authorEli Schwartz <eschwartz@archlinux.org>2022-03-20 21:19:36 -0400
committerXavier Claessens <xclaesse@gmail.com>2022-03-27 18:57:07 -0400
commitb28e6aead4708a100d60b56a044f36b28a112326 (patch)
tree1bf80c3b450b9642f068dcbd88ac37971a360d22 /mesonbuild/wrap
parentaa495ff7584de5a69077903d59196d526597cea4 (diff)
wrap: add functionality to specify whether insecure downloads should be used
We have a fallback route in `meson subprojects download` and friends, which tries to retrieve wrapdb urls via http, if Python was not built with SSL support. Stop doing this. Replace it with a command line option to specify that insecure downloads are wanted, and reference it in the error message if downloading fails due to SSL issues.
Diffstat (limited to 'mesonbuild/wrap')
-rw-r--r--mesonbuild/wrap/wrap.py35
1 files changed, 26 insertions, 9 deletions
diff --git a/mesonbuild/wrap/wrap.py b/mesonbuild/wrap/wrap.py
index a42a734..4166d1d 100644
--- a/mesonbuild/wrap/wrap.py
+++ b/mesonbuild/wrap/wrap.py
@@ -66,21 +66,36 @@ def whitelist_wrapdb(urlstr: str) -> urllib.parse.ParseResult:
raise WrapException(f'WrapDB did not have expected SSL https url, instead got {urlstr}')
return url
-def open_wrapdburl(urlstring: str) -> 'http.client.HTTPResponse':
- global SSL_WARNING_PRINTED
+def open_wrapdburl(urlstring: str, allow_insecure: bool = False, have_opt: bool = False) -> 'http.client.HTTPResponse':
+ if have_opt:
+ insecure_msg = '\n\n To allow connecting anyway, pass `--allow-insecure`.'
+ else:
+ insecure_msg = ''
url = whitelist_wrapdb(urlstring)
if has_ssl:
try:
return T.cast('http.client.HTTPResponse', urllib.request.urlopen(urllib.parse.urlunparse(url), timeout=REQ_TIMEOUT))
except urllib.error.URLError as excp:
- raise WrapException(f'WrapDB connection failed to {urlstring} with error {excp}')
-
- # following code is only for those without Python SSL
+ msg = f'WrapDB connection failed to {urlstring} with error {excp}.'
+ if isinstance(excp.reason, ssl.SSLCertVerificationError):
+ if allow_insecure:
+ mlog.warning(f'{msg}\n\n Proceeding without authentication.')
+ else:
+ raise WrapException(f'{msg}{insecure_msg}')
+ else:
+ raise WrapException(msg)
+ elif not allow_insecure:
+ raise WrapException(f'SSL module not available in {sys.executable}: Cannot contact the WrapDB.{insecure_msg}')
+ else:
+ # following code is only for those without Python SSL
+ global SSL_WARNING_PRINTED
+ if not SSL_WARNING_PRINTED:
+ mlog.warning(f'SSL module not available in {sys.executable}: WrapDB traffic not authenticated.')
+ SSL_WARNING_PRINTED = True
+
+ # If we got this far, allow_insecure was manually passed
nossl_url = url._replace(scheme='http')
- if not SSL_WARNING_PRINTED:
- mlog.warning(f'SSL module not available in {sys.executable}: WrapDB traffic not authenticated.')
- SSL_WARNING_PRINTED = True
try:
return T.cast('http.client.HTTPResponse', urllib.request.urlopen(urllib.parse.urlunparse(nossl_url), timeout=REQ_TIMEOUT))
except urllib.error.URLError as excp:
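Review bot: With `allow_insecure=True`, the `ssl.SSLCertVerificationError` branch only logs a warning and then falls through to `nossl_url = url._replace(scheme='http')`, so a failed certificate check on an SSL-capable Python ends in a cleartext refetch of the same URL. A verification failure is exactly the case where the peer may not be the WrapDB, so `open_wrapdburl` should carry a docstring stating that the response returned in this mode is unauthenticated and that callers must check it against a hash obtained from a trusted source before using it. The warning would also be clearer if it named the downgrade, e.g. `mlog.warning(f'{msg}\n\n Retrying over plain http; the response is not authenticated.')`, and unlike the no-SSL path it is not gated by `SSL_WARNING_PRINTED`, which is worth stating in a comment if it is intentional. The function body continues past the end of this hunk, so the handling after the second `urlopen` is not visible here.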
@@ -212,6 +227,8 @@ class Resolver:
subdir: str
subproject: str = ''
wrap_mode: WrapMode = WrapMode.default
+ wrap_frontend: bool = False
+ allow_insecure: bool = False
def __post_init__(self) -> None:
self.subdir_root = os.path.join(self.source_dir, self.subdir)
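Review bot: The two new `Resolver` fields are undocumented, and `allow_insecure` is a security-relevant switch whose effect can only be found by reading `open_wrapdburl`. I would add comments along the lines of `# allow_insecure: permit the unauthenticated http fallback for WrapDB downloads; leave False unless the user explicitly asked for it` and `# wrap_frontend: True when the calling command exposes --allow-insecure, so error messages may mention it`. The second is inferred from the value being passed as `have_opt=self.wrap_frontend` in the later `open_wrapdburl(...)` call hunk and should be confirmed; using one name for both would remove the guesswork. Defaulting both fields to `False` keeps the safe behaviour for callers that construct `Resolver` without them. The class body starts and continues outside this hunk.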
@@ -491,7 +508,7 @@ class Resolver:
tmpfile = tempfile.NamedTemporaryFile(mode='wb', dir=self.cachedir, delete=False)
url = urllib.parse.urlparse(urlstring)
if url.hostname and url.hostname.endswith(WHITELIST_SUBDOMAIN):
- resp = open_wrapdburl(urlstring)
+ resp = open_wrapdburl(urlstring, allow_insecure=self.allow_insecure, have_opt=self.wrap_frontend)
elif WHITELIST_SUBDOMAIN in urlstring:
raise WrapException(f'{urlstring} may be a WrapDB-impersonating URL')
else: