From: Adrian Freihofer <adrian.freihofer@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: [poky][PATCH 2/2] devtool sdk-update: --updateserver-insecure-tls
Date: Tue, 29 May 2018 21:31:01 +0200 [thread overview]
Message-ID: <20180529193101.43396-2-adrian.freihofer@gmail.com> (raw)
In-Reply-To: <20180529193101.43396-1-adrian.freihofer@gmail.com>
Support insecure HTTPS connections for devtool sdk-update. This
adds a boolean --updateserver-insecure-tls option the the command
line parameters and to the devtool.conf file's SDK section.
This addresses a common szenario:
* Authorization (HTTPS + user credentials) is required by security
policy.
* Linux development workstations are not domain members, so they
don't get the company's ca.cert enrolled.
* The build server has a self signed certificate
Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
---
scripts/lib/devtool/sdk.py | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/scripts/lib/devtool/sdk.py b/scripts/lib/devtool/sdk.py
index fbf69264e6..1b703dd21f 100644
--- a/scripts/lib/devtool/sdk.py
+++ b/scripts/lib/devtool/sdk.py
@@ -23,6 +23,7 @@ import shutil
import errno
import tempfile
import re
+import ssl
import urllib.request
import base64
import getpass
@@ -39,6 +40,13 @@ class SdkUpdateHelper(object):
self.__user_name = user_name
self.__user_password = None
self.__ba_credentials = None
+ self.__ssl_context = ssl.create_default_context();
+ self.__git_ssl_args = ""
+
+ def enable_insecure_ssl(self):
+ self.__ssl_context.check_hostname=False
+ self.__ssl_context.verify_mode=ssl.CERT_NONE
+ self.__git_ssl_args = "-c http.sslVerify=false"
def ask_ba_credentials(self, user_name=None):
'''Ask user for Basic Auth Credentials'''
@@ -66,7 +74,7 @@ class SdkUpdateHelper(object):
if self.__ba_credentials:
req.add_header('Authorization', self.__ba_credentials)
try:
- with urllib.request.urlopen(req) as response, open(out_file_name, 'wb') as out_file:
+ with urllib.request.urlopen(req, context=self.__ssl_context) as response, open(out_file_name, 'wb') as out_file:
data = response.read()
out_file.write(data)
return 0 # success
@@ -93,11 +101,15 @@ class SdkUpdateHelper(object):
return 1
def _git_http_command(self, command, updateserver="", cwd=None):
+ git_ssl_args = ""
+ if self.__git_ssl_args:
+ git_ssl_args = "%s " % self.__git_ssl_args
+
git_ba_header = ""
if self.__ba_credentials:
git_ba_header = "-c http.extraheader=\"Authorization: %s\" " % self.__ba_credentials
- git_cmd = "git %s %s %s" % (git_ba_header, command, updateserver)
+ git_cmd = "git %s%s %s %s" % (git_ssl_args, git_ba_header, command, updateserver)
logger.debug("Running: %s", git_cmd)
return subprocess.call(git_cmd, shell=True, cwd=cwd)
@@ -193,6 +205,12 @@ def sdk_update(args, config, basepath, workspace):
updateserver = config.get('SDK', 'updateserver', '')
logger.debug("updateserver: %s" % updateserver)
+ updateserver_insecure_tls = args.updateserver_insecure_tls
+ if not updateserver_insecure_tls:
+ updateserver_insecure_tls = config.get('SDK', 'updateserver-insecure-tls', '')
+ if updateserver_insecure_tls:
+ logger.info("Certificate of update server is not validated.")
+
# Make sure we are using sdk-update from within SDK
logger.debug("basepath = %s" % basepath)
old_locked_sig_file_path = os.path.join(basepath, 'conf/locked-sigs.inc')
@@ -219,6 +237,8 @@ def sdk_update(args, config, basepath, workspace):
tinfoil.shutdown()
sdk_update_helper = SdkUpdateHelper()
+ if updateserver_insecure_tls:
+ sdk_update_helper.enable_insecure_ssl()
tmpsdk_dir = tempfile.mkdtemp()
try:
os.makedirs(os.path.join(tmpsdk_dir, 'conf'))
@@ -416,6 +436,13 @@ def register_commands(subparsers, context):
parser_sdk.add_argument('updateserver', help='The update server to fetch latest SDK components from (default %s)' % updateserver, nargs='?')
else:
parser_sdk.add_argument('updateserver', help='The update server to fetch latest SDK components from')
+
+ try:
+ updateserver_insecure_tls = context.config.get('SDK', 'updateserver-insecure-tls', '')
+ except AttributeError:
+ updateserver_insecure_tls = False
+ parser_sdk.add_argument('--updateserver-insecure-tls', action="store_true", help='Do not validate the SSL Certificate of the update server (default %s)' % updateserver_insecure_tls)
+
parser_sdk.add_argument('--skip-prepare', action="store_true", help='Skip re-preparing the build system after updating (for debugging only)')
parser_sdk.set_defaults(func=sdk_update)
--
2.14.1
prev parent reply other threads:[~2018-05-29 19:31 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-29 19:31 [poky][PATCH 1/2] devtool sdk-update: Support Basic Auth Adrian Freihofer
2018-05-29 19:31 ` Adrian Freihofer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180529193101.43396-2-adrian.freihofer@gmail.com \
--to=adrian.freihofer@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox