Mercurial > hg
view mercurial/sslutil.py @ 21424:d13b4ecdb680
test: split test-largefile.t in multiple file
The `test-largefiles.t` unified test is significantly longer (about 30%) than
any other tests in the mercurial test suite. As a result, its is alway the last
test my test runner is waiting for at the end of a run.
In practice, this means that `test-largefile.t` is wasting half a minute of my
life every times I'm running the mercurial test suites. This probably mean more
a few cumulated day by now.
I've finally decided to split it up in multiple smaller tests to bring it back in
reasonable length.
This changeset extracts independent test cases in two files. One dedicated to
wire protocole testing, and another one dedicated to all other tests that could
be independently extracted.
No test case were haltered in the making of this changeset.
Various timing available below. All timing have been done on a with 90 jobs on a
64 cores machine. Similar result are shown on firefly (20 jobs on 12 core).
General timing of the whole run
--------------------------------
We see a 25% real time improvement for no significant cpu time impact.
Before split:
real 2m1.149s
user 58m4.662s
sys 11m28.563s
After split:
real 1m31.977s
user 57m45.993s
sys 11m33.634s
Last test to finish (using run-test.py --time)
----------------------------------------------
test-largefile.t is now finishing at the same time than other slow tests.
Before split:
Time Test
119.280 test-largefiles.t
93.995 test-mq.t
89.897 test-subrepo.t
86.920 test-glog.t
85.508 test-rename-merge2.t
83.594 test-revset.t
79.824 test-keyword.t
78.077 test-mq-header-date.t
After split:
Time Test
90.414 test-mq.t
88.594 test-largefiles.t
85.363 test-subrepo.t
81.059 test-glog.t
78.927 test-rename-merge2.t
78.021 test-revset.t
77.777 test-command-template.t
Timing of largefile test themself
-----------------------------------
Running only tests prefixed with "test-largefiles".
No significant change in cumulated time.
Before:
Time Test
58.673 test-largefiles.t
2.931 test-largefiles-cache.t
0.583 test-largefiles-small-disk.t
After:
Time Test
31.754 test-largefiles.t
17.460 test-largefiles-misc.t
8.888 test-largefiles-wireproto.t
2.864 test-largefiles-cache.t
0.580 test-largefiles-small-disk.t
author | Pierre-Yves David <pierre-yves.david@fb.com> |
---|---|
date | Fri, 16 May 2014 13:18:57 -0700 |
parents | 3b82d412e9e8 |
children | a00a7951b20c |
line wrap: on
line source
# sslutil.py - SSL handling for mercurial # # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com> # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br> # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> # # This software may be used and distributed according to the terms of the # GNU General Public License version 2 or any later version. import os from mercurial import util from mercurial.i18n import _ try: # avoid using deprecated/broken FakeSocket in python 2.6 import ssl CERT_REQUIRED = ssl.CERT_REQUIRED PROTOCOL_SSLv23 = ssl.PROTOCOL_SSLv23 PROTOCOL_TLSv1 = ssl.PROTOCOL_TLSv1 def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1, cert_reqs=ssl.CERT_NONE, ca_certs=None): sslsocket = ssl.wrap_socket(sock, keyfile, certfile, cert_reqs=cert_reqs, ca_certs=ca_certs, ssl_version=ssl_version) # check if wrap_socket failed silently because socket had been closed # - see http://bugs.python.org/issue13721 if not sslsocket.cipher(): raise util.Abort(_('ssl connection failed')) return sslsocket except ImportError: CERT_REQUIRED = 2 PROTOCOL_SSLv23 = 2 PROTOCOL_TLSv1 = 3 import socket, httplib def ssl_wrap_socket(sock, keyfile, certfile, ssl_version=PROTOCOL_TLSv1, cert_reqs=CERT_REQUIRED, ca_certs=None): if not util.safehasattr(socket, 'ssl'): raise util.Abort(_('Python SSL support not found')) if ca_certs: raise util.Abort(_( 'certificate checking requires Python 2.6')) ssl = socket.ssl(sock, keyfile, certfile) return httplib.FakeSocket(sock, ssl) def _verifycert(cert, hostname): '''Verify that cert (in socket.getpeercert() format) matches hostname. CRLs is not handled. Returns error message if any problems are found and None on success. ''' if not cert: return _('no certificate received') dnsname = hostname.lower() def matchdnsname(certname): return (certname == dnsname or '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]) san = cert.get('subjectAltName', []) if san: certnames = [value.lower() for key, value in san if key == 'DNS'] for name in certnames: if matchdnsname(name): return None if certnames: return _('certificate is for %s') % ', '.join(certnames) # subject is only checked when subjectAltName is empty for s in cert.get('subject', []): key, value = s[0] if key == 'commonName': try: # 'subject' entries are unicode certname = value.lower().encode('ascii') except UnicodeEncodeError: return _('IDN in certificate not supported') if matchdnsname(certname): return None return _('certificate is for %s') % certname return _('no commonName or subjectAltName found in certificate') # CERT_REQUIRED means fetch the cert from the server all the time AND # validate it against the CA store provided in web.cacerts. # # We COMPLETELY ignore CERT_REQUIRED on Python <= 2.5, as it's totally # busted on those versions. def sslkwargs(ui, host): cacerts = ui.config('web', 'cacerts') forcetls = ui.configbool('ui', 'tls', default=True) if forcetls: ssl_version = PROTOCOL_TLSv1 else: ssl_version = PROTOCOL_SSLv23 hostfingerprint = ui.config('hostfingerprints', host) kws = {'ssl_version': ssl_version, } if cacerts and not hostfingerprint: cacerts = util.expandpath(cacerts) if not os.path.exists(cacerts): raise util.Abort(_('could not find web.cacerts: %s') % cacerts) kws.update({'ca_certs': cacerts, 'cert_reqs': CERT_REQUIRED, }) return kws class validator(object): def __init__(self, ui, host): self.ui = ui self.host = host def __call__(self, sock, strict=False): host = self.host cacerts = self.ui.config('web', 'cacerts') hostfingerprint = self.ui.config('hostfingerprints', host) if not getattr(sock, 'getpeercert', False): # python 2.5 ? if hostfingerprint: raise util.Abort(_("host fingerprint for %s can't be " "verified (Python too old)") % host) if strict: raise util.Abort(_("certificate for %s can't be verified " "(Python too old)") % host) if self.ui.configbool('ui', 'reportoldssl', True): self.ui.warn(_("warning: certificate for %s can't be verified " "(Python too old)\n") % host) return if not sock.cipher(): # work around http://bugs.python.org/issue13721 raise util.Abort(_('%s ssl connection error') % host) try: peercert = sock.getpeercert(True) peercert2 = sock.getpeercert() except AttributeError: raise util.Abort(_('%s ssl connection error') % host) if not peercert: raise util.Abort(_('%s certificate error: ' 'no certificate received') % host) peerfingerprint = util.sha1(peercert).hexdigest() nicefingerprint = ":".join([peerfingerprint[x:x + 2] for x in xrange(0, len(peerfingerprint), 2)]) if hostfingerprint: if peerfingerprint.lower() != \ hostfingerprint.replace(':', '').lower(): raise util.Abort(_('certificate for %s has unexpected ' 'fingerprint %s') % (host, nicefingerprint), hint=_('check hostfingerprint configuration')) self.ui.debug('%s certificate matched fingerprint %s\n' % (host, nicefingerprint)) elif cacerts: msg = _verifycert(peercert2, host) if msg: raise util.Abort(_('%s certificate error: %s') % (host, msg), hint=_('configure hostfingerprint %s or use ' '--insecure to connect insecurely') % nicefingerprint) self.ui.debug('%s certificate successfully verified\n' % host) elif strict: raise util.Abort(_('%s certificate with fingerprint %s not ' 'verified') % (host, nicefingerprint), hint=_('check hostfingerprints or web.cacerts ' 'config setting')) else: self.ui.warn(_('warning: %s certificate with fingerprint %s not ' 'verified (check hostfingerprints or web.cacerts ' 'config setting)\n') % (host, nicefingerprint))