allow_push on .hg/hgrc doesn't seem to work - mercurial

I'm setting up a mercurial server with LDAP auth where I want to allow access per repo so I'm creating a hgrc under .hg for each repo.
[web]
allow_push = user1
My problem is that if I use these hgrc files I cannot push with any user (abort: authorization failed). If I just use hgweb.config I can do it with no problem.
Any help?
Thanks

When you put those lines in your hgweb.config file can you push with any user or only the ones you list? My guess would be that your LDAP is providing user names formatted differently than you expect (perhaps as email addresses, etc.) and so they're not matching.
Check your apache error logs for anything interesting, and consider changing the log format to log the $REMOTE_USER environment user to see what's being matched. Also, make sure your push_ssl value is set to false if you're not using SSL connections (though you should).

When your HTTP server is Nginx, modify log_format to find out which user is redirected from Nginx to HG
vi /etc/nginx/nginx.conf
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
And see the Nginx log file
cat /var/log/nginx/nginx.log
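One way to act on the two answers above, as an added example that is not part of the original posts: it parses access-log lines in the `main` log_format shown, keeps push requests (`cmd=unbundle`), and compares `$remote_user` with the `[web] allow_push` list. The sample hgrc, log lines, user names and the `@`-suffix heuristic are constructed assumptions.

```python
import re
from configparser import ConfigParser

# Start of the `main` log_format above:
# $remote_addr - $remote_user [$time_local] "$request" $status ...
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

def allow_push_users(hgrc_text):
    """Names in [web] allow_push (hgrc lists split on commas/whitespace)."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(hgrc_text)
    raw = cp.get("web", "allow_push", fallback="")
    return [u for u in re.split(r"[,\s]+", raw) if u]

def push_mismatches(log_lines, allowed):
    """(remote_user, status, hint) for pushes whose user is not listed verbatim."""
    out = []
    for line in log_lines:
        m = LINE_RE.match(line)
        # A push reaches hgweb as a request with cmd=unbundle in the query.
        if not m or "cmd=unbundle" not in m["uri"]:
            continue
        user = m["user"]
        # "-" is the unauthenticated first round trip; "*" admits any user.
        if user == "-" or "*" in allowed or user in allowed:
            continue
        bare = user.split("@", 1)[0].lower()
        near = [a for a in allowed if a.lower() == bare]
        hint = f"same as {near[0]!r} in another format" if near else "not listed"
        out.append((user, m["status"], hint))
    return out

# Constructed sample data, not taken from the page.
SAMPLE_HGRC = "[web]\nallow_push = user1\n"
_TAIL = ' 0 "-" "mercurial/proto-1.0" "-"'
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "POST /repo1?cmd=unbundle HTTP/1.1" 401' + _TAIL,
    '192.0.2.10 - user1@example.test [12/Mar/2024:10:01:03 +0000] "POST /repo1?cmd=unbundle HTTP/1.1" 401' + _TAIL,
    '192.0.2.11 - user1 [12/Mar/2024:10:02:00 +0000] "GET /repo1?cmd=capabilities HTTP/1.1" 200' + _TAIL,
    '192.0.2.12 - user2 [12/Mar/2024:10:03:00 +0000] "POST /repo1?cmd=unbundle HTTP/1.1" 401' + _TAIL,
    '192.0.2.11 - user1 [12/Mar/2024:10:04:00 +0000] "POST /repo1?cmd=unbundle HTTP/1.1" 200' + _TAIL,
]

if __name__ == "__main__":
    for row in push_mismatches(SAMPLE_LOG, allow_push_users(SAMPLE_HGRC)):
        print(row)
```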

Related

Mercurial subrepos and bitbucket accounts

I have a team set up on bitbucket with multiple users, and I'm using the keyring extension for mercurial. I need to set up a subrepo, and in the .hgsub file I need to provide the url for the subrepo.
If I use https://bitbucket.org/team/subrepo then the user needs to authenticate each time they try to pull.
If I use https://userX.bitbucket.org/team/subrepo then each user will need to authenticate with userX's password.
If I use https://team.bitbucket.org/team/subrepo then each user will need the team's password.
Is there a way I can set it up so that the authentication can be saved using the keyring extension, but still have separate credentials for each user, without using ssh?
Yes, you can enter your authentication information into your config file. The documentation for this is here.
In the auth section of each user's config file you can enter the following details:
[auth]
bb.schemes = http https
bb.prefix = bitbucket.org/team
bb.username = userX
The bb part is just a tag to group the settings together - you can use what you like and you can have more than one set if you have more than one Mercurial server that you use.
The example settings say that all repositories that start http://bitbucket.org/team or https://bitbucket.org/team should use the username of userX. The keyring extension will take care of the password after that.

mercurial ssl access allow pull BUT require authentication for push

I have set up a mercurial server through SSL. In the apache config file I have set up an authentication using a mysql database.
I would like everyone to be able to pull from the repository without credentials, but restrict the push right to authenticated users. The way it is done now either everyone is authenticated both for pull and push, or nobody is.
My apache configuration is this:
<Location /hg/repo>
AuthType Basic
AuthName "Repository Access"
AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMySQL On
AuthMySQL_Authoritative On
AuthMySQL_Host localhost
AuthMySQL_DB repo
AuthMySQL_User repo
AuthMySQL_Password_Table users_auth_external
AuthMySQL_Group_Table users_auth_external
AuthMySQL_Username_Field username
AuthMySQL_Password_Field passwd
AuthMySQL_Group_Field groups
AuthMySQL_Encryption_Types SHA1Sum
Require group pink-image
<LimitExcept GET>
Require valid-user
</LimitExcept>
</Location>
hg also requires authentication for the ssl pull, regardless of the LimitExcept switch.
Is there a way to limit the authentication only for pushing to the repository?
A simple http access would not be sufficient because if somebody is a developer she checks out the code through https.
SSH access is not possible because some of the developers have the ssh port forbidden by the firewall.
One of the solutions would be if hg would remember the https credentials.
Thank You for reading the question.
The authentication should be wrapped into the exception rule.
<Location /hg/repo>
<LimitExcept GET>
AuthType Basic
AuthName "Repository Access"
AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMySQL On
AuthMySQL_Authoritative On
AuthMySQL_Host localhost
AuthMySQL_DB repo
AuthMySQL_User repo
AuthMySQL_Password_Table users_auth_external
AuthMySQL_Group_Table users_auth_external
AuthMySQL_Username_Field username
AuthMySQL_Password_Field passwd
AuthMySQL_Group_Field groups
AuthMySQL_Encryption_Types SHA1Sum
Require group pink-image
</LimitExcept>
</Location>
One of the solutions would be if hg would remember the https credentials.
It can remember the credentials for push and pull. Look under the auth section of hg help config if you don't mind adding the details to one of the config files (either user's config or the repository clone's hgrc)
This would mean putting the password in the config file which you might not like so you could use the Mercurial Keyring Extension instead which stores the password more securely.
It turns out automatic credentials are not enough. The repository ought to be accessible through the web interface. However the same config file pops up an authentication dialog in the browser which makes the web interface unusable.

Configuration for using Mercurial with Bitbucket from behind a certificate rewriting proxy?

I'm trying to access BitBucket from work. The only access to the Internet is via an authenticating HTTP proxy which proxies http on port 8080 and SSL on port 8070. This proxy conducts a man-in-the-middle attack on SSL connections, browsers are able to create HTTPS connections to the Internet only due to the installation of a fake Websense certificate on all clients.
I am able to connect to BitBucket using Git but not using Mercurial. I'm using Mercurial version 2.0.2.
With Git I use the following config in .gitconfig
[user]
name = Firstname Lastname
email = firstname_lastname@domain.co.uk
[http]
proxy = http://name:password@nnn.nnn.nnn.nnn:8080
And can clone a repository with the following command
D:\MercurialTesting>git clone http://Firstname_Lastname@bitbucket.org/Firstname_Lastname/bb102repo.git test1
Cloning into 'test1'...
Password for 'bitbucket.org':
remote: Counting objects: 3, done.
remote: Total 3 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.
D:\MercurialTesting>
With the addition of this config setting
[http]
sslverify = false
I can also clone the repository via the https url https://Firstname_Lastname@bitbucket.org/Firstname_Lastname/bb102repo.git
Using Mercurial though it's a different story. Using the following config in mercurial.ini
[http_proxy]
host = nnn.nnn.nnn.nnn:8080
user = firstname_lastname@domain.co.uk
passwd = password
Mercurial will access my own Mercurial server at home no problem.
D:\MercurialTesting>hg --debug clone http://nnn.nnn.nnn.nnn/hg/Workspaces/Test1
using http://nnn.nnn.nnn.nnn/hg/Workspaces/Test1
proxying through http://nnn.nnn.nnn.nnn:8080
sending capabilities command
http authorization required
realm: Mercurial Repositories
user: username
password:
http auth: user username, password *******
destination directory: Test1
query 1; heads
sending batch command
http auth: user username, password *******
requesting all changes
sending getbundle command
http auth: user username, password *******
adding changesets
changesets: 1 chunks
add changeset 711ff2c6f5b2
changesets: 2 chunks
add changeset 9034b963b4c1
. . .
Using the exact same configuration and trying to access BitBucket through Mercurial just hangs.
D:\MercurialTesting>hg --debug clone http://bitbucket.org/Firstname_Lastname/bb101repo
using http://bitbucket.org/Firstname_Lastname/bb101repo
proxying through http://nnn.nnn.nnn.nnn:8080
sending capabilities command
abort: error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
D:\MercurialTesting>
Using the same configuration with SSL via the url https://bitbucket.org/Firstname_Lastname/bb101repo Mercurial hangs in exactly the same way. During this process Wireshark detects no network activity at all.
Changing the settings in Mercurial.ini to match the port which the proxy serves SSL through has no effect. Setting the environment variable http_proxy makes no difference, but setting the environment variable https_proxy changes the output completely. Setting https_proxy and adding --insecure to the hg command invocation results in:
D:\MercurialTesting>hg --debug clone http://bitbucket.org/Firstname_Lastname/bb101repo --insecure
using http://bitbucket.org/Firstname_Lastname/bb101repo
proxying through http://nnn.nnn.nnn.nnn:8080
sending capabilities command
warning: bitbucket.org certificate with fingerprint 79:ce:0d:30:b0:17:29:6a:d1:9f:dd:d3:62:80:70:28:5e:9f:c2:e3 not verified (check hostfingerprints or web.cacerts config setting)
http authorization required
realm: Bitbucket.org HTTP
user: Firstname_Lastname
password:
http auth: user Firstname_Lastname, password ***
warning: bitbucket.org certificate with fingerprint 79:ce:0d:30:b0:17:29:6a:d1:9f:dd:d3:62:80:70:28:5e:9f:c2:e3 not verified (check hostfingerprints or web.cacerts config setting)
abort: HTTP Error 502: Success
D:\MercurialTesting>
And now Wireshark does detect an exchange taking place between my workstation and the proxy server. What I find most confusing though is that it doesn't make the slightest difference what I set https_proxy to, hg always uses the http proxy setting from Mercurial.ini and produces the same output above irrespective of whether I set https_proxy to the correct details for the SSL proxy or to complete garbage. The only difference is that if the environment variable https_proxy isn't set at all then hg just hangs as described above.
The formats for https_proxy I've tried include all variations of:
https_proxy=ip.ip.ip.ip:8070
https_proxy=ip.ip.ip.ip:8080
https_proxy=username:password@ip.ip.ip.ip:8070
https_proxy=username:password@ip.ip.ip.ip:8080
https_proxy=http://ip.ip.ip.ip:8070
https_proxy=http://ip.ip.ip.ip:8080
https_proxy=http://username:password@ip.ip.ip.ip:8070
https_proxy=http://username:password@ip.ip.ip.ip:8080
The results are the same no matter what I set it to.
So the questions I could really use some help with are:
How come I can access my Mercurial repositories at home but not at BitBucket?
How come I can access BitBucket with Git but not with Mercurial using the same configuration?
Does anyone have any ideas of how I can get this to work or what I can test next?
I am also connecting via proxy to bitbucket. As my settings didn't work as expected I found this SO entry.
I noticed that if I use command line parameters then everything works.
hg --config http_proxy.host=192.168.1.1:8080 --config http_proxy.user=Vad1mo --config http_proxy.passwd=secret clone https://bitbucket.org/Vadimo/test
On the other hand same entries in Mercurial.ini didn't work.
[http_proxy]
host = 192.168.1.1
port = 8080
user = Vad1mo
passwd = internet
By accident I found out the tiny difference between CMD and ini. In CMD the port is postfixed to the host. In ini file it is a new entry.
Changing mercurial.ini to postfix the port to host like on command line solved the problem.
[http_proxy]
host = 192.168.1.1:8080
;port = 8080
user = Vad1mo
passwd = internet
Maybe this also will help you.
btw. my hg version is 2.6.3
I ran into a similar problem with my work's proxy- actually, almost identical.
I've gotten around the problem so far by setting the http_proxy in mercurial.ini and then connecting to BitBucket via their HTTP address hg.io.
For example, my repository at https://bitbucket.org/mattgwagner/mattgwagner.com can be accessed via http://hg.io/mattgwagner/mattgwagner.com . Of course, this will send your password and connection in plaintext, but at least it let me connect.
This came in more use for me when pulling in open source projects hosted on BitBucket for my use.
Mercurial.ini
[http_proxy]
host = 192.168.1.155:8080
no =
user = domainUsername
passwd = pass
Are you able to ssh out? Bitbucket supports ssh access and your proxy won't muck w/ that if it's allowed.

Can't seem to get ACL to work with hgweb.wsgi

I have hgweb.wsgi set up on an Ubuntu server under apache2. Furthermore, I have basic auth using the apache2 htpasswd approach. This all works nicely. However, we want to control what each user has access to, and ACL seems to be the best approach. So inside the repo's .hg folder I've created a hgrc and modified it according to the documentation for getting ACL up and running (I've also enabled the extension). The problem is I get no indication that the hgrc is used at all. If I add [ui] debug = true I still get nothing from the remote client. Sadly I'm not quite sure how to go about debugging this, so any help would be much appreciated.
To make sure that a .hg/hgrc file in a repository is being consulted add something noticeable to the [web] section like:
[web]
description = Got this from the hgrc
style = coal
name = RENAMED
If you don't see those in the web interface your .hg/hgrc isn't being consulted, and the most common reason for that is -- permissions. Remember that the .hg/hgrc has to be owned by a user or group that is trusted by the webserver user (usually apache or www-data or similar). If apache is running under the user apache then chown the .hg/hgrc file over to apache for ownership -- root won't do and htpasswd user is irrelevant.
If that file is being consulted then you need to start poking around in the apache error logs. Turning on debug and verbose will put more messages into the apache error log, not into the remote client's output.
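The ownership check described in the answer above, as an added example that is not part of the original answer or Mercurial's own code: it applies the trust rule from `hg help config` (file owner, `[trusted]` users and groups, `*` wildcard) to a file on disk. The server user name and the `[trusted]` lists are supplied by the caller and are assumptions about your setup.

```python
import grp
import os
import pwd

def hgrc_trusted(owner, group, server_user, trusted_users=(), trusted_groups=()):
    """Apply Mercurial's trust rule to a config file's owner and group.

    Returns (trusted, reason). An untrusted .hg/hgrc has its [hooks] and
    [extensions] sections ignored, which is what the acl extension relies on.
    """
    if owner == server_user:
        return True, "owned by the user running hgweb"
    if "*" in trusted_users or "*" in trusted_groups:
        return True, "[trusted] contains the * wildcard"
    if owner in trusted_users:
        return True, f"owner {owner!r} is listed in [trusted] users"
    if group in trusted_groups:
        return True, f"group {group!r} is listed in [trusted] groups"
    return False, f"{owner!r}:{group!r} is not trusted by {server_user!r}"

def file_owner(path):
    """(owner, group) names of path; falls back to numeric ids as strings."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return owner, group

def check_hgrc(path, server_user, trusted_users=(), trusted_groups=()):
    """Stat path and report whether hgweb running as server_user trusts it."""
    owner, group = file_owner(path)
    return hgrc_trusted(owner, group, server_user, trusted_users, trusted_groups)

if __name__ == "__main__":
    import sys
    # Usage: python check_hgrc.py /path/to/repo/.hg/hgrc www-data
    print(check_hgrc(sys.argv[1], sys.argv[2]))
```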

Mercurial server running multiple repositories

I'm using TortoiseHg, and I want to run it as a server. I've been able to run the server, pointing it to the root of the repository I've chosen.
http://192.168.1.64:8000 points to c:\myproject
I'm looking for a way to have a folder C:\projects, with multiple repositories inside, pointing my Hg server to that folder, and I would access my repositories like:
http://192.168.1.64:8000/project1 points to c:\projects\project1
http://192.168.1.64:8000/project2 points to c:\projects\project2
Can someone help me please?
While using a full web server for repo hosting, as suggested by Lasse, is a good idea, nothing prevents you from serving multiple repositories using hg serve.
Here's my hgweb.config file:
[paths]
project-a = C:/hg/project-a/
library-b = C:/hg/library-b/
I start hg serve with this command:
hg serve --address 127.0.0.1 --port 8000 --webdir-conf C:/hg/hgweb.config --encoding utf8
You should edit the hgweb.config file, which by default looks like:
[web]
style = gitweb
[collections]
/mercurial/collections = /mercurial/collections
So, in that record the first /mercurial/collections is the identifier name, whereas the second (to the right of the equals sign) stands for the physical path of the repo.
For example, I have made it like:
[web]
style = gitweb
[collections]
myrepo1 = /mercurial/repositories/hang_over
myrepo2 = /mercurial/repositories/first_repo
myrepo3 = /mercurial/repositories/javaforever
I'm doing this on a Linux Ubuntu distribution.
Anyway, here the mercurial directory is in my root directory and I'm pointing from it to /mercurial/repositories.
Hope it helped you.
Sincerely.
For that you need to set up a full web server, either IIS or Apache, and host hgweb, the Python cgi script that Mercurial comes with (you may have to download the source for this.)
See Publishing Repositories with hgwebdir.cgi for more details.