revlog: addgroup checks if incoming deltas add censored revs, sets flag bit
A censored revision stored in a revlog should have the censored revlog index
flag bit set. This implies we must know if a revision is censored before we
add it to the revlog. When adding revisions from exchanged deltas, we would
prefer to determine this flag without decoding every single full text.
This change introduces a heuristic based on assumptions around the Mercurial
delta format and filelog metadata. Since deltas which produce a censored
revision must be full-replacement deltas, we can read the delta's first bytes
to check the filelog metadata. Since "censored" is the alphabetically first
filelog metadata key, censored filelog revisions have a well-known prefix we
can look for.
For more on the design and background of the censorship feature, see:
http://mercurial.selenic.com/wiki/CensorPlan
# same user, same group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# same user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, same group
not trusting file .hg/hgrc from untrusted user abc, group bar
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, same group, but we trust the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group, but we trust the user
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group, but we trust the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group, but we trust the user and the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we trust all users
# different user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we trust all groups
# different user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we trust all users and groups
# different user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we don't get confused by users and groups with the same name
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# list of user names
# different user, different group, but we trust the user
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# list of group names
# different user, different group, but we trust the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# Can't figure out the name of the user running this process
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# prints debug warnings
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
ignoring untrusted configuration option paths.local = /another/path
global = /some/path
untrusted
. . global = /some/path
.ignoring untrusted configuration option paths.local = /another/path
. local = /another/path
# report_untrusted enabled without debug hides warnings
# different user, different group
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# report_untrusted enabled with debug shows warnings
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
ignoring untrusted configuration option paths.local = /another/path
global = /some/path
untrusted
. . global = /some/path
.ignoring untrusted configuration option paths.local = /another/path
. local = /another/path
# ui.readconfig sections
quux
# read trusted, untrusted, new ui, trusted
not trusting file foobar from untrusted user abc, group def
trusted:
ignoring untrusted configuration option foobar.baz = quux
None
untrusted:
quux
# error handling
# file doesn't exist
# same user, same group
# different user, different group
# parse error
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
('foo', '.hg/hgrc:1')
# same user, same group
('foo', '.hg/hgrc:1')