--- a/Makefile Sat Nov 14 18:23:30 2009 +0100
+++ b/Makefile Wed Dec 02 17:40:23 2009 +0000
@@ -19,7 +19,11 @@
installetc:
$(INSTALL) -d $(DESTDIR)$(ETCDIR)
$(INSTALL) -m 644 -t $(DESTDIR)$(ETCDIR) \
- src/init/conf/remote-hgrc src/init/conf/access.conf
+ src/init/conf/access.conf
+ $(INSTALL) -d $(DESTDIR)$(ETCDIR)/remote-hgrc.d
+ $(INSTALL) -m 644 -t $(DESTDIR)$(ETCDIR)/remote-hgrc.d \
+ src/init/conf/remote-hgrc.d/access.rc \
+ src/init/conf/remote-hgrc.d/logging.rc
$(INSTALL) -d $(DESTDIR)$(ETCDIR)/keys/root
$(INSTALL) -d $(DESTDIR)$(ETCDIR)/keys/users
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/NEWS Wed Dec 02 17:40:23 2009 +0000
@@ -0,0 +1,63 @@
+====================
+mercurial-server 1.0
+====================
+
+* Add "env" section to .mercurial-server instead of special-casing HGRCPATH
+* Switch to remote-hgrc.d directory instead of single file.
+* Control path of authorized keys file in .mercurial_server
+* Overwrite $HOME with value from /etc/passwd
+* Use Python's ConfigParser instead of too-new mercurial.config
+* Fix very out-of-date comments in hg-ssh
+* Belatedly added NEWS file :-)
+
+Upgrading: move the paths/hgrc entry in .mercurial-server to env/HGRCPATH,
+and add an entry under paths that reads
+"authorized_keys = ~/.ssh/authorized_keys"
+
+====================
+mercurial-server 0.9
+====================
+
+* Switch to supporting DESTDIR prefix in Makefile for easier packaging
+
+====================
+mercurial-server 0.8
+====================
+
+* Remove .deb-specific stuff in Docbook documentation - let the README
+ handle that stuff. Also fixes bad version numbers in there.
+* Move html docs into subdirectory
+* Line wrap README
+
+====================
+mercurial-server 0.7
+====================
+
+* Introduce .mercurial-server file for hg user
+* Remove all restrictions on paths, except for dotfiles in repo paths
+* Automatically create containing dirs for subdir repos
+* Guard against repos in repos
+* Switch to Makefile/setup.py based installer
+* Switch to Docbook based documentation
+* Load purge extension for hgadmin repo
+* Guard against setting up hg user who already has .ssh/authorized_keys
+* Link to real home page
+
+Upgrading: you'll need to create a .mercurial-server file
+for the hg user - a suitable one is in the init directory.
+
+====================
+mercurial-server 0.6
+====================
+
+* Remove hardcoding of init file path in hginit
+* Switch from /usr/lib to /usr/share
+* Install documentation
+* Don't create "hg" user if install root is not root.
+
+====================
+mercurial-server 0.5
+====================
+
+* First numbered release
+
--- a/doc/manual.docbook Sat Nov 14 18:23:30 2009 +0100
+++ b/doc/manual.docbook Wed Dec 02 17:40:23 2009 +0000
@@ -311,10 +311,10 @@
class='directory'>hgadmin</filename>.
</para>
<para>
-<filename>/etc/mercurial-server/remote-hgrc</filename> is in the
+<filename>/etc/mercurial-server/remote-hgrc.d</filename> is in the
<systemitem>HGRCPATH</systemitem> for all remote access to mercurial-server
-repositories. This file contains the hooks that mercurial-server uses for
-access control and logging. You can add hooks to this file, but obviously
+repositories. This directory contains the hooks that mercurial-server uses for
+access control and logging. You can add hooks to this directory, but obviously
breaking the existing hooks will disable the relevant functionality and
isn't advisable.
</para>
--- a/src/hg-ssh Sat Nov 14 18:23:30 2009 +0100
+++ b/src/hg-ssh Wed Dec 02 17:40:23 2009 +0000
@@ -14,12 +14,8 @@
hg-ssh - limit access to hg repositories reached via ssh. Part of
mercurial-server.
-This script is called by hg-ssh-wrapper with no arguments - everything
-should be in enviroment variables:
-
-HG_ACCESS_RULES_PATH identifies the paths to the rule files
-REMOTE_USER the remote user (which is the key used by ssh)
-SSH_ORIGINAL_COMMAND the command the user was trying to run
+It is called by ssh due to an entry in the authorized_keys file,
+with the name for the key passed on the command line.
It uses SSH_ORIGINAL_COMMAND to determine what the user was trying to
do and to what repository, and then checks each rule in the rule file
@@ -35,7 +31,7 @@
import sys, os, os.path
import base64
-from mercurialserver import ruleset, paths
+from mercurialserver import config, ruleset
def fail(message):
sys.stderr.write("mercurial-server: %s\n" % message)
@@ -71,7 +67,7 @@
checkParents(repo)
return repo
-paths.setExePath()
+config.initExe()
if len(sys.argv) == 3 and sys.argv[1] == "--base64":
ruleset.rules.set(user = base64.b64decode(sys.argv[2]))
@@ -81,14 +77,12 @@
fail("hg-ssh wrongly called, is authorized_keys corrupt? (%s)"
% sys.argv)
-# Use a different hgrc for remote pulls - this way you can set
-# up access.py for everything at once without affecting local operations
+for k,v in config.getEnv():
+ os.environ[k] = v
-os.environ['HGRCPATH'] = paths.getHgrcPaths()
+os.chdir(config.getReposPath())
-os.chdir(paths.getReposPath())
-
-for f in paths.getAccessPaths():
+for f in config.getAccessPaths():
if os.path.isfile(f):
ruleset.rules.readfile(f)
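Review bot: The new `for k,v in config.getEnv(): os.environ[k] = v` loop will export the variable as `hgrcpath` rather than `HGRCPATH`, because `ConfigParser.RawConfigParser` lowercases option names by default (`optionxform`). The removed code set `os.environ['HGRCPATH']` explicitly, so after this change hg would presumably no longer read `/etc/mercurial-server/remote-hgrc.d`, and the `pretxnchangegroup.access` and servelog hooks defined there would silently stop running. Either set `globalconfig.optionxform = str` right after the parser is constructed in `_getConf()` in config.py, or write `os.environ[k.upper()] = v` here. Since the hooks are the enforcement point, it would also be safer to fail closed after the loop, e.g. `if 'HGRCPATH' not in os.environ: fail("HGRCPATH not configured")`.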
--- a/src/init/conf/remote-hgrc Sat Nov 14 18:23:30 2009 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,6 +0,0 @@
-# hgrc to use for all remote users
-
-[hooks]
-pretxnchangegroup.access = python:mercurialserver.access.hook
-changegroup.aaaaa_servelog = python:mercurialserver.servelog.hook
-outgoing.aaaaa_servelog = python:mercurialserver.servelog.hook
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/init/conf/remote-hgrc.d/access.rc Wed Dec 02 17:40:23 2009 +0000
@@ -0,0 +1,5 @@
+# Check that a commit meets access control rules before allowing it
+
+[hooks]
+pretxnchangegroup.access = python:mercurialserver.access.hook
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/init/conf/remote-hgrc.d/logging.rc Wed Dec 02 17:40:23 2009 +0000
@@ -0,0 +1,5 @@
+# Log every push and pull to the servelog
+
+[hooks]
+changegroup.aaaaa_servelog = python:mercurialserver.servelog.hook
+outgoing.aaaaa_servelog = python:mercurialserver.servelog.hook
--- a/src/init/dot-mercurial-server Sat Nov 14 18:23:30 2009 +0100
+++ b/src/init/dot-mercurial-server Wed Dec 02 17:40:23 2009 +0000
@@ -3,7 +3,13 @@
[paths]
repos = ~/repos
+authorized_keys = ~/.ssh/authorized_keys
keys = /etc/mercurial-server/keys:~/repos/hgadmin/keys
access = /etc/mercurial-server/access.conf:~/repos/hgadmin/access.conf
-hgrc = /etc/mercurial-server/remote-hgrc
+[env]
+# Use a different hgrc for remote pulls - this way you can set
+# up access.py for everything at once without affecting local operations
+
+HGRCPATH = /etc/mercurial-server/remote-hgrc.d
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/mercurialserver/config.py Wed Dec 02 17:40:23 2009 +0000
@@ -0,0 +1,50 @@
+# Copyright 2008-2009 LShift Ltd
+
+import sys
+import os
+import os.path
+import pwd
+import ConfigParser
+
+globalconfig = None
+
+def _getConf():
+ global globalconfig
+ if globalconfig is None:
+ globalconfig = ConfigParser.RawConfigParser()
+ globalconfig.read(os.path.expanduser("~/.mercurial-server"))
+ return globalconfig
+
+def _getPath(name):
+ return os.path.expanduser(_getConf().get("paths", name))
+
+def _getPaths(name):
+ return [os.path.expanduser(p)
+ for p in _getConf().get("paths", name).split(":")]
+
+def getReposPath(): return _getPath("repos")
+def getAuthorizedKeysPath(): return _getPath("authorized_keys")
+
+def configExists():
+ try:
+ getAuthorizedKeysPath()
+ return True
+ except Exception, e:
+ print e
+ return False
+
+def getKeysPaths(): return _getPaths("keys")
+def getAccessPaths(): return _getPaths("access")
+
+def getEnv(): return _getConf().items("env")
+
+# Work out where we are, don't use config.
+def initExe():
+ global _exePath
+ _exePath = os.path.dirname(os.path.abspath(sys.argv[0]))
+ # Fix $HOME in case of "sudo -u hg refresh-auth"
+ os.environ['HOME'] = pwd.getpwuid(os.geteuid()).pw_dir
+
+def getExePath():
+ return _exePath
+
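Review bot: `_getConf()` resolves `~/.mercurial-server` through `$HOME` and caches the parser in `globalconfig`, so it only reads the right file if `initExe()` has already rewritten `HOME`, and nothing in the module states or enforces that order. A getter called first under `sudo -u hg` would, as far as this file shows, load and keep the invoking account's config, which decides which authorized_keys file and access rule files are used. I would document this above `initExe`, e.g. `# Must run before any get*(): _getConf() expands ~ via $HOME and caches the result`, and initialise `_exePath = None` at module level so that `getExePath()` before `initExe()` does not fail with a NameError. `configExists()` also reports the exception with `print e` on stdout; writing it to `sys.stderr` would match the rest of the tool.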
--- a/src/mercurialserver/paths.py Sat Nov 14 18:23:30 2009 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,47 +0,0 @@
-# Copyright 2008-2009 LShift Ltd
-
-import sys
-import os.path
-import mercurial.config
-
-globalconfig = None
-
-def _getConf():
- global globalconfig
- if globalconfig is None:
- globalconfig = mercurial.config.config()
- globalconfig.read(os.path.expanduser("~/.mercurial-server"))
- return globalconfig
-
-def configExists():
- try:
- _getConf()
- return True
- except:
- return False
-
-def _getPath(name):
- return os.path.expanduser(_getConf()["paths"][name])
-
-def _getPaths(name):
- return [os.path.expanduser(p)
- for p in _getConf()["paths"][name].split(":")]
-
-
-def getExePath(): return _getPath("exe")
-def getReposPath(): return _getPath("repos")
-
-def getKeysPaths(): return _getPaths("keys")
-def getAccessPaths(): return _getPaths("access")
-
-# This goes into an env var, so pass it on verbatim.
-def getHgrcPaths(): return _getConf()["paths"]["hgrc"]
-
-# Work out where we are, don't use config.
-def setExePath():
- global _exePath
- _exePath = os.path.dirname(os.path.abspath(sys.argv[0]))
-
-def getExePath():
- return _exePath
-
--- a/src/mercurialserver/refreshauth.py Sat Nov 14 18:23:30 2009 +0100
+++ b/src/mercurialserver/refreshauth.py Wed Dec 02 17:40:23 2009 +0000
@@ -10,13 +10,13 @@
import os
import os.path
import subprocess
-from mercurialserver import paths
+from mercurialserver import config
goodkey = re.compile("[/A-Za-z0-9._-]+$")
def refreshAuth():
- akeyfile = os.path.expanduser("~/.ssh/authorized_keys")
- wrappercommand = paths.getExePath() + "/hg-ssh"
+ akeyfile = config.getAuthorizedKeysPath()
+ wrappercommand = config.getExePath() + "/hg-ssh"
prefix='no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command='
if os.path.exists(akeyfile):
@@ -29,7 +29,7 @@
f.close()
akeys = open(akeyfile + "_new", "w")
- for keyroot in paths.getKeysPaths():
+ for keyroot in config.getKeysPaths():
kr = keyroot + "/"
#print "Processing keyroot", keyroot
for root, dirs, files in os.walk(keyroot):
--- a/src/refresh-auth Sat Nov 14 18:23:30 2009 +0100
+++ b/src/refresh-auth Wed Dec 02 17:40:23 2009 +0000
@@ -8,17 +8,18 @@
import sys
import os
-from mercurialserver import refreshauth, paths
+from mercurialserver import refreshauth, config
if len(sys.argv) != 1:
sys.stderr.write("refresh-auth: must be called with no arguments (%s)\n" % sys.argv)
sys.exit(-1)
+config.initExe()
+
# To protect the authorized_keys file for innocent users, you have to have
# a ~/.mercurial-server file to run this.
-if not paths.configExists():
+if not config.configExists():
print >>sys.stderr, "Must be run as the 'hg' user"
sys.exit(-1)
-paths.setExePath()
refreshauth.refreshAuth()
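Review bot: The message printed when `config.configExists()` returns False is still `Must be run as the 'hg' user`, but the new `configExists()` in config.py fails on any error from `getAuthorizedKeysPath()`, not only on a missing config file. An upgraded install whose `.mercurial-server` lacks the new `paths/authorized_keys` entry (the upgrade step listed in NEWS) would therefore be told it is running as the wrong user. A message that names the actual requirement would be clearer, e.g. `print >>sys.stderr, "Cannot read paths/authorized_keys from ~/.mercurial-server; run as the 'hg' user and check that file"`.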