Show More
| @@ -1,87 +1,93 b'' | |||||
| 1 | #!/usr/bin/env python |
|
1 | #!/usr/bin/env python | |
| 2 | # |
|
2 | # | |
| 3 | # Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de> |
|
3 | # Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de> | |
| 4 | # |
|
4 | # | |
| 5 | # Author(s): |
|
5 | # Author(s): | |
| 6 | # Thomas Arendsen Hein <thomas@intevation.de> |
|
6 | # Thomas Arendsen Hein <thomas@intevation.de> | |
| 7 | # |
|
7 | # | |
| 8 | # This software may be used and distributed according to the terms of the |
|
8 | # This software may be used and distributed according to the terms of the | |
| 9 | # GNU General Public License version 2 or any later version. |
|
9 | # GNU General Public License version 2 or any later version. | |
| 10 |
|
10 | |||
| 11 | """ |
|
11 | """ | |
| 12 | hg-ssh - a wrapper for ssh access to a limited set of mercurial repos |
|
12 | hg-ssh - a wrapper for ssh access to a limited set of mercurial repos | |
| 13 |
|
13 | |||
| 14 | To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8): |
|
14 | To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8): | |
| 15 | command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ... |
|
15 | command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ... | |
| 16 | (probably together with these other useful options: |
|
16 | (probably together with these other useful options: | |
| 17 | no-port-forwarding,no-X11-forwarding,no-agent-forwarding) |
|
17 | no-port-forwarding,no-X11-forwarding,no-agent-forwarding) | |
| 18 |
|
18 | |||
| 19 | This allows pull/push over ssh from/to the repositories given as arguments. |
|
19 | This allows pull/push over ssh from/to the repositories given as arguments. | |
| 20 |
|
20 | |||
| 21 | If all your repositories are subdirectories of a common directory, you can |
|
21 | If all your repositories are subdirectories of a common directory, you can | |
| 22 | allow shorter paths with: |
|
22 | allow shorter paths with: | |
| 23 | command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2" |
|
23 | command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2" | |
| 24 |
|
24 | |||
| 25 | You can use pattern matching of your normal shell, e.g.: |
|
25 | You can use pattern matching of your normal shell, e.g.: | |
| 26 | command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}" |
|
26 | command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}" | |
| 27 |
|
27 | |||
| 28 | You can also add a --read-only flag to allow read-only access to a key, e.g.: |
|
28 | You can also add a --read-only flag to allow read-only access to a key, e.g.: | |
| 29 | command="hg-ssh --read-only repos/*" |
|
29 | command="hg-ssh --read-only repos/*" | |
| 30 | """ |
|
30 | """ | |
|
|
31 | from __future__ import absolute_import | |||
|
|
32 | ||||
|
|
33 | import os | |||
|
|
34 | import shlex | |||
|
|
35 | import sys | |||
| 31 |
|
36 | |||
| 32 | # enable importing on demand to reduce startup time |
|
37 | # enable importing on demand to reduce startup time | |
| 33 |
|
|
38 | import hgdemandimport ; hgdemandimport.enable() | |
| 34 |
|
39 | |||
| 35 |
from mercurial import |
|
40 | from mercurial import ( | |
| 36 |
|
41 | dispatch, | ||
| 37 | import sys, os, shlex |
|
42 | ui as uimod, | |
|
|
43 | ) | |||
| 38 |
|
44 | |||
| 39 | def main(): |
|
45 | def main(): | |
| 40 | cwd = os.getcwd() |
|
46 | cwd = os.getcwd() | |
| 41 | readonly = False |
|
47 | readonly = False | |
| 42 | args = sys.argv[1:] |
|
48 | args = sys.argv[1:] | |
| 43 | while len(args): |
|
49 | while len(args): | |
| 44 | if args[0] == '--read-only': |
|
50 | if args[0] == '--read-only': | |
| 45 | readonly = True |
|
51 | readonly = True | |
| 46 | args.pop(0) |
|
52 | args.pop(0) | |
| 47 | else: |
|
53 | else: | |
| 48 | break |
|
54 | break | |
| 49 | allowed_paths = [os.path.normpath(os.path.join(cwd, |
|
55 | allowed_paths = [os.path.normpath(os.path.join(cwd, | |
| 50 | os.path.expanduser(path))) |
|
56 | os.path.expanduser(path))) | |
| 51 | for path in args] |
|
57 | for path in args] | |
| 52 | orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?') |
|
58 | orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?') | |
| 53 | try: |
|
59 | try: | |
| 54 | cmdargv = shlex.split(orig_cmd) |
|
60 | cmdargv = shlex.split(orig_cmd) | |
| 55 | except ValueError as e: |
|
61 | except ValueError as e: | |
| 56 | sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e)) |
|
62 | sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e)) | |
| 57 | sys.exit(255) |
|
63 | sys.exit(255) | |
| 58 |
|
64 | |||
| 59 | if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']: |
|
65 | if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']: | |
| 60 | path = cmdargv[2] |
|
66 | path = cmdargv[2] | |
| 61 | repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path))) |
|
67 | repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path))) | |
| 62 | if repo in allowed_paths: |
|
68 | if repo in allowed_paths: | |
| 63 | cmd = ['-R', repo, 'serve', '--stdio'] |
|
69 | cmd = ['-R', repo, 'serve', '--stdio'] | |
| 64 | req = dispatch.request(cmd) |
|
70 | req = dispatch.request(cmd) | |
| 65 | if readonly: |
|
71 | if readonly: | |
| 66 | if not req.ui: |
|
72 | if not req.ui: | |
| 67 | req.ui = uimod.ui.load() |
|
73 | req.ui = uimod.ui.load() | |
| 68 | req.ui.setconfig('hooks', 'pretxnopen.hg-ssh', |
|
74 | req.ui.setconfig('hooks', 'pretxnopen.hg-ssh', | |
| 69 | 'python:__main__.rejectpush', 'hg-ssh') |
|
75 | 'python:__main__.rejectpush', 'hg-ssh') | |
| 70 | req.ui.setconfig('hooks', 'prepushkey.hg-ssh', |
|
76 | req.ui.setconfig('hooks', 'prepushkey.hg-ssh', | |
| 71 | 'python:__main__.rejectpush', 'hg-ssh') |
|
77 | 'python:__main__.rejectpush', 'hg-ssh') | |
| 72 | dispatch.dispatch(req) |
|
78 | dispatch.dispatch(req) | |
| 73 | else: |
|
79 | else: | |
| 74 | sys.stderr.write('Illegal repository "%s"\n' % repo) |
|
80 | sys.stderr.write('Illegal repository "%s"\n' % repo) | |
| 75 | sys.exit(255) |
|
81 | sys.exit(255) | |
| 76 | else: |
|
82 | else: | |
| 77 | sys.stderr.write('Illegal command "%s"\n' % orig_cmd) |
|
83 | sys.stderr.write('Illegal command "%s"\n' % orig_cmd) | |
| 78 | sys.exit(255) |
|
84 | sys.exit(255) | |
| 79 |
|
85 | |||
| 80 | def rejectpush(ui, **kwargs): |
|
86 | def rejectpush(ui, **kwargs): | |
| 81 | ui.warn(("Permission denied\n")) |
|
87 | ui.warn(("Permission denied\n")) | |
| 82 | # mercurial hooks use unix process conventions for hook return values |
|
88 | # mercurial hooks use unix process conventions for hook return values | |
| 83 | # so a truthy return means failure |
|
89 | # so a truthy return means failure | |
| 84 | return True |
|
90 | return True | |
| 85 |
|
91 | |||
| 86 | if __name__ == '__main__': |
|
92 | if __name__ == '__main__': | |
| 87 | main() |
|
93 | main() | |
General Comments 0
You need to be logged in to leave comments.
Login now