From: Alexandre Belloni <alexandre.belloni@bootlin.com>
To: anders.joergensen@advent.energy
Cc: bitbake-devel@lists.openembedded.org
Subject: Re: [bitbake-devel] [PATCH] Add path control to BB_ALLOWED_NETWORKS
Date: Wed, 1 Feb 2023 22:30:52 +0100 [thread overview]
Message-ID: <Y9raDFsNMvuuhBRI@mail.local> (raw)
In-Reply-To: <xWAM.1675259966225954323.ROLQ@lists.openembedded.org>
Hello,
This patch doesn't apply, it is malformed
On 01/02/2023 05:59:26-0800, Anders J�rgensen via lists.openembedded.org wrote:
> From: =?UTF-8?q?Anders=20J=C3=B8rgensen?= <anders.joergensen@advent.energy>
> Date: Wed, 1 Feb 2023 13:08:11 +0100
> Subject: [PATCH] Add path control to BB_ALLOWED_NETWORKS
>
> Make it able to add path control to the allowed network, so e.g. it is only possible to access own repositories at a given host
>
> Eg.
> BB_ALLOWED_NETWORKS="bitbucket.org/your_company"
> The fetcher will be able to download from bitbucket.org/your_company but not from bitbucket.org/other_company
> ---
> .../bitbake-user-manual-ref-variables.rst� � �|� 3 +++
> bitbake/lib/bb/fetch2/__init__.py� � � � � � �| 23 +++++++++++++++----
> bitbake/lib/bb/tests/fetch.py� � � � � � � � �| 12 ++++++++++
> 3 files changed, 34 insertions(+), 4 deletions(-)
>
> diff --git a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
> index af4ff9805c..7942cd2d3a 100644
> --- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
> +++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
> @@ -84,6 +84,9 @@ overview of their function and contents.
>
> -� Attempts to access networks not in the host list cause a failure.
>
> +� � � -� Limit path control is also possible like. ::
> +� � � � � � BB_ALLOWED_NETWORKS = "github.com/your_project bitbucket.org/your_company"
> +
> Using :term:`BB_ALLOWED_NETWORKS` in conjunction with
There are missing spaces here
> :term:`PREMIRRORS` is very useful. Adding the
> host you want to use to :term:`PREMIRRORS` results in the source code
> diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py
> index ac557176d7..69ad898464 100644
> --- a/bitbake/lib/bb/fetch2/__init__.py
> +++ b/bitbake/lib/bb/fetch2/__init__.py
> @@ -1158,12 +1158,27 @@ def trusted_network(d, url):
>
> network = network.split(':')[0]
> network = network.lower()
> +� � path = path.lower()
> +
> +� � for host_path in trusted_hosts.split(" "):
> +� � � � host_path = host_path.lower()
> +� � � � is_trusted = False
> +� � � � split_data = host_path.split("/", 1)
> +� � � � host = split_data[0]
> +� � � � trusted_path = None
> +� � � � if len(split_data) == 2:
> +� � � � � � trusted_path = "/" + split_data[1]
>
> -� � for host in trusted_hosts.split(" "):
> -� � � � host = host.lower()
> if host.startswith("*.") and ("." + network).endswith(host[1:]):
> -� � � � � � return True
> -� � � � if host == network:
> +� � � � � � is_trusted = True
> +� � � � elif host == network:
> +� � � � � � is_trusted = True
> +
> +� � � � if trusted_path and is_trusted:
> +� � � � � � if not path.startswith(trusted_path):
> +� � � � � � � � is_trusted = False
> +
> +� � � � if is_trusted:
> return True
>
> return False
> diff --git a/bitbake/lib/bb/tests/fetch.py b/bitbake/lib/bb/tests/fetch.py
> index 1152e89c0d..c641c1221e 100644
> --- a/bitbake/lib/bb/tests/fetch.py
> +++ b/bitbake/lib/bb/tests/fetch.py
> @@ -1288,6 +1288,18 @@ class TrustedNetworksTest(FetcherTest):
> self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
> self.assertFalse(bb.fetch.trusted_network(self.d, url))
>
> +� � def test_trusted_network_path(self):
> +� � � � # Ensure trusted_network returns true when the host and path IS in the list.
> +� � � � url = "git://Someserver.org/RightPath/foo;rev=1;branch=master"
> +� � � � self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
> +� � � � self.assertTrue(bb.fetch.trusted_network(self.d, url))
> +
> +� � def test_untrusted_network_path(self):
> +� � � � # Ensure trusted_network returns False when the host is in list but the path is wrong.
> +� � � � url = "git://Someserver.org/WrongPath/foo;rev=1;branch=master"
> +� � � � self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org/rightpath server2.org")
> +� � � � self.assertFalse(bb.fetch.trusted_network(self.d, url))
> +
> class URLHandle(unittest.TestCase):
>
> datatable = {
> --
> 2.34.1
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#14363): https://lists.openembedded.org/g/bitbake-devel/message/14363
> Mute This Topic: https://lists.openembedded.org/mt/96676597/3617179
> Group Owner: bitbake-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/bitbake-devel/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
prev parent reply other threads:[~2023-02-01 21:30 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-01 13:59 [PATCH] Add path control to BB_ALLOWED_NETWORKS Anders Jørgensen
2023-02-01 21:30 ` Alexandre Belloni [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y9raDFsNMvuuhBRI@mail.local \
--to=alexandre.belloni@bootlin.com \
--cc=anders.joergensen@advent.energy \
--cc=bitbake-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox