|
|
# Copyright (C) 2015 - Mike Edgar <adgar@google.com>
|
|
|
#
|
|
|
# This extension enables removal of file content at a given revision,
|
|
|
# rewriting the data/metadata of successive revisions to preserve revision log
|
|
|
# integrity.
|
|
|
|
|
|
"""erase file content at a given revision
|
|
|
|
|
|
The censor command instructs Mercurial to erase all content of a file at a given
|
|
|
revision *without updating the changeset hash.* This allows existing history to
|
|
|
remain valid while preventing future clones/pulls from receiving the erased
|
|
|
data.
|
|
|
|
|
|
Typical uses for censor are due to security or legal requirements, including::
|
|
|
|
|
|
* Passwords, private keys, cryptographic material
|
|
|
* Licensed data/code/libraries for which the license has expired
|
|
|
* Personally Identifiable Information or other private data
|
|
|
|
|
|
Censored nodes can interrupt mercurial's typical operation whenever the excised
|
|
|
data needs to be materialized. Some commands, like ``hg cat``/``hg revert``,
|
|
|
simply fail when asked to produce censored data. Others, like ``hg verify`` and
|
|
|
``hg update``, must be capable of tolerating censored data to continue to
|
|
|
function in a meaningful way. Such commands only tolerate censored file
|
|
|
As having a censored version in a checkout is impractical. The current head
|
|
|
revisions of the repository are checked. If the revision to be censored is in
|
|
|
any of them the command will abort.
|
|
|
|
|
|
A few informative commands such as ``hg grep`` will unconditionally
|
|
|
ignore censored data and merely report that it was encountered.
|
|
|
"""
|
|
|
|
|
|
|
|
|
from mercurial.i18n import _
|
|
|
from mercurial.node import short
|
|
|
|
|
|
from mercurial import (
|
|
|
error,
|
|
|
logcmdutil,
|
|
|
registrar,
|
|
|
scmutil,
|
|
|
)
|
|
|
|
|
|
cmdtable = {}
|
|
|
command = registrar.command(cmdtable)
|
|
|
# Note for extension authors: ONLY specify testedwith = 'ships-with-hg-core' for
|
|
|
# extensions which SHIP WITH MERCURIAL. Non-mainline extensions should
|
|
|
# be specifying the version(s) of Mercurial they are tested with, or
|
|
|
# leave the attribute unspecified.
|
|
|
testedwith = b'ships-with-hg-core'
|
|
|
|
|
|
|
|
|
@command(
|
|
|
b'censor',
|
|
|
[
|
|
|
(
|
|
|
b'r',
|
|
|
b'rev',
|
|
|
b'',
|
|
|
_(b'censor file from specified revision'),
|
|
|
_(b'REV'),
|
|
|
),
|
|
|
(
|
|
|
b'',
|
|
|
b'check-heads',
|
|
|
True,
|
|
|
_(b'check that repository heads are not affected'),
|
|
|
),
|
|
|
(b't', b'tombstone', b'', _(b'replacement tombstone data'), _(b'TEXT')),
|
|
|
],
|
|
|
_(b'-r REV [-t TEXT] [FILE]'),
|
|
|
helpcategory=command.CATEGORY_MAINTENANCE,
|
|
|
)
|
|
|
def censor(ui, repo, path, rev=b'', tombstone=b'', check_heads=True, **opts):
|
|
|
with repo.wlock(), repo.lock():
|
|
|
return _docensor(
|
|
|
ui,
|
|
|
repo,
|
|
|
path,
|
|
|
rev,
|
|
|
tombstone,
|
|
|
check_heads=check_heads,
|
|
|
**opts,
|
|
|
)
|
|
|
|
|
|
|
|
|
def _docensor(ui, repo, path, rev=b'', tombstone=b'', check_heads=True, **opts):
|
|
|
if not path:
|
|
|
raise error.Abort(_(b'must specify file path to censor'))
|
|
|
if not rev:
|
|
|
raise error.Abort(_(b'must specify revision to censor'))
|
|
|
|
|
|
wctx = repo[None]
|
|
|
|
|
|
m = scmutil.match(wctx, (path,))
|
|
|
if m.anypats() or len(m.files()) != 1:
|
|
|
raise error.Abort(_(b'can only specify an explicit filename'))
|
|
|
path = m.files()[0]
|
|
|
flog = repo.file(path)
|
|
|
if not len(flog):
|
|
|
raise error.Abort(_(b'cannot censor file with no history'))
|
|
|
|
|
|
rev = logcmdutil.revsingle(repo, rev, rev).rev()
|
|
|
try:
|
|
|
ctx = repo[rev]
|
|
|
except KeyError:
|
|
|
raise error.Abort(_(b'invalid revision identifier %s') % rev)
|
|
|
|
|
|
try:
|
|
|
fctx = ctx.filectx(path)
|
|
|
except error.LookupError:
|
|
|
raise error.Abort(_(b'file does not exist at revision %s') % rev)
|
|
|
|
|
|
fnode = fctx.filenode()
|
|
|
if check_heads:
|
|
|
heads = []
|
|
|
repo_heads = repo.heads()
|
|
|
msg = b'checking for the censored content in %d heads\n'
|
|
|
msg %= len(repo_heads)
|
|
|
ui.status(msg)
|
|
|
for headnode in repo_heads:
|
|
|
hc = repo[headnode]
|
|
|
if path in hc and hc.filenode(path) == fnode:
|
|
|
heads.append(hc)
|
|
|
if heads:
|
|
|
headlist = b', '.join([short(c.node()) for c in heads])
|
|
|
raise error.Abort(
|
|
|
_(b'cannot censor file in heads (%s)') % headlist,
|
|
|
hint=_(b'clean/delete and commit first'),
|
|
|
)
|
|
|
|
|
|
msg = b'checking for the censored content in the working directory\n'
|
|
|
ui.status(msg)
|
|
|
wp = wctx.parents()
|
|
|
if ctx.node() in [p.node() for p in wp]:
|
|
|
raise error.Abort(
|
|
|
_(b'cannot censor working directory'),
|
|
|
hint=_(b'clean/delete/update first'),
|
|
|
)
|
|
|
|
|
|
msg = b'censoring 1 file revision\n'
|
|
|
ui.status(msg)
|
|
|
with repo.transaction(b'censor') as tr:
|
|
|
flog.censorrevision(tr, fnode, tombstone=tombstone)
|
|
|
|