Mercurial > hgbook
view en/hook.tex @ 38:b49a7dd4e564
More content for hook chapter.
Overview of hooks.
Description of hook security implications.
author | Bryan O'Sullivan <bos@serpentine.com> |
---|---|
date | Wed, 19 Jul 2006 00:06:21 -0700 |
parents | 9fd0c59b009a |
children | 576fef93bb49 |
line wrap: on
line source
\chapter{Handling repository events with hooks} \label{chap:hook} Mercurial offers a powerful mechanism to let you perform automated actions in response to events that occur in a repository. In some cases, you can even control Mercurial's response to those events. The name Mercurial uses for one of these actions is a \emph{hook}. Hooks are called ``triggers'' in some revision control systems, but the two names refer to the same idea. \section{An overview of hooks in Mercurial} Here is a brief list of the hooks that Mercurial supports. For each hook, we indicate when it is run, and a few examples of common tasks you can use it for. We will revisit each of these hooks in more detail later. \begin{itemize} \item[\small\hook{changegroup}] This is run after a group of changesets has been brought into the repository from elsewhere. In other words, it is run after a \hgcmd{pull} or \hgcmd{push} into a repository, but not after a \hgcmd{commit}. You can use this for performing an action once for the entire group of newly arrived changesets. For example, you could use this hook to send out email notifications, or kick off an automated build or test. \item[\small\hook{commit}] This is run after a new changeset has been created in the local repository, typically using the \hgcmd{commit} command. \item[\small\hook{incoming}] This is run once for each new changeset that is brought into the repository from elsewhere. Notice the difference from \hook{changegroup}, which is run once per \emph{group} of changesets brought in. You can use this for the same purposes as the \hook{changegroup} hook; it's simply more convenient sometimes to run a hook once per group of changesets, while othher times it's handier once per changeset. \item[\small\hook{outgoing}] This is run after a group of changesets has been transmitted from this repository to another. You can use this, for example, to notify subscribers every time changes are cloned or pulled from the repository. \item[\small\hook{prechangegroup}] This is run before starting to bring a group of changesets into the repository. It cannot see the actual changesets, because they have not yet been transmitted. If it fails, the changesets will not be transmitted. You can use this hook to ``lock down'' a repository against incoming changes. \item[\small\hook{precommit}] This is run before starting a commit. It cannot tell what files are included in the commit, or any other information about the commit. If it fails, the commit will not be allowed to start. You can use this to perform a build and require it to complete successfully before a commit can proceed, or automatically enforce a requirement that modified files pass your coding style guidelines. \item[\small\hook{preoutgoing}] This is run before starting to transmit a group of changesets from this repository. You can use this to lock a repository against clones or pulls from remote clients. \item[\small\hook{pretag}] This is run before creating a tag. If it fails, the tag will not be created. You can use this to enforce a uniform tag naming convention. \item[\small\hook{pretxnchangegroup}] This is run after a group of changesets has been brought into the local repository from another, but before the transaction completes that will make the changes permanent in the repository. If it fails, the transaction will be rolled back and the changes will disappear from the local repository. You can use this to automatically check newly arrived changes and, for example, roll them back if the group as a whole does not build or pass your test suite. \item[\small\hook{pretxncommit}] This is run after a new changeset has been created in the local repository, but before the transaction completes that will make it permanent. Unlike the \hook{precommit} hook, this hook can see which changes are present in the changeset, and it can also see all other changeset metadata, such as the commit message. You can use this to require that a commit message follows your local conventions, or that a changeset builds cleanly. \item[\small\hook{preupdate}] This is run before starting an update or merge of the working directory. \item[\small\hook{tag}] This is run after a tag is created. \item[\small\hook{update}] This is run after an update or merge of the working directory has finished. \end{itemize} Each of the hooks with a ``\texttt{pre}'' prefix has the ability to \emph{control} an activity. If the hook succeeds, the activity may proceed; if it fails, the activity is either not permitted or undone, depending on the hook. \section{Hooks and security} \subsection{Hooks are run with your privileges} When you run a Mercurial command in a repository, and the command causes a hook to run, that hook runs on your system, under your user account, with your privilege level. Since hooks are arbitrary pieces of executable code, you should treat them with an appropriate level of suspicion. Do not install a hook unless you are confident that you know who created it and what it does. In some cases, you may be exposed to hooks that you did not install yourself. If you work with Mercurial on an unfamiliar system, Mercurial will run hooks defined in that system's global \hgrc\ file. If you are working with a repository owned by another user, Mercurial will run hooks defined in that repository. For example, if you \hgcmd{pull} from that repository, and its \sfilename{.hg/hgrc} defines a local \hook{outgoing} hook, that hook will run under your user account, even though you don't own that repository. \begin{note} This only applies if you are pulling from a repository on a local or network filesystem. If you're pulling over http or ssh, any \hook{outgoing} hook will run under the account of the server process, on the server. \end{note} XXX To see what hooks are defined in a repository, use the \hgcmdargs{config}{hooks} command. If you are working in one repository, but talking to another that you do not own (e.g.~using \hgcmd{pull} or \hgcmd{incoming}), remember that it is the other repository's hooks you should be checking, not your own. \subsection{Hooks do not propagate} In Mercurial, hooks are not revision controlled, and do not propagate when you clone, or pull from, a repository. The reason for this is simple: a hook is a completely arbitrary piece of executable code. It runs under your user identity, with your privilege level, on your machine. It would be extremely reckless for any distributed revision control system to implement revision-controlled hooks, as this would offer an easily exploitable way to subvert the accounts of users of the revision control system. Since Mercurial does not propagate hooks, if you are collaborating with other people on a common project, you should not assume that they are using the same Mercurial hooks as you are, or that theirs are correctly configured. You should document the hooks you expect people to use. In a corporate intranet, this is somewhat easier to control, as you can for example provide a ``standard'' installation of Mercurial on an NFS filesystem, and use a site-wide \hgrc\ file to define hooks that all users will see. However, this too has its limits; see below. \subsection{Hooks can be overridden} Mercurial allows you to override a hook definition by redefining the hook. You can disable it by setting its value to the empty string, or change its behaviour as you wish. If you deploy a system-~or site-wide \hgrc\ file that defines some hooks, you should thus understand that your users can disable or override those hooks. \subsection{Ensuring that critical hooks are run} Sometimes you may want to enforce a policy that you do not want others to be able to work around. For example, you may have a requirement that every changeset must pass a rigorous set of tests. Defining this requirement via a hook in a site-wide \hgrc\ won't work for remote users on laptops, and of course local users can subvert it at will by overriding the hook. Instead, you can set up your policies for use of Mercurial so that people are expected to propagate changes through a well-known ``canonical'' server that you have locked down and configured appropriately. One way to do this is via a combination of social engineering and technology. Set up a restricted-access account; users can push changes over the network to repositories managed by this account, but they cannot log into the account and run normal shell commands. In this scenario, a user can commit a changeset that contains any old garbage they want. When someone pushes a changeset to the server that everyone pulls from, the server will test the changeset before it accepts it as permanent, and reject it if it fails to pass the test suite. If people only pull changes from this filtering server, it will serve to ensure that all changes that people pull have been automatically vetted. \section{A short tutorial on using hooks} \label{sec:hook:simple} It is easy to write a Mercurial hook. Let's start with a hook that runs when you finish a \hgcmd{commit}, and simply prints the hash of the changeset you just created. The hook is called \hook{commit}. \begin{figure}[ht] \interaction{hook.simple.init} \caption{A simple hook that runs when a changeset is committed} \label{ex:hook:init} \end{figure} All hooks follow the pattern in example~\ref{ex:hook:init}. You add an entry to the \rcsection{hooks} section of your \hgrc\. On the left is the name of the event to trigger on; on the right is the action to take. As you can see, you can run an arbitrary shell command in a hook. Mercurial passes extra information to the hook using environment variables (look for \envar{HG\_NODE} in the example). \subsection{Performing multiple actions per event} Quite often, you will want to define more than one hook for a particular kind of event, as shown in example~\ref{ex:hook:ext}. Mercurial lets you do this by adding an \emph{extension} to the end of a hook's name. You extend a hook's name by giving the name of the hook, followed by a full stop (the ``\texttt{.}'' character), followed by some more text of your choosing. For example, Mercurial will run both \texttt{commit.foo} and \texttt{commit.bar} when the \texttt{commit} event occurs. \begin{figure}[ht] \interaction{hook.simple.ext} \caption{Defining a second \hook{commit} hook} \label{ex:hook:ext} \end{figure} To give a well-defined order of execution when there are multiple hooks defined for an event, Mercurial sorts hooks by extension, and executes the hook commands in this sorted order. In the above example, it will execute \texttt{commit.bar} before \texttt{commit.foo}, and \texttt{commit} before both. It is a good idea to use a somewhat descriptive extension when you define a new hook. This will help you to remember what the hook was for. If the hook fails, you'll get an error message that contains the hook name and extension, so using a descriptive extension could give you an immediate hint as to why the hook failed (see section~\ref{sec:hook:perm} for an example). \subsection{Controlling whether an activity can proceed} \label{sec:hook:perm} In our earlier examples, we used the \hook{commit} hook, which is run after a commit has completed. This is one of several Mercurial hooks that run after an activity finishes. Such hooks have no way of influencing the activity itself. Mercurial defines a number of events that occur before an activity starts; or after it starts, but before it finishes. Hooks that trigger on these events have the added ability to choose whether the activity can continue, or will abort. The \hook{pretxncommit} hook runs after a commit has all but completed. In other words, the metadata representing the changeset has been written out to disk, but the transaction has not yet been allowed to complete. The \hook{pretxncommit} hook has the ability to decide whether the transaction can complete, or must be rolled back. If the \hook{pretxncommit} hook exits with a status code of zero, the transaction is allowed to complete; the commit finishes; and the \hook{commit} hook is run. If the \hook{pretxncommit} hook exits with a non-zero status code, the transaction is rolled back; the metadata representing the changeset is erased; and the \hook{commit} hook is not run. \begin{figure}[ht] \interaction{hook.simple.pretxncommit} \caption{Using the \hook{pretxncommit} hook to control commits} \label{ex:hook:pretxncommit} \end{figure} The hook in example~\ref{ex:hook:pretxncommit} checks that a commit comment contains a bug ID. If it does, the commit can complete. If not, the commit is rolled back. \section{Writing your own hooks} When you are writing a hook, you might find it useful to run Mercurial either with the \hggopt{-v} option, or the \rcitem{ui}{verbose} config item set to ``true''. When you do so, Mercurial will print a message before it calls each hook. \subsection{Choosing how your hook should run} \label{sec:hook:lang} You can write a hook either as a normal program---typically a shell script---or as a Python function that is executed within the Mercurial process. Writing a hook as an external program has the advantage that it requires no knowledge of Mercurial's internals. You can call normal Mercurial commands to get any added information you need. The trade-off is that external hooks are slower than in-process hooks. An in-process Python hook has complete access to the Mercurial API, and does not ``shell out'' to another process, so it is inherently faster than an external hook. It is also easier to obtain much of the information that a hook requires by using the Mercurial API than by running Mercurial commands. If you are comfortable with Python, or require high performance, writing your hooks in Python may be a good choice. However, when you have a straightforward hook to write and you don't need to care about performance (probably the majority of hooks), a shell script is perfectly fine. \subsection{Hook parameters} \label{sec:hook:param} Mercurial calls each hook with a set of well-defined parameters. In Python, a parameter is passed as a keyword argument to your hook function. For an external program, a parameter is passed as an environment variable. Whether your hook is written in Python or as a shell script, the hook-specific parameter names and values will be the same. A boolean parameter will be represented as a boolean value in Python, but as the number 1 (for ``true'') or 0 (for ``false'') as an environment variable for an external hook. If a hook parameter is named \texttt{foo}, the keyword argument for a Python hook will also be named \texttt{foo} Python, while the environment variable for an external hook will be named \texttt{HG\_FOO}. \subsection{Hook return values and activity control} A hook that executes successfully must exit with a status of zero if external, or return boolean ``false'' if in-process. Failure is indicated with a non-zero exit status from an external hook, or an in-process hook returning boolean ``true''. If an in-process hook raises an exception, the hook is considered to have failed. For a hook that controls whether an activity can proceed, zero/false means ``allow'', while non-zero/true/exception means ``deny''. \subsection{Writing an external hook} When you define an external hook in your \hgrc\ and the hook is run, its value is passed to your shell, which interprets it. This means that you can use normal shell constructs in the body of the hook. An executable hook is always run with its current directory set to a repository's root directory. Each hook parameter is passed in as an environment variable; the name is upper-cased, and prefixed with the string ``\texttt{HG\_}''. With the exception of hook parameters, Mercurial does not set or modify any environment variables when running a hook. This is useful to remember if you are writing a site-wide hook that may be run by a number of different users with differing environment variables set. In multi-user situations, you should not rely on environment variables being set to the values you have in your environment when testing the hook. \subsection{Telling Mercurial to use an in-process hook} The \hgrc\ syntax for defining an in-process hook is slightly different than for an executable hook. The value of the hook must start with the text ``\texttt{python:}'', and continue with the fully-qualified name of a callable object to use as the hook's value. The module in which a hook lives is automatically imported when a hook is run. So long as you have the module name and \envar{PYTHONPATH} right, it should ``just work''. The following \hgrc\ example snippet illustrates the syntax and meaning of the notions we just described. \begin{codesample2} [hooks] commit.example = python:mymodule.submodule.myhook \end{codesample2} When Mercurial runs the \texttt{commit.example} hook, it imports \texttt{mymodule.submodule}, looks for the callable object named \texttt{myhook}, and calls it. \subsection{Writing an in-process hook} The simplest in-process hook does nothing, but illustrates the basic shape of the hook API: \begin{codesample2} def myhook(ui, repo, **kwargs): pass \end{codesample2} The first argument to a Python hook is always a \pymodclass{mercurial.ui}{ui} object. The second is a repository object; at the moment, it is always an instance of \pymodclass{mercurial.localrepo}{localrepository}. Following these two arguments are other keyword arguments. Which ones are passed in depends on the hook being called, but a hook can ignore arguments it doesn't care about by dropping them into a keyword argument dict, as with \texttt{**kwargs} above. %%% Local Variables: %%% mode: latex %%% TeX-master: "00book" %%% End: