hidden: add support to explicitly access hidden changesets with SSH peers
This implements support for using --remote-hidden with an SSH server. The
remote `hg serve --stdio` call is passed the `--hidden` flag as a request to
access hidden changesets.
This approach has benefits similar to the one we used for HTTP peers. It
* works around the lack of global parameters in wire protocol v1,
* reuses the `--hidden` flag (that does not use the wireproto), and
* can be safely ignored by older client (fitting the best effort contract).
Same as for HTTP, the feature is experimental so we have all the room we needs
to update the implementation in the future if deemed necessary.
The SSH version of the `--remote-hidden` config uses the same configuration as
the HTTP support to control the access to this feature. The name of the user
running the command is used for the checking.
Test written by Pierre-Yves David.
--- a/mercurial/commands.py Sat Apr 13 03:44:47 2019 +0200
+++ b/mercurial/commands.py Sat Apr 13 03:44:55 2019 +0200
@@ -69,6 +69,7 @@
)
from .utils import (
dateutil,
+ procutil,
stringutil,
urlutil,
)
@@ -6672,7 +6673,25 @@
raise error.RepoError(
_(b"there is no Mercurial repository here (.hg not found)")
)
- s = wireprotoserver.sshserver(ui, repo)
+ accesshidden = False
+ if repo.filtername is None:
+ allow = ui.configlist(
+ b'experimental', b'server.allow-hidden-access'
+ )
+ user = procutil.getuser()
+ if allow and scmutil.ismember(ui, user, allow):
+ accesshidden = True
+ else:
+ msg = (
+ _(
+ b'ignoring request to access hidden changeset by '
+ b'unauthorized user: %s\n'
+ )
+ % user
+ )
+ ui.warn(msg)
+
+ s = wireprotoserver.sshserver(ui, repo, accesshidden=accesshidden)
s.serve_forever()
return
--- a/mercurial/sshpeer.py Sat Apr 13 03:44:47 2019 +0200
+++ b/mercurial/sshpeer.py Sat Apr 13 03:44:55 2019 +0200
@@ -177,7 +177,9 @@
ui.develwarn(b'missing close on SSH connection created at:\n%s' % warn)
-def _makeconnection(ui, sshcmd, args, remotecmd, path, sshenv=None):
+def _makeconnection(
+ ui, sshcmd, args, remotecmd, path, sshenv=None, remotehidden=False
+):
"""Create an SSH connection to a server.
Returns a tuple of (process, stdin, stdout, stderr) for the
@@ -187,8 +189,12 @@
sshcmd,
args,
procutil.shellquote(
- b'%s -R %s serve --stdio'
- % (_serverquote(remotecmd), _serverquote(path))
+ b'%s -R %s serve --stdio%s'
+ % (
+ _serverquote(remotecmd),
+ _serverquote(path),
+ b' --hidden' if remotehidden else b'',
+ )
),
)
@@ -393,13 +399,6 @@
stderr and to forward its output.
"""
super().__init__(ui, path=path, remotehidden=remotehidden)
- if remotehidden:
- msg = _(
- b"ignoring `--remote-hidden` request\n"
- b"(access to hidden changeset for ssh peers not supported "
- b"yet)\n"
- )
- ui.warn(msg)
# self._subprocess is unused. Keeping a handle on the process
# holds a reference and prevents it from being garbage collected.
self._subprocess = proc
@@ -416,6 +415,7 @@
self._caps = caps
self._autoreadstderr = autoreadstderr
self._initstack = b''.join(util.getstackframes(1))
+ self._remotehidden = remotehidden
# Commands that have a "framed" response where the first line of the
# response contains the length of that response.
@@ -683,7 +683,13 @@
raise error.RepoError(_(b'could not create remote repo'))
proc, stdin, stdout, stderr = _makeconnection(
- ui, sshcmd, args, remotecmd, remotepath, sshenv
+ ui,
+ sshcmd,
+ args,
+ remotecmd,
+ remotepath,
+ sshenv,
+ remotehidden=remotehidden,
)
peer = _make_peer(
--- a/mercurial/wireprotoserver.py Sat Apr 13 03:44:47 2019 +0200
+++ b/mercurial/wireprotoserver.py Sat Apr 13 03:44:55 2019 +0200
@@ -446,7 +446,7 @@
pass
-def _runsshserver(ui, repo, fin, fout, ev):
+def _runsshserver(ui, repo, fin, fout, ev, accesshidden=False):
# This function operates like a state machine of sorts. The following
# states are defined:
#
@@ -487,7 +487,9 @@
_sshv1respondbytes(fout, b'')
continue
- rsp = wireprotov1server.dispatch(repo, proto, request)
+ rsp = wireprotov1server.dispatch(
+ repo, proto, request, accesshidden=accesshidden
+ )
repo.ui.fout.flush()
repo.ui.ferr.flush()
@@ -522,10 +524,11 @@
class sshserver:
- def __init__(self, ui, repo, logfh=None):
+ def __init__(self, ui, repo, logfh=None, accesshidden=False):
self._ui = ui
self._repo = repo
self._fin, self._fout = ui.protectfinout()
+ self._accesshidden = accesshidden
# Log write I/O to stdout and stderr if configured.
if logfh:
@@ -542,4 +545,6 @@
def serveuntil(self, ev):
"""Serve until a threading.Event is set."""
- _runsshserver(self._ui, self._repo, self._fin, self._fout, ev)
+ _runsshserver(
+ self._ui, self._repo, self._fin, self._fout, ev, self._accesshidden
+ )
--- a/tests/test-remote-hidden.t Sat Apr 13 03:44:47 2019 +0200
+++ b/tests/test-remote-hidden.t Sat Apr 13 03:44:55 2019 +0200
@@ -6,6 +6,8 @@
$ . $TESTDIR/testlib/obsmarker-common.sh
$ cat >> $HGRCPATH << EOF
+ > [ui]
+ > ssh = "$PYTHON" "$RUNTESTDIR/dummyssh"
> [phases]
> # public changeset are not obsolete
> publish=false
@@ -305,6 +307,98 @@
abort: filtered revision 'be215fbb8c50' (not in 'served' subset)
[255]
+Test --remote-hidden for ssh peer
+----------------------------------
+
+ $ hg clone --pull ssh://user@dummy/repo-with-hidden client-ssh
+ requesting all changes
+ adding changesets
+ adding manifests
+ adding file changes
+ added 2 changesets with 2 changes to 1 files
+ 2 new obsolescence markers
+ new changesets 5f354f46e585:c33affeb3f6b (1 drafts)
+ updating to branch default
+ 1 files updated, 0 files merged, 0 files removed, 0 files unresolved
+ $ hg -R client-ssh log -G --hidden -v
+ @ 1:c33affeb3f6b c_Amend_New [draft]
+ |
+ o 0:5f354f46e585 c_Public [public]
+
+
+Check on a server that do not allow hidden access:
+``````````````````````````````````````````````````
+
+pulling an hidden changeset should fail:
+
+ $ hg -R client-ssh pull -r be215fbb8c50
+ pulling from ssh://user@dummy/repo-with-hidden
+ abort: filtered revision 'be215fbb8c50' (not in 'served' subset)
+ [255]
+
+pulling an hidden changeset with --remote-hidden should succeed:
+
+ $ hg -R client-ssh pull --remote-hidden -r be215fbb8c50
+ pulling from ssh://user@dummy/repo-with-hidden
+ remote: ignoring request to access hidden changeset by unauthorized user: * (glob)
+ abort: filtered revision 'be215fbb8c50' (not in 'served' subset)
+ [255]
+ $ hg -R client-ssh log -G --hidden -v
+ @ 1:c33affeb3f6b c_Amend_New [draft]
+ |
+ o 0:5f354f46e585 c_Public [public]
+
+
+Check on a server that do allow hidden access:
+``````````````````````````````````````````````
+
+ $ cat << EOF >> repo-with-hidden/.hg/hgrc
+ > [experimental]
+ > server.allow-hidden-access=*
+ > EOF
+
+pulling an hidden changeset should fail:
+
+ $ hg -R client-ssh pull -r be215fbb8c50
+ pulling from ssh://user@dummy/repo-with-hidden
+ abort: filtered revision 'be215fbb8c50' (not in 'served' subset)
+ [255]
+
+pulling an hidden changeset with --remote-hidden should succeed:
+
+ $ hg -R client-ssh pull --remote-hidden -r be215fbb8c50
+ pulling from ssh://user@dummy/repo-with-hidden
+ searching for changes
+ adding changesets
+ adding manifests
+ adding file changes
+ added 1 changesets with 1 changes to 1 files (+1 heads)
+ (1 other changesets obsolete on arrival)
+ (run 'hg heads' to see heads)
+ $ hg -R client-ssh log -G --hidden -v
+ x 2:be215fbb8c50 c_Amend_Old [draft]
+ |
+ | @ 1:c33affeb3f6b c_Amend_New [draft]
+ |/
+ o 0:5f354f46e585 c_Public [public]
+
+
+Pulling a secret changeset is still forbidden:
+
+secret visible:
+
+ $ hg -R client-ssh pull --remote-hidden -r 8d28cbe335f3
+ pulling from ssh://user@dummy/repo-with-hidden
+ abort: filtered revision '8d28cbe335f3' (not in 'served.hidden' subset)
+ [255]
+
+secret hidden:
+
+ $ hg -R client-ssh pull --remote-hidden -r 1c6afd79eb66
+ pulling from ssh://user@dummy/repo-with-hidden
+ abort: filtered revision '1c6afd79eb66' (not in 'served.hidden' subset)
+ [255]
+
=============
Final cleanup
=============