Mercurial > hg
view mercurial/dummycert.pem @ 37047:fddcb51b5084
wireproto: define permissions-based routing of HTTPv2 wire protocol
Now that we have a scaffolding for serving version 2 of the HTTP
protocol, let's start implementing it.
A good place to start is URL routing and basic request processing
semantics. We can focus on content types, capabilities detect, etc
later.
Version 2 of the HTTP wire protocol encodes the needed permissions
of the request in the URL path. The reasons for this are documented
in the added documentation. In short, a) it makes it really easy and
fail proof for server administrators to implement path-based
authentication and b) it will enable clients to realize very early in
a server exchange that authentication will be required to complete
the operation. This latter point avoids all kinds of complexity and
problems, like dealing with Expect: 100-continue and clients finding
out later during `hg push` that they need to provide authentication.
This will avoid the current badness where clients send a full bundle,
get an HTTP 403, provide authentication, then retransmit the bundle.
In order to implement command checking, we needed to implement a
protocol handler for the new wire protocol. Our handler is just
small enough to run the code we've implemented.
Tests for the defined functionality have been added.
I very much want to refactor the permissions checking code and define
a better response format. But this can be done later. Nothing is
covered by backwards compatibility at this point.
Differential Revision: https://phab.mercurial-scm.org/D2836
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Mon, 19 Mar 2018 16:43:47 -0700 |
parents | d7f7f1860f00 |
children |
line wrap: on
line source
A dummy certificate that will make OS X 10.6+ Python use the system CA certificate store: -----BEGIN CERTIFICATE----- MIIBIzCBzgIJANjmj39sb3FmMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNVBAMTDmhn LmV4YW1wbGUuY29tMB4XDTE0MDgzMDA4NDU1OVoXDTE0MDgyOTA4NDU1OVowGTEX MBUGA1UEAxMOaGcuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA mh/ZySGlcq0ALNLmA1gZqt61HruywPrRk6WyrLJRgt+X7OP9FFlEfl2tzHfzqvmK CtSQoPINWOdAJMekBYFgKQIDAQABMA0GCSqGSIb3DQEBBQUAA0EAF9h49LkSqJ6a IlpogZuUHtihXeKZBsiktVIDlDccYsNy0RSh9XxUfhk+XMLw8jBlYvcltSXdJ7We aKdQRekuMQ== -----END CERTIFICATE----- This certificate was generated to be syntactically valid but never be usable; it expired before it became valid. Created as: $ cat > cn.conf << EOT > [req] > distinguished_name = req_distinguished_name > [req_distinguished_name] > commonName = Common Name > commonName_default = no.example.com > EOT $ openssl req -nodes -new -x509 -keyout /dev/null \ > -out dummycert.pem -days -1 -config cn.conf -subj '/CN=hg.example.com' To verify the content of this certificate: $ openssl x509 -in dummycert.pem -noout -text Certificate: Data: Version: 1 (0x0) Serial Number: 15629337334278746470 (0xd8e68f7f6c6f7166) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=hg.example.com Validity Not Before: Aug 30 08:45:59 2014 GMT Not After : Aug 29 08:45:59 2014 GMT Subject: CN=hg.example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (512 bit) Modulus: 00:9a:1f:d9:c9:21:a5:72:ad:00:2c:d2:e6:03:58: 19:aa:de:b5:1e:bb:b2:c0:fa:d1:93:a5:b2:ac:b2: 51:82:df:97:ec:e3:fd:14:59:44:7e:5d:ad:cc:77: f3:aa:f9:8a:0a:d4:90:a0:f2:0d:58:e7:40:24:c7: a4:05:81:60:29 Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 17:d8:78:f4:b9:12:a8:9e:9a:22:5a:68:81:9b:94:1e:d8:a1: 5d:e2:99:06:c8:a4:b5:52:03:94:37:1c:62:c3:72:d1:14:a1: f5:7c:54:7e:19:3e:5c:c2:f0:f2:30:65:62:f7:25:b5:25:dd: 27:b5:9e:68:a7:50:45:e9:2e:31