view contrib/hg-ssh @ 30228:b9f7b0c10027 stable tip @

sslutil: guard against broken certifi installations (issue5406) Certifi is currently incompatible with py2exe; the Python code for certifi gets included in, but not the cacert.pem file - and even if it were included, SSLContext can't load a cacert.pem file from This currently makes it impossible to build a standalone Windows version of Mercurial. Guard against this, and possibly other situations where a module with the name "certifi" exists, but is not usable.
author Gábor Stefanik <>
date Wed, 19 Oct 2016 18:06:14 +0200
parents 863075fd4cd0
line wrap: on
line source
#!/usr/bin/env python
# Copyright 2005-2007 by Intevation GmbH <>
# Author(s):
# Thomas Arendsen Hein <>
# This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version.

hg-ssh - a wrapper for ssh access to a limited set of mercurial repos

To be used in ~/.ssh/authorized_keys with the "command" option, see sshd(8):
command="hg-ssh path/to/repo1 /path/to/repo2 ~/repo3 ~user/repo4" ssh-dss ...
(probably together with these other useful options:

This allows pull/push over ssh from/to the repositories given as arguments.

If all your repositories are subdirectories of a common directory, you can
allow shorter paths with:
command="cd path/to/my/repositories && hg-ssh repo1 subdir/repo2"

You can use pattern matching of your normal shell, e.g.:
command="cd repos && hg-ssh user/thomas/* projects/{mercurial,foo}"

You can also add a --read-only flag to allow read-only access to a key, e.g.:
command="hg-ssh --read-only repos/*"

# enable importing on demand to reduce startup time
from mercurial import demandimport; demandimport.enable()

from mercurial import dispatch

import sys, os, shlex

def main():
    cwd = os.getcwd()
    readonly = False
    args = sys.argv[1:]
    while len(args):
        if args[0] == '--read-only':
            readonly = True
    allowed_paths = [os.path.normpath(os.path.join(cwd,
                     for path in args]
    orig_cmd = os.getenv('SSH_ORIGINAL_COMMAND', '?')
        cmdargv = shlex.split(orig_cmd)
    except ValueError as e:
        sys.stderr.write('Illegal command "%s": %s\n' % (orig_cmd, e))

    if cmdargv[:2] == ['hg', '-R'] and cmdargv[3:] == ['serve', '--stdio']:
        path = cmdargv[2]
        repo = os.path.normpath(os.path.join(cwd, os.path.expanduser(path)))
        if repo in allowed_paths:
            cmd = ['-R', repo, 'serve', '--stdio']
            if readonly:
                cmd += [
            sys.stderr.write('Illegal repository "%s"\n' % repo)
        sys.stderr.write('Illegal command "%s"\n' % orig_cmd)

def rejectpush(ui, **kwargs):
    ui.warn(("Permission denied\n"))
    # mercurial hooks use unix process conventions for hook return values
    # so a truthy return means failure
    return True

if __name__ == '__main__':