5b281c69d7c3d44aeada5a1b0ed152d345adf2e8 galt Tue Nov 9 11:09:59 2021 -0800 Squashed commit of the following: Adding new features to https like cert verification, error messages that work right with warn and errAbort and our GUI in hgCustom and hgHubConnect and also logging especially for CGIs of problem certs. Also added callback so that we can support multiple levels like warn instead of abort. Cert verify options controlled by env vars and also hg.conf variables for CGIs that use the cart. Added basic info about the new httpsCertCheck setting to various documents. Added -httpsCertCheck=[abort|warn|none] command-line option to the hubCheck utility. refs #28332, #28457, #28458
diff --git src/hg/utils/hubCheck/hubCheck.c src/hg/utils/hubCheck/hubCheck.c
index 0c53254..ca85837 100644
--- src/hg/utils/hubCheck/hubCheck.c
+++ src/hg/utils/hubCheck/hubCheck.c
@@ -32,48 +32,50 @@ errAbort(
 "hubCheck - Check a track data hub for integrity.\n"
 "usage:\n"
 " hubCheck http://yourHost/yourDir/hub.txt\n"
 "options:\n"
 " -noTracks - don't check remote files for tracks, just trackDb (faster)\n"
 " -checkSettings - check trackDb settings to spec\n"
 " -version=[v?|url] - version to validate settings against\n"
 " (defaults to version in hub.txt, or current standard)\n"
 " -extra=[file|url] - accept settings in this file (or url)\n"
 " -level=base|required - reject settings below this support level\n"
 " -settings - just list settings with support level\n"
 " -genome=genome - only check this genome\n"
 " -udcDir=/dir/to/cache - place to put cache for remote bigBed/bigWigs.\n"
 " Will create this directory if not existing\n"
+ " -httpsCertCheck=[abort,warn,none] - set the ssl certificate verification mode.\n"
 " -printMeta - print the metadata for each track\n"
 " -cacheTime=N - set cache refresh time in seconds, default %d\n"
 " -verbose=2 - output verbosely\n"
 , cacheTime
 );
 }
 static struct optionSpec options[] = {
 {"version", OPTION_STRING},
 {"level", OPTION_STRING},
 {"extra", OPTION_STRING},
 {"noTracks", OPTION_BOOLEAN},
 {"settings", OPTION_BOOLEAN},
 {"checkSettings", OPTION_BOOLEAN},
 {"genome", OPTION_STRING},
 {"test", OPTION_BOOLEAN},
 {"printMeta", OPTION_BOOLEAN},
 {"udcDir", OPTION_STRING},
+ {"httpsCertCheck", OPTION_STRING},
 {"specHost", OPTION_STRING},
 {"cacheTime", OPTION_INT},
 // intentionally undocumented option for hgHubConnect
 {"htmlOut", OPTION_BOOLEAN},
 {NULL, 0},
 };
 struct trackHubCheckOptions
 /* How to check track hub */
 {
 boolean checkFiles; /* check remote files exist and are correct type */
 boolean checkSettings; /* check trackDb settings to spec */
 boolean printMeta; /* print out the metadata for each track */
 char *version; /* hub spec version to check */
 char *specHost; /* server hosting hub spec */
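Review bot: The new usage line `" -httpsCertCheck=[abort,warn,none] - set the ssl certificate verification mode.\n"` separates the choices with commas while the neighbouring options (`-level=base|required`, `-version=[v?|url]`) and the commit message use `|`, and it does not say what each mode does or which mode applies when the option is omitted. Suggest `"   -httpsCertCheck=[abort|warn|none] - ssl certificate verification: abort on a bad cert, warn only, or skip the check (default: <library default>)\n"`, filling in the default the https code actually uses when the variable is unset, which this diff does not show. The option table entry `{"httpsCertCheck", OPTION_STRING}` is fine as is.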
@@ -1149,30 +1151,44 @@ char *version = NULL;
 if (optionExists("version"))
 version = optionVal("version", NULL);
 checkOptions->version = version;
 char *extraFile = optionVal("extra", NULL);
 if (extraFile != NULL)
 addExtras(extraFile, checkOptions);
 cacheTime = optionInt("cacheTime", cacheTime);
 udcSetCacheTimeout(cacheTime);
 // UDC cache dir: first check for hg.conf setting, then override with command line option if given.
 setUdcCacheDir();
 udcSetDefaultDir(optionVal("udcDir", udcDefaultDir()));
+char *httpsCertCheck = optionVal("httpsCertCheck", NULL);
+if (httpsCertCheck)
+ {
+ if (sameString(httpsCertCheck, "abort") || sameString(httpsCertCheck, "warn") || sameString(httpsCertCheck, "none"))
+ {
+ setenv("https_cert_check", httpsCertCheck, 1);
+ }
+ else
+ {
+ verbose(1, "The value of -httpsCertCheck should be either abort to avoid Man-in-middle attack, warn to warn about failed certs, or none indicating the verify is skipped.");
+ usage();
+ }
+ }
+
 knetUdcInstall(); // make the htslib library use udc
 if (optionExists("settings"))
 {
 showSettings(checkOptions);
 return 0;
 }
 // hgHubConnect specific option for generating a jstree of the hub errors
 checkOptions->htmlOut = optionExists("htmlOut");
 struct dyString *errors = newDyString(1024);
 if (trackHubCheck(argv[1], checkOptions, errors) || checkOptions->htmlOut)
 {
 if (checkOptions->htmlOut) // just dump errors string to stdout
 {
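Review bot: The rejection message passed to `verbose(1, ...)` in the new else branch has no trailing newline, so the `usage()` text that follows is appended to the same line; end it with `\n`, e.g. `verbose(1, "... or none indicating the verify is skipped.\n");`. The return value of `setenv("https_cert_check", httpsCertCheck, 1)` is also ignored, so a failed setenv would silently leave the library on its default mode; `if (setenv("https_cert_check", httpsCertCheck, 1) != 0) errAbort("can't set https_cert_check");` makes that visible. The literal `https_cert_check` is presumably the name the https code reads, so a shared macro for it would keep the two sides from drifting. Since `none` turns certificate verification off for the whole process, logging that choice once (`verbose(1, "https certificate verification disabled\n")`) gives the operator a record of it. The enclosing function starts and ends outside this hunk.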