upstream/mercurial-mirror Commit - r24347:1bcfecbb

censor: add censor command to hgext with basic client-side tests...

Mike Edgar -

r24347:1bcfecbb default

parent child

hgext/censor.py

0 created 644 +168 0

@@ -0,0 +1,168 b''
	1	# Copyright (C) 2015 - Mike Edgar <adgar@google.com>
	2	#
	3	# This extension enables removal of file content at a given revision,
	4	# rewriting the data/metadata of successive revisions to preserve revision log
	5	# integrity.
	6
	7	"""erase file content at a given revision
	8
	9	The censor command instructs Mercurial to erase all content of a file at a given
	10	revision without updating the changeset hash. This allows existing history to
	11	remain valid while preventing future clones/pulls from receiving the erased
	12	data.
	13
	14	Typical uses for censor are due to security or legal requirements, including::
	15
	16	* Passwords, private keys, crytographic material
	17	* Licensed data/code/libraries for which the license has expired
	18	* Personally Identifiable Information or other private data
	19
	20	Censored file revisions are listed in a tracked file called .hgcensored stored
	21	in the repository root. The censor command adds an entry to the .hgcensored file
	22	in the working directory and commits it (much like ``hg tag`` and .hgtags). The
	23	censored file data is then replaced with a pointer to the new commit, enabling
	24	verification.
	25
	26	Censored nodes can interrupt mercurial's typical operation whenever the excised
	27	data needs to be materialized. Some commands, like ``hg cat``/``hg revert``,
	28	simply fail when asked to produce censored data. Others, like ``hg verify`` and
	29	``hg update``, must be capable of tolerating censored data to continue to
	30	function in a meaningful way. Such commands only tolerate censored file
	31	revisions if they are allowed by the policy specified by the "censor.allow"
	32	config option.
	33	"""
	34
	35	from mercurial.node import short
	36	from mercurial import cmdutil, error, filelog, revlog, scmutil, util
	37	from mercurial.i18n import _
	38
	39	cmdtable = {}
	40	command = cmdutil.command(cmdtable)
	41	testedwith = 'internal'
	42
	43	@command('censor',
	44	[('r', 'rev', '', _('censor file from specified revision'), _('REV')),
	45	('t', 'tombstone', '', _('replacement tombstone data'), _('TEXT'))],
	46	_('-r REV [-t TEXT] [FILE]'))
	47	def censor(ui, repo, path, rev='', tombstone='', **opts):
	48	if not path:
	49	raise util.Abort(_('must specify file path to censor'))
	50	if not rev:
	51	raise util.Abort(_('must specify revision to censor'))
	52
	53	flog = repo.file(path)
	54	if not len(flog):
	55	raise util.Abort(_('cannot censor file with no history'))
	56
	57	rev = scmutil.revsingle(repo, rev, rev).rev()
	58	try:
	59	ctx = repo[rev]
	60	except KeyError:
	61	raise util.Abort(_('invalid revision identifier %s') % rev)
	62
	63	try:
	64	fctx = ctx.filectx(path)
	65	except error.LookupError:
	66	raise util.Abort(_('file does not exist at revision %s') % rev)
	67
	68	fnode = fctx.filenode()
	69	headctxs = [repo[c] for c in repo.heads()]
	70	heads = [c for c in headctxs if path in c and c.filenode(path) == fnode]
	71	if heads:
	72	headlist = ', '.join([short(c.node()) for c in heads])
	73	raise util.Abort(_('cannot censor file in heads (%s)') % headlist,
	74	hint=_('clean/delete and commit first'))
	75
	76	wctx = repo[None]
	77	wp = wctx.parents()
	78	if ctx.node() in [p.node() for p in wp]:
	79	raise util.Abort(_('cannot censor working directory'),
	80	hint=_('clean/delete/update first'))
	81
	82	flogv = flog.version & 0xFFFF
	83	if flogv != revlog.REVLOGNG:
	84	raise util.Abort(
	85	_('censor does not support revlog version %d') % (flogv,))
	86
	87	tombstone = filelog.packmeta({"censored": tombstone}, "")
	88
	89	crev = fctx.filerev()
	90
	91	if len(tombstone) > flog.rawsize(crev):
	92	raise util.Abort(_(
	93	'censor tombstone must be no longer than censored data'))
	94
	95	# Using two files instead of one makes it easy to rewrite entry-by-entry
	96	idxread = repo.svfs(flog.indexfile, 'r')
	97	idxwrite = repo.svfs(flog.indexfile, 'wb', atomictemp=True)
	98	if flog.version & revlog.REVLOGNGINLINEDATA:
	99	dataread, datawrite = idxread, idxwrite
	100	else:
	101	dataread = repo.svfs(flog.datafile, 'r')
	102	datawrite = repo.svfs(flog.datafile, 'wb', atomictemp=True)
	103
	104	# Copy all revlog data up to the entry to be censored.
	105	rio = revlog.revlogio()
	106	offset = flog.start(crev)
	107
	108	for chunk in util.filechunkiter(idxread, limit=crev * rio.size):
	109	idxwrite.write(chunk)
	110	for chunk in util.filechunkiter(dataread, limit=offset):
	111	datawrite.write(chunk)
	112
	113	def rewriteindex(r, newoffs, newdata=None):
	114	"""Rewrite the index entry with a new data offset and optional new data.
	115
	116	The newdata argument, if given, is a tuple of three positive integers:
	117	(new compressed, new uncompressed, added flag bits).
	118	"""
	119	offlags, comp, uncomp, base, link, p1, p2, nodeid = flog.index[r]
	120	flags = revlog.gettype(offlags)
	121	if newdata:
	122	comp, uncomp, nflags = newdata
	123	flags \|= nflags
	124	offlags = revlog.offset_type(newoffs, flags)
	125	e = (offlags, comp, uncomp, r, link, p1, p2, nodeid)
	126	idxwrite.write(rio.packentry(e, None, flog.version, r))
	127	idxread.seek(rio.size, 1)
	128
	129	def rewrite(r, offs, data, nflags=revlog.REVIDX_DEFAULT_FLAGS):
	130	"""Write the given full text to the filelog with the given data offset.
	131
	132	Returns:
	133	The integer number of data bytes written, for tracking data offsets.
	134	"""
	135	flag, compdata = flog.compress(data)
	136	newcomp = len(flag) + len(compdata)
	137	rewriteindex(r, offs, (newcomp, len(data), nflags))
	138	datawrite.write(flag)
	139	datawrite.write(compdata)
	140	dataread.seek(flog.length(r), 1)
	141	return newcomp
	142
	143	# Rewrite censored revlog entry with (padded) tombstone data.
	144	pad = ' ' * (flog.rawsize(crev) - len(tombstone))
	145	offset += rewrite(crev, offset, tombstone + pad, revlog.REVIDX_ISCENSORED)
	146
	147	# Rewrite all following filelog revisions fixing up offsets and deltas.
	148	for srev in xrange(crev + 1, len(flog)):
	149	if crev in flog.parentrevs(srev):
	150	# Immediate children of censored node must be re-added as fulltext.
	151	try:
	152	revdata = flog.revision(srev)
	153	except error.CensoredNodeError, e:
	154	revdata = e.tombstone
	155	dlen = rewrite(srev, offset, revdata)
	156	else:
	157	# Copy any other revision data verbatim after fixing up the offset.
	158	rewriteindex(srev, offset)
	159	dlen = flog.length(srev)
	160	for chunk in util.filechunkiter(dataread, limit=dlen):
	161	datawrite.write(chunk)
	162	offset += dlen
	163
	164	idxread.close()
	165	idxwrite.close()
	166	if dataread is not idxread:
	167	dataread.close()
	168	datawrite.close()

tests/test-censor.t

0 created 644 +315 0

@@ -0,0 +1,315 b''
	1	$ cat >> $HGRCPATH <<EOF
	2	> [extensions]
	3	> censor=
	4	> EOF
	5	$ cp $HGRCPATH $HGRCPATH.orig
	6
	7	Create repo with unimpeachable content
	8
	9	$ hg init r
	10	$ cd r
	11	$ echo 'Initially untainted file' > target
	12	$ echo 'Normal file here' > bystander
	13	$ hg add target bystander
	14	$ hg ci -m init
	15
	16	Clone repo so we can test pull later
	17
	18	$ cd ..
	19	$ hg clone r rpull
	20	updating to branch default
	21	2 files updated, 0 files merged, 0 files removed, 0 files unresolved
	22	$ cd r
	23
	24	Introduce content which will ultimately require censorship. Name the first
	25	censored node C1, second C2, and so on
	26
	27	$ echo 'Tainted file' > target
	28	$ echo 'Passwords: hunter2' >> target
	29	$ hg ci -m taint target
	30	$ C1=`hg id --debug -i`
	31
	32	$ echo 'hunter3' >> target
	33	$ echo 'Normal file v2' > bystander
	34	$ hg ci -m moretaint target bystander
	35	$ C2=`hg id --debug -i`
	36
	37	Add a new sanitized versions to correct our mistake. Name the first head H1,
	38	the second head H2, and so on
	39
	40	$ echo 'Tainted file is now sanitized' > target
	41	$ hg ci -m sanitized target
	42	$ H1=`hg id --debug -i`
	43
	44	$ hg update -r $C2
	45	1 files updated, 0 files merged, 0 files removed, 0 files unresolved
	46	$ echo 'Tainted file now super sanitized' > target
	47	$ hg ci -m 'super sanitized' target
	48	created new head
	49	$ H2=`hg id --debug -i`
	50
	51	Verify target contents before censorship at each revision
	52
	53	$ hg cat -r 3 target
	54	Tainted file is now sanitized
	55	$ hg cat -r $H2 target
	56	Tainted file now super sanitized
	57	$ hg cat -r $C2 target
	58	Tainted file
	59	Passwords: hunter2
	60	hunter3
	61	$ hg cat -r $C1 target
	62	Tainted file
	63	Passwords: hunter2
	64	$ hg cat -r 0 target
	65	Initially untainted file
	66
	67	Try to censor revision with too large of a tombstone message
	68
	69	$ hg censor -r $C1 -t 'blah blah blah blah blah blah blah blah bla' target
	70	abort: censor tombstone must be no longer than censored data
	71	[255]
	72
	73	Censor revision with 2 offenses
	74
	75	$ hg censor -r $C2 -t "remove password" target
	76	$ hg cat -r 3 target
	77	Tainted file is now sanitized
	78	$ hg cat -r $H2 target
	79	Tainted file now super sanitized
	80	$ hg cat -r $C2 target
	81	abort: censored node: 1e0247a9a4b7
	82	(set censor.policy to ignore errors)
	83	[255]
	84	$ hg cat -r $C1 target
	85	Tainted file
	86	Passwords: hunter2
	87	$ hg cat -r 0 target
	88	Initially untainted file
	89
	90	Censor revision with 1 offense
	91
	92	$ hg censor -r $C1 target
	93	$ hg cat -r 3 target
	94	Tainted file is now sanitized
	95	$ hg cat -r $H2 target
	96	Tainted file now super sanitized
	97	$ hg cat -r $C2 target
	98	abort: censored node: 1e0247a9a4b7
	99	(set censor.policy to ignore errors)
	100	[255]
	101	$ hg cat -r $C1 target
	102	abort: censored node: 613bc869fceb
	103	(set censor.policy to ignore errors)
	104	[255]
	105	$ hg cat -r 0 target
	106	Initially untainted file
	107
	108	Can only checkout target at uncensored revisions, -X is workaround for --all
	109
	110	$ hg revert -r $C2 target
	111	abort: censored node: 1e0247a9a4b7
	112	(set censor.policy to ignore errors)
	113	[255]
	114	$ hg revert -r $C1 target
	115	abort: censored node: 613bc869fceb
	116	(set censor.policy to ignore errors)
	117	[255]
	118	$ hg revert -r $C1 --all
	119	reverting bystander
	120	reverting target
	121	abort: censored node: 613bc869fceb
	122	(set censor.policy to ignore errors)
	123	[255]
	124	$ hg revert -r $C1 --all -X target
	125	$ cat target
	126	Tainted file now super sanitized
	127	$ hg revert -r 0 --all
	128	reverting target
	129	$ cat target
	130	Initially untainted file
	131	$ hg revert -r $H2 --all
	132	reverting bystander
	133	reverting target
	134	$ cat target
	135	Tainted file now super sanitized
	136
	137	Uncensored file can be viewed at any revision
	138
	139	$ hg cat -r 3 bystander
	140	Normal file v2
	141	$ hg cat -r $C2 bystander
	142	Normal file v2
	143	$ hg cat -r $C1 bystander
	144	Normal file here
	145	$ hg cat -r 0 bystander
	146	Normal file here
	147
	148	Can update to children of censored revision
	149
	150	$ hg update -r 3
	151	1 files updated, 0 files merged, 0 files removed, 0 files unresolved
	152	$ cat target
	153	Tainted file is now sanitized
	154	$ hg update -r $H2
	155	1 files updated, 0 files merged, 0 files removed, 0 files unresolved
	156	$ cat target
	157	Tainted file now super sanitized
	158
	159	Set censor policy to abort in trusted $HGRC so hg verify fails
	160
	161	$ cp $HGRCPATH.orig $HGRCPATH
	162	$ cat >> $HGRCPATH <<EOF
	163	> [censor]
	164	> policy = abort
	165	> EOF
	166
	167	Repo fails verification due to censorship
	168
	169	$ hg verify
	170	checking changesets
	171	checking manifests
	172	crosschecking files in changesets and manifests
	173	checking files
	174	target@1: censored file data
	175	target@2: censored file data
	176	2 files, 5 changesets, 7 total revisions
	177	2 integrity errors encountered!
	178	(first damaged changeset appears to be 1)
	179	[1]
	180
	181	Cannot update to revision with censored data
	182
	183	$ hg update -r $C2
	184	abort: censored node: 1e0247a9a4b7
	185	(set censor.policy to ignore errors)
	186	[255]
	187	$ hg update -r $C1
	188	abort: censored node: 613bc869fceb
	189	(set censor.policy to ignore errors)
	190	[255]
	191	$ hg update -r 0
	192	2 files updated, 0 files merged, 0 files removed, 0 files unresolved
	193	$ hg update -r $H2
	194	2 files updated, 0 files merged, 0 files removed, 0 files unresolved
	195
	196	Set censor policy to ignore in trusted $HGRC so hg verify passes
	197
	198	$ cp $HGRCPATH.orig $HGRCPATH
	199	$ cat >> $HGRCPATH <<EOF
	200	> [censor]
	201	> policy = ignore
	202	> EOF
	203
	204	Repo passes verification with warnings with explicit config
	205
	206	$ hg verify
	207	checking changesets
	208	checking manifests
	209	crosschecking files in changesets and manifests
	210	checking files
	211	2 files, 5 changesets, 7 total revisions
	212
	213	May update to revision with censored data with explicit config
	214
	215	$ hg update -r $C2
	216	1 files updated, 0 files merged, 0 files removed, 0 files unresolved
	217	$ cat target
	218	$ hg update -r $C1
	219	2 files updated, 0 files merged, 0 files removed, 0 files unresolved
	220	$ cat target
	221	$ hg update -r 0
	222	1 files updated, 0 files merged, 0 files removed, 0 files unresolved
	223	$ cat target
	224	Initially untainted file
	225	$ hg update -r $H2
	226	2 files updated, 0 files merged, 0 files removed, 0 files unresolved
	227	$ cat target
	228	Tainted file now super sanitized
	229
	230	Can merge in revision with censored data. Test requires one branch of history
	231	with the file censored, but we can't censor at a head, so advance H1.
	232
	233	$ hg update -r $H1
	234	1 files updated, 0 files merged, 0 files removed, 0 files unresolved
	235	$ C3=$H1
	236	$ echo 'advanced head H1' > target
	237	$ hg ci -m 'advance head H1' target
	238	$ H1=`hg id --debug -i`
	239	$ hg censor -r $C3 target
	240	$ hg update -r $H2
	241	1 files updated, 0 files merged, 0 files removed, 0 files unresolved
	242	$ hg merge -r $C3
	243	merging target
	244	0 files updated, 1 files merged, 0 files removed, 0 files unresolved
	245	(branch merge, don't forget to commit)
	246
	247	Revisions present in repository heads may not be censored
	248
	249	$ hg update -C -r $H2
	250	1 files updated, 0 files merged, 0 files removed, 0 files unresolved
	251	$ hg censor -r $H2 target
	252	abort: cannot censor file in heads (78a8fc215e79)
	253	(clean/delete and commit first)
	254	[255]
	255	$ echo 'twiddling thumbs' > bystander
	256	$ hg ci -m 'bystander commit'
	257	$ H2=`hg id --debug -i`
	258	$ hg censor -r "$H2^" target
	259	abort: cannot censor file in heads (efbe78065929)
	260	(clean/delete and commit first)
	261	[255]
	262
	263	Cannot censor working directory
	264
	265	$ echo 'seriously no passwords' > target
	266	$ hg ci -m 'extend second head arbitrarily' target
	267	$ H2=`hg id --debug -i`
	268	$ hg update -r "$H2^"
	269	1 files updated, 0 files merged, 0 files removed, 0 files unresolved
	270	$ hg censor -r . target
	271	abort: cannot censor working directory
	272	(clean/delete/update first)
	273	[255]
	274	$ hg update -r $H2
	275	1 files updated, 0 files merged, 0 files removed, 0 files unresolved
	276
	277	Can re-add file after being deleted + censored
	278
	279	$ C4=$H2
	280	$ hg rm target
	281	$ hg ci -m 'delete target so it may be censored'
	282	$ H2=`hg id --debug -i`
	283	$ hg censor -r $C4 target
	284	$ hg cat -r $C4 target
	285	$ hg cat -r "$H2^^" target
	286	Tainted file now super sanitized
	287	$ echo 'fresh start' > target
	288	$ hg add target
	289	$ hg ci -m reincarnated target
	290	$ H2=`hg id --debug -i`
	291	$ hg cat -r $H2 target
	292	fresh start
	293	$ hg cat -r "$H2^" target
	294	target: no such file in rev 452ec1762369
	295	[1]
	296	$ hg cat -r $C4 target
	297	$ hg cat -r "$H2^^^" target
	298	Tainted file now super sanitized
	299
	300	Can censor after revlog has expanded to no longer permit inline storage
	301
	302	$ for x in `seq 0 50000`
	303	> do
	304	> echo "Password: hunter$x" >> target
	305	> done
	306	$ hg ci -m 'add 100k passwords'
	307	$ H2=`hg id --debug -i`
	308	$ C5=$H2
	309	$ hg revert -r "$H2^" target
	310	$ hg ci -m 'cleaned 100k passwords'
	311	$ H2=`hg id --debug -i`
	312	$ hg censor -r $C5 target
	313	$ hg cat -r $C5 target
	314	$ hg cat -r $H2 target
	315	fresh start

tests/test-help.t

0 +1 0

                    acl           hooks for controlling repository access
                    blackbox      log repository events to a blackbox for debugging
                    bugzilla      hooks for integrating with the Bugzilla bug tracker
+                   censor        erase file content at a given revision
                    churn         command to display statistics about repository history
                    color         colorize output from some commands
                    convert       import revisions from foreign VCS repositories into

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages