[OE-core] [PATCH 10/27] bbclass/sstate_readonly: only allowed sstate-cache objects to be built (read-only sstate-cache)

[Ross Burton]

From: Hongxu Jia <hongxu.jia at windriver.com>

The requirement is the developer who demand only the "new" software
they write is allowed to be compiled from source, they only want to
reuse binaries from an existed sstate-cache, if the developer makes
a change that triggers a rebuild, it should be an instant error.

When the readonly sstate-cache is enabled, an error will be generated
if a recipe is not available within the sstate-cache. Adding recipes
to the whitelist will allow only select recipes to be allowed to build
from source.

[YOCTO #6639]

Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
Signed-off-by: Saul Wold <sgw at linux.intel.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
---
 meta/classes/sstate_readonly.bbclass |   53 ++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 meta/classes/sstate_readonly.bbclass

diff --git a/meta/classes/sstate_readonly.bbclass b/meta/classes/sstate_readonly.bbclass
new file mode 100644
index 0000000..488353d
--- /dev/null
+++ b/meta/classes/sstate_readonly.bbclass
@@ -0,0 +1,53 @@
+SSTATE_CHECK_FUNCTIONS_append = " sstate_readonly_check"
+# 1) The read-only sstate-cache will always be enabled if this bbclass
+#    inherited
+#
+# 2) If ${SSTATECACHE_WHITELIST} is "", it means always blacklist
+#    everything
+#
+# 3) Adding recipes to ${SSTATECACHE_WHITELIST} will allow only select
+#    recipes to be allowed to build
+#
+# 4) While recipes not in ${SSTATECACHE_WHITELIST}, an error will be
+#    generated if a recipe is not available within sstate-cache.
+SSTATECACHE_WHITELIST ?= ""
+
+python sstate_readonly_check(){
+    whitelist = (d.getVar('SSTATECACHE_WHITELIST', True) or '').split()
+    sq_fn = d.getVar('sq_fn', True) or []
+    missed = d.getVar('missed', True) or []
+    missed_pn = []
+    for task in missed:
+        fn = sq_fn[task]
+        data = bb.cache.Cache.loadDataFull(fn, '', d)
+        pn = data.getVar('PN', True)
+        if pn and pn not in missed_pn:
+            missed_pn.append(pn)
+
+    if missed_pn:
+        blacklist = [pn for pn in missed_pn if pn not in whitelist]
+        if blacklist:
+            msg =  'Read-only sstate-cache is enabled, the build of \n'
+            msg += '"' + ' '.join(blacklist) + '"\n'
+            msg += 'did not come from sstate-cache. Only the recipe listed in\n'
+            msg += 'SSTATECACHE_WHITELIST is allowed to build from source'
+            bb.fatal(msg)
+}
+
+def _sstate_readonly_clean_check(d):
+    whitelist = (d.getVar('SSTATECACHE_WHITELIST', True) or '').split()
+    pn = d.getVar('PN', True)
+    if pn not in whitelist:
+        msg =  'Read-only sstate-cache is enabled, the clean of \n'
+        msg += '%s is not allowed. Only the recipe listed in\n' % pn
+        msg += 'SSTATECACHE_WHITELIST is allowed to clean sstate-cache'
+        bb.fatal(msg)
+
+python do_cleansstate_prepend() {
+        _sstate_readonly_clean_check(d)
+}
+
+python do_cleanall_prepend() {
+    _sstate_readonly_clean_check(d)
+}
+
-- 
1.7.10.4