[OE-core] [poky][PATCH 2/2] devtool sdk-update: --updateserver-insecure-tls

Adrian Freihofer adrian.freihofer at gmail.com
Tue May 29 19:31:01 UTC 2018 

Support insecure HTTPS connections for devtool sdk-update. This
adds a boolean --updateserver-insecure-tls option the the command
line parameters and to the devtool.conf file's SDK section.

This addresses a common szenario:
* Authorization (HTTPS + user credentials) is required by security
  policy.
* Linux development workstations are not domain members, so they
  don't get the company's ca.cert enrolled.
* The build server has a self signed certificate

Signed-off-by: Adrian Freihofer <adrian.freihofer at gmail.com>
---
 scripts/lib/devtool/sdk.py | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/scripts/lib/devtool/sdk.py b/scripts/lib/devtool/sdk.py
index fbf69264e6..1b703dd21f 100644
--- a/scripts/lib/devtool/sdk.py
+++ b/scripts/lib/devtool/sdk.py
@@ -23,6 +23,7 @@ import shutil
 import errno
 import tempfile
 import re
+import ssl
 import urllib.request
 import base64
 import getpass
@@ -39,6 +40,13 @@ class SdkUpdateHelper(object):
         self.__user_name = user_name
         self.__user_password = None
         self.__ba_credentials = None
+        self.__ssl_context = ssl.create_default_context();
+        self.__git_ssl_args = ""
+
+    def enable_insecure_ssl(self):
+        self.__ssl_context.check_hostname=False
+        self.__ssl_context.verify_mode=ssl.CERT_NONE
+        self.__git_ssl_args = "-c http.sslVerify=false"
 
     def ask_ba_credentials(self, user_name=None):
         '''Ask user for Basic Auth Credentials'''
@@ -66,7 +74,7 @@ class SdkUpdateHelper(object):
             if self.__ba_credentials:
                 req.add_header('Authorization', self.__ba_credentials)
             try:
-                with urllib.request.urlopen(req) as response, open(out_file_name, 'wb') as out_file:
+                with urllib.request.urlopen(req, context=self.__ssl_context) as response, open(out_file_name, 'wb') as out_file:
                     data = response.read()
                     out_file.write(data)
                     return 0  # success
@@ -93,11 +101,15 @@ class SdkUpdateHelper(object):
         return 1
 
     def _git_http_command(self, command, updateserver="", cwd=None):
+        git_ssl_args = ""
+        if self.__git_ssl_args:
+            git_ssl_args = "%s " % self.__git_ssl_args
+
         git_ba_header = ""
         if self.__ba_credentials:
             git_ba_header = "-c http.extraheader=\"Authorization: %s\" " % self.__ba_credentials
 
-        git_cmd = "git %s %s %s" % (git_ba_header, command, updateserver)
+        git_cmd = "git %s%s %s %s" % (git_ssl_args, git_ba_header, command, updateserver)
         logger.debug("Running: %s", git_cmd)
         return subprocess.call(git_cmd, shell=True, cwd=cwd)
 
@@ -193,6 +205,12 @@ def sdk_update(args, config, basepath, workspace):
         updateserver = config.get('SDK', 'updateserver', '')
     logger.debug("updateserver: %s" % updateserver)
 
+    updateserver_insecure_tls = args.updateserver_insecure_tls
+    if not updateserver_insecure_tls:
+        updateserver_insecure_tls = config.get('SDK', 'updateserver-insecure-tls', '')
+    if updateserver_insecure_tls:
+        logger.info("Certificate of update server is not validated.")
+
     # Make sure we are using sdk-update from within SDK
     logger.debug("basepath = %s" % basepath)
     old_locked_sig_file_path = os.path.join(basepath, 'conf/locked-sigs.inc')
@@ -219,6 +237,8 @@ def sdk_update(args, config, basepath, workspace):
         tinfoil.shutdown()
 
     sdk_update_helper = SdkUpdateHelper()
+    if updateserver_insecure_tls:
+        sdk_update_helper.enable_insecure_ssl()
     tmpsdk_dir = tempfile.mkdtemp()
     try:
         os.makedirs(os.path.join(tmpsdk_dir, 'conf'))
@@ -416,6 +436,13 @@ def register_commands(subparsers, context):
             parser_sdk.add_argument('updateserver', help='The update server to fetch latest SDK components from (default %s)' % updateserver, nargs='?')
         else:
             parser_sdk.add_argument('updateserver', help='The update server to fetch latest SDK components from')
+
+        try:
+            updateserver_insecure_tls = context.config.get('SDK', 'updateserver-insecure-tls', '')
+        except AttributeError:
+            updateserver_insecure_tls = False
+        parser_sdk.add_argument('--updateserver-insecure-tls', action="store_true", help='Do not validate the SSL Certificate of the update server (default %s)' % updateserver_insecure_tls)
+
         parser_sdk.add_argument('--skip-prepare', action="store_true", help='Skip re-preparing the build system after updating (for debugging only)')
         parser_sdk.set_defaults(func=sdk_update)
 
-- 
2.14.1

More information about the Openembedded-core mailing list