|
Chris@7
|
1 package Apache::Authn::SoundSoftware;
|
|
Chris@7
|
2
|
|
Chris@7
|
3 =head1 Apache::Authn::SoundSoftware
|
|
Chris@7
|
4
|
|
Chris@7
|
5 SoundSoftware - a mod_perl module for Apache authentication against a
|
|
Chris@7
|
6 Redmine database and optional LDAP implementing the access control
|
|
Chris@7
|
7 rules required for the SoundSoftware.ac.uk repository site.
|
|
Chris@7
|
8
|
|
Chris@7
|
9 =head1 SYNOPSIS
|
|
Chris@7
|
10
|
|
Chris@7
|
11 This module is closely based on the Redmine.pm authentication module
|
|
Chris@7
|
12 provided with Redmine. It is intended to be used for authentication
|
|
Chris@7
|
13 in front of a repository service such as hgwebdir.
|
|
Chris@7
|
14
|
|
Chris@7
|
15 Requirements:
|
|
Chris@7
|
16
|
|
Chris@7
|
17 1. Clone/pull from repo for public project: Any user, no
|
|
Chris@7
|
18 authentication required
|
|
Chris@7
|
19
|
|
Chris@7
|
20 2. Clone/pull from repo for private project: Project members only
|
|
Chris@7
|
21
|
|
Chris@7
|
22 3. Push to repo for public project: "Permitted" users only (this
|
|
Chris@7
|
23 probably means project members who are also identified in the hgrc web
|
|
Chris@7
|
24 section for the repository and so will be approved by hgwebdir?)
|
|
Chris@7
|
25
|
|
Chris@7
|
26 4. Push to repo for private project: "Permitted" users only (as above)
|
|
Chris@7
|
27
|
|
Chris@7
|
28 =head1 INSTALLATION
|
|
Chris@7
|
29
|
|
Chris@7
|
30 Debian/ubuntu:
|
|
Chris@7
|
31
|
|
Chris@7
|
32 apt-get install libapache-dbi-perl libapache2-mod-perl2 \
|
|
Chris@7
|
33 libdbd-mysql-perl libauthen-simple-ldap-perl libio-socket-ssl-perl
|
|
Chris@7
|
34
|
|
Chris@7
|
35 Note that LDAP support is hardcoded "on" in this script (it is
|
|
Chris@7
|
36 optional in the original Redmine.pm).
|
|
Chris@7
|
37
|
|
Chris@7
|
38 =head1 CONFIGURATION
|
|
Chris@7
|
39
|
|
Chris@7
|
40 ## This module has to be in your perl path
|
|
Chris@7
|
41 ## eg: /usr/local/lib/site_perl/Apache/Authn/SoundSoftware.pm
|
|
Chris@7
|
42 PerlLoadModule Apache::Authn::SoundSoftware
|
|
Chris@7
|
43
|
|
Chris@7
|
44 # Example when using hgwebdir
|
|
Chris@7
|
45 ScriptAlias / "/var/hg/hgwebdir.cgi/"
|
|
Chris@7
|
46
|
|
Chris@7
|
47 <Location />
|
|
Chris@7
|
48 AuthName "Mercurial"
|
|
Chris@7
|
49 AuthType Basic
|
|
Chris@7
|
50 Require valid-user
|
|
Chris@7
|
51 PerlAccessHandler Apache::Authn::SoundSoftware::access_handler
|
|
Chris@7
|
52 PerlAuthenHandler Apache::Authn::SoundSoftware::authen_handler
|
|
Chris@7
|
53 SoundSoftwareDSN "DBI:mysql:database=redmine;host=localhost"
|
|
Chris@7
|
54 SoundSoftwareDbUser "redmine"
|
|
Chris@7
|
55 SoundSoftwareDbPass "password"
|
|
Chris@7
|
56 Options +ExecCGI
|
|
Chris@7
|
57 AddHandler cgi-script .cgi
|
|
Chris@7
|
58 ## Optional where clause (fulltext search would be slow and
|
|
Chris@7
|
59 ## database dependant).
|
|
Chris@7
|
60 # SoundSoftwareDbWhereClause "and members.role_id IN (1,2)"
|
|
Chris@7
|
61 ## Optional credentials cache size
|
|
Chris@7
|
62 # SoundSoftwareCacheCredsMax 50
|
|
Chris@7
|
63 </Location>
|
|
Chris@7
|
64
|
|
Chris@7
|
65 See the original Redmine.pm for further configuration notes.
|
|
Chris@7
|
66
|
|
Chris@7
|
67 =cut
|
|
Chris@7
|
68
|
|
Chris@7
|
69 use strict;
|
|
Chris@7
|
70 use warnings FATAL => 'all', NONFATAL => 'redefine';
|
|
Chris@7
|
71
|
|
Chris@7
|
72 use DBI;
|
|
Chris@7
|
73 use Digest::SHA1;
|
|
Chris@7
|
74 use Authen::Simple::LDAP;
|
|
Chris@7
|
75 use Apache2::Module;
|
|
Chris@7
|
76 use Apache2::Access;
|
|
Chris@7
|
77 use Apache2::ServerRec qw();
|
|
Chris@7
|
78 use Apache2::RequestRec qw();
|
|
Chris@7
|
79 use Apache2::RequestUtil qw();
|
|
Chris@7
|
80 use Apache2::Const qw(:common :override :cmd_how);
|
|
Chris@7
|
81 use APR::Pool ();
|
|
Chris@7
|
82 use APR::Table ();
|
|
Chris@7
|
83
|
|
Chris@7
|
84 # use Apache2::Directive qw();
|
|
Chris@7
|
85
|
|
Chris@7
|
86 my @directives = (
|
|
Chris@7
|
87 {
|
|
Chris@7
|
88 name => 'SoundSoftwareDSN',
|
|
Chris@7
|
89 req_override => OR_AUTHCFG,
|
|
Chris@7
|
90 args_how => TAKE1,
|
|
Chris@7
|
91 errmsg => 'Dsn in format used by Perl DBI. eg: "DBI:Pg:dbname=databasename;host=my.db.server"',
|
|
Chris@7
|
92 },
|
|
Chris@7
|
93 {
|
|
Chris@7
|
94 name => 'SoundSoftwareDbUser',
|
|
Chris@7
|
95 req_override => OR_AUTHCFG,
|
|
Chris@7
|
96 args_how => TAKE1,
|
|
Chris@7
|
97 },
|
|
Chris@7
|
98 {
|
|
Chris@7
|
99 name => 'SoundSoftwareDbPass',
|
|
Chris@7
|
100 req_override => OR_AUTHCFG,
|
|
Chris@7
|
101 args_how => TAKE1,
|
|
Chris@7
|
102 },
|
|
Chris@7
|
103 {
|
|
Chris@7
|
104 name => 'SoundSoftwareDbWhereClause',
|
|
Chris@7
|
105 req_override => OR_AUTHCFG,
|
|
Chris@7
|
106 args_how => TAKE1,
|
|
Chris@7
|
107 },
|
|
Chris@7
|
108 {
|
|
Chris@7
|
109 name => 'SoundSoftwareCacheCredsMax',
|
|
Chris@7
|
110 req_override => OR_AUTHCFG,
|
|
Chris@7
|
111 args_how => TAKE1,
|
|
Chris@7
|
112 errmsg => 'SoundSoftwareCacheCredsMax must be decimal number',
|
|
Chris@7
|
113 },
|
|
Chris@7
|
114 );
|
|
Chris@7
|
115
|
|
Chris@7
|
116 sub SoundSoftwareDSN {
|
|
Chris@7
|
117 my ($self, $parms, $arg) = @_;
|
|
Chris@7
|
118 $self->{SoundSoftwareDSN} = $arg;
|
|
Chris@7
|
119 my $query = "SELECT
|
|
Chris@7
|
120 hashed_password, auth_source_id, permissions
|
|
Chris@7
|
121 FROM members, projects, users, roles, member_roles
|
|
Chris@7
|
122 WHERE
|
|
Chris@7
|
123 projects.id=members.project_id
|
|
Chris@7
|
124 AND member_roles.member_id=members.id
|
|
Chris@7
|
125 AND users.id=members.user_id
|
|
Chris@7
|
126 AND roles.id=member_roles.role_id
|
|
Chris@7
|
127 AND users.status=1
|
|
Chris@7
|
128 AND login=?
|
|
Chris@7
|
129 AND identifier=? ";
|
|
Chris@7
|
130 $self->{SoundSoftwareQuery} = trim($query);
|
|
Chris@7
|
131 }
|
|
Chris@7
|
132
|
|
Chris@7
|
133 sub SoundSoftwareDbUser { set_val('SoundSoftwareDbUser', @_); }
|
|
Chris@7
|
134 sub SoundSoftwareDbPass { set_val('SoundSoftwareDbPass', @_); }
|
|
Chris@7
|
135 sub SoundSoftwareDbWhereClause {
|
|
Chris@7
|
136 my ($self, $parms, $arg) = @_;
|
|
Chris@7
|
137 $self->{SoundSoftwareQuery} = trim($self->{SoundSoftwareQuery}.($arg ? $arg : "")." ");
|
|
Chris@7
|
138 }
|
|
Chris@7
|
139
|
|
Chris@7
|
140 sub SoundSoftwareCacheCredsMax {
|
|
Chris@7
|
141 my ($self, $parms, $arg) = @_;
|
|
Chris@7
|
142 if ($arg) {
|
|
Chris@7
|
143 $self->{SoundSoftwareCachePool} = APR::Pool->new;
|
|
Chris@7
|
144 $self->{SoundSoftwareCacheCreds} = APR::Table::make($self->{SoundSoftwareCachePool}, $arg);
|
|
Chris@7
|
145 $self->{SoundSoftwareCacheCredsCount} = 0;
|
|
Chris@7
|
146 $self->{SoundSoftwareCacheCredsMax} = $arg;
|
|
Chris@7
|
147 }
|
|
Chris@7
|
148 }
|
|
Chris@7
|
149
|
|
Chris@7
|
150 sub trim {
|
|
Chris@7
|
151 my $string = shift;
|
|
Chris@7
|
152 $string =~ s/\s{2,}/ /g;
|
|
Chris@7
|
153 return $string;
|
|
Chris@7
|
154 }
|
|
Chris@7
|
155
|
|
Chris@7
|
156 sub set_val {
|
|
Chris@7
|
157 my ($key, $self, $parms, $arg) = @_;
|
|
Chris@7
|
158 $self->{$key} = $arg;
|
|
Chris@7
|
159 }
|
|
Chris@7
|
160
|
|
Chris@7
|
161 Apache2::Module::add(__PACKAGE__, \@directives);
|
|
Chris@7
|
162
|
|
Chris@7
|
163
|
|
Chris@7
|
164 my %read_only_methods = map { $_ => 1 } qw/GET PROPFIND REPORT OPTIONS/;
|
|
Chris@7
|
165
|
|
Chris@7
|
166 sub access_handler {
|
|
Chris@7
|
167 my $r = shift;
|
|
Chris@7
|
168
|
|
Chris@7
|
169 print STDERR "SoundSoftware.pm: In access handler\n";
|
|
Chris@7
|
170
|
|
Chris@7
|
171 unless ($r->some_auth_required) {
|
|
Chris@7
|
172 $r->log_reason("No authentication has been configured");
|
|
Chris@7
|
173 return FORBIDDEN;
|
|
Chris@7
|
174 }
|
|
Chris@7
|
175
|
|
Chris@7
|
176 my $method = $r->method;
|
|
Chris@7
|
177
|
|
Chris@7
|
178 print STDERR "SoundSoftware.pm: Method: $method, uri " . $r->uri . ", location " . $r->location . "\n";
|
|
Chris@7
|
179
|
|
Chris@7
|
180 if (!defined $read_only_methods{$method}) {
|
|
Chris@7
|
181 print STDERR "SoundSoftware.pm: Method is not read-only, authentication handler required\n";
|
|
Chris@7
|
182 return OK;
|
|
Chris@7
|
183 }
|
|
Chris@7
|
184
|
|
Chris@7
|
185 my $project_id = get_project_identifier($r);
|
|
Chris@7
|
186
|
|
Chris@7
|
187 if (defined $project_id) {
|
|
Chris@7
|
188 print STDERR "SoundSoftware.pm: Project: $project_id\n";
|
|
Chris@7
|
189 } else {
|
|
Chris@7
|
190 print STDERR "SoundSoftware.pm: No project identifier available, refusing access\n";
|
|
Chris@7
|
191 return FORBIDDEN;
|
|
Chris@7
|
192 }
|
|
Chris@7
|
193
|
|
Chris@7
|
194 my $status = get_project_status($project_id, $r);
|
|
Chris@7
|
195
|
|
Chris@7
|
196 if ($status == 0) { # nonexistent
|
|
Chris@7
|
197 print STDERR "SoundSoftware.pm: Project does not exist, refusing access\n";
|
|
Chris@7
|
198 return FORBIDDEN;
|
|
Chris@7
|
199 } elsif ($status == 1) { # public
|
|
Chris@7
|
200 print STDERR "SoundSoftware.pm: Project is public, no restriction here\n";
|
|
Chris@7
|
201 $r->set_handlers(PerlAuthenHandler => [\&OK])
|
|
Chris@7
|
202 } else { # private
|
|
Chris@7
|
203 print STDERR "SoundSoftware.pm: Project is not public, authentication handler required\n";
|
|
Chris@7
|
204 }
|
|
Chris@7
|
205
|
|
Chris@7
|
206 return OK
|
|
Chris@7
|
207 }
|
|
Chris@7
|
208
|
|
Chris@7
|
209 sub authen_handler {
|
|
Chris@7
|
210 my $r = shift;
|
|
Chris@7
|
211
|
|
Chris@7
|
212 print STDERR "SoundSoftware.pm: In authentication handler\n";
|
|
Chris@7
|
213
|
|
Chris@7
|
214 my ($res, $redmine_pass) = $r->get_basic_auth_pw();
|
|
Chris@7
|
215 return $res unless $res == OK;
|
|
Chris@7
|
216
|
|
Chris@7
|
217 print STDERR "SoundSoftware.pm: User is " . $r->user . ", got password\n";
|
|
Chris@7
|
218
|
|
Chris@7
|
219 if (is_member($r->user, $redmine_pass, $r)) {
|
|
Chris@7
|
220 return OK;
|
|
Chris@7
|
221 } else {
|
|
Chris@7
|
222 print STDERR "SoundSoftware.pm: Failed to validate project membership\n";
|
|
Chris@7
|
223 $r->note_auth_failure();
|
|
Chris@7
|
224 return AUTH_REQUIRED;
|
|
Chris@7
|
225 }
|
|
Chris@7
|
226 }
|
|
Chris@7
|
227
|
|
Chris@7
|
228 sub get_project_status {
|
|
Chris@7
|
229 my $project_id = shift;
|
|
Chris@7
|
230 my $r = shift;
|
|
Chris@7
|
231
|
|
Chris@7
|
232 my $dbh = connect_database($r);
|
|
Chris@7
|
233 my $sth = $dbh->prepare(
|
|
Chris@7
|
234 "SELECT is_public FROM projects WHERE projects.identifier = ?;"
|
|
Chris@7
|
235 );
|
|
Chris@7
|
236
|
|
Chris@7
|
237 $sth->execute($project_id);
|
|
Chris@7
|
238 my $ret = 0;
|
|
Chris@7
|
239 if (my @row = $sth->fetchrow_array) {
|
|
Chris@7
|
240 if ($row[0] eq "1" || $row[0] eq "t") {
|
|
Chris@7
|
241 $ret = 1; # public
|
|
Chris@7
|
242 } else {
|
|
Chris@7
|
243 $ret = 2; # private (0 means nonexistent)
|
|
Chris@7
|
244 }
|
|
Chris@7
|
245 }
|
|
Chris@7
|
246 $sth->finish();
|
|
Chris@7
|
247 undef $sth;
|
|
Chris@7
|
248 $dbh->disconnect();
|
|
Chris@7
|
249 undef $dbh;
|
|
Chris@7
|
250
|
|
Chris@7
|
251 $ret;
|
|
Chris@7
|
252 }
|
|
Chris@7
|
253
|
|
Chris@7
|
254 sub is_member {
|
|
Chris@7
|
255 my $redmine_user = shift;
|
|
Chris@7
|
256 my $redmine_pass = shift;
|
|
Chris@7
|
257 my $r = shift;
|
|
Chris@7
|
258
|
|
Chris@7
|
259 my $dbh = connect_database($r);
|
|
Chris@7
|
260 my $project_id = get_project_identifier($r);
|
|
Chris@7
|
261
|
|
Chris@7
|
262 my $pass_digest = Digest::SHA1::sha1_hex($redmine_pass);
|
|
Chris@7
|
263
|
|
Chris@7
|
264 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
|
|
Chris@7
|
265 my $usrprojpass;
|
|
Chris@7
|
266 if ($cfg->{SoundSoftwareCacheCredsMax}) {
|
|
Chris@7
|
267 $usrprojpass = $cfg->{SoundSoftwareCacheCreds}->get($redmine_user.":".$project_id);
|
|
Chris@7
|
268 return 1 if (defined $usrprojpass and ($usrprojpass eq $pass_digest));
|
|
Chris@7
|
269 }
|
|
Chris@7
|
270 my $query = $cfg->{SoundSoftwareQuery};
|
|
Chris@7
|
271 my $sth = $dbh->prepare($query);
|
|
Chris@7
|
272 $sth->execute($redmine_user, $project_id);
|
|
Chris@7
|
273
|
|
Chris@7
|
274 my $ret;
|
|
Chris@7
|
275 while (my ($hashed_password, $auth_source_id, $permissions) = $sth->fetchrow_array) {
|
|
Chris@7
|
276
|
|
Chris@7
|
277 unless ($auth_source_id) {
|
|
Chris@7
|
278 my $method = $r->method;
|
|
Chris@7
|
279 if ($hashed_password eq $pass_digest && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
|
|
Chris@7
|
280 $ret = 1;
|
|
Chris@7
|
281 last;
|
|
Chris@7
|
282 }
|
|
Chris@7
|
283 } else {
|
|
Chris@7
|
284 my $sthldap = $dbh->prepare(
|
|
Chris@7
|
285 "SELECT host,port,tls,account,account_password,base_dn,attr_login from auth_sources WHERE id = ?;"
|
|
Chris@7
|
286 );
|
|
Chris@7
|
287 $sthldap->execute($auth_source_id);
|
|
Chris@7
|
288 while (my @rowldap = $sthldap->fetchrow_array) {
|
|
Chris@7
|
289 my $ldap = Authen::Simple::LDAP->new(
|
|
Chris@7
|
290 host => ($rowldap[2] eq "1" || $rowldap[2] eq "t") ? "ldaps://$rowldap[0]" : $rowldap[0],
|
|
Chris@7
|
291 port => $rowldap[1],
|
|
Chris@7
|
292 basedn => $rowldap[5],
|
|
Chris@7
|
293 binddn => $rowldap[3] ? $rowldap[3] : "",
|
|
Chris@7
|
294 bindpw => $rowldap[4] ? $rowldap[4] : "",
|
|
Chris@7
|
295 filter => "(".$rowldap[6]."=%s)"
|
|
Chris@7
|
296 );
|
|
Chris@7
|
297 my $method = $r->method;
|
|
Chris@7
|
298 $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
|
|
Chris@7
|
299
|
|
Chris@7
|
300 }
|
|
Chris@7
|
301 $sthldap->finish();
|
|
Chris@7
|
302 undef $sthldap;
|
|
Chris@7
|
303 }
|
|
Chris@7
|
304 }
|
|
Chris@7
|
305 $sth->finish();
|
|
Chris@7
|
306 undef $sth;
|
|
Chris@7
|
307 $dbh->disconnect();
|
|
Chris@7
|
308 undef $dbh;
|
|
Chris@7
|
309
|
|
Chris@7
|
310 if ($cfg->{SoundSoftwareCacheCredsMax} and $ret) {
|
|
Chris@7
|
311 if (defined $usrprojpass) {
|
|
Chris@7
|
312 $cfg->{SoundSoftwareCacheCreds}->set($redmine_user.":".$project_id, $pass_digest);
|
|
Chris@7
|
313 } else {
|
|
Chris@7
|
314 if ($cfg->{SoundSoftwareCacheCredsCount} < $cfg->{SoundSoftwareCacheCredsMax}) {
|
|
Chris@7
|
315 $cfg->{SoundSoftwareCacheCreds}->set($redmine_user.":".$project_id, $pass_digest);
|
|
Chris@7
|
316 $cfg->{SoundSoftwareCacheCredsCount}++;
|
|
Chris@7
|
317 } else {
|
|
Chris@7
|
318 $cfg->{SoundSoftwareCacheCreds}->clear();
|
|
Chris@7
|
319 $cfg->{SoundSoftwareCacheCredsCount} = 0;
|
|
Chris@7
|
320 }
|
|
Chris@7
|
321 }
|
|
Chris@7
|
322 }
|
|
Chris@7
|
323
|
|
Chris@7
|
324 $ret;
|
|
Chris@7
|
325 }
|
|
Chris@7
|
326
|
|
Chris@7
|
327 sub get_project_identifier {
|
|
Chris@7
|
328 my $r = shift;
|
|
Chris@7
|
329
|
|
Chris@7
|
330 my $location = $r->location;
|
|
Chris@7
|
331 my ($repo) = $r->uri =~ m{$location/*([^/]+)};
|
|
Chris@7
|
332 $repo =~ s/[^a-zA-Z0-9\._-]//g;
|
|
Chris@7
|
333
|
|
Chris@7
|
334 my $dbh = connect_database($r);
|
|
Chris@7
|
335 my $sth = $dbh->prepare(
|
|
Chris@7
|
336 "SELECT projects.identifier FROM projects, repositories WHERE repositories.project_id = projects.id AND repositories.url LIKE ?;"
|
|
Chris@7
|
337 );
|
|
Chris@7
|
338
|
|
Chris@7
|
339 my $identifier = '';
|
|
Chris@7
|
340
|
|
Chris@7
|
341 $sth->execute('%/' . $repo);
|
|
Chris@7
|
342 my $ret = 0;
|
|
Chris@7
|
343 if (my @row = $sth->fetchrow_array) {
|
|
Chris@7
|
344 $identifier = $row[0];
|
|
Chris@7
|
345 }
|
|
Chris@7
|
346 $sth->finish();
|
|
Chris@7
|
347 undef $sth;
|
|
Chris@7
|
348 $dbh->disconnect();
|
|
Chris@7
|
349 undef $dbh;
|
|
Chris@7
|
350
|
|
Chris@7
|
351 print STDERR "SoundSoftware.pm: Repository $repo belongs to project $identifier\n";
|
|
Chris@7
|
352
|
|
Chris@7
|
353 $identifier;
|
|
Chris@7
|
354 }
|
|
Chris@7
|
355
|
|
Chris@7
|
356 sub connect_database {
|
|
Chris@7
|
357 my $r = shift;
|
|
Chris@7
|
358
|
|
Chris@7
|
359 my $cfg = Apache2::Module::get_config(__PACKAGE__, $r->server, $r->per_dir_config);
|
|
Chris@7
|
360 return DBI->connect($cfg->{SoundSoftwareDSN}, $cfg->{SoundSoftwareDbUser}, $cfg->{SoundSoftwareDbPass});
|
|
Chris@7
|
361 }
|
|
Chris@7
|
362
|
|
Chris@7
|
363 1;
|
