Re: [bitbake-devel] [PATCH] Add path control to BB_ALLOWED_NETWORKS

[Alexandre Belloni <alexandre.belloni@bootlin.com>]

Hello,

This patch doesn't apply, it is malformed

On 01/02/2023 05:59:26-0800, Anders J�rgensen via lists.openembedded.org wrote:
> From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy>
> Date: Wed, 1 Feb 2023 13:08:11 +0100
> Subject: [PATCH] Add path control to BB_ALLOWED_NETWORKS
> 
> Make it able to add path control to the allowed network, so e.g. it is only possible to access own repositories at a given host
> 
> Eg.
> BB_ALLOWED_NETWORKS="bitbucket.org/your_company"
> The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company
> ---
> .../bitbake-user-manual-ref-variables.rst� � �|� 3 +++
> bitbake/lib/bb/fetch2/__init__.py� � � � � � �| 23 +++++++++++++++----
> bitbake/lib/bb/tests/fetch.py� � � � � � � � �| 12 ++++++++++
> 3 files changed, 34 insertions(+), 4 deletions(-)
> 
> diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
> index af4ff9805c..7942cd2d3a 100644
> --- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
> +++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
> @@ -84,6 +84,9 @@ overview of their function and contents.
> 
> -� Attempts to access networks not in the host list cause a failure.
> 
> +� � � -� Limit path control is also possible like. ::
> +� � � � � � BB_ALLOWED_NETWORKS = "github.com/your_project bitbucket.org/your_company"
> +
> Using :term:`BB_ALLOWED_NETWORKS` in conjunction with

There are missing spaces here

> :term:`PREMIRRORS` is very useful. Adding the
> host you want to use to :term:`PREMIRRORS` results in the source code
> diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py
> index ac557176d7..69ad898464 100644
> --- a/bitbake/lib/bb/fetch2/__init__.py
> +++ b/bitbake/lib/bb/fetch2/__init__.py
> @@ -1158,12 +1158,27 @@ def trusted_network(d, url):
> 
> network = network.split(':')[0]
> network = network.lower()
> +� � path = path.lower()
> +
> +� � for host_path in trusted_hosts.split(" "):
> +� � � � host_path = host_path.lower()
> +� � � � is_trusted = False
> +� � � � split_data = host_path.split("/", 1)
> +� � � � host = split_data[0]
> +� � � � trusted_path = None
> +� � � � if len(split_data) == 2:
> +� � � � � � trusted_path = "/" + split_data[1]
> 
> -� � for host in trusted_hosts.split(" "):
> -� � � � host = host.lower()
> if host.startswith("*.") and ("." + network).endswith(host[1:]):
> -� � � � � � return True
> -� � � � if host == network:
> +� � � � � � is_trusted = True
> +� � � � elif host == network:
> +� � � � � � is_trusted = True
> +
> +� � � � if trusted_path and is_trusted:
> +� � � � � � if not path.startswith(trusted_path):
> +� � � � � � � � is_trusted = False
> +
> +� � � � if is_trusted:
> return True
> 
> return False
> diff --git a/bitbake/lib/bb/tests/fetch.py b/bitbake/lib/bb/tests/fetch.py
> index 1152e89c0d..c641c1221e 100644
> --- a/bitbake/lib/bb/tests/fetch.py
> +++ b/bitbake/lib/bb/tests/fetch.py
> @@ -1288,6 +1288,18 @@ class TrustedNetworksTest(FetcherTest):
> self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
> self.assertFalse(bb.fetch.trusted_network(self.d, url))
> 
> +� � def test_trusted_network_path(self):
> +� � � � # Ensure trusted_network returns true when the host and path IS in the list.
> +� � � � url = "git://Someserver.org/RightPath/foo;rev=1;branch=master"
> +� � � � self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
> +� � � � self.assertTrue(bb.fetch.trusted_network(self.d, url))
> +
> +� � def test_untrusted_network_path(self):
> +� � � � # Ensure trusted_network returns False when the host is in list but the path is wrong.
> +� � � � url = "git://Someserver.org/WrongPath/foo;rev=1;branch=master"
> +� � � � self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
> +� � � � self.assertFalse(bb.fetch.trusted_network(self.d, url))
> +
> class URLHandle(unittest.TestCase):
> 
> datatable = {
> --
> 2.34.1

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#14363): https://lists.openembedded.org/g/bitbake-devel/message/14363
> Mute This Topic: https://lists.openembedded.org/mt/96676597/3617179
> Group Owner: bitbake-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/bitbake-devel/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com