annotate contrib/hg-ssh @ 51695:d859554a9187

WIP test new CI image
author Raphaël Gomès <rgomes@octobus.net>
date Thu, 18 Jul 2024 14:57:37 +0200
parents 6000f5b25c9b
children
changesets referenced in the annotation (rev, node, description / author / parents):

1537 583b3696d24d Added hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
    Thomas Arendsen Hein <thomas@intevation.de>
    parents:
1640 9a5b778f7e2d Added hint to hg-ssh that you can use shell pattern matching.
    Thomas Arendsen Hein <thomas@intevation.de>
    parents: 1537
5191 831ebc408ffb Adjust contrib/hg-ssh for moved dispatch() function.
    Thomas Arendsen Hein <thomas@intevation.de>
    parents: 1640
5197 55860a45bbf2 Enable demandimport only in scripts, not in importable modules (issue605)
    Thomas Arendsen Hein <thomas@intevation.de>
    parents: 5191
8225 46293a0c7e9f updated license to be explicit about GPL version 2
    Martin Geisler <mg@lazybytes.net>
    parents: 5197
8228 eee2319c5895 add blank line after copyright notices and after header
    Martin Geisler <mg@lazybytes.net>
    parents: 8225
10263 25e572394f5c Update license to GPLv2+
    Matt Mackall <mpm@selenic.com>
    parents: 8228
13996 1cafa0426a1a hg-ssh: fix duplicate word in docstring
    Andreas Freimuth <andreas.freimuth@united-bits.de>
    parents: 10263
16607 feb1fd2d13a9 hg-ssh: exit with 255 instead of -1 on error
    Mads Kiilerich <mads@kiilerich.com>
    parents: 16606
16779 67bfe7f64e57 hg-ssh: refactor to have main() method
    David Schleimer <dschleimer@fb.com>
    parents: 16607
16836 1ba3e17186c8 hg-ssh: read-only flag
    David Schleimer <dschleimer@fb.com>
    parents: 16779
28047 863075fd4cd0 misc: use modern exception syntax
    FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
    parents: 28045
32050 77eaf9539499 dispatch: protect against malicious 'hg serve --stdio' invocations (sec)
    Augie Fackler <augie@google.com>
    parents: 28047
33891 42bc7f39376b contrib: update hg-ssh to conform with import style checks
    Augie Fackler <raf@durin42.com>
    parents: 32050
37944 dc1ed7fe33e4 sshserver: do setbinary() by caller (API)
    Yuya Nishihara <yuya@tcha.org>
    parents: 33891
38107 44ef9bb7ccd9 py3: add b'' prefixes in contrib/hg-ssh
    Pulkit Goyal <7895pulkit@gmail.com>
    parents: 37944
38109 666d90ace0bb py3: use pycompat.fsencode to convert path to bytes
    Pulkit Goyal <7895pulkit@gmail.com>
    parents: 38107
43659 99e231afc29c black: blacken scripts
    Gregory Szorc <gregory.szorc@gmail.com>
    parents: 38109
45830 c102b704edb5 global: use python3 in shebangs
    Gregory Szorc <gregory.szorc@gmail.com>
    parents: 43659
47620 724066f23e2d hg-ssh: normalize the drive of the current working directory on windows
    Pierre-Yves David <pierre-yves.david@octobus.net>
    parents: 45830

  rev  line  source
45830     1  #!/usr/bin/env python3
 1537     2  #
 5191     3  # Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de>
 8228     4  #
 1537     5  # Author(s):
 1537     6  # Thomas Arendsen Hein <thomas@intevation.de>
 1537     7  #
 8225     8  # This software may be used and distributed according to the terms of the
10263     9  # GNU General Public License version 2 or any later version.
 1537    10
 1537    11  """
 1537    12  hg-ssh - a wrapper for ssh access to a limited set of mercurial repos
 1537    13
 1537    14  To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8):
 1537    15  command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...
 1537    16  (probably together with these other useful options:
 1537    17  no-port-forwarding,no-X11-forwarding,no-agent-forwarding)
 1537    18
13996    19  This allows pull/push over ssh from/to the repositories given as arguments.
 1537    20
 1537    21  If all your repositories are subdirectories of a common directory, you can
 1537    22  allow shorter paths with:
 1537    23  command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"
 1640    24
 1640    25  You can use pattern matching of your normal shell, e.g.:
 1640    26  command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}"
16836    27
16836    28  You can also add a --read-only flag to allow read-only access to a key, e.g.:
16836    29  command="hg-ssh --read-only repos/*"
 1537    30  """
33891    31
33891    32  import os
47620    33  import re
33891    34  import shlex
33891    35  import sys
 1537    36
 5197    37  # enable importing on demand to reduce startup time
43659    38  import hgdemandimport
43659    39
43659    40  hgdemandimport.enable()
 5197    41
33891    42  from mercurial import (
33891    43      dispatch,
38109    44      pycompat,
33891    45      ui as uimod,
33891    46  )
 1537    47
43659    48
16779    49  def main():
37944    50      # Prevent insertion/deletion of CRs
37944    51      dispatch.initstdio()
37944    52
16779    53      cwd = os.getcwd()
47620    54      if os.name == 'nt':
47620    55          # os.getcwd() is inconsistent on the capitalization of the drive
47620    56          # letter, so adjust it. see https://bugs.python.org/issue40368
47620    57          if re.match('^[a-z]:', cwd):
47620    58              cwd = cwd[0:1].upper() + cwd[1:]
47620    59
16836    60      readonly = False
16836    61      args = sys.argv[1:]
16836    62      while len(args):
16836    63          if args[0] == '--read-only':
16836    64              readonly = True
16836    65              args.pop(0)
16836    66          else:
16836    67              break
43659    68      allowed_paths = [
43659    69          os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
43659    70          for path in args
43659    71      ]
16779    72      orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?')
16779    73      try:
16779    74          cmdargv = shlex.split(orig_cmd)
28047    75      except ValueError as e:
16779    76          sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e))
16779    77          sys.exit(255)
 1537    78
16779    79      if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']:
16779    80          path = cmdargv[2]
16779    81          repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
16779    82          if repo in allowed_paths:
38109    83              cmd = [b'-R', pycompat.fsencode(repo), b'serve', b'--stdio']
32050    84              req = dispatch.request(cmd)
16836    85              if readonly:
32050    86                  if not req.ui:
32050    87                      req.ui = uimod.ui.load()
43659    88                  req.ui.setconfig(
43659    89                      b'hooks',
43659    90                      b'pretxnopen.hg-ssh',
43659    91                      b'python:__main__.rejectpush',
43659    92                      b'hg-ssh',
43659    93                  )
43659    94                  req.ui.setconfig(
43659    95                      b'hooks',
43659    96                      b'prepushkey.hg-ssh',
43659    97                      b'python:__main__.rejectpush',
43659    98                      b'hg-ssh',
43659    99                  )
32050   100              dispatch.dispatch(req)
16779   101          else:
16779   102              sys.stderr.write('Illegal repository "%s"\n' % repo)
16779   103              sys.exit(255)
 1537   104      else:
16779   105          sys.stderr.write('Illegal command "%s"\n' % orig_cmd)
16607   106          sys.exit(255)
 1537   107
43659   108
16836   109  def rejectpush(ui, **kwargs):
38107   110      ui.warn((b"Permission denied\n"))
16836   111      # mercurial hooks use unix process conventions for hook return values
16836   112      # so a truthy return means failure
16836   113      return True
16836   114
43659   115
16779   116  if __name__ == '__main__':
16779   117      main()
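
The allow-list decision made in main(), pulled out into a pure function and run over constructed SSH_ORIGINAL_COMMAND values so the accept and reject cases can be checked without Mercurial installed. This is an added example, not part of contrib/hg-ssh: `resolve`, `check`, `CWD`, `ALLOWED` and `SAMPLES` are assumed names and values, and `posixpath` stands in for `os.path` so the results do not depend on the host.

```python
import posixpath
import shlex

CWD = '/srv/hg'                      # constructed: directory sshd starts hg-ssh in
ALLOWED = ['repo1', 'projects/foo']  # constructed: arguments given after hg-ssh


def resolve(cwd, path):
    # Same normalisation the script applies to allow-list entries and to the
    # requested path. normpath is lexical only: ".." is collapsed, symlinks
    # are not resolved.
    return posixpath.normpath(posixpath.join(cwd, posixpath.expanduser(path)))


def check(orig_cmd, allowed_args=ALLOWED, cwd=CWD):
    """Return ('allow', repo) or ('deny', reason) for one SSH_ORIGINAL_COMMAND."""
    allowed = [resolve(cwd, p) for p in allowed_args]
    try:
        argv = shlex.split(orig_cmd)
    except ValueError as e:
        return ('deny', 'unparsable: %s' % e)
    # Only the exact five-word form passes; slicing never raises IndexError,
    # so short or empty commands fall through to the deny branch.
    if argv[:2] != ['hg', '-R'] or argv[3:] != ['serve', '--stdio']:
        return ('deny', 'illegal command')
    repo = resolve(cwd, argv[2])
    if repo not in allowed:
        return ('deny', 'illegal repository %s' % repo)
    return ('allow', repo)


# Constructed commands, as sshd would place them in the environment.
SAMPLES = [
    'hg -R repo1 serve --stdio',                 # plain relative path
    'hg -R ./sub/../repo1 serve --stdio',        # normalises to an allowed repo
    'hg -R /srv/hg/projects/foo serve --stdio',  # absolute form of an allowed repo
    'hg -R repo1/../private serve --stdio',      # normalises outside the list
    'hg -R repo1 serve --stdio extra',           # trailing word after --stdio
    'hg -R repo1 log',                           # any other hg command
    'hg -R "repo1 serve --stdio',                # unbalanced quote
    '?',                                         # default when the variable is unset
]

if __name__ == '__main__':
    for cmd in SAMPLES:
        print('%-45s %s' % (cmd, check(cmd)))
```
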