Mercurial > hg
view tests/sslcerts/README @ 39548:7ce9dea3a14a
localrepo: move repo creation logic out of localrepository.__init__ (API)
It has long bothered me that local repository creation is handled as
part of localrepository.__init__. Upcoming changes I want to make
around how repositories are initialized and instantiated will make
the continued existence of repository creation code in
localrepository.__init__ even more awkward.
localrepository instances are almost never constructed directly:
instead, callers are supposed to go through hg.repository() to obtain
a handle on a repository. And hg.repository() calls
localrepo.instance() to return a new repo instance.
This commit teaches localrepo.instance() to handle the create=True
logic. Most of the code for repo construction has been moved to a
standalone function. This allows extensions to monkeypatch the function
to further customize freshly-created repositories.
A few calls to localrepo.localrepository.__init__ that were passing
create=True were converted to call localrepo.instance().
.. api:: local repo creation moved out of constructor
``localrepo.localrepository.__init__`` no longer accepts a
``create`` argument to create a new repository. New repository
creation is now performed as part of ``localrepo.instance()``
and the bulk of the work is performed by
``localrepo.createrepository()``.
Differential Revision: https://phab.mercurial-scm.org/D4534
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Tue, 11 Sep 2018 13:46:59 -0700 |
parents | 43f3c0df2fab |
children |
line wrap: on
line source
Generate a private key (priv.pem): $ openssl genrsa -out priv.pem 2048 Generate 2 self-signed certificates from this key (pub.pem, pub-other.pem): $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \ -out pub.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' $ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 9000 \ -out pub-other.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' Now generate an expired certificate by turning back the system time: $ faketime 2016-01-01T00:00:00Z \ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \ -out pub-expired.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' Generate a certificate not yet active by advancing the system time: $ faketime 2030-01-1T00:00:00Z \ openssl req -new -x509 -key priv.pem -nodes -sha256 -days 1 \ -out pub-not-yet.pem -batch -subj '/CN=localhost/emailAddress=hg@localhost/' Generate a passphrase protected client certificate private key: $ openssl genrsa -aes256 -passout pass:1234 -out client-key.pem 2048 Create a copy of the private key without a passphrase: $ openssl rsa -in client-key.pem -passin pass:1234 -out client-key-decrypted.pem Create a CSR and sign the key using the server keypair: $ printf '.\n.\n.\n.\n.\n.\nhg-client@localhost\n.\n.\n' | \ openssl req -new -key client-key.pem -passin pass:1234 -out client-csr.pem $ openssl x509 -req -days 9000 -in client-csr.pem -CA pub.pem -CAkey priv.pem \ -set_serial 01 -out client-cert.pem When replacing the certificates, references to certificate fingerprints will need to be updated in test files. Fingerprints for certs can be obtained by running: $ openssl x509 -in pub.pem -noout -sha1 -fingerprint $ openssl x509 -in pub.pem -noout -sha256 -fingerprint