Mercurial: How to post-hook push to Bitbucket?

Question

We have a 'master' Mercurial server on our network that we use for a local staging box. Our team does all of our pushes and pulls to/from this one box. I'm having trouble with the implementation I'm using, but I'm also second guessing whether what I want to do is even a good idea...

We also want to start using BitBucket, but only as a secondary server. I'd like to use a hook to automatically push to Bitbucket, but I can't get it working right...

Here's the HGRC from the 'master' repo:

[hooks]
changegroup =
changegroup.update = hg update
changegroup.bitbucket = hg push ssh://hg@bitbucket.org/account/repo

If I manually fire off the above push, everything works perfectly. However, as a hook it fails:

warning: changegroup.bitbucket hook exited with status 255

I followed this guide to get SSH working: Set up SSH for Git and Mercurial on Mac OSX/Linux

I get my keys generated, I run ssh-agent, and I ssh-add the key. But ssh-agent doesn't seem to be doing anything, and as soon as I exit the SSH session it seems to leave memory. Additionally, when I test it out with ssh -Tv hg@bitbucket.org it prompts me for my password. I thought the whole point of this was for it not to do that?

But taking a step back, maybe this is a terrible idea to being with. If I give my public key to Bitbucket wouldn't that theoretically mean if someone got a hold of it, they could SSH in to my box without a password?

And if so, what alternative do I have to forward commits to bitbucket? I'd rather not use HTTPS because it would require putting our bitbucket password as plain/text in the .hg/hgrc file...

Maybe there's some more obvious way to do this that I'm missing? For the developers, I'd rather keep things the way they are now (everyone push to master) instead of reconfiguring everyone's developer box to have a private key and to push to bitbucket instead...

As always, thanks for any help you guys can provide.

Have you ever heard of [SSH tuneling](https://en.wikipedia.org/wiki/Ssh_tunnel#Secure_shell_tunneling)? OpenVPN? — user2284570, Dec 26 '13 at 18:29
I have, but I'm not sure how either would help with my problem. There are no firewall or VPN problems here... Would you mind elaborating? — DOOManiac, Dec 26 '13 at 19:28
If you access your mercurial repository through VPN, it would be encrypted. — user2284570, Dec 26 '13 at 19:47
But if I'm using SSH to push to bitbucket, the connection is encrypted already. My problem is *getting* connected... — DOOManiac, Dec 26 '13 at 20:30
Of course, but I still don't understand what you are trying to say. — DOOManiac, Dec 26 '13 at 21:42
That you have to try to use VPN since you have problems with ssh — user2284570, Dec 27 '13 at 01:41
Well I can't VPN into Bitbucket, so unless I'm missing something I believe you may not be understanding the question... — DOOManiac, Dec 27 '13 at 17:33
How do developers push to the master repo on the staging box? Locally (i.e. they already work on this machine), with HTTP(S), or with SSH? — Oben Sonne, Dec 28 '13 at 16:38
We have a shared network drive for the "master" that we push to. It is significantly faster than pushing to BitBucket, which is another reason we'd like to keep it around. — DOOManiac, Dec 29 '13 at 05:24

score 2 · Answer 1 · answered Dec 20 '13 at 19:28

Woah, there are a lot of questions there. I'll hit a few of 'em:

But ssh-agent doesn't seem to be doing anything, and as soon as I exit the SSH session it seems to leave memory.

You're correct. ssh-agent is for interactive sessions, not for automation. In most usages when you log out it's killed, but even if that weren't the case it wouldn't be working as you imagine because when someone does that hg push they're running a new, non-interactive session that wouldn't have access to the ssh-agent anyway

Additionally, when I test it out with ssh -Tv hg@bitbucket.org it prompts me for my password.

Testing it out like that isn't valid. That's saying "I want to log into an interactive session at bitbucket with the username hg", but that's not what they authorize you to do. If you send them your public key they let you login as the user hg only for the purposes of doing hg non-interactive commands.

Additionally, when I test it out with ssh -Tv hg@bitbucket.org it prompts me for my password.

No, public keys are meant to be public -- you can list anyone's on github for example. The public key just says "anyone who has the private key that matches this is authorized to...", so any site that wants your private key are crooks, but any site that wants you public key is just offering you a way to use something better than a password.

One thing you may be missing about hooks is "who" the hook runs as. When people are pushing to your "centralish" repo over ssh that the hook is being run as their unix user, and if they're pushing over http the hook is being run as the web server's user.

If you had:

a private ssh key with no password on it
the public key matching that private key setup on bitbucket
the unix user running the hook using that private key for access to bitbucket.org

then what you're trying to do would work.

"When people are pushing to your "centralish" repo over ssh that the hook is being run as their unix user" - That's the problem! None of us have individual linux user accounts on this box. Is a private SSH key w/o a password safe? — DOOManiac, Dec 20 '13 at 22:54
"safe" is relative. A private key w/o a password means that anyone who finds that file (or the laptop it's on) can access the account. If that feels safe to you (and in some contexts it would be) that's your answer. — Ry4an Brase, Dec 27 '13 at 03:02

Mercurial: How to post-hook push to Bitbucket?

1 Answers1