Mercurial > hg-stable

view tests/test-ssh @ 12592:f2937d6492c5 stable

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
url: verify correctness of https server certificates (issue2407) Pythons SSL module verifies that certificates received for HTTPS are valid according to the specified cacerts, but it doesn't verify that the certificate is for the host we connect to. We now explicitly verify that the commonName in the received certificate matches the requested hostname and is valid for the time being. This is a minimal patch where we try to fail to the safe side, but we do still rely on Python's SSL functionality and do not try to implement the standards fully and correctly. CRLs and subjectAltName are not handled and proxies haven't been considered. This change might break connections to some sites if cacerts is specified and the certificates (by our definition) isn't correct. The workaround is to disable cacerts which in most cases isn't much worse than it was before with cacerts.
author Mads Kiilerich <mads@kiilerich.com>
date Fri, 01 Oct 2010 00:46:59 +0200
parents 9f76df0edb7d
children 4c94b6d0fb1c
line wrap: on
line source

#!/bin/sh

cp "$TESTDIR"/printenv.py .

# This test tries to exercise the ssh functionality with a dummy script

cat <<EOF > dummyssh
import sys
import os

os.chdir(os.path.dirname(sys.argv[0]))
if sys.argv[1] != "user@dummy":
    sys.exit(-1)

if not os.path.exists("dummyssh"):
    sys.exit(-1)

os.environ["SSH_CLIENT"] = "127.0.0.1 1 2"

log = open("dummylog", "ab")
log.write("Got arguments")
for i, arg in enumerate(sys.argv[1:]):
    log.write(" %d:%s" % (i+1, arg))
log.write("\n")
log.close()
r = os.system(sys.argv[2])
sys.exit(bool(r))
EOF

cat <<EOF > badhook
import sys
sys.stdout.write("KABOOM\n")
EOF

echo "# creating 'remote'"
hg init remote
cd remote
echo this > foo
echo this > fooO
hg ci -A -m "init" -d "1000000 0" foo fooO
echo '[server]' > .hg/hgrc
echo 'uncompressed = True' >> .hg/hgrc
echo '[hooks]' >> .hg/hgrc
echo 'changegroup = python ../printenv.py changegroup-in-remote 0 ../dummylog' >> .hg/hgrc

cd ..

echo "# repo not found error"
hg clone -e "python ./dummyssh" ssh://user@dummy/nonexistent local

echo "# clone remote via stream"
hg clone -e "python ./dummyssh" --uncompressed ssh://user@dummy/remote local-stream 2>&1 | \
  sed -e 's/[0-9][0-9.]*/XXX/g' -e 's/[KM]\(B\/sec\)/X\1/'
cd local-stream
hg verify
cd ..

echo "# clone remote via pull"
hg clone -e "python ./dummyssh" ssh://user@dummy/remote local

echo "# verify"
cd local
hg verify

echo '[hooks]' >> .hg/hgrc
echo 'changegroup = python ../printenv.py changegroup-in-local 0 ../dummylog' >> .hg/hgrc

echo "# empty default pull"
hg paths
hg pull -e "python ../dummyssh"

echo "# local change"
echo bleah > foo
hg ci -m "add" -d "1000000 0"

echo "# updating rc"
echo "default-push = ssh://user@dummy/remote" >> .hg/hgrc
echo "[ui]" >> .hg/hgrc
echo "ssh = python ../dummyssh" >> .hg/hgrc

echo "# find outgoing"
hg out ssh://user@dummy/remote

echo "# find incoming on the remote side"
hg incoming -R ../remote -e "python ../dummyssh" ssh://user@dummy/local

echo "# push"
hg push

cd ../remote

echo "# check remote tip"
hg tip
hg verify
hg cat -r tip foo

echo z > z
hg ci -A -m z -d '1000001 0' z
# a bad, evil hook that prints to stdout
echo 'changegroup.stdout = python ../badhook' >> .hg/hgrc

cd ../local
echo r > r
hg ci -A -m z -d '1000002 0' r

echo "# push should succeed even though it has an unexpected response"
hg push
hg -R ../remote heads

cd ..
cat dummylog