upstream/mercurial-mirror Files · contrib/hg-ssh

phabricator: use .arcconfig for the callsign if not set locally (issue6243)...

phabricator: use .arcconfig for the callsign if not set locally (issue6243) This makes things easier for people working with more than one repository because this file can be committed to each repository. The bug report asks to read <repo>/.arcrc, but AFAICT, that file lives in ~/ and holds the credentials. And we already track an .arcconfig file. Any callsign set globally is still used if that is all that is present, but .arcconfig will override it if available. The idea behind letting the local hgrc override .arcconfig is that the developer may need to do testing against another server, and not dirty the working directory. Originally I was going to just try to read the callsign in `getrepophid()` if it wasn't present in the hg config. That works fine, but I think it also makes sense to read the URL from this file too. That would have worked less well because `readurltoken()` doesn't have access to the repo object to know where to find the file. Supplimenting the config mechanism is less magical because it reports the source and value of the properties used, and it doesn't need to read the file twice. Invalid hgrc files generally cause the program to abort. I only flagged it as a warning here because it's not our config file, not crucial to the whole program operating, and really shouldn't be corrupt in the typical case where it is checked into the repo. Differential Revision: https://phab.mercurial-scm.org/D7934

Gregory Szorc - - Load All Authors

File last commit:

r44058:99e231af default


                r44586:59b3fe1e

default

Download file

             hg-ssh
        
                    111 lines
            
             | 3.2 KiB
            
                | text/plain
            
             |
                TextLexer

/ contrib / hg-ssh

History | Annotation | Raw |Copy content |Copy permalink

				#!/usr/bin/env python
				#
				# Copyright 2005-2007 by Intevation GmbH <intevation@intevation.de>
				#
				# Author(s):
				# Thomas Arendsen Hein <thomas@intevation.de>
				#
				# This software may be used and distributed according to the terms of the
				# GNU General Public License version 2 or any later version.

				"""
				hg-ssh - a wrapper for ssh access to a limited set of mercurial repos

				To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8):
				command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...
				(probably together with these other useful options:
				no-port-forwarding,no-X11-forwarding,no-agent-forwarding)

				This allows pull/push over ssh from/to the repositories given as arguments.

				If all your repositories are subdirectories of a common directory, you can
				allow shorter paths with:
				command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"

				You can use pattern matching of your normal shell, e.g.:
				command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}"

				You can also add a --read-only flag to allow read-only access to a key, e.g.:
				command="hg-ssh --read-only repos/*"
				"""
				from __future__ import absolute_import

				import os
				import shlex
				import sys

				# enable importing on demand to reduce startup time
				import hgdemandimport

				hgdemandimport.enable()

				from mercurial import (
				dispatch,
				pycompat,
				ui as uimod,
				)


				def main():
				# Prevent insertion/deletion of CRs
				dispatch.initstdio()

				cwd = os.getcwd()
				readonly = False
				args = sys.argv[1:]
				while len(args):
				if args[0] == '--read-only':
				readonly = True
				args.pop(0)
				else:
				break
				allowed_paths = [
				os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
				for path in args
				]
				orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?')
				try:
				cmdargv = shlex.split(orig_cmd)
				except ValueError as e:
				sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e))
				sys.exit(255)

				if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']:
				path = cmdargv[2]
				repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
				if repo in allowed_paths:
				cmd = [b'-R', pycompat.fsencode(repo), b'serve', b'--stdio']
				req = dispatch.request(cmd)
				if readonly:
				if not req.ui:
				req.ui = uimod.ui.load()
				req.ui.setconfig(
				b'hooks',
				b'pretxnopen.hg-ssh',
				b'python:__main__.rejectpush',
				b'hg-ssh',
				)
				req.ui.setconfig(
				b'hooks',
				b'prepushkey.hg-ssh',
				b'python:__main__.rejectpush',
				b'hg-ssh',
				)
				dispatch.dispatch(req)
				else:
				sys.stderr.write('Illegal repository "%s"\n' % repo)
				sys.exit(255)
				else:
				sys.stderr.write('Illegal command "%s"\n' % orig_cmd)
				sys.exit(255)


				def rejectpush(ui, **kwargs):
				ui.warn((b"Permission denied\n"))
				# mercurial hooks use unix process conventions for hook return values
				# so a truthy return means failure
				return True


				if __name__ == '__main__':
				main()

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages