sslutil: per-host config option to define certificates

Recent work has introduced the [hostsecurity] config section for defining per-host security settings. This patch builds on top of this foundation and implements the ability to define a per-host path to a file containing certificates used for verifying the server certificate. It is logically a per-host web.cacerts setting.

This patch also introduces a warning when both per-host certificates and fingerprints are defined. These are mutually exclusive for host verification and I think the user should be alerted when security settings are ambiguous because, well, security is important.

Tests validating the new behavior have been added.

I decided against putting "ca" in the option name because a non-CA certificate can be specified and used to validate the server certificate (commonly this will be the exact public certificate used by the server).

It's worth noting that the underlying Python API used is load_verify_locations(cafile=X) and it calls into OpenSSL's SSL_CTX_load_verify_locations(). Even OpenSSL's documentation seems to omit that the file can contain a non-CA certificate if it matches the server's certificate exactly. I thought a CA certificate was a special kind of x509 certificate. Perhaps I'm wrong and any x509 certificate can be used as a CA certificate [as far as OpenSSL is concerned]. In any case, I thought it best to drop "ca" from the name because this reflects reality.
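The ambiguity this commit message warns about, as an added example that is not part of the original page or of Mercurial's code: a small audit of an hgrc for hosts that define both a per-host certificate file and fingerprints. The option names `verifycertsfile` and `fingerprints` are assumed from Mercurial's `[hostsecurity]` section (the page does not spell them out), and the sample config is constructed.

```python
import configparser

# Constructed sample hgrc; host names, paths and fingerprints are placeholders.
SAMPLE_HGRC = """\
[hostsecurity]
hg.example.com:verifycertsfile = /etc/hg/certs/hg.example.com.pem
hg.example.com:fingerprints = sha256:<placeholder-fingerprint>
mirror.example.org:verifycertsfile = /etc/hg/certs/mirror.pem
legacy.example.net:fingerprints = sha256:<placeholder-fingerprint>

[web]
cacerts = /etc/ssl/certs/ca-certificates.crt
"""

# Assumed option names (not given on the page).
VERIFY_OPTIONS = ("verifycertsfile", "fingerprints")


def host_verification_settings(hgrc_text):
    """Map each host in [hostsecurity] to the verification options set for it."""
    # Split on '=' only: the keys themselves contain ':' (host:option).
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.read_string(hgrc_text)
    hosts = {}
    if not cp.has_section("hostsecurity"):
        return hosts
    for key, value in cp.items("hostsecurity"):
        host, sep, option = key.rpartition(":")
        if sep and option in VERIFY_OPTIONS and value.strip():
            hosts.setdefault(host, set()).add(option)
    return hosts


def ambiguous_hosts(hgrc_text):
    """Hosts that define both mechanisms, which the commit calls mutually exclusive."""
    settings = host_verification_settings(hgrc_text)
    return sorted(h for h, opts in settings.items()
                  if set(VERIFY_OPTIONS) <= opts)


if __name__ == "__main__":
    for host in ambiguous_hosts(SAMPLE_HGRC):
        print("warning: %s defines both a certificate file and fingerprints" % host)
```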

File last commit:

r28883:032c4c2f default
r29334:ecc9b788 default
statichttprepo.py
187 lines | 5.3 KiB | text/x-python | PythonLexer
# statichttprepo.py - simple http repository class for mercurial
#
# This provides read-only repo access to repositories exported via static http
#
# Copyright 2005-2007 Matt Mackall <mpm@selenic.com>
#
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.

from __future__ import absolute_import

import errno
import os

from .i18n import _
from . import (
    byterange,
    changelog,
    error,
    localrepo,
    manifest,
    namespaces,
    scmutil,
    store,
    url,
    util,
)

urlerr = util.urlerr
urlreq = util.urlreq

class httprangereader(object):
    def __init__(self, url, opener):
        # we assume opener has HTTPRangeHandler
        self.url = url
        self.pos = 0
        self.opener = opener
        self.name = url

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc_value, traceback):
        self.close()

    def seek(self, pos):
        self.pos = pos

    def read(self, bytes=None):
        req = urlreq.request(self.url)
        end = ''
        if bytes:
            end = self.pos + bytes - 1
        if self.pos or end:
            req.add_header('Range', 'bytes=%d-%s' % (self.pos, end))

        try:
            f = self.opener.open(req)
            data = f.read()
            code = f.code
        except urlerr.httperror as inst:
            num = inst.code == 404 and errno.ENOENT or None
            raise IOError(num, inst)
        except urlerr.urlerror as inst:
            raise IOError(None, inst.reason[1])

        if code == 200:
            # HTTPRangeHandler does nothing if remote does not support
            # Range headers and returns the full entity. Let's slice it.
            if bytes:
                data = data[self.pos:self.pos + bytes]
            else:
                data = data[self.pos:]
        elif bytes:
            data = data[:bytes]
        self.pos += len(data)
        return data

    def readlines(self):
        return self.read().splitlines(True)

    def __iter__(self):
        return iter(self.readlines())

    def close(self):
        pass

def build_opener(ui, authinfo):
    # urllib cannot handle URLs with embedded user or passwd
    urlopener = url.opener(ui, authinfo)
    urlopener.add_handler(byterange.HTTPRangeHandler())

    class statichttpvfs(scmutil.abstractvfs):
        def __init__(self, base):
            self.base = base

        def __call__(self, path, mode='r', *args, **kw):
            if mode not in ('r', 'rb'):
                raise IOError('Permission denied')
            f = "/".join((self.base, urlreq.quote(path)))
            return httprangereader(f, urlopener)

        def join(self, path):
            if path:
                return os.path.join(self.base, path)
            else:
                return self.base

    return statichttpvfs

class statichttppeer(localrepo.localpeer):
    def local(self):
        return None

    def canpush(self):
        return False

class statichttprepository(localrepo.localrepository):
    supported = localrepo.localrepository._basesupported

    def __init__(self, ui, path):
        self._url = path
        self.ui = ui

        self.root = path
        u = util.url(path.rstrip('/') + "/.hg")
        self.path, authinfo = u.authinfo()

        opener = build_opener(ui, authinfo)
        self.opener = opener(self.path)
        self.vfs = self.opener
        self._phasedefaults = []

        self.names = namespaces.namespaces()

        try:
            requirements = scmutil.readrequires(self.vfs, self.supported)
        except IOError as inst:
            if inst.errno != errno.ENOENT:
                raise
            requirements = set()

            # check if it is a non-empty old-style repository
            try:
                fp = self.vfs("00changelog.i")
                fp.read(1)
                fp.close()
            except IOError as inst:
                if inst.errno != errno.ENOENT:
                    raise
                # we do not care about empty old-style repositories here
                msg = _("'%s' does not appear to be an hg repository") % path
                raise error.RepoError(msg)

        # setup store
        self.store = store.store(requirements, self.path, opener)
        self.spath = self.store.path
        self.svfs = self.store.opener
        self.sjoin = self.store.join
        self._filecache = {}
        self.requirements = requirements

        self.manifest = manifest.manifest(self.svfs)
        self.changelog = changelog.changelog(self.svfs)
        self._tags = None
        self.nodetagscache = None
        self._branchcaches = {}
        self._revbranchcache = None
        self.encodepats = None
        self.decodepats = None
        self._transref = None

    def _restrictcapabilities(self, caps):
        caps = super(statichttprepository, self)._restrictcapabilities(caps)
        return caps.difference(["pushkey"])

    def url(self):
        return self._url

    def local(self):
        return False

    def peer(self):
        return statichttppeer(self)

    def lock(self, wait=True):
        raise error.Abort(_('cannot lock static-http repository'))

def instance(ui, path, create):
    if create:
        raise error.Abort(_('cannot create new static-http repository'))
    return statichttprepository(ui, path[7:])