Support insecure HTTPS connections for devtool sdk-update. This adds a boolean --updateserver-insecure-tls option the the command line parameters and to the devtool.conf file's SDK section.
This addresses a common szenario: * Authorization (HTTPS + user credentials) is required by security policy. * Linux development workstations are not domain members, so they don't get the company's ca.cert enrolled. * The build server has a self signed certificate Signed-off-by: Adrian Freihofer <[email protected]> --- scripts/lib/devtool/sdk.py | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/scripts/lib/devtool/sdk.py b/scripts/lib/devtool/sdk.py index fbf69264e6..1b703dd21f 100644 --- a/scripts/lib/devtool/sdk.py +++ b/scripts/lib/devtool/sdk.py @@ -23,6 +23,7 @@ import shutil import errno import tempfile import re +import ssl import urllib.request import base64 import getpass @@ -39,6 +40,13 @@ class SdkUpdateHelper(object): self.__user_name = user_name self.__user_password = None self.__ba_credentials = None + self.__ssl_context = ssl.create_default_context(); + self.__git_ssl_args = "" + + def enable_insecure_ssl(self): + self.__ssl_context.check_hostname=False + self.__ssl_context.verify_mode=ssl.CERT_NONE + self.__git_ssl_args = "-c http.sslVerify=false" def ask_ba_credentials(self, user_name=None): '''Ask user for Basic Auth Credentials''' @@ -66,7 +74,7 @@ class SdkUpdateHelper(object): if self.__ba_credentials: req.add_header('Authorization', self.__ba_credentials) try: - with urllib.request.urlopen(req) as response, open(out_file_name, 'wb') as out_file: + with urllib.request.urlopen(req, context=self.__ssl_context) as response, open(out_file_name, 'wb') as out_file: data = response.read() out_file.write(data) return 0 # success @@ -93,11 +101,15 @@ class SdkUpdateHelper(object): return 1 def _git_http_command(self, command, updateserver="", cwd=None): + git_ssl_args = "" + if self.__git_ssl_args: + git_ssl_args = "%s " % self.__git_ssl_args + git_ba_header = "" if self.__ba_credentials: git_ba_header = "-c http.extraheader=\"Authorization: %s\" " % self.__ba_credentials - git_cmd = "git %s %s %s" % (git_ba_header, command, updateserver) + git_cmd = "git %s%s %s %s" % (git_ssl_args, git_ba_header, command, updateserver) logger.debug("Running: %s", git_cmd) return subprocess.call(git_cmd, shell=True, cwd=cwd) @@ -193,6 +205,12 @@ def sdk_update(args, config, basepath, workspace): updateserver = config.get('SDK', 'updateserver', '') logger.debug("updateserver: %s" % updateserver) + updateserver_insecure_tls = args.updateserver_insecure_tls + if not updateserver_insecure_tls: + updateserver_insecure_tls = config.get('SDK', 'updateserver-insecure-tls', '') + if updateserver_insecure_tls: + logger.info("Certificate of update server is not validated.") + # Make sure we are using sdk-update from within SDK logger.debug("basepath = %s" % basepath) old_locked_sig_file_path = os.path.join(basepath, 'conf/locked-sigs.inc') @@ -219,6 +237,8 @@ def sdk_update(args, config, basepath, workspace): tinfoil.shutdown() sdk_update_helper = SdkUpdateHelper() + if updateserver_insecure_tls: + sdk_update_helper.enable_insecure_ssl() tmpsdk_dir = tempfile.mkdtemp() try: os.makedirs(os.path.join(tmpsdk_dir, 'conf')) @@ -416,6 +436,13 @@ def register_commands(subparsers, context): parser_sdk.add_argument('updateserver', help='The update server to fetch latest SDK components from (default %s)' % updateserver, nargs='?') else: parser_sdk.add_argument('updateserver', help='The update server to fetch latest SDK components from') + + try: + updateserver_insecure_tls = context.config.get('SDK', 'updateserver-insecure-tls', '') + except AttributeError: + updateserver_insecure_tls = False + parser_sdk.add_argument('--updateserver-insecure-tls', action="store_true", help='Do not validate the SSL Certificate of the update server (default %s)' % updateserver_insecure_tls) + parser_sdk.add_argument('--skip-prepare', action="store_true", help='Skip re-preparing the build system after updating (for debugging only)') parser_sdk.set_defaults(func=sdk_update) -- 2.14.1 -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
