bazel_repository_cache_test: explicitly allow unverified downloads fr…

…om localhost The repository cache tests (among other things) that a download of a file adds it to the cache under its sha256 hash, even if no hash was specified on the download. To make the test certificate-independent, this is done via plain http on the loopback device. Explicitly allow this use of unverified http download. Related to #8607 Change-Id: I0140356b1d952c3ccdea78d5f35a2fa9d5926c84 PiperOrigin-RevId: 258557255
bazelbuild · Jul 17, 2019 · 7c0cb0a · 7c0cb0a
1 parent b815b79
commit 7c0cb0a
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/src/test/shell/bazel/bazel_repository_cache_test.sh b/src/test/shell/bazel/bazel_repository_cache_test.sh
@@ -300,7 +300,14 @@ EOF
 
   # Fetch; as we did not specify a hash, we expect bazel to tell us the hash
   # in an info message.
-  bazel fetch --repository_cache="$repo_cache_dir" //zoo:breeding-program >& $TEST_log \
+  #
+  # The intended use case is, of course, downloading from a known-to-be-good
+  # upstream https site. Here we test with plain http, which we have to allow
+  # to do without checksum. But we can safely do so, as the loopback device
+  # is reasonably safe against man-in-the-middle attacks.
+  bazel fetch --repository_cache="$repo_cache_dir" \
+        --noincompatible_disallow_unverified_http_downloads \
+        //zoo:breeding-program >& $TEST_log \
     || fail "expected fetch to succeed"
 
   expect_log "${sha256}"