Show More
@@ -1,86 +1,86 b'' | |||
|
1 | 1 | #!/usr/bin/env python |
|
2 | 2 | # |
|
3 | 3 | # Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de> |
|
4 | 4 | # |
|
5 | 5 | # Author(s): |
|
6 | 6 | # Thomas Arendsen Hein <thomas@intevation.de> |
|
7 | 7 | # |
|
8 | 8 | # This software may be used and distributed according to the terms of the |
|
9 | 9 | # GNU General Public License version 2 or any later version. |
|
10 | 10 | |
|
11 | 11 | """ |
|
12 | 12 | hg-ssh - a wrapper for ssh access to a limited set of mercurial repos |
|
13 | 13 | |
|
14 | 14 | To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8): |
|
15 | 15 | command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ... |
|
16 | 16 | (probably together with these other useful options: |
|
17 | 17 | no-port-forwarding,no-X11-forwarding,no-agent-forwarding) |
|
18 | 18 | |
|
19 | 19 | This allows pull/push over ssh from/to the repositories given as arguments. |
|
20 | 20 | |
|
21 | 21 | If all your repositories are subdirectories of a common directory, you can |
|
22 | 22 | allow shorter paths with: |
|
23 | 23 | command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2" |
|
24 | 24 | |
|
25 | 25 | You can use pattern matching of your normal shell, e.g.: |
|
26 | 26 | command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}" |
|
27 | 27 | |
|
28 | 28 | You can also add a --read-only flag to allow read-only access to a key, e.g.: |
|
29 | 29 | command="hg-ssh --read-only repos/*" |
|
30 | 30 | """ |
|
31 | 31 | |
|
32 | 32 | # enable importing on demand to reduce startup time |
|
33 | 33 | from mercurial import demandimport; demandimport.enable() |
|
34 | 34 | |
|
35 | 35 | from mercurial import dispatch |
|
36 | 36 | |
|
37 | 37 | import sys, os, shlex |
|
38 | 38 | |
|
39 | 39 | def main(): |
|
40 | 40 | cwd = os.getcwd() |
|
41 | 41 | readonly = False |
|
42 | 42 | args = sys.argv[1:] |
|
43 | 43 | while len(args): |
|
44 | 44 | if args[0] == '--read-only': |
|
45 | 45 | readonly = True |
|
46 | 46 | args.pop(0) |
|
47 | 47 | else: |
|
48 | 48 | break |
|
49 | 49 | allowed_paths = [os.path.normpath(os.path.join(cwd, |
|
50 | 50 | os.path.expanduser(path))) |
|
51 | 51 | for path in args] |
|
52 | 52 | orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?') |
|
53 | 53 | try: |
|
54 | 54 | cmdargv = shlex.split(orig_cmd) |
|
55 | 55 | except ValueError, e: |
|
56 | 56 | sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e)) |
|
57 | 57 | sys.exit(255) |
|
58 | 58 | |
|
59 | 59 | if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']: |
|
60 | 60 | path = cmdargv[2] |
|
61 | 61 | repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path))) |
|
62 | 62 | if repo in allowed_paths: |
|
63 | 63 | cmd = ['-R', repo, 'serve', '--stdio'] |
|
64 | 64 | if readonly: |
|
65 | 65 | cmd += [ |
|
66 | 66 | '--config', |
|
67 | 67 | 'hooks.pretxnopen.hg-ssh=python:__main__.rejectpush', |
|
68 | 68 | '--config', |
|
69 | 69 | 'hooks.prepushkey.hg-ssh=python:__main__.rejectpush' |
|
70 | 70 | ] |
|
71 | 71 | dispatch.dispatch(dispatch.request(cmd)) |
|
72 | 72 | else: |
|
73 | 73 | sys.stderr.write('Illegal repository "%s"\n' % repo) |
|
74 | 74 | sys.exit(255) |
|
75 | 75 | else: |
|
76 | 76 | sys.stderr.write('Illegal command "%s"\n' % orig_cmd) |
|
77 | 77 | sys.exit(255) |
|
78 | 78 | |
|
79 | 79 | def rejectpush(ui, **kwargs): |
|
80 | ui.warn("Permission denied\n") | |
|
80 | ui.warn(("Permission denied\n")) | |
|
81 | 81 | # mercurial hooks use unix process conventions for hook return values |
|
82 | 82 | # so a truthy return means failure |
|
83 | 83 | return True |
|
84 | 84 | |
|
85 | 85 | if __name__ == '__main__': |
|
86 | 86 | main() |
General Comments 0
You need to be logged in to leave comments.
Login now