upstream/mercurial-mirror Commit - r41756:698667eb

lfs: disable all authentication except Basic for HTTP(S) connections...

Matt Harbison -

r41756:698667eb default

parent child

hgext/lfs/blobstore.py

0 +19 0

@@ -264,6 +264,24 b' def _urlerrorreason(urlerror):'
264	else:	264	else:
265	return stringutil.forcebytestr(urlerror)	265	return stringutil.forcebytestr(urlerror)
266		266
		267	class lfsauthhandler(util.urlreq.basehandler):
		268	handler_order = 480 # Before HTTPDigestAuthHandler (== 490)
		269
		270	def http_error_401(self, req, fp, code, msg, headers):
		271	"""Enforces that any authentication performed is HTTP Basic
		272	Authentication. No authentication is also acceptable.
		273	"""
		274	authreq = headers.get(r'www-authenticate', None)
		275	if authreq:
		276	scheme = authreq.split()[0]
		277
		278	if scheme.lower() != r'basic':
		279	msg = _(b'the server must support Basic Authentication')
		280	raise util.urlerr.httperror(req.get_full_url(), code,
		281	encoding.strfromlocal(msg), headers,
		282	fp)
		283	return None
		284
267	class _gitlfsremote(object):	285	class _gitlfsremote(object):
268		286
269	def __init__(self, repo, url):	287	def __init__(self, repo, url):
@@ -275,6 +293,7 b' class _gitlfsremote(object):'
275	if not useragent:	293	if not useragent:
276	useragent = b'git-lfs/2.3.4 (Mercurial %s)' % util.version()	294	useragent = b'git-lfs/2.3.4 (Mercurial %s)' % util.version()
277	self.urlopener = urlmod.opener(ui, authinfo, useragent)	295	self.urlopener = urlmod.opener(ui, authinfo, useragent)
		296	self.urlopener.add_handler(lfsauthhandler())
278	self.retry = ui.configint(b'lfs', b'retry')	297	self.retry = ui.configint(b'lfs', b'retry')
279		298
280	def writebatch(self, pointers, fromstore):	299	def writebatch(self, pointers, fromstore):

tests/test-lfs-serve-access.t

0 +39 0

@@ -421,6 +421,32 b' the GET/PUT request.'
421		421
422	$ echo 'another blob' > auth_clone/lfs.blob	422	$ echo 'another blob' > auth_clone/lfs.blob
423	$ hg -R auth_clone ci -Aqm 'add blob'	423	$ hg -R auth_clone ci -Aqm 'add blob'
		424
		425	$ cat > use_digests.py << EOF
		426	> from mercurial import (
		427	> exthelper,
		428	> url,
		429	> )
		430	>
		431	> eh = exthelper.exthelper()
		432	> uisetup = eh.finaluisetup
		433	>
		434	> @eh.wrapfunction(url, 'opener')
		435	> def urlopener(orig, args, *kwargs):
		436	> opener = orig(args, *kwargs)
		437	> opener.addheaders.append((r'X-HgTest-AuthType', r'Digest'))
		438	> return opener
		439	> EOF
		440
		441	Test that Digest Auth fails gracefully before testing the successful Basic Auth
		442
		443	$ hg -R auth_clone push --config extensions.x=use_digests.py
		444	pushing to http://localhost:$HGPORT1/
		445	searching for changes
		446	abort: LFS HTTP error: HTTP Error 401: the server must support Basic Authentication!
		447	(api=http://localhost:$HGPORT1/.git/info/lfs/objects/batch, action=upload)
		448	[255]
		449
424	$ hg -R auth_clone --debug push \| egrep '^[{}]\| '	450	$ hg -R auth_clone --debug push \| egrep '^[{}]\| '
425	{	451	{
426	"objects": [	452	"objects": [
@@ -452,6 +478,19 b' the GET/PUT request.'
452	$LOCALIP - - [$~~LOGDATE~~$] "~~POST /.git/info/lfs/objects/batch HTTP/1.1"~~ 401 - (glob)	478	$LOCALIP - - [$LOGDATE$] "POST /.git/info/lfs/objects/batch HTTP/1.1" 401 - (glob)
453	$LOCALIP - - [$~~LOGDATE~~$] "~~POST /.git/info/lfs/objects/batch HTTP/1.1"~~ 200 - (glob)	479	$LOCALIP - - [$LOGDATE$] "POST /.git/info/lfs/objects/batch HTTP/1.1" 200 - (glob)
454	$LOCALIP - - [$~~LOGDATE~~$] "~~GET /.hg/lfs/objects/276f73cfd75f9fb519810df5f5d96d6594ca2521abd86cbcd92122f7d51a1f3d HTTP/1.1"~~ 200 - (glob)	480	$LOCALIP - - [$LOGDATE$] "GET /.hg/lfs/objects/276f73cfd75f9fb519810df5f5d96d6594ca2521abd86cbcd92122f7d51a1f3d HTTP/1.1" 200 - (glob)
		481	$LOCALIP - - [$LOGDATE$] "GET /?cmd=capabilities HTTP/1.1" 401 - x-hgtest-authtype:Digest (glob)
		482	$LOCALIP - - [$LOGDATE$] "GET /?cmd=capabilities HTTP/1.1" 200 - x-hgtest-authtype:Digest (glob)
		483	$LOCALIP - - [$LOGDATE$] "GET /?cmd=batch HTTP/1.1" 401 - x-hgarg-1:cmds=heads+%3Bknown+nodes%3D525251863cad618e55d483555f3d00a2ca99597e+4d9397055dc0c205f3132f331f36353ab1a525a3 x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull x-hgtest-authtype:Digest (glob)
		484	$LOCALIP - - [$LOGDATE$] "GET /?cmd=batch HTTP/1.1" 200 - x-hgarg-1:cmds=heads+%3Bknown+nodes%3D525251863cad618e55d483555f3d00a2ca99597e+4d9397055dc0c205f3132f331f36353ab1a525a3 x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull x-hgtest-authtype:Digest (glob)
		485	$LOCALIP - - [$LOGDATE$] "GET /?cmd=listkeys HTTP/1.1" 401 - x-hgarg-1:namespace=phases x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull x-hgtest-authtype:Digest (glob)
		486	$LOCALIP - - [$LOGDATE$] "GET /?cmd=listkeys HTTP/1.1" 200 - x-hgarg-1:namespace=phases x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull x-hgtest-authtype:Digest (glob)
		487	$LOCALIP - - [$LOGDATE$] "GET /?cmd=listkeys HTTP/1.1" 401 - x-hgarg-1:namespace=bookmarks x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull x-hgtest-authtype:Digest (glob)
		488	$LOCALIP - - [$LOGDATE$] "GET /?cmd=listkeys HTTP/1.1" 200 - x-hgarg-1:namespace=bookmarks x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull x-hgtest-authtype:Digest (glob)
		489	$LOCALIP - - [$LOGDATE$] "GET /?cmd=branchmap HTTP/1.1" 401 - x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull x-hgtest-authtype:Digest (glob)
		490	$LOCALIP - - [$LOGDATE$] "GET /?cmd=branchmap HTTP/1.1" 200 - x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull x-hgtest-authtype:Digest (glob)
		491	$LOCALIP - - [$LOGDATE$] "GET /?cmd=listkeys HTTP/1.1" 401 - x-hgarg-1:namespace=bookmarks x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull x-hgtest-authtype:Digest (glob)
		492	$LOCALIP - - [$LOGDATE$] "GET /?cmd=listkeys HTTP/1.1" 200 - x-hgarg-1:namespace=bookmarks x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull x-hgtest-authtype:Digest (glob)
		493	$LOCALIP - - [$LOGDATE$] "POST /.git/info/lfs/objects/batch HTTP/1.1" 401 - x-hgtest-authtype:Digest (glob)
455	$LOCALIP - - [$~~LOGDATE~~$] "~~GET /?cmd=capabilities HTTP/1.1"~~ 401 - (glob)	494	$LOCALIP - - [$LOGDATE$] "GET /?cmd=capabilities HTTP/1.1" 401 - (glob)
456	$LOCALIP - - [$~~LOGDATE~~$] "~~GET /?cmd=capabilities HTTP/1.1"~~ 200 - (glob)	495	$LOCALIP - - [$LOGDATE$] "GET /?cmd=capabilities HTTP/1.1" 200 - (glob)
457	$LOCALIP - - [$~~LOGDATE~~$] "~~GET /?cmd=batch HTTP/1.1"~~ 200 - x-hgarg-1:cmds=heads+%3Bknown+nodes%3D525251863cad618e55d483555f3d00a2ca99597e+4d9397055dc0c205f3132f331f36353ab1a525a3 x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull (glob)	496	$LOCALIP - - [$LOGDATE$] "GET /?cmd=batch HTTP/1.1" 200 - x-hgarg-1:cmds=heads+%3Bknown+nodes%3D525251863cad618e55d483555f3d00a2ca99597e+4d9397055dc0c205f3132f331f36353ab1a525a3 x-hgproto-1:0.1 0.2 comp=$USUAL_COMPRESSIONS$ partial-pull (glob)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages