Show More
@@ -1,140 +1,144 b'' | |||
|
1 | 1 | # Copyright (C) 2015 - Mike Edgar <adgar@google.com> |
|
2 | 2 | # |
|
3 | 3 | # This extension enables removal of file content at a given revision, |
|
4 | 4 | # rewriting the data/metadata of successive revisions to preserve revision log |
|
5 | 5 | # integrity. |
|
6 | 6 | |
|
7 | 7 | """erase file content at a given revision |
|
8 | 8 | |
|
9 | 9 | The censor command instructs Mercurial to erase all content of a file at a given |
|
10 | 10 | revision *without updating the changeset hash.* This allows existing history to |
|
11 | 11 | remain valid while preventing future clones/pulls from receiving the erased |
|
12 | 12 | data. |
|
13 | 13 | |
|
14 | 14 | Typical uses for censor are due to security or legal requirements, including:: |
|
15 | 15 | |
|
16 | 16 | * Passwords, private keys, cryptographic material |
|
17 | 17 | * Licensed data/code/libraries for which the license has expired |
|
18 | 18 | * Personally Identifiable Information or other private data |
|
19 | 19 | |
|
20 | 20 | Censored nodes can interrupt mercurial's typical operation whenever the excised |
|
21 | 21 | data needs to be materialized. Some commands, like ``hg cat``/``hg revert``, |
|
22 | 22 | simply fail when asked to produce censored data. Others, like ``hg verify`` and |
|
23 | 23 | ``hg update``, must be capable of tolerating censored data to continue to |
|
24 | 24 | function in a meaningful way. Such commands only tolerate censored file |
|
25 | 25 | As having a censored version in a checkout is impractical. The current head |
|
26 | 26 | revisions of the repository are checked. If the revision to be censored is in |
|
27 | 27 | any of them the command will abort. |
|
28 | 28 | |
|
29 | 29 | A few informative commands such as ``hg grep`` will unconditionally |
|
30 | 30 | ignore censored data and merely report that it was encountered. |
|
31 | 31 | """ |
|
32 | 32 | |
|
33 | 33 | |
|
34 | 34 | from mercurial.i18n import _ |
|
35 | 35 | from mercurial.node import short |
|
36 | 36 | |
|
37 | 37 | from mercurial import ( |
|
38 | 38 | error, |
|
39 | 39 | logcmdutil, |
|
40 | 40 | registrar, |
|
41 | 41 | scmutil, |
|
42 | 42 | ) |
|
43 | 43 | |
|
44 | 44 | cmdtable = {} |
|
45 | 45 | command = registrar.command(cmdtable) |
|
46 | 46 | # Note for extension authors: ONLY specify testedwith = 'ships-with-hg-core' for |
|
47 | 47 | # extensions which SHIP WITH MERCURIAL. Non-mainline extensions should |
|
48 | 48 | # be specifying the version(s) of Mercurial they are tested with, or |
|
49 | 49 | # leave the attribute unspecified. |
|
50 | 50 | testedwith = b'ships-with-hg-core' |
|
51 | 51 | |
|
52 | 52 | |
|
53 | 53 | @command( |
|
54 | 54 | b'censor', |
|
55 | 55 | [ |
|
56 | 56 | ( |
|
57 | 57 | b'r', |
|
58 | 58 | b'rev', |
|
59 | 59 | b'', |
|
60 | 60 | _(b'censor file from specified revision'), |
|
61 | 61 | _(b'REV'), |
|
62 | 62 | ), |
|
63 | 63 | ( |
|
64 | 64 | b'', |
|
65 | 65 | b'check-heads', |
|
66 | 66 | True, |
|
67 | 67 | _(b'check that repository heads are not affected'), |
|
68 | 68 | ), |
|
69 | 69 | (b't', b'tombstone', b'', _(b'replacement tombstone data'), _(b'TEXT')), |
|
70 | 70 | ], |
|
71 | 71 | _(b'-r REV [-t TEXT] [FILE]'), |
|
72 | 72 | helpcategory=command.CATEGORY_MAINTENANCE, |
|
73 | 73 | ) |
|
74 | 74 | def censor(ui, repo, path, rev=b'', tombstone=b'', check_heads=True, **opts): |
|
75 | 75 | with repo.wlock(), repo.lock(): |
|
76 | 76 | return _docensor( |
|
77 | 77 | ui, |
|
78 | 78 | repo, |
|
79 | 79 | path, |
|
80 | 80 | rev, |
|
81 | 81 | tombstone, |
|
82 | 82 | check_heads=check_heads, |
|
83 | 83 | **opts, |
|
84 | 84 | ) |
|
85 | 85 | |
|
86 | 86 | |
|
87 | 87 | def _docensor(ui, repo, path, rev=b'', tombstone=b'', check_heads=True, **opts): |
|
88 | 88 | if not path: |
|
89 | 89 | raise error.Abort(_(b'must specify file path to censor')) |
|
90 | 90 | if not rev: |
|
91 | 91 | raise error.Abort(_(b'must specify revision to censor')) |
|
92 | 92 | |
|
93 | 93 | wctx = repo[None] |
|
94 | 94 | |
|
95 | 95 | m = scmutil.match(wctx, (path,)) |
|
96 | 96 | if m.anypats() or len(m.files()) != 1: |
|
97 | 97 | raise error.Abort(_(b'can only specify an explicit filename')) |
|
98 | 98 | path = m.files()[0] |
|
99 | 99 | flog = repo.file(path) |
|
100 | 100 | if not len(flog): |
|
101 | 101 | raise error.Abort(_(b'cannot censor file with no history')) |
|
102 | 102 | |
|
103 | 103 | rev = logcmdutil.revsingle(repo, rev, rev).rev() |
|
104 | 104 | try: |
|
105 | 105 | ctx = repo[rev] |
|
106 | 106 | except KeyError: |
|
107 | 107 | raise error.Abort(_(b'invalid revision identifier %s') % rev) |
|
108 | 108 | |
|
109 | 109 | try: |
|
110 | 110 | fctx = ctx.filectx(path) |
|
111 | 111 | except error.LookupError: |
|
112 | 112 | raise error.Abort(_(b'file does not exist at revision %s') % rev) |
|
113 | 113 | |
|
114 | 114 | fnode = fctx.filenode() |
|
115 | 115 | if check_heads: |
|
116 | 116 | heads = [] |
|
117 | 117 | repo_heads = repo.heads() |
|
118 | 118 | msg = b'checking for the censored content in %d heads\n' |
|
119 | 119 | msg %= len(repo_heads) |
|
120 | 120 | ui.status(msg) |
|
121 | 121 | for headnode in repo_heads: |
|
122 | 122 | hc = repo[headnode] |
|
123 | 123 | if path in hc and hc.filenode(path) == fnode: |
|
124 | 124 | heads.append(hc) |
|
125 | 125 | if heads: |
|
126 | 126 | headlist = b', '.join([short(c.node()) for c in heads]) |
|
127 | 127 | raise error.Abort( |
|
128 | 128 | _(b'cannot censor file in heads (%s)') % headlist, |
|
129 | 129 | hint=_(b'clean/delete and commit first'), |
|
130 | 130 | ) |
|
131 | 131 | |
|
132 | msg = b'checking for the censored content in the working directory\n' | |
|
133 | ui.status(msg) | |
|
132 | 134 | wp = wctx.parents() |
|
133 | 135 | if ctx.node() in [p.node() for p in wp]: |
|
134 | 136 | raise error.Abort( |
|
135 | 137 | _(b'cannot censor working directory'), |
|
136 | 138 | hint=_(b'clean/delete/update first'), |
|
137 | 139 | ) |
|
138 | 140 | |
|
141 | msg = b'censoring 1 file revision\n' | |
|
142 | ui.status(msg) | |
|
139 | 143 | with repo.transaction(b'censor') as tr: |
|
140 | 144 | flog.censorrevision(tr, fnode, tombstone=tombstone) |
@@ -1,636 +1,655 b'' | |||
|
1 | 1 | #require no-reposimplestore |
|
2 | 2 | #testcases revlogv1 revlogv2 |
|
3 | 3 | |
|
4 | 4 | #if revlogv2 |
|
5 | 5 | |
|
6 | 6 | $ cat >> $HGRCPATH <<EOF |
|
7 | 7 | > [experimental] |
|
8 | 8 | > revlogv2=enable-unstable-format-and-corrupt-my-data |
|
9 | 9 | > EOF |
|
10 | 10 | |
|
11 | 11 | #endif |
|
12 | 12 | |
|
13 | 13 | $ cp $HGRCPATH $HGRCPATH.orig |
|
14 | 14 | |
|
15 | 15 | Create repo with unimpeachable content |
|
16 | 16 | |
|
17 | 17 | $ hg init r |
|
18 | 18 | $ cd r |
|
19 | 19 | $ echo 'Initially untainted file' > target |
|
20 | 20 | $ echo 'Normal file here' > bystander |
|
21 | 21 | $ hg add target bystander |
|
22 | 22 | $ hg ci -m init |
|
23 | 23 | |
|
24 | 24 | Clone repo so we can test pull later |
|
25 | 25 | |
|
26 | 26 | $ cd .. |
|
27 | 27 | $ hg clone r rpull |
|
28 | 28 | updating to branch default |
|
29 | 29 | 2 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
30 | 30 | $ cd r |
|
31 | 31 | |
|
32 | 32 | Introduce content which will ultimately require censorship. Name the first |
|
33 | 33 | censored node C1, second C2, and so on |
|
34 | 34 | |
|
35 | 35 | $ echo 'Tainted file' > target |
|
36 | 36 | $ echo 'Passwords: hunter2' >> target |
|
37 | 37 | $ hg ci -m taint target |
|
38 | 38 | $ C1=`hg id --debug -i` |
|
39 | 39 | |
|
40 | 40 | $ echo 'hunter3' >> target |
|
41 | 41 | $ echo 'Normal file v2' > bystander |
|
42 | 42 | $ hg ci -m moretaint target bystander |
|
43 | 43 | $ C2=`hg id --debug -i` |
|
44 | 44 | |
|
45 | 45 | Add a new sanitized versions to correct our mistake. Name the first head H1, |
|
46 | 46 | the second head H2, and so on |
|
47 | 47 | |
|
48 | 48 | $ echo 'Tainted file is now sanitized' > target |
|
49 | 49 | $ hg ci -m sanitized target |
|
50 | 50 | $ H1=`hg id --debug -i` |
|
51 | 51 | |
|
52 | 52 | $ hg update -r $C2 |
|
53 | 53 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
54 | 54 | $ echo 'Tainted file now super sanitized' > target |
|
55 | 55 | $ hg ci -m 'super sanitized' target |
|
56 | 56 | created new head |
|
57 | 57 | $ H2=`hg id --debug -i` |
|
58 | 58 | |
|
59 | 59 | Verify target contents before censorship at each revision |
|
60 | 60 | |
|
61 | 61 | $ hg cat -r $H1 target | head -n 10 |
|
62 | 62 | Tainted file is now sanitized |
|
63 | 63 | $ hg cat -r $H2 target | head -n 10 |
|
64 | 64 | Tainted file now super sanitized |
|
65 | 65 | $ hg cat -r $C2 target | head -n 10 |
|
66 | 66 | Tainted file |
|
67 | 67 | Passwords: hunter2 |
|
68 | 68 | hunter3 |
|
69 | 69 | $ hg cat -r $C1 target | head -n 10 |
|
70 | 70 | Tainted file |
|
71 | 71 | Passwords: hunter2 |
|
72 | 72 | $ hg cat -r 0 target | head -n 10 |
|
73 | 73 | Initially untainted file |
|
74 | 74 | |
|
75 | 75 | Censor revision with 2 offenses |
|
76 | 76 | |
|
77 | 77 | (this also tests file pattern matching: path relative to cwd case) |
|
78 | 78 | |
|
79 | 79 | $ mkdir -p foo/bar/baz |
|
80 | 80 | $ hg --config extensions.censor= --cwd foo/bar/baz censor -r $C2 -t "remove password" ../../../target |
|
81 | 81 | checking for the censored content in 2 heads |
|
82 | checking for the censored content in the working directory | |
|
83 | censoring 1 file revision | |
|
82 | 84 | $ hg cat -r $H1 target | head -n 10 |
|
83 | 85 | Tainted file is now sanitized |
|
84 | 86 | $ hg cat -r $H2 target | head -n 10 |
|
85 | 87 | Tainted file now super sanitized |
|
86 | 88 | $ hg cat -r $C2 target | head -n 10 |
|
87 | 89 | abort: censored node: 1e0247a9a4b7 |
|
88 | 90 | (set censor.policy to ignore errors) |
|
89 | 91 | $ hg cat -r $C1 target | head -n 10 |
|
90 | 92 | Tainted file |
|
91 | 93 | Passwords: hunter2 |
|
92 | 94 | $ hg cat -r 0 target | head -n 10 |
|
93 | 95 | Initially untainted file |
|
94 | 96 | |
|
95 | 97 | Censor revision with 1 offense |
|
96 | 98 | |
|
97 | 99 | (this also tests file pattern matching: with 'path:' scheme) |
|
98 | 100 | |
|
99 | 101 | $ hg --config extensions.censor= --cwd foo/bar/baz censor -r $C1 path:target |
|
100 | 102 | checking for the censored content in 2 heads |
|
103 | checking for the censored content in the working directory | |
|
104 | censoring 1 file revision | |
|
101 | 105 | $ hg cat -r $H1 target | head -n 10 |
|
102 | 106 | Tainted file is now sanitized |
|
103 | 107 | $ hg cat -r $H2 target | head -n 10 |
|
104 | 108 | Tainted file now super sanitized |
|
105 | 109 | $ hg cat -r $C2 target | head -n 10 |
|
106 | 110 | abort: censored node: 1e0247a9a4b7 |
|
107 | 111 | (set censor.policy to ignore errors) |
|
108 | 112 | $ hg cat -r $C1 target | head -n 10 |
|
109 | 113 | abort: censored node: 613bc869fceb |
|
110 | 114 | (set censor.policy to ignore errors) |
|
111 | 115 | $ hg cat -r 0 target | head -n 10 |
|
112 | 116 | Initially untainted file |
|
113 | 117 | |
|
114 | 118 | Can only checkout target at uncensored revisions, -X is workaround for --all |
|
115 | 119 | |
|
116 | 120 | $ hg revert -r $C2 target | head -n 10 |
|
117 | 121 | abort: censored node: 1e0247a9a4b7 |
|
118 | 122 | (set censor.policy to ignore errors) |
|
119 | 123 | $ hg revert -r $C1 target | head -n 10 |
|
120 | 124 | abort: censored node: 613bc869fceb |
|
121 | 125 | (set censor.policy to ignore errors) |
|
122 | 126 | $ hg revert -r $C1 --all |
|
123 | 127 | reverting bystander |
|
124 | 128 | reverting target |
|
125 | 129 | abort: censored node: 613bc869fceb |
|
126 | 130 | (set censor.policy to ignore errors) |
|
127 | 131 | [255] |
|
128 | 132 | $ hg revert -r $C1 --all -X target |
|
129 | 133 | $ cat target | head -n 10 |
|
130 | 134 | Tainted file now super sanitized |
|
131 | 135 | $ hg revert -r 0 --all |
|
132 | 136 | reverting target |
|
133 | 137 | $ cat target | head -n 10 |
|
134 | 138 | Initially untainted file |
|
135 | 139 | $ hg revert -r $H2 --all |
|
136 | 140 | reverting bystander |
|
137 | 141 | reverting target |
|
138 | 142 | $ cat target | head -n 10 |
|
139 | 143 | Tainted file now super sanitized |
|
140 | 144 | |
|
141 | 145 | Uncensored file can be viewed at any revision |
|
142 | 146 | |
|
143 | 147 | $ hg cat -r $H1 bystander | head -n 10 |
|
144 | 148 | Normal file v2 |
|
145 | 149 | $ hg cat -r $C2 bystander | head -n 10 |
|
146 | 150 | Normal file v2 |
|
147 | 151 | $ hg cat -r $C1 bystander | head -n 10 |
|
148 | 152 | Normal file here |
|
149 | 153 | $ hg cat -r 0 bystander | head -n 10 |
|
150 | 154 | Normal file here |
|
151 | 155 | |
|
152 | 156 | Can update to children of censored revision |
|
153 | 157 | |
|
154 | 158 | $ hg update -r $H1 |
|
155 | 159 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
156 | 160 | $ cat target | head -n 10 |
|
157 | 161 | Tainted file is now sanitized |
|
158 | 162 | $ hg update -r $H2 |
|
159 | 163 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
160 | 164 | $ cat target | head -n 10 |
|
161 | 165 | Tainted file now super sanitized |
|
162 | 166 | |
|
163 | 167 | Set censor policy to abort in trusted $HGRC so hg verify fails |
|
164 | 168 | |
|
165 | 169 | $ cp $HGRCPATH.orig $HGRCPATH |
|
166 | 170 | $ cat >> $HGRCPATH <<EOF |
|
167 | 171 | > [censor] |
|
168 | 172 | > policy = abort |
|
169 | 173 | > EOF |
|
170 | 174 | |
|
171 | 175 | Repo fails verification due to censorship |
|
172 | 176 | |
|
173 | 177 | $ hg verify |
|
174 | 178 | checking changesets |
|
175 | 179 | checking manifests |
|
176 | 180 | crosschecking files in changesets and manifests |
|
177 | 181 | checking files |
|
178 | 182 | target@1: censored file data |
|
179 | 183 | target@2: censored file data |
|
180 | 184 | not checking dirstate because of previous errors |
|
181 | 185 | checked 5 changesets with 7 changes to 2 files |
|
182 | 186 | 2 integrity errors encountered! |
|
183 | 187 | (first damaged changeset appears to be 1) |
|
184 | 188 | [1] |
|
185 | 189 | |
|
186 | 190 | Cannot update to revision with censored data |
|
187 | 191 | |
|
188 | 192 | $ hg update -r $C2 |
|
189 | 193 | abort: censored node: 1e0247a9a4b7 |
|
190 | 194 | (set censor.policy to ignore errors) |
|
191 | 195 | [255] |
|
192 | 196 | $ hg update -r $C1 |
|
193 | 197 | abort: censored node: 613bc869fceb |
|
194 | 198 | (set censor.policy to ignore errors) |
|
195 | 199 | [255] |
|
196 | 200 | $ hg update -r 0 |
|
197 | 201 | 2 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
198 | 202 | $ hg update -r $H2 |
|
199 | 203 | 2 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
200 | 204 | |
|
201 | 205 | Set censor policy to ignore in trusted $HGRC so hg verify passes |
|
202 | 206 | |
|
203 | 207 | $ cp $HGRCPATH.orig $HGRCPATH |
|
204 | 208 | $ cat >> $HGRCPATH <<EOF |
|
205 | 209 | > [censor] |
|
206 | 210 | > policy = ignore |
|
207 | 211 | > EOF |
|
208 | 212 | |
|
209 | 213 | Repo passes verification with warnings with explicit config |
|
210 | 214 | |
|
211 | 215 | $ hg verify -q |
|
212 | 216 | |
|
213 | 217 | May update to revision with censored data with explicit config |
|
214 | 218 | |
|
215 | 219 | $ hg update -r $C2 |
|
216 | 220 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
217 | 221 | $ cat target | head -n 10 |
|
218 | 222 | $ hg update -r $C1 |
|
219 | 223 | 2 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
220 | 224 | $ cat target | head -n 10 |
|
221 | 225 | $ hg update -r 0 |
|
222 | 226 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
223 | 227 | $ cat target | head -n 10 |
|
224 | 228 | Initially untainted file |
|
225 | 229 | $ hg update -r $H2 |
|
226 | 230 | 2 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
227 | 231 | $ cat target | head -n 10 |
|
228 | 232 | Tainted file now super sanitized |
|
229 | 233 | |
|
230 | 234 | Can merge in revision with censored data. Test requires one branch of history |
|
231 | 235 | with the file censored, but we can't censor at a head, so advance H1. |
|
232 | 236 | |
|
233 | 237 | $ hg update -r $H1 |
|
234 | 238 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
235 | 239 | $ C3=$H1 |
|
236 | 240 | $ echo 'advanced head H1' > target |
|
237 | 241 | $ hg ci -m 'advance head H1' target |
|
238 | 242 | $ H1=`hg id --debug -i` |
|
239 | 243 | $ hg --config extensions.censor= censor -r $C3 target |
|
240 | 244 | checking for the censored content in 2 heads |
|
245 | checking for the censored content in the working directory | |
|
246 | censoring 1 file revision | |
|
241 | 247 | $ hg update -r $H2 |
|
242 | 248 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
243 | 249 | $ hg merge -r $C3 |
|
244 | 250 | merging target |
|
245 | 251 | 0 files updated, 1 files merged, 0 files removed, 0 files unresolved |
|
246 | 252 | (branch merge, don't forget to commit) |
|
247 | 253 | |
|
248 | 254 | Revisions present in repository heads may not be censored |
|
249 | 255 | |
|
250 | 256 | $ hg update -C -r $H2 |
|
251 | 257 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
252 | 258 | $ hg --config extensions.censor= censor -r $H2 target |
|
253 | 259 | checking for the censored content in 2 heads |
|
254 | 260 | abort: cannot censor file in heads (78a8fc215e79) |
|
255 | 261 | (clean/delete and commit first) |
|
256 | 262 | [255] |
|
257 | 263 | $ echo 'twiddling thumbs' > bystander |
|
258 | 264 | $ hg ci -m 'bystander commit' |
|
259 | 265 | $ H2=`hg id --debug -i` |
|
260 | 266 | $ hg --config extensions.censor= censor -r "$H2^" target |
|
261 | 267 | checking for the censored content in 2 heads |
|
262 | 268 | abort: cannot censor file in heads (efbe78065929) |
|
263 | 269 | (clean/delete and commit first) |
|
264 | 270 | [255] |
|
265 | 271 | |
|
266 | 272 | Cannot censor working directory |
|
267 | 273 | |
|
268 | 274 | $ echo 'seriously no passwords' > target |
|
269 | 275 | $ hg ci -m 'extend second head arbitrarily' target |
|
270 | 276 | $ H2=`hg id --debug -i` |
|
271 | 277 | $ hg update -r "$H2^" |
|
272 | 278 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
273 | 279 | $ hg --config extensions.censor= censor -r . target |
|
274 | 280 | checking for the censored content in 2 heads |
|
281 | checking for the censored content in the working directory | |
|
275 | 282 | abort: cannot censor working directory |
|
276 | 283 | (clean/delete/update first) |
|
277 | 284 | [255] |
|
278 | 285 | $ hg update -r $H2 |
|
279 | 286 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
280 | 287 | |
|
281 | 288 | Can re-add file after being deleted + censored |
|
282 | 289 | |
|
283 | 290 | $ C4=$H2 |
|
284 | 291 | $ hg rm target |
|
285 | 292 | $ hg ci -m 'delete target so it may be censored' |
|
286 | 293 | $ H2=`hg id --debug -i` |
|
287 | 294 | $ hg --config extensions.censor= censor -r $C4 target |
|
288 | 295 | checking for the censored content in 2 heads |
|
296 | checking for the censored content in the working directory | |
|
297 | censoring 1 file revision | |
|
289 | 298 | $ hg cat -r $C4 target | head -n 10 |
|
290 | 299 | $ hg cat -r "$H2^^" target | head -n 10 |
|
291 | 300 | Tainted file now super sanitized |
|
292 | 301 | $ echo 'fresh start' > target |
|
293 | 302 | $ hg add target |
|
294 | 303 | $ hg ci -m reincarnated target |
|
295 | 304 | $ H2=`hg id --debug -i` |
|
296 | 305 | $ hg cat -r $H2 target | head -n 10 |
|
297 | 306 | fresh start |
|
298 | 307 | $ hg cat -r "$H2^" target | head -n 10 |
|
299 | 308 | target: no such file in rev 452ec1762369 |
|
300 | 309 | $ hg cat -r $C4 target | head -n 10 |
|
301 | 310 | $ hg cat -r "$H2^^^" target | head -n 10 |
|
302 | 311 | Tainted file now super sanitized |
|
303 | 312 | |
|
304 | 313 | Can censor enough revision to move back to inline storage |
|
305 | 314 | |
|
306 | 315 | $ hg debugrevlogstats | grep target |
|
307 | 316 | rev-count data-size inl type target |
|
308 | 317 | 8 ??? no file target (glob) (revlogv2 !) |
|
309 | 318 | 8 ??? yes file target (glob) (revlogv1 !) |
|
310 | 319 | $ cat /dev/rand?m | dd status=none count=200 | f --hexdump > target |
|
311 | 320 | $ hg ci -m 'add 100k passwords' |
|
312 | 321 | $ H2=`hg id --debug -i` |
|
313 | 322 | $ C5=$H2 |
|
314 | 323 | $ hg revert -r "$H2^" target |
|
315 | 324 | $ hg ci -m 'cleaned 100k passwords' |
|
316 | 325 | $ H2=`hg id --debug -i` |
|
317 | 326 | $ hg debugrevlogstats | grep target |
|
318 | 327 | rev-count data-size inl type target |
|
319 | 328 | 10 ?????? no file target (glob) |
|
320 | 329 | $ hg --config extensions.censor= censor -r $C5 target |
|
321 | 330 | checking for the censored content in 2 heads |
|
331 | checking for the censored content in the working directory | |
|
332 | censoring 1 file revision | |
|
322 | 333 | |
|
323 | 334 | The important part is for the censor operation to not crash and the repository |
|
324 | 335 | to not be corrupted. Right now this involve keeping the revlog split. |
|
325 | 336 | |
|
326 | 337 | $ hg debugrevlogstats | grep target |
|
327 | 338 | rev-count data-size inl type target |
|
328 | 339 | 10 ??? no file target (glob) |
|
329 | 340 | $ hg cat -r $C5 target | head -n 10 |
|
330 | 341 | $ hg cat -r $H2 target | head -n 10 |
|
331 | 342 | fresh start |
|
332 | 343 | $ hg verify |
|
333 | 344 | checking changesets |
|
334 | 345 | checking manifests |
|
335 | 346 | crosschecking files in changesets and manifests |
|
336 | 347 | checking files |
|
337 | 348 | checking dirstate |
|
338 | 349 | checked 12 changesets with 13 changes to 2 files |
|
339 | 350 | |
|
340 | 351 | Repo with censored nodes can be cloned and cloned nodes are censored |
|
341 | 352 | |
|
342 | 353 | $ cd .. |
|
343 | 354 | $ hg clone r rclone |
|
344 | 355 | updating to branch default |
|
345 | 356 | 2 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
346 | 357 | $ cd rclone |
|
347 | 358 | $ hg cat -r $H1 target | head -n 10 |
|
348 | 359 | advanced head H1 |
|
349 | 360 | $ hg cat -r $H2~5 target | head -n 10 |
|
350 | 361 | Tainted file now super sanitized |
|
351 | 362 | $ hg cat -r $C2 target | head -n 10 |
|
352 | 363 | $ hg cat -r $C1 target | head -n 10 |
|
353 | 364 | $ hg cat -r 0 target | head -n 10 |
|
354 | 365 | Initially untainted file |
|
355 | 366 | $ hg verify -q |
|
356 | 367 | |
|
357 | 368 | Repo cloned before tainted content introduced can pull censored nodes |
|
358 | 369 | |
|
359 | 370 | $ cd ../rpull |
|
360 | 371 | $ hg cat -r tip target | head -n 10 |
|
361 | 372 | Initially untainted file |
|
362 | 373 | $ hg verify -q |
|
363 | 374 | $ hg pull -r $H1 -r $H2 |
|
364 | 375 | pulling from $TESTTMP/r |
|
365 | 376 | searching for changes |
|
366 | 377 | adding changesets |
|
367 | 378 | adding manifests |
|
368 | 379 | adding file changes |
|
369 | 380 | added 11 changesets with 11 changes to 2 files (+1 heads) |
|
370 | 381 | new changesets * (glob) |
|
371 | 382 | (run 'hg heads' to see heads, 'hg merge' to merge) |
|
372 | 383 | $ hg update 4 |
|
373 | 384 | 2 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
374 | 385 | $ cat target | head -n 10 |
|
375 | 386 | Tainted file now super sanitized |
|
376 | 387 | $ hg cat -r $H1 target | head -n 10 |
|
377 | 388 | advanced head H1 |
|
378 | 389 | $ hg cat -r $H2~5 target | head -n 10 |
|
379 | 390 | Tainted file now super sanitized |
|
380 | 391 | $ hg cat -r $C2 target | head -n 10 |
|
381 | 392 | $ hg cat -r $C1 target | head -n 10 |
|
382 | 393 | $ hg cat -r 0 target | head -n 10 |
|
383 | 394 | Initially untainted file |
|
384 | 395 | $ hg verify -q |
|
385 | 396 | |
|
386 | 397 | Censored nodes can be pushed if they censor previously unexchanged nodes |
|
387 | 398 | |
|
388 | 399 | $ echo 'Passwords: hunter2hunter2' > target |
|
389 | 400 | $ hg ci -m 're-add password from clone' target |
|
390 | 401 | created new head |
|
391 | 402 | $ H3=`hg id --debug -i` |
|
392 | 403 | $ REV=$H3 |
|
393 | 404 | $ echo 'Re-sanitized; nothing to see here' > target |
|
394 | 405 | $ hg ci -m 're-sanitized' target |
|
395 | 406 | $ H2=`hg id --debug -i` |
|
396 | 407 | $ CLEANREV=$H2 |
|
397 | 408 | $ hg cat -r $REV target | head -n 10 |
|
398 | 409 | Passwords: hunter2hunter2 |
|
399 | 410 | $ hg --config extensions.censor= censor -r $REV target |
|
400 | 411 | checking for the censored content in 3 heads |
|
412 | checking for the censored content in the working directory | |
|
413 | censoring 1 file revision | |
|
401 | 414 | $ hg cat -r $REV target | head -n 10 |
|
402 | 415 | $ hg cat -r $CLEANREV target | head -n 10 |
|
403 | 416 | Re-sanitized; nothing to see here |
|
404 | 417 | $ hg push -f -r $H2 |
|
405 | 418 | pushing to $TESTTMP/r |
|
406 | 419 | searching for changes |
|
407 | 420 | adding changesets |
|
408 | 421 | adding manifests |
|
409 | 422 | adding file changes |
|
410 | 423 | added 2 changesets with 2 changes to 1 files (+1 heads) |
|
411 | 424 | |
|
412 | 425 | $ cd ../r |
|
413 | 426 | $ hg cat -r $REV target | head -n 10 |
|
414 | 427 | $ hg cat -r $CLEANREV target | head -n 10 |
|
415 | 428 | Re-sanitized; nothing to see here |
|
416 | 429 | $ hg update $CLEANREV |
|
417 | 430 | 2 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
418 | 431 | $ cat target | head -n 10 |
|
419 | 432 | Re-sanitized; nothing to see here |
|
420 | 433 | |
|
421 | 434 | Censored nodes can be bundled up and unbundled in another repo |
|
422 | 435 | |
|
423 | 436 | $ hg bundle --base 0 ../pwbundle |
|
424 | 437 | 13 changesets found |
|
425 | 438 | $ cd ../rclone |
|
426 | 439 | $ hg unbundle ../pwbundle |
|
427 | 440 | adding changesets |
|
428 | 441 | adding manifests |
|
429 | 442 | adding file changes |
|
430 | 443 | added 2 changesets with 2 changes to 2 files (+1 heads) |
|
431 | 444 | new changesets * (glob) |
|
432 | 445 | (run 'hg heads .' to see heads, 'hg merge' to merge) |
|
433 | 446 | $ hg cat -r $REV target | head -n 10 |
|
434 | 447 | $ hg cat -r $CLEANREV target | head -n 10 |
|
435 | 448 | Re-sanitized; nothing to see here |
|
436 | 449 | $ hg update $CLEANREV |
|
437 | 450 | 2 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
438 | 451 | $ cat target | head -n 10 |
|
439 | 452 | Re-sanitized; nothing to see here |
|
440 | 453 | $ hg verify -q |
|
441 | 454 | |
|
442 | 455 | Grepping only warns, doesn't error out |
|
443 | 456 | |
|
444 | 457 | $ cd ../rpull |
|
445 | 458 | $ hg grep 'Normal file' |
|
446 | 459 | bystander:Normal file v2 |
|
447 | 460 | $ hg grep nothing |
|
448 | 461 | target:Re-sanitized; nothing to see here |
|
449 | 462 | $ hg grep --diff 'Normal file' |
|
450 | 463 | cannot search in censored file: target:7 |
|
451 | 464 | cannot search in censored file: target:10 |
|
452 | 465 | cannot search in censored file: target:12 |
|
453 | 466 | bystander:6:-:Normal file v2 |
|
454 | 467 | cannot search in censored file: target:1 |
|
455 | 468 | cannot search in censored file: target:2 |
|
456 | 469 | cannot search in censored file: target:3 |
|
457 | 470 | bystander:2:-:Normal file here |
|
458 | 471 | bystander:2:+:Normal file v2 |
|
459 | 472 | bystander:0:+:Normal file here |
|
460 | 473 | $ hg grep --diff nothing |
|
461 | 474 | cannot search in censored file: target:7 |
|
462 | 475 | cannot search in censored file: target:10 |
|
463 | 476 | cannot search in censored file: target:12 |
|
464 | 477 | target:13:+:Re-sanitized; nothing to see here |
|
465 | 478 | cannot search in censored file: target:1 |
|
466 | 479 | cannot search in censored file: target:2 |
|
467 | 480 | cannot search in censored file: target:3 |
|
468 | 481 | |
|
469 | 482 | Censored nodes can be imported on top of censored nodes, consecutively |
|
470 | 483 | |
|
471 | 484 | $ hg init ../rimport |
|
472 | 485 | $ hg bundle --base 1 ../rimport/splitbundle |
|
473 | 486 | 12 changesets found |
|
474 | 487 | $ cd ../rimport |
|
475 | 488 | $ hg pull -r $H1 -r $H2 ../r |
|
476 | 489 | pulling from ../r |
|
477 | 490 | adding changesets |
|
478 | 491 | adding manifests |
|
479 | 492 | adding file changes |
|
480 | 493 | added 8 changesets with 10 changes to 2 files (+1 heads) |
|
481 | 494 | new changesets e97f55b2665a:dcbaf17bf3a1 |
|
482 | 495 | (run 'hg heads' to see heads, 'hg merge' to merge) |
|
483 | 496 | $ hg unbundle splitbundle |
|
484 | 497 | adding changesets |
|
485 | 498 | adding manifests |
|
486 | 499 | adding file changes |
|
487 | 500 | added 6 changesets with 5 changes to 2 files (+1 heads) |
|
488 | 501 | new changesets * (glob) |
|
489 | 502 | (run 'hg heads .' to see heads, 'hg merge' to merge) |
|
490 | 503 | $ hg update $H2 |
|
491 | 504 | 2 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
492 | 505 | $ cat target | head -n 10 |
|
493 | 506 | Re-sanitized; nothing to see here |
|
494 | 507 | $ hg verify -q |
|
495 | 508 | $ cd ../r |
|
496 | 509 | |
|
497 | 510 | Can import bundle where first revision of a file is censored |
|
498 | 511 | |
|
499 | 512 | $ hg init ../rinit |
|
500 | 513 | $ hg --config extensions.censor= censor -r 0 target |
|
501 | 514 | checking for the censored content in 3 heads |
|
515 | checking for the censored content in the working directory | |
|
516 | censoring 1 file revision | |
|
502 | 517 | $ hg bundle -r 0 --base null ../rinit/initbundle |
|
503 | 518 | 1 changesets found |
|
504 | 519 | $ cd ../rinit |
|
505 | 520 | $ hg unbundle initbundle |
|
506 | 521 | adding changesets |
|
507 | 522 | adding manifests |
|
508 | 523 | adding file changes |
|
509 | 524 | added 1 changesets with 2 changes to 2 files |
|
510 | 525 | new changesets e97f55b2665a (1 drafts) |
|
511 | 526 | (run 'hg update' to get a working copy) |
|
512 | 527 | $ hg cat -r 0 target | head -n 10 |
|
513 | 528 | |
|
514 | 529 | Can skip the head checking steps |
|
515 | 530 | |
|
516 | 531 | $ hg --config extensions.censor= censor -r 0 --no-check-heads target |
|
532 | checking for the censored content in the working directory | |
|
533 | censoring 1 file revision | |
|
517 | 534 | |
|
518 | 535 | #if revlogv2 |
|
519 | 536 | |
|
520 | 537 | Testing feature that does not work in revlog v1 |
|
521 | 538 | =============================================== |
|
522 | 539 | |
|
523 | 540 | Censoring a revision that is used as delta base |
|
524 | 541 | ----------------------------------------------- |
|
525 | 542 | |
|
526 | 543 | $ cd .. |
|
527 | 544 | $ hg init censor-with-delta |
|
528 | 545 | $ cd censor-with-delta |
|
529 | 546 | $ echo root > target |
|
530 | 547 | $ hg add target |
|
531 | 548 | $ hg commit -m root |
|
532 | 549 | $ B0=`hg id --debug -i` |
|
533 | 550 | $ for x in `"$PYTHON" $TESTDIR/seq.py 0 50000` |
|
534 | 551 | > do |
|
535 | 552 | > echo "Password: hunter$x" >> target |
|
536 | 553 | > done |
|
537 | 554 | $ hg ci -m 'write a long file' |
|
538 | 555 | $ B1=`hg id --debug -i` |
|
539 | 556 | $ echo 'small change (should create a delta)' >> target |
|
540 | 557 | $ hg ci -m 'create a delta over the password' |
|
541 | 558 | (should show that the last revision is a delta, not a snapshot) |
|
542 | 559 | $ B2=`hg id --debug -i` |
|
543 | 560 | |
|
544 | 561 | Make sure the last revision is a delta against the revision we will censor |
|
545 | 562 | |
|
546 | 563 | $ hg debugdeltachain target -T '{rev} {chainid} {chainlen} {prevrev}\n' |
|
547 | 564 | 0 1 1 -1 |
|
548 | 565 | 1 2 1 -1 |
|
549 | 566 | 2 2 2 1 |
|
550 | 567 | |
|
551 | 568 | Censor the file |
|
552 | 569 | |
|
553 | 570 | $ hg cat -r $B1 target | wc -l |
|
554 | 571 | *50002 (re) |
|
555 | 572 | $ hg --config extensions.censor= censor -r $B1 target |
|
556 | 573 | checking for the censored content in 1 heads |
|
574 | checking for the censored content in the working directory | |
|
575 | censoring 1 file revision | |
|
557 | 576 | $ hg cat -r $B1 target | wc -l |
|
558 | 577 | *0 (re) |
|
559 | 578 | |
|
560 | 579 | Check the children is fine |
|
561 | 580 | |
|
562 | 581 | $ hg cat -r $B2 target | wc -l |
|
563 | 582 | *50003 (re) |
|
564 | 583 | |
|
565 | 584 | #endif |
|
566 | 585 | |
|
567 | 586 | Testing repository upgrade with censors revision |
|
568 | 587 | ================================================ |
|
569 | 588 | |
|
570 | 589 | $ cd ../rclone |
|
571 | 590 | |
|
572 | 591 | With the "abort" policy |
|
573 | 592 | ======================= |
|
574 | 593 | |
|
575 | 594 | $ hg verify --config censor.policy=ignore |
|
576 | 595 | checking changesets |
|
577 | 596 | checking manifests |
|
578 | 597 | crosschecking files in changesets and manifests |
|
579 | 598 | checking files |
|
580 | 599 | checking dirstate |
|
581 | 600 | checked 14 changesets with 15 changes to 2 files |
|
582 | 601 | $ hg debugupgraderepo --run --quiet \ |
|
583 | 602 | > --optimize re-delta-parent \ |
|
584 | 603 | > --config censor.policy=abort |
|
585 | 604 | upgrade will perform the following actions: |
|
586 | 605 | |
|
587 | 606 | requirements |
|
588 | 607 | preserved: * (glob) |
|
589 | 608 | |
|
590 | 609 | optimisations: re-delta-parent |
|
591 | 610 | |
|
592 | 611 | processed revlogs: |
|
593 | 612 | - all-filelogs |
|
594 | 613 | - changelog |
|
595 | 614 | - manifest |
|
596 | 615 | |
|
597 | 616 | $ hg verify --config censor.policy=ignore |
|
598 | 617 | checking changesets |
|
599 | 618 | checking manifests |
|
600 | 619 | crosschecking files in changesets and manifests |
|
601 | 620 | checking files |
|
602 | 621 | checking dirstate |
|
603 | 622 | checked 14 changesets with 15 changes to 2 files |
|
604 | 623 | |
|
605 | 624 | With the "ignore" policy |
|
606 | 625 | ======================== |
|
607 | 626 | |
|
608 | 627 | $ hg verify --config censor.policy=ignore |
|
609 | 628 | checking changesets |
|
610 | 629 | checking manifests |
|
611 | 630 | crosschecking files in changesets and manifests |
|
612 | 631 | checking files |
|
613 | 632 | checking dirstate |
|
614 | 633 | checked 14 changesets with 15 changes to 2 files |
|
615 | 634 | $ hg debugupgraderepo --run --quiet \ |
|
616 | 635 | > --optimize re-delta-parent \ |
|
617 | 636 | > --config censor.policy=ignore |
|
618 | 637 | upgrade will perform the following actions: |
|
619 | 638 | |
|
620 | 639 | requirements |
|
621 | 640 | preserved: * (glob) |
|
622 | 641 | |
|
623 | 642 | optimisations: re-delta-parent |
|
624 | 643 | |
|
625 | 644 | processed revlogs: |
|
626 | 645 | - all-filelogs |
|
627 | 646 | - changelog |
|
628 | 647 | - manifest |
|
629 | 648 | |
|
630 | 649 | $ hg verify --config censor.policy=ignore |
|
631 | 650 | checking changesets |
|
632 | 651 | checking manifests |
|
633 | 652 | crosschecking files in changesets and manifests |
|
634 | 653 | checking files |
|
635 | 654 | checking dirstate |
|
636 | 655 | checked 14 changesets with 15 changes to 2 files |
@@ -1,23 +1,25 b'' | |||
|
1 | 1 | $ cat >> $HGRCPATH <<EOF |
|
2 | 2 | > [censor] |
|
3 | 3 | > policy=ignore |
|
4 | 4 | > EOF |
|
5 | 5 | |
|
6 | 6 | $ mkdir r |
|
7 | 7 | $ cd r |
|
8 | 8 | $ hg init |
|
9 | 9 | $ echo secret > target |
|
10 | 10 | $ hg commit -Am "secret" |
|
11 | 11 | adding target |
|
12 | 12 | $ touch bystander |
|
13 | 13 | $ hg commit -Am "innocent" |
|
14 | 14 | adding bystander |
|
15 | 15 | $ echo erased-secret > target |
|
16 | 16 | $ hg commit -m "erased secret" |
|
17 | 17 | $ hg censor target --config extensions.censor= -r ".^^" |
|
18 | 18 | checking for the censored content in 1 heads |
|
19 | checking for the censored content in the working directory | |
|
20 | censoring 1 file revision | |
|
19 | 21 | $ hg update ".^" |
|
20 | 22 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
21 | 23 | $ cat target |
|
22 | 24 | $ hg update tip |
|
23 | 25 | 1 files updated, 0 files merged, 0 files removed, 0 files unresolved |
General Comments 0
You need to be logged in to leave comments.
Login now