filelog: raise CensoredNodeError when hash checks fail with censor metadata
With this change, when a revlog revision hash does not match its content, and
the content is empty with a special metadata key, the integrity failure is
assumed to be intentionally caused to remove sensitive content from repository
history.
To allow different Mercurial functionality to handle this scenario differently
a more specific exception is raised than "ordinary" hash failures.
Alternatives to this approach include, but are not limited to:
- Calling a hook when hashes mismatch to allow arbitrary tombstone validation.
Cons: Irresponsibly easy to disable integrity checking altogether.
- Returning empty revision data eagerly instead of raising, masking the error.
Cons: Push/pull won't roundtrip the tombstone, so client repos are unusable.
- Doing nothing differently at this layer. Callers must do their own detection
of tombstoned data if they want to handle some hash checks and not others.
- Impacts dozens of callsites, many of which don't have the revision data
- Would probably be missing one or two callsites at any given time
- Currently we throw a RevlogError, as do 12 other places in revlog.py.
Callers would need to parse the exception message and/or ensure
RevlogError is not thrown from any other part of their call tree.
#require serve
#if no-outer-repo
no repo
$ hg id
abort: there is no Mercurial repository here (.hg not found)
[255]
#endif
create repo
$ hg init test
$ cd test
$ echo a > a
$ hg ci -Ama
adding a
basic id usage
$ hg id
cb9a9f314b8b tip
$ hg id --debug
cb9a9f314b8b07ba71012fcdbc544b5a4d82ff5b tip
$ hg id -q
cb9a9f314b8b
$ hg id -v
cb9a9f314b8b tip
with options
$ hg id -r.
cb9a9f314b8b tip
$ hg id -n
0
$ hg id -t
tip
$ hg id -b
default
$ hg id -i
cb9a9f314b8b
$ hg id -n -t -b -i
cb9a9f314b8b 0 default tip
with modifications
$ echo b > a
$ hg id -n -t -b -i
cb9a9f314b8b+ 0+ default tip
other local repo
$ cd ..
$ hg -R test id
cb9a9f314b8b+ tip
#if no-outer-repo
$ hg id test
cb9a9f314b8b+ tip
#endif
with remote http repo
$ cd test
$ hg serve -p $HGPORT1 -d --pid-file=hg.pid
$ cat hg.pid >> $DAEMON_PIDS
$ hg id http://localhost:$HGPORT1/
cb9a9f314b8b
remote with rev number?
$ hg id -n http://localhost:$HGPORT1/
abort: can't query remote revision number, branch, or tags
[255]
remote with tags?
$ hg id -t http://localhost:$HGPORT1/
abort: can't query remote revision number, branch, or tags
[255]
remote with branch?
$ hg id -b http://localhost:$HGPORT1/
abort: can't query remote revision number, branch, or tags
[255]
test bookmark support
$ hg bookmark Y
$ hg bookmark Z
$ hg bookmarks
Y 0:cb9a9f314b8b
* Z 0:cb9a9f314b8b
$ hg id
cb9a9f314b8b+ tip Y/Z
$ hg id --bookmarks
Y Z
test remote identify with bookmarks
$ hg id http://localhost:$HGPORT1/
cb9a9f314b8b Y/Z
$ hg id --bookmarks http://localhost:$HGPORT1/
Y Z
$ hg id -r . http://localhost:$HGPORT1/
cb9a9f314b8b Y/Z
$ hg id --bookmarks -r . http://localhost:$HGPORT1/
Y Z
test invalid lookup
$ hg id -r noNoNO http://localhost:$HGPORT1/
abort: unknown revision 'noNoNO'!
[255]
Make sure we do not obscure unknown requires file entries (issue2649)
$ echo fake >> .hg/requires
$ hg id
abort: repository requires features unknown to this Mercurial: fake!
(see http://mercurial.selenic.com/wiki/MissingRequirement for more information)
[255]
$ cd ..
#if no-outer-repo
$ hg id test
abort: repository requires features unknown to this Mercurial: fake!
(see http://mercurial.selenic.com/wiki/MissingRequirement for more information)
[255]
#endif