bitbake: fetch2/wget: ensure all variables are set when calling urllib

Instead of just exporting the proxy variables when calling into urllib, use bb.utils.environment() to export all of the known variables that are needed for proper connectivity. Specifically, this ensures that SSL_CERT_FILE is set, so that libssl can find the certificates in buildtools environments (Bitbake rev: 116637b0e9aabae7f680b102dbf3577b8a58f049) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross@burtonini.com> 2021-08-10 17:55:08 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-12 06:28:01 +0100
commit: ad507bd5c4e950f446b996a788b2c91bef78b0d6 (patch)
tree: d2c490cfd8675a4839bfdbd625b44ec32457e439 /bitbake/lib/bb/fetch2/wget.py
parent: 348384135272ae7c62a11eeabcc43eddc957811f (diff)
download: poky-ad507bd5c4e950f446b996a788b2c91bef78b0d6.tar.gz
1 files changed, 34 insertions, 13 deletions
diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index 784df70c9f..988ea74d26 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -282,19 +282,40 @@ class Wget(FetchMethod):
                newreq = urllib.request.HTTPRedirectHandler.redirect_request(self, req, fp, code, msg, headers, newurl)
                newreq.get_method = req.get_method
                return newreq
-        exported_proxies = export_proxies(d)
+        # We need to update the environment here as both the proxy and HTTPS
-        handlers = [FixedHTTPRedirectHandler, HTTPMethodFallback]
+        # handlers need variables set. The proxy needs http_proxy and friends to
-        if exported_proxies:
+        # be set, and HTTPSHandler ends up calling into openssl to load the
-            handlers.append(urllib.request.ProxyHandler())
+        # certificates. In buildtools configurations this will be looking at the
-        handlers.append(CacheHTTPHandler())
+        # wrong place for certificates by default: we set SSL_CERT_FILE to the
-        # Since Python 2.7.9 ssl cert validation is enabled by default
+        # right location in the buildtools environment script but as BitBake
-        # see PEP-0476, this causes verification errors on some https servers
+        # prunes prunes the environment this is lost. When binaries are executed
-        # so disable by default.
+        # runfetchcmd ensures these values are in the environment, but this is
-        import ssl
+        # pure Python so we need to update the environment.
-        if hasattr(ssl, '_create_unverified_context'):
+        #
-            handlers.append(urllib.request.HTTPSHandler(context=ssl._create_unverified_context()))
+        # Avoid tramping the environment too much by using bb.utils.environment
-        opener = urllib.request.build_opener(*handlers)
+        # to scope the changes to the build_opener request, which is when the
+        # environment lookups happen.
+        newenv = {}
+        for name in bb.fetch2.FETCH_EXPORT_VARS:
+            value = d.getVar(name)
+            if not value:
+                origenv = d.getVar("BB_ORIGENV")
+                if origenv:
+                    value = origenv.getVar(name)
+            if value:
+                newenv[name] = value
+        with bb.utils.environment(**newenv):
+            import ssl
+            context = ssl._create_unverified_context()
+            handlers = [FixedHTTPRedirectHandler,
+                        HTTPMethodFallback,
+                        urllib.request.ProxyHandler(),
+                        CacheHTTPHandler(),
+                        urllib.request.HTTPSHandler(context=context)]
+            opener = urllib.request.build_opener(*handlers)
        try:
            uri = ud.url.split(";")[0]
author	Ross Burton <ross@burtonini.com>	2021-08-10 17:55:08 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-12 06:28:01 +0100
commit	ad507bd5c4e950f446b996a788b2c91bef78b0d6 (patch)
tree	d2c490cfd8675a4839bfdbd625b44ec32457e439 /bitbake/lib/bb/fetch2/wget.py
parent	348384135272ae7c62a11eeabcc43eddc957811f (diff)
download	poky-ad507bd5c4e950f446b996a788b2c91bef78b0d6.tar.gz

diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py index 784df70c9f..988ea74d26 100644 --- a/bitbake/lib/bb/fetch2/wget.py +++ b/bitbake/lib/bb/fetch2/wget.py
@@ -282,19 +282,40 @@ class Wget(FetchMethod):
282	newreq = urllib.request.HTTPRedirectHandler.redirect_request(self, req, fp, code, msg, headers, newurl)	282	newreq = urllib.request.HTTPRedirectHandler.redirect_request(self, req, fp, code, msg, headers, newurl)
283	newreq.get_method = req.get_method	283	newreq.get_method = req.get_method
284	return newreq	284	return newreq
285	exported_proxies = export_proxies(d)	285
286		286	# We need to update the environment here as both the proxy and HTTPS
287	handlers = [FixedHTTPRedirectHandler, HTTPMethodFallback]	287	# handlers need variables set. The proxy needs http_proxy and friends to
288	if exported_proxies:	288	# be set, and HTTPSHandler ends up calling into openssl to load the
289	handlers.append(urllib.request.ProxyHandler())	289	# certificates. In buildtools configurations this will be looking at the
290	handlers.append(CacheHTTPHandler())	290	# wrong place for certificates by default: we set SSL_CERT_FILE to the
291	# Since Python 2.7.9 ssl cert validation is enabled by default	291	# right location in the buildtools environment script but as BitBake
292	# see PEP-0476, this causes verification errors on some https servers	292	# prunes prunes the environment this is lost. When binaries are executed
293	# so disable by default.	293	# runfetchcmd ensures these values are in the environment, but this is
294	import ssl	294	# pure Python so we need to update the environment.
295	if hasattr(ssl, '_create_unverified_context'):	295	#
296	handlers.append(urllib.request.HTTPSHandler(context=ssl._create_unverified_context()))	296	# Avoid tramping the environment too much by using bb.utils.environment
297	opener = urllib.request.build_opener(*handlers)	297	# to scope the changes to the build_opener request, which is when the
		298	# environment lookups happen.
		299	newenv = {}
		300	for name in bb.fetch2.FETCH_EXPORT_VARS:
		301	value = d.getVar(name)
		302	if not value:
		303	origenv = d.getVar("BB_ORIGENV")
		304	if origenv:
		305	value = origenv.getVar(name)
		306	if value:
		307	newenv[name] = value
		308
		309	with bb.utils.environment(**newenv):
		310	import ssl
		311
		312	context = ssl._create_unverified_context()
		313	handlers = [FixedHTTPRedirectHandler,
		314	HTTPMethodFallback,
		315	urllib.request.ProxyHandler(),
		316	CacheHTTPHandler(),
		317	urllib.request.HTTPSHandler(context=context)]
		318	opener = urllib.request.build_opener(*handlers)
298		319
299	try:	320	try:
300	uri = ud.url.split(";")[0]	321	uri = ud.url.split(";")[0]