[OE-core] [poky][PATCH 2/2] devtool sdk-update: --updateserver-insecure-tls
Adrian Freihofer
adrian.freihofer at gmail.com
Tue May 29 19:31:01 UTC 2018
Support insecure HTTPS connections for devtool sdk-update. This
adds a boolean --updateserver-insecure-tls option the the command
line parameters and to the devtool.conf file's SDK section.
This addresses a common szenario:
* Authorization (HTTPS + user credentials) is required by security
policy.
* Linux development workstations are not domain members, so they
don't get the company's ca.cert enrolled.
* The build server has a self signed certificate
Signed-off-by: Adrian Freihofer <adrian.freihofer at gmail.com>
---
scripts/lib/devtool/sdk.py | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/scripts/lib/devtool/sdk.py b/scripts/lib/devtool/sdk.py
index fbf69264e6..1b703dd21f 100644
--- a/scripts/lib/devtool/sdk.py
+++ b/scripts/lib/devtool/sdk.py
@@ -23,6 +23,7 @@ import shutil
import errno
import tempfile
import re
+import ssl
import urllib.request
import base64
import getpass
@@ -39,6 +40,13 @@ class SdkUpdateHelper(object):
self.__user_name = user_name
self.__user_password = None
self.__ba_credentials = None
+ self.__ssl_context = ssl.create_default_context();
+ self.__git_ssl_args = ""
+
+ def enable_insecure_ssl(self):
+ self.__ssl_context.check_hostname=False
+ self.__ssl_context.verify_mode=ssl.CERT_NONE
+ self.__git_ssl_args = "-c http.sslVerify=false"
def ask_ba_credentials(self, user_name=None):
'''Ask user for Basic Auth Credentials'''
@@ -66,7 +74,7 @@ class SdkUpdateHelper(object):
if self.__ba_credentials:
req.add_header('Authorization', self.__ba_credentials)
try:
- with urllib.request.urlopen(req) as response, open(out_file_name, 'wb') as out_file:
+ with urllib.request.urlopen(req, context=self.__ssl_context) as response, open(out_file_name, 'wb') as out_file:
data = response.read()
out_file.write(data)
return 0 # success
@@ -93,11 +101,15 @@ class SdkUpdateHelper(object):
return 1
def _git_http_command(self, command, updateserver="", cwd=None):
+ git_ssl_args = ""
+ if self.__git_ssl_args:
+ git_ssl_args = "%s " % self.__git_ssl_args
+
git_ba_header = ""
if self.__ba_credentials:
git_ba_header = "-c http.extraheader=\"Authorization: %s\" " % self.__ba_credentials
- git_cmd = "git %s %s %s" % (git_ba_header, command, updateserver)
+ git_cmd = "git %s%s %s %s" % (git_ssl_args, git_ba_header, command, updateserver)
logger.debug("Running: %s", git_cmd)
return subprocess.call(git_cmd, shell=True, cwd=cwd)
@@ -193,6 +205,12 @@ def sdk_update(args, config, basepath, workspace):
updateserver = config.get('SDK', 'updateserver', '')
logger.debug("updateserver: %s" % updateserver)
+ updateserver_insecure_tls = args.updateserver_insecure_tls
+ if not updateserver_insecure_tls:
+ updateserver_insecure_tls = config.get('SDK', 'updateserver-insecure-tls', '')
+ if updateserver_insecure_tls:
+ logger.info("Certificate of update server is not validated.")
+
# Make sure we are using sdk-update from within SDK
logger.debug("basepath = %s" % basepath)
old_locked_sig_file_path = os.path.join(basepath, 'conf/locked-sigs.inc')
@@ -219,6 +237,8 @@ def sdk_update(args, config, basepath, workspace):
tinfoil.shutdown()
sdk_update_helper = SdkUpdateHelper()
+ if updateserver_insecure_tls:
+ sdk_update_helper.enable_insecure_ssl()
tmpsdk_dir = tempfile.mkdtemp()
try:
os.makedirs(os.path.join(tmpsdk_dir, 'conf'))
@@ -416,6 +436,13 @@ def register_commands(subparsers, context):
parser_sdk.add_argument('updateserver', help='The update server to fetch latest SDK components from (default %s)' % updateserver, nargs='?')
else:
parser_sdk.add_argument('updateserver', help='The update server to fetch latest SDK components from')
+
+ try:
+ updateserver_insecure_tls = context.config.get('SDK', 'updateserver-insecure-tls', '')
+ except AttributeError:
+ updateserver_insecure_tls = False
+ parser_sdk.add_argument('--updateserver-insecure-tls', action="store_true", help='Do not validate the SSL Certificate of the update server (default %s)' % updateserver_insecure_tls)
+
parser_sdk.add_argument('--skip-prepare', action="store_true", help='Skip re-preparing the build system after updating (for debugging only)')
parser_sdk.set_defaults(func=sdk_update)
--
2.14.1
More information about the Openembedded-core
mailing list