authorBen Brown <ben.brown@codethink.co.uk>2020-08-12 13:40:19 +0000
committerBen Brown <ben.brown@codethink.co.uk>2020-08-12 13:40:19 +0000
commitb56e0f3deb9159784e42b73a3ac64d2cb4414ec7 (patch)
treef6c970a84f21bedcce3711ae2f299a08af89b4fe /lorry
parent4453c29e7812deb3c64a479e16bcad571a29f825 (diff)
parentbdfa301998218e879281de58e1ab8097d34d6f08 (diff)
Merge branch 'bwh/validate-server-certs' into 'master'
lorry: Enable TLS server certificate validation by default Closes #9 See merge request CodethinkLabs/lorry/lorry!15
Diffstat (limited to 'lorry')
-rwxr-xr-xlorry33
1 files changed, 25 insertions, 8 deletions
diff --git a/lorry b/lorry
index 65f1cb3..4044e6d 100755
--- a/lorry
+++ b/lorry
@@ -234,6 +234,9 @@ class Lorry(cliapp.Application):
'command used to access Bazaar repositories',
metavar='COMMAND',
default=find_bazaar_command())
+ self.settings.boolean(['check-certificates'],
+ 'validate SSL/TLS server certificates',
+ default=True)
def process_args(self, args):
status = 0
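Review bot: The help text on the line after `self.settings.boolean(['check-certificates'],` presents the option as a hard guarantee, but the `should_check_certificates` helper added later in this commit also honours a per-spec `check-certificates` key, so a spec can switch verification off again even when the command-line default is left on. An operator reading `--help` should see that, e.g. `'validate SSL/TLS server certificates (a lorry spec can opt out with check-certificates: false)'`. A short comment above the call saying the per-spec key exists would also help the next person who touches this settings block.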
@@ -270,6 +273,10 @@ class Lorry(cliapp.Application):
#print 'total failed:',status
sys.exit(status)
+ def should_check_certificates(self, spec):
+ return self.settings['check-certificates'] \
+ and spec.get('check-certificates', True)
+
def bundle(self, name, gitdir):
if self.settings['bundle'] == 'never': return
if len(self.settings['mirror-base-url-fetch']) == 0: return
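Review bot: `should_check_certificates` decides silently: when `spec.get('check-certificates', True)` turns verification off for one mirror, nothing in the log records that the fetch ran unverified, which makes the downgrade hard to spot in an audit of the mirror run. The file already uses `logging` (see `logging.debug` in the bzr hunk), so the helper can bind the decision to a local, warn once with the spec URL when it is false, and then return it; a one-line docstring stating that both the global setting and the spec key must allow checking would also be worth adding. Whether a string value such as `'false'` in a spec would wrongly count as truthy depends on how specs are parsed, which is not visible here.
```python
def should_check_certificates(self, spec):
    """Return True only if both the global setting and the spec allow certificate checks."""
    check = self.settings['check-certificates'] \
        and spec.get('check-certificates', True)
    if not check:
        logging.warning('TLS certificate verification disabled for %s',
                        spec.get('url'))
    return check
```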
@@ -503,10 +510,11 @@ class Lorry(cliapp.Application):
return dest
def mirror_git(self, project_name, dirname, gitdir, spec):
- # Turn off git's SSL/TLS certificate verification, until Baserock
- # has an CA management infrastructure.
- env = dict(os.environ)
- env['GIT_SSL_NO_VERIFY'] = 'true'
+ if self.should_check_certificates(spec):
+ env = os.environ
+ else:
+ env = dict(os.environ)
+ env['GIT_SSL_NO_VERIFY'] = 'true'
if not os.path.exists(gitdir):
self.progress('.. initialising git dir')
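Review bot: In `mirror_git` the verifying branch now passes `env = os.environ` through untouched, so a `GIT_SSL_NO_VERIFY` that is already set in lorry's own environment silently defeats `--check-certificates` for every git mirror. The enabled branch should scrub it, and copying in both branches also avoids handing the live `os.environ` mapping to whatever later code in the function may modify `env`: `env = dict(os.environ)` then `env.pop('GIT_SSL_NO_VERIFY', None)` in the verifying branch, keeping `env['GIT_SSL_NO_VERIFY'] = 'true'` only in the else branch. mirror_git continues past the end of this hunk.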
@@ -545,17 +553,21 @@ class Lorry(cliapp.Application):
branches['trunk'] = spec['url']
logging.debug('all branches: %s' % repr(branches))
+ cert_options = []
+ if not self.should_check_certificates(spec):
+ cert_options.append('-Ossl.cert_reqs=none')
+
for branch, address in branches.items():
branchdir = os.path.join(bzrdir, branch)
if not os.path.exists(branchdir):
self.progress('.. doing initial bzr branch')
self.run_program(
- [bzr, 'branch', '--quiet', '-Ossl.cert_reqs=none',
+ [bzr, 'branch', '--quiet', *cert_options,
address, branchdir])
else:
self.progress('.. updating bzr branch')
self.run_program(
- [bzr, 'pull', '--quiet', '-Ossl.cert_reqs=none',
+ [bzr, 'pull', '--quiet', *cert_options,
address],
cwd=branchdir)
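Review bot: The `*cert_options` unpacking inside the list displays (`[bzr, 'branch', '--quiet', *cert_options, address, branchdir]` and the matching `pull` call) relies on PEP 448, which is Python 3.5+; the commented-out `#print 'total failed:',status` earlier in the diff suggests a Python 2 history, so if any supported interpreter is older this is a SyntaxError at import time rather than a runtime fallback. The same construction is used in the two `gitify_hg` hunks below (`['hg', 'pull', '--quiet', *cert_options, spec['url']]` and the `clone` call). If that is a concern, `[bzr, 'branch', '--quiet'] + cert_options + [address, branchdir]` is the version-neutral form. The enclosing bzr mirroring function starts before this hunk.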
@@ -662,6 +674,10 @@ class Lorry(cliapp.Application):
env=env)
def gitify_hg(self, project_name, dirname, gitdir, spec):
+ cert_options = []
+ if not self.should_check_certificates(spec):
+ cert_options.append('--insecure')
+
hgdir = os.path.join(dirname, 'hg')
if os.path.exists(hgdir):
self.progress('.. updating hg branch')
@@ -669,11 +685,12 @@ class Lorry(cliapp.Application):
# Note that we always specify the URL from the spec, so
# that if the spec changes, we pick up the new URL.
self.run_program(
- ['hg', 'pull', '--quiet', '--insecure', spec['url']],
+ ['hg', 'pull', '--quiet', *cert_options, spec['url']],
cwd=hgdir)
else:
self.progress('.. doing initial hg branch')
- self.run_program(['hg', 'clone', '--quiet', '--insecure', spec['url'], hgdir])
+ self.run_program(['hg', 'clone', '--quiet', *cert_options,
+ spec['url'], hgdir])
if not os.path.exists(gitdir):
self.needs_aggressive = True