Mercurial > hg
changeset 29226:33006bd6a1d7
sslutil: store and use hostname and ui in socket instance
Currently, we pass a hostname and ui to sslutil.wrap_socket()
then create a separate sslutil.validator instance also from
a hostname and ui. There is a 1:1 mapping between a wrapped
socket and a validator instance. This commit lays the groundwork
for making the validation function generic by storing the
hostname and ui instance in the state dict attached to the
socket instance and then using these variables in the
validator function.
Since the arguments to sslutil.validator.__init__ are no longer
used, we make them optional and make __init__ a no-op.
| author | Gregory Szorc <gregory.szorc@gmail.com> |
|---|---|
| date | Sun, 15 May 2016 11:32:11 -0700 |
| parents | b115eed11780 |
| children | dffe78d80a6c |
| files | mercurial/sslutil.py |
| diffstat | 1 files changed, 18 insertions(+), 16 deletions(-) [+] |
line wrap: on
line diff
--- a/mercurial/sslutil.py Sun May 15 11:25:07 2016 -0700 +++ b/mercurial/sslutil.py Sun May 15 11:32:11 2016 -0700 @@ -173,6 +173,8 @@ sslsocket._hgstate = { 'caloaded': caloaded, + 'hostname': serverhostname, + 'ui': ui, } return sslsocket @@ -290,12 +292,12 @@ return kws class validator(object): - def __init__(self, ui, host): - self.ui = ui - self.host = host + def __init__(self, ui=None, host=None): + pass def __call__(self, sock, strict=False): - host = self.host + host = sock._hgstate['hostname'] + ui = sock._hgstate['ui'] if not sock.cipher(): # work around http://bugs.python.org/issue13721 raise error.Abort(_('%s ssl connection error') % host) @@ -311,7 +313,7 @@ # If a certificate fingerprint is pinned, use it and only it to # validate the remote cert. - hostfingerprints = self.ui.configlist('hostfingerprints', host) + hostfingerprints = ui.configlist('hostfingerprints', host) peerfingerprint = util.sha1(peercert).hexdigest() nicefingerprint = ":".join([peerfingerprint[x:x + 2] for x in xrange(0, len(peerfingerprint), 2)]) @@ -326,8 +328,8 @@ raise error.Abort(_('certificate for %s has unexpected ' 'fingerprint %s') % (host, nicefingerprint), hint=_('check hostfingerprint configuration')) - self.ui.debug('%s certificate matched fingerprint %s\n' % - (host, nicefingerprint)) + ui.debug('%s certificate matched fingerprint %s\n' % + (host, nicefingerprint)) return # If insecure connections were explicitly requested via --insecure, @@ -336,11 +338,11 @@ # It may seem odd that this is checked *after* host fingerprint pinning. # This is for backwards compatibility (for now). The message is also # the same as below for BC. - if self.ui.insecureconnections: - self.ui.warn(_('warning: %s certificate with fingerprint %s not ' - 'verified (check hostfingerprints or web.cacerts ' - 'config setting)\n') % - (host, nicefingerprint)) + if ui.insecureconnections: + ui.warn(_('warning: %s certificate with fingerprint %s not ' + 'verified (check hostfingerprints or web.cacerts ' + 'config setting)\n') % + (host, nicefingerprint)) return if not sock._hgstate['caloaded']: @@ -350,10 +352,10 @@ hint=_('check hostfingerprints or ' 'web.cacerts config setting')) else: - self.ui.warn(_('warning: %s certificate with fingerprint %s ' - 'not verified (check hostfingerprints or ' - 'web.cacerts config setting)\n') % - (host, nicefingerprint)) + ui.warn(_('warning: %s certificate with fingerprint %s ' + 'not verified (check hostfingerprints or ' + 'web.cacerts config setting)\n') % + (host, nicefingerprint)) return