--- /dev/null
+package Apache::Authn::Redmine;
+
+=head1 Apache::Authn::Redmine
+
+Redmine - a mod_perl module to authenticate webdav subversion users
+against redmine database
+
+=head1 SYNOPSIS
+
+This module allow anonymous users to browse public project and
+registred users to browse and commit their project. authentication is
+done on the redmine database.
+
+This method is far simpler than the one with pam_* and works with all
+database without an hassle but you need to have apache/mod_perl on the
+svn server.
+
+=head1 INSTALLATION
+
+For this to automagically work, you need to have a recent reposman.rb
+(after r860) and if you already use reposman, read the last section to
+migrate.
+
+Sorry ruby users but you need some perl modules, at least mod_perl2,
+DBI and DBD::mysql (or the DBD driver for you database as it should
+work on allmost all databases).
+
+On debian/ubuntu you must do :
+
+ aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl
+
+=head1 CONFIGURATION
+
+ ## if the module isn't in your perl path
+ PerlRequire /usr/local/apache/Redmine.pm
+ ## else
+ # PerlModule Apache::Authn::Redmine
+ <Location /svn>
+ DAV svn
+ SVNParentPath "/var/svn"
+
+ AuthType Basic
+ AuthName redmine
+ Require valid-user
+
+ PerlAccessHandler Apache::Authn::Redmine::access_handler
+ PerlAuthenHandler Apache::Authn::Redmine::authen_handler
+
+ ## for mysql
+ PerlSetVar dsn DBI:mysql:database=databasename;host=my.db.server
+ ## for postgres
+ # PerlSetVar dsn DBI:Pg:dbname=databasename;host=my.db.server
+
+ PerlSetVar db_user redmine
+ PerlSetVar db_pass password
+ </Location>
+
+To be able to browse repository inside redmine, you must add something
+like that :
+
+ <Location /svn-private>
+ DAV svn
+ SVNParentPath "/var/svn"
+ Order deny,allow
+ Deny from all
+ # only allow reading orders
+ <Limit GET PROPFIND OPTIONS REPORT>
+ Allow from redmine.server.ip
+ </Limit>
+ </Location>
+
+and you will have to use this reposman.rb command line to create repository :
+
+ reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/
+
+=head1 MIGRATION FROM OLDER RELEASES
+
+If you use an older reposman.rb (r860 or before), you need to change
+rights on repositories to allow the apache user to read and write
+S<them :>
+
+ sudo chown -R www-data /var/svn/*
+ sudo chmod -R u+w /var/svn/*
+
+And you need to upgrade at least reposman.rb (after r860).
+
+=cut
+
+use strict;
+
+use DBI;
+use Digest::SHA1;
+
+use Apache2::Module;
+use Apache2::Access;
+use Apache2::ServerRec qw();
+use Apache2::RequestRec qw();
+use Apache2::RequestUtil qw();
+use Apache2::Const qw(:common);
+# use Apache2::Directive qw();
+
+my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/;
+
+sub access_handler {
+ my $r = shift;
+
+ unless ($r->some_auth_required) {
+ $r->log_reason("No authentication has been configured");
+ return FORBIDDEN;
+ }
+
+ my $method = $r->method;
+ return OK unless 1 == $read_only_methods{$method};
+
+ my $project_id = get_project_identifier($r);
+
+ $r->set_handlers(PerlAuthenHandler => [\&OK])
+ if is_public_project($project_id, $r);
+
+ return OK
+}
+
+sub authen_handler {
+ my $r = shift;
+
+ my ($res, $redmine_pass) = $r->get_basic_auth_pw();
+ return $res unless $res == OK;
+
+ if (is_member($r->user, $redmine_pass, $r)) {
+ return OK;
+ } else {
+ $r->note_auth_failure();
+ return AUTH_REQUIRED;
+ }
+}
+
+sub is_public_project {
+ my $project_id = shift;
+ my $r = shift;
+
+ my $dbh = connect_database($r);
+ my $sth = $dbh->prepare(
+ "SELECT * FROM projects WHERE projects.identifier=? and projects.is_public=true;"
+ );
+
+ $sth->execute($project_id);
+ my $ret = $sth->fetchrow_array ? 1 : 0;
+ $dbh->disconnect();
+
+ $ret;
+}
+
+# perhaps we should use repository right (other read right) to check public access.
+# it could be faster BUT it doesn't work for the moment.
+# sub is_public_project_by_file {
+# my $project_id = shift;
+# my $r = shift;
+
+# my $tree = Apache2::Directive::conftree();
+# my $node = $tree->lookup('Location', $r->location);
+# my $hash = $node->as_hash;
+
+# my $svnparentpath = $hash->{SVNParentPath};
+# my $repos_path = $svnparentpath . "/" . $project_id;
+# return 1 if (stat($repos_path))[2] & 00007;
+# }
+
+sub is_member {
+ my $redmine_user = shift;
+ my $redmine_pass = shift;
+ my $r = shift;
+
+ my $dbh = connect_database($r);
+ my $project_id = get_project_identifier($r);
+
+ my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);
+
+ my $sth = $dbh->prepare(
+ "SELECT hashed_password FROM members, projects, users WHERE projects.id=members.project_id AND users.id=members.user_id AND login=? AND identifier=?;"
+ );
+ $sth->execute($redmine_user, $project_id);
+
+ my $ret;
+ while (my @row = $sth->fetchrow_array) {
+ if ($row[0] eq $pass_digest) {
+ $ret = 1;
+ last;
+ }
+ }
+ $dbh->disconnect();
+
+ $ret;
+}
+
+sub get_project_identifier {
+ my $r = shift;
+
+ my $location = $r->location;
+ my ($identifier) = $r->uri =~ m{$location/*([^/]+)};
+ $identifier;
+}
+
+sub connect_database {
+ my $r = shift;
+
+ my ($dsn, $db_user, $db_pass) = map { $r->dir_config($_) } qw/dsn db_user db_pass/;
+ return DBI->connect($dsn, $db_user, $db_pass);
+}
+
+1;
# -u file:///var/svn/ # if the repository is local
# if this option isn't set, reposman won't register the repository
#
+# -t, --test
+# only show what should be done
#
# -h, --help:
# show help and exit
['--redmine-host', '-r', GetoptLong::REQUIRED_ARGUMENT],
['--owner', '-o', GetoptLong::REQUIRED_ARGUMENT],
['--url', '-u', GetoptLong::REQUIRED_ARGUMENT],
+ ['--test', '-t', GetoptLong::NO_ARGUMENT],
['--verbose', '-v', GetoptLong::NO_ARGUMENT],
['--version', '-V', GetoptLong::NO_ARGUMENT],
['--help' , '-h', GetoptLong::NO_ARGUMENT],
$repos_base = ''
$svn_owner = 'root'
$svn_url = false
+$test = false
def log(text,level=0, exit=false)
return if $quiet or level > $verbose
when '--owner'; $svn_owner = arg.dup
when '--url'; $svn_url = arg.dup
when '--verbose'; $verbose += 1
+ when '--test'; $test = true
when '--version'; puts Version; exit
when '--help'; RDoc::usage
when '--quiet'; $quiet = true
exit 1
end
+if $test
+ log("running in test mode")
+end
+
$svn_url += "/" if $svn_url and not $svn_url.match(/\/$/)
if ($redmine_host.empty? or $repos_base.empty?)
yield if block_given?
else
uid, gid = Etc.getpwnam($svn_owner).uid, Etc.getgrnam(project.identifier).gid
- right = project.is_public ? 0575 : 0570
+ right = project.is_public ? 0775 : 0770
yield if block_given?
Find.find(repos_path) do |f|
File.chmod right, f
owner = owner_name(repos_path)
next if project.is_public == other_read and owner == $svn_owner
+ if $test
+ log("\tchange mode on #{repos_path}")
+ next
+ end
+
begin
set_owner_and_rights(project, repos_path)
rescue Errno::EPERM => e
log("\tmode change on #{repos_path}");
else
- project.is_public ? File.umask(0202) : File.umask(0207)
+ project.is_public ? File.umask(0002) : File.umask(0007)
+
+ if $test
+ log("\tcreate repository #{repos_path}")
+ log("\trepository #{repos_path} registered in Redmine with url #{$svn_url}#{project.identifier}") if $svn_url;
+ next
+ end
begin
set_owner_and_rights(project, repos_path) do
projects / redmine.git / commitdiff