-rw-r--r-- | README.md | 6 | ||||
-rwxr-xr-x | lorry | 33 |
2 files changed, 31 insertions, 8 deletions
@@ -98,6 +98,12 @@ all of them will be processed by lorry. The following shows two repositories. Lorry can import other version control systems into git. +When the URL uses the `https:` scheme, Lorry will validate the SSL/TLS +server certificate by default. If necessary, this can be disabled for +a Bazaar, Git, and Mercurial server by adding the key: + + "check-certificates": false + ### Mercurial Mercurial is very similar to git, just change the type field to "hg" @@ -231,6 +231,9 @@ class Lorry(cliapp.Application): 'command used to access Bazaar repositories', metavar='COMMAND', default=find_bazaar_command()) + self.settings.boolean(['check-certificates'], + 'validate SSL/TLS server certificates', + default=True) def process_args(self, args): status = 0 @@ -267,6 +270,10 @@ class Lorry(cliapp.Application): #print 'total failed:',status sys.exit(status) + def should_check_certificates(self, spec): + return self.settings['check-certificates'] \ + and spec.get('check-certificates', True) + def bundle(self, name, gitdir): if self.settings['bundle'] == 'never': return if len(self.settings['mirror-base-url-fetch']) == 0: return @@ -452,10 +459,11 @@ class Lorry(cliapp.Application): return dest def mirror_git(self, project_name, dirname, gitdir, spec): - # Turn off git's SSL/TLS certificate verification, until Baserock - # has an CA management infrastructure. - env = dict(os.environ) - env['GIT_SSL_NO_VERIFY'] = 'true' + if self.should_check_certificates(spec): + env = os.environ + else: + env = dict(os.environ) + env['GIT_SSL_NO_VERIFY'] = 'true' if not os.path.exists(gitdir): self.progress('.. initialising git dir') 
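Review bot: `should_check_certificates` treats any falsy per-repository value as "off", so a `.lorry` entry with `"check-certificates": null`, `0` or `""` disables TLS verification exactly as `false` does. Because this method decides whether verification is dropped, it should honour only an explicit boolean, e.g. `return self.settings['check-certificates'] and spec.get('check-certificates', True) is not False`, or reject non-boolean values when the spec is loaded. The method also has no docstring; `"""Return True unless verification is disabled globally or in this spec."""` would state that either switch alone turns checking off. It would also help to emit a `logging.warning` in the callers (mirror_git, the bzr branch/pull code and gitify_hg) whenever the insecure path is taken, so that disabled verification is visible in the logs.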
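Review bot: In the mirror_git hunk the verifying branch passes `env = os.environ` through unchanged, so a `GIT_SSL_NO_VERIFY` already set in Lorry's own environment still reaches git and verification stays off even though check-certificates is true. That branch also aliases the process environment rather than copying it, so any later assignment to `env` in this function (its body continues outside the hunk) would leak into every subsequent child process. I would copy in both branches and clear the variable when checking: `env = dict(os.environ)`, then `env.pop('GIT_SSL_NO_VERIFY', None)` in the verifying branch and `env['GIT_SSL_NO_VERIFY'] = 'true'` in the other.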
@@ -494,17 +502,21 @@ class Lorry(cliapp.Application): branches['trunk'] = spec['url'] logging.debug('all branches: %s' % repr(branches)) + cert_options = [] + if not self.should_check_certificates(spec): + cert_options.append('-Ossl.cert_reqs=none') + for branch, address in branches.items(): branchdir = os.path.join(bzrdir, branch) if not os.path.exists(branchdir): self.progress('.. doing initial bzr branch') self.run_program( - [bzr, 'branch', '--quiet', '-Ossl.cert_reqs=none', + [bzr, 'branch', '--quiet', *cert_options, address, branchdir]) else: self.progress('.. updating bzr branch') self.run_program( - [bzr, 'pull', '--quiet', '-Ossl.cert_reqs=none', + [bzr, 'pull', '--quiet', *cert_options, address], cwd=branchdir) @@ -611,6 +623,10 @@ class Lorry(cliapp.Application): env=env) def gitify_hg(self, project_name, dirname, gitdir, spec): + cert_options = [] + if not self.should_check_certificates(spec): + cert_options.append('--insecure') + hgdir = os.path.join(dirname, 'hg') if os.path.exists(hgdir): self.progress('.. updating hg branch') @@ -618,11 +634,12 @@ class Lorry(cliapp.Application): # Note that we always specify the URL from the spec, so # that if the spec changes, we pick up the new URL. self.run_program( - ['hg', 'pull', '--quiet', '--insecure', spec['url']], + ['hg', 'pull', '--quiet', *cert_options, spec['url']], cwd=hgdir) else: self.progress('.. doing initial hg branch') - self.run_program(['hg', 'clone', '--quiet', '--insecure', spec['url'], hgdir]) + self.run_program(['hg', 'clone', '--quiet', *cert_options, + spec['url'], hgdir]) if not os.path.exists(gitdir): self.needs_aggressive = True |
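Review bot: In the rewritten bzr `branch`/`pull` argument lists, `address` follows `*cert_options` with no end-of-options marker, and the hg `pull`/`clone` lists in the gitify_hg hunk do the same with `spec['url']`. A value beginning with `-` would therefore be parsed as an option instead of a location. Whether spec files are trusted is not visible from these hunks, but since these lines are being touched anyway it is cheap to harden them, e.g. `[bzr, 'branch', '--quiet', *cert_options, '--', address, branchdir]` and `['hg', 'pull', '--quiet', *cert_options, '--', spec['url']]`, after confirming both tools accept `--`. Alternatively, reject URLs that start with `-` when the spec is loaded. The enclosing bzr function starts outside the hunk.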