tests/test-acl.t
author Augie Fackler <augie@google.com>
Wed, 12 Apr 2017 11:23:55 -0700
branchstable
changeset 32050 77eaf9539499
parent 30211 6b0741d6d234
child 32307 c2380b448265
permissions -rw-r--r--
dispatch: protect against malicious 'hg serve --stdio' invocations (sec) Some shared-ssh installations assume that 'hg serve --stdio' is a safe command to run for minimally trusted users. Unfortunately, the messy implementation of argument parsing here meant that trying to access a repo named '--debugger' would give the user a pdb prompt, thereby sidestepping any hoped-for sandboxing. Serving repositories over HTTP(S) is unaffected. We're not currently hardening any subcommands other than 'serve'. If your service exposes other commands to users with arbitrary repository names, it is imperative that you defend against repository names of '--debugger' and anything starting with '--config'. The read-only mode of hg-ssh stopped working because it provided its hook configuration to "hg serve --stdio" via --config parameter. This is banned for security reasons now. This patch switches it to directly call ui.setconfig(). If your custom hosting infrastructure relies on passing --config to "hg serve --stdio", you'll need to find a different way to get that configuration into Mercurial, either by using ui.setconfig() as hg-ssh does in this patch, or by placing an hgrc file someplace where Mercurial will read it. mitrandir@fb.com provided some extra fixes for the dispatch code and for hg-ssh in places that I overlooked.

  > do_push()
  > {
  >     user=$1
  >     shift
  >     echo "Pushing as user $user"
  >     echo 'hgrc = """'
  >     sed -n '/\[[ha]/,$p' b/.hg/hgrc | grep -v fakegroups.py
  >     echo '"""'
  >     if test -f acl.config; then
  >         echo 'acl.config = """'
  >         cat acl.config
  >         echo '"""'
  >     fi
  >     # On AIX /etc/profile sets LOGNAME read-only. So
  >     #  LOGNAME=$user hg --cws a --debug push ../b
  >     # fails with "This variable is read only."
  >     # Use env to work around this.
  >     env LOGNAME=$user hg --cwd a --debug push ../b
  >     hg --cwd b rollback
  >     hg --cwd b --quiet tip
  >     echo
  > }

  > init_config()
  > {
  >     cat > fakegroups.py <<EOF
  > from hgext import acl
  > def fakegetusers(ui, group):
  >     try:
  >         return acl._getusersorig(ui, group)
  >     except:
  >         return ["fred", "betty"]
  > acl._getusersorig = acl._getusers
  > acl._getusers = fakegetusers
  > EOF
  >     rm -f acl.config
  >     cat > $config <<EOF
  > [hooks]
  > pretxnchangegroup.acl = python:hgext.acl.hook
  > [acl]
  > sources = push
  > [extensions]
  > f=`pwd`/fakegroups.py
  > EOF
  > }

  $ hg init a
  $ cd a
  $ mkdir foo foo/Bar quux
  $ echo 'in foo' > foo/file.txt
  $ echo 'in foo/Bar' > foo/Bar/file.txt
  $ echo 'in quux' > quux/file.py
  $ hg add -q
  $ hg ci -m 'add files' -d '1000000 0'
  $ echo >> foo/file.txt
  $ hg ci -m 'change foo/file' -d '1000001 0'
  $ echo >> foo/Bar/file.txt
  $ hg ci -m 'change foo/Bar/file' -d '1000002 0'
  $ echo >> quux/file.py
  $ hg ci -m 'change quux/file' -d '1000003 0'
  $ hg tip --quiet
  3:911600dab2ae

  $ cd ..
  $ hg clone -r 0 a b
  adding changesets
  adding manifests
  adding file changes
  added 1 changesets with 3 changes to 3 files
  updating to branch default
  3 files updated, 0 files merged, 0 files removed, 0 files unresolved

  $ config=b/.hg/hgrc

Extension disabled for lack of a hook

  $ do_push fred
  Pushing as user fred
  hgrc = """
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  updating the branch cache
  bundle2-input-part: total payload size 1553
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-bundle: 3 parts total
  bundle2-output-bundle: "HG20", 2 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 1 parts total
  listing keys for "phases"
  repository tip rolled back to revision 0 (undo push)
  0:6675d58eff77
  

  $ echo '[hooks]' >> $config
  $ echo 'pretxnchangegroup.acl = python:hgext.acl.hook' >> $config

Extension disabled for lack of acl.sources

  $ do_push fred
  Pushing as user fred
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: changes have source "push" - skipping
  updating the branch cache
  bundle2-input-part: total payload size 1553
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-bundle: 3 parts total
  bundle2-output-bundle: "HG20", 2 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 1 parts total
  listing keys for "phases"
  repository tip rolled back to revision 0 (undo push)
  0:6675d58eff77
  

No [acl.allow]/[acl.deny]

  $ echo '[acl]' >> $config
  $ echo 'sources = push' >> $config
  $ do_push fred
  Pushing as user fred
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "fred"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow not enabled
  acl: acl.deny not enabled
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  acl: path access granted: "911600dab2ae"
  updating the branch cache
  bundle2-input-part: total payload size 1553
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-bundle: 3 parts total
  bundle2-output-bundle: "HG20", 2 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 1 parts total
  listing keys for "phases"
  repository tip rolled back to revision 0 (undo push)
  0:6675d58eff77
  

Empty [acl.allow]

  $ echo '[acl.allow]' >> $config
  $ do_push fred
  Pushing as user fred
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "fred"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 0 entries for user fred
  acl: acl.deny not enabled
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  error: pretxnchangegroup.acl hook failed: acl: user "fred" not allowed on "foo/file.txt" (changeset "ef1ea85a6374")
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: acl: user "fred" not allowed on "foo/file.txt" (changeset "ef1ea85a6374")
  no rollback information available
  0:6675d58eff77
  

fred is allowed inside foo/

  $ echo 'foo/** = fred' >> $config
  $ do_push fred
  Pushing as user fred
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  foo/** = fred
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "fred"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 1 entries for user fred
  acl: acl.deny not enabled
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  error: pretxnchangegroup.acl hook failed: acl: user "fred" not allowed on "quux/file.py" (changeset "911600dab2ae")
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: acl: user "fred" not allowed on "quux/file.py" (changeset "911600dab2ae")
  no rollback information available
  0:6675d58eff77
  

Empty [acl.deny]

  $ echo '[acl.deny]' >> $config
  $ do_push barney
  Pushing as user barney
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  foo/** = fred
  [acl.deny]
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "barney"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 0 entries for user barney
  acl: acl.deny enabled, 0 entries for user barney
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  error: pretxnchangegroup.acl hook failed: acl: user "barney" not allowed on "foo/file.txt" (changeset "ef1ea85a6374")
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: acl: user "barney" not allowed on "foo/file.txt" (changeset "ef1ea85a6374")
  no rollback information available
  0:6675d58eff77
  

fred is allowed inside foo/, but not foo/bar/ (case matters)

  $ echo 'foo/bar/** = fred' >> $config
  $ do_push fred
  Pushing as user fred
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  foo/** = fred
  [acl.deny]
  foo/bar/** = fred
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "fred"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 1 entries for user fred
  acl: acl.deny enabled, 1 entries for user fred
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  error: pretxnchangegroup.acl hook failed: acl: user "fred" not allowed on "quux/file.py" (changeset "911600dab2ae")
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: acl: user "fred" not allowed on "quux/file.py" (changeset "911600dab2ae")
  no rollback information available
  0:6675d58eff77
  

fred is allowed inside foo/, but not foo/Bar/

  $ echo 'foo/Bar/** = fred' >> $config
  $ do_push fred
  Pushing as user fred
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  foo/** = fred
  [acl.deny]
  foo/bar/** = fred
  foo/Bar/** = fred
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "fred"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 1 entries for user fred
  acl: acl.deny enabled, 2 entries for user fred
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  error: pretxnchangegroup.acl hook failed: acl: user "fred" denied on "foo/Bar/file.txt" (changeset "f9cafe1212c8")
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: acl: user "fred" denied on "foo/Bar/file.txt" (changeset "f9cafe1212c8")
  no rollback information available
  0:6675d58eff77
  

  $ echo 'barney is not mentioned => not allowed anywhere'
  barney is not mentioned => not allowed anywhere
  $ do_push barney
  Pushing as user barney
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  foo/** = fred
  [acl.deny]
  foo/bar/** = fred
  foo/Bar/** = fred
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "barney"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 0 entries for user barney
  acl: acl.deny enabled, 0 entries for user barney
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  error: pretxnchangegroup.acl hook failed: acl: user "barney" not allowed on "foo/file.txt" (changeset "ef1ea85a6374")
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: acl: user "barney" not allowed on "foo/file.txt" (changeset "ef1ea85a6374")
  no rollback information available
  0:6675d58eff77
  

barney is allowed everywhere

  $ echo '[acl.allow]' >> $config
  $ echo '** = barney' >> $config
  $ do_push barney
  Pushing as user barney
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  foo/** = fred
  [acl.deny]
  foo/bar/** = fred
  foo/Bar/** = fred
  [acl.allow]
  ** = barney
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "barney"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 1 entries for user barney
  acl: acl.deny enabled, 0 entries for user barney
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  acl: path access granted: "911600dab2ae"
  updating the branch cache
  bundle2-input-part: total payload size 1553
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-bundle: 3 parts total
  bundle2-output-bundle: "HG20", 2 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 1 parts total
  listing keys for "phases"
  repository tip rolled back to revision 0 (undo push)
  0:6675d58eff77
  

wilma can change files with a .txt extension

  $ echo '**/*.txt = wilma' >> $config
  $ do_push wilma
  Pushing as user wilma
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  foo/** = fred
  [acl.deny]
  foo/bar/** = fred
  foo/Bar/** = fred
  [acl.allow]
  ** = barney
  **/*.txt = wilma
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "wilma"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 1 entries for user wilma
  acl: acl.deny enabled, 0 entries for user wilma
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  error: pretxnchangegroup.acl hook failed: acl: user "wilma" not allowed on "quux/file.py" (changeset "911600dab2ae")
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: acl: user "wilma" not allowed on "quux/file.py" (changeset "911600dab2ae")
  no rollback information available
  0:6675d58eff77
  

file specified by acl.config does not exist

  $ echo '[acl]' >> $config
  $ echo 'config = ../acl.config' >> $config
  $ do_push barney
  Pushing as user barney
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  foo/** = fred
  [acl.deny]
  foo/bar/** = fred
  foo/Bar/** = fred
  [acl.allow]
  ** = barney
  **/*.txt = wilma
  [acl]
  config = ../acl.config
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "barney"
  error: pretxnchangegroup.acl hook raised an exception: [Errno 2] No such file or directory: '../acl.config'
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: No such file or directory: ../acl.config
  no rollback information available
  0:6675d58eff77
  

betty is allowed inside foo/ by a acl.config file

  $ echo '[acl.allow]' >> acl.config
  $ echo 'foo/** = betty' >> acl.config
  $ do_push betty
  Pushing as user betty
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  foo/** = fred
  [acl.deny]
  foo/bar/** = fred
  foo/Bar/** = fred
  [acl.allow]
  ** = barney
  **/*.txt = wilma
  [acl]
  config = ../acl.config
  """
  acl.config = """
  [acl.allow]
  foo/** = betty
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "betty"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 1 entries for user betty
  acl: acl.deny enabled, 0 entries for user betty
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  error: pretxnchangegroup.acl hook failed: acl: user "betty" not allowed on "quux/file.py" (changeset "911600dab2ae")
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: acl: user "betty" not allowed on "quux/file.py" (changeset "911600dab2ae")
  no rollback information available
  0:6675d58eff77
  

acl.config can set only [acl.allow]/[acl.deny]

  $ echo '[hooks]' >> acl.config
  $ echo 'changegroup.acl = false' >> acl.config
  $ do_push barney
  Pushing as user barney
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [acl.allow]
  foo/** = fred
  [acl.deny]
  foo/bar/** = fred
  foo/Bar/** = fred
  [acl.allow]
  ** = barney
  **/*.txt = wilma
  [acl]
  config = ../acl.config
  """
  acl.config = """
  [acl.allow]
  foo/** = betty
  [hooks]
  changegroup.acl = false
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "barney"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 1 entries for user barney
  acl: acl.deny enabled, 0 entries for user barney
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  acl: path access granted: "911600dab2ae"
  updating the branch cache
  bundle2-input-part: total payload size 1553
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-bundle: 3 parts total
  bundle2-output-bundle: "HG20", 2 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 1 parts total
  listing keys for "phases"
  repository tip rolled back to revision 0 (undo push)
  0:6675d58eff77
  

asterisk

  $ init_config

asterisk test

  $ echo '[acl.allow]' >> $config
  $ echo "** = fred" >> $config

fred is always allowed

  $ do_push fred
  Pushing as user fred
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.allow]
  ** = fred
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "fred"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 1 entries for user fred
  acl: acl.deny not enabled
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  acl: path access granted: "911600dab2ae"
  updating the branch cache
  bundle2-input-part: total payload size 1553
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-bundle: 3 parts total
  bundle2-output-bundle: "HG20", 2 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 1 parts total
  listing keys for "phases"
  repository tip rolled back to revision 0 (undo push)
  0:6675d58eff77
  

  $ echo '[acl.deny]' >> $config
  $ echo "foo/Bar/** = *" >> $config

no one is allowed inside foo/Bar/

  $ do_push fred
  Pushing as user fred
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.allow]
  ** = fred
  [acl.deny]
  foo/Bar/** = *
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "fred"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow enabled, 1 entries for user fred
  acl: acl.deny enabled, 1 entries for user fred
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  error: pretxnchangegroup.acl hook failed: acl: user "fred" denied on "foo/Bar/file.txt" (changeset "f9cafe1212c8")
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: acl: user "fred" denied on "foo/Bar/file.txt" (changeset "f9cafe1212c8")
  no rollback information available
  0:6675d58eff77
  

Groups

  $ init_config

OS-level groups

  $ echo '[acl.allow]' >> $config
  $ echo "** = @group1" >> $config

@group1 is always allowed

  $ do_push fred
  Pushing as user fred
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.allow]
  ** = @group1
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "fred"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: "group1" not defined in [acl.groups]
  acl: acl.allow enabled, 1 entries for user fred
  acl: acl.deny not enabled
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  acl: path access granted: "911600dab2ae"
  updating the branch cache
  bundle2-input-part: total payload size 1553
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-bundle: 3 parts total
  bundle2-output-bundle: "HG20", 2 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 1 parts total
  listing keys for "phases"
  repository tip rolled back to revision 0 (undo push)
  0:6675d58eff77
  

  $ echo '[acl.deny]' >> $config
  $ echo "foo/Bar/** = @group1" >> $config

@group is allowed inside anything but foo/Bar/

  $ do_push fred
  Pushing as user fred
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.allow]
  ** = @group1
  [acl.deny]
  foo/Bar/** = @group1
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  invalid branchheads cache (served): tip differs
  listing keys for "bookmarks"
  3 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  bundle2-output-bundle: "HG20", 4 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  adding manifests
  adding file changes
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 3 changesets with 3 changes to 3 files
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "fred"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: "group1" not defined in [acl.groups]
  acl: acl.allow enabled, 1 entries for user fred
  acl: "group1" not defined in [acl.groups]
  acl: acl.deny enabled, 1 entries for user fred
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  error: pretxnchangegroup.acl hook failed: acl: user "fred" denied on "foo/Bar/file.txt" (changeset "f9cafe1212c8")
  bundle2-input-part: total payload size 1553
  bundle2-input-bundle: 3 parts total
  transaction abort!
  rollback completed
  abort: acl: user "fred" denied on "foo/Bar/file.txt" (changeset "f9cafe1212c8")
  no rollback information available
  0:6675d58eff77
  

Invalid group

Disable the fakegroups trick to get real failures

  $ grep -v fakegroups $config > config.tmp
  $ mv config.tmp $config
  $ echo '[acl.allow]' >> $config
  $ echo "** = @unlikelytoexist" >> $config
  $ do_push fred 2>&1 | grep unlikelytoexist
  ** = @unlikelytoexist
  acl: "unlikelytoexist" not defined in [acl.groups]
  error: pretxnchangegroup.acl hook failed: group 'unlikelytoexist' is undefined
  abort: group 'unlikelytoexist' is undefined


Branch acl tests setup

  $ init_config
  $ cd b
  $ hg up
  0 files updated, 0 files merged, 0 files removed, 0 files unresolved
  $ hg branch foobar
  marked working directory as branch foobar
  (branches are permanent and global, did you want a bookmark?)
  $ hg commit -m 'create foobar'
  $ echo 'foo contents' > abc.txt
  $ hg add abc.txt
  $ hg commit -m 'foobar contents'
  $ cd ..
  $ hg --cwd a pull ../b
  pulling from ../b
  searching for changes
  adding changesets
  adding manifests
  adding file changes
  added 2 changesets with 1 changes to 1 files (+1 heads)
  (run 'hg heads' to see heads)

Create additional changeset on foobar branch

  $ cd a
  $ hg up -C foobar
  4 files updated, 0 files merged, 0 files removed, 0 files unresolved
  $ echo 'foo contents2' > abc.txt
  $ hg commit -m 'foobar contents2'
  $ cd ..


No branch acls specified

  $ do_push astro
  Pushing as user astro
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  listing keys for "bookmarks"
  4 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  e8fc755d4d8217ee5b0c2bb41558c40d43b92c01
  bundle2-output-bundle: "HG20", 5 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  add changeset e8fc755d4d82
  adding manifests
  adding file changes
  adding abc.txt revisions
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 4 changesets with 4 changes to 4 files (+1 heads)
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "astro"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches not enabled
  acl: acl.allow not enabled
  acl: acl.deny not enabled
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  acl: path access granted: "911600dab2ae"
  acl: branch access granted: "e8fc755d4d82" on branch "foobar"
  acl: path access granted: "e8fc755d4d82"
  updating the branch cache
  bundle2-input-part: total payload size 2068
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:e8fc755d4d8217ee5b0c2bb41558c40d43b92c01"
  bundle2-input-bundle: 4 parts total
  bundle2-output-bundle: "HG20", 3 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 2 parts total
  listing keys for "phases"
  repository tip rolled back to revision 2 (undo push)
  2:fb35475503ef
  

Branch acl deny test

  $ echo "[acl.deny.branches]" >> $config
  $ echo "foobar = *" >> $config
  $ do_push astro
  Pushing as user astro
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.deny.branches]
  foobar = *
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  listing keys for "bookmarks"
  4 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  e8fc755d4d8217ee5b0c2bb41558c40d43b92c01
  bundle2-output-bundle: "HG20", 5 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  add changeset e8fc755d4d82
  adding manifests
  adding file changes
  adding abc.txt revisions
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 4 changesets with 4 changes to 4 files (+1 heads)
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "astro"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches enabled, 1 entries for user astro
  acl: acl.allow not enabled
  acl: acl.deny not enabled
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  acl: path access granted: "911600dab2ae"
  error: pretxnchangegroup.acl hook failed: acl: user "astro" denied on branch "foobar" (changeset "e8fc755d4d82")
  bundle2-input-part: total payload size 2068
  bundle2-input-bundle: 4 parts total
  transaction abort!
  rollback completed
  abort: acl: user "astro" denied on branch "foobar" (changeset "e8fc755d4d82")
  no rollback information available
  2:fb35475503ef
  

Branch acl empty allow test

  $ init_config
  $ echo "[acl.allow.branches]" >> $config
  $ do_push astro
  Pushing as user astro
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.allow.branches]
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  listing keys for "bookmarks"
  4 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  e8fc755d4d8217ee5b0c2bb41558c40d43b92c01
  bundle2-output-bundle: "HG20", 5 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  add changeset e8fc755d4d82
  adding manifests
  adding file changes
  adding abc.txt revisions
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 4 changesets with 4 changes to 4 files (+1 heads)
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "astro"
  acl: acl.allow.branches enabled, 0 entries for user astro
  acl: acl.deny.branches not enabled
  acl: acl.allow not enabled
  acl: acl.deny not enabled
  error: pretxnchangegroup.acl hook failed: acl: user "astro" not allowed on branch "default" (changeset "ef1ea85a6374")
  bundle2-input-part: total payload size 2068
  bundle2-input-bundle: 4 parts total
  transaction abort!
  rollback completed
  abort: acl: user "astro" not allowed on branch "default" (changeset "ef1ea85a6374")
  no rollback information available
  2:fb35475503ef
  

Branch acl allow other

  $ init_config
  $ echo "[acl.allow.branches]" >> $config
  $ echo "* = george" >> $config
  $ do_push astro
  Pushing as user astro
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.allow.branches]
  * = george
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  listing keys for "bookmarks"
  4 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  e8fc755d4d8217ee5b0c2bb41558c40d43b92c01
  bundle2-output-bundle: "HG20", 5 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  add changeset e8fc755d4d82
  adding manifests
  adding file changes
  adding abc.txt revisions
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 4 changesets with 4 changes to 4 files (+1 heads)
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "astro"
  acl: acl.allow.branches enabled, 0 entries for user astro
  acl: acl.deny.branches not enabled
  acl: acl.allow not enabled
  acl: acl.deny not enabled
  error: pretxnchangegroup.acl hook failed: acl: user "astro" not allowed on branch "default" (changeset "ef1ea85a6374")
  bundle2-input-part: total payload size 2068
  bundle2-input-bundle: 4 parts total
  transaction abort!
  rollback completed
  abort: acl: user "astro" not allowed on branch "default" (changeset "ef1ea85a6374")
  no rollback information available
  2:fb35475503ef
  
  $ do_push george
  Pushing as user george
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.allow.branches]
  * = george
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  listing keys for "bookmarks"
  4 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  e8fc755d4d8217ee5b0c2bb41558c40d43b92c01
  bundle2-output-bundle: "HG20", 5 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  add changeset e8fc755d4d82
  adding manifests
  adding file changes
  adding abc.txt revisions
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 4 changesets with 4 changes to 4 files (+1 heads)
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "george"
  acl: acl.allow.branches enabled, 1 entries for user george
  acl: acl.deny.branches not enabled
  acl: acl.allow not enabled
  acl: acl.deny not enabled
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  acl: path access granted: "911600dab2ae"
  acl: branch access granted: "e8fc755d4d82" on branch "foobar"
  acl: path access granted: "e8fc755d4d82"
  updating the branch cache
  bundle2-input-part: total payload size 2068
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:e8fc755d4d8217ee5b0c2bb41558c40d43b92c01"
  bundle2-input-bundle: 4 parts total
  bundle2-output-bundle: "HG20", 3 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 2 parts total
  listing keys for "phases"
  repository tip rolled back to revision 2 (undo push)
  2:fb35475503ef
  

Branch acl conflicting allow
asterisk ends up applying to all branches and allowing george to
push foobar into the remote

  $ init_config
  $ echo "[acl.allow.branches]" >> $config
  $ echo "foobar = astro" >> $config
  $ echo "* = george" >> $config
  $ do_push george
  Pushing as user george
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.allow.branches]
  foobar = astro
  * = george
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  listing keys for "bookmarks"
  4 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  e8fc755d4d8217ee5b0c2bb41558c40d43b92c01
  bundle2-output-bundle: "HG20", 5 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  add changeset e8fc755d4d82
  adding manifests
  adding file changes
  adding abc.txt revisions
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 4 changesets with 4 changes to 4 files (+1 heads)
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "george"
  acl: acl.allow.branches enabled, 1 entries for user george
  acl: acl.deny.branches not enabled
  acl: acl.allow not enabled
  acl: acl.deny not enabled
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  acl: path access granted: "911600dab2ae"
  acl: branch access granted: "e8fc755d4d82" on branch "foobar"
  acl: path access granted: "e8fc755d4d82"
  updating the branch cache
  bundle2-input-part: total payload size 2068
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:e8fc755d4d8217ee5b0c2bb41558c40d43b92c01"
  bundle2-input-bundle: 4 parts total
  bundle2-output-bundle: "HG20", 3 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 2 parts total
  listing keys for "phases"
  repository tip rolled back to revision 2 (undo push)
  2:fb35475503ef
  
Branch acl conflicting deny

  $ init_config
  $ echo "[acl.deny.branches]" >> $config
  $ echo "foobar = astro" >> $config
  $ echo "default = astro" >> $config
  $ echo "* = george" >> $config
  $ do_push george
  Pushing as user george
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.deny.branches]
  foobar = astro
  default = astro
  * = george
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  listing keys for "bookmarks"
  4 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  e8fc755d4d8217ee5b0c2bb41558c40d43b92c01
  bundle2-output-bundle: "HG20", 5 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  add changeset e8fc755d4d82
  adding manifests
  adding file changes
  adding abc.txt revisions
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 4 changesets with 4 changes to 4 files (+1 heads)
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "george"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches enabled, 1 entries for user george
  acl: acl.allow not enabled
  acl: acl.deny not enabled
  error: pretxnchangegroup.acl hook failed: acl: user "george" denied on branch "default" (changeset "ef1ea85a6374")
  bundle2-input-part: total payload size 2068
  bundle2-input-bundle: 4 parts total
  transaction abort!
  rollback completed
  abort: acl: user "george" denied on branch "default" (changeset "ef1ea85a6374")
  no rollback information available
  2:fb35475503ef
  
User 'astro' must not be denied

  $ init_config
  $ echo "[acl.deny.branches]" >> $config
  $ echo "default = !astro" >> $config
  $ do_push astro
  Pushing as user astro
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.deny.branches]
  default = !astro
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  listing keys for "bookmarks"
  4 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  e8fc755d4d8217ee5b0c2bb41558c40d43b92c01
  bundle2-output-bundle: "HG20", 5 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  add changeset e8fc755d4d82
  adding manifests
  adding file changes
  adding abc.txt revisions
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 4 changesets with 4 changes to 4 files (+1 heads)
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "astro"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches enabled, 0 entries for user astro
  acl: acl.allow not enabled
  acl: acl.deny not enabled
  acl: branch access granted: "ef1ea85a6374" on branch "default"
  acl: path access granted: "ef1ea85a6374"
  acl: branch access granted: "f9cafe1212c8" on branch "default"
  acl: path access granted: "f9cafe1212c8"
  acl: branch access granted: "911600dab2ae" on branch "default"
  acl: path access granted: "911600dab2ae"
  acl: branch access granted: "e8fc755d4d82" on branch "foobar"
  acl: path access granted: "e8fc755d4d82"
  updating the branch cache
  bundle2-input-part: total payload size 2068
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:911600dab2ae7a9baff75958b84fe606851ce955"
  bundle2-input-part: "pushkey" (params: 4 mandatory) supported
  pushing key for "phases:e8fc755d4d8217ee5b0c2bb41558c40d43b92c01"
  bundle2-input-bundle: 4 parts total
  bundle2-output-bundle: "HG20", 3 parts total
  bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-output-part: "reply:pushkey" (params: 0 advisory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-part: "reply:pushkey" (params: 0 advisory) supported
  bundle2-input-bundle: 2 parts total
  listing keys for "phases"
  repository tip rolled back to revision 2 (undo push)
  2:fb35475503ef
  

Non-astro users must be denied

  $ do_push george
  Pushing as user george
  hgrc = """
  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook
  [acl]
  sources = push
  [extensions]
  [acl.deny.branches]
  default = !astro
  """
  pushing to ../b
  query 1; heads
  searching for changes
  all remote heads known locally
  listing keys for "phases"
  checking for updated bookmarks
  listing keys for "bookmarks"
  listing keys for "bookmarks"
  4 changesets found
  list of changesets:
  ef1ea85a6374b77d6da9dcda9541f498f2d17df7
  f9cafe1212c8c6fa1120d14a556e18cc44ff8bdd
  911600dab2ae7a9baff75958b84fe606851ce955
  e8fc755d4d8217ee5b0c2bb41558c40d43b92c01
  bundle2-output-bundle: "HG20", 5 parts total
  bundle2-output-part: "replycaps" 155 bytes payload
  bundle2-output-part: "check:heads" streamed payload
  bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-output-part: "pushkey" (params: 4 mandatory) empty payload
  bundle2-input-bundle: with-transaction
  bundle2-input-part: "replycaps" supported
  bundle2-input-part: total payload size 155
  bundle2-input-part: "check:heads" supported
  bundle2-input-part: total payload size 20
  bundle2-input-part: "changegroup" (params: 1 mandatory) supported
  adding changesets
  add changeset ef1ea85a6374
  add changeset f9cafe1212c8
  add changeset 911600dab2ae
  add changeset e8fc755d4d82
  adding manifests
  adding file changes
  adding abc.txt revisions
  adding foo/Bar/file.txt revisions
  adding foo/file.txt revisions
  adding quux/file.py revisions
  added 4 changesets with 4 changes to 4 files (+1 heads)
  calling hook pretxnchangegroup.acl: hgext.acl.hook
  acl: checking access for user "george"
  acl: acl.allow.branches not enabled
  acl: acl.deny.branches enabled, 1 entries for user george
  acl: acl.allow not enabled
  acl: acl.deny not enabled
  error: pretxnchangegroup.acl hook failed: acl: user "george" denied on branch "default" (changeset "ef1ea85a6374")
  bundle2-input-part: total payload size 2068
  bundle2-input-bundle: 4 parts total
  transaction abort!
  rollback completed
  abort: acl: user "george" denied on branch "default" (changeset "ef1ea85a6374")
  no rollback information available
  2:fb35475503ef