/*
* mod_authz_svn.c: an Apache mod_dav_svn sub-module to provide path
* based authorization for a Subversion repository.
*
* ====================================================================
* Copyright (c) 2003-2005 CollabNet. All rights reserved.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at http://subversion.tigris.org/license-1.html.
* If newer versions of this license are posted there, you may use a
* newer version instead, at your option.
*
* This software consists of voluntary contributions made by many
* individuals. For exact contribution history, see the revision
* history and logs, available at http://subversion.tigris.org/.
* ====================================================================
*/
�
#include <httpd.h>
#include <http_config.h>
#include <http_core.h>
#include <http_request.h>
#include <http_protocol.h>
#include <http_log.h>
#include <ap_config.h>
#include <apr_uri.h>
#include <mod_dav.h>
#if AP_MODULE_MAGIC_AT_LEAST(20060110,0)
#include <mod_auth.h>
extern APR_OPTIONAL_FN_TYPE(ap_satisfies) *ap_satisfies;
#endif
#include "mod_dav_svn.h"
#include "svn_path.h"
#include "svn_config.h"
#include "svn_string.h"
#include "svn_repos.h"
extern module AP_MODULE_DECLARE_DATA authz_svn_module;
typedef struct {
int authoritative;
int anonymous;
int no_auth_when_anon_ok;
const char *base_path;
const char *access_file;
} authz_svn_config_rec;
/*
* Configuration
*/
static void *create_authz_svn_dir_config(apr_pool_t *p, char *d)
{
authz_svn_config_rec *conf = apr_pcalloc(p, sizeof(*conf));
conf->base_path = d;
/* By default keep the fortress secure */
conf->authoritative = 1;
conf->anonymous = 1;
return conf;
}
static const command_rec authz_svn_cmds[] =
{
AP_INIT_FLAG("AuthzSVNAuthoritative", ap_set_flag_slot,
(void *)APR_OFFSETOF(authz_svn_config_rec, authoritative),
OR_AUTHCFG,
"Set to 'Off' to allow access control to be passed along to "
"lower modules. (default is On.)"),
AP_INIT_TAKE1("AuthzSVNAccessFile", ap_set_file_slot,
(void *)APR_OFFSETOF(authz_svn_config_rec, access_file),
OR_AUTHCFG,
"Text file containing permissions of repository paths."),
AP_INIT_FLAG("AuthzSVNAnonymous", ap_set_flag_slot,
(void *)APR_OFFSETOF(authz_svn_config_rec, anonymous),
OR_AUTHCFG,
"Set to 'Off' to disable two special-case behaviours of "
"this module: (1) interaction with the 'Satisfy Any' "
"directive, and (2) enforcement of the authorization "
"policy even when no 'Require' directives are present. "
"(default is On.)"),
AP_INIT_FLAG("AuthzSVNNoAuthWhenAnonymousAllowed", ap_set_flag_slot,
(void *)APR_OFFSETOF(authz_svn_config_rec,
no_auth_when_anon_ok),
OR_AUTHCFG,
"Set to 'On' to suppress authentication and authorization "
"for requests which anonymous users are allowed to perform. "
"(default is Off.)"),
{ NULL }
};
/* Check if the current request R is allowed. Upon exit *REPOS_PATH_REF
* will contain the path and repository name that an operation was requested
* on in the form 'name:path'. *DEST_REPOS_PATH_REF will contain the
* destination path if the requested operation was a MOVE or a COPY.
* Returns OK when access is allowed, DECLINED when it isn't, or an HTTP_
* error code when an error occurred.
*/
static int req_check_access(request_rec *r,
authz_svn_config_rec *conf,
const char **repos_path_ref,
const char **dest_repos_path_ref)
{
const char *dest_uri;
apr_uri_t parsed_dest_uri;
const char *cleaned_uri;
int trailing_slash;
const char *repos_name;
const char *dest_repos_name;
const char *relative_path;
const char *repos_path;
const char *dest_repos_path = NULL;
dav_error *dav_err;
svn_repos_authz_access_t authz_svn_type = svn_authz_none;
svn_boolean_t authz_access_granted = FALSE;
svn_authz_t *access_conf = NULL;
svn_error_t *svn_err;
const char *cache_key;
void *user_data;
char errbuf[256];
switch (r->method_number) {
/* All methods requiring read access to all subtrees of r->uri */
case M_COPY:
authz_svn_type |= svn_authz_recursive;
/* All methods requiring read access to r->uri */
case M_OPTIONS:
case M_GET:
case M_PROPFIND:
case M_REPORT:
authz_svn_type |= svn_authz_read;
break;
/* All methods requiring write access to all subtrees of r->uri */
case M_MOVE:
case M_DELETE:
authz_svn_type |= svn_authz_recursive;
/* All methods requiring write access to r->uri */
case M_MKCOL:
case M_PUT:
case M_PROPPATCH:
case M_CHECKOUT:
case M_MERGE:
case M_MKACTIVITY:
case M_LOCK:
case M_UNLOCK:
authz_svn_type |= svn_authz_write;
break;
default:
/* Require most strict access for unknown methods */
authz_svn_type |= svn_authz_write | svn_authz_recursive;
break;
}
dav_err = dav_svn_split_uri(r,
r->uri,
conf->base_path,
&cleaned_uri,
&trailing_slash,
&repos_name,
&relative_path,
&repos_path);
if (dav_err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"%s [%d, #%d]",
dav_err->desc, dav_err->status, dav_err->error_id);
/* Ensure that we never allow access by dav_err->status */
return (dav_err->status != OK && dav_err->status != DECLINED) ?
dav_err->status : HTTP_INTERNAL_SERVER_ERROR;
}
/* Ignore the URI passed to MERGE, like mod_dav_svn does.
* See issue #1821.
* XXX: When we start accepting a broader range of DeltaV MERGE
* XXX: requests, this should be revisited.
*/
if (r->method_number == M_MERGE) {
repos_path = NULL;
}
if (repos_path)
repos_path = svn_path_join("/", repos_path, r->pool);
*repos_path_ref = apr_pstrcat(r->pool, repos_name, ":", repos_path, NULL);
if (r->method_number == M_MOVE || r->method_number == M_COPY) {
dest_uri = apr_table_get(r->headers_in, "Destination");
/* Decline MOVE or COPY when there is no Destination uri, this will
* cause failure.
*/
if (!dest_uri)
return DECLINED;
apr_uri_parse(r->pool, dest_uri, &parsed_dest_uri);
ap_unescape_url(parsed_dest_uri.path);
dest_uri = parsed_dest_uri.path;
if (strncmp(dest_uri, conf->base_path, strlen(conf->base_path))) {
/* If it is not the same location, then we don't allow it.
* XXX: Instead we could compare repository uuids, but that
* XXX: seems a bit over the top.
*/
return HTTP_BAD_REQUEST;
}
dav_err = dav_svn_split_uri(r,
dest_uri,
conf->base_path,
&cleaned_uri,
&trailing_slash,
&dest_repos_name,
&relative_path,
&dest_repos_path);
if (dav_err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"%s [%d, #%d]",
dav_err->desc, dav_err->status, dav_err->error_id);
/* Ensure that we never allow access by dav_err->status */
return (dav_err->status != OK && dav_err->status != DECLINED) ?
dav_err->status : HTTP_INTERNAL_SERVER_ERROR;
}
if (dest_repos_path)
dest_repos_path = svn_path_join("/", dest_repos_path, r->pool);
*dest_repos_path_ref = apr_pstrcat(r->pool, dest_repos_name, ":",
dest_repos_path, NULL);
}
/* Retrieve/cache authorization file */
cache_key = apr_pstrcat(r->pool, "mod_authz_svn:", conf->access_file, NULL);
apr_pool_userdata_get(&user_data, cache_key, r->connection->pool);
access_conf = user_data;
if (access_conf == NULL) {
svn_err = svn_repos_authz_read(&access_conf, conf->access_file,
TRUE, r->connection->pool);
if (svn_err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR,
/* If it is an error code that APR can make sense
of, then show it, otherwise, pass zero to avoid
putting "APR does not understand this error code"
in the error log. */
((svn_err->apr_err >= APR_OS_START_USERERR &&
svn_err->apr_err < APR_OS_START_CANONERR) ?
0 : svn_err->apr_err),
r, "Failed to load the AuthzSVNAccessFile: %s",
svn_err_best_message(svn_err,
errbuf, sizeof(errbuf)));
svn_error_clear(svn_err);
return DECLINED;
}
/* Cache the open repos for the next request on this connection */
apr_pool_userdata_set(access_conf, cache_key,
NULL, r->connection->pool);
}
/* Perform authz access control.
*
* First test the special case where repos_path == NULL, and skip
* calling the authz routines in that case. This is an oddity of
* the DAV RA method: some requests have no repos_path, but apache
* still triggers an authz lookup for the URI.
*
* However, if repos_path == NULL and the request requires write
* access, then perform a global authz lookup. The request is
* denied if the user commiting isn't granted any access anywhere
* in the repository. This is to avoid operations that involve no
* paths (commiting an empty revision, leaving a dangling
* transaction in the FS) being granted by default, letting
* unauthenticated users write some changes to the repository.
* This was issue #2388.
*
* XXX: For now, requesting access to the entire repository always
* XXX: succeeds, until we come up with a good way of figuring
* XXX: this out.
*/
if (repos_path
|| (!repos_path && (authz_svn_type & svn_authz_write)))
{
svn_err = svn_repos_authz_check_access(access_conf, repos_name,
repos_path, r->user,
authz_svn_type,
&authz_access_granted,
r->pool);
if (svn_err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR,
/* If it is an error code that APR can make
sense of, then show it, otherwise, pass
zero to avoid putting "APR does not
understand this error code" in the error
log. */
((svn_err->apr_err >= APR_OS_START_USERERR &&
svn_err->apr_err < APR_OS_START_CANONERR) ?
0 : svn_err->apr_err),
r, "Failed to perform access control: %s",
svn_err_best_message(svn_err, errbuf, sizeof(errbuf)));
svn_error_clear(svn_err);
return DECLINED;
}
if (!authz_access_granted)
return DECLINED;
}
/* XXX: MKCOL, MOVE, DELETE
* XXX: Require write access to the parent dir of repos_path.
*/
/* XXX: PUT
* XXX: If the path doesn't exist, require write access to the
* XXX: parent dir of repos_path.
*/
/* Only MOVE and COPY have a second uri we have to check access to. */
if (r->method_number != M_MOVE
&& r->method_number != M_COPY) {
return OK;
}
/* Check access on the destination repos_path. Again, skip this if
repos_path == NULL (see above for explanations) */
if (repos_path)
{
svn_err = svn_repos_authz_check_access(access_conf,
dest_repos_name,
dest_repos_path,
r->user,
svn_authz_write
|svn_authz_recursive,
&authz_access_granted,
r->pool);
if (svn_err) {
ap_log_rerror(APLOG_MARK, APLOG_ERR,
/* If it is an error code that APR can make sense
of, then show it, otherwise, pass zero to avoid
putting "APR does not understand this error code"
in the error log. */
((svn_err->apr_err >= APR_OS_START_USERERR &&
svn_err->apr_err < APR_OS_START_CANONERR) ?
0 : svn_err->apr_err),
r, "Failed to perform access control: %s",
svn_err_best_message(svn_err, errbuf, sizeof(errbuf)));
svn_error_clear(svn_err);
return DECLINED;
}
if (!authz_access_granted)
return DECLINED;
}
/* XXX: MOVE and COPY, if the path doesn't exist yet, also
* XXX: require write access to the parent dir of dest_repos_path.
*/
return OK;
}
/* Log a message indicating the access control decision made about a
* request. FILE and LINE should be supplied via the APLOG_MARK macro.
* ALLOWED is boolean. REPOS_PATH and DEST_REPOS_PATH are information
* about the request. DEST_REPOS_PATH may be NULL. */
static void log_access_verdict(const char *file, int line,
const request_rec *r,
int allowed,
const char *repos_path,
const char *dest_repos_path)
{
int level = allowed ? APLOG_INFO : APLOG_ERR;
const char *verdict = allowed ? "granted" : "denied";
if (r->user) {
if (dest_repos_path) {
ap_log_rerror(file, line, level, 0, r,
"Access %s: '%s' %s %s %s", verdict, r->user,
r->method, repos_path, dest_repos_path);
}
else {
ap_log_rerror(file, line, level, 0, r,
"Access %s: '%s' %s %s", verdict, r->user,
r->method, repos_path);
}
}
else {
if (dest_repos_path) {
ap_log_rerror(file, line, level, 0, r,
"Access %s: - %s %s %s", verdict,
r->method, repos_path, dest_repos_path);
}
else {
ap_log_rerror(file, line, level, 0, r,
"Access %s: - %s %s", verdict,
r->method, repos_path);
}
}
}
/*
* Hooks
*/
static int access_checker(request_rec *r)
{
authz_svn_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_svn_module);
const char *repos_path;
const char *dest_repos_path = NULL;
int status;
/* We are not configured to run */
if (!conf->anonymous || !conf->access_file)
return DECLINED;
if (ap_some_auth_required(r)) {
/* It makes no sense to check if a location is both accessible
* anonymous and by an authenticated user (in the same request!).
*/
if (ap_satisfies(r) != SATISFY_ANY)
return DECLINED;
/* If the user is trying to authenticate, let him. If anonymous
* access is allowed, so is authenticated access, by definition
* of the meaning of '*' in the access file.
*/
if (apr_table_get(r->headers_in,
(PROXYREQ_PROXY == r->proxyreq)
? "Proxy-Authorization" : "Authorization")) {
/* Given Satisfy Any is in effect, we have to forbid access
* to let the auth_checker hook have a go at it.
*/
return HTTP_FORBIDDEN;
}
}
/* If anon access is allowed, return OK */
status = req_check_access(r, conf, &repos_path, &dest_repos_path);
if (status == DECLINED) {
if (!conf->authoritative)
return DECLINED;
if (!ap_some_auth_required(r)) {
log_access_verdict(APLOG_MARK, r, 0, repos_path, dest_repos_path);
}
return HTTP_FORBIDDEN;
}
if (status != OK)
return status;
log_access_verdict(APLOG_MARK, r, 1, repos_path, dest_repos_path);
return OK;
}
static int check_user_id(request_rec *r)
{
authz_svn_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_svn_module);
const char *repos_path;
const char *dest_repos_path = NULL;
int status;
/* We are not configured to run, or, an earlier module has already
* authenticated this request. */
if (!conf->access_file || !conf->no_auth_when_anon_ok || r->user)
return DECLINED;
/* If anon access is allowed, return OK, preventing later modules
* from issuing an HTTP_UNAUTHORIZED. Also pass a note to our
* auth_checker hook that access has already been checked. */
status = req_check_access(r, conf, &repos_path, &dest_repos_path);
if (status == OK) {
apr_table_setn(r->notes, "authz_svn-anon-ok", (const char*)1);
log_access_verdict(APLOG_MARK, r, 1, repos_path, dest_repos_path);
return OK;
}
return status;
}
static int auth_checker(request_rec *r)
{
authz_svn_config_rec *conf = ap_get_module_config(r->per_dir_config,
&authz_svn_module);
const char *repos_path;
const char *dest_repos_path = NULL;
int status;
/* We are not configured to run */
if (!conf->access_file)
return DECLINED;
/* Previous hook (check_user_id) already did all the work,
* and, as a sanity check, r->user hasn't been set since then? */
if (!r->user && apr_table_get(r->notes, "authz_svn-anon-ok")) {
return OK;
}
status = req_check_access(r, conf, &repos_path, &dest_repos_path);
if (status == DECLINED) {
if (conf->authoritative) {
log_access_verdict(APLOG_MARK, r, 0, repos_path, dest_repos_path);
ap_note_auth_failure(r);
return HTTP_FORBIDDEN;
}
return DECLINED;
}
if (status != OK)
return status;
log_access_verdict(APLOG_MARK, r, 1, repos_path, dest_repos_path);
return OK;
}
/*
* Module flesh
*/
static void register_hooks(apr_pool_t *p)
{
static const char * const mod_ssl[] = { "mod_ssl.c", NULL };
ap_hook_access_checker(access_checker, NULL, NULL, APR_HOOK_LAST);
/* Our check_user_id hook must be before any module which will return
* HTTP_UNAUTHORIZED (mod_auth_basic, etc.), but after mod_ssl, to
* give SSLOptions +FakeBasicAuth a chance to work. */
ap_hook_check_user_id(check_user_id, mod_ssl, NULL, APR_HOOK_FIRST);
ap_hook_auth_checker(auth_checker, NULL, NULL, APR_HOOK_FIRST);
}
module AP_MODULE_DECLARE_DATA authz_svn_module =
{
STANDARD20_MODULE_STUFF,
create_authz_svn_dir_config, /* dir config creater */
NULL, /* dir merger --- default is to override */
NULL, /* server config */
NULL, /* merge server config */
authz_svn_cmds, /* command apr_table_t */
register_hooks /* register hooks */
};
syntax highlighted by Code2HTML, v. 0.9.1