From bdfa301998218e879281de58e1ab8097d34d6f08 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 7 Aug 2020 00:59:52 +0100 Subject: lorry: Enable TLS server certificate validation by default Lorry is not only used in Baserock, and it's reasonable to assume that there is normally a useful CA certificate store available. It's also no longer common for open source projects to avoid the "CA cartel" by using self-signed or CAcert certificates. * Enable validation by default for Bazaar, Git, and Mercurial * Add a configuration option to disable it * Add and document a .lorry keyword to disable it We already validate server certificates for file downloads since the Python standard library enabled it by default. We also never disabled validation for Subversion. Since this seems to have worked OK, don't add the option to disable it for these upstream types. Closes #9. --- lorry | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) (limited to 'lorry') diff --git a/lorry b/lorry index b42861b..0c08aee 100755 --- a/lorry +++ b/lorry @@ -231,6 +231,9 @@ class Lorry(cliapp.Application): 'command used to access Bazaar repositories', metavar='COMMAND', default=find_bazaar_command()) + self.settings.boolean(['check-certificates'], + 'validate SSL/TLS server certificates', + default=True) def process_args(self, args): status = 0 @@ -267,6 +270,10 @@ class Lorry(cliapp.Application): #print 'total failed:',status sys.exit(status) + def should_check_certificates(self, spec): + return self.settings['check-certificates'] \ + and spec.get('check-certificates', True) + def bundle(self, name, gitdir): if self.settings['bundle'] == 'never': return if len(self.settings['mirror-base-url-fetch']) == 0: return 
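Review bot: The help string `'validate SSL/TLS server certificates'` on the new `check-certificates` setting does not say which upstream types it governs. Per the commit description it covers Bazaar, Git and Mercurial only, while Subversion and file downloads always validate. I would spell that out, e.g. `'validate SSL/TLS server certificates for Bazaar, Git and Mercurial upstreams'`, so an operator knows what turning it off affects.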
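Review bot: `should_check_certificates` lets either side switch validation off, so a .lorry file that sets `check-certificates` to false overrides an operator who left the setting at its default of True. If .lorry files can come from a less trusted source than the Lorry configuration (not visible here), the operator has no way to enforce validation; a separate setting that permits or forbids the per-spec override would close that. The spec value is also tested by truthiness, so `null`, `0` or an empty string disable validation too. `spec.get('check-certificates', True) is not False` would accept only an explicit false.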
@@ -452,10 +459,11 @@ class Lorry(cliapp.Application): return dest def mirror_git(self, project_name, dirname, gitdir, spec): - # Turn off git's SSL/TLS certificate verification, until Baserock - # has an CA management infrastructure. - env = dict(os.environ) - env['GIT_SSL_NO_VERIFY'] = 'true' + if self.should_check_certificates(spec): + env = os.environ + else: + env = dict(os.environ) + env['GIT_SSL_NO_VERIFY'] = 'true' if not os.path.exists(gitdir): self.progress('.. initialising git dir') @@ -494,17 +502,21 @@ class Lorry(cliapp.Application): branches['trunk'] = spec['url'] logging.debug('all branches: %s' % repr(branches)) + cert_options = [] + if not self.should_check_certificates(spec): + cert_options.append('-Ossl.cert_reqs=none') + for branch, address in branches.items(): branchdir = os.path.join(bzrdir, branch) if not os.path.exists(branchdir): self.progress('.. doing initial bzr branch') self.run_program( - [bzr, 'branch', '--quiet', '-Ossl.cert_reqs=none', + [bzr, 'branch', '--quiet', *cert_options, address, branchdir]) else: self.progress('.. updating bzr branch') self.run_program( - [bzr, 'pull', '--quiet', '-Ossl.cert_reqs=none', + [bzr, 'pull', '--quiet', *cert_options, address], cwd=branchdir) @@ -611,6 +623,10 @@ class Lorry(cliapp.Application): env=env) def gitify_hg(self, project_name, dirname, gitdir, spec): + cert_options = [] + if not self.should_check_certificates(spec): + cert_options.append('--insecure') + hgdir = os.path.join(dirname, 'hg') if os.path.exists(hgdir): self.progress('.. updating hg branch') 
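Review bot: In the validating branch of `mirror_git`, `env = os.environ` passes the ambient environment through unchanged, so a `GIT_SSL_NO_VERIFY` already set in the environment Lorry runs under keeps git's verification off even though `check-certificates` is true. Copying in both cases and clearing the variable makes the setting authoritative: `env = dict(os.environ)` before the branch and `env.pop('GIT_SSL_NO_VERIFY', None)` where validation is wanted. The copy also avoids aliasing the process environment, which matters if anything later in the function writes to `env`; the body continues outside this hunk.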
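Review bot: Nothing is logged when `cert_options` receives `-Ossl.cert_reqs=none`, so the run log does not show which mirrors were fetched without certificate validation. A line such as `logging.warning('TLS certificate validation is disabled for this upstream')` inside the `if not self.should_check_certificates(spec):` block would make that auditable. The same gap exists in the `GIT_SSL_NO_VERIFY` branch of `mirror_git` and the `--insecure` branch of `gitify_hg`. The enclosing function starts and ends outside this hunk.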
@@ -618,11 +634,12 @@ class Lorry(cliapp.Application): # Note that we always specify the URL from the spec, so # that if the spec changes, we pick up the new URL. self.run_program( - ['hg', 'pull', '--quiet', '--insecure', spec['url']], + ['hg', 'pull', '--quiet', *cert_options, spec['url']], cwd=hgdir) else: self.progress('.. doing initial hg branch') - self.run_program(['hg', 'clone', '--quiet', '--insecure', spec['url'], hgdir]) + self.run_program(['hg', 'clone', '--quiet', *cert_options, + spec['url'], hgdir]) if not os.path.exists(gitdir): self.needs_aggressive = True -- cgit v1.2.1