1439795 - Hook to prevent changes to repository data on hgweb

Status: RESOLVED FIXED

(Developer Services :: Mercurial: hg.mozilla.org, defect)

Description

[Gregory Szorc [:gps]]

To bolster data integrity protection on hg.mozilla.org, we want to deploy a hook to hgweb machines that prevents mutation of repository data unless it came from the replication mechanism.

This will prevent against unwanted changes to repositories on read-only hgweb machines.

Comment 1

[Gregory Szorc [:gps]]

Attachment: hgserver: hook to prevent most repository changes on hgweb (bug 1439795);

Repositories on hgweb machines should be read-only except to the
replication mechanism.

To reinforce this desired property, this commit introduces a global
hook running as part of the pretxnchangegroup and precommit hooks
that attempts to make repositories read-only.

Local commits are banned outright.

Changegroups can only be applied if they are coming from `hg pull`
operations or are the result of an `hg strip`.

We still allow repository writes via the "pushkey" protocol. But this
is only because there isn't a good way for hooks to know what the
source of a "pushkey" request was. It also doesn't help that the
replication mechanism effectively calls `hg debugpushkey` to replicate
pushkey events. But something is better than nothing.

In addition to the added hooks tests, I verified that vcsreplicator
and Docker-based tests for hg.mo functionality continue to pass.

Review commit: https://reviewboard.mozilla.org/r/221840/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/221840/

Comment 2

[:glob ✱]

Comment on attachment 8952602 [details]
hgserver: hook to prevent most repository changes on hgweb (bug 1439795);

https://reviewboard.mozilla.org/r/221840/#review227730

lgtm

::: hghooks/mozhghooks/prevent_hgweb_changes.py:6
(Diff revision 1)
> +# This hook is intended to run on the hgweb machines. It effectively
> +# prevents repository changes that didn't come from `hg pull` or
> +# `hg strip`. The former is used by the replication mechanism. The
> +# latter is an adminstrative task that is performed from time to time.

should we also prevent tagging?

Comment 3

[Gregory Szorc [:gps]]

Comment on attachment 8952602 [details]
hgserver: hook to prevent most repository changes on hgweb (bug 1439795);

https://reviewboard.mozilla.org/r/221840/#review227730

> should we also prevent tagging?

Unlike Git (where tagging is pushing a specially named ref), tagging in Mercurial requires creating a changeset (tags are stored in the `.hgtags` file). So tagging is prevented by preventing new changesets from being introduced. And `hg tag` goes through the commit code paths. So the pre-commit hook should prevent it.

Comment 4

[Gregory Szorc [:gps]]

Comment on attachment 8952602 [details]
hgserver: hook to prevent most repository changes on hgweb (bug 1439795);

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/221840/diff/1-2/

Comment 5

[Pulsebot]

Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/f48f74151f57
hgserver: hook to prevent most repository changes on hgweb ; r=glob