Mercurial > hg
annotate contrib/hg-ssh @ 46530:b994db7c4d1e stable
narrow: fix flaky behavior described in issue6150
This has been plaguing the CI for a good while, and it doesn't appear to have
an easy fix proposed yet. The solution in this change is to always do an
unambiguous (but expensive) lookup in case of comparison. This should always
be correct, albeit suboptimal.
Differential Revision: https://phab.mercurial-scm.org/D10034
author | Raphaël Gomès <rgomes@octobus.net> |
---|---|
date | Fri, 19 Feb 2021 17:52:04 +0100 |
parents | c102b704edb5 |
children | 724066f23e2d |
rev | line source |
---|---|
45830
c102b704edb5
global: use python3 in shebangs
Gregory Szorc <gregory.szorc@gmail.com>
parents:
43659
diff
changeset
|
1 #!/usr/bin/env python3 |
1537
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
2 # |
5191
831ebc408ffb
Adjust contrib/hg-ssh for moved dispatch() function.
Thomas Arendsen Hein <thomas@intevation.de>
parents:
1640
diff
changeset
|
3 # Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de> |
8228
eee2319c5895
add blank line after copyright notices and after header
Martin Geisler <mg@lazybytes.net>
parents:
8225
diff
changeset
|
4 # |
1537
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
5 # Author(s): |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
6 # Thomas Arendsen Hein <thomas@intevation.de> |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
7 # |
8225
46293a0c7e9f
updated license to be explicit about GPL version 2
Martin Geisler <mg@lazybytes.net>
parents:
5197
diff
changeset
|
8 # This software may be used and distributed according to the terms of the |
10263 | 9 # GNU General Public License version 2 or any later version. |
1537
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
10 |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
11 """ |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
12 hg-ssh - a wrapper for ssh access to a limited set of mercurial repos |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
13 |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
14 To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8): |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
15 command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ... |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
16 (probably together with these other useful options: |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
17 no-port-forwarding,no-X11-forwarding,no-agent-forwarding) |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
18 |
13996
1cafa0426a1a
hg-ssh: fix duplicate word in docstring
Andreas Freimuth <andreas.freimuth@united-bits.de>
parents:
10263
diff
changeset
|
19 This allows pull/push over ssh from/to the repositories given as arguments. |
1537
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
20 |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
21 If all your repositories are subdirectories of a common directory, you can |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
22 allow shorter paths with: |
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
23 command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2" |
1640
9a5b778f7e2d
Added hint to hg-ssh that you can use shell pattern matching.
Thomas Arendsen Hein <thomas@intevation.de>
parents:
1537
diff
changeset
|
24 |
9a5b778f7e2d
Added hint to hg-ssh that you can use shell pattern matching.
Thomas Arendsen Hein <thomas@intevation.de>
parents:
1537
diff
changeset
|
25 You can use pattern matching of your normal shell, e.g.: |
9a5b778f7e2d
Added hint to hg-ssh that you can use shell pattern matching.
Thomas Arendsen Hein <thomas@intevation.de>
parents:
1537
diff
changeset
|
26 command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}" |
16836
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
27 |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
28 You can also add a --read-only flag to allow read-only access to a key, e.g.: |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
29 command="hg-ssh --read-only repos/*" |
1537
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
30 """ |
33891
42bc7f39376b
contrib: update hg-ssh to conform with import style checks
Augie Fackler <raf@durin42.com>
parents:
32050
diff
changeset
|
31 from __future__ import absolute_import |
42bc7f39376b
contrib: update hg-ssh to conform with import style checks
Augie Fackler <raf@durin42.com>
parents:
32050
diff
changeset
|
32 |
42bc7f39376b
contrib: update hg-ssh to conform with import style checks
Augie Fackler <raf@durin42.com>
parents:
32050
diff
changeset
|
33 import os |
42bc7f39376b
contrib: update hg-ssh to conform with import style checks
Augie Fackler <raf@durin42.com>
parents:
32050
diff
changeset
|
34 import shlex |
42bc7f39376b
contrib: update hg-ssh to conform with import style checks
Augie Fackler <raf@durin42.com>
parents:
32050
diff
changeset
|
35 import sys |
1537
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
36 |
5197
55860a45bbf2
Enable demandimport only in scripts, not in importable modules (issue605)
Thomas Arendsen Hein <thomas@intevation.de>
parents:
5191
diff
changeset
|
37 # enable importing on demand to reduce startup time |
43659
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
38 import hgdemandimport |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
39 |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
40 hgdemandimport.enable() |
5197
55860a45bbf2
Enable demandimport only in scripts, not in importable modules (issue605)
Thomas Arendsen Hein <thomas@intevation.de>
parents:
5191
diff
changeset
|
41 |
33891
42bc7f39376b
contrib: update hg-ssh to conform with import style checks
Augie Fackler <raf@durin42.com>
parents:
32050
diff
changeset
|
42 from mercurial import ( |
42bc7f39376b
contrib: update hg-ssh to conform with import style checks
Augie Fackler <raf@durin42.com>
parents:
32050
diff
changeset
|
43 dispatch, |
38109
666d90ace0bb
py3: use pycompat.fsencode to convert path to bytes
Pulkit Goyal <7895pulkit@gmail.com>
parents:
38107
diff
changeset
|
44 pycompat, |
33891
42bc7f39376b
contrib: update hg-ssh to conform with import style checks
Augie Fackler <raf@durin42.com>
parents:
32050
diff
changeset
|
45 ui as uimod, |
42bc7f39376b
contrib: update hg-ssh to conform with import style checks
Augie Fackler <raf@durin42.com>
parents:
32050
diff
changeset
|
46 ) |
1537
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
47 |
43659
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
48 |
16779
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
49 def main(): |
37944
dc1ed7fe33e4
sshserver: do setbinary() by caller (API)
Yuya Nishihara <yuya@tcha.org>
parents:
33891
diff
changeset
|
50 # Prevent insertion/deletion of CRs |
dc1ed7fe33e4
sshserver: do setbinary() by caller (API)
Yuya Nishihara <yuya@tcha.org>
parents:
33891
diff
changeset
|
51 dispatch.initstdio() |
dc1ed7fe33e4
sshserver: do setbinary() by caller (API)
Yuya Nishihara <yuya@tcha.org>
parents:
33891
diff
changeset
|
52 |
16779
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
53 cwd = os.getcwd() |
16836
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
54 readonly = False |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
55 args = sys.argv[1:] |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
56 while len(args): |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
57 if args[0] == '--read-only': |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
58 readonly = True |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
59 args.pop(0) |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
60 else: |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
61 break |
43659
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
62 allowed_paths = [ |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
63 os.path.normpath(os.path.join(cwd, os.path.expanduser(path))) |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
64 for path in args |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
65 ] |
16779
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
66 orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?') |
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
67 try: |
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
68 cmdargv = shlex.split(orig_cmd) |
28047
863075fd4cd0
misc: use modern exception syntax
FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
parents:
28045
diff
changeset
|
69 except ValueError as e: |
16779
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
70 sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e)) |
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
71 sys.exit(255) |
1537
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
72 |
16779
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
73 if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']: |
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
74 path = cmdargv[2] |
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
75 repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path))) |
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
76 if repo in allowed_paths: |
38109
666d90ace0bb
py3: use pycompat.fsencode to convert path to bytes
Pulkit Goyal <7895pulkit@gmail.com>
parents:
38107
diff
changeset
|
77 cmd = [b'-R', pycompat.fsencode(repo), b'serve', b'--stdio'] |
32050
77eaf9539499
dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
Augie Fackler <augie@google.com>
parents:
28047
diff
changeset
|
78 req = dispatch.request(cmd) |
16836
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
79 if readonly: |
32050
77eaf9539499
dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
Augie Fackler <augie@google.com>
parents:
28047
diff
changeset
|
80 if not req.ui: |
77eaf9539499
dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
Augie Fackler <augie@google.com>
parents:
28047
diff
changeset
|
81 req.ui = uimod.ui.load() |
43659
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
82 req.ui.setconfig( |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
83 b'hooks', |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
84 b'pretxnopen.hg-ssh', |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
85 b'python:__main__.rejectpush', |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
86 b'hg-ssh', |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
87 ) |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
88 req.ui.setconfig( |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
89 b'hooks', |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
90 b'prepushkey.hg-ssh', |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
91 b'python:__main__.rejectpush', |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
92 b'hg-ssh', |
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
93 ) |
32050
77eaf9539499
dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
Augie Fackler <augie@google.com>
parents:
28047
diff
changeset
|
94 dispatch.dispatch(req) |
16779
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
95 else: |
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
96 sys.stderr.write('Illegal repository "%s"\n' % repo) |
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
97 sys.exit(255) |
1537
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
98 else: |
16779
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
99 sys.stderr.write('Illegal command "%s"\n' % orig_cmd) |
16607
feb1fd2d13a9
hg-ssh: exit with 255 instead of -1 on error
Mads Kiilerich <mads@kiilerich.com>
parents:
16606
diff
changeset
|
100 sys.exit(255) |
1537
583b3696d24d
Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
Thomas Arendsen Hein <thomas@intevation.de>
parents:
diff
changeset
|
101 |
43659
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
102 |
16836
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
103 def rejectpush(ui, **kwargs): |
38107
44ef9bb7ccd9
py3: add b'' prefixes in contrib/hg-ssh
Pulkit Goyal <7895pulkit@gmail.com>
parents:
37944
diff
changeset
|
104 ui.warn((b"Permission denied\n")) |
16836
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
105 # mercurial hooks use unix process conventions for hook return values |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
106 # so a truthy return means failure |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
107 return True |
1ba3e17186c8
hg-ssh: read-only flag
David Schleimer <dschleimer@fb.com>
parents:
16779
diff
changeset
|
108 |
43659
99e231afc29c
black: blacken scripts
Gregory Szorc <gregory.szorc@gmail.com>
parents:
38109
diff
changeset
|
109 |
16779
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
110 if __name__ == '__main__': |
67bfe7f64e57
hg-ssh: refactor to have main() method
David Schleimer <dschleimer@fb.com>
parents:
16607
diff
changeset
|
111 main() |