view tests/sslcerts/README @ 38486:4c0683655599
namespaces: let namespaces override singlenode() definition
Some namespaces have multiple nodes per name (meaning that their
namemap() returns multiple nodes). One such namespace is the "topics"
namespace (from the evolve repo). We also have our own internal
namespace at Google (for review units) that has multiple nodes per
name. These namespaces may not want to use the default "pick highest
revnum" resolution that we currently use when resolving a name to a
single node. As an example, they may decide that `hg co <name>` should
check out a commit that's last in some sense even if an earlier commit
had just been amended and thus had a higher revnum [1]. This patch
gives the namespace the option to continue to return multiple nodes
and to override how the best node is picked. Allowing namespaces to
override that may also be useful as an optimization (it may be cheaper
for the namespace to find just that node).
I have been arguing (in D3715) for using all the nodes returned from
namemap() when resolving the symbol to a revset, so e.g. `hg log -r
stable` would resolve to *all* nodes on stable, not just the one with
the highest revnum (except that I don't actually think we should
change it for the branch namespace because of BC). Most people seem
opposed to that. If we decide not to do it, I think we can deprecate
the namemap() function in favor of the new singlenode() (I find it
weird to have namespaces, like the branch namespace, where namemap()
isn't nodemap()'s inverse). I therefore think this patch makes sense
regardless of what we decide on that issue.
[1] Actually, even the branch namespace would have wanted to override
singlenode() if it had supported multiple nodes. That's because
closed branch heads are mostly ignored, so "hg co default" will
not check out the highest-revnum node if that's a closed head.
Differential Revision: https://phab.mercurial-scm.org/D3852
author | Martin von Zweigbergk <martinvonz@google.com> |
---|---|
date | Tue, 26 Jun 2018 10:02:01 -0700 |
parents | 43f3c0df2fab |
children |
Generate a private key (priv.pem):

    $ openssl genrsa -out priv.pem 2048

Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem):

    $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
      -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'
    $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \
      -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Now generate an expired certificate by turning back the system time:

    $ faketime 2016-01-01T00:00:00Z \
      openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
      -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a certificate not yet active by advancing the system time:

    $ faketime 2030-01-1T00:00:00Z \
      openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \
      -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/'

Generate a passphrase protected client certificate private key:

    $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048

Create a copy of the private key without a passphrase:

    $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem

Create a CSR and sign the key using the server keypair:

    $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \
      openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem
    $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \
      -set_serial 01 -out client-cert.pem

When replacing the certificates, references to certificate fingerprints will
need to be updated in test files.

Fingerprints for certs can be obtained by running:

    $ openssl x509 -in pub.pem -noout -sha1 -fingerprint
    $ openssl x509 -in pub.pem -noout -sha256 -fingerprint
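
The fingerprint update described in the last paragraph can be checked mechanically. The following is an added example, not part of this README or of Mercurial's code: it recomputes SHA-1 and SHA-256 fingerprints from the regenerated PEM files and lists fingerprint strings in test files that match none of them. The function names, the script name `check_fprs.py` and the sample PEM are assumptions made for the example.

```python
"""Added example: report certificate fingerprints quoted in test files that
no longer match any regenerated certificate. Not Mercurial's own code."""
import hashlib
import re
import ssl
import sys

# Colon-separated hex runs; filtered below to SHA-1 (20 bytes) and SHA-256 (32 bytes).
FPR_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){19,31}[0-9A-Fa-f]{2}\b")

# Constructed sample, NOT a real certificate: the body is base64 of b"abc",
# chosen so the digests are the published SHA-1/SHA-256 test vectors.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def cert_fingerprints(pem_text):
    """Hash the DER bytes of one PEM certificate, as `openssl x509 -fingerprint` does."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    result = {}
    for algo in ("sha1", "sha256"):
        digest = hashlib.new(algo, der).hexdigest().upper()
        result[algo] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return result


def stale_references(test_text, pem_texts):
    """Return fingerprints quoted in test_text that match none of the certificates."""
    current = {fp for pem in pem_texts for fp in cert_fingerprints(pem).values()}
    # Compare case-insensitively: openssl prints upper case, test files may not.
    quoted = {m.group(0).upper() for m in FPR_RE.finditer(test_text)}
    return sorted(fp for fp in quoted
                  if fp.count(":") in (19, 31) and fp not in current)


if __name__ == "__main__":
    # Hypothetical usage: python check_fprs.py pub.pem pub-other.pem -- <test files>
    split = sys.argv.index("--")
    pems = [open(p).read() for p in sys.argv[1:split]]
    for path in sys.argv[split + 1:]:
        for fp in stale_references(open(path).read(), pems):
            print("%s: stale fingerprint %s" % (path, fp))
```

An empty result means every SHA-1 or SHA-256 fingerprint quoted in the scanned files corresponds to one of the supplied certificates.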