wireproto: define permissions-based routing of HTTPv2 wire protocol
Now that we have a scaffolding for serving version 2 of the HTTP
protocol, let's start implementing it.
A good place to start is URL routing and basic request processing
semantics. We can focus on content types, capabilities detect, etc
later.
Version 2 of the HTTP wire protocol encodes the needed permissions
of the request in the URL path. The reasons for this are documented
in the added documentation. In short, a) it makes it really easy and
fail proof for server administrators to implement path-based
authentication and b) it will enable clients to realize very early in
a server exchange that authentication will be required to complete
the operation. This latter point avoids all kinds of complexity and
problems, like dealing with Expect: 100-continue and clients finding
out later during `hg push` that they need to provide authentication.
This will avoid the current badness where clients send a full bundle,
get an HTTP 403, provide authentication, then retransmit the bundle.
In order to implement command checking, we needed to implement a
protocol handler for the new wire protocol. Our handler is just
small enough to run the code we've implemented.
Tests for the defined functionality have been added.
I very much want to refactor the permissions checking code and define
a better response format. But this can be done later. Nothing is
covered by backwards compatibility at this point.
Differential Revision: https://phab.mercurial-scm.org/D2836
# same user, same group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# same user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, same group
not trusting file .hg/hgrc from untrusted user abc, group bar
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, same group, but we trust the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group, but we trust the user
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group, but we trust the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# different user, different group, but we trust the user and the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we trust all users
# different user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we trust all groups
# different user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we trust all users and groups
# different user, different group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# we don't get confused by users and groups with the same name
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# list of user names
# different user, different group, but we trust the user
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# list of group names
# different user, different group, but we trust the group
trusted
global = /some/path
local = /another/path
untrusted
. . global = /some/path
. . local = /another/path
# Can't figure out the name of the user running this process
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# prints debug warnings
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
ignoring untrusted configuration option paths.local = /another/path
global = /some/path
untrusted
. . global = /some/path
. ignoring untrusted configuration option paths.local = /another/path
. local = /another/path
# report_untrusted enabled without debug hides warnings
# different user, different group
trusted
global = /some/path
untrusted
. . global = /some/path
. . local = /another/path
# report_untrusted enabled with debug shows warnings
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
trusted
ignoring untrusted configuration option paths.local = /another/path
global = /some/path
untrusted
. . global = /some/path
. ignoring untrusted configuration option paths.local = /another/path
. local = /another/path
# ui.readconfig sections
quux
# read trusted, untrusted, new ui, trusted
not trusting file foobar from untrusted user abc, group def
trusted:
ignoring untrusted configuration option foobar.baz = quux
None
untrusted:
quux
# error handling
# file doesn't exist
# same user, same group
# different user, different group
# parse error
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
('foo', '.hg/hgrc:1')
# same user, same group
('foo', '.hg/hgrc:1')
# access typed information
# different user, different group
not trusting file .hg/hgrc from untrusted user abc, group def
# suboptions, trusted and untrusted
(None, []) ('main', [('one', 'one'), ('two', 'two')])
# path, trusted and untrusted
None .hg/monty/python
# bool, trusted and untrusted
False True
# int, trusted and untrusted
0 42
# bytes, trusted and untrusted
0 84934656
# list, trusted and untrusted
[] ['spam', 'ham', 'eggs']