upstream/mercurial-mirror Commit - r13314:8dc488df

url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...

Mads Kiilerich -

r13314:8dc488df stable

parent child

doc/hgrc.5.txt

0 +18 0

             ======
              hgrc
             ======
             ---------------------------------
             configuration files for Mercurial
             ---------------------------------
             :Author:         Bryan O'Sullivan <bos@serpentine.com>
             :Organization:   Mercurial
             :Manual section: 5
             :Manual group:   Mercurial Manual
             .. contents::
                :backlinks: top
                :class: htmlonly
             Synopsis
             --------
             The Mercurial system uses a set of configuration files to control
             aspects of its behavior.
             Files
             -----
             Mercurial reads configuration data from several files, if they exist.
             The names of these files depend on the system on which Mercurial is
             installed. ``*.rc`` files from a single directory are read in
             alphabetical order, later ones overriding earlier ones. Where multiple
             paths are given below, settings from earlier paths override later
             ones.
             | (Unix, Windows) ``<repo>/.hg/hgrc``
                 Per-repository configuration options that only apply in a
                 particular repository. This file is not version-controlled, and
                 will not get transferred during a "clone" operation. Options in
                 this file override options in all other configuration files. On
                 Unix, most of this file will be ignored if it doesn't belong to a
                 trusted user or to a trusted group. See the documentation for the
                 trusted_ section below for more details.
             | (Unix) ``$HOME/.hgrc``
             | (Windows) ``%USERPROFILE%\.hgrc``
             | (Windows) ``%USERPROFILE%\Mercurial.ini``
             | (Windows) ``%HOME%\.hgrc``
             | (Windows) ``%HOME%\Mercurial.ini``
                 Per-user configuration file(s), for the user running Mercurial. On
                 Windows 9x, ``%HOME%`` is replaced by ``%APPDATA%``. Options in these
                 files apply to all Mercurial commands executed by this user in any
                 directory. Options in these files override per-system and per-installation
                 options.
             | (Unix) ``/etc/mercurial/hgrc``
             | (Unix) ``/etc/mercurial/hgrc.d/*.rc``
                 Per-system configuration files, for the system on which Mercurial
                 is running. Options in these files apply to all Mercurial commands
                 executed by any user in any directory. Options in these files
                 override per-installation options.
             | (Unix) ``<install-root>/etc/mercurial/hgrc``
             | (Unix) ``<install-root>/etc/mercurial/hgrc.d/*.rc``
                 Per-installation configuration files, searched for in the
                 directory where Mercurial is installed. ``<install-root>`` is the
                 parent directory of the **hg** executable (or symlink) being run. For
                 example, if installed in ``/shared/tools/bin/hg``, Mercurial will look
                 in ``/shared/tools/etc/mercurial/hgrc``. Options in these files apply
                 to all Mercurial commands executed by any user in any directory.
             | (Windows) ``<install-dir>\Mercurial.ini``
             | (Windows) ``<install-dir>\hgrc.d\*.rc``
             | (Windows) ``HKEY_LOCAL_MACHINE\SOFTWARE\Mercurial``
                 Per-installation/system configuration files, for the system on
                 which Mercurial is running. Options in these files apply to all
                 Mercurial commands executed by any user in any directory. Registry
                 keys contain PATH-like strings, every part of which must reference
                 a ``Mercurial.ini`` file or be a directory where ``*.rc`` files will
                 be read.  Mercurial checks each of these locations in the specified
                 order until one or more configuration files are detected.  If the
                 pywin32 extensions are not installed, Mercurial will only look for
                 site-wide configuration in ``C:\Mercurial\Mercurial.ini``.
             Syntax
             ------
             A configuration file consists of sections, led by a ``[section]`` header
             and followed by ``name = value`` entries (sometimes called
             ``configuration keys``)::
                 [spam]
                 eggs=ham
                 green=
                    eggs
             Each line contains one entry. If the lines that follow are indented,
             they are treated as continuations of that entry. Leading whitespace is
             removed from values. Empty lines are skipped. Lines beginning with
             ``#`` or ``;`` are ignored and may be used to provide comments.
             Configuration keys can be set multiple times, in which case mercurial
             will use the value that was configured last. As an example::
                 [spam]
                 eggs=large
                 ham=serrano
                 eggs=small
             This would set the configuration key named ``eggs`` to ``small``.
             It is also possible to define a section multiple times. A section can
             be redefined on the same and/or on different hgrc files. For example::
                 [foo]
                 eggs=large
                 ham=serrano
                 eggs=small
                 [bar]
                 eggs=ham
                 green=
                    eggs
                 [foo]
                 ham=prosciutto
                 eggs=medium
                 bread=toasted
             This would set the ``eggs``, ``ham``, and ``bread`` configuration keys
             of the ``foo`` section to ``medium``, ``prosciutto``, and ``toasted``,
             respectively. As you can see there only thing that matters is the last
             value that was set for each of the configuration keys.
             If a configuration key is set multiple times in different
             configuration files the final value will depend on the order in which
             the different configuration files are read, with settings from earlier
             paths overriding later ones as described on the ``Files`` section
             above.
             A line of the form ``%include file`` will include ``file`` into the
             current configuration file. The inclusion is recursive, which means
             that included files can include other files. Filenames are relative to
             the configuration file in which the ``%include`` directive is found.
             Environment variables and ``~user`` constructs are expanded in
             ``file``. This lets you do something like::
               %include ~/.hgrc.d/$HOST.rc
             to include a different configuration file on each computer you use.
             A line with ``%unset name`` will remove ``name`` from the current
             section, if it has been set previously.
             The values are either free-form text strings, lists of text strings,
             or Boolean values. Boolean values can be set to true using any of "1",
             "yes", "true", or "on" and to false using "0", "no", "false", or "off"
             (all case insensitive).
             List values are separated by whitespace or comma, except when values are
             placed in double quotation marks::
               allow_read = "John Doe, PhD", brian, betty
             Quotation marks can be escaped by prefixing them with a backslash. Only
             quotation marks at the beginning of a word is counted as a quotation
             (e.g., ``foo"bar baz`` is the list of ``foo"bar`` and ``baz``).
             Sections
             --------
             This section describes the different sections that may appear in a
             Mercurial "hgrc" file, the purpose of each section, its possible keys,
             and their possible values.
             ``alias``
             """""""""
             Defines command aliases.
             Aliases allow you to define your own commands in terms of other
             commands (or aliases), optionally including arguments.
             Alias definitions consist of lines of the form::
                 <alias> = <command> [<argument]...
             For example, this definition::
                 latest = log --limit 5
             creates a new command ``latest`` that shows only the five most recent
             changesets. You can define subsequent aliases using earlier ones::
                 stable5 = latest -b stable
             .. note:: It is possible to create aliases with the same names as
                existing commands, which will then override the original
                definitions. This is almost always a bad idea!
             ``auth``
             """"""""
             Authentication credentials for HTTP authentication. This section
             allows you to store usernames and passwords for use when logging
             *into* HTTP servers. See the web_ configuration section if you want to
             configure *who* can login to your HTTP server.
             Each line has the following format::
                 <name>.<argument> = <value>
             where ``<name>`` is used to group arguments into authentication
             entries. Example::
                 foo.prefix = hg.intevation.org/mercurial
                 foo.username = foo
                 foo.password = bar
                 foo.schemes = http https
                 bar.prefix = secure.example.org
                 bar.key = path/to/file.key
                 bar.cert = path/to/file.cert
                 bar.schemes = https
             Supported arguments:
             ``prefix``
                 Either ``*`` or a URI prefix with or without the scheme part.
                 The authentication entry with the longest matching prefix is used
                 (where ``*`` matches everything and counts as a match of length
 ). If the prefix doesn't include a scheme, the match is performed
                 against the URI with its scheme stripped as well, and the schemes
                 argument, q.v., is then subsequently consulted.
             ``username``
                 Optional. Username to authenticate with. If not given, and the
                 remote site requires basic or digest authentication, the user will
                 be prompted for it. Environment variables are expanded in the
                 username letting you do ``foo.username = $USER``.
             ``password``
                 Optional. Password to authenticate with. If not given, and the
                 remote site requires basic or digest authentication, the user
                 will be prompted for it.
             ``key``
                 Optional. PEM encoded client certificate key file. Environment
                 variables are expanded in the filename.
             ``cert``
                 Optional. PEM encoded client certificate chain file. Environment
                 variables are expanded in the filename.
             ``schemes``
                 Optional. Space separated list of URI schemes to use this
                 authentication entry with. Only used if the prefix doesn't include
                 a scheme. Supported schemes are http and https. They will match
                 static-http and static-https respectively, as well.
                 Default: https.
             If no suitable authentication entry is found, the user is prompted
             for credentials as usual if required by the remote.
             ``decode/encode``
             """""""""""""""""
             Filters for transforming files on checkout/checkin. This would
             typically be used for newline processing or other
             localization/canonicalization of files.
             Filters consist of a filter pattern followed by a filter command.
             Filter patterns are globs by default, rooted at the repository root.
             For example, to match any file ending in ``.txt`` in the root
             directory only, use the pattern ``*.txt``. To match any file ending
             in ``.c`` anywhere in the repository, use the pattern ``**.c``.
             For each file only the first matching filter applies.
             The filter command can start with a specifier, either ``pipe:`` or
             ``tempfile:``. If no specifier is given, ``pipe:`` is used by default.
             A ``pipe:`` command must accept data on stdin and return the transformed
             data on stdout.
             Pipe example::
               [encode]
               # uncompress gzip files on checkin to improve delta compression
               # note: not necessarily a good idea, just an example
               *.gz = pipe: gunzip
               [decode]
               # recompress gzip files when writing them to the working dir (we
               # can safely omit "pipe:", because it's the default)
               *.gz = gzip
             A ``tempfile:`` command is a template. The string ``INFILE`` is replaced
             with the name of a temporary file that contains the data to be
             filtered by the command. The string ``OUTFILE`` is replaced with the name
             of an empty temporary file, where the filtered data must be written by
             the command.
             .. note:: The tempfile mechanism is recommended for Windows systems,
                where the standard shell I/O redirection operators often have
                strange effects and may corrupt the contents of your files.
             This filter mechanism is used internally by the ``eol`` extension to
             translate line ending characters between Windows (CRLF) and Unix (LF)
             format. We suggest you use the ``eol`` extension for convenience.
             ``defaults``
             """"""""""""
             (defaults are deprecated. Don't use them. Use aliases instead)
             Use the ``[defaults]`` section to define command defaults, i.e. the
             default options/arguments to pass to the specified commands.
             The following example makes :hg:`log` run in verbose mode, and
             :hg:`status` show only the modified files, by default::
               [defaults]
               log = -v
               status = -m
             The actual commands, instead of their aliases, must be used when
             defining command defaults. The command defaults will also be applied
             to the aliases of the commands defined.
             ``diff``
             """"""""
             Settings used when displaying diffs. They are all Boolean and
             defaults to False.
             ``git``
                 Use git extended diff format.
             ``nodates``
                 Don't include dates in diff headers.
             ``showfunc``
                 Show which function each change is in.
             ``ignorews``
                 Ignore white space when comparing lines.
             ``ignorewsamount``
                 Ignore changes in the amount of white space.
             ``ignoreblanklines``
                 Ignore changes whose lines are all blank.
             ``email``
             """""""""
             Settings for extensions that send email messages.
             ``from``
                 Optional. Email address to use in "From" header and SMTP envelope
                 of outgoing messages.
             ``to``
                 Optional. Comma-separated list of recipients' email addresses.
             ``cc``
                 Optional. Comma-separated list of carbon copy recipients'
                 email addresses.
             ``bcc``
                 Optional. Comma-separated list of blind carbon copy recipients'
                 email addresses.
             ``method``
                 Optional. Method to use to send email messages. If value is ``smtp``
                 (default), use SMTP (see the SMTP_ section for configuration).
                 Otherwise, use as name of program to run that acts like sendmail
                 (takes ``-f`` option for sender, list of recipients on command line,
                 message on stdin). Normally, setting this to ``sendmail`` or
                 ``/usr/sbin/sendmail`` is enough to use sendmail to send messages.
             ``charsets``
                 Optional. Comma-separated list of character sets considered
                 convenient for recipients. Addresses, headers, and parts not
                 containing patches of outgoing messages will be encoded in the
                 first character set to which conversion from local encoding
                 (``$HGENCODING``, ``ui.fallbackencoding``) succeeds. If correct
                 conversion fails, the text in question is sent as is. Defaults to
                 empty (explicit) list.
                 Order of outgoing email character sets:
 . ``us-ascii``: always first, regardless of settings
 . ``email.charsets``: in order given by user
 . ``ui.fallbackencoding``: if not in email.charsets
 . ``$HGENCODING``: if not in email.charsets
 . ``utf-8``: always last, regardless of settings
             Email example::
               [email]
               from = Joseph User <joe.user@example.com>
               method = /usr/sbin/sendmail
               # charsets for western Europeans
               # us-ascii, utf-8 omitted, as they are tried first and last
               charsets = iso-8859-1, iso-8859-15, windows-1252
             ``extensions``
             """"""""""""""
             Mercurial has an extension mechanism for adding new features. To
             enable an extension, create an entry for it in this section.
             If you know that the extension is already in Python's search path,
             you can give the name of the module, followed by ``=``, with nothing
             after the ``=``.
             Otherwise, give a name that you choose, followed by ``=``, followed by
             the path to the ``.py`` file (including the file name extension) that
             defines the extension.
             To explicitly disable an extension that is enabled in an hgrc of
             broader scope, prepend its path with ``!``, as in
             ``hgext.foo = !/ext/path`` or ``hgext.foo = !``  when path is not
             supplied.
             Example for ``~/.hgrc``::
               [extensions]
               # (the mq extension will get loaded from Mercurial's path)
               hgext.mq =
               # (this extension will get loaded from the file specified)
               myfeature = ~/.hgext/myfeature.py
+            ``hostfingerprints``
+            """"""""""""""""""""
+            Fingerprints of the certificates of known HTTPS servers.
+            A HTTPS connection to a server with a fingerprint configured here will
+            only succeed if the servers certificate matches the fingerprint.
+            This is very similar to how ssh known hosts works.
+            The fingerprint is the SHA-1 hash value of the DER encoded certificate.
+            The CA chain and web.cacerts is not used for servers with a fingerprint.
+            For example::
+                [hostfingerprints]
+                hg.intevation.org = 38:76:52:7c:87:26:9a:8f:4a:f8:d3:de:08:45:3b:ea:d6:4b:ee:cc
+            This feature is only supported when using Python 2.6 or later.
             ``format``
             """"""""""
             ``usestore``
                 Enable or disable the "store" repository format which improves
                 compatibility with systems that fold case or otherwise mangle
                 filenames. Enabled by default. Disabling this option will allow
                 you to store longer filenames in some situations at the expense of
                 compatibility and ensures that the on-disk format of newly created
                 repositories will be compatible with Mercurial before version 0.9.4.
             ``usefncache``
                 Enable or disable the "fncache" repository format which enhances
                 the "store" repository format (which has to be enabled to use
                 fncache) to allow longer filenames and avoids using Windows
                 reserved names, e.g. "nul". Enabled by default. Disabling this
                 option ensures that the on-disk format of newly created
                 repositories will be compatible with Mercurial before version 1.1.
             ``dotencode``
                 Enable or disable the "dotencode" repository format which enhances
                 the "fncache" repository format (which has to be enabled to use
                 dotencode) to avoid issues with filenames starting with ._ on
                 Mac OS X and spaces on Windows. Enabled by default. Disabling this
                 option ensures that the on-disk format of newly created
                 repositories will be compatible with Mercurial before version 1.7.
             ``merge-patterns``
             """"""""""""""""""
             This section specifies merge tools to associate with particular file
             patterns. Tools matched here will take precedence over the default
             merge tool. Patterns are globs by default, rooted at the repository
             root.
             Example::
               [merge-patterns]
               **.c = kdiff3
               **.jpg = myimgmerge
             ``merge-tools``
             """""""""""""""
             This section configures external merge tools to use for file-level
             merges.
             Example ``~/.hgrc``::
               [merge-tools]
               # Override stock tool location
               kdiff3.executable = ~/bin/kdiff3
               # Specify command line
               kdiff3.args = $base $local $other -o $output
               # Give higher priority
               kdiff3.priority = 1
               # Define new tool
               myHtmlTool.args = -m $local $other $base $output
               myHtmlTool.regkey = Software\FooSoftware\HtmlMerge
               myHtmlTool.priority = 1
             Supported arguments:
             ``priority``
               The priority in which to evaluate this tool.
               Default: 0.
             ``executable``
               Either just the name of the executable or its pathname.  On Windows,
               the path can use environment variables with ${ProgramFiles} syntax.
               Default: the tool name.
             ``args``
               The arguments to pass to the tool executable. You can refer to the
               files being merged as well as the output file through these
               variables: ``$base``, ``$local``, ``$other``, ``$output``.
               Default: ``$local $base $other``
             ``premerge``
               Attempt to run internal non-interactive 3-way merge tool before
               launching external tool.  Options are ``true``, ``false``, or ``keep``
               to leave markers in the file if the premerge fails.
               Default: True
             ``binary``
               This tool can merge binary files. Defaults to False, unless tool
               was selected by file pattern match.
             ``symlink``
               This tool can merge symlinks. Defaults to False, even if tool was
               selected by file pattern match.
             ``check``
               A list of merge success-checking options:
               ``changed``
                 Ask whether merge was successful when the merged file shows no changes.
               ``conflicts``
                 Check whether there are conflicts even though the tool reported success.
               ``prompt``
                 Always prompt for merge success, regardless of success reported by tool.
             ``checkchanged``
               True is equivalent to ``check = changed``.
               Default: False
             ``checkconflicts``
               True is equivalent to ``check = conflicts``.
               Default: False
             ``fixeol``
               Attempt to fix up EOL changes caused by the merge tool.
               Default: False
             ``gui``
               This tool requires a graphical interface to run. Default: False
             ``regkey``
               Windows registry key which describes install location of this
               tool. Mercurial will search for this key first under
               ``HKEY_CURRENT_USER`` and then under ``HKEY_LOCAL_MACHINE``.
               Default: None
             ``regname``
               Name of value to read from specified registry key. Defaults to the
               unnamed (default) value.
             ``regappend``
               String to append to the value read from the registry, typically
               the executable name of the tool.
               Default: None
             ``hooks``
             """""""""
             Commands or Python functions that get automatically executed by
             various actions such as starting or finishing a commit. Multiple
             hooks can be run for the same action by appending a suffix to the
             action. Overriding a site-wide hook can be done by changing its
             value or setting it to an empty string.
             Example ``.hg/hgrc``::
               [hooks]
               # update working directory after adding changesets
               changegroup.update = hg update
               # do not use the site-wide hook
               incoming =
               incoming.email = /my/email/hook
               incoming.autobuild = /my/build/hook
             Most hooks are run with environment variables set that give useful
             additional information. For each hook below, the environment
             variables it is passed are listed with names of the form ``$HG_foo``.
             ``changegroup``
               Run after a changegroup has been added via push, pull or unbundle.
               ID of the first new changeset is in ``$HG_NODE``. URL from which
               changes came is in ``$HG_URL``.
             ``commit``
               Run after a changeset has been created in the local repository. ID
               of the newly created changeset is in ``$HG_NODE``. Parent changeset
               IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
             ``incoming``
               Run after a changeset has been pulled, pushed, or unbundled into
               the local repository. The ID of the newly arrived changeset is in
               ``$HG_NODE``. URL that was source of changes came is in ``$HG_URL``.
             ``outgoing``
               Run after sending changes from local repository to another. ID of
               first changeset sent is in ``$HG_NODE``. Source of operation is in
               ``$HG_SOURCE``; see "preoutgoing" hook for description.
             ``post-<command>``
               Run after successful invocations of the associated command. The
               contents of the command line are passed as ``$HG_ARGS`` and the result
               code in ``$HG_RESULT``. Parsed command line arguments are passed as
               ``$HG_PATS`` and ``$HG_OPTS``. These contain string representations of
               the python data internally passed to <command>. ``$HG_OPTS`` is a
               dictionary of options (with unspecified options set to their defaults).
               ``$HG_PATS`` is a list of arguments. Hook failure is ignored.
             ``pre-<command>``
               Run before executing the associated command. The contents of the
               command line are passed as ``$HG_ARGS``. Parsed command line arguments
               are passed as ``$HG_PATS`` and ``$HG_OPTS``. These contain string
               representations of the data internally passed to <command>. ``$HG_OPTS``
               is a  dictionary of options (with unspecified options set to their
               defaults). ``$HG_PATS`` is a list of arguments. If the hook returns
               failure, the command doesn't execute and Mercurial returns the failure
               code.
             ``prechangegroup``
               Run before a changegroup is added via push, pull or unbundle. Exit
               status 0 allows the changegroup to proceed. Non-zero status will
               cause the push, pull or unbundle to fail. URL from which changes
               will come is in ``$HG_URL``.
             ``precommit``
               Run before starting a local commit. Exit status 0 allows the
               commit to proceed. Non-zero status will cause the commit to fail.
               Parent changeset IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
             ``preoutgoing``
               Run before collecting changes to send from the local repository to
               another. Non-zero status will cause failure. This lets you prevent
               pull over HTTP or SSH. Also prevents against local pull, push
               (outbound) or bundle commands, but not effective, since you can
               just copy files instead then. Source of operation is in
               ``$HG_SOURCE``. If "serve", operation is happening on behalf of remote
               SSH or HTTP repository. If "push", "pull" or "bundle", operation
               is happening on behalf of repository on same system.
             ``pretag``
               Run before creating a tag. Exit status 0 allows the tag to be
               created. Non-zero status will cause the tag to fail. ID of
               changeset to tag is in ``$HG_NODE``. Name of tag is in ``$HG_TAG``. Tag is
               local if ``$HG_LOCAL=1``, in repository if ``$HG_LOCAL=0``.
             ``pretxnchangegroup``
               Run after a changegroup has been added via push, pull or unbundle,
               but before the transaction has been committed. Changegroup is
               visible to hook program. This lets you validate incoming changes
               before accepting them. Passed the ID of the first new changeset in
               ``$HG_NODE``. Exit status 0 allows the transaction to commit. Non-zero
               status will cause the transaction to be rolled back and the push,
               pull or unbundle will fail. URL that was source of changes is in
               ``$HG_URL``.
             ``pretxncommit``
               Run after a changeset has been created but the transaction not yet
               committed. Changeset is visible to hook program. This lets you
               validate commit message and changes. Exit status 0 allows the
               commit to proceed. Non-zero status will cause the transaction to
               be rolled back. ID of changeset is in ``$HG_NODE``. Parent changeset
               IDs are in ``$HG_PARENT1`` and ``$HG_PARENT2``.
             ``preupdate``
               Run before updating the working directory. Exit status 0 allows
               the update to proceed. Non-zero status will prevent the update.
               Changeset ID of first new parent is in ``$HG_PARENT1``. If merge, ID
               of second new parent is in ``$HG_PARENT2``.
             ``tag``
               Run after a tag is created. ID of tagged changeset is in ``$HG_NODE``.
               Name of tag is in ``$HG_TAG``. Tag is local if ``$HG_LOCAL=1``, in
               repository if ``$HG_LOCAL=0``.
             ``update``
               Run after updating the working directory. Changeset ID of first
               new parent is in ``$HG_PARENT1``. If merge, ID of second new parent is
               in ``$HG_PARENT2``. If the update succeeded, ``$HG_ERROR=0``. If the
               update failed (e.g. because conflicts not resolved), ``$HG_ERROR=1``.
             .. note:: It is generally better to use standard hooks rather than the
                generic pre- and post- command hooks as they are guaranteed to be
                called in the appropriate contexts for influencing transactions.
                Also, hooks like "commit" will be called in all contexts that
                generate a commit (e.g. tag) and not just the commit command.
             .. note:: Environment variables with empty values may not be passed to
                hooks on platforms such as Windows. As an example, ``$HG_PARENT2``
                will have an empty value under Unix-like platforms for non-merge
                changesets, while it will not be available at all under Windows.
             The syntax for Python hooks is as follows::
               hookname = python:modulename.submodule.callable
               hookname = python:/path/to/python/module.py:callable
             Python hooks are run within the Mercurial process. Each hook is
             called with at least three keyword arguments: a ui object (keyword
             ``ui``), a repository object (keyword ``repo``), and a ``hooktype``
             keyword that tells what kind of hook is used. Arguments listed as
             environment variables above are passed as keyword arguments, with no
             ``HG_`` prefix, and names in lower case.
             If a Python hook returns a "true" value or raises an exception, this
             is treated as a failure.
             ``http_proxy``
             """"""""""""""
             Used to access web-based Mercurial repositories through a HTTP
             proxy.
             ``host``
                 Host name and (optional) port of the proxy server, for example
                 "myproxy:8000".
             ``no``
                 Optional. Comma-separated list of host names that should bypass
                 the proxy.
             ``passwd``
                 Optional. Password to authenticate with at the proxy server.
             ``user``
                 Optional. User name to authenticate with at the proxy server.
             ``always``
                 Optional. Always use the proxy, even for localhost and any entries
                 in ``http_proxy.no``. True or False. Default: False.
             ``smtp``
             """"""""
             Configuration for extensions that need to send email messages.
             ``host``
                 Host name of mail server, e.g. "mail.example.com".
             ``port``
                 Optional. Port to connect to on mail server. Default: 25.
             ``tls``
                 Optional. Whether to connect to mail server using TLS. True or
                 False. Default: False.
             ``username``
                 Optional. User name for authenticating with the SMTP server.
                 Default: none.
             ``password``
                 Optional. Password for authenticating with the SMTP server. If not
                 specified, interactive sessions will prompt the user for a
                 password; non-interactive sessions will fail. Default: none.
             ``local_hostname``
                 Optional. It's the hostname that the sender can use to identify
                 itself to the MTA.
             ``patch``
             """""""""
             Settings used when applying patches, for instance through the 'import'
             command or with Mercurial Queues extension.
             ``eol``
                 When set to 'strict' patch content and patched files end of lines
                 are preserved. When set to ``lf`` or ``crlf``, both files end of
                 lines are ignored when patching and the result line endings are
                 normalized to either LF (Unix) or CRLF (Windows). When set to
                 ``auto``, end of lines are again ignored while patching but line
                 endings in patched files are normalized to their original setting
                 on a per-file basis. If target file does not exist or has no end
                 of line, patch line endings are preserved.
                 Default: strict.
             ``paths``
             """""""""
             Assigns symbolic names to repositories. The left side is the
             symbolic name, and the right gives the directory or URL that is the
             location of the repository. Default paths can be declared by setting
             the following entries.
             ``default``
                 Directory or URL to use when pulling if no source is specified.
                 Default is set to repository from which the current repository was
                 cloned.
             ``default-push``
                 Optional. Directory or URL to use when pushing if no destination
                 is specified.
             ``profiling``
             """""""""""""
             Specifies profiling format and file output. In this section
             description, 'profiling data' stands for the raw data collected
             during profiling, while 'profiling report' stands for a statistical
             text report generated from the profiling data. The profiling is done
             using lsprof.
             ``format``
                 Profiling format.
                 Default: text.
                 ``text``
                   Generate a profiling report. When saving to a file, it should be
                   noted that only the report is saved, and the profiling data is
                   not kept.
                 ``kcachegrind``
                   Format profiling data for kcachegrind use: when saving to a
                   file, the generated file can directly be loaded into
                   kcachegrind.
             ``output``
                 File path where profiling data or report should be saved. If the
                 file exists, it is replaced. Default: None, data is printed on
                 stderr
             ``server``
             """"""""""
             Controls generic server settings.
             ``uncompressed``
                 Whether to allow clients to clone a repository using the
                 uncompressed streaming protocol. This transfers about 40% more
                 data than a regular clone, but uses less memory and CPU on both
                 server and client. Over a LAN (100 Mbps or better) or a very fast
                 WAN, an uncompressed streaming clone is a lot faster (~10x) than a
                 regular clone. Over most WAN connections (anything slower than
                 about 6 Mbps), uncompressed streaming is slower, because of the
                 extra data transfer overhead. This mode will also temporarily hold
                 the write lock while determining what data to transfer.
                 Default is True.
             ``validate``
                 Whether to validate the completeness of pushed changesets by
                 checking that all new file revisions specified in manifests are
                 present. Default is False.
             ``subpaths``
             """"""""""""
             Defines subrepositories source locations rewriting rules of the form::
                 <pattern> = <replacement>
             Where ``pattern`` is a regular expression matching the source and
             ``replacement`` is the replacement string used to rewrite it. Groups
             can be matched in ``pattern`` and referenced in ``replacements``. For
             instance::
                 http://server/(.*)-hg/ = http://hg.server/\1/
             rewrites ``http://server/foo-hg/`` into ``http://hg.server/foo/``.
             All patterns are applied in definition order.
             ``trusted``
             """""""""""
             Mercurial will not use the settings in the
             ``.hg/hgrc`` file from a repository if it doesn't belong to a trusted
             user or to a trusted group, as various hgrc features allow arbitrary
             commands to be run. This issue is often encountered when configuring
             hooks or extensions for shared repositories or servers. However,
             the web interface will use some safe settings from the ``[web]``
             section.
             This section specifies what users and groups are trusted. The
             current user is always trusted. To trust everybody, list a user or a
             group with name ``*``. These settings must be placed in an
             *already-trusted file* to take effect, such as ``$HOME/.hgrc`` of the
             user or service running Mercurial.
             ``users``
               Comma-separated list of trusted users.
             ``groups``
               Comma-separated list of trusted groups.
             ``ui``
             """"""
             User interface controls.
             ``archivemeta``
                 Whether to include the .hg_archival.txt file containing meta data
                 (hashes for the repository base and for tip) in archives created
                 by the :hg:`archive` command or downloaded via hgweb.
                 Default is True.
             ``askusername``
                 Whether to prompt for a username when committing. If True, and
                 neither ``$HGUSER`` nor ``$EMAIL`` has been specified, then the user will
                 be prompted to enter a username. If no username is entered, the
                 default ``USER@HOST`` is used instead.
                 Default is False.
             ``debug``
                 Print debugging information. True or False. Default is False.
             ``editor``
                 The editor to use during a commit. Default is ``$EDITOR`` or ``vi``.
             ``fallbackencoding``
                 Encoding to try if it's not possible to decode the changelog using
                 UTF-8. Default is ISO-8859-1.
             ``ignore``
                 A file to read per-user ignore patterns from. This file should be
                 in the same format as a repository-wide .hgignore file. This
                 option supports hook syntax, so if you want to specify multiple
                 ignore files, you can do so by setting something like
                 ``ignore.other = ~/.hgignore2``. For details of the ignore file
                 format, see the |hgignore(5)|_ man page.
             ``interactive``
                 Allow to prompt the user. True or False. Default is True.
             ``logtemplate``
                 Template string for commands that print changesets.
             ``merge``
                 The conflict resolution program to use during a manual merge.
                 For more information on merge tools see :hg:`help merge-tools`.
                 For configuring merge tools see the merge-tools_ section.
             ``patch``
                 command to use to apply patches. Look for ``gpatch`` or ``patch`` in
                 PATH if unset.
             ``quiet``
                 Reduce the amount of output printed. True or False. Default is False.
             ``remotecmd``
                 remote command to use for clone/push/pull operations. Default is ``hg``.
             ``report_untrusted``
                 Warn if a ``.hg/hgrc`` file is ignored due to not being owned by a
                 trusted user or group. True or False. Default is True.
             ``slash``
                 Display paths using a slash (``/``) as the path separator. This
                 only makes a difference on systems where the default path
                 separator is not the slash character (e.g. Windows uses the
                 backslash character (``\``)).
                 Default is False.
             ``ssh``
                 command to use for SSH connections. Default is ``ssh``.
             ``strict``
                 Require exact command names, instead of allowing unambiguous
                 abbreviations. True or False. Default is False.
             ``style``
                 Name of style to use for command output.
             ``timeout``
                 The timeout used when a lock is held (in seconds), a negative value
                 means no timeout. Default is 600.
             ``traceback``
                 Mercurial always prints a traceback when an unknown exception
                 occurs. Setting this to True will make Mercurial print a traceback
                 on all exceptions, even those recognized by Mercurial (such as
                 IOError or MemoryError). Default is False.
             ``username``
                 The committer of a changeset created when running "commit".
                 Typically a person's name and email address, e.g. ``Fred Widget
                 <fred@example.com>``. Default is ``$EMAIL`` or ``username@hostname``. If
                 the username in hgrc is empty, it has to be specified manually or
                 in a different hgrc file (e.g. ``$HOME/.hgrc``, if the admin set
                 ``username =``  in the system hgrc). Environment variables in the
                 username are expanded.
             ``verbose``
                 Increase the amount of output printed. True or False. Default is False.
             ``web``
             """""""
             Web interface configuration. The settings in this section apply to
             both the builtin webserver (started by :hg:`serve`) and the script you
             run through a webserver (``hgweb.cgi`` and the derivatives for FastCGI
             and WSGI).
             The Mercurial webserver does no authentication (it does not prompt for
             usernames and passwords to validate *who* users are), but it does do
             authorization (it grants or denies access for *authenticated users*
             based on settings in this section). You must either configure your
             webserver to do authentication for you, or disable the authorization
             checks.
             For a quick setup in a trusted environment, e.g., a private LAN, where
             you want it to accept pushes from anybody, you can use the following
             command line::
                 $ hg --config web.allow_push=* --config web.push_ssl=False serve
             Note that this will allow anybody to push anything to the server and
             that this should not be used for public servers.
             The full set of options is:
             ``accesslog``
                 Where to output the access log. Default is stdout.
             ``address``
                 Interface address to bind to. Default is all.
             ``allow_archive``
                 List of archive format (bz2, gz, zip) allowed for downloading.
                 Default is empty.
             ``allowbz2``
                 (DEPRECATED) Whether to allow .tar.bz2 downloading of repository
                 revisions.
                 Default is False.
             ``allowgz``
                 (DEPRECATED) Whether to allow .tar.gz downloading of repository
                 revisions.
                 Default is False.
             ``allowpull``
                 Whether to allow pulling from the repository. Default is True.
             ``allow_push``
                 Whether to allow pushing to the repository. If empty or not set,
                 push is not allowed. If the special value ``*``, any remote user can
                 push, including unauthenticated users. Otherwise, the remote user
                 must have been authenticated, and the authenticated user name must
                 be present in this list. The contents of the allow_push list are
                 examined after the deny_push list.
             ``allow_read``
                 If the user has not already been denied repository access due to
                 the contents of deny_read, this list determines whether to grant
                 repository access to the user. If this list is not empty, and the
                 user is unauthenticated or not present in the list, then access is
                 denied for the user. If the list is empty or not set, then access
                 is permitted to all users by default. Setting allow_read to the
                 special value ``*`` is equivalent to it not being set (i.e. access
                 is permitted to all users). The contents of the allow_read list are
                 examined after the deny_read list.
             ``allowzip``
                 (DEPRECATED) Whether to allow .zip downloading of repository
                 revisions. Default is False. This feature creates temporary files.
             ``baseurl``
                 Base URL to use when publishing URLs in other locations, so
                 third-party tools like email notification hooks can construct
                 URLs. Example: ``http://hgserver/repos/``.
             ``cacerts``
                 Path to file containing a list of PEM encoded certificate
                 authority certificates. Environment variables and ``~user``
                 constructs are expanded in the filename. If specified on the
                 client, then it will verify the identity of remote HTTPS servers
                 with these certificates. The form must be as follows::
                     -----BEGIN CERTIFICATE-----
                     ... (certificate in base64 PEM encoding) ...
                     -----END CERTIFICATE-----
                     -----BEGIN CERTIFICATE-----
                     ... (certificate in base64 PEM encoding) ...
                     -----END CERTIFICATE-----
                 This feature is only supported when using Python 2.6 or later. If you wish
                 to use it with earlier versions of Python, install the backported
                 version of the ssl library that is available from
                 ``http://pypi.python.org``.
                 You can use OpenSSL's CA certificate file if your platform has one.
                 On most Linux systems this will be ``/etc/ssl/certs/ca-certificates.crt``.
                 Otherwise you will have to generate this file manually.
             ``contact``
                 Name or email address of the person in charge of the repository.
                 Defaults to ui.username or ``$EMAIL`` or "unknown" if unset or empty.
             ``deny_push``
                 Whether to deny pushing to the repository. If empty or not set,
                 push is not denied. If the special value ``*``, all remote users are
                 denied push. Otherwise, unauthenticated users are all denied, and
                 any authenticated user name present in this list is also denied. The
                 contents of the deny_push list are examined before the allow_push list.
             ``deny_read``
                 Whether to deny reading/viewing of the repository. If this list is
                 not empty, unauthenticated users are all denied, and any
                 authenticated user name present in this list is also denied access to
                 the repository. If set to the special value ``*``, all remote users
                 are denied access (rarely needed ;). If deny_read is empty or not set,
                 the determination of repository access depends on the presence and
                 content of the allow_read list (see description). If both
                 deny_read and allow_read are empty or not set, then access is
                 permitted to all users by default. If the repository is being
                 served via hgwebdir, denied users will not be able to see it in
                 the list of repositories. The contents of the deny_read list have
                 priority over (are examined before) the contents of the allow_read
                 list.
             ``descend``
                 hgwebdir indexes will not descend into subdirectories. Only repositories
                 directly in the current path will be shown (other repositories are still
                 available from the index corresponding to their containing path).
             ``description``
                 Textual description of the repository's purpose or contents.
                 Default is "unknown".
             ``encoding``
                 Character encoding name. Default is the current locale charset.
                 Example: "UTF-8"
             ``errorlog``
                 Where to output the error log. Default is stderr.
             ``hidden``
                 Whether to hide the repository in the hgwebdir index.
                 Default is False.
             ``ipv6``
                 Whether to use IPv6. Default is False.
             ``name``
                 Repository name to use in the web interface. Default is current
                 working directory.
             ``maxchanges``
                 Maximum number of changes to list on the changelog. Default is 10.
             ``maxfiles``
                 Maximum number of files to list per changeset. Default is 10.
             ``port``
                 Port to listen on. Default is 8000.
             ``prefix``
                 Prefix path to serve from. Default is '' (server root).
             ``push_ssl``
                 Whether to require that inbound pushes be transported over SSL to
                 prevent password sniffing. Default is True.
             ``staticurl``
                 Base URL to use for static files. If unset, static files (e.g. the
                 hgicon.png favicon) will be served by the CGI script itself. Use
                 this setting to serve them directly with the HTTP server.
                 Example: ``http://hgserver/static/``.
             ``stripes``
                 How many lines a "zebra stripe" should span in multiline output.
                 Default is 1; set to 0 to disable.
             ``style``
                 Which template map style to use.
             ``templates``
                 Where to find the HTML templates. Default is install path.
             Author
             ------
             Bryan O'Sullivan <bos@serpentine.com>.
             Mercurial was written by Matt Mackall <mpm@selenic.com>.
             See Also
             --------
             |hg(1)|_, |hgignore(5)|_
             Copying
             -------
             This manual page is copyright 2005 Bryan O'Sullivan.
             Mercurial is copyright 2005-2010 Matt Mackall.
             Free use of this software is granted under the terms of the GNU General
             Public License version 2 or any later version.
             .. include:: common.txt

mercurial/hg.py

0 +1 -1

             # hg.py - repository classes for mercurial
             #
             # Copyright 2005-2007 Matt Mackall <mpm@selenic.com>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             from i18n import _
             from lock import release
             from node import hex, nullid, nullrev, short
             import localrepo, bundlerepo, httprepo, sshrepo, statichttprepo
             import lock, util, extensions, error, encoding, node
             import cmdutil, discovery, url
             import merge as mergemod
             import verify as verifymod
             import errno, os, shutil
             def _local(path):
                 path = util.expandpath(util.drop_scheme('file', path))
                 return (os.path.isfile(path) and bundlerepo or localrepo)
             def addbranchrevs(lrepo, repo, branches, revs):
                 hashbranch, branches = branches
                 if not hashbranch and not branches:
                     return revs or None, revs and revs[0] or None
                 revs = revs and list(revs) or []
                 if not repo.capable('branchmap'):
                     if branches:
                         raise util.Abort(_("remote branch lookup not supported"))
                     revs.append(hashbranch)
                     return revs, revs[0]
                 branchmap = repo.branchmap()
                 def primary(butf8):
                     if butf8 == '.':
                         if not lrepo or not lrepo.local():
                             raise util.Abort(_("dirstate branch not accessible"))
                         butf8 = lrepo.dirstate.branch()
                     if butf8 in branchmap:
                         revs.extend(node.hex(r) for r in reversed(branchmap[butf8]))
                         return True
                     else:
                         return False
                 for branch in branches:
                     butf8 = encoding.fromlocal(branch)
                     if not primary(butf8):
                         raise error.RepoLookupError(_("unknown branch '%s'") % branch)
                 if hashbranch:
                     butf8 = encoding.fromlocal(hashbranch)
                     if not primary(butf8):
                         revs.append(hashbranch)
                 return revs, revs[0]
             def parseurl(url, branches=None):
                 '''parse url#branch, returning (url, (branch, branches))'''
                 if '#' not in url:
                     return url, (None, branches or [])
                 url, branch = url.split('#', 1)
                 return url, (branch, branches or [])
             schemes = {
                 'bundle': bundlerepo,
                 'file': _local,
                 'http': httprepo,
                 'https': httprepo,
                 'ssh': sshrepo,
                 'static-http': statichttprepo,
             }
             def _lookup(path):
                 scheme = 'file'
                 if path:
                     c = path.find(':')
                     if c > 0:
                         scheme = path[:c]
                 thing = schemes.get(scheme) or schemes['file']
                 try:
                     return thing(path)
                 except TypeError:
                     return thing
             def islocal(repo):
                 '''return true if repo or path is local'''
                 if isinstance(repo, str):
                     try:
                         return _lookup(repo).islocal(repo)
                     except AttributeError:
                         return False
                 return repo.local()
             def repository(ui, path='', create=False):
                 """return a repository object for the specified path"""
                 repo = _lookup(path).instance(ui, path, create)
                 ui = getattr(repo, "ui", ui)
                 for name, module in extensions.extensions():
                     hook = getattr(module, 'reposetup', None)
                     if hook:
                         hook(ui, repo)
                 return repo
             def defaultdest(source):
                 '''return default destination of clone if none is given'''
                 return os.path.basename(os.path.normpath(source))
             def localpath(path):
                 if path.startswith('file://localhost/'):
                     return path[16:]
                 if path.startswith('file://'):
                     return path[7:]
                 if path.startswith('file:'):
                     return path[5:]
                 return path
             def share(ui, source, dest=None, update=True):
                 '''create a shared repository'''
                 if not islocal(source):
                     raise util.Abort(_('can only share local repositories'))
                 if not dest:
                     dest = defaultdest(source)
                 else:
                     dest = ui.expandpath(dest)
                 if isinstance(source, str):
                     origsource = ui.expandpath(source)
                     source, branches = parseurl(origsource)
                     srcrepo = repository(ui, source)
                     rev, checkout = addbranchrevs(srcrepo, srcrepo, branches, None)
                 else:
                     srcrepo = source
                     origsource = source = srcrepo.url()
                     checkout = None
                 sharedpath = srcrepo.sharedpath # if our source is already sharing
                 root = os.path.realpath(dest)
                 roothg = os.path.join(root, '.hg')
                 if os.path.exists(roothg):
                     raise util.Abort(_('destination already exists'))
                 if not os.path.isdir(root):
                     os.mkdir(root)
                 os.mkdir(roothg)
                 requirements = ''
                 try:
                     requirements = srcrepo.opener('requires').read()
                 except IOError, inst:
                     if inst.errno != errno.ENOENT:
                         raise
                 requirements += 'shared\n'
                 file(os.path.join(roothg, 'requires'), 'w').write(requirements)
                 file(os.path.join(roothg, 'sharedpath'), 'w').write(sharedpath)
                 default = srcrepo.ui.config('paths', 'default')
                 if default:
                     f = file(os.path.join(roothg, 'hgrc'), 'w')
                     f.write('[paths]\ndefault = %s\n' % default)
                     f.close()
                 r = repository(ui, root)
                 if update:
                     r.ui.status(_("updating working directory\n"))
                     if update is not True:
                         checkout = update
                     for test in (checkout, 'default', 'tip'):
                         if test is None:
                             continue
                         try:
                             uprev = r.lookup(test)
                             break
                         except error.RepoLookupError:
                             continue
                     _update(r, uprev)
             def clone(ui, source, dest=None, pull=False, rev=None, update=True,
                       stream=False, branch=None):
                 """Make a copy of an existing repository.
                 Create a copy of an existing repository in a new directory.  The
                 source and destination are URLs, as passed to the repository
                 function.  Returns a pair of repository objects, the source and
                 newly created destination.
                 The location of the source is added to the new repository's
                 .hg/hgrc file, as the default to be used for future pulls and
                 pushes.
                 If an exception is raised, the partly cloned/updated destination
                 repository will be deleted.
                 Arguments:
                 source: repository object or URL
                 dest: URL of destination repository to create (defaults to base
                 name of source repository)
                 pull: always pull from source repository, even in local case
                 stream: stream raw data uncompressed from repository (fast over
                 LAN, slow over WAN)
                 rev: revision to clone up to (implies pull=True)
                 update: update working directory after clone completes, if
                 destination is local repository (True means update to default rev,
                 anything else is treated as a revision)
                 branch: branches to clone
                 """
                 if isinstance(source, str):
                     origsource = ui.expandpath(source)
                     source, branch = parseurl(origsource, branch)
                     src_repo = repository(ui, source)
                 else:
                     src_repo = source
                     branch = (None, branch or [])
                     origsource = source = src_repo.url()
                 rev, checkout = addbranchrevs(src_repo, src_repo, branch, rev)
                 if dest is None:
                     dest = defaultdest(source)
                     ui.status(_("destination directory: %s\n") % dest)
                 else:
                     dest = ui.expandpath(dest)
                 dest = localpath(dest)
                 source = localpath(source)
                 if os.path.exists(dest):
                     if not os.path.isdir(dest):
                         raise util.Abort(_("destination '%s' already exists") % dest)
                     elif os.listdir(dest):
                         raise util.Abort(_("destination '%s' is not empty") % dest)
                 class DirCleanup(object):
                     def __init__(self, dir_):
                         self.rmtree = shutil.rmtree
                         self.dir_ = dir_
                     def close(self):
                         self.dir_ = None
                     def cleanup(self):
                         if self.dir_:
                             self.rmtree(self.dir_, True)
                 src_lock = dest_lock = dir_cleanup = None
                 try:
                     if islocal(dest):
                         dir_cleanup = DirCleanup(dest)
                     abspath = origsource
                     copy = False
                     if src_repo.cancopy() and islocal(dest):
                         abspath = os.path.abspath(util.drop_scheme('file', origsource))
                         copy = not pull and not rev
                     if copy:
                         try:
                             # we use a lock here because if we race with commit, we
                             # can end up with extra data in the cloned revlogs that's
                             # not pointed to by changesets, thus causing verify to
                             # fail
                             src_lock = src_repo.lock(wait=False)
                         except error.LockError:
                             copy = False
                     if copy:
                         src_repo.hook('preoutgoing', throw=True, source='clone')
                         hgdir = os.path.realpath(os.path.join(dest, ".hg"))
                         if not os.path.exists(dest):
                             os.mkdir(dest)
                         else:
                             # only clean up directories we create ourselves
                             dir_cleanup.dir_ = hgdir
                         try:
                             dest_path = hgdir
                             os.mkdir(dest_path)
                         except OSError, inst:
                             if inst.errno == errno.EEXIST:
                                 dir_cleanup.close()
                                 raise util.Abort(_("destination '%s' already exists")
                                                  % dest)
                             raise
                         hardlink = None
                         num = 0
                         for f in src_repo.store.copylist():
                             src = os.path.join(src_repo.sharedpath, f)
                             dst = os.path.join(dest_path, f)
                             dstbase = os.path.dirname(dst)
                             if dstbase and not os.path.exists(dstbase):
                                 os.mkdir(dstbase)
                             if os.path.exists(src):
                                 if dst.endswith('data'):
                                     # lock to avoid premature writing to the target
                                     dest_lock = lock.lock(os.path.join(dstbase, "lock"))
                                 hardlink, n = util.copyfiles(src, dst, hardlink)
                                 num += n
                         if hardlink:
                             ui.debug("linked %d files\n" % num)
                         else:
                             ui.debug("copied %d files\n" % num)
                         # we need to re-init the repo after manually copying the data
                         # into it
                         dest_repo = repository(ui, dest)
                         src_repo.hook('outgoing', source='clone',
                                       node=node.hex(node.nullid))
                     else:
                         try:
                             dest_repo = repository(ui, dest, create=True)
                         except OSError, inst:
                             if inst.errno == errno.EEXIST:
                                 dir_cleanup.close()
                                 raise util.Abort(_("destination '%s' already exists")
                                                  % dest)
                             raise
                         revs = None
                         if rev:
                             if 'lookup' not in src_repo.capabilities:
                                 raise util.Abort(_("src repository does not support "
                                                    "revision lookup and so doesn't "
                                                    "support clone by revision"))
                             revs = [src_repo.lookup(r) for r in rev]
                             checkout = revs[0]
                         if dest_repo.local():
                             dest_repo.clone(src_repo, heads=revs, stream=stream)
                         elif src_repo.local():
                             src_repo.push(dest_repo, revs=revs)
                         else:
                             raise util.Abort(_("clone from remote to remote not supported"))
                     if dir_cleanup:
                         dir_cleanup.close()
                     if dest_repo.local():
                         fp = dest_repo.opener("hgrc", "w", text=True)
                         fp.write("[paths]\n")
                         fp.write("default = %s\n" % abspath)
                         fp.close()
                         dest_repo.ui.setconfig('paths', 'default', abspath)
                         if update:
                             if update is not True:
                                 checkout = update
                                 if src_repo.local():
                                     checkout = src_repo.lookup(update)
                             for test in (checkout, 'default', 'tip'):
                                 if test is None:
                                     continue
                                 try:
                                     uprev = dest_repo.lookup(test)
                                     break
                                 except error.RepoLookupError:
                                     continue
                             bn = dest_repo[uprev].branch()
                             dest_repo.ui.status(_("updating to branch %s\n")
                                                 % encoding.tolocal(bn))
                             _update(dest_repo, uprev)
                     return src_repo, dest_repo
                 finally:
                     release(src_lock, dest_lock)
                     if dir_cleanup is not None:
                         dir_cleanup.cleanup()
             def _showstats(repo, stats):
                 repo.ui.status(_("%d files updated, %d files merged, "
                                  "%d files removed, %d files unresolved\n") % stats)
             def update(repo, node):
                 """update the working directory to node, merging linear changes"""
                 stats = mergemod.update(repo, node, False, False, None)
                 _showstats(repo, stats)
                 if stats[3]:
                     repo.ui.status(_("use 'hg resolve' to retry unresolved file merges\n"))
                 return stats[3] > 0
             # naming conflict in clone()
             _update = update
             def clean(repo, node, show_stats=True):
                 """forcibly switch the working directory to node, clobbering changes"""
                 stats = mergemod.update(repo, node, False, True, None)
                 if show_stats:
                     _showstats(repo, stats)
                 return stats[3] > 0
             def merge(repo, node, force=None, remind=True):
                 """branch merge with node, resolving changes"""
                 stats = mergemod.update(repo, node, True, force, False)
                 _showstats(repo, stats)
                 if stats[3]:
                     repo.ui.status(_("use 'hg resolve' to retry unresolved file merges "
                                      "or 'hg update -C .' to abandon\n"))
                 elif remind:
                     repo.ui.status(_("(branch merge, don't forget to commit)\n"))
                 return stats[3] > 0
             def _incoming(displaychlist, subreporecurse, ui, repo, source,
                     opts, buffered=False):
                 """
                 Helper for incoming / gincoming.
                 displaychlist gets called with
                     (remoterepo, incomingchangesetlist, displayer) parameters,
                 and is supposed to contain only code that can't be unified.
                 """
                 source, branches = parseurl(ui.expandpath(source), opts.get('branch'))
                 other = repository(remoteui(repo, opts), source)
                 ui.status(_('comparing with %s\n') % url.hidepassword(source))
                 revs, checkout = addbranchrevs(repo, other, branches, opts.get('rev'))
                 if revs:
                     revs = [other.lookup(rev) for rev in revs]
                 other, incoming, bundle = bundlerepo.getremotechanges(ui, repo, other, revs,
                                             opts["bundle"], opts["force"])
                 if incoming is None:
                     ui.status(_("no changes found\n"))
                     return subreporecurse()
                 try:
                     chlist = other.changelog.nodesbetween(incoming, revs)[0]
                     displayer = cmdutil.show_changeset(ui, other, opts, buffered)
                     # XXX once graphlog extension makes it into core,
                     # should be replaced by a if graph/else
                     displaychlist(other, chlist, displayer)
                     displayer.close()
                 finally:
                     if hasattr(other, 'close'):
                         other.close()
                     if bundle:
                         os.unlink(bundle)
                 subreporecurse()
                 return 0 # exit code is zero since we found incoming changes
             def incoming(ui, repo, source, opts):
                 def subreporecurse():
                     ret = 1
                     if opts.get('subrepos'):
                         ctx = repo[None]
                         for subpath in sorted(ctx.substate):
                             sub = ctx.sub(subpath)
                             ret = min(ret, sub.incoming(ui, source, opts))
                     return ret
                 def display(other, chlist, displayer):
                     limit = cmdutil.loglimit(opts)
                     if opts.get('newest_first'):
                         chlist.reverse()
                     count = 0
                     for n in chlist:
                         if limit is not None and count >= limit:
                             break
                         parents = [p for p in other.changelog.parents(n) if p != nullid]
                         if opts.get('no_merges') and len(parents) == 2:
                             continue
                         count += 1
                         displayer.show(other[n])
                 return _incoming(display, subreporecurse, ui, repo, source, opts)
             def _outgoing(ui, repo, dest, opts):
                 dest = ui.expandpath(dest or 'default-push', dest or 'default')
                 dest, branches = parseurl(dest, opts.get('branch'))
                 revs, checkout = addbranchrevs(repo, repo, branches, opts.get('rev'))
                 if revs:
                     revs = [repo.lookup(rev) for rev in revs]
                 other = repository(remoteui(repo, opts), dest)
                 ui.status(_('comparing with %s\n') % url.hidepassword(dest))
                 o = discovery.findoutgoing(repo, other, force=opts.get('force'))
                 if not o:
                     ui.status(_("no changes found\n"))
                     return None
                 return repo.changelog.nodesbetween(o, revs)[0]
             def outgoing(ui, repo, dest, opts):
                 def recurse():
                     ret = 1
                     if opts.get('subrepos'):
                         ctx = repo[None]
                         for subpath in sorted(ctx.substate):
                             sub = ctx.sub(subpath)
                             ret = min(ret, sub.outgoing(ui, dest, opts))
                     return ret
                 limit = cmdutil.loglimit(opts)
                 o = _outgoing(ui, repo, dest, opts)
                 if o is None:
                     return recurse()
                 if opts.get('newest_first'):
                     o.reverse()
                 displayer = cmdutil.show_changeset(ui, repo, opts)
                 count = 0
                 for n in o:
                     if limit is not None and count >= limit:
                         break
                     parents = [p for p in repo.changelog.parents(n) if p != nullid]
                     if opts.get('no_merges') and len(parents) == 2:
                         continue
                     count += 1
                     displayer.show(repo[n])
                 displayer.close()
                 recurse()
                 return 0 # exit code is zero since we found outgoing changes
             def revert(repo, node, choose):
                 """revert changes to revision in node without updating dirstate"""
                 return mergemod.update(repo, node, False, True, choose)[3] > 0
             def verify(repo):
                 """verify the consistency of a repository"""
                 return verifymod.verify(repo)
             def remoteui(src, opts):
                 'build a remote ui from ui or repo and opts'
                 if hasattr(src, 'baseui'): # looks like a repository
                     dst = src.baseui.copy() # drop repo-specific config
                     src = src.ui # copy target options from repo
                 else: # assume it's a global ui object
                     dst = src.copy() # keep all global options
                 # copy ssh-specific options
                 for o in 'ssh', 'remotecmd':
                     v = opts.get(o) or src.config('ui', o)
                     if v:
                         dst.setconfig("ui", o, v)
                 # copy bundle-specific options
                 r = src.config('bundle', 'mainreporoot')
                 if r:
                     dst.setconfig('bundle', 'mainreporoot', r)
                 # copy selected local settings to the remote ui
-                for sect in ('auth', 'http_proxy'):
+                for sect in ('auth', 'hostfingerprints', 'http_proxy'):
                     for key, val in src.configitems(sect):
                         dst.setconfig(sect, key, val)
                 v = src.config('web', 'cacerts')
                 if v:
                     dst.setconfig('web', 'cacerts', util.expandpath(v))
                 return dst

mercurial/url.py

0 +28 -4

             # url.py - HTTP handling for mercurial
             #
             # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
             # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO
             import __builtin__
             from i18n import _
             import keepalive, util
             def _urlunparse(scheme, netloc, path, params, query, fragment, url):
                 '''Handle cases where urlunparse(urlparse(x://)) doesn't preserve the "//"'''
                 result = urlparse.urlunparse((scheme, netloc, path, params, query, fragment))
                 if (scheme and
                     result.startswith(scheme + ':') and
                     not result.startswith(scheme + '://') and
                     url.startswith(scheme + '://')
                    ):
                     result = scheme + '://' + result[len(scheme + ':'):]
                 return result
             def hidepassword(url):
                 '''hide user credential in a url string'''
                 scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)
                 netloc = re.sub('([^:]*):([^@]*)@(.*)', r'\1:***@\3', netloc)
                 return _urlunparse(scheme, netloc, path, params, query, fragment, url)
             def removeauth(url):
                 '''remove all authentication information from a url string'''
                 scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)
                 netloc = netloc[netloc.find('@')+1:]
                 return _urlunparse(scheme, netloc, path, params, query, fragment, url)
             def netlocsplit(netloc):
                 '''split [user[:passwd]@]host[:port] into 4-tuple.'''
                 a = netloc.find('@')
                 if a == -1:
                     user, passwd = None, None
                 else:
                     userpass, netloc = netloc[:a], netloc[a + 1:]
                     c = userpass.find(':')
                     if c == -1:
                         user, passwd = urllib.unquote(userpass), None
                     else:
                         user = urllib.unquote(userpass[:c])
                         passwd = urllib.unquote(userpass[c + 1:])
                 c = netloc.find(':')
                 if c == -1:
                     host, port = netloc, None
                 else:
                     host, port = netloc[:c], netloc[c + 1:]
                 return host, port, user, passwd
             def netlocunsplit(host, port, user=None, passwd=None):
                 '''turn host, port, user, passwd into [user[:passwd]@]host[:port].'''
                 if port:
                     hostport = host + ':' + port
                 else:
                     hostport = host
                 if user:
                     quote = lambda s: urllib.quote(s, safe='')
                     if passwd:
                         userpass = quote(user) + ':' + quote(passwd)
                     else:
                         userpass = quote(user)
                     return userpass + '@' + hostport
                 return hostport
             _safe = ('abcdefghijklmnopqrstuvwxyz'
                      'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                      '0123456789' '_.-/')
             _safeset = None
             _hex = None
             def quotepath(path):
                 '''quote the path part of a URL
                 This is similar to urllib.quote, but it also tries to avoid
                 quoting things twice (inspired by wget):
                 >>> quotepath('abc def')
                 'abc%20def'
                 >>> quotepath('abc%20def')
                 'abc%20def'
                 >>> quotepath('abc%20 def')
                 'abc%20%20def'
                 >>> quotepath('abc def%20')
                 'abc%20def%20'
                 >>> quotepath('abc def%2')
                 'abc%20def%252'
                 >>> quotepath('abc def%')
                 'abc%20def%25'
                 '''
                 global _safeset, _hex
                 if _safeset is None:
                     _safeset = set(_safe)
                     _hex = set('abcdefABCDEF0123456789')
                 l = list(path)
                 for i in xrange(len(l)):
                     c = l[i]
                     if (c == '%' and i + 2 < len(l) and
                         l[i + 1] in _hex and l[i + 2] in _hex):
                         pass
                     elif c not in _safeset:
                         l[i] = '%%%02X' % ord(c)
                 return ''.join(l)
             class passwordmgr(urllib2.HTTPPasswordMgrWithDefaultRealm):
                 def __init__(self, ui):
                     urllib2.HTTPPasswordMgrWithDefaultRealm.__init__(self)
                     self.ui = ui
                 def find_user_password(self, realm, authuri):
                     authinfo = urllib2.HTTPPasswordMgrWithDefaultRealm.find_user_password(
                         self, realm, authuri)
                     user, passwd = authinfo
                     if user and passwd:
                         self._writedebug(user, passwd)
                         return (user, passwd)
                     if not user:
                         auth = self.readauthtoken(authuri)
                         if auth:
                             user, passwd = auth.get('username'), auth.get('password')
                     if not user or not passwd:
                         if not self.ui.interactive():
                             raise util.Abort(_('http authorization required'))
                         self.ui.write(_("http authorization required\n"))
                         self.ui.write(_("realm: %s\n") % realm)
                         if user:
                             self.ui.write(_("user: %s\n") % user)
                         else:
                             user = self.ui.prompt(_("user:"), default=None)
                         if not passwd:
                             passwd = self.ui.getpass()
                     self.add_password(realm, authuri, user, passwd)
                     self._writedebug(user, passwd)
                     return (user, passwd)
                 def _writedebug(self, user, passwd):
                     msg = _('http auth: user %s, password %s\n')
                     self.ui.debug(msg % (user, passwd and '*' * len(passwd) or 'not set'))
                 def readauthtoken(self, uri):
                     # Read configuration
                     config = dict()
                     for key, val in self.ui.configitems('auth'):
                         if '.' not in key:
                             self.ui.warn(_("ignoring invalid [auth] key '%s'\n") % key)
                             continue
                         group, setting = key.split('.', 1)
                         gdict = config.setdefault(group, dict())
                         if setting in ('username', 'cert', 'key'):
                             val = util.expandpath(val)
                         gdict[setting] = val
                     # Find the best match
                     scheme, hostpath = uri.split('://', 1)
                     bestlen = 0
                     bestauth = None
                     for auth in config.itervalues():
                         prefix = auth.get('prefix')
                         if not prefix:
                             continue
                         p = prefix.split('://', 1)
                         if len(p) > 1:
                             schemes, prefix = [p[0]], p[1]
                         else:
                             schemes = (auth.get('schemes') or 'https').split()
                         if (prefix == '*' or hostpath.startswith(prefix)) and \
                             len(prefix) > bestlen and scheme in schemes:
                             bestlen = len(prefix)
                             bestauth = auth
                     return bestauth
             class proxyhandler(urllib2.ProxyHandler):
                 def __init__(self, ui):
                     proxyurl = ui.config("http_proxy", "host") or os.getenv('http_proxy')
                     # XXX proxyauthinfo = None
                     if proxyurl:
                         # proxy can be proper url or host[:port]
                         if not (proxyurl.startswith('http:') or
                                 proxyurl.startswith('https:')):
                             proxyurl = 'http://' + proxyurl + '/'
                         snpqf = urlparse.urlsplit(proxyurl)
                         proxyscheme, proxynetloc, proxypath, proxyquery, proxyfrag = snpqf
                         hpup = netlocsplit(proxynetloc)
                         proxyhost, proxyport, proxyuser, proxypasswd = hpup
                         if not proxyuser:
                             proxyuser = ui.config("http_proxy", "user")
                             proxypasswd = ui.config("http_proxy", "passwd")
                         # see if we should use a proxy for this url
                         no_list = ["localhost", "127.0.0.1"]
                         no_list.extend([p.lower() for
                                         p in ui.configlist("http_proxy", "no")])
                         no_list.extend([p.strip().lower() for
                                         p in os.getenv("no_proxy", '').split(',')
                                         if p.strip()])
                         # "http_proxy.always" config is for running tests on localhost
                         if ui.configbool("http_proxy", "always"):
                             self.no_list = []
                         else:
                             self.no_list = no_list
                         proxyurl = urlparse.urlunsplit((
                             proxyscheme, netlocunsplit(proxyhost, proxyport,
                                                             proxyuser, proxypasswd or ''),
                             proxypath, proxyquery, proxyfrag))
                         proxies = {'http': proxyurl, 'https': proxyurl}
                         ui.debug('proxying through http://%s:%s\n' %
                                   (proxyhost, proxyport))
                     else:
                         proxies = {}
                     # urllib2 takes proxy values from the environment and those
                     # will take precedence if found, so drop them
                     for env in ["HTTP_PROXY", "http_proxy", "no_proxy"]:
                         try:
                             if env in os.environ:
                                 del os.environ[env]
                         except OSError:
                             pass
                     urllib2.ProxyHandler.__init__(self, proxies)
                     self.ui = ui
                 def proxy_open(self, req, proxy, type_):
                     host = req.get_host().split(':')[0]
                     if host in self.no_list:
                         return None
                     # work around a bug in Python < 2.4.2
                     # (it leaves a "\n" at the end of Proxy-authorization headers)
                     baseclass = req.__class__
                     class _request(baseclass):
                         def add_header(self, key, val):
                             if key.lower() == 'proxy-authorization':
                                 val = val.strip()
                             return baseclass.add_header(self, key, val)
                     req.__class__ = _request
                     return urllib2.ProxyHandler.proxy_open(self, req, proxy, type_)
             class httpsendfile(object):
                 """This is a wrapper around the objects returned by python's "open".
                 Its purpose is to send file-like objects via HTTP and, to do so, it
                 defines a __len__ attribute to feed the Content-Length header.
                 """
                 def __init__(self, *args, **kwargs):
                     # We can't just "self._data = open(*args, **kwargs)" here because there
                     # is an "open" function defined in this module that shadows the global
                     # one
                     self._data = __builtin__.open(*args, **kwargs)
                     self.read = self._data.read
                     self.seek = self._data.seek
                     self.close = self._data.close
                     self.write = self._data.write
                 def __len__(self):
                     return os.fstat(self._data.fileno()).st_size
             def _gen_sendfile(connection):
                 def _sendfile(self, data):
                     # send a file
                     if isinstance(data, httpsendfile):
                         # if auth required, some data sent twice, so rewind here
                         data.seek(0)
                         for chunk in util.filechunkiter(data):
                             connection.send(self, chunk)
                     else:
                         connection.send(self, data)
                 return _sendfile
             has_https = hasattr(urllib2, 'HTTPSHandler')
             if has_https:
                 try:
                     # avoid using deprecated/broken FakeSocket in python 2.6
                     import ssl
                     _ssl_wrap_socket = ssl.wrap_socket
                     CERT_REQUIRED = ssl.CERT_REQUIRED
                 except ImportError:
                     CERT_REQUIRED = 2
                     def _ssl_wrap_socket(sock, key_file, cert_file,
                                          cert_reqs=CERT_REQUIRED, ca_certs=None):
                         if ca_certs:
                             raise util.Abort(_(
                                 'certificate checking requires Python 2.6'))
                         ssl = socket.ssl(sock, key_file, cert_file)
                         return httplib.FakeSocket(sock, ssl)
                 try:
                     _create_connection = socket.create_connection
                 except AttributeError:
                     _GLOBAL_DEFAULT_TIMEOUT = object()
                     def _create_connection(address, timeout=_GLOBAL_DEFAULT_TIMEOUT,
                                            source_address=None):
                         # lifted from Python 2.6
                         msg = "getaddrinfo returns an empty list"
                         host, port = address
                         for res in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM):
                             af, socktype, proto, canonname, sa = res
                             sock = None
                             try:
                                 sock = socket.socket(af, socktype, proto)
                                 if timeout is not _GLOBAL_DEFAULT_TIMEOUT:
                                     sock.settimeout(timeout)
                                 if source_address:
                                     sock.bind(source_address)
                                 sock.connect(sa)
                                 return sock
                             except socket.error, msg:
                                 if sock is not None:
                                     sock.close()
                         raise socket.error, msg
             class httpconnection(keepalive.HTTPConnection):
                 # must be able to send big bundle as stream.
                 send = _gen_sendfile(keepalive.HTTPConnection)
                 def connect(self):
                     if has_https and self.realhostport: # use CONNECT proxy
                         self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                         self.sock.connect((self.host, self.port))
                         if _generic_proxytunnel(self):
                             # we do not support client x509 certificates
                             self.sock = _ssl_wrap_socket(self.sock, None, None)
                     else:
                         keepalive.HTTPConnection.connect(self)
                 def getresponse(self):
                     proxyres = getattr(self, 'proxyres', None)
                     if proxyres:
                         if proxyres.will_close:
                             self.close()
                         self.proxyres = None
                         return proxyres
                     return keepalive.HTTPConnection.getresponse(self)
             # general transaction handler to support different ways to handle
             # HTTPS proxying before and after Python 2.6.3.
             def _generic_start_transaction(handler, h, req):
                 if hasattr(req, '_tunnel_host') and req._tunnel_host:
                     tunnel_host = req._tunnel_host
                     if tunnel_host[:7] not in ['http://', 'https:/']:
                         tunnel_host = 'https://' + tunnel_host
                     new_tunnel = True
                 else:
                     tunnel_host = req.get_selector()
                     new_tunnel = False
                 if new_tunnel or tunnel_host == req.get_full_url(): # has proxy
                     urlparts = urlparse.urlparse(tunnel_host)
                     if new_tunnel or urlparts[0] == 'https': # only use CONNECT for HTTPS
                         realhostport = urlparts[1]
                         if realhostport[-1] == ']' or ':' not in realhostport:
                             realhostport += ':443'
                         h.realhostport = realhostport
                         h.headers = req.headers.copy()
                         h.headers.update(handler.parent.addheaders)
                         return
                 h.realhostport = None
                 h.headers = None
             def _generic_proxytunnel(self):
                 proxyheaders = dict(
                         [(x, self.headers[x]) for x in self.headers
                          if x.lower().startswith('proxy-')])
                 self._set_hostport(self.host, self.port)
                 self.send('CONNECT %s HTTP/1.0\r\n' % self.realhostport)
                 for header in proxyheaders.iteritems():
                     self.send('%s: %s\r\n' % header)
                 self.send('\r\n')
                 # majority of the following code is duplicated from
                 # httplib.HTTPConnection as there are no adequate places to
                 # override functions to provide the needed functionality
                 res = self.response_class(self.sock,
                                           strict=self.strict,
                                           method=self._method)
                 while True:
                     version, status, reason = res._read_status()
                     if status != httplib.CONTINUE:
                         break
                     while True:
                         skip = res.fp.readline().strip()
                         if not skip:
                             break
                 res.status = status
                 res.reason = reason.strip()
                 if res.status == 200:
                     while True:
                         line = res.fp.readline()
                         if line == '\r\n':
                             break
                     return True
                 if version == 'HTTP/1.0':
                     res.version = 10
                 elif version.startswith('HTTP/1.'):
                     res.version = 11
                 elif version == 'HTTP/0.9':
                     res.version = 9
                 else:
                     raise httplib.UnknownProtocol(version)
                 if res.version == 9:
                     res.length = None
                     res.chunked = 0
                     res.will_close = 1
                     res.msg = httplib.HTTPMessage(cStringIO.StringIO())
                     return False
                 res.msg = httplib.HTTPMessage(res.fp)
                 res.msg.fp = None
                 # are we using the chunked-style of transfer encoding?
                 trenc = res.msg.getheader('transfer-encoding')
                 if trenc and trenc.lower() == "chunked":
                     res.chunked = 1
                     res.chunk_left = None
                 else:
                     res.chunked = 0
                 # will the connection close at the end of the response?
                 res.will_close = res._check_close()
                 # do we have a Content-Length?
                 # NOTE: RFC 2616, S4.4, #3 says we ignore this if tr_enc is "chunked"
                 length = res.msg.getheader('content-length')
                 if length and not res.chunked:
                     try:
                         res.length = int(length)
                     except ValueError:
                         res.length = None
                     else:
                         if res.length < 0:  # ignore nonsensical negative lengths
                             res.length = None
                 else:
                     res.length = None
                 # does the body have a fixed length? (of zero)
                 if (status == httplib.NO_CONTENT or status == httplib.NOT_MODIFIED or
 <= status < 200 or # 1xx codes
                     res._method == 'HEAD'):
                     res.length = 0
                 # if the connection remains open, and we aren't using chunked, and
                 # a content-length was not provided, then assume that the connection
                 # WILL close.
                 if (not res.will_close and
                    not res.chunked and
                    res.length is None):
                     res.will_close = 1
                 self.proxyres = res
                 return False
             class httphandler(keepalive.HTTPHandler):
                 def http_open(self, req):
                     return self.do_open(httpconnection, req)
                 def _start_transaction(self, h, req):
                     _generic_start_transaction(self, h, req)
                     return keepalive.HTTPHandler._start_transaction(self, h, req)
             def _verifycert(cert, hostname):
                 '''Verify that cert (in socket.getpeercert() format) matches hostname.
                 CRLs is not handled.
                 Returns error message if any problems are found and None on success.
                 '''
                 if not cert:
                     return _('no certificate received')
                 dnsname = hostname.lower()
                 def matchdnsname(certname):
                     return (certname == dnsname or
                             '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1])
                 san = cert.get('subjectAltName', [])
                 if san:
                     certnames = [value.lower() for key, value in san if key == 'DNS']
                     for name in certnames:
                         if matchdnsname(name):
                             return None
                     return _('certificate is for %s') % ', '.join(certnames)
                 # subject is only checked when subjectAltName is empty
                 for s in cert.get('subject', []):
                     key, value = s[0]
                     if key == 'commonName':
                         try:
                             # 'subject' entries are unicode
                             certname = value.lower().encode('ascii')
                         except UnicodeEncodeError:
                             return _('IDN in certificate not supported')
                         if matchdnsname(certname):
                             return None
                         return _('certificate is for %s') % certname
                 return _('no commonName or subjectAltName found in certificate')
             if has_https:
                 class BetterHTTPS(httplib.HTTPSConnection):
                     send = keepalive.safesend
                     def connect(self):
                         if hasattr(self, 'ui'):
                             cacerts = self.ui.config('web', 'cacerts')
                             if cacerts:
                                 cacerts = util.expandpath(cacerts)
                         else:
                             cacerts = None
-                        if cacerts:
+                        hostfingerprint = self.ui.config('hostfingerprints', self.host)
+                        if cacerts and not hostfingerprint:
                             sock = _create_connection((self.host, self.port))
                             self.sock = _ssl_wrap_socket(sock, self.key_file,
                                     self.cert_file, cert_reqs=CERT_REQUIRED,
                                     ca_certs=cacerts)
                             msg = _verifycert(self.sock.getpeercert(), self.host)
                             if msg:
                                 raise util.Abort(_('%s certificate error: %s') %
                                                  (self.host, msg))
                             self.ui.debug('%s certificate successfully verified\n' %
                                           self.host)
                         else:
-                            self.ui.warn(_("warning: %s certificate not verified "
-                                           "(check web.cacerts config setting)\n") %
-                                         self.host)
                             httplib.HTTPSConnection.connect(self)
+                            if hasattr(self.sock, 'getpeercert'):
+                                peercert = self.sock.getpeercert(True)
+                                peerfingerprint = util.sha1(peercert).hexdigest()
+                                nicefingerprint = ":".join([peerfingerprint[x:x + 2]
+                                    for x in xrange(0, len(peerfingerprint), 2)])
+                                if hostfingerprint:
+                                    if peerfingerprint.lower() != \
+                                            hostfingerprint.replace(':', '').lower():
+                                        raise util.Abort(_('invalid certificate for %s '
+                                                           'with fingerprint %s') %
+                                                         (self.host, nicefingerprint))
+                                    self.ui.debug('%s certificate matched fingerprint %s\n' %
+                                                  (self.host, nicefingerprint))
+                                else:
+                                    self.ui.warn(_('warning: %s certificate '
+                                                   'with fingerprint %s not verified '
+                                                   '(check hostfingerprints or web.cacerts '
+                                                   'config setting)\n') %
+                                                 (self.host, nicefingerprint))
+                            else: # python 2.5 ?
+                                if hostfingerprint:
+                                    raise util.Abort(_('no certificate for %s '
+                                                       'with fingerprint') % self.host)
+                                self.ui.warn(_('warning: %s certificate not verified '
+                                               '(check web.cacerts config setting)\n') %
+                                             self.host)
                 class httpsconnection(BetterHTTPS):
                     response_class = keepalive.HTTPResponse
                     # must be able to send big bundle as stream.
                     send = _gen_sendfile(BetterHTTPS)
                     getresponse = keepalive.wrapgetresponse(httplib.HTTPSConnection)
                     def connect(self):
                         if self.realhostport: # use CONNECT proxy
                             self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                             self.sock.connect((self.host, self.port))
                             if _generic_proxytunnel(self):
                                 self.sock = _ssl_wrap_socket(self.sock, self.key_file,
                                         self.cert_file)
                         else:
                             BetterHTTPS.connect(self)
                 class httpshandler(keepalive.KeepAliveHandler, urllib2.HTTPSHandler):
                     def __init__(self, ui):
                         keepalive.KeepAliveHandler.__init__(self)
                         urllib2.HTTPSHandler.__init__(self)
                         self.ui = ui
                         self.pwmgr = passwordmgr(self.ui)
                     def _start_transaction(self, h, req):
                         _generic_start_transaction(self, h, req)
                         return keepalive.KeepAliveHandler._start_transaction(self, h, req)
                     def https_open(self, req):
                         self.auth = self.pwmgr.readauthtoken(req.get_full_url())
                         return self.do_open(self._makeconnection, req)
                     def _makeconnection(self, host, port=None, *args, **kwargs):
                         keyfile = None
                         certfile = None
                         if len(args) >= 1: # key_file
                             keyfile = args[0]
                         if len(args) >= 2: # cert_file
                             certfile = args[1]
                         args = args[2:]
                         # if the user has specified different key/cert files in
                         # hgrc, we prefer these
                         if self.auth and 'key' in self.auth and 'cert' in self.auth:
                             keyfile = self.auth['key']
                             certfile = self.auth['cert']
                         conn = httpsconnection(host, port, keyfile, certfile, *args, **kwargs)
                         conn.ui = self.ui
                         return conn
             class httpdigestauthhandler(urllib2.HTTPDigestAuthHandler):
                 def __init__(self, *args, **kwargs):
                     urllib2.HTTPDigestAuthHandler.__init__(self, *args, **kwargs)
                     self.retried_req = None
                 def reset_retry_count(self):
                     # Python 2.6.5 will call this on 401 or 407 errors and thus loop
                     # forever. We disable reset_retry_count completely and reset in
                     # http_error_auth_reqed instead.
                     pass
                 def http_error_auth_reqed(self, auth_header, host, req, headers):
                     # Reset the retry counter once for each request.
                     if req is not self.retried_req:
                         self.retried_req = req
                         self.retried = 0
                     # In python < 2.5 AbstractDigestAuthHandler raises a ValueError if
                     # it doesn't know about the auth type requested. This can happen if
                     # somebody is using BasicAuth and types a bad password.
                     try:
                         return urllib2.HTTPDigestAuthHandler.http_error_auth_reqed(
                                     self, auth_header, host, req, headers)
                     except ValueError, inst:
                         arg = inst.args[0]
                         if arg.startswith("AbstractDigestAuthHandler doesn't know "):
                             return
                         raise
             class httpbasicauthhandler(urllib2.HTTPBasicAuthHandler):
                 def __init__(self, *args, **kwargs):
                     urllib2.HTTPBasicAuthHandler.__init__(self, *args, **kwargs)
                     self.retried_req = None
                 def reset_retry_count(self):
                     # Python 2.6.5 will call this on 401 or 407 errors and thus loop
                     # forever. We disable reset_retry_count completely and reset in
                     # http_error_auth_reqed instead.
                     pass
                 def http_error_auth_reqed(self, auth_header, host, req, headers):
                     # Reset the retry counter once for each request.
                     if req is not self.retried_req:
                         self.retried_req = req
                         self.retried = 0
                     return urllib2.HTTPBasicAuthHandler.http_error_auth_reqed(
                                     self, auth_header, host, req, headers)
             def getauthinfo(path):
                 scheme, netloc, urlpath, query, frag = urlparse.urlsplit(path)
                 if not urlpath:
                     urlpath = '/'
                 if scheme != 'file':
                     # XXX: why are we quoting the path again with some smart
                     # heuristic here? Anyway, it cannot be done with file://
                     # urls since path encoding is os/fs dependent (see
                     # urllib.pathname2url() for details).
                     urlpath = quotepath(urlpath)
                 host, port, user, passwd = netlocsplit(netloc)
                 # urllib cannot handle URLs with embedded user or passwd
                 url = urlparse.urlunsplit((scheme, netlocunsplit(host, port),
                                           urlpath, query, frag))
                 if user:
                     netloc = host
                     if port:
                         netloc += ':' + port
                     # Python < 2.4.3 uses only the netloc to search for a password
                     authinfo = (None, (url, netloc), user, passwd or '')
                 else:
                     authinfo = None
                 return url, authinfo
             handlerfuncs = []
             def opener(ui, authinfo=None):
                 '''
                 construct an opener suitable for urllib2
                 authinfo will be added to the password manager
                 '''
                 handlers = [httphandler()]
                 if has_https:
                     handlers.append(httpshandler(ui))
                 handlers.append(proxyhandler(ui))
                 passmgr = passwordmgr(ui)
                 if authinfo is not None:
                     passmgr.add_password(*authinfo)
                     user, passwd = authinfo[2:4]
                     ui.debug('http auth: user %s, password %s\n' %
                              (user, passwd and '*' * len(passwd) or 'not set'))
                 handlers.extend((httpbasicauthhandler(passmgr),
                                  httpdigestauthhandler(passmgr)))
                 handlers.extend([h(ui, passmgr) for h in handlerfuncs])
                 opener = urllib2.build_opener(*handlers)
                 # 1.0 here is the _protocol_ version
                 opener.addheaders = [('User-agent', 'mercurial/proto-1.0')]
                 opener.addheaders.append(('Accept', 'application/mercurial-0.1'))
                 return opener
             scheme_re = re.compile(r'^([a-zA-Z0-9+-.]+)://')
             def open(ui, url, data=None):
                 scheme = None
                 m = scheme_re.search(url)
                 if m:
                     scheme = m.group(1).lower()
                 if not scheme:
                     path = util.normpath(os.path.abspath(url))
                     url = 'file://' + urllib.pathname2url(path)
                     authinfo = None
                 else:
                     url, authinfo = getauthinfo(url)
                 return opener(ui, authinfo).open(url, data)

tests/test-https.t

0 +21 -2

             Proper https client requires the built-in ssl from Python 2.6.
               $ "$TESTDIR/hghave" ssl || exit 80
             Certificates created with:
              printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
              openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
             Can be dumped with:
              openssl x509 -in pub.pem -text
               $ cat << EOT > priv.pem
               > -----BEGIN PRIVATE KEY-----
               > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
               > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
               > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
               > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
               > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
               > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
               > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
               > HY8gUVkVRVs=
               > -----END PRIVATE KEY-----
               > EOT
               $ cat << EOT > pub.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
               > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
               > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
               > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub.pem >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat << EOT > pub-other.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
               > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
               > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
               > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
               > -----END CERTIFICATE-----
               > EOT
             pub.pem patched with other notBefore / notAfter:
               $ cat << EOT > pub-not-yet.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
               > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
               > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
               $ cat << EOT > pub-expired.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
               > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
               > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-expired.pem > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             Test server address cannot be reused
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
               $ cd ..
             clone via pull
               $ hg clone https://localhost:$HGPORT/ copy-pull
-              warning: localhost certificate not verified (check web.cacerts config setting)
+              warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
               $ hg pull
-              warning: localhost certificate not verified (check web.cacerts config setting)
+              warning: localhost certificate with fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca not verified (check hostfingerprints or web.cacerts config setting)
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
               pulling from https://localhost:$HGPORT/
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
             cacert configured globally, also testing expansion of environment
             variables in the filename
               $ echo "[web]" >> $HGRCPATH
               $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
               $ P=`pwd` hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
               abort: 127.0.0.1 certificate error: certificate is for localhost
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Test server cert which isn't valid yet
               $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Test server cert which no longer is valid
               $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
+            Fingerprints
+              $ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
+              $ echo "localhost = 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca" >> copy-pull/.hg/hgrc
+              $ echo "127.0.0.1 = 914f1aff87249c09b6859b88b1906d30756491ca" >> copy-pull/.hg/hgrc
+            - works without cacerts
+              $ hg -R copy-pull id https://localhost:$HGPORT/ --config web.cacerts=
+fed3813f7f5
+            - fails when cert doesn't match hostname (port is ignored)
+              $ hg -R copy-pull id https://localhost:$HGPORT1/
+              abort: invalid certificate for localhost with fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
+              [255]
+            - ignores that certificate doesn't match hostname
+              $ hg -R copy-pull id https://127.0.0.1:$HGPORT/
+fed3813f7f5

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages