cf09d38904dd6b0333eb2369d8f84c3ee6478450 galt Tue Nov 23 23:35:32 2021 -0800 Since IP addresses are automatically whitelisted and no cert verify takes place, we no longer need them. Also added a useful option for controlling the hardwired whitelist for hubCheck.
diff --git src/hg/utils/hubCheck/hubCheck.c src/hg/utils/hubCheck/hubCheck.c
index eadd61b..e6c0b73 100644
--- src/hg/utils/hubCheck/hubCheck.c
+++ src/hg/utils/hubCheck/hubCheck.c
@@ -32,50 +32,52 @@ errAbort(
 "hubCheck - Check a track data hub for integrity.\n"
 "usage:\n"
 " hubCheck http://yourHost/yourDir/hub.txt\n"
 "options:\n"
 " -noTracks - don't check remote files for tracks, just trackDb (faster)\n"
 " -checkSettings - check trackDb settings to spec\n"
 " -version=[v?|url] - version to validate settings against\n"
 " (defaults to version in hub.txt, or current standard)\n"
 " -extra=[file|url] - accept settings in this file (or url)\n"
 " -level=base|required - reject settings below this support level\n"
 " -settings - just list settings with support level\n"
 " -genome=genome - only check this genome\n"
 " -udcDir=/dir/to/cache - place to put cache for remote bigBed/bigWigs.\n"
 " Will create this directory if not existing\n"
- " -httpsCertCheck=[abort,warn,none] - set the ssl certificate verification mode.\n"
+ " -httpsCertCheck=[abort,warn,log,none] - set the ssl certificate verification mode.\n"
+ " -httpsCertCheckDomainExceptions= - space separated list of domains to whitelist.\n"
 " -printMeta - print the metadata for each track\n"
 " -cacheTime=N - set cache refresh time in seconds, default %d\n"
 " -verbose=2 - output verbosely\n"
 , cacheTime
 );
 }
 static struct optionSpec options[] = {
 {"version", OPTION_STRING},
 {"level", OPTION_STRING},
 {"extra", OPTION_STRING},
 {"noTracks", OPTION_BOOLEAN},
 {"settings", OPTION_BOOLEAN},
 {"checkSettings", OPTION_BOOLEAN},
 {"genome", OPTION_STRING},
 {"test", OPTION_BOOLEAN},
 {"printMeta", OPTION_BOOLEAN},
 {"udcDir", OPTION_STRING},
 {"httpsCertCheck", OPTION_STRING},
+ {"httpsCertCheckDomainExceptions", OPTION_STRING},
 {"specHost", OPTION_STRING},
 {"cacheTime", OPTION_INT},
 // intentionally undocumented option for hgHubConnect
 {"htmlOut", OPTION_BOOLEAN},
 {NULL, 0},
 };
 struct trackHubCheckOptions
 /* How to check track hub */
 {
 boolean checkFiles; /* check remote files exist and are correct type */
 boolean checkSettings; /* check trackDb settings to spec */
 boolean printMeta; /* print out the metadata for
 each track */
 char *version; /* hub spec version to check */
 char *specHost; /* server hosting hub spec */
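Review bot: The new help line `-httpsCertCheckDomainExceptions= - space separated list of domains to whitelist.` does not say what whitelisting does to those domains, and it omits the `noHardwiredExceptions` token that this same commit teaches the option parser to honour (the only mention is a code comment in the option-parsing code, not in user-visible help). Per the commit message a whitelisted host gets no certificate verification at all, so the help should state that bypass plainly rather than hide it behind "whitelist", so nobody adds a domain casually. Suggested text: `"   -httpsCertCheckDomainExceptions='d1 d2 ...' - space separated domains for which https certificate verification is skipped; include noHardwiredExceptions to also drop the built-in list.\n"`. usage() starts before this hunk, and the trackHubCheckOptions struct at its end continues past it.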
@@ -1154,45 +1156,52 @@ checkOptions->version = version;
 char *extraFile = optionVal("extra", NULL);
 if (extraFile != NULL)
 addExtras(extraFile, checkOptions);
 cacheTime = optionInt("cacheTime", cacheTime);
 udcSetCacheTimeout(cacheTime);
 // UDC cache dir: first check for hg.conf setting, then override with command line option if given.
 setUdcCacheDir();
 udcSetDefaultDir(optionVal("udcDir", udcDefaultDir()));
 char *httpsCertCheck = optionVal("httpsCertCheck", NULL);
 if (httpsCertCheck)
 {
- // secretly accept level log for testing, but you only see something if SCRIPT_NAME env variable is set like CGIs have.
+ // level log for testing, but you only see something if SCRIPT_NAME env variable is set like CGIs have.
 if (sameString(httpsCertCheck, "abort") || sameString(httpsCertCheck, "warn") || sameString(httpsCertCheck, "log") || sameString(httpsCertCheck, "none"))
 {
 setenv("https_cert_check", httpsCertCheck, 1);
 }
 else
 {
 // log level is not very useful, but included it for completeness.
 verbose(1, "The value of -httpsCertCheck should be either abort to avoid Man-in-middle attack,\n"
 "warn to warn about failed certs,\n"
 "none indicating the verify is skipped entirely.");
 usage();
 }
 }
+// should be space separated list, if that lists contains "noHardwiredExceptions" then the built-in hardwired whitelist in https.c is skipped.
+char *httpsCertCheckDomainExceptions = optionVal("httpsCertCheckDomainExceptions", NULL);
+if (httpsCertCheckDomainExceptions)
+ {
+ setenv("https_cert_check_domain_exceptions", httpsCertCheckDomainExceptions, 1);
+ }
+
 knetUdcInstall(); // make the htslib library use udc
 if (optionExists("settings"))
 {
 showSettings(checkOptions);
 return 0;
 }
 // hgHubConnect specific option for generating a jstree of the hub errors
 checkOptions->htmlOut = optionExists("htmlOut");
 struct dyString *errors = newDyString(1024);
 if (trackHubCheck(argv[1], checkOptions, errors) || checkOptions->htmlOut)
 {
 if (checkOptions->htmlOut) // just dump errors string to stdout
 {
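Review bot: The rejection message in the else branch still lists only abort, warn and none, while the accepted set on the `if (sameString(...))` line and the usage text added in this commit include log, so a user who mistypes the option is told an incomplete list of valid values; add `"log to record failed certs without aborting (visible only when SCRIPT_NAME is set, as in CGIs),\n"` between the warn and none lines, and fix `Man-in-middle` to `man-in-the-middle`. The new `-httpsCertCheckDomainExceptions` block passes its value to setenv() unvalidated, so `-httpsCertCheckDomainExceptions=` with an empty value exports an empty variable whose effect is decided in https.c and not visible here; rejecting it up front with `if (httpsCertCheckDomainExceptions[0] == '\0') errAbort("-httpsCertCheckDomainExceptions needs a space separated list of domains");` keeps a typo from silently changing certificate handling for a process-wide setting that udc and the htslib path installed by knetUdcInstall() will inherit. The enclosing function (apparently main, given argv[1]) starts before this hunk and continues past it.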