* add Redmine.pm to authenticate with mod_perl

* add a --test option in reposman.rb * change owner right to fit with apache write access to repositories * add a deprecated warning in reposman.pl git-svn-id: http://redmine.rubyforge.org/svn/trunk@916 e93f8b46-1217-0410-a6f0-8f06a7374b81
2007-11-18 18:51:48 +00:00 · 2007-11-18 18:51:48 +00:00 · a1f3497ec4
parent 9c9ae21771
commit a1f3497ec4
3 changed files with 237 additions and 2 deletions
--- a/extra/svn/Redmine.pm
+++ b/extra/svn/Redmine.pm
@ -0,0 +1,210 @@
+package Apache::Authn::Redmine;
+
+=head1 Apache::Authn::Redmine
+
+Redmine - a mod_perl module to authenticate webdav subversion users
+against redmine database
+
+=head1 SYNOPSIS
+
+This module allow anonymous users to browse public project and
+registred users to browse and commit their project. authentication is
+done on the redmine database.
+
+This method is far simpler than the one with pam_* and works with all
+database without an hassle but you need to have apache/mod_perl on the
+svn server.
+
+=head1 INSTALLATION
+
+For this to automagically work, you need to have a recent reposman.rb
+(after r860) and if you already use reposman, read the last section to
+migrate.
+
+Sorry ruby users but you need some perl modules, at least mod_perl2,
+DBI and DBD::mysql (or the DBD driver for you database as it should
+work on allmost all databases).
+
+On debian/ubuntu you must do :
+
+  aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl
+
+=head1 CONFIGURATION
+
+   ## if the module isn't in your perl path
+   PerlRequire /usr/local/apache/Redmine.pm
+   ## else
+   # PerlModule Apache::Authn::Redmine
+   <Location /svn>
+     DAV svn
+     SVNParentPath "/var/svn"
+
+     AuthType Basic
+     AuthName redmine
+     Require valid-user
+
+     PerlAccessHandler Apache::Authn::Redmine::access_handler
+     PerlAuthenHandler Apache::Authn::Redmine::authen_handler
+  
+     ## for mysql
+     PerlSetVar dsn DBI:mysql:database=databasename;host=my.db.server
+     ## for postgres
+     # PerlSetVar dsn DBI:Pg:dbname=databasename;host=my.db.server
+
+     PerlSetVar db_user redmine
+     PerlSetVar db_pass password
+  </Location>
+
+To be able to browse repository inside redmine, you must add something
+like that :
+
+   <Location /svn-private>
+     DAV svn
+     SVNParentPath "/var/svn"
+     Order deny,allow
+     Deny from all
+     # only allow reading orders
+     <Limit GET PROPFIND OPTIONS REPORT>
+       Allow from redmine.server.ip
+     </Limit>
+   </Location>
+
+and you will have to use this reposman.rb command line to create repository :
+
+  reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/
+
+=head1 MIGRATION FROM OLDER RELEASES
+
+If you use an older reposman.rb (r860 or before), you need to change
+rights on repositories to allow the apache user to read and write
+S<them :>
+
+  sudo chown -R www-data /var/svn/*
+  sudo chmod -R u+w /var/svn/*
+
+And you need to upgrade at least reposman.rb (after r860).
+
+=cut
+
+use strict;
+
+use DBI;
+use Digest::SHA1;
+
+use Apache2::Module;
+use Apache2::Access;
+use Apache2::ServerRec qw();
+use Apache2::RequestRec qw();
+use Apache2::RequestUtil qw();
+use Apache2::Const qw(:common);
+# use Apache2::Directive qw();
+
+my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/;
+
+sub access_handler {
+  my $r = shift;
+
+  unless ($r->some_auth_required) {
+      $r->log_reason("No authentication has been configured");
+      return FORBIDDEN;
+  }
+
+  my $method = $r->method;
+  return OK unless 1 == $read_only_methods{$method};
+
+  my $project_id = get_project_identifier($r);
+
+  $r->set_handlers(PerlAuthenHandler => [\&OK])
+      if is_public_project($project_id, $r);
+
+  return OK
+}
+
+sub authen_handler {
+  my $r = shift;
+  
+  my ($res, $redmine_pass) =  $r->get_basic_auth_pw();
+  return $res unless $res == OK;
+  
+  if (is_member($r->user, $redmine_pass, $r)) {
+      return OK;
+  } else {
+      $r->note_auth_failure();
+      return AUTH_REQUIRED;
+  }
+}
+
+sub is_public_project {
+    my $project_id = shift;
+    my $r = shift;
+
+    my $dbh = connect_database($r);
+    my $sth = $dbh->prepare(
+	"SELECT * FROM projects WHERE projects.identifier=? and projects.is_public=true;"
+    );
+
+    $sth->execute($project_id);
+    my $ret = $sth->fetchrow_array ? 1 : 0;
+    $dbh->disconnect();
+
+    $ret;
+}
+
+# perhaps we should use repository right (other read right) to check public access.
+# it could be faster BUT it doesn't work for the moment.
+# sub is_public_project_by_file {
+#     my $project_id = shift;
+#     my $r = shift;
+
+#     my $tree = Apache2::Directive::conftree();
+#     my $node = $tree->lookup('Location', $r->location);
+#     my $hash = $node->as_hash;
+
+#     my $svnparentpath = $hash->{SVNParentPath};
+#     my $repos_path = $svnparentpath . "/" . $project_id;
+#     return 1 if (stat($repos_path))[2] & 00007;
+# }
+
+sub is_member {
+  my $redmine_user = shift;
+  my $redmine_pass = shift;
+  my $r = shift;
+
+  my $dbh         = connect_database($r);
+  my $project_id  = get_project_identifier($r);
+
+  my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);
+
+  my $sth = $dbh->prepare(
+      "SELECT hashed_password FROM members, projects, users WHERE projects.id=members.project_id AND users.id=members.user_id AND login=? AND identifier=?;"
+  );
+  $sth->execute($redmine_user, $project_id);
+
+  my $ret;
+  while (my @row = $sth->fetchrow_array) {
+      if ($row[0] eq $pass_digest) {
+	  $ret = 1;
+	  last;
+      }
+  }
+  $dbh->disconnect();
+
+  $ret;
+}
+
+sub get_project_identifier {
+    my $r = shift;
+    
+    my $location = $r->location;
+    my ($identifier) = $r->uri =~ m{$location/*([^/]+)};
+    $identifier;
+}
+
+sub connect_database {
+    my $r = shift;
+
+    my ($dsn, $db_user, $db_pass) = map { $r->dir_config($_) } qw/dsn db_user db_pass/;
+    return DBI->connect($dsn, $db_user, $db_pass);
+}
+
+1;
--- a/extra/svn/reposman.pl
+++ b/extra/svn/reposman.pl
@ -23,6 +23,11 @@ use vars qw/$VERSION/;

 $VERSION = "1.0";

+my $warning = "This program is now deprecated. Use the reposman.rb for new features";
+print STDERR "*" x length($warning), "\n",
+    $warning, "\n",
+    "*" x length($warning), "\n\n";
+
 my %opts = (verbose => 0);
 GetOptions(\%opts, 'verbose|v+', 'version|V', 'help|h', 'man|m', 'quiet|q', 'svn-dir|s=s', 'redmine-host|r=s') or pod2usage(2);

--- a/extra/svn/reposman.rb
+++ b/extra/svn/reposman.rb
@ -37,6 +37,8 @@
 #    -u file:///var/svn/                       # if the repository is local
 #    if this option isn't set, reposman won't register the repository
 #
+# -t, --test
+#    only show what should be done
 #
 # -h, --help:
 #    show help and exit
@ -64,6 +66,7 @@ opts = GetoptLong.new(
                      ['--redmine-host', '-r', GetoptLong::REQUIRED_ARGUMENT],
                      ['--owner',        '-o', GetoptLong::REQUIRED_ARGUMENT],
                      ['--url',          '-u', GetoptLong::REQUIRED_ARGUMENT],
+                      ['--test',         '-t', GetoptLong::NO_ARGUMENT],
                      ['--verbose',      '-v', GetoptLong::NO_ARGUMENT],
                      ['--version',      '-V', GetoptLong::NO_ARGUMENT],
                      ['--help'   ,      '-h', GetoptLong::NO_ARGUMENT],
@ -76,6 +79,7 @@ $redmine_host = ''
 $repos_base   = ''
 $svn_owner    = 'root'
 $svn_url      = false
+$test         = false

 def log(text,level=0, exit=false)
  return if $quiet or level > $verbose
@ -91,6 +95,7 @@ begin
    when '--owner';          $svn_owner    = arg.dup
    when '--url';            $svn_url      = arg.dup
    when '--verbose';        $verbose += 1
+    when '--test';           $test = true
    when '--version';        puts Version; exit
    when '--help';           RDoc::usage
    when '--quiet';          $quiet = true
@ -100,6 +105,10 @@ rescue
  exit 1
 end

+if $test
+  log("running in test mode")
+end
+
 $svn_url += "/" if $svn_url and not $svn_url.match(/\/$/)

 if ($redmine_host.empty? or $repos_base.empty?)
@ -136,7 +145,7 @@ def set_owner_and_rights(project, repos_path, &block)
    yield if block_given?
  else
    uid, gid = Etc.getpwnam($svn_owner).uid, Etc.getgrnam(project.identifier).gid
-    right = project.is_public ? 0575 : 0570
+    right = project.is_public ? 0775 : 0770
    yield if block_given?
    Find.find(repos_path) do |f|
      File.chmod right, f
@ -176,6 +185,11 @@ projects.each do |project|
    owner      = owner_name(repos_path)
    next if project.is_public == other_read and owner == $svn_owner

+    if $test
+      log("\tchange mode on #{repos_path}")
+      next
+    end
+
    begin
      set_owner_and_rights(project, repos_path)
    rescue Errno::EPERM => e
@ -186,7 +200,13 @@ projects.each do |project|
    log("\tmode change on #{repos_path}");

  else
-    project.is_public ? File.umask(0202) : File.umask(0207)
+    project.is_public ? File.umask(0002) : File.umask(0007)
+
+    if $test
+      log("\tcreate repository #{repos_path}")
+      log("\trepository #{repos_path} registered in Redmine with url #{$svn_url}#{project.identifier}") if $svn_url;
+      next
+    end

    begin
      set_owner_and_rights(project, repos_path) do