jro_apps/redmine Commit - r7693:2beeae00a23a

1

package Apache::Authn::Redmine;

1

package Apache::Authn::Redmine;

2

3

=head1 Apache::Authn::Redmine

3

=head1 Apache::Authn::Redmine

4

5

Redmine - a mod_perl module to authenticate webdav subversion users

5

Redmine - a mod_perl module to authenticate webdav subversion users

6

against redmine database

6

against redmine database

7

8

=head1 SYNOPSIS

8

=head1 SYNOPSIS

9

10

This module allow anonymous users to browse public project and

10

This module allow anonymous users to browse public project and

11

registred users to browse and commit their project. Authentication is

11

registred users to browse and commit their project. Authentication is

12

done against the redmine database or the LDAP configured in redmine.

12

done against the redmine database or the LDAP configured in redmine.

13

14

This method is far simpler than the one with pam_* and works with all

14

This method is far simpler than the one with pam_* and works with all

15

database without an hassle but you need to have apache/mod_perl on the

15

database without an hassle but you need to have apache/mod_perl on the

16

svn server.

16

svn server.

17

18

=head1 INSTALLATION

18

=head1 INSTALLATION

19

20

For this to automagically work, you need to have a recent reposman.rb

20

For this to automagically work, you need to have a recent reposman.rb

21

(after r860) and if you already use reposman, read the last section to

21

(after r860) and if you already use reposman, read the last section to

22

migrate.

22

migrate.

23

24

Sorry ruby users but you need some perl modules, at least mod_perl2,

24

Sorry ruby users but you need some perl modules, at least mod_perl2,

25

DBI and DBD::mysql (or the DBD driver for you database as it should

25

DBI and DBD::mysql (or the DBD driver for you database as it should

26

work on allmost all databases).

26

work on allmost all databases).

27

28

On debian/ubuntu you must do :

28

On debian/ubuntu you must do :

29

30

aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl

30

aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl

31

32

If your Redmine users use LDAP authentication, you will also need

32

If your Redmine users use LDAP authentication, you will also need

33

Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):

33

Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):

34

35

aptitude install libauthen-simple-ldap-perl libio-socket-ssl-perl

35

aptitude install libauthen-simple-ldap-perl libio-socket-ssl-perl

36

37

=head1 CONFIGURATION

37

=head1 CONFIGURATION

38

39

## This module has to be in your perl path

39

## This module has to be in your perl path

40

## eg: /usr/lib/perl5/Apache/Authn/Redmine.pm

40

## eg: /usr/lib/perl5/Apache/Authn/Redmine.pm

41

PerlLoadModule Apache::Authn::Redmine

41

PerlLoadModule Apache::Authn::Redmine

42

42

43

DAV svn

43

DAV svn

44

SVNParentPath "/var/svn"

44

SVNParentPath "/var/svn"

45

46

AuthType Basic

46

AuthType Basic

47

AuthName redmine

47

AuthName redmine

48

Require valid-user

48

Require valid-user

49

50

PerlAccessHandler Apache::Authn::Redmine::access_handler

50

PerlAccessHandler Apache::Authn::Redmine::access_handler

51

PerlAuthenHandler Apache::Authn::Redmine::authen_handler

51

PerlAuthenHandler Apache::Authn::Redmine::authen_handler

52

53

## for mysql

53

## for mysql

54

RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"

54

RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"

55

## for postgres

55

## for postgres

56

# RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"

56

# RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"

57

58

RedmineDbUser "redmine"

58

RedmineDbUser "redmine"

59

RedmineDbPass "password"

59

RedmineDbPass "password"

60

## Optional where clause (fulltext search would be slow and

60

## Optional where clause (fulltext search would be slow and

61

## database dependant).

61

## database dependant).

62

# RedmineDbWhereClause "and members.role_id IN (1,2)"

62

# RedmineDbWhereClause "and members.role_id IN (1,2)"

63

## Optional credentials cache size

63

## Optional credentials cache size

64

# RedmineCacheCredsMax 50

64

# RedmineCacheCredsMax 50

65

</Location>

65

</Location>

66

67

To be able to browse repository inside redmine, you must add something

67

To be able to browse repository inside redmine, you must add something

68

like that :

68

like that :

69

70

70

71

DAV svn

71

DAV svn

72

SVNParentPath "/var/svn"

72

SVNParentPath "/var/svn"

73

Order deny,allow

73

Order deny,allow

74

Deny from all

74

Deny from all

75

# only allow reading orders

75

# only allow reading orders

76

76

77

Allow from redmine.server.ip

77

Allow from redmine.server.ip

78

</Limit>

78

</Limit>

79

</Location>

79

</Location>

80

81

and you will have to use this reposman.rb command line to create repository :

81

and you will have to use this reposman.rb command line to create repository :

82

83

reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/

83

reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/

84

85

=head1 MIGRATION FROM OLDER RELEASES

85

=head1 MIGRATION FROM OLDER RELEASES

86

87

If you use an older reposman.rb (r860 or before), you need to change

87

If you use an older reposman.rb (r860 or before), you need to change

88

rights on repositories to allow the apache user to read and write

88

rights on repositories to allow the apache user to read and write

89

S<them :>

89

S<them :>

90

91

sudo chown -R www-data /var/svn/*

91

sudo chown -R www-data /var/svn/*

92

sudo chmod -R u+w /var/svn/*

92

sudo chmod -R u+w /var/svn/*

93

94

And you need to upgrade at least reposman.rb (after r860).

94

And you need to upgrade at least reposman.rb (after r860).

95

96

=cut

96

=cut

97

98

use strict;

98

use strict;

99

use warnings FATAL => 'all', NONFATAL => 'redefine';

99

use warnings FATAL => 'all', NONFATAL => 'redefine';

100

101

use DBI;

101

use DBI;

102

use Digest::SHA1;

102

use Digest::SHA1;

103

# optional module for LDAP authentication

103

# optional module for LDAP authentication

104

my $CanUseLDAPAuth = eval("use Authen::Simple::LDAP; 1");

104

my $CanUseLDAPAuth = eval("use Authen::Simple::LDAP; 1");

105

106

use Apache2::Module;

106

use Apache2::Module;

107

use Apache2::Access;

107

use Apache2::Access;

108

use Apache2::ServerRec qw();

108

use Apache2::ServerRec qw();

109

use Apache2::RequestRec qw();

109

use Apache2::RequestRec qw();

110

use Apache2::RequestUtil qw();

110

use Apache2::RequestUtil qw();

111

use Apache2::Const qw(:common :override :cmd_how);

111

use Apache2::Const qw(:common :override :cmd_how);

112

use APR::Pool ();

112

use APR::Pool ();

113

use APR::Table ();

113

use APR::Table ();

114

115

# use Apache2::Directive qw();

115

# use Apache2::Directive qw();

116

117

my @directives = (

117

my @directives = (

118

{

118

{

119

name => 'RedmineDSN',

119

name => 'RedmineDSN',

120

req_override => OR_AUTHCFG,

120

req_override => OR_AUTHCFG,

121

args_how => TAKE1,

121

args_how => TAKE1,

122

errmsg => 'Dsn in format used by Perl DBI. eg: "DBI:Pg:dbname=databasename;host=my.db.server"',

122

errmsg => 'Dsn in format used by Perl DBI. eg: "DBI:Pg:dbname=databasename;host=my.db.server"',

123

},

123

},

124

{

124

{

125

name => 'RedmineDbUser',

125

name => 'RedmineDbUser',

126

req_override => OR_AUTHCFG,

126

req_override => OR_AUTHCFG,

127

args_how => TAKE1,

127

args_how => TAKE1,

128

},

128

},

129

{

129

{

130

name => 'RedmineDbPass',

130

name => 'RedmineDbPass',

131

req_override => OR_AUTHCFG,

131

req_override => OR_AUTHCFG,

132

args_how => TAKE1,

132

args_how => TAKE1,

133

},

133

},

134

{

134

{

135

name => 'RedmineDbWhereClause',

135

name => 'RedmineDbWhereClause',

136

req_override => OR_AUTHCFG,

136

req_override => OR_AUTHCFG,

137

args_how => TAKE1,

137

args_how => TAKE1,

138

},

138

},

139

{

139

{

140

name => 'RedmineCacheCredsMax',

140

name => 'RedmineCacheCredsMax',

141

req_override => OR_AUTHCFG,

141

req_override => OR_AUTHCFG,

142

args_how => TAKE1,

142

args_how => TAKE1,

143

errmsg => 'RedmineCacheCredsMax must be decimal number',

143

errmsg => 'RedmineCacheCredsMax must be decimal number',

144

},

144

},

145

);

145

);

146

147

sub RedmineDSN {

147

sub RedmineDSN {

148

my ($self, $parms, $arg) = @_;

148

my ($self, $parms, $arg) = @_;

149

$self->{RedmineDSN} = $arg;

149

$self->{RedmineDSN} = $arg;

150

my $query = "SELECT

150

my $query = "SELECT

151

hashed_password, salt, auth_source_id, permissions

151

hashed_password, salt, auth_source_id, permissions

152

FROM members, projects, users, roles, member_roles

152

FROM members, projects, users, roles, member_roles

153

WHERE

153

WHERE

154

projects.id=members.project_id

154

projects.id=members.project_id

155

AND member_roles.member_id=members.id

155

AND member_roles.member_id=members.id

156

AND users.id=members.user_id

156

AND users.id=members.user_id

157

AND roles.id=member_roles.role_id

157

AND roles.id=member_roles.role_id

158

AND users.status=1

158

AND users.status=1

159

AND login=?

159

AND login=?

160

AND identifier=? ";

160

AND identifier=? ";

161

$self->{RedmineQuery} = trim($query);

161

$self->{RedmineQuery} = trim($query);

162

}

162

}

163

164

sub RedmineDbUser { set_val('RedmineDbUser', @_); }

164

sub RedmineDbUser { set_val('RedmineDbUser', @_); }

165

sub RedmineDbPass { set_val('RedmineDbPass', @_); }

165

sub RedmineDbPass { set_val('RedmineDbPass', @_); }

166

sub RedmineDbWhereClause {

166

sub RedmineDbWhereClause {

167

my ($self, $parms, $arg) = @_;

167

my ($self, $parms, $arg) = @_;

168

$self->{RedmineQuery} = trim($self->{RedmineQuery}.($arg ? $arg : "")." ");

168

$self->{RedmineQuery} = trim($self->{RedmineQuery}.($arg ? $arg : "")." ");

169

}

169

}

170

171

sub RedmineCacheCredsMax {

171

sub RedmineCacheCredsMax {

172

my ($self, $parms, $arg) = @_;

172

my ($self, $parms, $arg) = @_;

173

if ($arg) {

173

if ($arg) {

174

$self->{RedmineCachePool} = APR::Pool->new;

174

$self->{RedmineCachePool} = APR::Pool->new;

175

$self->{RedmineCacheCreds} = APR::Table::make($self->{RedmineCachePool}, $arg);

175

$self->{RedmineCacheCreds} = APR::Table::make($self->{RedmineCachePool}, $arg);

176

$self->{RedmineCacheCredsCount} = 0;

176

$self->{RedmineCacheCredsCount} = 0;

177

$self->{RedmineCacheCredsMax} = $arg;

177

$self->{RedmineCacheCredsMax} = $arg;

178

}

178

}

179

}

179

}

180

181

sub trim {

181

sub trim {

182

my $string = shift;

182

my $string = shift;

183

$string =~ s/\s{2,}/ /g;

183

$string =~ s/\s{2,}/ /g;

184

return $string;

184

return $string;

185

}

185

}

186

187

sub set_val {

187

sub set_val {

188

my ($key, $self, $parms, $arg) = @_;

188

my ($key, $self, $parms, $arg) = @_;

189

$self->{$key} = $arg;

189

$self->{$key} = $arg;

190

}

190

}

191

192

Apache2::Module::add(__PACKAGE__, \@directives);

192

Apache2::Module::add(__PACKAGE__, \@directives);

193

194

195

my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/;

195

my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/;

196

197

sub access_handler {

197

sub access_handler {

198

my $r = shift;

198

my $r = shift;

199

200

unless ($r->some_auth_required) {

200

unless ($r->some_auth_required) {

201

$r->log_reason("No authentication has been configured");

201

$r->log_reason("No authentication has been configured");

202

return FORBIDDEN;

202

return FORBIDDEN;

203

}

203

}

204

205

my $method = $r->method;

205

my $method = $r->method;

206

return OK unless defined $read_only_methods{$method};

206

return OK unless defined $read_only_methods{$method};

207

208

return OK if is_authentication_forced($r);

209

207

210

my $project_id = get_project_identifier($r);

208

my $project_id = get_project_identifier($r);

211

209

212

$r->set_handlers(PerlAuthenHandler => [\&OK])

210

$r->set_handlers(PerlAuthenHandler => [\&OK])

213

if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);

211

if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);

214

212

215

return OK

213

return OK

216

}

214

}

217

215

218

sub authen_handler {

216

sub authen_handler {

219

my $r = shift;

217

my $r = shift;

220

218

221

my ($res, $redmine_pass) = $r->get_basic_auth_pw();

219

my ($res, $redmine_pass) = $r->get_basic_auth_pw();

222

return $res unless $res == OK;

220

return $res unless $res == OK;

223

221

224

my $project_id = get_project_identifier($r);

225

my $method = $r->method;

226

if (defined $read_only_methods{$method} && is_public_project($project_id, $r) && non_member_role_allows_browse_repository($r)) {

227

return OK;

228

}

229

230

if (is_member($r->user, $redmine_pass, $r)) {

222

if (is_member($r->user, $redmine_pass, $r)) {

231

return OK;

223

return OK;

232

} else {

224

} else {

233

$r->note_auth_failure();

225

$r->note_auth_failure();

234

return AUTH_REQUIRED;

226

return AUTH_REQUIRED;

235

}

227

}

236

}

228

}

237

229

238

# check if authentication is forced

230

# check if authentication is forced

239

sub is_authentication_forced {

231

sub is_authentication_forced {

240

my $r = shift;

232

my $r = shift;

241

233

242

my $dbh = connect_database($r);

234

my $dbh = connect_database($r);

243

my $sth = $dbh->prepare(

235

my $sth = $dbh->prepare(

244

"SELECT value FROM settings where settings.name = 'login_required';"

236

"SELECT value FROM settings where settings.name = 'login_required';"

245

);

237

);

246

238

247

$sth->execute();

239

$sth->execute();

248

my $ret = 0;

240

my $ret = 0;

249

if (my @row = $sth->fetchrow_array) {

241

if (my @row = $sth->fetchrow_array) {

250

if ($row[0] eq "1" || $row[0] eq "t") {

242

if ($row[0] eq "1" || $row[0] eq "t") {

251

$ret = 1;

243

$ret = 1;

252

}

244

}

253

}

245

}

254

$sth->finish();

246

$sth->finish();

255

undef $sth;

247

undef $sth;

256

248

257

$dbh->disconnect();

249

$dbh->disconnect();

258

undef $dbh;

250

undef $dbh;

259

251

260

$ret;

252

$ret;

261

}

253

}

262

254

263

sub is_public_project {

255

sub is_public_project {

264

my $project_id = shift;

256

my $project_id = shift;

265

my $r = shift;

257

my $r = shift;

258

259

if (is_authentication_forced($r)) {

260

return 0;

261

}

266

262

267

my $dbh = connect_database($r);

263

my $dbh = connect_database($r);

268

my $sth = $dbh->prepare(

264

my $sth = $dbh->prepare(

269

"SELECT is_public FROM projects WHERE projects.identifier = ?;"

265

"SELECT is_public FROM projects WHERE projects.identifier = ?;"

270

);

266

);

271

267

272

$sth->execute($project_id);

268

$sth->execute($project_id);

273

my $ret = 0;

269

my $ret = 0;

274

if (my @row = $sth->fetchrow_array) {

270

if (my @row = $sth->fetchrow_array) {

275

if ($row[0] eq "1" || $row[0] eq "t") {

271

if ($row[0] eq "1" || $row[0] eq "t") {

276

$ret = 1;

272

$ret = 1;

277

}

273

}

278

}

274

}

279

$sth->finish();

275

$sth->finish();

280

undef $sth;

276

undef $sth;

281

$dbh->disconnect();

277

$dbh->disconnect();

282

undef $dbh;

278

undef $dbh;

283

279

284

$ret;

280

$ret;

285

}

281

}

286

282

287

sub ~~system~~_role_allows_browse_repository {

283

sub anonymous_role_allows_browse_repository {

288

my $r = shift;

284

my $r = shift;

289

my $system_role = shift;

290

285

291

my $dbh = connect_database($r);

286

my $dbh = connect_database($r);

292

my $sth = $dbh->prepare(

287

my $sth = $dbh->prepare(

293

"SELECT permissions FROM roles WHERE builtin = ?;"

288

"SELECT permissions FROM roles WHERE builtin = 2;"

294

);

289

);

295

290

296

$sth->execute(~~$system_role~~);

291

$sth->execute();

297

my $ret = 0;

292

my $ret = 0;

298

if (my @row = $sth->fetchrow_array) {

293

if (my @row = $sth->fetchrow_array) {

299

if ($row[0] =~ /:browse_repository/) {

294

if ($row[0] =~ /:browse_repository/) {

300

$ret = 1;

295

$ret = 1;

301

}

296

}

302

}

297

}

303

$sth->finish();

298

$sth->finish();

304

undef $sth;

299

undef $sth;

305

$dbh->disconnect();

300

$dbh->disconnect();

306

undef $dbh;

301

undef $dbh;

307

302

308

$ret;

303

$ret;

309

}

304

}

310

305

311

sub non_member_role_allows_browse_repository {

312

my $r = shift;

313

my $ret = system_role_allows_browse_repository($r, 1);

314

$ret;

315

}

316

317

sub anonymous_role_allows_browse_repository {

318

my $r = shift;

319

my $ret = system_role_allows_browse_repository($r, 2);

320

$ret;

321

}

322

323

# perhaps we should use repository right (other read right) to check public access.

306

# perhaps we should use repository right (other read right) to check public access.

324

# it could be faster BUT it doesn't work for the moment.

307

# it could be faster BUT it doesn't work for the moment.

325

# sub is_public_project_by_file {

308

# sub is_public_project_by_file {

326

# my $project_id = shift;

309

# my $project_id = shift;

327

# my $r = shift;

310

# my $r = shift;

328

311

329

# my $tree = Apache2::Directive::conftree();

312

# my $tree = Apache2::Directive::conftree();

330

# my $node = $tree->lookup('Location', $r->location);

313

# my $node = $tree->lookup('Location', $r->location);

331

# my $hash = $node->as_hash;

314

# my $hash = $node->as_hash;

332

315

333

# my $svnparentpath = $hash->{SVNParentPath};

316

# my $svnparentpath = $hash->{SVNParentPath};

334

# my $repos_path = $svnparentpath . "/" . $project_id;

317

# my $repos_path = $svnparentpath . "/" . $project_id;

335

# return 1 if (stat($repos_path))[2] & 00007;

318

# return 1 if (stat($repos_path))[2] & 00007;

336

# }

319

# }

337

320

338

sub is_member {

321

sub is_member {

339

my $redmine_user = shift;

322

my $redmine_user = shift;

340

my $redmine_pass = shift;

323

my $redmine_pass = shift;

341

my $r = shift;

324

my $r = shift;

342

325

343

my $dbh = connect_database($r);

326

my $dbh = connect_database($r);

344

my $project_id = get_project_identifier($r);

327

my $project_id = get_project_identifier($r);

345

328

346

my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);

329

my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);

347

330

348

my $access_mode = defined $read_only_methods{$r->method} ? "R" : "W";

331

my $access_mode = defined $read_only_methods{$r->method} ? "R" : "W";

349

332

350

my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);

333

my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);

351

my $usrprojpass;

334

my $usrprojpass;

352

if ($cfg->{RedmineCacheCredsMax}) {

335

if ($cfg->{RedmineCacheCredsMax}) {

353

$usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode);

336

$usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode);

354

return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));

337

return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));

355

}

338

}

356

my $query = $cfg->{RedmineQuery};

339

my $query = $cfg->{RedmineQuery};

357

my $sth = $dbh->prepare($query);

340

my $sth = $dbh->prepare($query);

358

$sth->execute($redmine_user, $project_id);

341

$sth->execute($redmine_user, $project_id);

359

342

360

my $ret;

343

my $ret;

361

while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) {

344

while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) {

362

345

363

unless ($auth_source_id) {

346

unless ($auth_source_id) {

364

my $method = $r->method;

347

my $method = $r->method;

365

my $salted_password = Digest::SHA1::sha1_hex($salt.$pass_digest);

348

my $salted_password = Digest::SHA1::sha1_hex($salt.$pass_digest);

366

if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {

349

if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {

367

$ret = 1;

350

$ret = 1;

368

last;

351

last;

369

}

352

}

370

} elsif ($CanUseLDAPAuth) {

353

} elsif ($CanUseLDAPAuth) {

371

my $sthldap = $dbh->prepare(

354

my $sthldap = $dbh->prepare(

372

"SELECT host,port,tls,account,account_password,base_dn,attr_login from auth_sources WHERE id = ?;"

355

"SELECT host,port,tls,account,account_password,base_dn,attr_login from auth_sources WHERE id = ?;"

373

);

356

);

374

$sthldap->execute($auth_source_id);

357

$sthldap->execute($auth_source_id);

375

while (my @rowldap = $sthldap->fetchrow_array) {

358

while (my @rowldap = $sthldap->fetchrow_array) {

376

my $ldap = Authen::Simple::LDAP->new(

359

my $ldap = Authen::Simple::LDAP->new(

377

host => ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]:$rowldap[1]" : $rowldap[0],

360

host => ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]:$rowldap[1]" : $rowldap[0],

378

port => $rowldap[1],

361

port => $rowldap[1],

379

basedn => $rowldap[5],

362

basedn => $rowldap[5],

380

binddn => $rowldap[3] ? $rowldap[3] : "",

363

binddn => $rowldap[3] ? $rowldap[3] : "",

381

bindpw => $rowldap[4] ? $rowldap[4] : "",

364

bindpw => $rowldap[4] ? $rowldap[4] : "",

382

filter => "(".$rowldap[6]."=%s)"

365

filter => "(".$rowldap[6]."=%s)"

383

);

366

);

384

my $method = $r->method;

367

my $method = $r->method;

385

$ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));

368

$ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));

386

369

387

}

370

}

388

$sthldap->finish();

371

$sthldap->finish();

389

undef $sthldap;

372

undef $sthldap;

390

}

373

}

391

}

374

}

392

$sth->finish();

375

$sth->finish();

393

undef $sth;

376

undef $sth;

394

$dbh->disconnect();

377

$dbh->disconnect();

395

undef $dbh;

378

undef $dbh;

396

379

397

if ($cfg->{RedmineCacheCredsMax} and $ret) {

380

if ($cfg->{RedmineCacheCredsMax} and $ret) {

398

if (defined $usrprojpass) {

381

if (defined $usrprojpass) {

399

$cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);

382

$cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);

400

} else {

383

} else {

401

if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) {

384

if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) {

402

$cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);

385

$cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);

403

$cfg->{RedmineCacheCredsCount}++;

386

$cfg->{RedmineCacheCredsCount}++;

404

} else {

387

} else {

405

$cfg->{RedmineCacheCreds}->clear();

388

$cfg->{RedmineCacheCreds}->clear();

406

$cfg->{RedmineCacheCredsCount} = 0;

389

$cfg->{RedmineCacheCredsCount} = 0;

407

}

390

}

408

}

391

}

409

}

392

}

410

393

411

$ret;

394

$ret;

412

}

395

}

413

396

414

sub get_project_identifier {

397

sub get_project_identifier {

415

my $r = shift;

398

my $r = shift;

416

399

417

my $location = $r->location;

400

my $location = $r->location;

418

my ($identifier) = $r->uri =~ m{$location/*([^/]+)};

401

my ($identifier) = $r->uri =~ m{$location/*([^/]+)};

419

$identifier;

402

$identifier;

420

}

403

}

421

404

422

sub connect_database {

405

sub connect_database {

423

my $r = shift;

406

my $r = shift;

424

407

425

my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);

408

my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);

426

return DBI->connect($cfg->{RedmineDSN}, $cfg->{RedmineDbUser}, $cfg->{RedmineDbPass});

409

return DBI->connect($cfg->{RedmineDSN}, $cfg->{RedmineDbUser}, $cfg->{RedmineDbPass});

427

}

410

}

428

411

429

1;

412

1;

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             package Apache::Authn::Redmine;
             =head1 Apache::Authn::Redmine
             Redmine - a mod_perl module to authenticate webdav subversion users
             against redmine database
             =head1 SYNOPSIS
             This module allow anonymous users to browse public project and
             registred users to browse and commit their project. Authentication is
             done against the redmine database or the LDAP configured in redmine.
             This method is far simpler than the one with pam_* and works with all
             database without an hassle but you need to have apache/mod_perl on the
             svn server.
             =head1 INSTALLATION
             For this to automagically work, you need to have a recent reposman.rb
             (after r860) and if you already use reposman, read the last section to
             migrate.
             Sorry ruby users but you need some perl modules, at least mod_perl2,
             DBI and DBD::mysql (or the DBD driver for you database as it should
             work on allmost all databases).
             On debian/ubuntu you must do :
               aptitude install libapache-dbi-perl libapache2-mod-perl2 libdbd-mysql-perl
             If your Redmine users use LDAP authentication, you will also need
             Authen::Simple::LDAP (and IO::Socket::SSL if LDAPS is used):
               aptitude install libauthen-simple-ldap-perl libio-socket-ssl-perl
             =head1 CONFIGURATION
                ## This module has to be in your perl path
                ## eg:  /usr/lib/perl5/Apache/Authn/Redmine.pm
                PerlLoadModule Apache::Authn::Redmine
                <Location /svn>
                  DAV svn
                  SVNParentPath "/var/svn"
                  AuthType Basic
                  AuthName redmine
                  Require valid-user
                  PerlAccessHandler Apache::Authn::Redmine::access_handler
                  PerlAuthenHandler Apache::Authn::Redmine::authen_handler
                  ## for mysql
                  RedmineDSN "DBI:mysql:database=databasename;host=my.db.server"
                  ## for postgres
                  # RedmineDSN "DBI:Pg:dbname=databasename;host=my.db.server"
                  RedmineDbUser "redmine"
                  RedmineDbPass "password"
                  ## Optional where clause (fulltext search would be slow and
                  ## database dependant).
                  # RedmineDbWhereClause "and members.role_id IN (1,2)"
                  ## Optional credentials cache size
                  # RedmineCacheCredsMax 50
               </Location>
             To be able to browse repository inside redmine, you must add something
             like that :
                <Location /svn-private>
                  DAV svn
                  SVNParentPath "/var/svn"
                  Order deny,allow
                  Deny from all
                  # only allow reading orders
                  <Limit GET PROPFIND OPTIONS REPORT>
                    Allow from redmine.server.ip
                  </Limit>
                </Location>
             and you will have to use this reposman.rb command line to create repository :
               reposman.rb --redmine my.redmine.server --svn-dir /var/svn --owner www-data -u http://svn.server/svn-private/
             =head1 MIGRATION FROM OLDER RELEASES
             If you use an older reposman.rb (r860 or before), you need to change
             rights on repositories to allow the apache user to read and write
             S<them :>
               sudo chown -R www-data /var/svn/*
               sudo chmod -R u+w /var/svn/*
             And you need to upgrade at least reposman.rb (after r860).
             =cut
             use strict;
             use warnings FATAL => 'all', NONFATAL => 'redefine';
             use DBI;
             use Digest::SHA1;
             # optional module for LDAP authentication
             my $CanUseLDAPAuth = eval("use Authen::Simple::LDAP; 1");
             use Apache2::Module;
             use Apache2::Access;
             use Apache2::ServerRec qw();
             use Apache2::RequestRec qw();
             use Apache2::RequestUtil qw();
             use Apache2::Const qw(:common :override :cmd_how);
             use APR::Pool ();
             use APR::Table ();
             # use Apache2::Directive qw();
             my @directives = (
               {
                 name => 'RedmineDSN',
                 req_override => OR_AUTHCFG,
                 args_how => TAKE1,
                 errmsg => 'Dsn in format used by Perl DBI. eg: "DBI:Pg:dbname=databasename;host=my.db.server"',
               },
               {
                 name => 'RedmineDbUser',
                 req_override => OR_AUTHCFG,
                 args_how => TAKE1,
               },
               {
                 name => 'RedmineDbPass',
                 req_override => OR_AUTHCFG,
                 args_how => TAKE1,
               },
               {
                 name => 'RedmineDbWhereClause',
                 req_override => OR_AUTHCFG,
                 args_how => TAKE1,
               },
               {
                 name => 'RedmineCacheCredsMax',
                 req_override => OR_AUTHCFG,
                 args_how => TAKE1,
                 errmsg => 'RedmineCacheCredsMax must be decimal number',
               },
             );
             sub RedmineDSN {
               my ($self, $parms, $arg) = @_;
               $self->{RedmineDSN} = $arg;
               my $query = "SELECT
                              hashed_password, salt, auth_source_id, permissions
                           FROM members, projects, users, roles, member_roles
                           WHERE
                             projects.id=members.project_id
                             AND member_roles.member_id=members.id
                             AND users.id=members.user_id
                             AND roles.id=member_roles.role_id
                             AND users.status=1
                             AND login=?
                             AND identifier=? ";
               $self->{RedmineQuery} = trim($query);
             }
             sub RedmineDbUser { set_val('RedmineDbUser', @_); }
             sub RedmineDbPass { set_val('RedmineDbPass', @_); }
             sub RedmineDbWhereClause {
               my ($self, $parms, $arg) = @_;
               $self->{RedmineQuery} = trim($self->{RedmineQuery}.($arg ? $arg : "")." ");
             }
             sub RedmineCacheCredsMax {
               my ($self, $parms, $arg) = @_;
               if ($arg) {
                 $self->{RedmineCachePool} = APR::Pool->new;
                 $self->{RedmineCacheCreds} = APR::Table::make($self->{RedmineCachePool}, $arg);
                 $self->{RedmineCacheCredsCount} = 0;
                 $self->{RedmineCacheCredsMax} = $arg;
               }
             }
             sub trim {
               my $string = shift;
               $string =~ s/\s{2,}/ /g;
               return $string;
             }
             sub set_val {
               my ($key, $self, $parms, $arg) = @_;
               $self->{$key} = $arg;
             }
             Apache2::Module::add(__PACKAGE__, \@directives);
             my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/;
             sub access_handler {
               my $r = shift;
               unless ($r->some_auth_required) {
                   $r->log_reason("No authentication has been configured");
                   return FORBIDDEN;
               }
               my $method = $r->method;
               return OK unless defined $read_only_methods{$method};
-              return OK if is_authentication_forced($r);
               my $project_id = get_project_identifier($r);
               $r->set_handlers(PerlAuthenHandler => [\&OK])
                   if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
               return OK
             }
             sub authen_handler {
               my $r = shift;
               my ($res, $redmine_pass) =  $r->get_basic_auth_pw();
               return $res unless $res == OK;
-              my $project_id = get_project_identifier($r);
-              my $method = $r->method;
-              if (defined $read_only_methods{$method} && is_public_project($project_id, $r) && non_member_role_allows_browse_repository($r)) {
-                  return OK;
               if (is_member($r->user, $redmine_pass, $r)) {
                   return OK;
               } else {
                   $r->note_auth_failure();
                   return AUTH_REQUIRED;
               }
             }
             # check if authentication is forced
             sub is_authentication_forced {
               my $r = shift;
               my $dbh = connect_database($r);
               my $sth = $dbh->prepare(
                 "SELECT value FROM settings where settings.name = 'login_required';"
               );
               $sth->execute();
               my $ret = 0;
               if (my @row = $sth->fetchrow_array) {
                 if ($row[0] eq "1" || $row[0] eq "t") {
                   $ret = 1;
                 }
               }
               $sth->finish();
               undef $sth;
               $dbh->disconnect();
               undef $dbh;
               $ret;
             }
             sub is_public_project {
                 my $project_id = shift;
                 my $r = shift;
+                if (is_authentication_forced($r)) {
+                  return 0;
+                }
                 my $dbh = connect_database($r);
                 my $sth = $dbh->prepare(
                     "SELECT is_public FROM projects WHERE projects.identifier = ?;"
                 );
                 $sth->execute($project_id);
                 my $ret = 0;
                 if (my @row = $sth->fetchrow_array) {
                 	if ($row[0] eq "1" || $row[0] eq "t") {
                 		$ret = 1;
                 	}
                 }
                 $sth->finish();
                 undef $sth;
                 $dbh->disconnect();
                 undef $dbh;
                 $ret;
             }
-            sub system_role_allows_browse_repository {
+            sub anonymous_role_allows_browse_repository {
               my $r = shift;
-              my $system_role = shift;
               my $dbh = connect_database($r);
               my $sth = $dbh->prepare(
-                  "SELECT permissions FROM roles WHERE builtin = ?;"
+                  "SELECT permissions FROM roles WHERE builtin = 2;"
               );
-              $sth->execute($system_role);
+              $sth->execute();
               my $ret = 0;
               if (my @row = $sth->fetchrow_array) {
                 if ($row[0] =~ /:browse_repository/) {
                   $ret = 1;
                 }
               }
               $sth->finish();
               undef $sth;
               $dbh->disconnect();
               undef $dbh;
               $ret;
             }
-            sub non_member_role_allows_browse_repository {
-              my $r = shift;
-              my $ret = system_role_allows_browse_repository($r, 1);
-              $ret;
-            sub anonymous_role_allows_browse_repository {
-              my $r = shift;
-              my $ret = system_role_allows_browse_repository($r, 2);
-              $ret;
             # perhaps we should use repository right (other read right) to check public access.
             # it could be faster BUT it doesn't work for the moment.
             # sub is_public_project_by_file {
             #     my $project_id = shift;
             #     my $r = shift;
             #     my $tree = Apache2::Directive::conftree();
             #     my $node = $tree->lookup('Location', $r->location);
             #     my $hash = $node->as_hash;
             #     my $svnparentpath = $hash->{SVNParentPath};
             #     my $repos_path = $svnparentpath . "/" . $project_id;
             #     return 1 if (stat($repos_path))[2] & 00007;
             # }
             sub is_member {
               my $redmine_user = shift;
               my $redmine_pass = shift;
               my $r = shift;
               my $dbh         = connect_database($r);
               my $project_id  = get_project_identifier($r);
               my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);
               my $access_mode = defined $read_only_methods{$r->method} ? "R" : "W";
               my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
               my $usrprojpass;
               if ($cfg->{RedmineCacheCredsMax}) {
                 $usrprojpass = $cfg->{RedmineCacheCreds}->get($redmine_user.":".$project_id.":".$access_mode);
                 return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
               }
               my $query = $cfg->{RedmineQuery};
               my $sth = $dbh->prepare($query);
               $sth->execute($redmine_user, $project_id);
               my $ret;
               while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) {
                   unless ($auth_source_id) {
             	  			my $method = $r->method;
                       my $salted_password = Digest::SHA1::sha1_hex($salt.$pass_digest);
             					if ($hashed_password eq $salted_password && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
                           $ret = 1;
                           last;
                       }
                   } elsif ($CanUseLDAPAuth) {
                       my $sthldap = $dbh->prepare(
                           "SELECT host,port,tls,account,account_password,base_dn,attr_login from auth_sources WHERE id = ?;"
                       );
                       $sthldap->execute($auth_source_id);
                       while (my @rowldap = $sthldap->fetchrow_array) {
                         my $ldap = Authen::Simple::LDAP->new(
                             host    =>      ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]:$rowldap[1]" : $rowldap[0],
                             port    =>      $rowldap[1],
                             basedn  =>      $rowldap[5],
                             binddn  =>      $rowldap[3] ? $rowldap[3] : "",
                             bindpw  =>      $rowldap[4] ? $rowldap[4] : "",
                             filter  =>      "(".$rowldap[6]."=%s)"
                         );
                         my $method = $r->method;
                         $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && (($access_mode eq "R" && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
                       }
                       $sthldap->finish();
                       undef $sthldap;
                   }
               }
               $sth->finish();
               undef $sth;
               $dbh->disconnect();
               undef $dbh;
               if ($cfg->{RedmineCacheCredsMax} and $ret) {
                 if (defined $usrprojpass) {
                   $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
                 } else {
                   if ($cfg->{RedmineCacheCredsCount} < $cfg->{RedmineCacheCredsMax}) {
                     $cfg->{RedmineCacheCreds}->set($redmine_user.":".$project_id.":".$access_mode, $pass_digest);
                     $cfg->{RedmineCacheCredsCount}++;
                   } else {
                     $cfg->{RedmineCacheCreds}->clear();
                     $cfg->{RedmineCacheCredsCount} = 0;
                   }
                 }
               }
               $ret;
             }
             sub get_project_identifier {
                 my $r = shift;
                 my $location = $r->location;
                 my ($identifier) = $r->uri =~ m{$location/*([^/]+)};
                 $identifier;
             }
             sub connect_database {
                 my $r = shift;
                 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
                 return DBI->connect($cfg->{RedmineDSN}, $cfg->{RedmineDbUser}, $cfg->{RedmineDbPass});
             }
 ;