authorLiam R. Howlett <Liam.Howlett@windriver.com>2015-04-16 13:23:18 -0400
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-05-12 12:17:13 +0100
commit59ce7d02a57e0a642d839ab48677f6ac1886180f (patch)
tree7905b7a23b0d60574b7160e5094d6f231a3c6240
parent9e24bde011479d9f22830080720510e52e9923d8 (diff)
downloadpoky-59ce7d02a57e0a642d839ab48677f6ac1886180f.tar.gz
bitbake: fetch2: Add BB_ALLOWED_NETWORKS support
BB_ALLOWED_NETWORKS is a list of hosts that the fetcher will be allowed to use when BB_NO_NETWORK is not set. If BB_NO_NETWORK is set, then networking is still disabled. If BB_ALLOWED_NETWORKS is not set, the behaviour remains the same as today. If BB_NO_NETWORK is NOT set, and BB_ALLOWED_NETWORKS is configured, then only the hosts in the list are usable by the fetcher. eg: BB_ALLOWED_NETWORKS="yoctoproject.org git.gnu.org" The fetcher will be able to download from yoctoproject.org, git.gnu.org, but not ftp.gnu.org or any other hostname that is not in the list. There is also limited support for wildcards at the beginning of the hosts, so BB_ALLOWED_NETWORKS="*.gnu.org" will match git.gnu.org and ftp.gnu.org as well as foo.git.gnu.org (Bitbake rev: c7263096ba31ba45daeeb9de90c1cb9ebef24a28) Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--bitbake/lib/bb/fetch2/__init__.py53
-rw-r--r--bitbake/lib/bb/tests/fetch.py37
2 files changed, 90 insertions, 0 deletions
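--- a/bitbake/lib/bb/fetch2/__init__.py
+++ b/bitbake/lib/bb/fetch2/__init__.py
@@ -61,6 +61,17 @@ class BBFetchException(Exception):
     def __str__(self):
         return self.msg
 
+class UntrustedUrl(BBFetchException):
+    """Exception raised when encountering a host not listed in BB_ALLOWED_NETWORKS"""
+    def __init__(self, url, message=''):
+        if message:
+            msg = message
+        else:
+            msg = "The URL: '%s' is not trusted and cannot be used" % url
+        self.url = url
+        BBFetchException.__init__(self, msg)
+        self.args = (url,)
+
 class MalformedUrl(BBFetchException):
     """Exception raised when encountering an invalid url"""
     def __init__(self, url, message=''):
@@ -852,6 +863,11 @@ def build_mirroruris(origud, mirrors, ld):
             newuri = uri_replace(ud, find, replace, replacements, ld)
             if not newuri or newuri in uris or newuri == origud.url:
                 continue
+
+            if not trusted_network(ld, newuri):
+                logger.debug(1, "Mirror %s not in the list of trusted networks, skipping" % (newuri))
+                continue
+
             try:
                 newud = FetchData(newuri, ld)
                 newud.setup_localpath(ld)
@@ -972,6 +988,41 @@ def try_mirrors(d, origud, mirrors, check = False):
             return ret
     return None
 
+def trusted_network(d, url):
+    """
+    Use a trusted url during download if networking is enabled and
+    BB_ALLOWED_NETWORKS is set globally or for a specific recipe.
+    Note: modifies SRC_URI & mirrors.
+    """
+    if d.getVar('BB_NO_NETWORK', True) == "1":
+        return True
+
+    pkgname = d.expand(d.getVar('PN'))
+    trusted_hosts = d.getVarFlag('BB_ALLOWED_NETWORKS', pkgname)
+
+    if not trusted_hosts:
+        trusted_hosts = d.getVar('BB_ALLOWED_NETWORKS', True)
+
+    # Not enabled.
+    if not trusted_hosts:
+        return True
+
+    scheme, network, path, user, passwd, param = decodeurl(url)
+
+    if not network:
+        return True
+
+    network = network.lower()
+
+    for host in trusted_hosts.split(" "):
+        host = host.lower()
+        if host.startswith("*.") and ("." + network).endswith(host[1:]):
+            return True
+        if host == network:
+            return True
+
+    return False
+
 def srcrev_internal_helper(ud, d, name):
     """
     Return:
@@ -1530,6 +1581,8 @@ class Fetch(object):
                 firsterr = None
                 if not localpath and ((not verify_donestamp(ud, self.d)) or m.need_update(ud, self.d)):
                     try:
+                        if not trusted_network(self.d, ud.url):
+                            raise UntrustedUrl(ud.url)
                         logger.debug(1, "Trying Upstream")
                         m.download(ud, self.d)
                         if hasattr(m, "build_mirror_data"):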
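Review bot: The docstring of trusted_network claims `Note: modifies SRC_URI & mirrors.`, but the body only reads BB_NO_NETWORK, PN, BB_ALLOWED_NETWORKS and the decoded URL and returns a bool, so that sentence misdescribes what is a pure allow-list predicate; replace it with `Return True if url's host is permitted by BB_ALLOWED_NETWORKS (the per-recipe flag is consulted first, then the global value); always True when BB_NO_NETWORK is "1" or no list is configured.` Separately, `trusted_hosts.split(" ")` tokenizes only on single spaces, so a list written with a line continuation, tabs or double spaces produces tokens that never match (fail-closed, but a confusing way to lose a trusted host); `trusted_hosts.split()` handles any whitespace. The comparison is also made against whatever decodeurl returns as `network`, and if that field can carry a port (host:port) neither the exact nor the `*.` form will match such a URL, which deserves a comment or a test. Finally, the new `raise UntrustedUrl(ud.url)` in Fetch.download sits inside a `try:` whose handlers are outside this hunk, so whether an untrusted upstream falls back to MIRRORS or aborts the fetch depends on those handlers; a one-line comment at the raise site stating the intended outcome would help the next reader.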
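--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
@@ -547,6 +547,43 @@ class FetcherNetworkTest(FetcherTest):
         os.chdir(os.path.dirname(self.unpackdir))
         fetcher.unpack(self.unpackdir)
 
+    def test_trusted_network(self):
+        # Ensure trusted_network returns False when the host IS in the list.
+        url = "git://Someserver.org/foo;rev=1"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org someserver.org server2.org server3.org")
+        self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+    def test_wild_trusted_network(self):
+        # Ensure trusted_network returns true when the *.host IS in the list.
+        url = "git://Someserver.org/foo;rev=1"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org server2.org server3.org")
+        self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+    def test_prefix_wild_trusted_network(self):
+        # Ensure trusted_network returns true when the prefix matches *.host.
+        url = "git://git.Someserver.org/foo;rev=1"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org server2.org server3.org")
+        self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+    def test_two_prefix_wild_trusted_network(self):
+        # Ensure trusted_network returns true when the prefix matches *.host.
+        url = "git://something.git.Someserver.org/foo;rev=1"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org server2.org server3.org")
+        self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+    def test_untrusted_network(self):
+        # Ensure trusted_network returns False when the host is NOT in the list.
+        url = "git://someserver.org/foo;rev=1"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
+        self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
+    def test_wild_untrusted_network(self):
+        # Ensure trusted_network returns False when the host is NOT in the list.
+        url = "git://*.someserver.org/foo;rev=1"
+        self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
+        self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
+
 class URLHandle(unittest.TestCase):
 
     datatable = {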
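Review bot: The comment on test_trusted_network says the function `returns False when the host IS in the list`, but the assertion is assertTrue, so the comment contradicts the test it describes; change it to `# Ensure trusted_network returns True when the host IS in the list.` More importantly, the suite pins every positive wildcard case but no negative one, and for an allow-list the rejections are the security boundary: nothing checks that `*.someserver.org` rejects `evilsomeserver.org`, or that `someserver.org` rejects `someserver.org.evil.com`, and test_wild_untrusted_network (a literal `*.` inside the URL host) covers neither. The two tests below would pin those boundaries against the suffix check in trusted_network. The per-recipe BB_ALLOWED_NETWORKS flag lookup and the BB_NO_NETWORK="1" bypass are also untested.
```python
    def test_wild_label_boundary_untrusted_network(self):
        # A wildcard must anchor on a label boundary: evilsomeserver.org is not *.someserver.org.
        url = "git://evilsomeserver.org/foo;rev=1"
        self.d.setVar("BB_ALLOWED_NETWORKS", "*.someserver.org")
        self.assertFalse(bb.fetch.trusted_network(self.d, url))

    def test_suffix_untrusted_network(self):
        # An allowed host used as a prefix of another domain must not match.
        url = "git://someserver.org.evil.com/foo;rev=1"
        self.d.setVar("BB_ALLOWED_NETWORKS", "someserver.org *.someserver.org")
        self.assertFalse(bb.fetch.trusted_network(self.d, url))
```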