bazel_repository_cache_test: explicitly allow unverified downloads from localhost
The repository cache tests (among other things) that a download of a file adds it
to the cache under its sha256 hash, even if no hash was specified on the download.
To make the test certificate-independent, this is done via plain http on the
loopback device. Explicitly allow this use of unverified http download.
Related to #8607
Change-Id: I0140356b1d952c3ccdea78d5f35a2fa9d5926c84
PiperOrigin-RevId: 258557255
diff --git a/src/test/shell/bazel/bazel_repository_cache_test.sh b/src/test/shell/bazel/bazel_repository_cache_test.sh
index 076bd33..3a7efed 100755
--- a/src/test/shell/bazel/bazel_repository_cache_test.sh
+++ b/src/test/shell/bazel/bazel_repository_cache_test.sh
@@ -300,7 +300,14 @@
# Fetch; as we did not specify a hash, we expect bazel to tell us the hash
# in an info message.
- bazel fetch --repository_cache="$repo_cache_dir" //zoo:breeding-program >& $TEST_log \
+ #
+ # The intended use case is, of course, downloading from a known-to-be-good
+ # upstream https site. Here we test with plain http, which we have to allow
+ # to do without checksum. But we can safely do so, as the loopback device
+ # is reasonably safe against man-in-the-middle attacks.
+ bazel fetch --repository_cache="$repo_cache_dir" \
+ --noincompatible_disallow_unverified_http_downloads \
+ //zoo:breeding-program >& $TEST_log \
|| fail "expected fetch to succeed"
expect_log "${sha256}"
