Mercurial > hg > mercurial-source

view tests/test-hgweb-auth.py @ 27874:15c6eb0a51bd

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
context: use a the nofsauditor when matching file in history (issue4749) Before this change, asking for file from history (eg: 'hg cat -r 42 foo/bar') could fail because of the current content of the working copy (eg: current "foo" being a symlink). As the working copy state have no influence on the content of the history, we can safely skip these checks. The working copy context class have a different 'match' implementation. That implementation still use the repo.auditor will still catch symlink traversal. I've audited all stuff calling "match" and they all go through a ctx in a sensible way. The most unclear case was diff which still seemed okay. You raised my paranoid level today and I double checked through tests. They behave properly. The odds of someone using the wrong (matching with a changectx for operation that will eventually touch the file system) is non-zero because you are never sure of what people will do. But I dunno if we can fight against that. So I would not commit to "never" for "at this level" and "in the future" if someone write especially bad code. However, as a last defense, the vfs itself is running path auditor in all cases outside of .hg/. So I think anything passing the 'matcher' for buggy reason would growl at the vfs layer.
author Pierre-Yves David <pierre-yves.david@fb.com>
date Thu, 03 Dec 2015 13:23:46 -0800
parents 9de689d20230
children 779addce6910
line wrap: on
line source

from mercurial import demandimport; demandimport.enable()
import urllib2
from mercurial import ui, util
from mercurial import url
from mercurial.error import Abort

class myui(ui.ui):
    def interactive(self):
        return False

origui = myui()

def writeauth(items):
    ui = origui.copy()
    for name, value in items.iteritems():
        ui.setconfig('auth', name, value)
    return ui

def dumpdict(dict):
    return '{' + ', '.join(['%s: %s' % (k, dict[k])
                            for k in sorted(dict.iterkeys())]) + '}'

def test(auth, urls=None):
    print 'CFG:', dumpdict(auth)
    prefixes = set()
    for k in auth:
        prefixes.add(k.split('.', 1)[0])
    for p in prefixes:
        for name in ('.username', '.password'):
            if (p + name) not in auth:
                auth[p + name] = p
    auth = dict((k, v) for k, v in auth.iteritems() if v is not None)

    ui = writeauth(auth)

    def _test(uri):
        print 'URI:', uri
        try:
            pm = url.passwordmgr(ui)
            u, authinfo = util.url(uri).authinfo()
            if authinfo is not None:
                pm.add_password(*authinfo)
            print '    ', pm.find_user_password('test', u)
        except Abort:
            print 'abort'

    if not urls:
        urls = [
            'http://example.org/foo',
            'http://example.org/foo/bar',
            'http://example.org/bar',
            'https://example.org/foo',
            'https://example.org/foo/bar',
            'https://example.org/bar',
            'https://x@example.org/bar',
            'https://y@example.org/bar',
            ]
    for u in urls:
        _test(u)


print '\n*** Test in-uri schemes\n'
test({'x.prefix': 'http://example.org'})
test({'x.prefix': 'https://example.org'})
test({'x.prefix': 'http://example.org', 'x.schemes': 'https'})
test({'x.prefix': 'https://example.org', 'x.schemes': 'http'})

print '\n*** Test separately configured schemes\n'
test({'x.prefix': 'example.org', 'x.schemes': 'http'})
test({'x.prefix': 'example.org', 'x.schemes': 'https'})
test({'x.prefix': 'example.org', 'x.schemes': 'http https'})

print '\n*** Test prefix matching\n'
test({'x.prefix': 'http://example.org/foo',
      'y.prefix': 'http://example.org/bar'})
test({'x.prefix': 'http://example.org/foo',
      'y.prefix': 'http://example.org/foo/bar'})
test({'x.prefix': '*', 'y.prefix': 'https://example.org/bar'})

print '\n*** Test user matching\n'
test({'x.prefix': 'http://example.org/foo',
      'x.username': None,
      'x.password': 'xpassword'},
     urls=['http://y@example.org/foo'])
test({'x.prefix': 'http://example.org/foo',
      'x.username': None,
      'x.password': 'xpassword',
      'y.prefix': 'http://example.org/foo',
      'y.username': 'y',
      'y.password': 'ypassword'},
     urls=['http://y@example.org/foo'])
test({'x.prefix': 'http://example.org/foo/bar',
      'x.username': None,
      'x.password': 'xpassword',
      'y.prefix': 'http://example.org/foo',
      'y.username': 'y',
      'y.password': 'ypassword'},
     urls=['http://y@example.org/foo/bar'])

def testauthinfo(fullurl, authurl):
    print 'URIs:', fullurl, authurl
    pm = urllib2.HTTPPasswordMgrWithDefaultRealm()
    pm.add_password(*util.url(fullurl).authinfo()[1])
    print pm.find_user_password('test', authurl)

print '\n*** Test urllib2 and util.url\n'
testauthinfo('http://user@example.com:8080/foo', 'http://example.com:8080/foo')