Mercurial > hg
view tests/fakemergerecord.py @ 28525:dfb21c34e07d
sslutil: allow multiple fingerprints per host
Certificate pinning via [hostfingerprints] is a useful security
feature. Currently, we only support one fingerprint per hostname.
This is simple but it fails in the real world:
* Switching certificates breaks clients until they change the
pinned certificate fingerprint. This incurs client downtime
and can require massive amounts of coordination to perform
certificate changes.
* Some servers operate with multiple certificates on the same
hostname.
This patch adds support for defining multiple certificate
fingerprints per host. This overcomes the deficiencies listed
above. I anticipate the primary use case of this feature will
be to define both the old and new certificate so a certificate
transition can occur with minimal interruption, so this scenario
has been called out in the help documentation.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Sun, 13 Mar 2016 14:03:58 -0700 |
parents | a01ecbcfaf84 |
children | b303b3817d0e |
line wrap: on
line source
# Extension to write out fake unsupported records into the merge state # # from __future__ import absolute_import from mercurial import ( cmdutil, merge, ) cmdtable = {} command = cmdutil.command(cmdtable) @command('fakemergerecord', [('X', 'mandatory', None, 'add a fake mandatory record'), ('x', 'advisory', None, 'add a fake advisory record')], '') def fakemergerecord(ui, repo, *pats, **opts): ms = merge.mergestate.read(repo) records = ms._makerecords() if opts.get('mandatory'): records.append(('X', 'mandatory record')) if opts.get('advisory'): records.append(('x', 'advisory record')) ms._writerecords(records)