date: Wed, 1 Feb 2023 13:08:11 +0100
> Subject: [PATCH] fetch2: Add path control to BB_ALLOWED_NETWORKS
> 
> Make it able to add path control to the allowed network, so e.g. it is only possible to access own repositories at a given host
> 
> Eg.
> BB_ALLOWED_NETWORKS="bitbucket.org/your_company"
> The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company
> 
> Signed-off-by: Anders Joergensen <anders.joergensen@advent.energy>
> ---
> .../bitbake-user-manual-ref-variables.xml     |  5 ++++
> lib/bb/fetch2/__init__.py                     | 23 +++++++++++++++----
> lib/bb/tests/fetch.py                         | 12 ++++++++++
> 3 files changed, 36 insertions(+), 4 deletions(-)
> 
> diff --git a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
> index 66d8f844e..b0c129000 100644
> --- a/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml
> +++ b/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.xml

This file does not exist since Gatesgarth and Dunfell 3.1.5, please 
develop and test on top of the master branch when submitting patches.

(But thanks for updating the docs at the same time a feature is added, 
much appreciated)

Cheers,
Quentin