Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:37:28 -0700] rev 29112
sslutil: handle ui.insecureconnections in validator
Right now, web.cacerts=! means one of two things:
1) Use of --insecure
2) No CAs could be found and were loaded (see sslkwargs)
This isn't very obvious and makes changing behavior of these
different scenarios independent of the other impossible.
This patch changes the validator code to explicit handle the
case of --insecure being used.
As the inline comment indicates, there is room to possibly change
messaging and logic here. For now, we are backwards compatible.
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:35:45 -0700] rev 29111
sslutil: check for ui.insecureconnections in sslkwargs
The end result of this function is the same. We now have a more
explicit return branch.
We still keep the old code looking at web.cacerts=! a few lines
below because we're still setting web.cacerts=! and need to react
to the variable. This will be removed in an upcoming patch.
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:34:22 -0700] rev 29110
dispatch: set ui.insecureconnections when --insecure is used
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:33:38 -0700] rev 29109
ui: add an instance flag to hold --insecure bit
Currently, when --insecure is used we set web.cacerts=! and
socket validation takes this value into account. web.cacerts=!
is not documented AFAICT and is purely an internal implementation
detail.
Let's be more explicit about what is going on by introducing a
dedicated variable outside of the config values to track that
--insecure is used.
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:32:43 -0700] rev 29108
sslutil: make sslkwargs code even more explicit
The ways in which this code can interact with socket wrapping
and validation later are mind numbing. This patch helps make it
even more clear.
The end behavior should be identical.
Gregory Szorc <gregory.szorc@gmail.com> [Wed, 04 May 2016 23:38:34 -0700] rev 29107
sslutil: move code examining _canloaddefaultcerts out of _defaultcacerts
Before, the return of _defaultcacerts() was 1 of 3 types. This was
difficult to read. Make it return a path or None.
We had to update hghave.py in the same patch because it was also
looking at this internal function. I wasted dozens of minutes
trying to figure out why tests were failing until I found the
code in hghave.py...
Gregory Szorc <gregory.szorc@gmail.com> [Wed, 04 May 2016 23:01:49 -0700] rev 29106
sslutil: further refactor sslkwargs
The logic here and what happens with web.cacerts is mind numbing.
Make the code even more explicit.
Gregory Szorc <gregory.szorc@gmail.com> [Thu, 05 May 2016 00:31:11 -0700] rev 29105
sslutil: document and slightly refactor sslkwargs
This will help me and any reviewers keep sane as this code
is refactored.
Augie Fackler <augie@google.com> [Fri, 06 May 2016 11:31:29 -0400] rev 29104
localrepo: remove a couple of local type aliases
The local aliases are unused now, and were confusing mypy's type
checker.
Augie Fackler <augie@google.com> [Fri, 06 May 2016 14:22:17 -0400] rev 29103
cmdutil: typo fix in comment