how to use simple HTTP auth with hg serve
Last night Kiwi and I were exploring Mercurial for our über-secret-project.
Mercurial is, like Git, a distributed revision control system (if you want to deeply understand the differences between those two systems, take a look at http://gitvsmercurial.com/).
With the informal sharing we both expose our repos in a read-only mode so we can hg clone or hg pull changes. No hg push is permitted (it is read-only!).
Because it provides unauthenticated read access to all clients, you should only use hg serve in an environment where you either don’t care, or have complete control over, who can access your network and pull data from your repository.
hg serve hasn’t anything for access control… but we need it ‘cause our project is an über-secret-project. Of course we can use Mercurial with ssh, but hg serve is so cool :D
And here is the second part, aka the beauty of the WSGI specification.
Mercurial is written in Python, hg serve is also a Python program, and hgweb (the Mercurial web-app module) exposes a very toasty class: mercurial.hgweb.hgweb_mod.hgweb [kudos to tomfmason]
The hgweb object is a WSGI application, so you can use it with any middleware you like. For basic HTTP auth I used authkit (you can find a simple example in the pylonshq wiki; if you run the example, please note that the protected area is under the http://localhost:8080/private path).
After a lot of swearing^H^H^H^Hting (I never used WSGI before) this is the result:
```python
from paste import httpserver
from mercurial.hgweb.hgweb_mod import hgweb
from authkit.authenticate import middleware
from authkit.permissions import RemoteUser
from authkit.authorize import authorize_request

PATH_TO_REPO = '/home/vrde/work/secret-project'
TITLE = 'secret project repo'

# hgweb is a WSGI application that serves the repository
hgapp = hgweb(PATH_TO_REPO, TITLE)

def simple_app(environ, start_response):
    # Require an authenticated user before handing the request to hgweb
    authorize_request(environ, RemoteUser())
    response = hgapp(environ, start_response)
    return response

def valid(environ, username, password):
    # Hardcoded demo credentials
    return username == 'kiwi' and password == 'antani'

# The authkit middleware issues the Basic challenge and calls valid()
app = middleware(
    simple_app,
    setup_method='basic',
    basic_realm='Secret Project Realm',
    basic_authenticate_function=valid
)

# Listens on all interfaces; Basic auth credentials are base64-encoded, not encrypted
httpserver.serve(app, host='0.0.0.0', port='8000')
```
The code wraps the Mercurial server and asks for a user name and password. If the auth is successful, the client can pull or visit the web interface of the repo.
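To show what the middleware layer does on each request, here is an added example (not part of the original post and not authkit's code): a standard-library-only Python 3 WSGI middleware that enforces HTTP Basic auth in front of any WSGI app. The names `BasicAuthMiddleware`, `parse_basic`, `check_credentials`, `USERS` and `demo_app` are hypothetical, the credential store is constructed sample data, and `demo_app` stands in for the hgweb object.

```python
import base64
import hashlib
import hmac

# Constructed sample store: username -> SHA-256 hex digest of the password.
# Assumption for the demo; a real deployment would use a salted KDF and TLS.
USERS = {"kiwi": hashlib.sha256(b"antani").hexdigest()}


def check_credentials(username, password):
    """Compare digests in constant time, also for unknown users."""
    expected = USERS.get(username, "0" * 64)  # dummy digest keeps timing uniform
    supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, supplied) and username in USERS


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64, non-ASCII token, or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class BasicAuthMiddleware:
    """Wrap a WSGI app (hgweb on this page) and require Basic credentials."""
    def __init__(self, app, realm, check=check_credentials):
        self.app, self.realm, self.check = app, realm, check

    def __call__(self, environ, start_response):
        creds = parse_basic(environ.get("HTTP_AUTHORIZATION", ""))
        if creds and self.check(*creds):
            environ["REMOTE_USER"] = creds[0]  # what downstream apps look at
            return self.app(environ, start_response)
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="%s"' % self.realm)])
        return [b"authentication required\n"]


def demo_app(environ, start_response):  # stand-in for the wrapped repository app
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["REMOTE_USER"]).encode("utf-8")]
```

The wrapped app is only reached when the header parses and the credentials match; every other request, including a malformed header, gets the same 401 challenge.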
TODO: patch the hg serve source and add a parameter for the simple HTTP auth.