From: "Ludovic Courtès" <ludo@gnu.org>
To: 74776@debbugs.gnu.org
Cc: "Ludovic Courtès" <ludo@gnu.org>,
	"Christopher Baines" <guix@cbaines.net>,
	"Josselin Poiret" <dev@jpoiret.xyz>,
	"Ludovic Courtès" <ludo@gnu.org>,
	"Mathieu Othacehe" <othacehe@gnu.org>,
	"Simon Tournier" <zimon.toutoune@gmail.com>,
	"Tobias Geerinckx-Rice" <me@tobias.gr>
Subject: [bug#74776] [PATCH 2/7] git: Allow X.509 certificate verification to be disabled.
Date: Wed, 11 Dec 2024 00:34:41 +0100	[thread overview]
Message-ID: <a6029ade5b287bbdfe2cfa76ca488219da562d84.1733873391.git.ludo@gnu.org> (raw)
In-Reply-To: <cover.1733873391.git.ludo@gnu.org>

* guix/git.scm (make-default-fetch-options): Add #:verify-certificate?
and honor it.  Define ‘warn-for-invalid-certificate’.
(clone*): Add #:verify-certificate? and pass it on.
(clone/swh-fallback): Likewise.
(update-cached-checkout): Likewise.
(latest-repository-commit): Likewise.

Change-Id: Ibf535a4a8d2a7e0c4026a896da9d4ab72e85401a
---
 guix/git.scm | 66 ++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 49 insertions(+), 17 deletions(-)

diff --git a/guix/git.scm b/guix/git.scm
index 1b0839b1e3..6ac6e4e3a2 100644
--- a/guix/git.scm
+++ b/guix/git.scm
@@ -182,16 +182,29 @@ (define (show-progress progress)
   ;; Return true to indicate that we should go on.
   #t)
 
-(define (make-default-fetch-options)
-  "Return the default fetch options."
-  (let ((auth-method (%make-auth-ssh-agent)))
-    (make-fetch-options auth-method
-                        ;; Guile-Git doesn't distinguish between these.
-                        #:proxy-url (or (getenv "http_proxy")
-                                        (getenv "https_proxy"))
-                        #:transfer-progress
-                        (and (isatty? (current-error-port))
-                             show-progress))))
+(define* (make-default-fetch-options #:key (verify-certificate? #t))
+  "Return the default fetch options.  VERIFY-CERTIFICATE? determines whether
+to verify X.509 host certificates."
+  (define (warn-for-invalid-certificate host valid?)
+    (unless valid?
+      (warning (G_ "ignoring invalid certificate for '~a'~%") host)))
+
+  (let* ((auth-method (%make-auth-ssh-agent))
+         (options
+          (make-fetch-options auth-method
+                              ;; Guile-Git doesn't distinguish between these.
+                              #:proxy-url (or (getenv "http_proxy")
+                                              (getenv "https_proxy"))
+                              #:transfer-progress
+                              (and (isatty? (current-error-port))
+                                   show-progress))))
+    ;; When VERIFY-CERTIFICATE? is true, keep the default libgit2 behavior,
+    ;; which is to raise an exception upon invalid certificates.
+    (unless verify-certificate?
+      (let ((callbacks (fetch-options-remote-callbacks options)))
+        (set-remote-callbacks-certificate-check! callbacks
+                                                 warn-for-invalid-certificate)))
+    options))
 
 (define GITERR_HTTP
   ;; Guile-Git <= 0.5.2 lacks this constant.
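Review bot: The docstring of `make-default-fetch-options` says only that VERIFY-CERTIFICATE? "determines whether to verify" certificates, but when it is false the code installs `warn-for-invalid-certificate`, which prints a warning and lets the fetch proceed against an unauthenticated server. I would state that consequence in the docstring, e.g. `When VERIFY-CERTIFICATE? is false, warn about invalid certificates and keep going; the server is then unauthenticated, so callers must validate what they fetch by other means (content hash, commit authentication).` The callback also sees only HOST and VALID?, and libgit2's certificate-check hook is, as far as I know, invoked for SSH host keys as well as X.509 certificates. It is worth confirming whether this switch also relaxes SSH host-key checking, and documenting it here if so.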
@@ -213,7 +226,7 @@ (define (set-git-timeouts connection-timeout read-timeout)
              read-timeout)
     (set-server-timeout! read-timeout)))
 
-(define (clone* url directory)
+(define* (clone* url directory #:key (verify-certificate? #t))
   "Clone git repository at URL into DIRECTORY.  Upon failure,
 make sure no empty directory is left behind."
   (with-throw-handler #t
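Review bot: `clone*` gains #:verify-certificate? on its signature line, but its docstring still describes only URL and DIRECTORY; the same is true of `clone/swh-fallback` in the hunk at -445. Since passing #f lets the clone proceed despite an invalid certificate, I would add a sentence to both docstrings, e.g. `When VERIFY-CERTIFICATE? is false, warn about an invalid X.509 host certificate instead of raising an error.` The body of clone* continues outside this hunk.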
@@ -222,7 +235,8 @@ (define (clone* url directory)
 
       (clone url directory
              (make-clone-options
-              #:fetch-options (make-default-fetch-options))))
+              #:fetch-options (make-default-fetch-options
+                               #:verify-certificate? verify-certificate?))))
     (lambda _
       (false-if-exception (rmdir directory)))))
 
@@ -445,7 +459,8 @@ (define (clone-from-swh url tag-or-commit output)
             (remote-set-url! repository "origin" url)
             repository)))))
 
-(define (clone/swh-fallback url ref cache-directory)
+(define* (clone/swh-fallback url ref cache-directory
+                             #:key (verify-certificate? #t))
   "Like 'clone', but fallback to Software Heritage if the repository cannot be
 found at URL."
   (define (inaccessible-url-error? err)
@@ -456,7 +471,8 @@ (define (clone/swh-fallback url ref cache-directory)
 
   (catch 'git-error
     (lambda ()
-      (clone* url cache-directory))
+      (clone* url cache-directory
+              #:verify-certificate? verify-certificate?))
     (lambda (key err)
       (match ref
         (((or 'commit 'tag-or-commit) . commit)
@@ -526,6 +542,7 @@ (define* (update-cached-checkout url
                                  (check-out? #t)
                                  starting-commit
                                  (log-port (%make-void-port "w"))
+                                 (verify-certificate? #t)
                                  (cache-directory
                                   (url-cache-directory
                                    url (%repository-cache-directory)
@@ -544,6 +561,9 @@ (define* (update-cached-checkout url
 When CHECK-OUT? is true, reset the cached working tree to REF; otherwise leave
 it unchanged.
 
+When VERIFY-CERTIFICATE? is true, raise an error when encountering an invalid
+X.509 host certificate; otherwise, warn about the problem and keep going.
+
 Wait for up to CONNECTION-TIMEOUT milliseconds when establishing connection to
 the remote server, and for up to READ-TIMEOUT milliseconds when reading from
 it.  When zero, use the system defaults for these timeouts; when false, leave
@@ -573,15 +593,22 @@ (define* (update-cached-checkout url
    (let* ((cache-exists? (openable-repository? cache-directory))
           (repository    (if cache-exists?
                              (repository-open cache-directory)
-                             (clone/swh-fallback url ref cache-directory))))
+                             (clone/swh-fallback url ref cache-directory
+                                                 #:verify-certificate?
+                                                 verify-certificate?))))
      ;; Only fetch remote if it has not been cloned just before.
      (when (and cache-exists?
                 (not (reference-available? repository ref)))
        (remote-fetch (remote-lookup repository "origin")
-                     #:fetch-options (make-default-fetch-options)))
+                     #:fetch-options (make-default-fetch-options
+                                      #:verify-certificate?
+                                      verify-certificate?)))
      (when recursive?
        (update-submodules repository #:log-port log-port
-                          #:fetch-options (make-default-fetch-options)))
+                          #:fetch-options
+                          (make-default-fetch-options
+                           #:verify-certificate?
+                           verify-certificate?)))
 
      ;; Note: call 'commit-relation' from here because it's more efficient
      ;; than letting users re-open the checkout later on.
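Review bot: The same VERIFY-CERTIFICATE? value is handed to `update-submodules`, so with RECURSIVE? true a caller who relaxed verification for URL also relaxes it for every submodule remote, which may be on other hosts. The docstring text this patch adds to update-cached-checkout does not mention that; I would add `When RECURSIVE? is true, this setting also applies to submodule fetches, which may contact hosts other than URL.` Whether update-submodules actually uses the supplied fetch options for each submodule is not visible here and should be confirmed. The let* body continues outside this hunk.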
@@ -632,6 +659,7 @@ (define* (latest-repository-commit store url
                                    #:key
                                    recursive?
                                    (log-port (%make-void-port "w"))
+                                   (verify-certificate? #t)
                                    (cache-directory
                                     (%repository-cache-directory))
                                    (ref '()))
@@ -644,6 +672,9 @@ (define* (latest-repository-commit store url
 
 When RECURSIVE? is true, check out submodules as well, if any.
 
+When VERIFY-CERTIFICATE? is true, raise an error when encountering an invalid
+X.509 host certificate; otherwise, warn about the problem and keep going.
+
 Git repositories are kept in the cache directory specified by
 %repository-cache-directory parameter.
 
@@ -668,6 +699,7 @@ (define* (latest-repository-commit store url
                                 (url-cache-directory url cache-directory
                                                      #:recursive?
                                                      recursive?)
+                                #:verify-certificate? verify-certificate?
                                 #:log-port log-port))
        ((name)
         (url+commit->name url commit)))
-- 
2.46.0






Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-12-10 23:33 [bug#74776] [PATCH 0/7] Adding '--no-check-certificate' to 'pull' and 'time-machine' Ludovic Courtès
2024-12-10 23:34 ` [bug#74776] [PATCH 1/7] git: Remove Guile-Git < 0.4.0 compatibility fallback Ludovic Courtès
2024-12-10 23:34 ` Ludovic Courtès [this message]
2024-12-10 23:34 ` [bug#74776] [PATCH 3/7] guix download: Honor ‘--no-check-certificate’ for ‘--git’ Ludovic Courtès
2024-12-10 23:34 ` [bug#74776] [PATCH 4/7] channels: Add #:verify-certificate? and honor it Ludovic Courtès
2024-12-10 23:34 ` [bug#74776] [PATCH 5/7] pull: Add ‘--no-check-certificate’ Ludovic Courtès
2024-12-11  2:45   ` Maxim Cournoyer
2024-12-10 23:34 ` [bug#74776] [PATCH 6/7] inferior: Add #:verify-certificate? to ‘cached-channel-instance’ Ludovic Courtès
2024-12-10 23:34 ` [bug#74776] [PATCH 7/7] time-machine: Add ‘--no-check-certificate’ Ludovic Courtès
