view contrib/hg-ssh @ 19778:55ef79031009

localrepo: make supported features manageable in each repositories individually

Before this patch, all localrepositories support the same features, because supported features are managed by the class variable "supported" of "localrepository".

For example, the "largefiles" feature provided by the largefiles extension is recognized as supported, by adding the feature name to "supported" of "localrepository".

So, commands handling multiple repositories at a time like below misunderstand that such features are supported also in repositories not enabling the corresponding extensions:

- clone/pull from or push to localhost
- recursive execution in subrepo tree

"reposetup()" can't be used to fix this problem, because it is invoked after checking whether supported features satisfy ones required in the target repository.

So, this patch adds the set object named "featuresetupfuncs" to "localrepository" to manage hook functions to set up supported features of each repository.

If any functions are added to "featuresetupfuncs", they are invoked, and information about supported features is managed in each repository individually.

This patch also adds the checks below:

- pull from localhost: whether features supported in the local (= dst) repository satisfy ones required in the remote (= src)
- push to localhost: whether features supported in the remote (= dst) repository satisfy ones required in the local (= src)

Managing supported features by the class variable means that there is no difference in supported features between instances of "localrepository" in the same Python process, so such checking is not needed before this patch.

Even with this patch, if an intermediate bundlefile is used as the pulling source, pulling indirectly from a remote repository which requires more features than the ones supported in the local one can't be prevented, because a bundlefile has no information about "required features" in it.
author FUJIWARA Katsunori <foozy@lares.dti.ne.jp>
date Sat, 21 Sep 2013 21:33:29 +0900
parents 1ba3e17186c8
children 2b9cda9040f7

#!/usr/bin/env python
#
# Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de>
#
# Author(s):
# Thomas Arendsen Hein <thomas@intevation.de>
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.

"""
hg-ssh - a wrapper for ssh access to a limited set of mercurial repos

To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8):
command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...
(probably together with these other useful options:
 no-port-forwarding,no-X11-forwarding,no-agent-forwarding)

This allows pull/push over ssh from/to the repositories given as arguments.

If all your repositories are subdirectories of a common directory, you can
allow shorter paths with:
command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"

You can use pattern matching of your normal shell, e.g.:
command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}"

You can also add a --read-only flag to allow read-only access to a key, e.g.:
command="hg-ssh --read-only repos/*"
"""

# enable importing on demand to reduce startup time
from mercurial import demandimport; demandimport.enable()

from mercurial import dispatch

import sys, os, shlex

def main():
    cwd = os.getcwd()
    readonly = False
    args = sys.argv[1:]
    while len(args):
        if args[0] == '--read-only':
            readonly = True
            args.pop(0)
        else:
            break
    allowed_paths = [os.path.normpath(os.path.join(cwd,
                                                   os.path.expanduser(path)))
                     for path in args]
    orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?')
    try:
        cmdargv = shlex.split(orig_cmd)
    except ValueError, e:
        sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e))
        sys.exit(255)

    if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']:
        path = cmdargv[2]
        repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
        if repo in allowed_paths:
            cmd = ['-R', repo, 'serve', '--stdio']
            if readonly:
                cmd += [
                    '--config',
                    'hooks.prechangegroup.hg-ssh=python:__main__.rejectpush',
                    '--config',
                    'hooks.prepushkey.hg-ssh=python:__main__.rejectpush'
                    ]
            dispatch.dispatch(dispatch.request(cmd))
        else:
            sys.stderr.write('Illegal repository "%s"\n' % repo)
            sys.exit(255)
    else:
        sys.stderr.write('Illegal command "%s"\n' % orig_cmd)
        sys.exit(255)

def rejectpush(ui, **kwargs):
    ui.warn("Permission denied\n")
    # mercurial hooks use unix process conventions for hook return values
    # so a truthy return means failure
    return True

if __name__ == '__main__':
    main()
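
An added example, not part of hg-ssh or the Mercurial code base: a Python 3 audit of an authorized_keys file that lists every hg-ssh forced-command entry, which of the three forwarding restrictions recommended in the docstring it lacks, and whether --read-only sits where main() actually honours it (only before the first path argument). The names parse_options, audit and SAMPLE are hypothetical, and the sample entries are constructed.

```python
import re
import shlex

# Options the hg-ssh docstring suggests next to command="hg-ssh ...".
# sshd(8) option keywords are case-insensitive, so compare in lower case.
RECOMMENDED = ("no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding")
# One option: name, optional ="quoted value" (\" allowed), then a separator.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(,|\s+|$)')

# Constructed sample; key material is a placeholder, not a real key.
SAMPLE = """\
# hypothetical ~/.ssh/authorized_keys
command="hg-ssh --read-only repos/*",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... ro@example
command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}" ssh-ed25519 AAAA... rw@example
no-port-forwarding,command="hg-ssh repos/a --read-only",no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... late@example
ssh-ed25519 AAAA... shell@example
"""

def parse_options(line):
    """Return {option: value or None} from the options field of one key line."""
    opts, pos = {}, 0
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return opts                      # key type comes first: no options field
    while True:
        m = OPTION.match(line, pos)
        if not m:
            return opts                  # comment, blank or unparsable line
        opts[m.group(1).lower()] = m.group(2)
        if m.group(3) != ",":
            return opts                  # unquoted blank ends the options field
        pos = m.end()

def audit(text):
    """Report each hg-ssh forced-command entry and how it is restricted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        opts = parse_options(line.strip())
        argv = shlex.split((opts.get("command") or "").replace('\\"', '"'))
        names = [a.rsplit("/", 1)[-1] for a in argv]
        if "hg-ssh" not in names:
            continue
        rest = argv[names.index("hg-ssh") + 1:]
        lead = 0         # hg-ssh honours --read-only only before the first path
        while rest[lead:lead + 1] == ["--read-only"]:
            lead += 1
        findings.append({"line": lineno, "read_only": lead > 0,
                         "misplaced_read_only": "--read-only" in rest[lead:],
                         "missing": [o for o in RECOMMENDED if o not in opts]})
    return findings
```

For the sample, audit(SAMPLE) reports line 4 as read-write with a misplaced flag: main() stops looking for --read-only at the first non-flag argument, so a trailing --read-only is treated as another repository path.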