summaryrefslogtreecommitdiffstats
path: root/extra
diff options
context:
space:
mode:
authorNicolas Chuche <nicolas.chuche@barna.be>2007-11-18 18:51:48 +0000
committerNicolas Chuche <nicolas.chuche@barna.be>2007-11-18 18:51:48 +0000
commita1f3497ec46881753fc13d25c3cd2cb344ae27d8 (patch)
tree94f6edeb8fa967d084870ce8e164a84dbeece4ad /extra
parent9c9ae217716304f7062fc31c2f4e4f8adafee2b1 (diff)
downloadredmine-a1f3497ec46881753fc13d25c3cd2cb344ae27d8.tar.gz
redmine-a1f3497ec46881753fc13d25c3cd2cb344ae27d8.zip
* add Redmine.pm to authenticate with mod_perl
* add a --test option in reposman.rb * change owner right to fit with apache write access to repositories * add a deprecated warning in reposman.pl git-svn-id: http://redmine.rubyforge.org/svn/trunk@916 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'extra')
-rw-r--r--extra/svn/Redmine.pm210
-rwxr-xr-xextra/svn/reposman.pl5
-rwxr-xr-xextra/svn/reposman.rb24
3 files changed, 237 insertions, 2 deletions
diff --git a/extra/svn/Redmine.pm b/extra/svn/Redmine.pm
new file mode 100644
index 000000000..7505b71cb
--- /dev/null
+++ b/extra/svn/Redmine.pm
@@ -0,0 +1,210 @@
+package Apache::Authn::Redmine;
+
+=head1 Apache::Authn::Redmine
+
+Redmine - a mod_perl module to authenticate webdav subversion users
+against redmine database
+
+=head1 SYNOPSIS
+
+This module allow anonymous users to browse public project and
+registred users to browse and commit their project. authentication is
+done on the redmine database.
+
+This method is far simpler than the one with pam_* and works with all
+database without an hassle but you need to have apache/mod_perl on the
+svn server.
+
+=head1 INSTALLATION
+
+For this to automagically work, you need to have a recent reposman.rb
+(after r860) and if you already use reposman, read the last section to
+migrate.
+
+Sorry ruby users but you need some perl modules, at least mod_perl2,
+DBI and DBD::mysql (or the DBD driver for you database as it should
+work on allmost all databases).
+
+On debian/ubuntu you must do :
+
+ aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl
+
+=head1 CONFIGURATION
+
+ ## if the module isn't in your perl path
+ PerlRequire /usr/local/apache/Redmine.pm
+ ## else
+ # PerlModule Apache::Authn::Redmine
+ <Location /svn>
+ DAV svn
+ SVNParentPath "/var/svn"
+
+ AuthType Basic
+ AuthName redmine
+ Require valid-user
+
+ PerlAccessHandler Apache::Authn::Redmine::access_handler
+ PerlAuthenHandler Apache::Authn::Redmine::authen_handler
+
+ ## for mysql
+ PerlSetVar dsn DBI:mysql:database=databasename;host=my.db.server
+ ## for postgres
+ # PerlSetVar dsn DBI:Pg:dbname=databasename;host=my.db.server
+
+ PerlSetVar db_user redmine
+ PerlSetVar db_pass password
+ </Location>
+
+To be able to browse repository inside redmine, you must add something
+like that :
+
+ <Location /svn-private>
+ DAV svn
+ SVNParentPath "/var/svn"
+ Order deny,allow
+ Deny from all
+ # only allow reading orders
+ <Limit GET PROPFIND OPTIONS REPORT>
+ Allow from redmine.server.ip
+ </Limit>
+ </Location>
+
+and you will have to use this reposman.rb command line to create repository :
+
+ reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/
+
+=head1 MIGRATION FROM OLDER RELEASES
+
+If you use an older reposman.rb (r860 or before), you need to change
+rights on repositories to allow the apache user to read and write
+S<them :>
+
+ sudo chown -R www-data /var/svn/*
+ sudo chmod -R u+w /var/svn/*
+
+And you need to upgrade at least reposman.rb (after r860).
+
+=cut
+
+use strict;
+
+use DBI;
+use Digest::SHA1;
+
+use Apache2::Module;
+use Apache2::Access;
+use Apache2::ServerRec qw();
+use Apache2::RequestRec qw();
+use Apache2::RequestUtil qw();
+use Apache2::Const qw(:common);
+# use Apache2::Directive qw();
+
+my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/;
+
+sub access_handler {
+ my $r = shift;
+
+ unless ($r->some_auth_required) {
+ $r->log_reason("No authentication has been configured");
+ return FORBIDDEN;
+ }
+
+ my $method = $r->method;
+ return OK unless 1 == $read_only_methods{$method};
+
+ my $project_id = get_project_identifier($r);
+
+ $r->set_handlers(PerlAuthenHandler => [\&OK])
+ if is_public_project($project_id, $r);
+
+ return OK
+}
+
+sub authen_handler {
+ my $r = shift;
+
+ my ($res, $redmine_pass) = $r->get_basic_auth_pw();
+ return $res unless $res == OK;
+
+ if (is_member($r->user, $redmine_pass, $r)) {
+ return OK;
+ } else {
+ $r->note_auth_failure();
+ return AUTH_REQUIRED;
+ }
+}
+
+sub is_public_project {
+ my $project_id = shift;
+ my $r = shift;
+
+ my $dbh = connect_database($r);
+ my $sth = $dbh->prepare(
+ "SELECT * FROM projects WHERE projects.identifier=? and projects.is_public=true;"
+ );
+
+ $sth->execute($project_id);
+ my $ret = $sth->fetchrow_array ? 1 : 0;
+ $dbh->disconnect();
+
+ $ret;
+}
+
+# perhaps we should use repository right (other read right) to check public access.
+# it could be faster BUT it doesn't work for the moment.
+# sub is_public_project_by_file {
+# my $project_id = shift;
+# my $r = shift;
+
+# my $tree = Apache2::Directive::conftree();
+# my $node = $tree->lookup('Location', $r->location);
+# my $hash = $node->as_hash;
+
+# my $svnparentpath = $hash->{SVNParentPath};
+# my $repos_path = $svnparentpath . "/" . $project_id;
+# return 1 if (stat($repos_path))[2] & 00007;
+# }
+
+sub is_member {
+ my $redmine_user = shift;
+ my $redmine_pass = shift;
+ my $r = shift;
+
+ my $dbh = connect_database($r);
+ my $project_id = get_project_identifier($r);
+
+ my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);
+
+ my $sth = $dbh->prepare(
+ "SELECT hashed_password FROM members, projects, users WHERE projects.id=members.project_id AND users.id=members.user_id AND login=? AND identifier=?;"
+ );
+ $sth->execute($redmine_user, $project_id);
+
+ my $ret;
+ while (my @row = $sth->fetchrow_array) {
+ if ($row[0] eq $pass_digest) {
+ $ret = 1;
+ last;
+ }
+ }
+ $dbh->disconnect();
+
+ $ret;
+}
+
+sub get_project_identifier {
+ my $r = shift;
+
+ my $location = $r->location;
+ my ($identifier) = $r->uri =~ m{$location/*([^/]+)};
+ $identifier;
+}
+
+sub connect_database {
+ my $r = shift;
+
+ my ($dsn, $db_user, $db_pass) = map { $r->dir_config($_) } qw/dsn db_user db_pass/;
+ return DBI->connect($dsn, $db_user, $db_pass);
+}
+
+1;
diff --git a/extra/svn/reposman.pl b/extra/svn/reposman.pl
index bee800b8b..b8ce8f8af 100755
--- a/extra/svn/reposman.pl
+++ b/extra/svn/reposman.pl
@@ -23,6 +23,11 @@ use vars qw/$VERSION/;
$VERSION = "1.0";
+my $warning = "This program is now deprecated. Use the reposman.rb for new features";
+print STDERR "*" x length($warning), "\n",
+ $warning, "\n",
+ "*" x length($warning), "\n\n";
+
my %opts = (verbose => 0);
GetOptions(\%opts, 'verbose|v+', 'version|V', 'help|h', 'man|m', 'quiet|q', 'svn-dir|s=s', 'redmine-host|r=s') or pod2usage(2);
diff --git a/extra/svn/reposman.rb b/extra/svn/reposman.rb
index d950f45e4..729970406 100755
--- a/extra/svn/reposman.rb
+++ b/extra/svn/reposman.rb
@@ -37,6 +37,8 @@
# -u file:///var/svn/ # if the repository is local
# if this option isn't set, reposman won't register the repository
#
+# -t, --test
+# only show what should be done
#
# -h, --help:
# show help and exit
@@ -64,6 +66,7 @@ opts = GetoptLong.new(
['--redmine-host', '-r', GetoptLong::REQUIRED_ARGUMENT],
['--owner', '-o', GetoptLong::REQUIRED_ARGUMENT],
['--url', '-u', GetoptLong::REQUIRED_ARGUMENT],
+ ['--test', '-t', GetoptLong::NO_ARGUMENT],
['--verbose', '-v', GetoptLong::NO_ARGUMENT],
['--version', '-V', GetoptLong::NO_ARGUMENT],
['--help' , '-h', GetoptLong::NO_ARGUMENT],
@@ -76,6 +79,7 @@ $redmine_host = ''
$repos_base = ''
$svn_owner = 'root'
$svn_url = false
+$test = false
def log(text,level=0, exit=false)
return if $quiet or level > $verbose
@@ -91,6 +95,7 @@ begin
when '--owner'; $svn_owner = arg.dup
when '--url'; $svn_url = arg.dup
when '--verbose'; $verbose += 1
+ when '--test'; $test = true
when '--version'; puts Version; exit
when '--help'; RDoc::usage
when '--quiet'; $quiet = true
@@ -100,6 +105,10 @@ rescue
exit 1
end
+if $test
+ log("running in test mode")
+end
+
$svn_url += "/" if $svn_url and not $svn_url.match(/\/$/)
if ($redmine_host.empty? or $repos_base.empty?)
@@ -136,7 +145,7 @@ def set_owner_and_rights(project, repos_path, &block)
yield if block_given?
else
uid, gid = Etc.getpwnam($svn_owner).uid, Etc.getgrnam(project.identifier).gid
- right = project.is_public ? 0575 : 0570
+ right = project.is_public ? 0775 : 0770
yield if block_given?
Find.find(repos_path) do |f|
File.chmod right, f
@@ -176,6 +185,11 @@ projects.each do |project|
owner = owner_name(repos_path)
next if project.is_public == other_read and owner == $svn_owner
+ if $test
+ log("\tchange mode on #{repos_path}")
+ next
+ end
+
begin
set_owner_and_rights(project, repos_path)
rescue Errno::EPERM => e
@@ -186,7 +200,13 @@ projects.each do |project|
log("\tmode change on #{repos_path}");
else
- project.is_public ? File.umask(0202) : File.umask(0207)
+ project.is_public ? File.umask(0002) : File.umask(0007)
+
+ if $test
+ log("\tcreate repository #{repos_path}")
+ log("\trepository #{repos_path} registered in Redmine with url #{$svn_url}#{project.identifier}") if $svn_url;
+ next
+ end
begin
set_owner_and_rights(project, repos_path) do