Enable Mercurial reads and writes over SSH

Summary:
Ref T2230. This is substantially more complicated than Git, but mostly because Mercurial's protocol is a like 50 ad-hoc extensions cobbled together. Because we must decode protocol frames in order to determine if a request is read or write, 90% of this is implementing a stream parser for the protocol.

Mercurial's own parser is simpler, but relies on blocking reads. Since we don't even have methods for blocking reads right now and keeping the whole thing non-blocking is conceptually better, I made the parser nonblocking. It ends up being a lot of stuff. I made an effort to cover it reasonably well with unit tests, and to make sure we fail closed (i.e., reject requests) if there are any parts of the protocol I got wrong.

A lot of the complexity is sharable with the HTTP stuff, so it ends up being not-so-bad, just very hard to verify by inspection as clearly correct.

Test Plan:
  - Ran `hg clone` over SSH.
  - Ran `hg fetch` over SSH.
  - Ran `hg push` over SSH, to a read-only repo (error) and a read-write repo (success).

Reviewers: btrahan, asherkin

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T2230

Differential Revision: https://secure.phabricator.com/D7553

Author: epriestley

scripts/ssh/ssh-exec.php

@@ -61,7 +61,7 @@
 
   $workflows = array(
     new ConduitSSHWorkflow(),
-
+    new DiffusionSSHMercurialServeWorkflow(),
     new DiffusionSSHGitUploadPackWorkflow(),
     new DiffusionSSHGitReceivePackWorkflow(),
   );

src/__phutil_library_map__.php

@@ -543,6 +543,10 @@
     'DiffusionSSHGitReceivePackWorkflow' => 'applications/diffusion/ssh/DiffusionSSHGitReceivePackWorkflow.php',
     'DiffusionSSHGitUploadPackWorkflow' => 'applications/diffusion/ssh/DiffusionSSHGitUploadPackWorkflow.php',
     'DiffusionSSHGitWorkflow' => 'applications/diffusion/ssh/DiffusionSSHGitWorkflow.php',
+    'DiffusionSSHMercurialServeWorkflow' => 'applications/diffusion/ssh/DiffusionSSHMercurialServeWorkflow.php',
+    'DiffusionSSHMercurialWireClientProtocolChannel' => 'applications/diffusion/ssh/DiffusionSSHMercurialWireClientProtocolChannel.php',
+    'DiffusionSSHMercurialWireTestCase' => 'applications/diffusion/ssh/__tests__/DiffusionSSHMercurialWireTestCase.php',
+    'DiffusionSSHMercurialWorkflow' => 'applications/diffusion/ssh/DiffusionSSHMercurialWorkflow.php',
     'DiffusionSSHWorkflow' => 'applications/diffusion/ssh/DiffusionSSHWorkflow.php',
     'DiffusionServeController' => 'applications/diffusion/controller/DiffusionServeController.php',
     'DiffusionSetPasswordPanel' => 'applications/diffusion/panel/DiffusionSetPasswordPanel.php',
@@ -2808,6 +2812,10 @@
     'DiffusionSSHGitReceivePackWorkflow' => 'DiffusionSSHGitWorkflow',
     'DiffusionSSHGitUploadPackWorkflow' => 'DiffusionSSHGitWorkflow',
     'DiffusionSSHGitWorkflow' => 'DiffusionSSHWorkflow',
+    'DiffusionSSHMercurialServeWorkflow' => 'DiffusionSSHMercurialWorkflow',
+    'DiffusionSSHMercurialWireClientProtocolChannel' => 'PhutilProtocolChannel',
+    'DiffusionSSHMercurialWireTestCase' => 'PhabricatorTestCase',
+    'DiffusionSSHMercurialWorkflow' => 'DiffusionSSHWorkflow',
     'DiffusionSSHWorkflow' => 'PhabricatorSSHWorkflow',
     'DiffusionServeController' => 'DiffusionController',
     'DiffusionSetPasswordPanel' => 'PhabricatorSettingsPanel',

src/applications/diffusion/controller/DiffusionServeController.php

@@ -228,40 +228,8 @@ private function isReadOnlyRequest(
       case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
         $cmd = $request->getStr('cmd');
         if ($cmd == 'batch') {
-          // For "batch" we get a "cmds" argument like
-          //
-          //   heads ;known nodes=
-          //
-          // We need to examine the commands (here, "heads" and "known") to
-          // make sure they're all read-only.
-
-          $args = $this->getMercurialArguments();
-          $cmds = idx($args, 'cmds');
-          if ($cmds) {
-
-            // NOTE: Mercurial has some code to escape semicolons, but it does
-            // not actually function for command separation. For example, these
-            // two batch commands will produce completely different results (the
-            // former will run the lookup; the latter will fail with a parser
-            // error):
-            //
-            //  lookup key=a:xb;lookup key=z* 0
-            //  lookup key=a:;b;lookup key=z* 0
-            //               ^
-            //               |
-            //               +-- Note semicolon.
-            //
-            // So just split unconditionally.
-
-            $cmds = explode(';', $cmds);
-            foreach ($cmds as $sub_cmd) {
-              $name = head(explode(' ', $sub_cmd, 2));
-              if (!DiffusionMercurialWireProtocol::isReadOnlyCommand($name)) {
-                return false;
-              }
-            }
-            return true;
-          }
+          $cmds = idx($this->getMercurialArguments(), 'cmds');
+          return DiffusionMercurialWireProtocol::isReadOnlyBatchCommand($cmds);
         }
         return DiffusionMercurialWireProtocol::isReadOnlyCommand($cmd);
       case PhabricatorRepositoryType::REPOSITORY_TYPE_SUBVERSION:

src/applications/diffusion/protocol/DiffusionMercurialWireProtocol.php

@@ -59,4 +59,44 @@ public static function isReadOnlyCommand($command) {
     return isset($read_only[$command]);
   }
 
+  public static function isReadOnlyBatchCommand($cmds) {
+    if (!strlen($cmds)) {
+      // We expect a "batch" command to always have a "cmds" string, so err
+      // on the side of caution and throw if we don't get any data here. This
+      // either indicates a mangled command from the client or a programming
+      // error in our code.
+      throw new Exception("Expected nonempty 'cmds' specification!");
+    }
+
+    // For "batch" we get a "cmds" argument like:
+    //
+    //   heads ;known nodes=
+    //
+    // We need to examine the commands (here, "heads" and "known") to make sure
+    // they're all read-only.
+
+    // NOTE: Mercurial has some code to escape semicolons, but it does not
+    // actually function for command separation. For example, these two batch
+    // commands will produce completely different results (the former will run
+    // the lookup; the latter will fail with a parser error):
+    //
+    //  lookup key=a:xb;lookup key=z* 0
+    //  lookup key=a:;b;lookup key=z* 0
+    //               ^
+    //               |
+    //               +-- Note semicolon.
+    //
+    // So just split unconditionally.
+
+    $cmds = explode(';', $cmds);
+    foreach ($cmds as $sub_cmd) {
+      $name = head(explode(' ', $sub_cmd, 2));
+      if (!self::isReadOnlyCommand($name)) {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
 }

src/applications/diffusion/ssh/DiffusionSSHMercurialServeWorkflow.php

@@ -0,0 +1,106 @@
+<?php
+
+final class DiffusionSSHMercurialServeWorkflow
+  extends DiffusionSSHMercurialWorkflow {
+
+  protected $didSeeWrite;
+
+  public function didConstruct() {
+    $this->setName('hg');
+    $this->setArguments(
+      array(
+        array(
+          'name' => 'repository',
+          'short' => 'R',
+          'param' => 'repo',
+        ),
+        array(
+          'name' => 'stdio',
+        ),
+        array(
+          'name' => 'command',
+          'wildcard' => true,
+        ),
+      ));
+  }
+
+  public function getRequestPath() {
+    return $this->getArgs()->getArg('repository');
+  }
+
+  protected function executeRepositoryOperations(
+    PhabricatorRepository $repository) {
+
+    $args = $this->getArgs();
+
+    if (!$args->getArg('stdio')) {
+      throw new Exception("Expected `hg ... --stdio`!");
+    }
+
+    if ($args->getArg('command') !== array('serve')) {
+      throw new Exception("Expected `hg ... serve`!");
+    }
+
+    $future = new ExecFuture(
+      'hg -R %s serve --stdio',
+      $repository->getLocalPath());
+
+    $io_channel = $this->getIOChannel();
+
+    $protocol_channel = new DiffusionSSHMercurialWireClientProtocolChannel(
+      $io_channel);
+
+    $err = id($this->newPassthruCommand())
+      ->setIOChannel($protocol_channel)
+      ->setCommandChannelFromExecFuture($future)
+      ->setWillWriteCallback(array($this, 'willWriteMessageCallback'))
+      ->execute();
+
+    // TODO: It's apparently technically possible to communicate errors to
+    // Mercurial over SSH by writing a special "\n<error>\n-\n" string. However,
+    // my attempt to implement that resulted in Mercurial closing the socket and
+    // then hanging, without showing the error. This might be an issue on our
+    // side (we need to close our half of the socket?), or maybe the code
+    // for this in Mercurial doesn't actually work, or maybe something else
+    // is afoot. At some point, we should look into doing this more cleanly.
+    // For now, when we, e.g., reject writes for policy reasons, the user will
+    // see "abort: unexpected response: empty string" after the diagnostically
+    // useful, e.g., "remote: This repository is read-only over SSH." message.
+
+    if (!$err && $this->didSeeWrite) {
+      $repository->writeStatusMessage(
+        PhabricatorRepositoryStatusMessage::TYPE_NEEDS_UPDATE,
+        PhabricatorRepositoryStatusMessage::CODE_OKAY);
+    }
+
+    return $err;
+  }
+
+  public function willWriteMessageCallback(
+    PhabricatorSSHPassthruCommand $command,
+    $message) {
+
+    $command = $message['command'];
+
+    // Check if this is a readonly command.
+
+    $is_readonly = false;
+    if ($command == 'batch') {
+      $cmds = idx($message['arguments'], 'cmds');
+      if (DiffusionMercurialWireProtocol::isReadOnlyBatchCommand($cmds)) {
+        $is_readonly = true;
+      }
+    } else if (DiffusionMercurialWireProtocol::isReadOnlyCommand($command)) {
+      $is_readonly = true;
+    }
+
+    if (!$is_readonly) {
+      $this->requireWriteAccess();
+      $this->didSeeWrite = true;
+    }
+
+    // If we're good, return the raw message data.
+    return $message['raw'];
+  }
+
+}