upstream/mercurial-mirror Commit - r13231:b335882c

url: expand path for web.cacerts

Eduard-Cristian Stefan -

r13231:b335882c stable

parent child

mercurial/hg.py

0 +1 -1

             # hg.py - repository classes for mercurial
             #
             # Copyright 2005-2007 Matt Mackall <mpm@selenic.com>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             from i18n import _
             from lock import release
             from node import hex, nullid, nullrev, short
             import localrepo, bundlerepo, httprepo, sshrepo, statichttprepo
             import lock, util, extensions, error, encoding, node
             import cmdutil, discovery, url
             import merge as mergemod
             import verify as verifymod
             import errno, os, shutil
             def _local(path):
                 path = util.expandpath(util.drop_scheme('file', path))
                 return (os.path.isfile(path) and bundlerepo or localrepo)
             def addbranchrevs(lrepo, repo, branches, revs):
                 hashbranch, branches = branches
                 if not hashbranch and not branches:
                     return revs or None, revs and revs[0] or None
                 revs = revs and list(revs) or []
                 if not repo.capable('branchmap'):
                     if branches:
                         raise util.Abort(_("remote branch lookup not supported"))
                     revs.append(hashbranch)
                     return revs, revs[0]
                 branchmap = repo.branchmap()
                 def primary(butf8):
                     if butf8 == '.':
                         if not lrepo or not lrepo.local():
                             raise util.Abort(_("dirstate branch not accessible"))
                         butf8 = lrepo.dirstate.branch()
                     if butf8 in branchmap:
                         revs.extend(node.hex(r) for r in reversed(branchmap[butf8]))
                         return True
                     else:
                         return False
                 for branch in branches:
                     butf8 = encoding.fromlocal(branch)
                     if not primary(butf8):
                         raise error.RepoLookupError(_("unknown branch '%s'") % branch)
                 if hashbranch:
                     butf8 = encoding.fromlocal(hashbranch)
                     if not primary(butf8):
                         revs.append(hashbranch)
                 return revs, revs[0]
             def parseurl(url, branches=None):
                 '''parse url#branch, returning (url, (branch, branches))'''
                 if '#' not in url:
                     return url, (None, branches or [])
                 url, branch = url.split('#', 1)
                 return url, (branch, branches or [])
             schemes = {
                 'bundle': bundlerepo,
                 'file': _local,
                 'http': httprepo,
                 'https': httprepo,
                 'ssh': sshrepo,
                 'static-http': statichttprepo,
             }
             def _lookup(path):
                 scheme = 'file'
                 if path:
                     c = path.find(':')
                     if c > 0:
                         scheme = path[:c]
                 thing = schemes.get(scheme) or schemes['file']
                 try:
                     return thing(path)
                 except TypeError:
                     return thing
             def islocal(repo):
                 '''return true if repo or path is local'''
                 if isinstance(repo, str):
                     try:
                         return _lookup(repo).islocal(repo)
                     except AttributeError:
                         return False
                 return repo.local()
             def repository(ui, path='', create=False):
                 """return a repository object for the specified path"""
                 repo = _lookup(path).instance(ui, path, create)
                 ui = getattr(repo, "ui", ui)
                 for name, module in extensions.extensions():
                     hook = getattr(module, 'reposetup', None)
                     if hook:
                         hook(ui, repo)
                 return repo
             def defaultdest(source):
                 '''return default destination of clone if none is given'''
                 return os.path.basename(os.path.normpath(source))
             def localpath(path):
                 if path.startswith('file://localhost/'):
                     return path[16:]
                 if path.startswith('file://'):
                     return path[7:]
                 if path.startswith('file:'):
                     return path[5:]
                 return path
             def share(ui, source, dest=None, update=True):
                 '''create a shared repository'''
                 if not islocal(source):
                     raise util.Abort(_('can only share local repositories'))
                 if not dest:
                     dest = defaultdest(source)
                 else:
                     dest = ui.expandpath(dest)
                 if isinstance(source, str):
                     origsource = ui.expandpath(source)
                     source, branches = parseurl(origsource)
                     srcrepo = repository(ui, source)
                     rev, checkout = addbranchrevs(srcrepo, srcrepo, branches, None)
                 else:
                     srcrepo = source
                     origsource = source = srcrepo.url()
                     checkout = None
                 sharedpath = srcrepo.sharedpath # if our source is already sharing
                 root = os.path.realpath(dest)
                 roothg = os.path.join(root, '.hg')
                 if os.path.exists(roothg):
                     raise util.Abort(_('destination already exists'))
                 if not os.path.isdir(root):
                     os.mkdir(root)
                 os.mkdir(roothg)
                 requirements = ''
                 try:
                     requirements = srcrepo.opener('requires').read()
                 except IOError, inst:
                     if inst.errno != errno.ENOENT:
                         raise
                 requirements += 'shared\n'
                 file(os.path.join(roothg, 'requires'), 'w').write(requirements)
                 file(os.path.join(roothg, 'sharedpath'), 'w').write(sharedpath)
                 default = srcrepo.ui.config('paths', 'default')
                 if default:
                     f = file(os.path.join(roothg, 'hgrc'), 'w')
                     f.write('[paths]\ndefault = %s\n' % default)
                     f.close()
                 r = repository(ui, root)
                 if update:
                     r.ui.status(_("updating working directory\n"))
                     if update is not True:
                         checkout = update
                     for test in (checkout, 'default', 'tip'):
                         if test is None:
                             continue
                         try:
                             uprev = r.lookup(test)
                             break
                         except error.RepoLookupError:
                             continue
                     _update(r, uprev)
             def clone(ui, source, dest=None, pull=False, rev=None, update=True,
                       stream=False, branch=None):
                 """Make a copy of an existing repository.
                 Create a copy of an existing repository in a new directory.  The
                 source and destination are URLs, as passed to the repository
                 function.  Returns a pair of repository objects, the source and
                 newly created destination.
                 The location of the source is added to the new repository's
                 .hg/hgrc file, as the default to be used for future pulls and
                 pushes.
                 If an exception is raised, the partly cloned/updated destination
                 repository will be deleted.
                 Arguments:
                 source: repository object or URL
                 dest: URL of destination repository to create (defaults to base
                 name of source repository)
                 pull: always pull from source repository, even in local case
                 stream: stream raw data uncompressed from repository (fast over
                 LAN, slow over WAN)
                 rev: revision to clone up to (implies pull=True)
                 update: update working directory after clone completes, if
                 destination is local repository (True means update to default rev,
                 anything else is treated as a revision)
                 branch: branches to clone
                 """
                 if isinstance(source, str):
                     origsource = ui.expandpath(source)
                     source, branch = parseurl(origsource, branch)
                     src_repo = repository(ui, source)
                 else:
                     src_repo = source
                     branch = (None, branch or [])
                     origsource = source = src_repo.url()
                 rev, checkout = addbranchrevs(src_repo, src_repo, branch, rev)
                 if dest is None:
                     dest = defaultdest(source)
                     ui.status(_("destination directory: %s\n") % dest)
                 else:
                     dest = ui.expandpath(dest)
                 dest = localpath(dest)
                 source = localpath(source)
                 if os.path.exists(dest):
                     if not os.path.isdir(dest):
                         raise util.Abort(_("destination '%s' already exists") % dest)
                     elif os.listdir(dest):
                         raise util.Abort(_("destination '%s' is not empty") % dest)
                 class DirCleanup(object):
                     def __init__(self, dir_):
                         self.rmtree = shutil.rmtree
                         self.dir_ = dir_
                     def close(self):
                         self.dir_ = None
                     def cleanup(self):
                         if self.dir_:
                             self.rmtree(self.dir_, True)
                 src_lock = dest_lock = dir_cleanup = None
                 try:
                     if islocal(dest):
                         dir_cleanup = DirCleanup(dest)
                     abspath = origsource
                     copy = False
                     if src_repo.cancopy() and islocal(dest):
                         abspath = os.path.abspath(util.drop_scheme('file', origsource))
                         copy = not pull and not rev
                     if copy:
                         try:
                             # we use a lock here because if we race with commit, we
                             # can end up with extra data in the cloned revlogs that's
                             # not pointed to by changesets, thus causing verify to
                             # fail
                             src_lock = src_repo.lock(wait=False)
                         except error.LockError:
                             copy = False
                     if copy:
                         src_repo.hook('preoutgoing', throw=True, source='clone')
                         hgdir = os.path.realpath(os.path.join(dest, ".hg"))
                         if not os.path.exists(dest):
                             os.mkdir(dest)
                         else:
                             # only clean up directories we create ourselves
                             dir_cleanup.dir_ = hgdir
                         try:
                             dest_path = hgdir
                             os.mkdir(dest_path)
                         except OSError, inst:
                             if inst.errno == errno.EEXIST:
                                 dir_cleanup.close()
                                 raise util.Abort(_("destination '%s' already exists")
                                                  % dest)
                             raise
                         hardlink = None
                         num = 0
                         for f in src_repo.store.copylist():
                             src = os.path.join(src_repo.sharedpath, f)
                             dst = os.path.join(dest_path, f)
                             dstbase = os.path.dirname(dst)
                             if dstbase and not os.path.exists(dstbase):
                                 os.mkdir(dstbase)
                             if os.path.exists(src):
                                 if dst.endswith('data'):
                                     # lock to avoid premature writing to the target
                                     dest_lock = lock.lock(os.path.join(dstbase, "lock"))
                                 hardlink, n = util.copyfiles(src, dst, hardlink)
                                 num += n
                         if hardlink:
                             ui.debug("linked %d files\n" % num)
                         else:
                             ui.debug("copied %d files\n" % num)
                         # we need to re-init the repo after manually copying the data
                         # into it
                         dest_repo = repository(ui, dest)
                         src_repo.hook('outgoing', source='clone',
                                       node=node.hex(node.nullid))
                     else:
                         try:
                             dest_repo = repository(ui, dest, create=True)
                         except OSError, inst:
                             if inst.errno == errno.EEXIST:
                                 dir_cleanup.close()
                                 raise util.Abort(_("destination '%s' already exists")
                                                  % dest)
                             raise
                         revs = None
                         if rev:
                             if 'lookup' not in src_repo.capabilities:
                                 raise util.Abort(_("src repository does not support "
                                                    "revision lookup and so doesn't "
                                                    "support clone by revision"))
                             revs = [src_repo.lookup(r) for r in rev]
                             checkout = revs[0]
                         if dest_repo.local():
                             dest_repo.clone(src_repo, heads=revs, stream=stream)
                         elif src_repo.local():
                             src_repo.push(dest_repo, revs=revs)
                         else:
                             raise util.Abort(_("clone from remote to remote not supported"))
                     if dir_cleanup:
                         dir_cleanup.close()
                     if dest_repo.local():
                         fp = dest_repo.opener("hgrc", "w", text=True)
                         fp.write("[paths]\n")
                         fp.write("default = %s\n" % abspath)
                         fp.close()
                         dest_repo.ui.setconfig('paths', 'default', abspath)
                         if update:
                             if update is not True:
                                 checkout = update
                                 if src_repo.local():
                                     checkout = src_repo.lookup(update)
                             for test in (checkout, 'default', 'tip'):
                                 if test is None:
                                     continue
                                 try:
                                     uprev = dest_repo.lookup(test)
                                     break
                                 except error.RepoLookupError:
                                     continue
                             bn = dest_repo[uprev].branch()
                             dest_repo.ui.status(_("updating to branch %s\n")
                                                 % encoding.tolocal(bn))
                             _update(dest_repo, uprev)
                     return src_repo, dest_repo
                 finally:
                     release(src_lock, dest_lock)
                     if dir_cleanup is not None:
                         dir_cleanup.cleanup()
             def _showstats(repo, stats):
                 repo.ui.status(_("%d files updated, %d files merged, "
                                  "%d files removed, %d files unresolved\n") % stats)
             def update(repo, node):
                 """update the working directory to node, merging linear changes"""
                 stats = mergemod.update(repo, node, False, False, None)
                 _showstats(repo, stats)
                 if stats[3]:
                     repo.ui.status(_("use 'hg resolve' to retry unresolved file merges\n"))
                 return stats[3] > 0
             # naming conflict in clone()
             _update = update
             def clean(repo, node, show_stats=True):
                 """forcibly switch the working directory to node, clobbering changes"""
                 stats = mergemod.update(repo, node, False, True, None)
                 if show_stats:
                     _showstats(repo, stats)
                 return stats[3] > 0
             def merge(repo, node, force=None, remind=True):
                 """branch merge with node, resolving changes"""
                 stats = mergemod.update(repo, node, True, force, False)
                 _showstats(repo, stats)
                 if stats[3]:
                     repo.ui.status(_("use 'hg resolve' to retry unresolved file merges "
                                      "or 'hg update -C .' to abandon\n"))
                 elif remind:
                     repo.ui.status(_("(branch merge, don't forget to commit)\n"))
                 return stats[3] > 0
             def _incoming(displaychlist, subreporecurse, ui, repo, source,
                     opts, buffered=False):
                 """
                 Helper for incoming / gincoming.
                 displaychlist gets called with
                     (remoterepo, incomingchangesetlist, displayer) parameters,
                 and is supposed to contain only code that can't be unified.
                 """
                 source, branches = parseurl(ui.expandpath(source), opts.get('branch'))
                 other = repository(remoteui(repo, opts), source)
                 ui.status(_('comparing with %s\n') % url.hidepassword(source))
                 revs, checkout = addbranchrevs(repo, other, branches, opts.get('rev'))
                 if revs:
                     revs = [other.lookup(rev) for rev in revs]
                 other, incoming, bundle = bundlerepo.getremotechanges(ui, repo, other, revs,
                                             opts["bundle"], opts["force"])
                 if incoming is None:
                     ui.status(_("no changes found\n"))
                     return subreporecurse()
                 try:
                     chlist = other.changelog.nodesbetween(incoming, revs)[0]
                     displayer = cmdutil.show_changeset(ui, other, opts, buffered)
                     # XXX once graphlog extension makes it into core,
                     # should be replaced by a if graph/else
                     displaychlist(other, chlist, displayer)
                     displayer.close()
                 finally:
                     if hasattr(other, 'close'):
                         other.close()
                     if bundle:
                         os.unlink(bundle)
                 subreporecurse()
                 return 0 # exit code is zero since we found incoming changes
             def incoming(ui, repo, source, opts):
                 def subreporecurse():
                     ret = 1
                     if opts.get('subrepos'):
                         ctx = repo[None]
                         for subpath in sorted(ctx.substate):
                             sub = ctx.sub(subpath)
                             ret = min(ret, sub.incoming(ui, source, opts))
                     return ret
                 def display(other, chlist, displayer):
                     limit = cmdutil.loglimit(opts)
                     if opts.get('newest_first'):
                         chlist.reverse()
                     count = 0
                     for n in chlist:
                         if limit is not None and count >= limit:
                             break
                         parents = [p for p in other.changelog.parents(n) if p != nullid]
                         if opts.get('no_merges') and len(parents) == 2:
                             continue
                         count += 1
                         displayer.show(other[n])
                 return _incoming(display, subreporecurse, ui, repo, source, opts)
             def _outgoing(ui, repo, dest, opts):
                 dest = ui.expandpath(dest or 'default-push', dest or 'default')
                 dest, branches = parseurl(dest, opts.get('branch'))
                 revs, checkout = addbranchrevs(repo, repo, branches, opts.get('rev'))
                 if revs:
                     revs = [repo.lookup(rev) for rev in revs]
                 other = repository(remoteui(repo, opts), dest)
                 ui.status(_('comparing with %s\n') % url.hidepassword(dest))
                 o = discovery.findoutgoing(repo, other, force=opts.get('force'))
                 if not o:
                     ui.status(_("no changes found\n"))
                     return None
                 return repo.changelog.nodesbetween(o, revs)[0]
             def outgoing(ui, repo, dest, opts):
                 def recurse():
                     ret = 1
                     if opts.get('subrepos'):
                         ctx = repo[None]
                         for subpath in sorted(ctx.substate):
                             sub = ctx.sub(subpath)
                             ret = min(ret, sub.outgoing(ui, dest, opts))
                     return ret
                 limit = cmdutil.loglimit(opts)
                 o = _outgoing(ui, repo, dest, opts)
                 if o is None:
                     return recurse()
                 if opts.get('newest_first'):
                     o.reverse()
                 displayer = cmdutil.show_changeset(ui, repo, opts)
                 count = 0
                 for n in o:
                     if limit is not None and count >= limit:
                         break
                     parents = [p for p in repo.changelog.parents(n) if p != nullid]
                     if opts.get('no_merges') and len(parents) == 2:
                         continue
                     count += 1
                     displayer.show(repo[n])
                 displayer.close()
                 recurse()
                 return 0 # exit code is zero since we found outgoing changes
             def revert(repo, node, choose):
                 """revert changes to revision in node without updating dirstate"""
                 return mergemod.update(repo, node, False, True, choose)[3] > 0
             def verify(repo):
                 """verify the consistency of a repository"""
                 return verifymod.verify(repo)
             def remoteui(src, opts):
                 'build a remote ui from ui or repo and opts'
                 if hasattr(src, 'baseui'): # looks like a repository
                     dst = src.baseui.copy() # drop repo-specific config
                     src = src.ui # copy target options from repo
                 else: # assume it's a global ui object
                     dst = src.copy() # keep all global options
                 # copy ssh-specific options
                 for o in 'ssh', 'remotecmd':
                     v = opts.get(o) or src.config('ui', o)
                     if v:
                         dst.setconfig("ui", o, v)
                 # copy bundle-specific options
                 r = src.config('bundle', 'mainreporoot')
                 if r:
                     dst.setconfig('bundle', 'mainreporoot', r)
                 # copy selected local settings to the remote ui
                 for sect in ('auth', 'http_proxy'):
                     for key, val in src.configitems(sect):
                         dst.setconfig(sect, key, val)
                 v = src.config('web', 'cacerts')
                 if v:
-                    dst.setconfig('web', 'cacerts', v)
+                    dst.setconfig('web', 'cacerts', util.expandpath(v))
                 return dst

mercurial/url.py

0 +2 0

             # url.py - HTTP handling for mercurial
             #
             # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
             # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO
             import __builtin__
             from i18n import _
             import keepalive, util
             def _urlunparse(scheme, netloc, path, params, query, fragment, url):
                 '''Handle cases where urlunparse(urlparse(x://)) doesn't preserve the "//"'''
                 result = urlparse.urlunparse((scheme, netloc, path, params, query, fragment))
                 if (scheme and
                     result.startswith(scheme + ':') and
                     not result.startswith(scheme + '://') and
                     url.startswith(scheme + '://')
                    ):
                     result = scheme + '://' + result[len(scheme + ':'):]
                 return result
             def hidepassword(url):
                 '''hide user credential in a url string'''
                 scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)
                 netloc = re.sub('([^:]*):([^@]*)@(.*)', r'\1:***@\3', netloc)
                 return _urlunparse(scheme, netloc, path, params, query, fragment, url)
             def removeauth(url):
                 '''remove all authentication information from a url string'''
                 scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)
                 netloc = netloc[netloc.find('@')+1:]
                 return _urlunparse(scheme, netloc, path, params, query, fragment, url)
             def netlocsplit(netloc):
                 '''split [user[:passwd]@]host[:port] into 4-tuple.'''
                 a = netloc.find('@')
                 if a == -1:
                     user, passwd = None, None
                 else:
                     userpass, netloc = netloc[:a], netloc[a + 1:]
                     c = userpass.find(':')
                     if c == -1:
                         user, passwd = urllib.unquote(userpass), None
                     else:
                         user = urllib.unquote(userpass[:c])
                         passwd = urllib.unquote(userpass[c + 1:])
                 c = netloc.find(':')
                 if c == -1:
                     host, port = netloc, None
                 else:
                     host, port = netloc[:c], netloc[c + 1:]
                 return host, port, user, passwd
             def netlocunsplit(host, port, user=None, passwd=None):
                 '''turn host, port, user, passwd into [user[:passwd]@]host[:port].'''
                 if port:
                     hostport = host + ':' + port
                 else:
                     hostport = host
                 if user:
                     quote = lambda s: urllib.quote(s, safe='')
                     if passwd:
                         userpass = quote(user) + ':' + quote(passwd)
                     else:
                         userpass = quote(user)
                     return userpass + '@' + hostport
                 return hostport
             _safe = ('abcdefghijklmnopqrstuvwxyz'
                      'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                      '0123456789' '_.-/')
             _safeset = None
             _hex = None
             def quotepath(path):
                 '''quote the path part of a URL
                 This is similar to urllib.quote, but it also tries to avoid
                 quoting things twice (inspired by wget):
                 >>> quotepath('abc def')
                 'abc%20def'
                 >>> quotepath('abc%20def')
                 'abc%20def'
                 >>> quotepath('abc%20 def')
                 'abc%20%20def'
                 >>> quotepath('abc def%20')
                 'abc%20def%20'
                 >>> quotepath('abc def%2')
                 'abc%20def%252'
                 >>> quotepath('abc def%')
                 'abc%20def%25'
                 '''
                 global _safeset, _hex
                 if _safeset is None:
                     _safeset = set(_safe)
                     _hex = set('abcdefABCDEF0123456789')
                 l = list(path)
                 for i in xrange(len(l)):
                     c = l[i]
                     if (c == '%' and i + 2 < len(l) and
                         l[i + 1] in _hex and l[i + 2] in _hex):
                         pass
                     elif c not in _safeset:
                         l[i] = '%%%02X' % ord(c)
                 return ''.join(l)
             class passwordmgr(urllib2.HTTPPasswordMgrWithDefaultRealm):
                 def __init__(self, ui):
                     urllib2.HTTPPasswordMgrWithDefaultRealm.__init__(self)
                     self.ui = ui
                 def find_user_password(self, realm, authuri):
                     authinfo = urllib2.HTTPPasswordMgrWithDefaultRealm.find_user_password(
                         self, realm, authuri)
                     user, passwd = authinfo
                     if user and passwd:
                         self._writedebug(user, passwd)
                         return (user, passwd)
                     if not user:
                         auth = self.readauthtoken(authuri)
                         if auth:
                             user, passwd = auth.get('username'), auth.get('password')
                     if not user or not passwd:
                         if not self.ui.interactive():
                             raise util.Abort(_('http authorization required'))
                         self.ui.write(_("http authorization required\n"))
                         self.ui.write(_("realm: %s\n") % realm)
                         if user:
                             self.ui.write(_("user: %s\n") % user)
                         else:
                             user = self.ui.prompt(_("user:"), default=None)
                         if not passwd:
                             passwd = self.ui.getpass()
                     self.add_password(realm, authuri, user, passwd)
                     self._writedebug(user, passwd)
                     return (user, passwd)
                 def _writedebug(self, user, passwd):
                     msg = _('http auth: user %s, password %s\n')
                     self.ui.debug(msg % (user, passwd and '*' * len(passwd) or 'not set'))
                 def readauthtoken(self, uri):
                     # Read configuration
                     config = dict()
                     for key, val in self.ui.configitems('auth'):
                         if '.' not in key:
                             self.ui.warn(_("ignoring invalid [auth] key '%s'\n") % key)
                             continue
                         group, setting = key.split('.', 1)
                         gdict = config.setdefault(group, dict())
                         if setting in ('username', 'cert', 'key'):
                             val = util.expandpath(val)
                         gdict[setting] = val
                     # Find the best match
                     scheme, hostpath = uri.split('://', 1)
                     bestlen = 0
                     bestauth = None
                     for auth in config.itervalues():
                         prefix = auth.get('prefix')
                         if not prefix:
                             continue
                         p = prefix.split('://', 1)
                         if len(p) > 1:
                             schemes, prefix = [p[0]], p[1]
                         else:
                             schemes = (auth.get('schemes') or 'https').split()
                         if (prefix == '*' or hostpath.startswith(prefix)) and \
                             len(prefix) > bestlen and scheme in schemes:
                             bestlen = len(prefix)
                             bestauth = auth
                     return bestauth
             class proxyhandler(urllib2.ProxyHandler):
                 def __init__(self, ui):
                     proxyurl = ui.config("http_proxy", "host") or os.getenv('http_proxy')
                     # XXX proxyauthinfo = None
                     if proxyurl:
                         # proxy can be proper url or host[:port]
                         if not (proxyurl.startswith('http:') or
                                 proxyurl.startswith('https:')):
                             proxyurl = 'http://' + proxyurl + '/'
                         snpqf = urlparse.urlsplit(proxyurl)
                         proxyscheme, proxynetloc, proxypath, proxyquery, proxyfrag = snpqf
                         hpup = netlocsplit(proxynetloc)
                         proxyhost, proxyport, proxyuser, proxypasswd = hpup
                         if not proxyuser:
                             proxyuser = ui.config("http_proxy", "user")
                             proxypasswd = ui.config("http_proxy", "passwd")
                         # see if we should use a proxy for this url
                         no_list = ["localhost", "127.0.0.1"]
                         no_list.extend([p.lower() for
                                         p in ui.configlist("http_proxy", "no")])
                         no_list.extend([p.strip().lower() for
                                         p in os.getenv("no_proxy", '').split(',')
                                         if p.strip()])
                         # "http_proxy.always" config is for running tests on localhost
                         if ui.configbool("http_proxy", "always"):
                             self.no_list = []
                         else:
                             self.no_list = no_list
                         proxyurl = urlparse.urlunsplit((
                             proxyscheme, netlocunsplit(proxyhost, proxyport,
                                                             proxyuser, proxypasswd or ''),
                             proxypath, proxyquery, proxyfrag))
                         proxies = {'http': proxyurl, 'https': proxyurl}
                         ui.debug('proxying through http://%s:%s\n' %
                                   (proxyhost, proxyport))
                     else:
                         proxies = {}
                     # urllib2 takes proxy values from the environment and those
                     # will take precedence if found, so drop them
                     for env in ["HTTP_PROXY", "http_proxy", "no_proxy"]:
                         try:
                             if env in os.environ:
                                 del os.environ[env]
                         except OSError:
                             pass
                     urllib2.ProxyHandler.__init__(self, proxies)
                     self.ui = ui
                 def proxy_open(self, req, proxy, type_):
                     host = req.get_host().split(':')[0]
                     if host in self.no_list:
                         return None
                     # work around a bug in Python < 2.4.2
                     # (it leaves a "\n" at the end of Proxy-authorization headers)
                     baseclass = req.__class__
                     class _request(baseclass):
                         def add_header(self, key, val):
                             if key.lower() == 'proxy-authorization':
                                 val = val.strip()
                             return baseclass.add_header(self, key, val)
                     req.__class__ = _request
                     return urllib2.ProxyHandler.proxy_open(self, req, proxy, type_)
             class httpsendfile(object):
                 """This is a wrapper around the objects returned by python's "open".
                 Its purpose is to send file-like objects via HTTP and, to do so, it
                 defines a __len__ attribute to feed the Content-Length header.
                 """
                 def __init__(self, *args, **kwargs):
                     # We can't just "self._data = open(*args, **kwargs)" here because there
                     # is an "open" function defined in this module that shadows the global
                     # one
                     self._data = __builtin__.open(*args, **kwargs)
                     self.read = self._data.read
                     self.seek = self._data.seek
                     self.close = self._data.close
                     self.write = self._data.write
                 def __len__(self):
                     return os.fstat(self._data.fileno()).st_size
             def _gen_sendfile(connection):
                 def _sendfile(self, data):
                     # send a file
                     if isinstance(data, httpsendfile):
                         # if auth required, some data sent twice, so rewind here
                         data.seek(0)
                         for chunk in util.filechunkiter(data):
                             connection.send(self, chunk)
                     else:
                         connection.send(self, data)
                 return _sendfile
             has_https = hasattr(urllib2, 'HTTPSHandler')
             if has_https:
                 try:
                     # avoid using deprecated/broken FakeSocket in python 2.6
                     import ssl
                     _ssl_wrap_socket = ssl.wrap_socket
                     CERT_REQUIRED = ssl.CERT_REQUIRED
                 except ImportError:
                     CERT_REQUIRED = 2
                     def _ssl_wrap_socket(sock, key_file, cert_file,
                                          cert_reqs=CERT_REQUIRED, ca_certs=None):
                         if ca_certs:
                             raise util.Abort(_(
                                 'certificate checking requires Python 2.6'))
                         ssl = socket.ssl(sock, key_file, cert_file)
                         return httplib.FakeSocket(sock, ssl)
                 try:
                     _create_connection = socket.create_connection
                 except AttributeError:
                     _GLOBAL_DEFAULT_TIMEOUT = object()
                     def _create_connection(address, timeout=_GLOBAL_DEFAULT_TIMEOUT,
                                            source_address=None):
                         # lifted from Python 2.6
                         msg = "getaddrinfo returns an empty list"
                         host, port = address
                         for res in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM):
                             af, socktype, proto, canonname, sa = res
                             sock = None
                             try:
                                 sock = socket.socket(af, socktype, proto)
                                 if timeout is not _GLOBAL_DEFAULT_TIMEOUT:
                                     sock.settimeout(timeout)
                                 if source_address:
                                     sock.bind(source_address)
                                 sock.connect(sa)
                                 return sock
                             except socket.error, msg:
                                 if sock is not None:
                                     sock.close()
                         raise socket.error, msg
             class httpconnection(keepalive.HTTPConnection):
                 # must be able to send big bundle as stream.
                 send = _gen_sendfile(keepalive.HTTPConnection)
                 def connect(self):
                     if has_https and self.realhostport: # use CONNECT proxy
                         self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                         self.sock.connect((self.host, self.port))
                         if _generic_proxytunnel(self):
                             # we do not support client x509 certificates
                             self.sock = _ssl_wrap_socket(self.sock, None, None)
                     else:
                         keepalive.HTTPConnection.connect(self)
                 def getresponse(self):
                     proxyres = getattr(self, 'proxyres', None)
                     if proxyres:
                         if proxyres.will_close:
                             self.close()
                         self.proxyres = None
                         return proxyres
                     return keepalive.HTTPConnection.getresponse(self)
             # general transaction handler to support different ways to handle
             # HTTPS proxying before and after Python 2.6.3.
             def _generic_start_transaction(handler, h, req):
                 if hasattr(req, '_tunnel_host') and req._tunnel_host:
                     tunnel_host = req._tunnel_host
                     if tunnel_host[:7] not in ['http://', 'https:/']:
                         tunnel_host = 'https://' + tunnel_host
                     new_tunnel = True
                 else:
                     tunnel_host = req.get_selector()
                     new_tunnel = False
                 if new_tunnel or tunnel_host == req.get_full_url(): # has proxy
                     urlparts = urlparse.urlparse(tunnel_host)
                     if new_tunnel or urlparts[0] == 'https': # only use CONNECT for HTTPS
                         realhostport = urlparts[1]
                         if realhostport[-1] == ']' or ':' not in realhostport:
                             realhostport += ':443'
                         h.realhostport = realhostport
                         h.headers = req.headers.copy()
                         h.headers.update(handler.parent.addheaders)
                         return
                 h.realhostport = None
                 h.headers = None
             def _generic_proxytunnel(self):
                 proxyheaders = dict(
                         [(x, self.headers[x]) for x in self.headers
                          if x.lower().startswith('proxy-')])
                 self._set_hostport(self.host, self.port)
                 self.send('CONNECT %s HTTP/1.0\r\n' % self.realhostport)
                 for header in proxyheaders.iteritems():
                     self.send('%s: %s\r\n' % header)
                 self.send('\r\n')
                 # majority of the following code is duplicated from
                 # httplib.HTTPConnection as there are no adequate places to
                 # override functions to provide the needed functionality
                 res = self.response_class(self.sock,
                                           strict=self.strict,
                                           method=self._method)
                 while True:
                     version, status, reason = res._read_status()
                     if status != httplib.CONTINUE:
                         break
                     while True:
                         skip = res.fp.readline().strip()
                         if not skip:
                             break
                 res.status = status
                 res.reason = reason.strip()
                 if res.status == 200:
                     while True:
                         line = res.fp.readline()
                         if line == '\r\n':
                             break
                     return True
                 if version == 'HTTP/1.0':
                     res.version = 10
                 elif version.startswith('HTTP/1.'):
                     res.version = 11
                 elif version == 'HTTP/0.9':
                     res.version = 9
                 else:
                     raise httplib.UnknownProtocol(version)
                 if res.version == 9:
                     res.length = None
                     res.chunked = 0
                     res.will_close = 1
                     res.msg = httplib.HTTPMessage(cStringIO.StringIO())
                     return False
                 res.msg = httplib.HTTPMessage(res.fp)
                 res.msg.fp = None
                 # are we using the chunked-style of transfer encoding?
                 trenc = res.msg.getheader('transfer-encoding')
                 if trenc and trenc.lower() == "chunked":
                     res.chunked = 1
                     res.chunk_left = None
                 else:
                     res.chunked = 0
                 # will the connection close at the end of the response?
                 res.will_close = res._check_close()
                 # do we have a Content-Length?
                 # NOTE: RFC 2616, S4.4, #3 says we ignore this if tr_enc is "chunked"
                 length = res.msg.getheader('content-length')
                 if length and not res.chunked:
                     try:
                         res.length = int(length)
                     except ValueError:
                         res.length = None
                     else:
                         if res.length < 0:  # ignore nonsensical negative lengths
                             res.length = None
                 else:
                     res.length = None
                 # does the body have a fixed length? (of zero)
                 if (status == httplib.NO_CONTENT or status == httplib.NOT_MODIFIED or
 <= status < 200 or # 1xx codes
                     res._method == 'HEAD'):
                     res.length = 0
                 # if the connection remains open, and we aren't using chunked, and
                 # a content-length was not provided, then assume that the connection
                 # WILL close.
                 if (not res.will_close and
                    not res.chunked and
                    res.length is None):
                     res.will_close = 1
                 self.proxyres = res
                 return False
             class httphandler(keepalive.HTTPHandler):
                 def http_open(self, req):
                     return self.do_open(httpconnection, req)
                 def _start_transaction(self, h, req):
                     _generic_start_transaction(self, h, req)
                     return keepalive.HTTPHandler._start_transaction(self, h, req)
             def _verifycert(cert, hostname):
                 '''Verify that cert (in socket.getpeercert() format) matches hostname.
                 CRLs and subjectAltName are not handled.
                 Returns error message if any problems are found and None on success.
                 '''
                 if not cert:
                     return _('no certificate received')
                 dnsname = hostname.lower()
                 for s in cert.get('subject', []):
                     key, value = s[0]
                     if key == 'commonName':
                         certname = value.lower()
                         if (certname == dnsname or
                             '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]):
                             return None
                         return _('certificate is for %s') % certname
                 return _('no commonName found in certificate')
             if has_https:
                 class BetterHTTPS(httplib.HTTPSConnection):
                     send = keepalive.safesend
                     def connect(self):
                         if hasattr(self, 'ui'):
                             cacerts = self.ui.config('web', 'cacerts')
+                            if cacerts:
+                                cacerts = util.expandpath(cacerts)
                         else:
                             cacerts = None
                         if cacerts:
                             sock = _create_connection((self.host, self.port))
                             self.sock = _ssl_wrap_socket(sock, self.key_file,
                                     self.cert_file, cert_reqs=CERT_REQUIRED,
                                     ca_certs=cacerts)
                             msg = _verifycert(self.sock.getpeercert(), self.host)
                             if msg:
                                 raise util.Abort(_('%s certificate error: %s') %
                                                  (self.host, msg))
                             self.ui.debug('%s certificate successfully verified\n' %
                                           self.host)
                         else:
                             self.ui.warn(_("warning: %s certificate not verified "
                                            "(check web.cacerts config setting)\n") %
                                          self.host)
                             httplib.HTTPSConnection.connect(self)
                 class httpsconnection(BetterHTTPS):
                     response_class = keepalive.HTTPResponse
                     # must be able to send big bundle as stream.
                     send = _gen_sendfile(BetterHTTPS)
                     getresponse = keepalive.wrapgetresponse(httplib.HTTPSConnection)
                     def connect(self):
                         if self.realhostport: # use CONNECT proxy
                             self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                             self.sock.connect((self.host, self.port))
                             if _generic_proxytunnel(self):
                                 self.sock = _ssl_wrap_socket(self.sock, self.key_file,
                                         self.cert_file)
                         else:
                             BetterHTTPS.connect(self)
                 class httpshandler(keepalive.KeepAliveHandler, urllib2.HTTPSHandler):
                     def __init__(self, ui):
                         keepalive.KeepAliveHandler.__init__(self)
                         urllib2.HTTPSHandler.__init__(self)
                         self.ui = ui
                         self.pwmgr = passwordmgr(self.ui)
                     def _start_transaction(self, h, req):
                         _generic_start_transaction(self, h, req)
                         return keepalive.KeepAliveHandler._start_transaction(self, h, req)
                     def https_open(self, req):
                         self.auth = self.pwmgr.readauthtoken(req.get_full_url())
                         return self.do_open(self._makeconnection, req)
                     def _makeconnection(self, host, port=None, *args, **kwargs):
                         keyfile = None
                         certfile = None
                         if len(args) >= 1: # key_file
                             keyfile = args[0]
                         if len(args) >= 2: # cert_file
                             certfile = args[1]
                         args = args[2:]
                         # if the user has specified different key/cert files in
                         # hgrc, we prefer these
                         if self.auth and 'key' in self.auth and 'cert' in self.auth:
                             keyfile = self.auth['key']
                             certfile = self.auth['cert']
                         conn = httpsconnection(host, port, keyfile, certfile, *args, **kwargs)
                         conn.ui = self.ui
                         return conn
             class httpdigestauthhandler(urllib2.HTTPDigestAuthHandler):
                 def __init__(self, *args, **kwargs):
                     urllib2.HTTPDigestAuthHandler.__init__(self, *args, **kwargs)
                     self.retried_req = None
                 def reset_retry_count(self):
                     # Python 2.6.5 will call this on 401 or 407 errors and thus loop
                     # forever. We disable reset_retry_count completely and reset in
                     # http_error_auth_reqed instead.
                     pass
                 def http_error_auth_reqed(self, auth_header, host, req, headers):
                     # Reset the retry counter once for each request.
                     if req is not self.retried_req:
                         self.retried_req = req
                         self.retried = 0
                     # In python < 2.5 AbstractDigestAuthHandler raises a ValueError if
                     # it doesn't know about the auth type requested. This can happen if
                     # somebody is using BasicAuth and types a bad password.
                     try:
                         return urllib2.HTTPDigestAuthHandler.http_error_auth_reqed(
                                     self, auth_header, host, req, headers)
                     except ValueError, inst:
                         arg = inst.args[0]
                         if arg.startswith("AbstractDigestAuthHandler doesn't know "):
                             return
                         raise
             class httpbasicauthhandler(urllib2.HTTPBasicAuthHandler):
                 def __init__(self, *args, **kwargs):
                     urllib2.HTTPBasicAuthHandler.__init__(self, *args, **kwargs)
                     self.retried_req = None
                 def reset_retry_count(self):
                     # Python 2.6.5 will call this on 401 or 407 errors and thus loop
                     # forever. We disable reset_retry_count completely and reset in
                     # http_error_auth_reqed instead.
                     pass
                 def http_error_auth_reqed(self, auth_header, host, req, headers):
                     # Reset the retry counter once for each request.
                     if req is not self.retried_req:
                         self.retried_req = req
                         self.retried = 0
                     return urllib2.HTTPBasicAuthHandler.http_error_auth_reqed(
                                     self, auth_header, host, req, headers)
             def getauthinfo(path):
                 scheme, netloc, urlpath, query, frag = urlparse.urlsplit(path)
                 if not urlpath:
                     urlpath = '/'
                 if scheme != 'file':
                     # XXX: why are we quoting the path again with some smart
                     # heuristic here? Anyway, it cannot be done with file://
                     # urls since path encoding is os/fs dependent (see
                     # urllib.pathname2url() for details).
                     urlpath = quotepath(urlpath)
                 host, port, user, passwd = netlocsplit(netloc)
                 # urllib cannot handle URLs with embedded user or passwd
                 url = urlparse.urlunsplit((scheme, netlocunsplit(host, port),
                                           urlpath, query, frag))
                 if user:
                     netloc = host
                     if port:
                         netloc += ':' + port
                     # Python < 2.4.3 uses only the netloc to search for a password
                     authinfo = (None, (url, netloc), user, passwd or '')
                 else:
                     authinfo = None
                 return url, authinfo
             handlerfuncs = []
             def opener(ui, authinfo=None):
                 '''
                 construct an opener suitable for urllib2
                 authinfo will be added to the password manager
                 '''
                 handlers = [httphandler()]
                 if has_https:
                     handlers.append(httpshandler(ui))
                 handlers.append(proxyhandler(ui))
                 passmgr = passwordmgr(ui)
                 if authinfo is not None:
                     passmgr.add_password(*authinfo)
                     user, passwd = authinfo[2:4]
                     ui.debug('http auth: user %s, password %s\n' %
                              (user, passwd and '*' * len(passwd) or 'not set'))
                 handlers.extend((httpbasicauthhandler(passmgr),
                                  httpdigestauthhandler(passmgr)))
                 handlers.extend([h(ui, passmgr) for h in handlerfuncs])
                 opener = urllib2.build_opener(*handlers)
                 # 1.0 here is the _protocol_ version
                 opener.addheaders = [('User-agent', 'mercurial/proto-1.0')]
                 opener.addheaders.append(('Accept', 'application/mercurial-0.1'))
                 return opener
             scheme_re = re.compile(r'^([a-zA-Z0-9+-.]+)://')
             def open(ui, url, data=None):
                 scheme = None
                 m = scheme_re.search(url)
                 if m:
                     scheme = m.group(1).lower()
                 if not scheme:
                     path = util.normpath(os.path.abspath(url))
                     url = 'file://' + urllib.pathname2url(path)
                     authinfo = None
                 else:
                     url, authinfo = getauthinfo(url)
                 return opener(ui, authinfo).open(url, data)

tests/test-https.t

0 +4 -3

             Proper https client requires the built-in ssl from Python 2.6.
               $ "$TESTDIR/hghave" ssl || exit 80
             Certificates created with:
              printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
              openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
             Can be dumped with:
              openssl x509 -in pub.pem -text
               $ cat << EOT > priv.pem
               > -----BEGIN PRIVATE KEY-----
               > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
               > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
               > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
               > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
               > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
               > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
               > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
               > HY8gUVkVRVs=
               > -----END PRIVATE KEY-----
               > EOT
               $ cat << EOT > pub.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
               > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
               > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
               > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub.pem >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat << EOT > pub-other.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
               > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
               > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
               > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
               > -----END CERTIFICATE-----
               > EOT
             pub.pem patched with other notBefore / notAfter:
               $ cat << EOT > pub-not-yet.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
               > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
               > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
               $ cat << EOT > pub-expired.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
               > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
               > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-expired.pem > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             Test server address cannot be reused
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
               $ cd ..
             clone via pull
               $ hg clone https://localhost:$HGPORT/ copy-pull
               warning: localhost certificate not verified (check web.cacerts config setting)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull without cacert
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
               $ hg pull
               warning: localhost certificate not verified (check web.cacerts config setting)
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
               pulling from https://localhost:$HGPORT/
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert configured in local repo
               $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
               $ echo "[web]" >> copy-pull/.hg/hgrc
               $ echo "cacerts=`pwd`/pub.pem" >> copy-pull/.hg/hgrc
               $ hg -R copy-pull pull --traceback
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
-            cacert configured globally
+            cacert configured globally, also testing expansion of environment
+            variables in the filename
               $ echo "[web]" >> $HGRCPATH
-              $ echo "cacerts=`pwd`/pub.pem" >> $HGRCPATH
+              $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
-              $ hg -R copy-pull pull
+              $ P=`pwd` hg -R copy-pull pull
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
             cacert mismatch
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
               abort: 127.0.0.1 certificate error: certificate is for localhost
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Test server cert which isn't valid yet
               $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Test server cert which no longer is valid
               $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages