acl: add bookmarks support...
idlsoft -
r38550:6beb8347 @66 default
@@ -57,6 +57,28 b' access control. Keys in these sections a'
57 57 a glob syntax by default). The corresponding values follow the same
58 58 syntax as the other sections above.
59 59
60 Bookmark-based Access Control
61 -----------------------------
62 Use the ``acl.deny.bookmarks`` and ``acl.allow.bookmarks`` sections to
63 have bookmark-based access control. Keys in these sections can be
64 either:
65
66 - a bookmark name, or
67 - an asterisk, to match any bookmark;
68
69 The corresponding values can be either:
70
71 - a comma-separated list containing users and groups, or
72 - an asterisk, to match anyone;
73
74 You can add the "!" prefix to a user or group name to invert the sense
75 of the match.
76
77 Note: for interactions between clients and servers using Mercurial 3.6+
78 a rejection will generally reject the entire push, for interactions
79 involving older clients, the commit transactions will already be accepted,
80 and only the bookmark movement will be rejected.
81
60 82 Groups
61 83 ------
62 84
@@ -326,9 +348,10 b' def hook(ui, repo, hooktype, node=None, '
326 348
327 349 ensureenabled(ui)
328 350
329 if hooktype not in ['pretxnchangegroup', 'pretxncommit']:
330 raise error.Abort(_('config error - hook type "%s" cannot stop '
331 'incoming changesets nor commits') % hooktype)
351 if hooktype not in ['pretxnchangegroup', 'pretxncommit', 'prepushkey']:
352 raise error.Abort(
353 _('config error - hook type "%s" cannot stop '
354 'incoming changesets, commits, nor bookmarks') % hooktype)
332 355 if (hooktype == 'pretxnchangegroup' and
333 356 source not in ui.configlist('acl', 'sources')):
334 357 ui.debug('acl: changes have source "%s" - skipping\n' % source)
@@ -345,6 +368,30 b' def hook(ui, repo, hooktype, node=None, '
345 368
346 369 ui.debug('acl: checking access for user "%s"\n' % user)
347 370
371 if hooktype == 'prepushkey':
372 _pkhook(ui, repo, hooktype, node, source, user, **kwargs)
373 else:
374 _txnhook(ui, repo, hooktype, node, source, user, **kwargs)
375
376 def _pkhook(ui, repo, hooktype, node, source, user, **kwargs):
377 if kwargs['namespace'] == 'bookmarks':
378 bookmark = kwargs['key']
379 ctx = kwargs['new']
380 allowbookmarks = buildmatch(ui, None, user, 'acl.allow.bookmarks')
381 denybookmarks = buildmatch(ui, None, user, 'acl.deny.bookmarks')
382
383 if denybookmarks and denybookmarks(bookmark):
384 raise error.Abort(_('acl: user "%s" denied on bookmark "%s"'
385 ' (changeset "%s")')
386 % (user, bookmark, ctx))
387 if allowbookmarks and not allowbookmarks(bookmark):
388 raise error.Abort(_('acl: user "%s" not allowed on bookmark "%s"'
389 ' (changeset "%s")')
390 % (user, bookmark, ctx))
391 ui.debug('acl: bookmark access granted: "%s" on bookmark "%s"\n'
392 % (ctx, bookmark))
393
394 def _txnhook(ui, repo, hooktype, node, source, user, **kwargs):
348 395 # deprecated config: acl.config
349 396 cfg = ui.config('acl', 'config')
350 397 if cfg:
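Review bot: The new "Bookmark-based Access Control" help text (new lines 60-80) does not say that `acl.allow.bookmarks` and `acl.deny.bookmarks` are only evaluated when the hook is also registered as `prepushkey.acl = python:hgext.acl.hook`. No hunk in this section touches the hook-registration example, so a server that keeps only `pretxnchangegroup.acl` and adds a deny section would apparently get no bookmark enforcement and no log message about it. I would add a sentence to that help section such as `Bookmark rules are enforced only if the hook is also configured as prepushkey.acl = python:hgext.acl.hook; without it these sections are ignored.` Separately, `_pkhook` (new line 376) has no docstring and returns silently for every pushkey namespace other than `bookmarks`; a one-line docstring such as `"""Check bookmark ACLs for a prepushkey hook; other pushkey namespaces are not restricted."""` would make that pass-through explicit. `hook()` and `_txnhook()` both continue outside the hunks shown.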
@@ -15,7 +15,7 b''
15 15 > # LOGNAME=$user hg --cws a --debug push ../b
16 16 > # fails with "This variable is read only."
17 17 > # Use env to work around this.
18 > env LOGNAME=$user hg --cwd a --debug push ../b
18 > env LOGNAME=$user hg --cwd a --debug push ../b $*
19 19 > hg --cwd b rollback
20 20 > hg --cwd b --quiet tip
21 21 > echo
@@ -47,6 +47,7 b''
47 47 > cat > $config <<EOF
48 48 > [hooks]
49 49 > pretxnchangegroup.acl = python:hgext.acl.hook
50 > prepushkey.acl = python:hgext.acl.hook
50 51 > [acl]
51 52 > sources = push
52 53 > [extensions]
@@ -148,6 +149,7 b' Extension disabled for lack of a hook'
148 149
149 150 $ echo '[hooks]' >> $config
150 151 $ echo 'pretxnchangegroup.acl = python:hgext.acl.hook' >> $config
152 $ echo 'prepushkey.acl = python:hgext.acl.hook' >> $config
151 153
152 154 Extension disabled for lack of acl.sources
153 155
@@ -156,6 +158,7 b' Extension disabled for lack of acl.sourc'
156 158 hgrc = """
157 159 [hooks]
158 160 pretxnchangegroup.acl = python:hgext.acl.hook
161 prepushkey.acl = python:hgext.acl.hook
159 162 """
160 163 pushing to ../b
161 164 query 1; heads
@@ -220,6 +223,7 b' No [acl.allow]/[acl.deny]'
220 223 hgrc = """
221 224 [hooks]
222 225 pretxnchangegroup.acl = python:hgext.acl.hook
226 prepushkey.acl = python:hgext.acl.hook
223 227 [acl]
224 228 sources = push
225 229 """
@@ -295,6 +299,7 b' Empty [acl.allow]'
295 299 hgrc = """
296 300 [hooks]
297 301 pretxnchangegroup.acl = python:hgext.acl.hook
302 prepushkey.acl = python:hgext.acl.hook
298 303 [acl]
299 304 sources = push
300 305 [acl.allow]
@@ -362,6 +367,7 b' fred is allowed inside foo/'
362 367 hgrc = """
363 368 [hooks]
364 369 pretxnchangegroup.acl = python:hgext.acl.hook
370 prepushkey.acl = python:hgext.acl.hook
365 371 [acl]
366 372 sources = push
367 373 [acl.allow]
@@ -434,6 +440,7 b' Empty [acl.deny]'
434 440 hgrc = """
435 441 [hooks]
436 442 pretxnchangegroup.acl = python:hgext.acl.hook
443 prepushkey.acl = python:hgext.acl.hook
437 444 [acl]
438 445 sources = push
439 446 [acl.allow]
@@ -503,6 +510,7 b' fred is allowed inside foo/, but not foo'
503 510 hgrc = """
504 511 [hooks]
505 512 pretxnchangegroup.acl = python:hgext.acl.hook
513 prepushkey.acl = python:hgext.acl.hook
506 514 [acl]
507 515 sources = push
508 516 [acl.allow]
@@ -577,6 +585,7 b' fred is allowed inside foo/, but not foo'
577 585 hgrc = """
578 586 [hooks]
579 587 pretxnchangegroup.acl = python:hgext.acl.hook
588 prepushkey.acl = python:hgext.acl.hook
580 589 [acl]
581 590 sources = push
582 591 [acl.allow]
@@ -649,6 +658,7 b' fred is allowed inside foo/, but not foo'
649 658 hgrc = """
650 659 [hooks]
651 660 pretxnchangegroup.acl = python:hgext.acl.hook
661 prepushkey.acl = python:hgext.acl.hook
652 662 [acl]
653 663 sources = push
654 664 [acl.allow]
@@ -712,6 +722,178 b' fred is allowed inside foo/, but not foo'
712 722 0:6675d58eff77
713 723
714 724
725 fred is not blocked from moving bookmarks
726
727 $ hg -R a book -q moving-bookmark -r 1
728 $ hg -R b book -q moving-bookmark -r 0
729 $ cp $config normalconfig
730 $ do_push fred -r 1
731 Pushing as user fred
732 hgrc = """
733 [hooks]
734 pretxnchangegroup.acl = python:hgext.acl.hook
735 prepushkey.acl = python:hgext.acl.hook
736 [acl]
737 sources = push
738 [acl.allow]
739 foo/** = fred
740 [acl.deny]
741 foo/bar/** = fred
742 foo/Bar/** = fred
743 """
744 pushing to ../b
745 query 1; heads
746 searching for changes
747 all remote heads known locally
748 listing keys for "phases"
749 checking for updated bookmarks
750 listing keys for "bookmarks"
751 listing keys for "bookmarks"
752 1 changesets found
753 list of changesets:
754 ef1ea85a6374b77d6da9dcda9541f498f2d17df7
755 bundle2-output-bundle: "HG20", 7 parts total
756 bundle2-output-part: "replycaps" 205 bytes payload
757 bundle2-output-part: "check:bookmarks" 37 bytes payload
758 bundle2-output-part: "check:phases" 24 bytes payload
759 bundle2-output-part: "check:heads" streamed payload
760 bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
761 bundle2-output-part: "phase-heads" 24 bytes payload
762 bundle2-output-part: "bookmarks" 37 bytes payload
763 bundle2-input-bundle: with-transaction
764 bundle2-input-part: "replycaps" supported
765 bundle2-input-part: total payload size 205
766 bundle2-input-part: "check:bookmarks" supported
767 bundle2-input-part: total payload size 37
768 bundle2-input-part: "check:phases" supported
769 bundle2-input-part: total payload size 24
770 bundle2-input-part: "check:heads" supported
771 bundle2-input-part: total payload size 20
772 bundle2-input-part: "changegroup" (params: 1 mandatory) supported
773 adding changesets
774 add changeset ef1ea85a6374
775 adding manifests
776 adding file changes
777 adding foo/file.txt revisions
778 added 1 changesets with 1 changes to 1 files
779 calling hook pretxnchangegroup.acl: hgext.acl.hook
780 acl: checking access for user "fred"
781 acl: acl.allow.branches not enabled
782 acl: acl.deny.branches not enabled
783 acl: acl.allow enabled, 1 entries for user fred
784 acl: acl.deny enabled, 2 entries for user fred
785 acl: branch access granted: "ef1ea85a6374" on branch "default"
786 acl: path access granted: "ef1ea85a6374"
787 bundle2-input-part: total payload size 520
788 bundle2-input-part: "phase-heads" supported
789 bundle2-input-part: total payload size 24
790 bundle2-input-part: "bookmarks" supported
791 bundle2-input-part: total payload size 37
792 calling hook prepushkey.acl: hgext.acl.hook
793 acl: checking access for user "fred"
794 acl: acl.allow.bookmarks not enabled
795 acl: acl.deny.bookmarks not enabled
796 acl: bookmark access granted: "ef1ea85a6374b77d6da9dcda9541f498f2d17df7" on bookmark "moving-bookmark"
797 bundle2-input-bundle: 6 parts total
798 updating the branch cache
799 bundle2-output-bundle: "HG20", 1 parts total
800 bundle2-output-part: "reply:changegroup" (advisory) (params: 0 advisory) empty payload
801 bundle2-input-bundle: no-transaction
802 bundle2-input-part: "reply:changegroup" (advisory) (params: 0 advisory) supported
803 bundle2-input-bundle: 0 parts total
804 updating bookmark moving-bookmark
805 listing keys for "phases"
806 repository tip rolled back to revision 0 (undo push)
807 0:6675d58eff77
808
809
810 fred is not allowed to move bookmarks
811
812 $ echo '[acl.deny.bookmarks]' >> $config
813 $ echo '* = fred' >> $config
814 $ do_push fred -r 1
815 Pushing as user fred
816 hgrc = """
817 [hooks]
818 pretxnchangegroup.acl = python:hgext.acl.hook
819 prepushkey.acl = python:hgext.acl.hook
820 [acl]
821 sources = push
822 [acl.allow]
823 foo/** = fred
824 [acl.deny]
825 foo/bar/** = fred
826 foo/Bar/** = fred
827 [acl.deny.bookmarks]
828 * = fred
829 """
830 pushing to ../b
831 query 1; heads
832 searching for changes
833 all remote heads known locally
834 listing keys for "phases"
835 checking for updated bookmarks
836 listing keys for "bookmarks"
837 listing keys for "bookmarks"
838 1 changesets found
839 list of changesets:
840 ef1ea85a6374b77d6da9dcda9541f498f2d17df7
841 bundle2-output-bundle: "HG20", 7 parts total
842 bundle2-output-part: "replycaps" 205 bytes payload
843 bundle2-output-part: "check:bookmarks" 37 bytes payload
844 bundle2-output-part: "check:phases" 24 bytes payload
845 bundle2-output-part: "check:heads" streamed payload
846 bundle2-output-part: "changegroup" (params: 1 mandatory) streamed payload
847 bundle2-output-part: "phase-heads" 24 bytes payload
848 bundle2-output-part: "bookmarks" 37 bytes payload
849 bundle2-input-bundle: with-transaction
850 bundle2-input-part: "replycaps" supported
851 bundle2-input-part: total payload size 205
852 bundle2-input-part: "check:bookmarks" supported
853 bundle2-input-part: total payload size 37
854 bundle2-input-part: "check:phases" supported
855 bundle2-input-part: total payload size 24
856 bundle2-input-part: "check:heads" supported
857 bundle2-input-part: total payload size 20
858 bundle2-input-part: "changegroup" (params: 1 mandatory) supported
859 adding changesets
860 add changeset ef1ea85a6374
861 adding manifests
862 adding file changes
863 adding foo/file.txt revisions
864 added 1 changesets with 1 changes to 1 files
865 calling hook pretxnchangegroup.acl: hgext.acl.hook
866 acl: checking access for user "fred"
867 acl: acl.allow.branches not enabled
868 acl: acl.deny.branches not enabled
869 acl: acl.allow enabled, 1 entries for user fred
870 acl: acl.deny enabled, 2 entries for user fred
871 acl: branch access granted: "ef1ea85a6374" on branch "default"
872 acl: path access granted: "ef1ea85a6374"
873 bundle2-input-part: total payload size 520
874 bundle2-input-part: "phase-heads" supported
875 bundle2-input-part: total payload size 24
876 bundle2-input-part: "bookmarks" supported
877 bundle2-input-part: total payload size 37
878 calling hook prepushkey.acl: hgext.acl.hook
879 acl: checking access for user "fred"
880 acl: acl.allow.bookmarks not enabled
881 acl: acl.deny.bookmarks enabled, 1 entries for user fred
882 error: prepushkey.acl hook failed: acl: user "fred" denied on bookmark "moving-bookmark" (changeset "ef1ea85a6374b77d6da9dcda9541f498f2d17df7")
883 bundle2-input-bundle: 6 parts total
884 transaction abort!
885 rollback completed
886 abort: acl: user "fred" denied on bookmark "moving-bookmark" (changeset "ef1ea85a6374b77d6da9dcda9541f498f2d17df7")
887 no rollback information available
888 0:6675d58eff77
889
890
891 cleanup bookmark stuff
892
893 $ hg book -R a -d moving-bookmark
894 $ hg book -R b -d moving-bookmark
895 $ cp normalconfig $config
896
715 897 barney is allowed everywhere
716 898
717 899 $ echo '[acl.allow]' >> $config
@@ -721,6 +903,7 b' barney is allowed everywhere'
721 903 hgrc = """
722 904 [hooks]
723 905 pretxnchangegroup.acl = python:hgext.acl.hook
906 prepushkey.acl = python:hgext.acl.hook
724 907 [acl]
725 908 sources = push
726 909 [acl.allow]
@@ -803,6 +986,7 b' wilma can change files with a .txt exten'
803 986 hgrc = """
804 987 [hooks]
805 988 pretxnchangegroup.acl = python:hgext.acl.hook
989 prepushkey.acl = python:hgext.acl.hook
806 990 [acl]
807 991 sources = push
808 992 [acl.allow]
@@ -882,6 +1066,7 b' file specified by acl.config does not ex'
882 1066 hgrc = """
883 1067 [hooks]
884 1068 pretxnchangegroup.acl = python:hgext.acl.hook
1069 prepushkey.acl = python:hgext.acl.hook
885 1070 [acl]
886 1071 sources = push
887 1072 [acl.allow]
@@ -954,6 +1139,7 b' betty is allowed inside foo/ by a acl.co'
954 1139 hgrc = """
955 1140 [hooks]
956 1141 pretxnchangegroup.acl = python:hgext.acl.hook
1142 prepushkey.acl = python:hgext.acl.hook
957 1143 [acl]
958 1144 sources = push
959 1145 [acl.allow]
@@ -1039,6 +1225,7 b' acl.config can set only [acl.allow]/[acl'
1039 1225 hgrc = """
1040 1226 [hooks]
1041 1227 pretxnchangegroup.acl = python:hgext.acl.hook
1228 prepushkey.acl = python:hgext.acl.hook
1042 1229 [acl]
1043 1230 sources = push
1044 1231 [acl.allow]
@@ -1138,6 +1325,7 b' fred is always allowed'
1138 1325 hgrc = """
1139 1326 [hooks]
1140 1327 pretxnchangegroup.acl = python:hgext.acl.hook
1328 prepushkey.acl = python:hgext.acl.hook
1141 1329 [acl]
1142 1330 sources = push
1143 1331 [extensions]
@@ -1219,6 +1407,7 b' no one is allowed inside foo/Bar/'
1219 1407 hgrc = """
1220 1408 [hooks]
1221 1409 pretxnchangegroup.acl = python:hgext.acl.hook
1410 prepushkey.acl = python:hgext.acl.hook
1222 1411 [acl]
1223 1412 sources = push
1224 1413 [extensions]
@@ -1301,6 +1490,7 b' OS-level groups'
1301 1490 hgrc = """
1302 1491 [hooks]
1303 1492 pretxnchangegroup.acl = python:hgext.acl.hook
1493 prepushkey.acl = python:hgext.acl.hook
1304 1494 [acl]
1305 1495 sources = push
1306 1496 [extensions]
@@ -1383,6 +1573,7 b' OS-level groups'
1383 1573 hgrc = """
1384 1574 [hooks]
1385 1575 pretxnchangegroup.acl = python:hgext.acl.hook
1576 prepushkey.acl = python:hgext.acl.hook
1386 1577 [acl]
1387 1578 sources = push
1388 1579 [extensions]
@@ -1507,6 +1698,7 b' No branch acls specified'
1507 1698 hgrc = """
1508 1699 [hooks]
1509 1700 pretxnchangegroup.acl = python:hgext.acl.hook
1701 prepushkey.acl = python:hgext.acl.hook
1510 1702 [acl]
1511 1703 sources = push
1512 1704 [extensions]
@@ -1590,6 +1782,7 b' Branch acl deny test'
1590 1782 hgrc = """
1591 1783 [hooks]
1592 1784 pretxnchangegroup.acl = python:hgext.acl.hook
1785 prepushkey.acl = python:hgext.acl.hook
1593 1786 [acl]
1594 1787 sources = push
1595 1788 [extensions]
@@ -1669,6 +1862,7 b' Branch acl empty allow test'
1669 1862 hgrc = """
1670 1863 [hooks]
1671 1864 pretxnchangegroup.acl = python:hgext.acl.hook
1865 prepushkey.acl = python:hgext.acl.hook
1672 1866 [acl]
1673 1867 sources = push
1674 1868 [extensions]
@@ -1742,6 +1936,7 b' Branch acl allow other'
1742 1936 hgrc = """
1743 1937 [hooks]
1744 1938 pretxnchangegroup.acl = python:hgext.acl.hook
1939 prepushkey.acl = python:hgext.acl.hook
1745 1940 [acl]
1746 1941 sources = push
1747 1942 [extensions]
@@ -1810,6 +2005,7 b' Branch acl allow other'
1810 2005 hgrc = """
1811 2006 [hooks]
1812 2007 pretxnchangegroup.acl = python:hgext.acl.hook
2008 prepushkey.acl = python:hgext.acl.hook
1813 2009 [acl]
1814 2010 sources = push
1815 2011 [extensions]
@@ -1899,6 +2095,7 b' push foobar into the remote'
1899 2095 hgrc = """
1900 2096 [hooks]
1901 2097 pretxnchangegroup.acl = python:hgext.acl.hook
2098 prepushkey.acl = python:hgext.acl.hook
1902 2099 [acl]
1903 2100 sources = push
1904 2101 [extensions]
@@ -1987,6 +2184,7 b' Branch acl conflicting deny'
1987 2184 hgrc = """
1988 2185 [hooks]
1989 2186 pretxnchangegroup.acl = python:hgext.acl.hook
2187 prepushkey.acl = python:hgext.acl.hook
1990 2188 [acl]
1991 2189 sources = push
1992 2190 [extensions]
@@ -2062,6 +2260,7 b" User 'astro' must not be denied"
2062 2260 hgrc = """
2063 2261 [hooks]
2064 2262 pretxnchangegroup.acl = python:hgext.acl.hook
2263 prepushkey.acl = python:hgext.acl.hook
2065 2264 [acl]
2066 2265 sources = push
2067 2266 [extensions]
@@ -2145,6 +2344,7 b' Non-astro users must be denied'
2145 2344 hgrc = """
2146 2345 [hooks]
2147 2346 pretxnchangegroup.acl = python:hgext.acl.hook
2347 prepushkey.acl = python:hgext.acl.hook
2148 2348 [acl]
2149 2349 sources = push
2150 2350 [extensions]
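Review bot: The two bookmark cases added at new lines 725-895 cover only the unconfigured path and a `[acl.deny.bookmarks]` entry of `* = fred`, so the allow-list branch of the new hook code (the `not allowed on bookmark` abort) and matching on a specific bookmark name are never exercised. An allow list that fails to reject is the dangerous failure mode for an ACL, so I would add a case that writes `[acl.allow.bookmarks]` with `moving-bookmark = barney`, pushes as fred, and expects `acl: user "fred" not allowed on bookmark "moving-bookmark"`. A further case for the documented "!" prefix would pin the inversion behaviour as well. The remaining hunks in this file only add the `prepushkey.acl` line to the echoed hgrc output.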