allowhosts.txt 4.18 KB
Newer Older
Tarek Ziad's avatar
Tarek Ziad committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108
Allow hosts
-----------

On some environments the links visited by `zc.buildout` can be forbidden
by paranoiac firewalls. These URL might be on the chain of links 
visited by `zc.buildout` wheter they are defined in the `find-links` option,
wheter they are defined by various eggs in their `url`, `download_url`, 
`dependency_links` metadata.

It is even harder to track that package_index works like a spider and 
might visit links and go to other location.

The `allow-hosts` option provides a way to prevent this, and 
works exactly like the one provided in `easy_install`
(see `easy_install allow-hosts option`_).

You can provide a list of allowed host, together with wildcards::

    [buildout]
    ...
    
    allow-hosts =
        *.python.org
        example.com

Let's create a develop egg in our buildout that specifies
`dependency_links` which points to a server in the outside world::

    >>> mkdir(sample_buildout, 'allowdemo')
    >>> write(sample_buildout, 'allowdemo', 'dependencydemo.py',
    ...       'import eggrecipekss.core')
    >>> write(sample_buildout, 'allowdemo', 'setup.py',
    ... '''from setuptools import setup; setup(
    ...     name='allowdemo', py_modules=['dependencydemo'],
    ...     install_requires = 'kss.core',
    ...     dependency_links = ['http://dist.plone.org'],
    ...     zip_safe=True, version='1')
    ... ''')

Now let's configure the buildout to use the develop egg, 
together with some rules that disallow any website but PyPI and
local files::

    >>> write(sample_buildout, 'buildout.cfg',
    ... '''
    ... [buildout]
    ... develop = allowdemo
    ... parts = eggs
    ... allow-hosts =
    ...     pypi.python.org
    ...
    ... [eggs]
    ... recipe = zc.recipe.egg:eggs
    ... eggs = allowdemo
    ... ''')

Now we can run the buildout and make sure all attempts to dist.plone.org fails::

    >>> print system(buildout)
    Develop: '/sample-buildout/allowdemo'
    Installing eggs.
    <BLANKLINE>
    Link to http://dist.plone.org ***BLOCKED*** by --allow-hosts
    <BLANKLINE>
    Couldn't find index page for 'kss.core' (maybe misspelled?)
    Getting distribution for 'kss.core'.
    While:
      Installing eggs.
      Getting distribution for 'kss.core'.
    Error: Couldn't find a distribution for 'kss.core'.
    <BLANKLINE>

That's what we wanted : this will prevent any attempt to access
unwanted domains. For instance, some packages are listing in their
links `svn://` links. These can lead to error in some cases, and
can therefore be protected like this::

XXX (showcase with a svn:// file)

    >>> write(sample_buildout, 'buildout.cfg',
    ... '''
    ... [buildout]
    ... develop = allowdemo
    ... parts = eggs
    ... allow-hosts =
    ...     ^(!svn://).*
    ...
    ... [eggs]
    ... recipe = zc.recipe.egg:eggs
    ... eggs = allowdemo
    ... ''')

Now we can run the buildout and make sure all attempts to dist.plone.org fails::

    >>> print system(buildout)
    Develop: '/sample-buildout/allowdemo'
    Installing eggs.
    <BLANKLINE>
    Link to http://dist.plone.org ***BLOCKED*** by --allow-hosts
    <BLANKLINE>
    Couldn't find index page for 'kss.core' (maybe misspelled?)
    Getting distribution for 'kss.core'.
    While:
      Installing eggs.
      Getting distribution for 'kss.core'.
    Error: Couldn't find a distribution for 'kss.core'.
    <BLANKLINE>

109 110
Test for issues
---------------
Tarek Ziad's avatar
Tarek Ziad committed
111

112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137
Test for 1.0.5 breakage as in https://bugs.launchpad.net/zc.buildout/+bug/239212::

    >>> write(sample_buildout, 'buildout.cfg',
    ... '''
    ... [buildout]
    ... parts=
    ...     python
    ...      
    ... foo = ${python:interpreter}
    ...      
    ... [python]
    ... recipe=zc.recipe.egg
    ... eggs=ipython
    ... interpreter=python
    ... ''')
    >>> print system(buildout)
    Unused options for buildout: 'foo'.
    Installing python.
    Getting distribution for 'ipython'.
    Got ipython 0.8.3.
    Generated script 'bin/ipython'.
    Generated script 'bin/pycolor'.
    Generated interpreter 'bin/python'.
    <BLANKLINE>

The bug 239212 above would have got us an *AttrubuteError* on *buildout._allow_hosts*.
138 139
This was fixed in thhis changeset:
http://svn.zope.org/zc.buildout/trunk/src/zc/buildout/buildout.py?rev=87309&r1=87277&r2=87309